Re: broadband connections in hotels

["Peter VE" <peter.ve () pandora be>]

Client firewall =   CyberArmor from Infoexpress

Taking control out of the hands of the users is generally spoken the safest
solution... but not always practical... I know... but as I said before :
better safe than sorry ;-)



----- Original Message -----
From: "shawnmer" <shawnmer () io com>
To: "Peter VE" <peter.ve () pandora be>
Cc: <security-basics () securityfocus com>
Sent: Saturday, December 07, 2002 1:23 AM
Subject: Re: broadband connections in hotels


> Hi,
>
> This is a result of your taking all control out of the hands of
> users...while it's very controlable from a sysadmin point of view, your
> users are obviously taken out of the loop and you wish to keep it that
> way.
>
> That being said...
>
> What firewall are you using on the laptops?
>
> The device hosting the web page in the hotels your users are using is
> likely a Cisco BBSM (Building Broadband Service Manager)
> <http://www.cisco.com/univercd/cc/td/doc/product/aggr/bbsm/>
>
> I've seen these use both port 80 and HTTPS on 443.  The webserver is IIS
:(
> -scm
>
>
>
> PV:Peter VE
>
> PV>
> PV>Hi all,
> PV>
> PV>I have a problem that has been bothering me for quite some time now
> PV>All of our laptops have a personal firewall.
> PV>THis means that they can connect to the internet (in terms of getting
an IP
> PV>address and do DNS name resolution) + establish a VPN tunnel into the
> PV>corporate network. That's it... no browsing allowed, no email reading
or
> PV>sending allowed....
> PV>When the users wants to access the internet, he has to establish the
VPN and
> PV>use the corporate proxy server...  better safe than sorry
> PV>The users are not able to change the firewall policy nor  disable the
> PV>firewall... it's always running
> PV>The firewall is clever enough to detect when you are on the corporate
> PV>network (private IP + ability to resolve internal DNS names), when you
are
> PV>on the internet (non-corporate IP address, or private ip address  but
not
> PV>able to resolve corporate internal DNS name), when you are using VPN
and so
> PV>on... this really works well
> PV>
> PV>Some hotels offer a broadband connection... but before you can access
the
> PV>internet, you need to connect to a website, and enter a passcode (so
proper
> PV>billing can be done).  We are blocking all access so the user cannot
access
> PV>this website...
> PV>This is bothering me... how can we set things up so the user can use
the
> PV>local broadband connection,
> PV>without dynamically changing the policy,
> PV>without allowing internet browsing access at all times..
> PV>Also, keep in mind that not all websites are running on port 80... it
could
> PV>be a different port...
> PV>
> PV>Any ideas ?
> PV>
> PV>thanks
> PV>
> PV>P
> PV>