RE: [fw-wiz] Discretionary WiFi Access

• Previous message: Ben Nagy: "RE: [fw-wiz] (no subject)"
• In reply to: Dave Null: "[fw-wiz] Discretionary WiFi Access"
• Next in thread: Brenno Hiemstra: "Re: [fw-wiz] Discretionary WiFi Access"
• Reply: Brenno Hiemstra: "Re: [fw-wiz] Discretionary WiFi Access"
• Reply: StefanDorn_at_bankcib.com: "RE: [fw-wiz] Discretionary WiFi Access"
• Reply: Vinicius Moreira Mello: "Re: [fw-wiz] Discretionary WiFi Access"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: <firewall-wizards@honor.icsalabs.com>
Date: Fri, 8 Jul 2005 18:18:45 +0530

 
Keeping it simple:Physical segregation and only Internet access

Provide access points ONLY at cafeterias and conference rooms. Have separate
L2, L3 devices for these access points and donor interface at any point with
the company LAN.Limit signal strength to within your premises.

Have a separate Firewall and provide outbound access, with standard gateway
controls like AV, URL filter .

---------------------------------------------
Some companies implement MAC-address-locking for guests. Give your driving
license and take a wireless card. U always remember to take your license
back.

Jose Varghese
Paladion Networks

Application Security Magazine
http://palisade.paladion.net

-----Original Message-----
From: firewall-wizards-admin@honor.icsalabs.com
[mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Dave Null
Sent: Friday, July 08, 2005 2:17 AM
To: firewall-wizards@honor.icsalabs.com
Subject: [fw-wiz] Discretionary WiFi Access

Its not firewall related, but there's some smart minds on this list.
My company has started looking into campus-wide WiFi. I'll keep my personal
feeling on this to myself though. One thing that keeps comming up is that
one of the largest user communities that would take advantage of this would
be non-employees. Vendors, Salesmen, people meeting with GMs/VPs/Execs are
probably going to be the main users of this. My question is, if you
currently have a similar situation in your work environment, how do you
handle granting these people temp/guest WiFi access.

Access controls for employees can be fairly stringent (i.e. only connect
from company owned assets who's MAC is inventoried, use of 2 factor
authentication, etc), but a lot of this isnt applicable for temporary
visitors. I know one company that would give you a WiFi card when you signed
in that was in their database of 'allowed' MAC addresses (I know, dont get
me started on MAC spoofing), however I would bet cash money that those cards
walked away regularly. Similar thing with issuing a temporary token fob
(SecureID or the like).

I know the easy answer here is 'Dont give them WiFi access', but I don't
think that is going to be an option. Thoughts, comments, flames?

                           -noid
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

• Previous message: Ben Nagy: "RE: [fw-wiz] (no subject)"
• In reply to: Dave Null: "[fw-wiz] Discretionary WiFi Access"
• Next in thread: Brenno Hiemstra: "Re: [fw-wiz] Discretionary WiFi Access"
• Reply: Brenno Hiemstra: "Re: [fw-wiz] Discretionary WiFi Access"
• Reply: StefanDorn_at_bankcib.com: "RE: [fw-wiz] Discretionary WiFi Access"
• Reply: Vinicius Moreira Mello: "Re: [fw-wiz] Discretionary WiFi Access"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]