RE: [fw-wiz] Discretionary WiFi Access

StefanDorn_at_bankcib.com
Date: 07/08/05

  • Next message: Tom Carmichael: "Re: [fw-wiz] Discretionary WiFi Access"
    To: firewall-wizards@honor.icsalabs.com
    Date: Fri, 8 Jul 2005 11:13:35 -0500
    
    

    One thing to consider is that once you've set up a separate network inside
    your infrastructure, how are you going to monitor it? It would be pretty
    irresponsible these days to just set up a 'fire and forget' guest network,
    even if it isn't connected to your main network.

    Disclaimer or not, you'd need to consider logging options, and security is
    still an important piece, since your guest network is a doorway for
    potential information leaks. Your main network may be very secure, but
    will that stop someone from transferring data by plugging in to your
    unsecured network? Nope.

    You also would have to consider using strong web blocking, AV, and
    firewall rule sets, since you could easily damage your business image (not
    to mention generate a ton of bad audit results) by running an unsecured
    network within your infrastructure.

    Stefan Dorn

    firewall-wizards-admin@honor.icsalabs.com wrote on 07-08-2005 07:48:45 AM:

    >
    > Keeping it simple: Physical segregation and only Internet access
    >
    > Provide access points ONLY at cafeterias and conference rooms. Have separate
    > L2, L3 devices for these access points and do not interface at any point with
    > the company LAN. Limit signal strength to within your premises.
    >
    > Have a separate Firewall and provide outbound access, with standard gateway
    > controls like AV, URL filter.
    >
    > ---------------------------------------------
    > Some companies implement MAC-address-locking for guests. Give your driving
    > license and take a wireless card. You always remember to take your license
    > back.
    >
    > Jose Varghese
    > Paladion Networks
    >
    > Application Security Magazine
    > http://palisade.paladion.net
    >
    >
    > -----Original Message-----
    > From: firewall-wizards-admin@honor.icsalabs.com
    > [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Dave Null
    > Sent: Friday, July 08, 2005 2:17 AM
    > To: firewall-wizards@honor.icsalabs.com
    > Subject: [fw-wiz] Discretionary WiFi Access
    >
    > It's not firewall related, but there's some smart minds on this list.
    > My company has started looking into campus-wide WiFi. I'll keep my personal
    > feeling on this to myself though. One thing that keeps coming up is that
    > one of the largest user communities that would take advantage of this would
    > be non-employees. Vendors, Salesmen, people meeting with GMs/VPs/Execs are
    > probably going to be the main users of this. My question is, if you
    > currently have a similar situation in your work environment, how do you
    > handle granting these people temp/guest WiFi access?
    >
    > Access controls for employees can be fairly stringent (i.e. only connect
    > from company owned assets whose MAC is inventoried, use of 2 factor
    > authentication, etc), but a lot of this isn't applicable for temporary
    > visitors. I know one company that would give you a WiFi card when you signed
    > in that was in their database of 'allowed' MAC addresses (I know, don't get
    > me started on MAC spoofing), however I would bet cash money that those cards
    > walked away regularly. Similar thing with issuing a temporary token fob
    > (SecurID or the like).
    >
    > I know the easy answer here is 'Don't give them WiFi access', but I don't
    > think that is going to be an option. Thoughts, comments, flames?
    >
    > -noid

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
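
The monitoring point raised in this reply, as an added example that is not part of the thread or written by any of its posters: a Python audit of one window of guest-firewall log that flags guest traffic toward internal address space, allowed traffic on unexpected ports, and unusually large uploads. The log format, the 10.99.0.0/24 guest subnet, the port list and the upload threshold are all assumptions made for the illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed values for illustration (none of these come from the thread).
GUEST_NET = ipaddress.ip_network("10.99.0.0/24")   # guest WiFi subnet
GUEST_GW = ipaddress.ip_address("10.99.0.1")       # guest firewall / DNS relay
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_PORTS = {53, 80, 443}                      # intended outbound services
UPLOAD_LIMIT = 50_000_000                          # bytes per client per window

# Constructed sample log: timestamp src dst dport bytes_out action
SAMPLE_LOG = """\
2005-07-08T09:01:10 10.99.0.23 198.51.100.7 443 18200 ALLOW
2005-07-08T09:02:41 10.99.0.23 192.168.10.5 445 0 DENY
2005-07-08T09:03:02 10.99.0.40 203.0.113.9 25 5120 ALLOW
2005-07-08T09:05:55 10.99.0.57 198.51.100.7 443 72000000 ALLOW
2005-07-08T09:06:10 10.99.0.23 10.99.0.1 53 120 ALLOW
garbage line
"""

def audit(log_text):
    """Return (findings, unparsed_lines) for one window of guest firewall log."""
    findings, unparsed, uploaded = [], [], defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            ts, src, dst, dport, nbytes, action = line.split()
            src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            dport, nbytes = int(dport), int(nbytes)
        except ValueError:
            unparsed.append(line)      # keep bad lines visible, never drop silently
            continue
        if src not in GUEST_NET:
            continue
        target = f"{dst}:{dport} {action}"
        if dst != GUEST_GW and any(dst in net for net in INTERNAL):
            findings.append((ts, str(src), "internal-destination", target))
        elif action == "ALLOW" and dport not in ALLOWED_PORTS:
            findings.append((ts, str(src), "unexpected-port", target))
        if action == "ALLOW":
            uploaded[src] += nbytes    # only traffic that actually left counts
    for src, total in sorted(uploaded.items()):
        if total > UPLOAD_LIMIT:
            findings.append(("window", str(src), "upload-volume", f"{total} bytes"))
    return findings, unparsed

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG)[0]:
        print(*finding)
```

A denied attempt toward an internal range is still reported, since a guest probing the segregation boundary is worth seeing even when the firewall held.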

