LICOMPGUY
asked on
Cell phones via wifi on corporate networks - security concerns
Hi all
Is there truly a concern with employees using their personal cell phones to connect wirelessly to the corporate network WAPs? Should we beef up the standard and suggest that even the principals of the company no longer connect wirelessly?
By allowing these devices on the corporate network, do the servers on the network have more exposure to malware/ransomware/malicious contact from employee phones? How are others handling this?
What if I were to have a separate router from another ISP, hang switches off that, and then hang the WAPs off of that before the router (the second ISP is for redundancy), which feeds into an unmanaged switch which feeds into the firewall? Meaning any wifi connection would technically be outside the actual firewall. Is it really worth the effort if it could be accomplished?
What about smaller companies that have only 1 ISP, one cable modem, etc.?
Again, just wondering what the consensus is out there; the world is getting compromised, and we're trying to do what we can to keep the network safe.
Thanks!
The weakest point needs to be identified, and likely it is the device that bridges the external network to the intranet. I have seen the wireless controller falling into such a state, and the risk is in not being able to harden it and being subjected to attack with the untrusted BYOD setup. Ideally it is to separate and have a separate controller, with wireless and wired physically separated, as the wireless internet should not be 'mixed' with the wired LAN. The FW before coming in is alright, but there is still logical connectivity, and the FW is not able to handle encrypted traffic, hence the pass-through. So the below may be worth it to strengthen detection and reduce the attack surface with early signs.
Routers and APs usually allow you to configure a "Guest" LAN. I'd suggest setting that up for devices that don't belong to the company.
For company owned devices also the internal connection should be OK, as long as you are sure they are sufficiently locked down & no untrusted software is / can be installed.
ASKER
Hey BTAN
Thanks for the response. I guess there is a lot I don't know. I am not familiar with WIDS/WIPS. The WAPs are managed by the Ruckus cloud mgmt/controller. The WAPs are on the internal network. The initial plan with the build-out was for the users in the factory to be able to access data on the servers via handheld, but then you introduce people with personal cells connecting wirelessly, which concerns me. Are you saying there may be additional security config I can put in place, possibly via the Ruckus cloud mgmt? They are not about to invest $$$$ at this time, so I'm just trying to do my best to make things secure.
So if I do understand you correctly: unless they had a totally separate modem/router not integrated in any way with their internal network, EVEN having the WAPs OUTSIDE the firewall instead of inside won't make much of a difference. Correct?
Thanks so much!
ASKER
Hey Rindi
How are you? Thanks for the reminder; I think the WAPs have a guest option even though they are on the internal network. What I understand is that they are the same physical WAPs on the same internal network, so what is to prevent an infected phone connected to guest from infiltrating the WAP, because it is one and the same device?
You never know, I guess, if someone installs a game/app on their phone, if personal. They are not going to provide locked-down phones to employees.
My wifi LAN and wireless have always been kept separate because one goes to the internet directly through the wifi. We control our internal LAN to go through the internet via another internet gateway for managed devices. We don't allow BYOD to join the internal managed network, and it can get messy if BYOD comes into the picture. We already have issues managing issued-device posture, so BYOD is just a nice to have, and anyway it is for surfing, hence that is the simple need rather than touching internal resources; our policy only allows managed devices to access after the proper check. WIDS/WIPS are more like surveillance sensors to see any anomalous traffic and try to alert fast for response.
ASKER
Hey Btan
So to be clear, you really have two separate ISPs, one specifically allowing access (i.e. cellphones, guests otherwise), and the other internal.
I haven't heard of phones really being the cause of compromises - but they certainly can be compromised.
The owner of the company brought in a second ISP (they have Optimum and now Verizon), they have redundant firewalls for failover, and wanted me to set up auto-failover should an ISP go out. It is about $140.00/month for 200/200.
So I guess they have two choices.
1. Use the second ISP as a cold standby network, should the first ISP have an extended outage, and hang all WAPs for the employees off of that (so they don't max out their data).
2. Prohibit people in the factory, or company-wide, from connecting personal devices to the network.
Can you really see any other way?
Do you think there is a bit of risk with personal cells connected via wifi internally?
WIDS/WIPS - something I should look into? Is it costly? Total employees factory/office <35.
Thanks so much
ASKER CERTIFIED SOLUTION
You haven't mentioned the ISP setups. Are these single IP address arrangements? Or, are they providing you with a block of IP addresses each?
In my opinion, the best approach is to set up a separate network using a separate public IP address.
That way, the wireless clients on that network are the same as someone in the coffee shop across the street.
In other words, no connection between networks in your building except the internet itself.
This means you don't have to trust *any* devices to isolate your public / guest network. You control it all.
As far as implementation, here's what I'm doing (with a block of IP addresses):
1) bring the internet service into an unmanaged switch.
2) plug in all the devices needing public IP addresses into that switch (can be firewalls, etc.) All of these devices use static public IP addresses on the WAN/Internet side.
3) plug the "guest" network router WAN/internet port into that same switch. This should be reasonably safe as the switch is like a mini-internet with all of its dangers of which you will be well aware.
4) run this "guest" network as if it's in the coffee shop across the street.
ASKER
Interesting
That may be another option: 5 static addresses. Can in theory use one of the ports on the router from Verizon to an unmanaged switch and hang the APs off of that; the IP of that interface "shouldn't" be able to have access to the gateway then on the firewall. The only time that could become an issue is if some of the employees REQUIRE access to the internal resources.
In talking to you I just realized (I was not thinking of this) that for essentially every phone connected to the WAPs on the internal network (<30), all traffic is, for lack of a better word, managed/limited by the configuration of the firewall.
For example, all malicious sites are blocked, all countries are blocked unless the business requires access to specific countries, and blacklisted sites are blocked.
So basically, with the exception of possibly not having endpoint protection on the phones, all traffic requests from a phone have to make it through the firewall; that being said, I guess they are a bit more secure than I was thinking.
No one else has access, complex passwords in place.
"can in theory use one of the ports on the router from verizon - to an unmanaged switch hand the APs off of that"
If I understand, then not exactly. There needs to be one device with a public IP address that's in your assigned block.
So, you'd need a router with NAT to serve the APs with IP addresses.
The unmanaged switch I was talking about would be just downstream of the Verizon device. I have no idea what it is doing with those ports. I'm used to having an ISP device that acts as an internet gateway to the assigned block of addresses.
Like this:
Let's say the block has 6 usable addresses total: 1 for the ISP's gateway device and 5 for your devices.
So you connect all 6 up to an unmanaged switch if there isn't one built into the ISP device.
And, each of your devices is set up with a static public IP in the block of 5.
If you only use 1 IP address for the "public" wireless for phones then it would be on the WAN/Internet side of a router with NAT.
Then the APs would get private IP addresses from that router.
ASKER
Thanks so much.
I think we are good. Any/all phones connected via wifi are subjected to the same blacklists/AV/geo-filtering as all other nodes on the network. That being said, we can probably leave things as they are. Malicious sites are blocked as well.
Thank you so very much for your time, and helping me beat this one up.
Using two separate WiFi networks is inefficient in a corporate environment. You can securely share the same infrastructure for both trusted and untrusted endpoints if you have the right equipment. As an example, you can logically separate corporate users from guests in different VRFs (virtual routing domains) using the same firewall to allow internet access via the same internet links.
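As a worked example of the "Guest" LAN rindi suggests and of the shared-infrastructure separation described in the comment above, here is an added nftables ruleset for a Linux router/firewall carrying corporate, AP-management and guest VLANs on one trunk. It is not from the thread and not any vendor's configuration; the interface names, VLAN IDs and subnets are assumptions.

```nft
# Added example (not from the thread). Assumed layout:
#   vlan10 10.10.0.0/24 corporate LAN and servers
#   vlan20 10.20.0.0/24 access point management (cloud-managed APs)
#   vlan30 10.30.0.0/24 guest SSID for personal phones
# The same APs broadcast both SSIDs; the guest SSID is tagged to VLAN 30.
# Client isolation on the guest SSID is assumed to be enabled on the APs.
define wan    = "eth0"
define corp   = "vlan10"
define apmgmt = "vlan20"
define guest  = "vlan30"

table inet fw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Corporate and AP management may reach the internet
        # (the APs need their cloud controller).
        iifname { $corp, $apmgmt } oifname $wan accept

        # Guest gets internet only. Count and log any attempt to cross into
        # the corporate LAN or the AP management VLAN: that is the early sign
        # of an infected phone probing inward.
        iifname $guest oifname { $corp, $apmgmt } counter log prefix "guest-to-lan " drop
        iifname $guest oifname $wan accept

        # Corporate admins may manage the APs; guest never can.
        iifname $corp oifname $apmgmt accept
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # Guest clients only need DHCP and DNS from the router itself.
        iifname $guest udp dport { 53, 67 } accept
        iifname $guest tcp dport 53 accept
        iifname $corp accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $wan masquerade
    }
}
```

Load it with `nft -f` and watch the kernel log for the `guest-to-lan` prefix; any hit from 10.30.0.0/24 toward the other VLANs is worth a look.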
ASKER
Hey Someone
After reviewing what is in place and doing some testing, I think we are okay. The firewall should suffice; I just spoke with a couple of engineers at SonicWall as well.
Thanks so much