It’s inevitable; someone from outside your organization is invited into your corporate headquarters, whether for business reasons, professional services, sales, etc., and needs to access the internet without one of your standard company-issued workstations (GASP!). I’m sure we’ve all been in similar positions, both entering another business and securing our own organization, but how are we to respond? Do we assume that internet access will be given to guests? Well, at this point in time I think it’s a fair assumption that it will be, but how it’s accomplished by the hosting organization will make the difference. In this article we’ll go over a few ways to empower the business and keep it secure by allowing guests appropriate access to the internet.
There should always be a process involved when making any changes to the network. This includes tickets, change control, approvals, etc. This is just best practice, and people looking to have business partners or consultants enter your network should be aware of the process. If it’s going to take a few days to get all the approvals for someone external to be granted access to the internet, make sure you educate them so they give you proper lead time to get the access and approvals completed. If you don’t educate the business on how YOU want things to happen, don’t be upset when they don’t follow the process. It’s up to you to determine how the process goes, so lay some expectations down early.
Before someone from the outside even walks in requesting internet access, we need to have some expectations regarding these guests’ systems. At no point should you consider one guest as “more secure” than another guest. Just because you’re having a security consultant come in to speak to you doesn’t mean they’re getting access to your internal network. We’re not playing favorites here, and everyone coming in as an outsider needs to be treated with the same level of scrutiny. You don’t manage their workstations, you don’t know where they’ve been, what malware’s lurking on their laptop, or for that matter, what they’d do to your internal network if given the chance. Long story short, don’t trust them, no matter how nice they seem or what their role is.
Now that we have the approval process and expectation of security in place, we can start building the infrastructure to protect your internal network from these guests. Here are a few steps to accomplish this:
The first thing we need to speak about is segmentation. Since most of the requests will come from guests using laptops, I’m going to assume they’ll be asking for WiFi access first. One of the first things that needs to be done here is the creation of a guest WiFi network. One way this can be done is by creating a separate SSID for guests that terminates on an isolated VLAN and goes out to the internet segmented from your internal networks. The goal here is to keep them isolated. The internet access can go directly out your corporate outbound internet connection, if it’s segmented, or you can have a separate circuit (DSL, cable, etc.) installed, which completely removes them from egressing with the remainder of your internal employees. Either way works fine, just as long as they’re segmented. Make sure your firewall policy enforces your segmentation. (The latest release of the AlgoSec Suite can really help here.)
Access to the guest wireless should also be locked down. Not everyone within range of the access point should be given free WiFi out of your network. Your network should be locked down with at least WPA2, using passphrases to authenticate guests to the guest wireless network. Creating a captive portal with a user account that was created during the approval process is ideal. Each guest logging into the portal with their guest credentials is then logged. It will also help with setting timeframes of approved access to the WiFi network and removing user accounts after a predefined date. It’s important to control access to the WiFi network in order to police who, how and when a guest can connect to your network. Access should also be removed once the guests no longer need it.
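To make the account lifecycle concrete, here is an added example (my own illustration, not code from the article or from any captive-portal product) of the logic a portal back end needs: an account is minted from the approval ticket with a start and end date baked in, each login attempt produces a decision plus an audit line that ties the guest to the sponsor and ticket, and a daily job lists accounts whose window has closed so they can be deleted. The ticket id, sponsor, username, dates and MAC address below are constructed sample values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

PBKDF2_ROUNDS = 100_000  # hypothetical work factor; tune for your portal hardware


@dataclass
class GuestAccount:
    username: str
    ticket: str           # approval/change ticket that authorized the visit
    sponsor: str          # internal employee responsible for the guest
    valid_from: datetime
    valid_until: datetime
    salt: bytes
    pw_hash: bytes


def utc(year, month, day, hour=0):
    """Small helper so callers can build timezone-aware timestamps."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def hash_passphrase(passphrase, salt):
    # Salted PBKDF2 so a leaked portal database does not leak guest passphrases.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS)


def create_guest(username, ticket, sponsor, passphrase, valid_from, days):
    """Mint an account from the approval: it is born with an expiry date."""
    salt = os.urandom(16)
    return GuestAccount(username, ticket, sponsor, valid_from,
                        valid_from + timedelta(days=days), salt,
                        hash_passphrase(passphrase, salt))


def authorize(accounts, username, passphrase, now, client_mac):
    """Captive-portal login decision. Returns (allowed, audit log line)."""
    prefix = f"{now.isoformat()} portal mac={client_mac} user={username}"
    acct = accounts.get(username)
    if acct is None:
        return False, f"{prefix} DENY reason=unknown_user"
    # Constant-time comparison of the hashes.
    if not hmac.compare_digest(hash_passphrase(passphrase, acct.salt), acct.pw_hash):
        return False, f"{prefix} DENY reason=bad_passphrase"
    if not acct.valid_from <= now < acct.valid_until:
        return False, f"{prefix} DENY reason=outside_window ticket={acct.ticket}"
    return True, (f"{prefix} ALLOW ticket={acct.ticket} sponsor={acct.sponsor} "
                  f"expires={acct.valid_until.date()}")


def accounts_to_remove(accounts, now):
    """Usernames whose approved window has ended; run daily and delete them."""
    return sorted(u for u, a in accounts.items() if now >= a.valid_until)


def demo_accounts():
    # Constructed sample: one guest approved for a three-day engagement.
    acct = create_guest("jdoe-guest", "CHG-0042", "a.smith", "correct horse",
                        utc(2024, 3, 4), 3)
    return {acct.username: acct}


if __name__ == "__main__":
    accts = demo_accounts()
    for when in (utc(2024, 3, 5, 9), utc(2024, 3, 8, 9)):
        ok, line = authorize(accts, "jdoe-guest", "correct horse", when, "aa:bb:cc:dd:ee:ff")
        print(line)
    print("remove:", accounts_to_remove(accts, utc(2024, 3, 8)))
```

The audit line is the piece that matters for the “who, how and when” question: every ALLOW carries the ticket and sponsor, so a later investigation of guest-sourced traffic can be mapped back to a person inside the company who vouched for that access.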
Monitoring the traffic on the guest network should still be done, even if the guests aren’t on your systems or hitting your internal networks. In the greater scheme of things, this is your network, and you don’t want anyone doing something nefarious to other guests, trying to do something illegal from a network you own, or spreading malware to others connected to the same network. This network can be a little hairy at times, but we should still keep an eye on what’s happening on it. Installing an IDS/IPS on the network after the traffic’s terminated into the wired network is something that needs to be done. You need to know if you see traffic sourced from the guest WiFi network that’s doing something evil. Even with segmentation in place, you need to know what’s going on. You should also put some type of web filtering in place on this network. Just because they’re guests doesn’t mean that they get full access to the internet from your network block. Remember, the world is going to see this traffic sourced as your company, not as the guest that’s sitting in your company. Don’t get yourself in trouble by allowing them to browse every site under the sun. You can put a custom policy in for your web filtering based off the guest WiFi network, but don’t just leave it open.
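The segmentation requirement above and the monitoring requirement in this paragraph come down to the same question: is anything on the guest VLAN talking to anything other than the internet and the handful of internal services it is allowed to use? As an added example (mine, not from the article, and not tied to AlgoSec or any particular firewall or IDS), here is a small audit that classifies flow records exported from the firewall sitting between the guest VLAN and everything else. The guest subnet, the gateway address, the allowed ports and the sample flow lines are all constructed; the RFC 1918 ranges are real.

```python
import ipaddress
from collections import Counter

# Hypothetical addressing: the guest SSID terminates on an isolated VLAN, 10.99.0.0/24.
GUEST_NET = ipaddress.ip_network("10.99.0.0/24")
# RFC 1918 space; anything here that is not the guest VLAN counts as "internal".
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# The only internal endpoints a guest may touch: the VLAN gateway for DNS and
# the captive portal it hosts (hypothetical address and ports).
ALLOWED_INTERNAL = {
    ("10.99.0.1", "udp", 53),
    ("10.99.0.1", "tcp", 443),
}

# Constructed flow log: "timestamp src dst proto dport", one flow per line.
SAMPLE_FLOWS = """\
2024-03-05T10:01:02Z 10.99.0.23 93.184.216.34 tcp 443
2024-03-05T10:01:05Z 10.99.0.23 10.99.0.1 udp 53
2024-03-05T10:02:11Z 10.99.0.23 10.10.5.40 tcp 445
2024-03-05T10:02:13Z 10.99.0.23 10.10.5.40 tcp 3389
2024-03-05T10:03:40Z 10.99.0.57 10.99.0.23 tcp 22
2024-03-05T10:04:00Z 10.10.5.12 93.184.216.34 tcp 443
"""


def is_private(addr):
    return any(addr in net for net in PRIVATE_NETS)


def classify(src, dst, proto, dport):
    """Policy verdict for one flow, judged only from the guest VLAN's point of view."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in GUEST_NET:
        return "not-guest"            # corporate traffic; out of scope here
    if (dst, proto, dport) in ALLOWED_INTERNAL:
        return "allowed-internal"     # DNS / captive portal on the gateway
    if d in GUEST_NET:
        return "guest-to-guest"       # wireless client isolation should stop this
    if is_private(d):
        return "guest-to-internal"    # segmentation failure: escalate immediately
    return "egress"                   # internet-bound; subject to web filtering


def audit(flow_log):
    """Parse the flow log; return (verdict counts, list of violating flows)."""
    counts = Counter()
    violations = []
    for line in flow_log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        verdict = classify(src, dst, proto, int(dport))
        counts[verdict] += 1
        if verdict in ("guest-to-internal", "guest-to-guest"):
            violations.append((ts, src, dst, proto, int(dport), verdict))
    return counts, violations


if __name__ == "__main__":
    counts, violations = audit(SAMPLE_FLOWS)
    print(dict(counts))
    for v in violations:
        print("VIOLATION", *v)
```

Run against real exports, any "guest-to-internal" hit means the firewall policy is not enforcing the segmentation you think it is (or a rule was changed outside the approval process), and a burst of "guest-to-guest" flows on ports like 22 or 445 is the kind of guest-on-guest activity the IDS/IPS on the wired side should also be alerting on. The "egress" bucket is where the web-filtering policy applies.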