Visitors using Wifi
I have had a request from a parent to be able to use our WIFI during the Christmas fair so she can use her Sagepay account.
We have a guest account (it's not a separate network) so I can just input the key and add the proxy to her LAN settings.
Now, she shouldn't be able to browse our network without some sort of account or password?
I was gonna get her to sign some sort of user agreement as well.
What should I do?
Personally I would just say No and spout security, licensing and virus reasons. You may believe that this parent is trustworthy, but who knows what she could find with a few tools. My feeling will be that you could be starting a dangerous precedent, but that's just my opinion.
Depends on the security you have on stuff like server shares and if they are allowed for everyone or only domain users etc. It does put the device behind the firewall, so if it has a virulent virus that could spread, but from a casual level of inspection it would be secure looking and would require effort to exploit.
Depending on your setup there are all sorts of things that you could do to make it more secure but most are not simple. Depending on your internet provision one thing that you could do would be to reconfigure the key on the AP she would be using and put this on the other side of your firewall connected directly to the net. This would give them unrestricted access to the net and the school would still be secured behind the firewall but it all depends on your setup.
I posted a question here a few days ago about a suitable AP to do something similar. I'd like to allow staff to connect wirelessly to the domain and have a second SSID to which visitors can connect but go straight out to the internet without access to domain resources. I haven't received any suggestions yet though about any suitable hardware.
You could get a free turnkey router platform such as endian or smoothwall (or ipcop or m0n0wall or...) and vlan the AP to it. Set up your ACLs and away you go. We have an open access WIFI set up like this. The only ports which are open are dns and www, and even www is proxied with rules only allowing access to BBC, our VLE and samlearning iirc.
Assuming you have a virtual server ready to drop the router OS onto and you are comfortable with firewall ACLs and VLANs, you should be able to get it all done in around an hour (assuming you don't have a million switches between the server cab and the AP). You should probably really have your WIFI set up in a similar fashion anyway, so 2 birds with 1 stone as you are improving the security of your WIFI (obviously you'd allow smb, auth, etc to your servers for your wireless clients).
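The guest-VLAN ACLs described in the post above (only DNS and www open, with www going through a proxy), written out as an added example that is not from the thread or any poster's own configuration. It assumes a Linux router using iptables that also serves DHCP and DNS to guests; the interface name, subnet and proxy port are assumed values.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for a guest Wi-Fi VLAN.
# Assumed values, not from the thread: interface, subnet and proxy port.
GUEST_IF="${GUEST_IF:-eth1.50}"            # VLAN sub-interface facing the guest AP
GUEST_NET="${GUEST_NET:-192.168.50.0/24}"  # guest address range
PROXY_PORT="${PROXY_PORT:-3128}"           # filtering proxy on the router itself

guest_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
# Plain web traffic from guests is redirected into the local proxy,
# where the site allowlist is enforced.
-A PREROUTING -i $GUEST_IF -s $GUEST_NET -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
COMMIT
*filter
# Policies stay at ACCEPT; rules for the other interfaces are outside this example.
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Later packets of connections the router already accepted.
-A INPUT -i $GUEST_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DHCP requests (clients have no address yet, so no source match).
-A INPUT -i $GUEST_IF -p udp --dport 67 -j ACCEPT
# DNS to the router's resolver.
-A INPUT -i $GUEST_IF -s $GUEST_NET -p udp --dport 53 -j ACCEPT
-A INPUT -i $GUEST_IF -s $GUEST_NET -p tcp --dport 53 -j ACCEPT
# The proxy port (reached directly or after the REDIRECT above).
-A INPUT -i $GUEST_IF -s $GUEST_NET -p tcp --dport $PROXY_PORT -j ACCEPT
# Everything else from guests stops here: no other router services, and
# nothing is routed on to the school LAN or straight to the internet.
-A INPUT -i $GUEST_IF -j DROP
-A FORWARD -i $GUEST_IF -j DROP
COMMIT
EOF
}

guest_rules
```

Piping the output to `iptables-restore --test` parses the ruleset without committing it. Loading it for real replaces the existing nat and filter tables.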
That's more useful information about attacking this question, in addition to the comments elsewhere.
I'd keep them off it completely. As mentioned before, state that it's a case of protecting the data on the network. This includes sensitive data on the children. Something, being one of the parents, means they should respect it.