This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Jason_Smith3
Participant
‎2017-10-13 08:42 AM

Guest Ports opened for outbound internet access

We currently have the basic ports open for outbound internet access (80, 443, etc.).  I am concerned about security of opening a lot of things for what ends up being temporary access, but lately guests and auditors seem to have a need for VPN access that is being blocked.

Just wondering what others are doing for outbound guest access port security. And if you are opening VPN access, what ports and do you think you've compromised security or it is safe to do?

Thanks, 

Jason

0 Kudos
5 Replies
Vladimir
Champion
Champion
‎2017-10-13 10:15 AM

In terms of guest/visitor networks, my approach is to always keep those separate from production.

If they need to have connectivity to your internal resources, let them come-in via VPN for application access or, to VDIs setup for those who really need those.

Since you have no control over their equipment and its security, allowing them to connect to your resources behind perimeter, even on dedicated zone, simply increasing probability of compromise, imposing additional stress on your resources and, in some instances, (i.e. if you enforce HTTPS inspection), increasing your liability.

0 Kudos
Kaspars_Zibarts
Employee Employee
Employee
‎2017-10-13 12:16 PM

In addition to previous comment (fully isolated network from your company network but with unlimited access to internet port wise) I would recommend to filter your guest traffic via some sort of cloud or on premises proxy to avoid situations where your company public IPs may get associated with or involved in disputes regarding access to not-so-nice sites i.e containing child abuse, drugs etc. Be smart! This day and age you trust no one. 

0 Kudos
Jason_Dance
Collaborator
‎2017-10-13 12:30 PM

We mandate the use of our own equipment on our network, and all other non-firm owned equipment be on a Guest Network.  Our Guest Network is a separate connection and completely isolated from all other networks.

0 Kudos
Jason_Smith3
Participant
‎2017-10-13 12:54 PM

My true apologies.  I guess I should have elaborated more.  Guest traffic is on it's own VLAN and has it's own IP range.  it is filtered more stringently than our county network throught FW, app control,  and threat prevention policies.

My question was already based on guest traffic being separated.  I was just wondering how much traffic others were allowing outbound from their guest networks.  Other than the basic access, I have seen the need now for VPN traffic which is getting blocked.  Just wondering what you are allowing outbound and if you see it as "just part of doing business" or found something that you thought needed opened, and was actually a bad idea.

Thanks, again

0 Kudos
Vladimir
Champion
Champion
‎2017-10-13 03:25 PM
In response to Jason_Smith3

Jason,

Unless you have dedicated firewall or cluster filtering this traffic, even on its' own VLAN with separate private IP range, it is still going through your production infrastructure imposing undue load on it.

Point being, that there is no compelling reason monitoring your visitors or guests egress traffic. As Kaspars have mentioned in his comment, the only thing you care about is limiting access to the inappropriate sites, and various hacking-related activities, (i.e. network and port scans, etc).

Generally, the rest of the traffic from the guest network could be left alone.

I've used a separate ISP link and WiFi access points for the guest networks, as 802.1X authentication on these segments is often impractical, URLF blocking some of the categories and restricting per-user bandwidth to something reasonable.

I'm more concerned with inbound connections from these user categories, if such are warranted.

What is the reason for you to enforce stricter controls for the guest/visitor network?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events