RE: [fw-wiz] Discretionary WiFi Access

From: Orca (klrorca_at_hotmail.com)
Date: 07/15/05

    To: <firewall-wizards@honor.icsalabs.com>
    Date: Thu, 14 Jul 2005 18:30:40 -0700
    
    

     I had this issue come up. What I did was feed a Wi-Fi network into a 3030
     Cisco VPN concentrator. I then set up key card access for passwords, and
     assigned multiple guest accounts. I used SB RADIUS for AAA. I used RFC 1918
     space for the DHCP so they had to NAT to get out, just to add another layer
     (and use the firewall). I also made sure to kill split tunnel. I logged the
     MAC address/IP address with the account login, so I had an audit trail for
     forensics in case I ever needed it.

     I used ACLs and physical separation for these accounts; they could then
     access the Internet and limited DMZ resources, but were completely cut off
     from our intranet.

     If a vendor needed them, the receptionist would hand out a key card and the
     client, log the time in and out, and make them present ID, so we knew which
     account matched which guest.

     I also checked the signal bleed outside the building, just to be sure, and
     monitored the bandwidth with remote alerts for high bandwidth use, to watch
     for abuse.

     It worked very well, well enough that I did the same for employees - but
     with more access.

     Hope this helps.

     -Steve

    > >
    > > Dave Null wrote:
    > > > It's not firewall related, but there are some smart minds on this list.
    > > > My company has started looking into campus-wide WiFi. I'll keep my
    > > > personal feeling on this to myself though. One thing that keeps
    > > > coming up is that one of the largest user communities that would take
    > > > advantage of this would be non-employees. Vendors, salesmen, people
    > > > meeting with GMs/VPs/Execs are probably going to be the main users of
    > > > this. My question is, if you currently have a similar situation in
    > > > your work environment, how do you handle granting these people
    > > > temp/guest WiFi access?
    > > >
    > > > Access controls for employees can be fairly stringent (i.e. only
    > > > connect from company-owned assets whose MAC is inventoried, use of
    > > > two-factor authentication, etc.), but a lot of this isn't applicable for
    > > > temporary visitors. I know one company that would give you a WiFi card
    > > > when you signed in that was in their database of 'allowed' MAC
    > > > addresses (I know, don't get me started on MAC spoofing); however, I
    > > > would bet cash money that those cards walked away regularly. Similar
    > > > thing with issuing a temporary token fob (SecurID or the like).
    > > >
    > > > I know the easy answer here is 'Don't give them WiFi access', but I
    > > > don't think that is going to be an option. Thoughts, comments, flames?
    > > >
    > > > -noid
    > >
    > > I have set up an access point outside of our firewall for this express
    > > purpose. It is wide open and I simply monitor port usage to keep an eye
    > > out for any abuse; it hasn't been an issue so far.
    > >
    > > Josh
    > > _______________________________________________
    > > firewall-wizards mailing list
    > > firewall-wizards@honor.icsalabs.com
    > > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    > >
    >
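The two parts of Steve's setup that produce the audit trail he describes are the AAA accounting records (account, MAC, assigned IP, session start/stop, byte counters) and the front desk's sign-in log (which guest account went to which person). The script below, added here as an example and not code from the original post or from any of the products named in it, correlates those two sources to answer the forensic question "who held this guest IP at this time?" and flags sessions whose accounting counters show a high-bandwidth interval, which is the abuse alert Steve mentions. The record layout in SAMPLE_LOG, the visitor roster in FRONT_DESK, and every account, MAC and address in them are constructed for the example; a real RADIUS server writes its accounting data in its own format (FreeRADIUS, for instance, writes multi-line detail files), so only the parser would need adapting.

```python
"""Guest Wi-Fi audit trail and bandwidth-abuse alerting from RADIUS accounting.

Added example, not from the original post. Assumptions: the AAA server emits
one accounting record per line in the constructed key=value layout shown in
SAMPLE_LOG, and the front desk keeps a roster keyed by the guest account it
issued. Addresses are in RFC 1918 space, as in the post.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple, Union

# Constructed sample accounting records; no account, MAC or address here is real.
SAMPLE_LOG = """\
2005-07-14T09:02:11 Acct-Status-Type=Start User-Name=guest03 Calling-Station-Id=00-0C-29-4F-8A-1D Framed-IP-Address=10.200.5.17 Acct-Session-Id=8001A3
2005-07-14T09:15:00 Acct-Status-Type=Interim-Update User-Name=guest03 Acct-Session-Id=8001A3 Acct-Input-Octets=3200000 Acct-Output-Octets=45000000
2005-07-14T09:30:00 Acct-Status-Type=Interim-Update User-Name=guest03 Acct-Session-Id=8001A3 Acct-Input-Octets=4000000 Acct-Output-Octets=1500000000
2005-07-14T09:41:55 Acct-Status-Type=Start User-Name=guest07 Calling-Station-Id=00-11-22-33-44-55 Framed-IP-Address=10.200.5.18 Acct-Session-Id=8001A4
2005-07-14T10:05:31 Acct-Status-Type=Stop User-Name=guest03 Acct-Session-Id=8001A3 Acct-Input-Octets=4100000 Acct-Output-Octets=1600000000
2005-07-14T11:00:00 Acct-Status-Type=Stop User-Name=guest07 Acct-Session-Id=8001A4 Acct-Input-Octets=500000 Acct-Output-Octets=2000000
"""

# Constructed front-desk roster: guest account -> (visitor, signed in, signed out).
FRONT_DESK = {
    "guest03": ("J. Doe (Acme Corp.)", "09:00", "10:10"),
    "guest07": ("K. Lee (Widgets Inc.)", "09:40", "11:05"),
}


@dataclass
class Session:
    session_id: str
    user: str
    mac: str = "?"
    ip: str = "?"
    start: Optional[datetime] = None
    stop: Optional[datetime] = None
    # (timestamp, cumulative input octets, cumulative output octets)
    samples: List[Tuple[datetime, int, int]] = field(default_factory=list)


def parse_records(text: str) -> List[dict]:
    """Turn each log line into a dict; the first token is the ISO timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        rec = dict(p.split("=", 1) for p in pairs)
        rec["ts"] = datetime.fromisoformat(ts)
        records.append(rec)
    return records


def build_sessions(records: List[dict]) -> Dict[str, Session]:
    """Correlate Start / Interim-Update / Stop records by Acct-Session-Id."""
    sessions: Dict[str, Session] = {}
    for r in records:
        s = sessions.setdefault(r["Acct-Session-Id"],
                                Session(r["Acct-Session-Id"], r["User-Name"]))
        kind = r["Acct-Status-Type"]
        if kind == "Start":
            s.mac = r.get("Calling-Station-Id", "?")
            s.ip = r.get("Framed-IP-Address", "?")
            s.start = r["ts"]
            s.samples.append((r["ts"], 0, 0))
        else:  # Interim-Update and Stop carry cumulative byte counters
            s.samples.append((r["ts"], int(r.get("Acct-Input-Octets", 0)),
                              int(r.get("Acct-Output-Octets", 0))))
            if kind == "Stop":
                s.stop = r["ts"]
    return sessions


def who_had(sessions: Dict[str, Session], ip: str,
            at: Union[datetime, str]) -> Optional[dict]:
    """Forensic lookup: which account, MAC and visitor held this IP at this time?

    A session with no Stop record yet is treated as still open.
    """
    if isinstance(at, str):
        at = datetime.fromisoformat(at)
    for s in sessions.values():
        if s.ip != ip or s.start is None or at < s.start:
            continue
        if s.stop is not None and at > s.stop:
            continue
        visitor = FRONT_DESK.get(s.user, ("unknown visitor", "?", "?"))[0]
        return {"user": s.user, "mac": s.mac, "session": s.session_id,
                "visitor": visitor}
    return None


def bandwidth_alerts(sessions: Dict[str, Session],
                     max_bytes_per_sec: float) -> List[dict]:
    """Flag each accounting interval whose average rate exceeds the threshold."""
    alerts = []
    for s in sessions.values():
        for (t0, i0, o0), (t1, i1, o1) in zip(s.samples, s.samples[1:]):
            seconds = (t1 - t0).total_seconds()
            if seconds <= 0:
                continue
            rate = ((i1 - i0) + (o1 - o0)) / seconds
            if rate > max_bytes_per_sec:
                alerts.append({"user": s.user, "session": s.session_id,
                               "at": t1, "bytes_per_sec": rate})
    return alerts


if __name__ == "__main__":
    sessions = build_sessions(parse_records(SAMPLE_LOG))
    print(who_had(sessions, "10.200.5.17", "2005-07-14T09:50:00"))
    for a in bandwidth_alerts(sessions, 1_000_000):
        print(f"ALERT {a['user']} session {a['session']} at {a['at']:%H:%M}: "
              f"{a['bytes_per_sec']:.0f} B/s")
```

Two caveats for anyone adapting this to a real accounting feed: the rate is averaged over the interim-update interval, so a short burst inside a long interval is diluted (shorten the NAS's interim interval if bursts matter), and standard RADIUS octet counters are 32-bit, so a busy session wraps them and the Acct-Input-Gigawords / Acct-Output-Gigawords attributes have to be folded in before taking deltas.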

