Re: [fw-wiz] Discretionary WiFi Access

From: Jim Seymour (
Date: 07/08/05

  • Next message: James Paterson: "[fw-wiz] The Death Of A Firewall"
    Date: Fri,  8 Jul 2005 09:57:56 -0400 (EDT)

    Dave Null <> wrote:
    > My company has started looking into campus-wide WiFi. I'll keep my
    > personal feeling on this to myself though.

    WiFi doesn't *have* to be a problem. Use WPA for your secure WLAN.

    > One thing that keeps
    > coming up is that one of the largest user communities that would take
    > advantage of this would be non-employees. Vendors, Salesmen, people
    > meeting with GMs/VPs/Execs are probably going to be the main users of
    > this. My question is, if you currently have a similar situation in
    > your work environment, how do you handle granting these people
    > temp/guest WiFi access.

    We don't--currently. But the issue has been raised.

    > Access controls for employees can be fairly stringent (i.e. only
    > connect from company owned assets whose MAC is inventoried,

    Worthless measure. I did away with MAC address ACLs when I added my
    second AP. (We have a kind of "MAC access control" due to the use of
    DHCP for address assignment, but, of course, that would be trivial to
    get around.)

    > use of 2
    > factor authentication, etc), but a lot of this isn't applicable for
    > temporary visitors.

    > I know the easy answer here is 'Don't give them WiFi access', but I
    > don't think that is going to be an option.

    Of course, when it blows up in management's collective faces, they will
    take responsibility for that, *and* see to it the IT dept. is
    compensated for the extra time spent cleaning up, right?

    > Thoughts, comments, flames?

    There are a couple of ways to go, but both of them involve setting up a
    completely separate WiFi network, with a completely separate (set of)
    WiFi AP(s) running in "open" mode. One way is to terminate the "guest"
    WLAN on a dedicated port on your existing firewall or Internet border
    router. Another way would be to terminate the guest WLAN at a firewall
    connecting to your existing LAN. I don't like the latter option. And
    if your Internet firewall is anything like mine, your guests would
    probably find the resulting 'net access largely useless, anyway. (No
    IMAP/POP/SMTP or IM of any type through the firewall. ActiveTrojan
    filtered/blocked. Etc., etc.)

    If the idea of running an open mode WLAN scares you (it ought to), you
    *could* compromise on a WEP or WPA-PSK WLAN. But those would almost
    certainly involve you in tech. support for your guests. And, of
    course, if anything should break coincident with whatever you did to
    get them on your guest WLAN...

    Airports, coffee houses and the like use some sort of system that lets
    guests on the WLAN, but all traffic leads to a firewall and HTTP
    requests get them to a system that lets them buy time with a CC. Maybe
    something like that? You'd still need a completely separate WLAN, of


    Note: My mail server employs *very* aggressive anti-spam
    filtering.  If you reply to this email and your email is
    rejected, please accept my apologies and let me know via my
    web form at <>.
    firewall-wizards mailing list
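The first option Jim describes above (guest WLAN on its own AP, terminated on a dedicated firewall port, web-only access, no path into the corporate LAN) written out as an iptables-restore ruleset. This is an added example, not code from the post or the list; the interface names (eth0 Internet, eth1 corporate LAN, eth2 guest port), the guest subnet 192.168.200.0/24, the 10.0.0.0/8 corporate range, and the firewall serving DHCP/DNS to guests are all assumptions.

```iptables
# Guest-WLAN isolation ruleset (iptables-restore format). Added example; assumed
# interfaces: eth0 = Internet border, eth1 = corporate LAN, eth2 = dedicated port
# for the open-mode guest AP(s). Assumed guest subnet 192.168.200.0/24.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Guest clients leave only through the Internet border address.
-A POSTROUTING -s 192.168.200.0/24 -o eth0 -j MASQUERADE
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:GUEST_IN - [0:0]
:GUEST_FWD - [0:0]

-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth2 -j GUEST_IN
# (the existing INPUT rules for eth0/eth1 belong here)

# Guest clients may talk to the firewall itself only to obtain an address
# (DHCP, source 0.0.0.0 so no -s match) and to resolve names (assumed local DNS).
-A GUEST_IN -p udp --sport 68 --dport 67 -j ACCEPT
-A GUEST_IN -s 192.168.200.0/24 -p udp --dport 53 -j ACCEPT
-A GUEST_IN -s 192.168.200.0/24 -p tcp --dport 53 -j ACCEPT
-A GUEST_IN -j LOG --log-prefix "guest->fw denied: "
-A GUEST_IN -j DROP

-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth2 -j GUEST_FWD
# No rule forwards NEW connections *into* eth2, so the FORWARD policy (DROP)
# keeps the rest of the network from initiating anything toward guests.

# Nothing from the guest segment is forwarded to the corporate LAN interface,
# nor to any private address range regardless of which interface it would exit.
-A GUEST_FWD -o eth1 -j DROP
-A GUEST_FWD -d 10.0.0.0/8 -j DROP
-A GUEST_FWD -d 172.16.0.0/12 -j DROP
-A GUEST_FWD -d 192.168.0.0/16 -j DROP
# Only web traffic goes out to the Internet; mail and IM ports stay closed,
# which matches the policy the post describes for its own border firewall.
-A GUEST_FWD -s 192.168.200.0/24 -o eth0 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A GUEST_FWD -j LOG --log-prefix "guest->other denied: "
-A GUEST_FWD -j DROP
COMMIT
```

The LOG lines are what you grep for when a guest box starts scanning: every attempt from eth2 toward the LAN or toward a non-web port shows up with the "guest->" prefix before it is dropped.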
