Re: [fw-wiz] Discretionary WiFi Access

From: Jim Seymour (jseymour_at_linxnet.com)
Date: 07/08/05

  • Next message: James Paterson: "[fw-wiz] The Death Of A Firewall"
    To: firewall-wizards@honor.icsalabs.com
    Date: Fri,  8 Jul 2005 09:57:56 -0400 (EDT)
    
    

    Dave Null <noid23@gmail.com> wrote:
    >
    [snip]
    > My company has started looking into campus-wide WiFi. I'll keep my
    > personal feeling on this to myself though.

    WiFi doesn't *have* to be a problem. Use WPA for your secure WLAN.

    > One thing that keeps
    > coming up is that one of the largest user communities that would take
    > advantage of this would be non-employees. Vendors, Salesmen, people
    > meeting with GMs/VPs/Execs are probably going to be the main users of
    > this. My question is, if you currently have a similar situation in
    > your work environment, how do you handle granting these people
    > temp/guest WiFi access.

    We don't--currently. But the issue has been raised.

    >
    > Access controls for employees can be fairly stringent (i.e. only
    > connect from company owned assets whose MAC is inventoried,

    Worthless measure. I did away with MAC address ACLs when I added my
    second AP. (We have a kind of "MAC access control" due to the use of
    DHCP for address assignment, but, of course, that would be trivial to
    get around.)

    > use of 2
    > factor authentication, etc), but a lot of this isn't applicable for
    > temporary visitors.

    Yup.

    [snip]
    >
    > I know the easy answer here is 'Don't give them WiFi access', but I
    > don't think that is going to be an option.

    Of course, when it blows up in management's collective faces, they will
    take responsibility for that, *and* see to it the IT dept. is
    compensated for the extra time spent cleaning up, right?

    > Thoughts, comments, flames?

    There are a couple of ways to go, but both of them involve setting up a
    completely separate WiFi network, with a completely separate (set of)
    WiFi AP(s) running in "open" mode. One way is to terminate the "guest"
    WLAN on a dedicated port on your existing firewall or Internet border
    router. Another way would be to terminate the guest WLAN at a firewall
    connecting to your existing LAN. I don't like the latter option. And
    if your Internet firewall is anything like mine, your guests would
    probably find the resulting 'net access largely useless, anyway. (No
    IMAP/POP/SMTP or IM of any type through the firewall. ActiveTrojan
    filtered/blocked. Etc., etc.)

    If the idea of running an open mode WLAN scares you (it ought to), you
    *could* compromise on a WEP or WPA-PSK WLAN. But those would almost
    certainly involve you in tech. support for your guests. And, of
    course, if anything should break coincident with whatever you did to
    get them on your guest WLAN...

    Airports, coffee houses and the like use some sort of system that lets
    guests on the WLAN, but all traffic leads to a firewall and HTTP
    requests get them to a system that lets them buy time with a CC. Maybe
    something like that? You'd still need a completely separate WLAN, of
    course.

    Jim

    -- 
    Note: My mail server employs *very* aggressive anti-spam
    filtering.  If you reply to this email and your email is
    rejected, please accept my apologies and let me know via my
    web form at <http://jimsun.linxnet.com/scform.php>.
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
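
Added example, not part of Jim Seymour's post: a sketch in nftables syntax of the first option he describes, with the open-mode guest WLAN terminated on a dedicated firewall port. The interface names `wan0` and `guest0` are hypothetical, and it assumes the firewall's existing ruleset already handles NAT and stateful return traffic.

```nftables
#!/usr/sbin/nft -f
# Added example: constrain only the traffic that arrives on the guest port.
# Everything else falls through to the firewall's existing policy.
# Assumed (hypothetical) interface names:
#   wan0   = Internet-facing port
#   guest0 = dedicated port the guest APs are cabled to

define WAN   = "wan0"
define GUEST = "guest0"

table inet guest_wlan {
    chain guest_input {
        type filter hook input priority filter; policy accept;

        # Not from the guest port: leave the decision to the other tables.
        iifname != $GUEST return

        ct state established,related accept

        # Guests may ask the firewall for an address and for name
        # resolution, and nothing else (no management access).
        udp dport { 53, 67 } accept
        tcp dport 53 accept

        counter drop
    }

    chain guest_forward {
        type filter hook forward priority filter; policy accept;

        iifname != $GUEST return

        # Guests reach the Internet only. Any per-protocol egress policy
        # for guests would be added here, separate from the employee rules.
        oifname $WAN accept

        # Anything else, including every path toward the internal LAN,
        # is logged and dropped so attempts show up in the firewall log.
        log prefix "guest-wlan blocked: " counter drop
    }
}
```

Because the guest port has its own chains, guest egress can differ from the restrictive employee policy mentioned in the post without loosening that policy.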
    
