Send firewall-wizards mailing list submissions to
firewall-wizards@honor.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@honor.icsalabs.com
You can reach the person managing the list at
firewall-wizards-admin@honor.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. Re: Discretionary WiFi Access (Josh Welch)
2. Re: Discretionary WiFi Access (Brenno Hiemstra)
3. RE: Discretionary WiFi Access (StefanDorn@bankcib.com)
4. Re: Discretionary WiFi Access (Tom Carmichael)
5. Re: Discretionary WiFi Access (Chris Byrd)
6. Re: Discretionary WiFi Access (Jim Seymour)
--__--__--
Message: 1
Date: Fri, 08 Jul 2005 09:40:24 -0500
From: Josh Welch <jwelch@buffalowildwings.com>
To: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Discretionary WiFi Access
Dave Null wrote:
> It's not firewall related, but there are some smart minds on this list.
> My company has started looking into campus-wide WiFi. I'll keep my
> personal feeling on this to myself though. One thing that keeps
> coming up is that one of the largest user communities that would take
> advantage of this would be non-employees. Vendors, Salesmen, people
> meeting with GMs/VPs/Execs are probably going to be the main users of
> this. My question is, if you currently have a similar situation in
> your work environment, how do you handle granting these people
> temp/guest WiFi access?
>
> Access controls for employees can be fairly stringent (i.e. only
> connect from company owned assets whose MAC is inventoried, use of 2
> factor authentication, etc), but a lot of this isn't applicable for
> temporary visitors. I know one company that would give you a WiFi card
> when you signed in that was in their database of 'allowed' MAC
> addresses (I know, don't get me started on MAC spoofing), however I
> would bet cash money that those cards walked away regularly. Similar
> thing with issuing a temporary token fob (SecureID or the like).
>
> I know the easy answer here is 'Don't give them WiFi access', but I
> don't think that is going to be an option. Thoughts, comments, flames?
>
> -noid
I have set up an access point outside of our firewall for this express
purpose. It is wide open and I simply monitor port usage to keep an eye
out for any abuse; it hasn't been an issue so far.
Josh
--__--__--
Message: 2
Date: Fri, 8 Jul 2005 17:42:25 +0200
From: Brenno Hiemstra <brenno.hiemstra@gmail.com>
Reply-To: Brenno Hiemstra <brenno.hiemstra@gmail.com>
To: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Discretionary WiFi Access
Read this overview:
http://www.netcraftsmen.net/welcher/papers/wlandesign02.html
I think this describes some technologies that could be applicable for your case.
Brenno.
--__--__--
Message: 3
From: StefanDorn@bankcib.com
To: firewall-wizards@honor.icsalabs.com
Subject: RE: [fw-wiz] Discretionary WiFi Access
Date: Fri, 8 Jul 2005 11:13:35 -0500
One thing to consider is that once you've set up a separate network inside
your infrastructure, how are you going to monitor it? It would be pretty
irresponsible these days to just set up a 'fire and forget' guest network,
even if it isn't connected to your main network.
Disclaimer or not, you'd need to consider logging options, and security is
still an important piece, since your guest network is a doorway for
potential information leaks. Your main network may be very secure, but
will that stop someone from transferring data by plugging in to your
unsecured network? Nope.
You also would have to consider using strong web blocking, AV, and
firewall rule sets, since you could easily damage your business image (not
to mention generate a ton of bad audit results) by running an unsecured
network within your infrastructure.
Stefan Dorn
firewall-wizards-admin@honor.icsalabs.com wrote on 07-08-2005 07:48:45 AM:
>
> Keeping it simple: Physical segregation and only Internet access
>
> Provide access points ONLY at cafeterias and conference rooms. Have
> separate L2, L3 devices for these access points and do not interface at
> any point with the company LAN. Limit signal strength to within your
> premises.
>
> Have a separate Firewall and provide outbound access, with standard
> gateway controls like AV, URL filter.
>
> ---------------------------------------------
> Some companies implement MAC-address-locking for guests. Give your
> driving license and take a wireless card. You always remember to take
> your license back.
>
> Jose Varghese
> Paladion Networks
>
> Application Security Magazine
> http://palisade.paladion.net
>
>
--__--__--
Message: 4
Date: Fri, 8 Jul 2005 09:16:29 -0400
From: Tom Carmichael <tomc74@gmail.com>
Reply-To: Tom Carmichael <tomc74@gmail.com>
To: Dave Null <noid23@gmail.com>
Subject: Re: [fw-wiz] Discretionary WiFi Access
Cc: firewall-wizards@honor.icsalabs.com
> I know one company that would give you a WiFi card
> when you signed in that was in their database of 'allowed' MAC
> addresses (I know, don't get me started on MAC spoofing), however I
> would bet cash money that those cards walked away regularly. Similar
> thing with issuing a temporary token fob (SecureID or the like).
>
The way a former company I was at dealt with SecurID was to have the
physical token kept in our 24/7 Network Operations Center. If a
vendor needed/wanted to get in, they had to call the NOC; the NOC would
check their name against a list. Assuming that was okay, the NOC
would provide the read-out of the token, and the vendor knew the PIN. Not
perfect, but better than just handing out tokens to every vendor that
comes along.
Tom Carmichael
--__--__--
Message: 5
Date: Fri, 8 Jul 2005 08:57:05 -0500
From: Chris Byrd <cbyrd01@gmail.com>
Reply-To: Chris Byrd <cbyrd01@gmail.com>
To: Dave Null <noid23@gmail.com>
Subject: Re: [fw-wiz] Discretionary WiFi Access
Cc: firewall-wizards@honor.icsalabs.com
Many APs support 802.1x with dynamic VLAN membership. This means that
authenticated users get into an internal access VLAN (which should still be
separated from the internal network by a firewall - this is the
firewalls list after all), and non-authenticated users get an Internet
access VLAN. You can use queueing techniques to rate-limit the
guests.
A captive portal would allow you to make guests sign off on acceptable
use terms before giving them access.
- Chris
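The dynamic-VLAN design Chris describes works because the RADIUS server's Access-Accept carries the RFC 2868 Tunnel-* attributes (as profiled for 802.1X in RFC 3580) that tell the AP which VLAN to put the station in. The following is an added example, not code from this thread or from any AP vendor, showing how those attributes are encoded and how an AP-side parser should validate them before acting on them; a station with no complete, consistent triple gets no VLAN from the parser, and the caller chooses the fallback (for example, the guest/Internet-only VLAN).

```python
"""Encode and validate RADIUS dynamic-VLAN attributes (RFC 2868 / RFC 3580).
Added example for the 802.1x dynamic-VLAN discussion; not the thread's code."""
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13          # RFC 3580: Tunnel-Type value for VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # RFC 2868: Tunnel-Medium-Type value for IEEE-802

def _avp(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type(1) Length(1, includes header) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def vlan_attributes(vlan_id: int, tag: int = 1) -> bytes:
    """Attributes appended to an Access-Accept so the AP places the
    authenticated station in VLAN `vlan_id` (e.g. employee vs. guest VLAN)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must fit the 0x00-0x1F tag space")
    def tagged_int(v: int) -> bytes:      # tag octet + 3-octet integer
        return bytes([tag]) + struct.pack("!I", v)[1:]
    return (_avp(TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN))
            + _avp(TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_IEEE_802))
            + _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))

def assigned_vlan(attrs: bytes):
    """Walk the attribute list as an AP would and return the VLAN id only if a
    consistent tagged triple (VLAN / IEEE-802 / numeric group id) is present.
    Truncated or malformed attribute lists yield None rather than a guess."""
    seen = {}
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            return None
        t, l = attrs[i], attrs[i + 1]
        if l < 2 or i + l > len(attrs):
            return None                      # truncated or garbage attribute
        v = attrs[i + 2:i + l]
        i += l
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(v) == 4:
            seen[(t, v[0])] = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID and v:
            # A leading octet above 0x1F is data, not a tag (RFC 2868 s3.6)
            tag, body = (v[0], v[1:]) if v[0] <= 0x1F else (0, v)
            seen[(t, tag)] = body
    for tag in range(0x20):
        if (seen.get((TUNNEL_TYPE, tag)) == TUNNEL_TYPE_VLAN
                and seen.get((TUNNEL_MEDIUM_TYPE, tag)) == TUNNEL_MEDIUM_IEEE_802
                and seen.get((TUNNEL_PRIVATE_GROUP_ID, tag), b"").isdigit()):
            return int(seen[(TUNNEL_PRIVATE_GROUP_ID, tag)])
    return None
```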
--__--__--
Message: 6
To: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Discretionary WiFi Access
Reply-To: firewall-wizards@honor.icsalabs.com
Date: Fri, 8 Jul 2005 09:57:56 -0400 (EDT)
From: jseymour@linxnet.com (Jim Seymour)
Dave Null <noid23@gmail.com> wrote:
>
[snip]
> My company has started looking into campus-wide WiFi. I'll keep my
> personal feeling on this to myself though.
WiFi doesn't *have* to be a problem. Use WPA for your secure WLAN.
> One thing that keeps
> coming up is that one of the largest user communities that would take
> advantage of this would be non-employees. Vendors, Salesmen, people
> meeting with GMs/VPs/Execs are probably going to be the main users of
> this. My question is, if you currently have a similar situation in
> your work environment, how do you handle granting these people
> temp/guest WiFi access?
We don't--currently. But the issue has been raised.
>
> Access controls for employees can be fairly stringent (i.e. only
> connect from company owned assets whose MAC is inventoried,
Worthless measure. I did away with MAC address ACLs when I added my
second AP. (We have a kind of "MAC access control" due to the use of
DHCP for address assignment, but, of course, that would be trivial to
get around.)
> use of 2
> factor authentication, etc), but a lot of this isn't applicable for
> temporary visitors.
Yup.
[snip]
>
> I know the easy answer here is 'Don't give them WiFi access', but I
> don't think that is going to be an option.
Of course, when it blows up in management's collective faces, they will
take responsibility for that, *and* see to it the IT dept. is
compensated for the extra time spent cleaning up, right?
> Thoughts, comments, flames?
There are a couple of ways to go, but both of them involve setting up a
completely separate WiFi network, with a completely separate (set of)
WiFi AP(s) running in "open" mode. One way is to terminate the "guest"
WLAN on a dedicated port on your existing firewall or Internet border
router. Another way would be to terminate the guest WLAN at a firewall
connecting to your existing LAN. I don't like the latter option. And
if your Internet firewall is anything like mine, your guests would
probably find the resulting 'net access largely useless, anyway. (No
IMAP/POP/SMTP or IM of any type through the firewall. ActiveTrojan
filtered/blocked. Etc., etc.)
If the idea of running an open mode WLAN scares you (it ought to), you
*could* compromise on a WEP or WPA-PSK WLAN. But those would almost
certainly involve you in tech. support for your guests. And, of
course, if anything should break coincident with whatever you did to
get them on your guest WLAN...
Airports, coffee houses and the like use some sort of system that lets
guests on the WLAN, but all traffic leads to a firewall and HTTP
requests get them to a system that lets them buy time with a CC. Maybe
something like that? You'd still need a completely separate WLAN, of
course.
Jim
--
Note: My mail server employs *very* aggressive anti-spam
filtering. If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.linxnet.com/scform.php>.
--__--__--
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
End of firewall-wizards Digest