Guest PA Bear
Posted July 25, 2007

Forwarded to Security and IE Security newsgroups via crosspost.
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE, OE, Security, Shell/User)
AumHa VSOP & Admin DTS-L.org

Marcus wrote:
> I realise this is probably not the right place to ask this, however I'm
> trying to find out what the best practice is to allow company visitors to
> gain access to the internet.
>
> Currently we have wired ADSL/SDSL and we have a Wireless network (WPA-PSK
> [TKIP]). The subject has come up on how I should manage Internet access for
> visitors. So I was wondering what the best practice is for this?
>
> Options :-
>
> 1) Give them wireless access (but that would mean giving them our Wireless
> key)
> 2) Give them wired access that would mean they require a lead, and are
> connected to our main switches and would be assigned an IP etc.
> 3) Provide them with a laptop and a visitor login
> 4) Internet access is not an option
>
> Any advice or point in the direction appreciated
>
> Many Thanks
>
> Marcus

Guest Steve Riley [MSFT]
Posted July 25, 2007

I like #4 -- if visitors don't require Internet access when in your office, don't provide it.

But if they do, then my preference is to use a separate wireless network. Position this outside your firewall so that it's connected only to the Internet. And don't worry about putting any WEP or WPA(2) on it. Treat it like a public network at a café or hotel, and make sure your visitors know this.

Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley

Guest James Matthews
Posted July 25, 2007

I would recommend hiding the SSID broadcast

--
http://www.goldwatches.com/Watches.asp?Brand=55

Guest Malke
Posted July 25, 2007

James Matthews wrote:
> I would recommend hiding the SSID broadcast

That isn't a good security solution since the idea is to protect the company network. The OP's #4 option as expanded upon by Steve Riley is the best answer.

Malke
--
Elephant Boy Computers
http://www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

Guest Steve Riley [MSFT]
Posted July 26, 2007

If the goal of the visitor network is to make it available for visitors, then hiding the SSID is counterproductive.

It's also not appropriate for networks that you *do* want to secure. Whenever a station (client) wants to connect to an access point, it issues a clear-text network association frame. This is part of the 802.11 specification. Contained within this frame is the SSID of the network the station wants to join. So anyone with a wireless sniffer can easily obtain the SSID just by capturing association frames.

SSIDs are network names, not passwords. Since they weren't designed to be secret, methods of trying to keep them secret will fail.

See my TechNet Magazine article at http://www.microsoft.com/technet/technetmag/issues/2005/11/SecurityWatch/default.aspx for the right way to secure wireless networks. Of course, none of that is appropriate for the poster's visitor network.

Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley

Guest S. Pidgorny
Posted July 26, 2007

The public access network is quite easy to set up with any modern wireless infrastructure - use a separate SSID with no security, place it on a separate VLAN, route it outside of the corporate network. All the same access points and controllers are used.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
* http://sl.mvps.org * http://msmvps.com/blogs/sp *

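One way to check the isolation described in the replies above (guest network on its own VLAN, routed outside the corporate network), as an added example that is not part of the original thread. It assumes an ordered, first-match IPv4 forwarding rule list; the function names, subnets and rules are all constructed for illustration.

```python
import ipaddress as ip

def _subtract(nets, cut):
    """Remove the CIDR block `cut` from a list of CIDR blocks."""
    out = []
    for n in nets:
        if n.subnet_of(cut):
            continue                       # fully covered by cut
        out.extend(n.address_exclude(cut) if cut.subnet_of(n) else [n])
    return out

def guest_leaks(guest, corp_prefixes, rules, default="drop"):
    """Return corporate destinations some guest host can reach.

    rules: ordered (action, src_cidr, dst_cidr) tuples, action "accept" or "drop";
    the first matching rule wins, then the default policy applies.
    """
    guest = ip.ip_network(guest)
    remaining = [ip.ip_network(p) for p in corp_prefixes]  # corp space not yet decided
    leaks = []
    for action, src, dst in list(rules) + [(default, "0.0.0.0/0", "0.0.0.0/0")]:
        src, dst = ip.ip_network(src), ip.ip_network(dst)
        if not src.overlaps(guest):
            continue                       # rule never applies to guest traffic
        if action == "accept":             # any still-undecided corp space it hits is exposed
            leaks += [r if r.subnet_of(dst) else dst for r in remaining if r.overlaps(dst)]
        if guest.subnet_of(src):           # only a rule covering every guest host settles dst
            remaining = _subtract(remaining, dst)
    return [str(n) for n in sorted(set(leaks))]

# Constructed sample addressing and rule sets.
GUEST = "192.168.50.0/24"
CORP = ["10.0.0.0/8", "192.168.1.0/24"]
MISSED_PREFIX = [("drop", GUEST, "10.0.0.0/8"),       # second corp prefix forgotten
                 ("accept", GUEST, "0.0.0.0/0")]
ISOLATED = [("drop", GUEST, "10.0.0.0/8"),
            ("drop", GUEST, "192.168.0.0/16"),
            ("accept", GUEST, "0.0.0.0/0")]

if __name__ == "__main__":
    print("missed prefix:", guest_leaks(GUEST, CORP, MISSED_PREFIX))
    print("isolated:     ", guest_leaks(GUEST, CORP, ISOLATED))
```
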
Guest S. Pidgorny
Posted July 26, 2007

G'day:

"James Matthews" <jamesmatt18@gmail.com> wrote in message news:9CECAE39-9044-4500-9362-99BF3641A695@microsoft.com...
> I would recommend hiding the SSID broadcast

This is a classic example of security theatre. The SSID gets repeatedly transmitted every time the network is used, so the only people you're hiding from are those not looking - and legitimate users.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
* http://sl.mvps.org * http://msmvps.com/blogs/sp *
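
The point made in Steve Riley's and S. Pidgorny's replies above, as an added example that is not part of the original thread: a beacon with SSID broadcast disabled carries an empty SSID element, but the association request from any joining client carries the name in clear text. The frames, MAC addresses and the name "CorpNet" are constructed, and the helper names are hypothetical.

```python
MAC_HEADER_LEN = 24
# Management subtype -> (name, length of the fixed fields before the tagged elements)
SUBTYPES = {0: ("assoc-req", 4), 8: ("beacon", 12)}

def ssid_from_mgmt_frame(frame: bytes):
    """Return (subtype_name, ssid); ssid is None when the element is empty, NUL-filled or absent."""
    if len(frame) < MAC_HEADER_LEN:
        raise ValueError("truncated 802.11 header")
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in SUBTYPES:
        raise ValueError("not a beacon or association request")
    name, fixed_len = SUBTYPES[subtype]
    pos = MAC_HEADER_LEN + fixed_len
    while pos + 2 <= len(frame):           # walk the (id, length, value) elements
        eid, elen = frame[pos], frame[pos + 1]
        value = frame[pos + 2 : pos + 2 + elen]
        if len(value) != elen:
            raise ValueError("truncated element")
        if eid == 0:                       # element ID 0 is the SSID
            hidden = elen == 0 or not any(value)
            return name, None if hidden else value.decode("utf-8", "replace")
        pos += 2 + elen
    return name, None

def build_frame(subtype: int, ssid: bytes) -> bytes:
    """Build a constructed management frame (placeholder MACs, zeroed fixed fields)."""
    ap, sta = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    header = bytes([subtype << 4, 0]) + b"\x00\x00" + ap + sta + ap + b"\x00\x00"
    fixed = bytes(SUBTYPES[subtype][1])
    elements = bytes([0, len(ssid)]) + ssid + bytes([1, 1, 0x82])  # SSID, then one rate
    return header + fixed + elements

HIDDEN_BEACON = build_frame(8, b"")          # AP set not to broadcast its name
ASSOC_REQUEST = build_frame(0, b"CorpNet")   # client joining that same network

if __name__ == "__main__":
    print(ssid_from_mgmt_frame(HIDDEN_BEACON))
    print(ssid_from_mgmt_frame(ASSOC_REQUEST))
```
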