Best Practices for Restricting Outbound Internet Access
My company has asked me to set up a wireless network for employees so they can use their personal phones to access a time keeping app and to make WiFi enabled phone calls as needed, but nothing else. I have the wireless network set up on a VLAN and it has a dedicated interface (currently set to a type of Trusted) on the firewall. The problem I am having is coming up with the best way to do this: Application Control, WebBlocker or Proxies. The more I look into this, the more concerned (and confused) I get about setting this up correctly.
So, are there any examples, suggestions or best practices that someone would be willing to share?
Thx,
Mark
Best Answer
Hey Mark,
I would start by changing the network interface from Trusted to Optional or VLAN if that is really how it's configured.
Next I would set up two outbound policies for the Wi-Fi (Optional) network, one for DNS and the other a tcp-udp any from the Wi-Fi (Optional) to any External, and enable logging.
Now test on your own device what ports and IP address the time app uses, and also the ports and IP address for Wi-Fi calling and document all of it.
Once you know where everything is going, create proxy policies for both the time app and wi-fi calling (ports, IP address) and enable logging on those.
Lastly, disable the tcp-udp any policy once all traffic is running through the proxy policies you made earlier.
Now allow your users access to the wi-fi.
Hope that helps,
- Doug
5 Answers
A quick search of the ports needed for wi-fi calling shows some different ports needed for different cell service providers.
And some of those ports are used for VPN too.
https://www.att.com/support/article/wireless/KM1114459/
https://www.t-mobile.com/support/coverage/wi-fi-calling-on-a-corporate-network
So you could not easily prevent IKE VPN if you allow the ports needed for wi-fi.
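The accepted answer's procedure (log everything through a temporary tcp-udp any policy, work out which destinations and ports the time app and Wi-Fi calling actually use, then build specific policies and retire the catch-all) and the port-overlap point in the post above both come down to reading the discovery-phase log carefully. The script below is an added example, not code from the thread or from WatchGuard: it takes constructed log lines in a simplified format (not the Firebox's real traffic-log format), summarizes what hit the catch-all policy per destination/protocol/port, flags entries that share ports with IKE VPN (udp/500 and udp/4500, the assumed overlap) so they can be pinned to the carrier's addresses rather than left open, and checks whether any flow still depends on the catch-all before it is disabled. The subnet, policy names and addresses are assumptions.

```python
"""Turn a discovery-phase "allow any, log everything" firewall log into a
candidate egress allowlist, flag entries that overlap with VPN ports, and
check whether the catch-all policy can safely be disabled.

The log format is a constructed, simplified one (timestamp, action, source,
destination, protocol, destination port, policy name); it is NOT the
Firebox's real traffic-log format.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed names: the Wi-Fi VLAN subnet and the temporary tcp-udp any policy.
WIFI_NET = ip_network("10.50.0.0/24")
CATCH_ALL_POLICY = "WiFi-Any-Logged"
# IKE and NAT-T; the thread notes some Wi-Fi calling providers use these too.
VPN_PORTS = {("udp", 500), ("udp", 4500)}

# Constructed sample log lines (documentation-range addresses).
SAMPLE_LOG = """\
2024-05-01T08:01:12 Allow 10.50.0.21 10.50.0.1 udp 53 DNS-Out
2024-05-01T08:01:13 Allow 10.50.0.21 203.0.113.10 tcp 443 WiFi-Any-Logged
2024-05-01T08:01:15 Allow 10.50.0.21 203.0.113.10 tcp 443 WiFi-Any-Logged
2024-05-01T08:02:40 Allow 10.50.0.22 198.51.100.7 udp 500 WiFi-Any-Logged
2024-05-01T08:02:41 Allow 10.50.0.22 198.51.100.7 udp 4500 WiFi-Any-Logged
2024-05-01T08:03:02 Allow 10.50.0.23 192.0.2.55 tcp 8080 WiFi-Any-Logged
2024-05-01T08:03:05 Allow 10.50.0.21 10.50.0.1 udp 53 DNS-Out
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    policy: str

    @property
    def key(self):
        """Destination tuple that an allowlist entry is keyed on."""
        return (self.dst, self.proto, self.dport)


def parse_log(text):
    """Parse log lines into Flow records; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        _ts, _action, src, dst, proto, dport, policy = parts
        flows.append(Flow(src, dst, proto.lower(), int(dport), policy))
    return flows


def summarize_catch_all(flows):
    """Group flows that hit the catch-all policy and left the Wi-Fi VLAN by
    (dst, proto, dport); the value is (hit count, set of source devices)."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for f in flows:
        if f.policy != CATCH_ALL_POLICY or ip_address(f.dst) in WIFI_NET:
            continue
        counts[f.key] += 1
        sources[f.key].add(f.src)
    return {k: (counts[k], sources[k]) for k in counts}


def propose_allowlist(summary):
    """Sorted allowlist entries; each one is what a specific policy should permit."""
    return sorted(summary)


def vpn_overlap(allowlist):
    """Entries whose proto/port is also used by IKE VPN. These deserve a second
    look, e.g. restricting the destination to the carrier's addresses only."""
    return [e for e in allowlist if (e[1], e[2]) in VPN_PORTS]


def uncovered_flows(flows, allowlist):
    """Catch-all hits the allowlist would not cover. Disable the catch-all
    policy only once this comes back empty."""
    allowed = set(allowlist)
    return [f for f in flows if f.policy == CATCH_ALL_POLICY and f.key not in allowed]


if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    summary = summarize_catch_all(flows)
    for key, (hits, srcs) in sorted(summary.items()):
        print(f"{key[0]:>15} {key[1]}/{key[2]:<5} hits={hits} devices={sorted(srcs)}")
    allowlist = propose_allowlist(summary)
    print("VPN-port overlap:", vpn_overlap(allowlist))
    # Suppose the admin decides the tcp/8080 destination is not the time app:
    trimmed = [e for e in allowlist if e[2] != 8080]
    print("still relying on catch-all:", uncovered_flows(flows, trimmed))
```

Run it against the real discovery log after a few days of normal use, not a few minutes, because Wi-Fi calling registrations and app updates are infrequent; anything that shows up only in `uncovered_flows` afterwards is exactly the traffic the new specific policies would block.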
Thanks guys. I'm going to take this info and figure this out.
Thanks again,
Mark
This is actually an interesting discussion.
We have VLAN Guest (its own dedicated IP block). It is routed via policy as VLAN Guest --> External (Port = ANY). I'm assuming that is a bit open? (Guest is Optional and External is -- well, the built-in External).
The idea is that guest can browse, download files if needed, and check their personal mail. HOWEVER, I am fine forcing them to use a browser for email access.
If you have an Any policy allowing this Guest access, then all access is allowed to the Internet - all TCP & UDP ports as well as all protocol types such as ICMP etc.
So it would be WIDE open.
You need to identify if you have a corporate policy as to what type of Internet access you want to allow Guests to have.
Since they are using your external public IP addr, are there any web site types or applications to which access should not be allowed?
If so, then you should implement the firewall policies to try to restrict such access.