Re: Best Practice Internet Access Policy for Company Visitors

PA Bear

Forwarded to Security and IE Security newsgroups via crosspost.
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE, OE, Security, Shell/User)
AumHa VSOP & Admin DTS-L.org

Marcus wrote:
> I realise this is probably not the right place to ask this, however I'm
> trying to find out what the best practice is to allow company visitors to
> gain access to the internet.
>
> Currently we have wired ADSL/SDSL and we have a Wireless network (WPA-PSK
> [TKIP]). The subject has come up on how I should manage Internet access for
> visitors. So I was wondering what the best practice is for this?
>
> Options :-
>
> 1) Give them wireless access (but that would mean giving them our Wireless
> key)
> 2) Give them wired access that would mean they require a lead, and are
> connected to our main switches and would be assigned ip etc..
> 3) Provide them with a laptop and a visitor login
> 4) Internet access is not an option
>
> Any Advice or point in the direction appreciated
>
> Many Thanks
>
> Marcus
 
Steve Riley [MSFT]

I like #4 -- if visitors don't require Internet access when in your office,
don't provide it.

But if they do, then my preference is to use a separate wireless network.
Position this outside your firewall so that it's connected only to the
Internet. And don't worry about putting any WEP or WPA(2) on it. Treat it
like a public network at a café or hotel, and make sure your visitors know
this.

Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
 
James Matthews

I would recommend hiding the SSID broadcast

--

http://www.goldwatches.com/Watches.asp?Brand=55
 
Malke

James Matthews wrote:
> I would recommend hiding the SSID broadcast
>


That isn't a good security solution since the idea is to protect the
company network. The OP's #4 option as expanded upon by Steve Riley is
the best answer.


Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
 
Steve Riley [MSFT]

If the goal of the visitor network is to make it available for visitors,
then hiding the SSID is counterproductive.

It's also not appropriate for networks that you *do* want to secure.
Whenever a station (client) wants to connect to an access point, it issues a
clear-text network association frame. This is part of the 802.11
specification. Contained within this frame is the SSID of the network the
station wants to join. So anyone with a wireless sniffer can easily obtain
the SSID just by capturing association frames.

SSIDs are network names, not passwords. Since they weren't designed to be
secret, methods of trying to keep them secret will fail.

See my TechNet Magazine article at
http://www.microsoft.com/technet/technetmag/issues/2005/11/SecurityWatch/default.aspx
for the right way to secure wireless networks. Of course, none of that is
appropriate for the poster's visitor network.

Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
 
S. Pidgorny

The public access network is quite easy to set up with any modern wireless
infrastructure - use a separate SSID with no security, place it on a separate
VLAN, and route it outside of the corporate network. All the same access
points and controllers are used.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *
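
One way to check the isolation described above (guest SSID on its own VLAN, routed only to the Internet), as an added example that is not part of any post in this thread. The rule format, the function name and all addresses are assumptions made for illustration.

```python
import ipaddress

def guest_exposure(rules, guest_net, internal_nets):
    """Return the internal networks an ordered, first-match rule list lets guests reach.

    rules: (action, source CIDR, destination CIDR) tuples; unmatched traffic is dropped.
    Conservative: a network counts as protected only when one deny rule covering the
    whole guest range and the whole internal network precedes any overlapping allow.
    """
    guest = ipaddress.ip_network(guest_net)
    exposed = []
    for net in internal_nets:
        internal = ipaddress.ip_network(net)
        for action, src, dst in rules:
            src_net, dst_net = ipaddress.ip_network(src), ipaddress.ip_network(dst)
            if not (src_net.overlaps(guest) and dst_net.overlaps(internal)):
                continue  # this rule cannot match guest -> internal traffic
            if action == "allow":
                exposed.append(net)  # an allow is reached before a full deny
                break
            if src_net.supernet_of(guest) and dst_net.supernet_of(internal):
                break  # fully denied before any allow
    return exposed

# Constructed sample data (hypothetical addressing plan).
GUEST = "172.31.200.0/24"
CORPORATE = ["10.10.0.0/16", "10.20.30.0/24"]

ISOLATED = [("deny", GUEST, "10.0.0.0/8"), ("allow", GUEST, "0.0.0.0/0")]
MISORDERED = [("allow", GUEST, "0.0.0.0/0"), ("deny", GUEST, "10.0.0.0/8")]
FORGOTTEN_SUBNET = [("deny", GUEST, "10.10.0.0/16"), ("allow", GUEST, "0.0.0.0/0")]

if __name__ == "__main__":
    for name, rules in (("isolated", ISOLATED), ("misordered", MISORDERED),
                        ("forgotten subnet", FORGOTTEN_SUBNET)):
        print(name, "->", guest_exposure(rules, GUEST, CORPORATE) or "no exposure")
```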
 
S. Pidgorny

G'day:

"James Matthews" <jamesmatt18@gmail.com> wrote in message
news:9CECAE39-9044-4500-9362-99BF3641A695@microsoft.com...
> I would recommend hiding the SSID broadcast


This is a classic example of security theatre. SSID gets repeatedly
transmitted every time the network is used, so the only people you're hiding
from are those not looking - and legitimate users.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *
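
The point made in the replies above, that a beacon can blank the SSID while a client's association frame still carries it in clear text, shown as an added example that is not part of any post in this thread. The frames are constructed samples (no radiotap header, no FCS, zeroed fixed fields); the MAC addresses and the SSID `corp-wlan` are assumptions.

```python
# Parse the SSID element out of raw 802.11 management frames.
MGMT_HDR_LEN = 24  # frame control, duration, three addresses, sequence control
# subtype -> (name, length of the fixed fields that precede the tagged elements)
SUBTYPES = {0: ("association request", 4), 4: ("probe request", 0),
            5: ("probe response", 12), 8: ("beacon", 12)}

def extract_ssid(frame: bytes):
    """Return (frame kind, SSID or None if absent/blank); None for unhandled frames."""
    if len(frame) < MGMT_HDR_LEN:
        return None
    fc = frame[0]
    version, ftype, subtype = fc & 0x3, (fc >> 2) & 0x3, fc >> 4
    if version != 0 or ftype != 0 or subtype not in SUBTYPES:
        return None  # not a management frame handled here
    kind, fixed_len = SUBTYPES[subtype]
    pos = MGMT_HDR_LEN + fixed_len
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            break  # truncated element
        if tag == 0:  # SSID element
            blank = length == 0 or not any(value)  # "hidden": empty or all-zero
            return kind, (None if blank else value.decode("utf-8", "replace"))
        pos += 2 + length
    return kind, None

def build_frame(subtype, dst, src, bssid, fixed_len, ssid: bytes) -> bytes:
    """Build a constructed sample frame with an SSID and a supported-rates element."""
    header = bytes([subtype << 4, 0, 0, 0]) + dst + src + bssid + b"\x00\x00"
    ssid_ie = bytes([0, len(ssid)]) + ssid
    rates_ie = bytes([1, 1, 0x82])
    return header + bytes(fixed_len) + ssid_ie + rates_ie

AP = bytes.fromhex("020000000001")   # constructed, locally administered
STA = bytes.fromhex("020000000002")  # constructed, locally administered
BROADCAST = b"\xff" * 6
HIDDEN_BEACON = build_frame(8, BROADCAST, AP, AP, 12, b"")
ASSOC_REQUEST = build_frame(0, AP, STA, AP, 4, b"corp-wlan")

if __name__ == "__main__":
    for frame in (HIDDEN_BEACON, ASSOC_REQUEST):
        print(extract_ssid(frame))
```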
 
