Secure Your Guest Networks
Another one of our clients is engaged in a lawsuit because a guest, not an employee, used the “Public Internet Connection for Guests that is outside of the firewall” to engage in illegal activity. Protect yourself before it is too late.
Remember, guest access can be wirelessly through your wireless network. Guest access can also be when a computer is plugged into your network – even when you have a dedicated “guest” wired network.
1) Primarily, if you don’t absolutely need to provide guest access, then don’t provide it. Turn off and throw away, recycle, wireless access points. (If you want executive level suggestions about security your home network see the executive three-step guide to securing Wi-Fi )
2) Regularly warn employees against plugging in their own personal devices to your organization’s network. Warn them about allowing anyone else to plug into the network without checking with IT first. Make sure there are consequences for employees who break your policy. There are ways your IT professionals can prevent computers from connecting to your network – even if the computer is plugged into a cable.
3) Ask your IT professionals to take the following actions if you do plan to provide guest access:
a) There must be a separate network, outside of your other subnets, for guest access.
b) In addition to “making sure their connection is outside of your firewall,” consider using a completely separate public IP address dedicated to the guest access. Some of our clients pay for an additional Cable or DSL connection dedicated strictly to guest use.
c) Use web filtering, logging, and alerting on your guest networks to help prevent and/or detect problems.
d) Use, at the least, pre-shared keys on your guest wireless networks and change the keys often. Even some of the most inexpensive wireless access points will challenge prospective guests with a login request. WPA2 Enterprise is even better.
Please post your comments below