Wired Networks Thread, Wired network security with public/guest access in Technical
  1. #1

    Join Date
    Nov 2006
    Location
    Redcar
    Posts
    58
    Thank Post
    0
    Thanked 2 Times in 2 Posts
    Rep Power
    16

    Wired network security with public/guest access

    Hi everyone,

    I am anticipating a request to allow our organisation to provide computer suites for public/guest access and was wondering if anyone had any input on how they would manage this from a network security point of view?

    I have a public access wifi network which has a separate VLAN and is firewalled from the rest of the corporate network, but I believe this wouldn't be possible with a wired network that would be shared by guests/public/employees?

    Any suggestions on a solution to this? I am worried about zero-day vulnerabilities and tools which could easily circumvent software based security, as opposed to effectively having a physically separate network, which isn't possible in my situation.

  2. #2
    cpjitservices's Avatar
    Join Date
    Jul 2010
    Location
    East Yorkshire
    Posts
    2,175
    Thank Post
    440
    Thanked 239 Times in 218 Posts
    Blog Entries
    2
    Rep Power
    68
    We do this, our private LAN is on an internal VLAN on its own IP range, anything else on the network does not have any access to this VLAN, we have 802.1x for unauthorized devices that can be plugged into any Ethernet port. The VLAN for 802.1x is firewalled and can't access anything other than the internet. We have Wifi, one private SSID and one public. The public Wifi has a captive portal on it.

    If that helps.

  3. #3

    Quote: Originally Posted by cpjitservices
    We do this, our private LAN is on an internal VLAN on its own IP range, anything else on the network does not have any access to this VLAN, we have 802.1x for unauthorized devices that can be plugged into any Ethernet port. The VLAN for 802.1x is firewalled and can't access anything other than the internet. We have Wifi, one private SSID and one public. The public Wifi has a captive portal on it.

    If that helps.
    Yep, we have a similar setup, but how do you deal with hiring out a room of computers, that ordinarily would be used by staff/students?

    They are not bringing their own devices...

  4. #4
    cpjitservices's Avatar
    If we need to control guest access we give them a one-time code which will work with the captive portal, after a period of time that code no longer works so that is how we control access to our wifi. If it's computers then we designate ports on the switch into a VLAN, usually a guest or restricted VLAN. This ensures that whatever they try and access they can't get to the main internal network.

    We also have network accounts setup, so if a user logs onto a PC using the wrong VLAN, they can just open up VPN and dial into the main part of the network which they need to reach.

  5. #5

    Quote: Originally Posted by cpjitservices
    If it's computers then we designate ports on the switch into a VLAN, usually a guest or restricted VLAN. This ensures that whatever they try and access they can't get to the main internal network.
    This is where my problem lies... I have a computer room that is ordinarily used by teachers/students, which my organisation now wants to hire out for public use.

    How do I dynamically manage VLAN assignment for these computers so they are secure when the public use them, but have network access when teachers/students want to use them?

  6. #6

    plexer's Avatar
    Join Date
    Dec 2005
    Location
    Norfolk
    Posts
    12,995
    Thank Post
    590
    Thanked 1,499 Times in 1,345 Posts
    Rep Power
    398
    You need to provide suitably locked down user accounts for public use that don't have access to sensitive internal resources.

    Or if you knew they only needed internet you could change the shell to iexplore.exe or if they only needed word the same could apply.

    Ben

  7. #7

    Quote: Originally Posted by plexer
    You need to provide suitably locked down user accounts for public use that don't have access to sensitive internal resources.

    Or if you knew they only needed internet you could change the shell to iexplore.exe or if they only needed word the same could apply.

    Ben
    The users will be restricted, but I'm concerned that isn't enough. I would prefer hardware security in the form of a firewall/ACL between the computers in question and the main network when in use by guests.

    Basically the same as captive portal, but wired.

  8. #8

    plexer's Avatar
    You would have to look at 802.1x auth on your wired network as well then and to see if that can be configured for dynamic VLAN assignment based on Windows groups.

    Ben
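
Added example (not part of the thread, and not any poster's or vendor's configuration): a sketch of the RADIUS-side decision behind 802.1X dynamic VLAN assignment by group, for a room whose PCs are used by staff, students and public hirers. The group names, VLAN IDs and function names are assumptions; the three tunnel attributes are the ones RFC 3580 uses to tell the switch which VLAN to place the port in.

```python
# Added illustration: group names, VLAN IDs and function names are assumptions.
GUEST_VLAN = 99  # assumed ID of the firewalled, internet-only VLAN

# Most restrictive group first: the first match wins, so an account that is
# in both a hire group and an internal group still lands on the guest VLAN.
GROUP_VLANS = [
    ("public-hire", GUEST_VLAN),
    ("students", 20),
    ("staff", 10),
]


def vlan_for(authenticated, groups):
    """Pick the VLAN for a session; anything unrecognised fails closed."""
    if not authenticated:
        # Modelled here as the guest VLAN; on real switches a failed
        # authentication is typically handled by an unauthorised-client VLAN.
        return GUEST_VLAN
    member_of = {g.strip().lower() for g in groups}
    for group, vlan in GROUP_VLANS:
        if group in member_of:
            return vlan
    return GUEST_VLAN  # authenticated but in no mapped group


def access_accept_attributes(vlan_id):
    """RFC 3580 tunnel attributes a RADIUS server returns for VLAN assignment."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    return {
        "Tunnel-Type": "VLAN",              # value 13
        "Tunnel-Medium-Type": "IEEE-802",   # value 6
        "Tunnel-Private-Group-ID": str(vlan_id),
    }


def decide(authenticated, groups):
    return access_accept_attributes(vlan_for(authenticated, groups))


if __name__ == "__main__":
    # Constructed sessions on the same switch port at different times of day.
    for ok, groups in [(True, ["Staff"]), (True, ["Public-Hire"]),
                       (True, ["Staff", "Public-Hire"]), (False, ["Staff"])]:
        print(groups, ok, decide(ok, groups)["Tunnel-Private-Group-ID"])
```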

  9. #9

    plexer's Avatar
    Don't know what network hardware you have but this is for Procurve:

    Configuring Dynamic VLAN assignment on ProCurve switches | integrating IT

    Ben

  10. #10

    Quote: Originally Posted by plexer
    Don't know what network hardware you have but this is for Procurve:

    Configuring Dynamic VLAN assignment on ProCurve switches | integrating IT

    Ben
    I was looking at Cisco ACS, which seems to offer the functionality I might need, but seems overkill/complex!
