Security Basics mailing list archives
RE: broadband connections in hotels
From: Brad O'Brien <brad.obrien () brylade com>
Date: Mon, 09 Dec 2002 14:36:22 -0500 (EST)
Greetings Peter,
From what you describe, one thing that you may want to try is to allow
access to 192.168.x.x by IP only in the firewall rules, as most of the webpages
from hotels are internal sites. This has its obvious disadvantages, so you
have to decide how much security you want to sacrifice in order to maintain
flexibility for the user.
If they are external sites, then you could have the person dial up
with the built-in 56K modem and VPN into work, thereby using the corporate
proxy and then authenticate the password on the site in question. That should
activate the billing for a set period of time (usually one night) and allow
the user to then disconnect the dial-up and connect to the broadband
connection.
If all else fails, most of the hotels offering broadband to their
guests would have a PC at the front desk that has unrestricted internet
access and that could initiate the billing on the traveler's behalf.
Hope this helps,
Brad O'Brien
Operations Manager
Brylade Computer Solutions Ltd.
-----Original Message-----
From: Peter VE [mailto:peter.ve () pandora be]
Sent: December 6, 2002 5:38 PM
To: security-basics () security-focus com
Subject: broadband connections in hotels
Hi all,
I have a problem that has been bothering me for quite some time now.
All of our laptops have a personal firewall.
This means that they can connect to the internet (in terms of getting an IP
address and do DNS name resolution) + establish a VPN tunnel into the
corporate network. That's it... no browsing allowed, no email reading or
sending allowed....
When the user wants to access the internet, he has to establish the VPN and
use the corporate proxy server... better safe than sorry
The users are not able to change the firewall policy nor disable the
firewall... it's always running
The firewall is clever enough to detect when you are on the corporate
network (private IP + ability to resolve internal DNS names), when you are
on the internet (non-corporate IP address, or private IP address but not
able to resolve corporate internal DNS name), when you are using VPN and so
on... this really works well
Some hotels offer a broadband connection... but before you can access the
internet, you need to connect to a website, and enter a passcode (so proper
billing can be done). We are blocking all access so the user cannot access
this website...
This is bothering me... how can we set things up so the user can use the
local broadband connection,
without dynamically changing the policy,
without allowing internet browsing access at all times..
Also, keep in mind that not all websites are running on port 80... it could
be a different port...
Any ideas ?
thanks
P
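
The policy discussed in this thread, as an added sketch that is not part of either message or of any firewall product: the location logic Peter describes, plus Brad's 192.168.x.x exception read as a rule on the destination address range. The VPN gateway address, the function names and the sample destinations are constructed assumptions.

```python
import ipaddress

# Assumptions (not from the thread): gateway address and rule-engine shape.
VPN_GATEWAY = ipaddress.ip_address("203.0.113.10")          # documentation address
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PORTAL_EXCEPTION = ipaddress.ip_network("192.168.0.0/16")   # the suggested rule


def classify_location(local_ip, resolves_internal_dns, vpn_up):
    """Location logic as described for the personal firewall."""
    if vpn_up:
        return "vpn"
    addr = ipaddress.ip_address(local_ip)
    if any(addr in net for net in RFC1918) and resolves_internal_dns:
        return "corporate"
    # Public address, or private address without internal DNS (a hotel LAN).
    return "internet"


def allow_outbound(location, dest, port, proto="tcp"):
    """Return True if the policy lets the laptop open this connection."""
    if location in ("corporate", "vpn"):
        return True              # simplification: traffic uses the corporate proxy
    if proto == "udp" and port in (53, 67):
        return True              # DNS name resolution and DHCP
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        return False             # a hostname never matches: rules are by IP only
    if addr == VPN_GATEWAY:
        return True              # VPN tunnel establishment
    # Portal exception: any port, since portals are not always on port 80,
    # but only for destinations inside 192.168.0.0/16.
    return addr in PORTAL_EXCEPTION


if __name__ == "__main__":
    loc = classify_location("192.168.1.50", False, False)   # constructed hotel lease
    for dest, port in [("192.168.1.1", 8080),    # portal on a non-80 port
                       ("192.168.1.77", 445),    # another host on the hotel LAN
                       ("10.0.0.1", 80),         # portal on a different private range
                       ("198.51.100.7", 80)]:    # external site
        print(loc, dest, port, allow_outbound(loc, dest, port))
```

The second sample destination shows the disadvantage of the exception: every host on the hotel LAN in that range becomes reachable on every port, while a portal hosted in another private range or externally stays blocked.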
