Ethical Hacker Community Forums

Ethical Hacking Discussions and Related Certifications => Network Pen Testing => Topic started by: BillV on August 07, 2008, 12:53:23 PM



Title: 'Outsider' Network Access
Post by: BillV on August 07, 2008, 12:53:23 PM
How does everyone secure their network from insider 'outsider' access? When I say outsider, I'm talking about people giving presentations, consultants and others who are supposed to be in your office but are requesting Internet access. Do you have a strict policy to forbid them access entirely? Have some way to give them limited access? Any other policies?

We have some inventory software that scans our network and will show when other workgroups/domains have been connected. It came up recently and I brought this to the attention of our IT Director stating that some other computers had been connected to our network. She asked for some suggestions on how to control this, so I figured I'd ask here to see what everyone else does. My thoughts are to hook up a switch or wireless access point to a separate port on our firewall and just segment all the traffic off from the internal network. That way they can get access to the Internet, but nothing else. If it were my choice, I wouldn't even allow them to connect ;) but I don't think that will fly :(

BillV


Title: Re: 'Outsider' Network Access
Post by: oldgrue on August 07, 2008, 02:33:50 PM
I think you're best to isolate their access like you've suggested. I'd suggest against the wireless so you don't have staff connecting personal devices to it.

It might be better if you can isolate their work areas (especially if you have longer term contractors) and hardwire the connection to a switch instead.


Title: Re: 'Outsider' Network Access
Post by: BillV on August 07, 2008, 03:39:53 PM
I think you're best to isolate their access like you've suggested. I'd suggest against the wireless so you don't have staff connecting personal devices to it.

It might be better if you can isolate their work areas (especially if you have longer term contractors) and hardwire the connection to a switch instead.

Thanks :)

If we do the wireless it won't be open and we'll probably change the password fairly frequently so anyone wanting access will have to come ask us. That way anyone wanting access will be required to come through us first ;D


Title: Re: 'Outsider' Network Access
Post by: sgt_mjc on August 07, 2008, 04:03:47 PM
I think that is how we handle it here. I can see several "guest" APs here that are secured and I'm more than willing to bet that that is what they are used for. Those of us that work here can plug in to the corporate network from the conference rooms. Good luck, Bill.


Title: Re: 'Outsider' Network Access
Post by: RoleReversal on August 08, 2008, 02:28:18 AM
BillV,

We have a separate wireless system for outsiders. It runs through a proxy requiring a 'voucher' to bypass the landing page. If a third party needs internet access they get a time-limited voucher; if an employee needs access they get the (frequently changed) WPA key. Keeps the two sets isolated nicely.


Title: Re: 'Outsider' Network Access
Post by: BillV on August 08, 2008, 07:20:34 AM
Thanks for the replies guys. Sounds like that's probably where we'll focus our efforts.


Title: Re: 'Outsider' Network Access
Post by: RobMongoose on August 09, 2008, 07:48:24 PM
Maybe for wired connections you could set up a switch connected to a restricted access vlan, then you could attach a wireless access point configured, as others have suggested, to provide a separate wireless network to this switch. That should be nice and secure.
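

The segmentation described in this thread (a dedicated firewall port or restricted VLAN for visitors that reaches the Internet and nothing else), written as an nftables ruleset. This is an added example, not part of any post in the thread; the interface names (`wan0`, `lan0`, `guest0`) and the guest subnet `192.168.50.0/24` are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example. Assumed interfaces (not from the thread):
#   wan0   = Internet uplink
#   lan0   = internal network
#   guest0 = dedicated firewall port or VLAN for visitors
# 192.168.50.0/24 is a constructed guest subnet.

flush ruleset

define WAN = "wan0"
define LAN = "lan0"
define GUEST = "guest0"
define GUEST_NET = 192.168.50.0/24
define PRIVATE = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 }

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        # Guests may use only DHCP and DNS on the firewall itself
        iifname $GUEST udp dport { 53, 67 } accept
        iifname $GUEST tcp dport 53 accept
        iifname $GUEST log prefix "guest-to-fw drop: " drop
        # Internal hosts may reach the firewall (tighten to admin hosts as needed)
        iifname $LAN accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Guest segment never reaches the internal network or any private range
        iifname $GUEST oifname $LAN log prefix "guest-to-lan drop: " drop
        iifname $GUEST ip daddr $PRIVATE drop
        # Guest segment to Internet only, and only from the guest subnet
        iifname $GUEST oifname $WAN ip saddr $GUEST_NET accept
        # Internal network to Internet
        iifname $LAN oifname $WAN accept
        # Everything else, including guest IPv6, falls to the drop policy
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $WAN masquerade
    }
}
```

The logged drops give a record of any visitor device that tries to reach the internal network or the firewall's own services.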