Corporate Wireless vs Guest Wireless

Started by deanwebb, June 30, 2020, 09:36:18 AM


deanwebb

Gonna vent... but corporate wireless needs to be just that. Corporate devices only. No outsiders. If it's a BYOD device, it needs to be managed by an MDM.

EAP-TLS means the fewest headaches with security. PEAP with MS-CHAP means employees can add all their devices with a username and password. EAP-TLS means only devices with a company cert get on.

Outside vendors need access? Options should be either to use a corporate laptop or a VDI session or an AWS Workstation. If those don't work, consider an SSH gateway that contractors can make a secure login to and then access the internal network via a recorded SSH session.

Guest wireless is everybody else. Never should any of it touch the internal network. I won't mention names, but there's more than one company out there where I was able to join the guest wireless network and then directly access everything in the datacenter. No access to the employee subnets, ironically, but full access to the datacenter environment.

What drives me up the wall are customers that have a history of fuzzing those boundaries, who want more security but are unwilling to make stronger limits like I've outlined above.

"You want to block all unauthorized users but still allow visiting professors to be able to self-provision full access to the corporate network?"

:yeahright:
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.
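As an added illustration (not from the post), here are two wpa_supplicant network blocks for a corporate client, the first for PEAP with MS-CHAPv2 and the second for EAP-TLS; the SSID, RADIUS server name, file paths and identities are placeholders. The PEAP block admits any device that knows a username and password, while the EAP-TLS block only joins if the device holds a certificate and key issued by the corporate CA; both pin the RADIUS server's CA and name so a client cannot be lured into authenticating to a rogue access point.

```conf
# Option 1: PEAP / MS-CHAPv2 -- credential-based. Any device the user
# types the password into gets on, which is the weakness the post describes.
network={
    ssid="CorpWiFi"                      # placeholder SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"                      # placeholder user
    password="hash:0123456789abcdef0123456789abcdef"  # NT hash form, placeholder
    phase2="auth=MSCHAPV2"
    # Always validate the RADIUS server, even for PEAP: without these two
    # lines the client will hand its credentials to any AP/RADIUS pair.
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"     # placeholder path
    domain_match="radius.corp.example"              # placeholder name
}

# Option 2: EAP-TLS -- certificate-based. Only a device provisioned with a
# client cert from the corporate CA (e.g. pushed by the MDM) can join.
network={
    ssid="CorpWiFi"                      # placeholder SSID
    key_mgmt=WPA-EAP
    eap=TLS
    identity="laptop-0042.corp.example"  # placeholder device identity
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"     # placeholder path
    client_cert="/etc/corp/wifi/device.crt"         # placeholder path
    private_key="/etc/corp/wifi/device.key"         # placeholder path
    domain_match="radius.corp.example"              # placeholder name
}
```

Guest SSIDs are a separate network block entirely and should sit on a VLAN whose only permitted route is outbound to the Internet, not into the datacenter.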

wintermute000

Then there's the opposite, where somebody wants to be a tech nazi, and insists on obscure pointless things like EAP chaining (well not pointless but overkill for 99% of environments) AND they don't want to hear about all the obscure proprietary things in the chain.

OFC now there's Win10 build 2004 with TEAP support, so good luck with that. God I hate NACs :)

deanwebb

Yeah, already getting questions about TEAP support. Once the feature request goes through, I'll be able to talk about that.

wintermute000

Seriously, just use an agent. It's so complex that it's really Windows and Mac only anyway, so why do you care if it's an agent or standard?