<div>
the weakest point need to be identified and likely it is the device that bridges the external to intranet. i have seen the wireless controller falling into such state and risk is in not able to harden and subjected to attack with the BYOD untrusted setup. ideally it is to separate and have separate controller and Wireless and wired are physically separated as the wireless internet should not be 'mixed' with the wired LAN. The FW before coming is alright but still there is logical connectivity and FW not able to handle encrypted traffic hence the pass through. So below may be worth to strengthen the detection and reduce attack surface with early sign.<br><br><blockquote><em>Employing active <strong>WIDS/WIPS</strong> enables network administrators to create and enforce wireless security by monitoring, detecting, and mitigating potential risks. Both WIDS and WIPS will detect and automatically disconnect unauthorized devices. WIDS provides the ability to automatically monitor and detect the presence of any unauthorized, rogue access points, while WIPS deploys countermeasures to identified threats. Some <em><strong>common threats mitigated by WIPS</strong> are rogue access points, misconfigured access points, client misassociation, unauthorized as</em>sociation, man-in-the-middle attacks, ad-hoc networks, Media Access Control spoofing, honeypot/evil twin attacks, and denial-of-service attacks.</em></blockquote><br><blockquote><em><br>The following list includes best practices to secure WIDS/WIPS sensor networks. Administrators should tailor these practices based on local considerations and applicable compliance requirements. For more in-depth guidance, see <a href="https://csrc.nist.gov/publications/detail/sp/800-153/final" rel="ugc">Guidelines for Securing Wireless Local Area Networks</a>.</em><ul><li><em>Use a rogue detection process capability. This capability should detect Wi-Fi access via a rogue client or WAP, regardless of the authentication or encryption techniques used by the offending device (e.g., network address translation, encrypted, soft WAPs).</em></li><li><em>Set the WIDS/WIPS sensors to</em><ul><li><em>Detect 802.11a/b/g/n/ac devices connected to the wired or wireless network and</em></li><li><em>Detect and block multiple WAPs from a single sensor device over multiple wireless channels.</em></li></ul></li><li><em>Enforce a “no Wi-Fi” policy per subnet and across multiple subnets.</em></li><li><em>Provide minimal secure communications between sensor and server, and identify a specific minimum allowable Kbps―the system shall provide automatic classification of clients and WAPs based upon enterprise policy and governance.</em></li><li><em>Provide automated (event-triggered) and scheduled reporting that is customizable.</em></li><li><em>Segment reporting and administration based on enterprise requirements.</em></li><li><em>Produce event logs and live packet captures over the air and display these directly on analyst workstations.</em></li><li><em>Import site drawings for site planning and location tracking requirements.</em></li><li><em>Manually create simple building layouts with auto-scale capability within the application.</em></li><li><em>Place sensors and WAPs electronically on building maps to maintain accurate records of sensor placement and future locations.</em></li><li><em>Have at least four different levels of permissions allowing WIPS administrators to delegate specific view and administrator privileges to other administrators.</em></li><li><em>Meet all applicable standards and, if Federal Government, comply with the Federal Acquisition Regulation.</em></li></ul></blockquote><br>
</div>


<div>
Routers, AP's usually allow you to configure a "Guest" Lan. I'd suggest setting that up for devices that don't belong to the Company.<br>For company owned devices also the internal connection should be OK, as long as you are sure they are sufficiently locked down &amp; no untrusted software is / can be installed.<br><br>
</div>


<div>
Hey BTAN<br><br>Thanks for the response. &nbsp;I guess there is a lot I dont know. I am not familiar with <em><strong>WIDS/WIPS</strong></em><strong>. &nbsp;</strong>The WAPS are managed by Ruckus cloud mgmt/controller. The WAPs &nbsp;are on the internal network. &nbsp;The initial plan with the build out was for the users in the factory to be able to access data on the servers via handheld, but then you introduce people with personal cells connecting wirelessly which concerns me. &nbsp;Are you saying there may be additinal security config I can put in place possibly via the Ruckus cloud mgmt? &nbsp;They are not about to invest $$$$ at this time, so just trying to do my best to make things secure.<br><br>So if I do understand you correctly - unless they had a totally separate modem/router not integrated in anyway to their internal network EVEN having the WAPS OUTSIDE the firewall instead of inside won't make much of a difference. - correct?<br><br>Thanks so much!
</div>


<div>
Hey Rindi<br><br>How are you? &nbsp;Thanks for the reminder I think the WAPs have a guest option even though they are on the internal network. &nbsp;What I understand is, is they are the same physical WAPS on the same internal network, so what is to prevent an infected phone connected to guest from infiltrating the WAP because it is one and the same device. &nbsp;<br>You never know I guess if someone installs a game/app on their phones, if personal. &nbsp;They are not going to provide locked down phones to employees.
</div>


<div>
My wifi LAN and wireless have always been kept separate because one is to internet directly thru the Wifi. We control our internal LAN to go thru internet via another internet gateway for managed device. We don't allow BYOD to join the internal managed network and can get messy if the BYOD come to the picture. We already has issue managing issued device posture so BYOD is just a good to have and anyway, it is for surfing hence that is the simple need rather than touching internal resource - our policy only allow managed device to access after the proper check. WIDS/WIPS are more like surveillance sensor to see any anomalous traffic and try to alert fast for response.&nbsp;
</div>


LICOMPGUY

<div>
Hey Btan<br><br>So to be clear you really have two separate ISPs, one specifically allowing access (IE cellphones, guest otherwise), and the other internal. &nbsp;<br>I haven't heard of phones really being the cause of compromises - but they certainly can be compromised.<br><br>The owner of the company brought in a second ISP (they have Optimum and now Verizon), they have redundant firewalls for failover, and wanted me to set auto-failover should an ISP go out. &nbsp;It is about 140.00 month for 200/200<br><br>So I guess they have two choices.<br>1. &nbsp;use the second isp as a cold standby network, should the first ISP have an extended outage, and hang all WAPS for the employees off of that (so they don't max out their data).<br>2. Prohibit (people in the factory), or company wide from connecting personal devices to the network.<br><br>Can you really see any other way?<br>Do you think there is a bit of risk with personal cells connected via wifi internally?<br>WIDSWIPS - something I should look into? Is it costly? &nbsp;Total employees factory/office &lt;35<br><br>Thanks so much
</div>


<div>
You haven't mentioned the ISP setups. &nbsp;Are these single IP address arrangements? &nbsp;Or, are they providing you with a block of IP addresses each?<br>In my opinion, the best approach is to set up a separate network using a separate public IP address. &nbsp;<br>That way, the wireless clients on that network are the same as someone in the coffee shop across the street.<br>In other words, no connection between networks in your building except the internet itself.<br>This means you don't have to trust *any* devices to isolate your public / guest network.&nbsp; You control it all.<br><br>As far as implementation, here's what I'm doing (with a block of IP addresses):<br>1) bring the internet service into an unmanaged switch.<br>2) plug in all the devices needing public IP addresses into that switch (can be firewalls, etc.) &nbsp;All of these devices use static public IP addresses on the WAN/Internet side.<br>3) plug the "guest" network router WAN/internet port into that same switch. &nbsp;This should be reasonably safe as the switch is like a mini-internet with all of its dangers of which you will be well aware.<br>4) run this "guest" network as if it's in the coffee shop across the street.
</div>


<div>
Interesting<br>That may be another option, 5 static addresses, can in theory use one of the ports on the router from verizon - to an unmanaged switch hand the APs off of that, the IP of that interface "shouldn't" be able to have access to the gateway then on the firewall. &nbsp;The only time that could become an issues is if some of the employees REQUIRE access to the internal resources.<br><br>In talking to you -I just realized, (I was not thinking of this), that essentially every phone - connected to the WAPs on the internal network (&lt;30), all traffic, is for lack of a better word, managed/limited by the configuration of the firewall.<br>For example, all malicious sites are blocked, all countries are blocked unless the business requires access to specific countries, blacklisted sites are blocked.<br>So basically with the exception of possibly not having End Point protection on the phones, all traffic requests from a phone has to make it through the firewall, that being said, I guess they are a bit more secure than I was thinking.<br><br>No one else has access, complex passwords in place.<br><br>
</div>


<div>
<blockquote>can in theory use one of the ports on the router from verizon - to an unmanaged switch hand the APs off of that</blockquote>If I understand then, not exactly. &nbsp;There needs to be one device with a public IP address that's in your assigned block.<br>So, you'd need a router with NAT to serve the APs with IP addresses.<br>The unmanaged switch I as talking about would be just downstream of the Verizon. &nbsp;I have no idea what it is doing with those ports. &nbsp;I'm used to having an ISP device that acts as an internet gateway to the assigned block of addresses.<br>Like this:<br>Let's say the block has 6 usable addresses total -1 for the ISP's gateway device and 5 for your devices.<br>So you connect all 6 up to an unmanaged switch if there isn't one built into the ISP device.<br>And, each of your devices is set up with a static public IP in the block of 5.<br>If you only use 1 IP address for the "public" wireless for phones then it would be on the WAN/Internet side of a router with NAT.<br>Then the APs would get private IP addresses from that router.<br><br><br>
</div>


<div>
Thanks so much.<br>I think we are good. Any/all phones - connected via wifi - are subjected to the same blacklists/av/geo-filtering as all other nodes on the network. &nbsp;That being said, can probably leave things as they are. &nbsp;Malicious sites are blocked as well.<br><br>Thank you so very much for your time, and helping me beat this one up.
</div>


<div>
Using two separate WiFi networks is inefficient in a corporate environment. You can securely share the same infrastructure for both trusted and untrusted endpoints if you have the right equipment. As an example, you can logically separate corporate users from guests in different VRFs (virtual routing domains) using the same firewall to allow internet access via the same internet links.
</div>


<div>
Hey Someone<br><br>After reviewing what is in place and doing some testing, I think we are okay. &nbsp;The firewall should suffice I just spoke with a couple of engineers at Sonicwall as well.<br><br>Thanks so much
</div>


<div>
<div class="content wysiwyg-content fr-view">
Hi all<br><br>If there is truly concern with employees using their personal cell phones to connect wirelessly to the corporate network WAPS? &nbsp;Should we beef up the standard and suggest even the principles of the company no longer connect wirelessly?<br>By allowing these devices on the corporate network, do the servers on the network have more exposure to malware/ransomware/malicious contact from employee phones? &nbsp;How are others handling this?<br><br>What if I were to have a separate router from another ISP, hang switches off that, and then hang the WAPS off of that before the Router (second ISP is for redundancy), feeds into an un unmanaged switch which feeds into the firewall. &nbsp;Meaning any wifi connected would be technically outside the actual firewall. &nbsp;Is it really worth the effort if it could be accomplished?<br><br>What about in smaller companies where they have only 1 ISP, one cable modem etc?<br><br>Again, just wondering what the consensus is out there, the world is getting compromised, trying to do what we can to keep the network safe<br>Thanks!<br><br><br>
</div>
</div>



Hi all
If there is truly concern with employees using their personal cell phones to connect wirelessly to the corporate network WAPS?  Should we beef up the standard and suggest even the principles of the company no longer connect wirelessly?
By allowing these devices on the corporate network, do the servers on the network have more exposure to malware/ransomware/malicious contact from employee phones?  How are others handling this?
What if I were to have a separate router from another ISP, hang switches off that, and then hang the WAPS off of that before the Router (second ISP is for redundancy), feeds into an un unmanaged switch which feeds into the firewall.  Meaning any wifi connected would be technically outside the actual firewall.  Is it really worth the effort if it could be accomplished?
What about in smaller companies where they have only 1 ISP, one cable modem etc?
Again, just wondering what the consensus is out there, the world is getting compromised, trying to do what we can to keep the network safe
Thanks!

Cell phones via wifi on corporate networks - security concerns....

Wireless networking is anything related to the transfer of data between two (or more) devices without the use of a physical connection, ranging from getting advice on a new Bluetooth headset to configuring sophisticated enterprise level networks.

Wireless Networking

A cellular phone (also known as a mobile phone, cell phone, hand phone, or simply a phone) is a telephone that can make and receive telephone calls over a radio link while moving around a wide geographic area by connecting to a cellular network provided by a mobile phone operator, allowing access to the public telephone network. Mobile phones that offer services such as text messaging, email, Internet access, business applications, gaming, photography and more general computing capabilities are referred to as smartphones.

Cell Phones

Security is the protection of information systems from theft or damage to the hardware, the software, and the information on them, as well as from disruption or misdirection of the services they provide. The main goal of security is protecting assets, and an asset is anything of value and worthy of protection.  Information Security is a discipline of protecting information assets from threats through safeguards to achieve the objectives of confidentiality, integrity, and availability or CIA for short. On the other hand, disclosure, alteration, and disruption (DAD) compromise the security objectives.