
Guest Wireless Information/Question

There was a thread on the old forum for this, but since we can't post over there anymore I am posting a new thread here:

We want to start implementing "Guest Wireless" for some customers and are in the middle of testing.  When enabling wireless protection, the wizard automatically creates a "Wireless Guest Network".  A couple of things we noticed: a user connected to this network could still PING devices on the "Internal" network.  Under Network Protection>Firewall>ICMP we have unchecked "Gateway forwards pings" and now the only device that responds is the Sophos UTM, so we believe this is all set?  The next issue we ran into is this:  Under Web Protection>Web Filtering>Global, if we add the Wireless Guest Network to the Allowed Networks, then any device on the Internal network is "reachable" from the Guest network.  But if we remove the Guest Wireless Network from the Allowed Networks, it seems like that removes the ability for someone on the Guest network to reach a device on the Internal network.  We understand that now the Guest network isn't going through the Web Protection.  What problems/security issues do we potentially have by doing this, and how do we separate the networks if both are added to the Allowed Networks tab?  We have read the document "Configure HTTP Proxy for a Network of Guests - V9.3 EN.pdf", but it seemed like most of that document was created before the wizard was put in place????



  • "have unchecked "Gateway forwards pings" and now the only device that responds is the Sophos UTM, so we believe this is all set" Yes, by having this option checked, it creates a rule allowing ping to anywhere.

    "We understand that now the Guest network isn't going through the Web Protection. What problems/security issues do we potentially have by doing this and how do we separate the networks if both are added to the Allowed Networks tab." When you have a network or host using the Web Filtering proxy, the proxy controls all available traffic and manual firewall rules will not be used. If you do not have the guest network use the proxy, then the traffic would be controlled by firewall rules, but will not be filtered or AV scanned. If you want to use Web Filtering, just set up the guest network in a separate profile, in which you can then create a block rule to disallow access to your internal network. This is covered in the document that you reference. I haven't correlated Bob's document with the current GUI, but everything is still there, just possibly in a slightly different place. Don't get hung up on specific paths in the document if the location has changed; just take a few minutes to click through the Web Filtering sections of your UTM and you'll quickly find whatever it is.
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
  • We have discussed NOT filtering any traffic on the Guest Network; would we then in turn leave ourselves vulnerable on the UTM/Internal Network?

    And just to make sure, if we remove the Guest Network from the Web Protection>Web Filtering>Global, Allowed Networks, does this ensure complete "separation" of Guest and Internal Networks? We do have a Firewall Rule in place (at the top) that Drops any traffic from Guest Network to Internal Network, but that rule is disabled at this point. And should that rule be switched to "Reject"???? Thanks for the help
  • If you are still filtering the internal network, but not the guest network, it would be fine. The firewall drop rule from Guest -->Internal should be enabled in this case.
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
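Whichever way the Guest network is handled (firewall drop rule only, or a separate Web Filtering profile with a block rule), the configuration should be verified from a client on the Guest network rather than assumed. The script below is an added example, not from this thread or from Sophos: it attempts TCP connections to a list of internal hosts that must be unreachable and to an external site that must still work, and reports any leak. The target addresses are constructed placeholders; adjust them to your own internal hosts and service ports.

```python
import socket
from typing import Callable, Dict, List, Tuple

Target = Tuple[str, int]

# Constructed sample targets (assumption: replace with your own Internal hosts/ports).
INTERNAL_TARGETS: List[Target] = [("10.0.1.10", 445), ("10.0.1.20", 3389), ("10.0.1.30", 80)]
# A public site that Guest clients are still expected to reach through the UTM.
EXTERNAL_TARGETS: List[Target] = [("example.com", 443)]


def tcp_connect(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake completes, i.e. the port is reachable from here."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unroutable, DNS failure: all count as unreachable
        return False


def check_guest_isolation(
    internal: List[Target],
    external: List[Target],
    connect: Callable[[str, int], bool] = tcp_connect,
) -> Dict[str, object]:
    """Run from a Guest-network client. Internal targets must NOT connect; external ones must."""
    leaks = [t for t in internal if connect(*t)]          # Guest -> Internal got through
    no_egress = [t for t in external if not connect(*t)]  # Guest lost its intended web access
    return {
        "internal_reachable": leaks,
        "external_unreachable": no_egress,
        "isolated": not leaks and not no_egress,
    }


if __name__ == "__main__":
    result = check_guest_isolation(INTERNAL_TARGETS, EXTERNAL_TARGETS)
    for host, port in result["internal_reachable"]:
        print(f"LEAK: internal {host}:{port} is reachable from the Guest network")
    for host, port in result["external_unreachable"]:
        print(f"NO EGRESS: {host}:{port} not reachable; check the Guest filtering profile")
    print("Guest network isolated" if result["isolated"] else "Guest network NOT isolated")
```

Any entry under "internal_reachable" means the Guest-to-Internal drop rule (or the block rule in the Guest filtering profile) is not in effect for that path, which is exactly the situation the thread describes with the rule disabled.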