Educause Security Discussion mailing list archives
Re: Public Use VLAN (x-posted to netman listserv)
From: Jeff Moore <mail () JEFFMOORE COM>
Date: Wed, 3 Oct 2012 08:15:24 -0700
Interesting. That sounds like a model we originally started with on our wireless. Initially our wireless was a broadcast SSID that was wide open. Because of this we treated it as a non-trusted network and gave it its own firewall and external address space (just enough to do PAT). Also we forced it to use the smaller of our two links so that if things went south the rest of our traffic would be unaffected. Also we didn't give it any IPs from our nets that are associated to our ASNs. So if the link failed the open network failed (small trade-off for isolation, and one that has worked with the QoS we provided. This is changing). We have changed a lot since then and are working toward full individual client authentication via our new Palo Alto firewalls.

As for DNS, we simply pointed to our external DNS. We have two domains, one internal and one external. With the PIX/ASAs you can use the "dns" flag in your statics and the firewall will then automatically translate to the internal IP even though DNS is replying with an external address. But I am assuming you are set up the other way around, with an internal DNS that you want to pull from. Am I reading this correctly? Not sure if the DNS flag will work downstream. Would be interesting to see. Maybe that will help. Sorry for the rudimentary answer.

One of our Perl gurus here has written a nice web page to get guest credentials set up for RADIUS. Is that something you all have considered? If you would like I can put you in touch with him. I am sure he would be more than happy to share his script. It's version 1.0 and hasn't been deployed yet, but he is really good so I doubt there will be much polishing needed.

Also, if you are wanting ammo to push back on open networks, use the ol' CALEA ammo! That will stop administration in their tracks! ;)

Good Luck!

Jeff M
CCC

On Tue, Oct 2, 2012 at 6:56 PM, Allen Wood <awood () hillcollege edu> wrote:
As much as I hate it, I've been told to set up an open wireless network for our campus. I created a VLAN with access lists that deny all traffic to inside our network, and created the open SSID to put on it. Traffic can flow freely now from the open wireless to the internet.

However, I'm using a public DNS for the clients and they're unable to reach our locally hosted (NAT'd) web servers. We're currently using a Cisco ASA at the edge of our network which does all of our NAT'ing. I could open up the VLAN access list a bit and allow them access to our internal DNS & web servers, but I'd rather not.

Has anyone run into this issue before? What's the "best practices" at this point... other than removing the public network in the first place!

Thanks in advance,

Allen
--
Jeff Moore
Desk (503) 877-4707
Cell (503) 910-0756
Mail () JeffMoore com
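A worked ASA configuration for the setup Allen describes (isolated guest VLAN, public DNS, NAT'd internal web server) and the "dns" keyword Jeff mentions, added here as an illustration and not taken from either poster or from Cisco documentation. All addresses are RFC 5737 / RFC 1918 examples, and the interface, object and ACL names are assumed:

```cisco
! Added example; not configuration from either poster. Addresses are
! RFC 5737 / RFC 1918 examples; interface, object and ACL names are assumed.
! Uses 8.3+ syntax, where ACLs and NAT are written in terms of real addresses.
!
! 1. Guest VLAN as its own low-security interface.
interface GigabitEthernet0/1.50
 vlan 50
 nameif guest
 security-level 10
 ip address 192.168.50.1 255.255.255.0
!
! 2. Guest clients get PAT behind the outside interface (object NAT).
object network guest-net
 subnet 192.168.50.0 255.255.255.0
 nat (guest,outside) dynamic interface
!
! 3. Isolation ACL on the guest interface: one pinhole to the published
!    web server's real address, then deny all private space, then allow
!    the internet. Order matters; first match wins.
object-group network RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
access-list GUEST_IN extended permit tcp any host 10.1.1.10 eq www
access-list GUEST_IN extended permit tcp any host 10.1.1.10 eq https
access-list GUEST_IN extended deny ip any object-group RFC1918
access-list GUEST_IN extended permit ip any any
access-group GUEST_IN in interface guest
!
! 4. The web server published on a public address, with DNS rewrite.
!    "dns" tells the ASA to rewrite the A record in DNS replies that carry
!    the mapped address so the client receives the real address instead.
object network web-server
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10 dns
!
! Pre-8.3 equivalent of step 4 (the "static" form Jeff refers to):
! static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255 dns
```

The pinhole in step 3 is the part that is easy to miss: once the reply is rewritten, guest clients connect to 10.1.1.10 directly, so a blanket RFC 1918 deny would stop them at the ACL. Whether the rewrite is applied to replies headed for the guest interface rather than the inside interface is the question Jeff leaves open; check it from a guest client with a plain `nslookup` of the server name and see whether the answer comes back as 203.0.113.10 or 10.1.1.10 before widening anything else. If it is not rewritten, a NAT rule on the (inside,guest) interface pair is the direction to look, which this example does not cover.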
Current thread:
- Public Use VLAN (x-posted to netman listserv) Allen Wood (Oct 02)
- Re: Public Use VLAN (x-posted to netman listserv) Jeff Kell (Oct 02)
- Re: Public Use VLAN (x-posted to netman listserv) Jeff Moore (Oct 03)
- Re: Public Use VLAN (x-posted to netman listserv) H Morrow Long (Oct 03)
- Re: Public Use VLAN (x-posted to netman listserv) David Gillett (Oct 03)
- Re: Public Use VLAN (x-posted to netman listserv) Morrow Long (Oct 04)
- Re: Public Use VLAN (x-posted to netman listserv) David Gillett (Oct 03)
- <Possible follow-ups>
- Re: Public Use VLAN (x-posted to netman listserv) Aaron Hockett (Oct 02)
- Re: Public Use VLAN (x-posted to netman listserv) Jeff Kell (Oct 03)