Guest Networks / Access and HTTPS content inspection.

Hello all,

Just looking for some suggestion / feedback:

As we know, an HTTPS proxy needs a trusted CA to inspect HTTPS traffic. How are you all handling 'guest' devices (or devices within 'guest' networks for that matter) that are behind a WG Firebox and likely do not have a suitable certificate installed? I cannot imagine having each guest device (phone, PC or otherwise) needing to install a certificate.

Maybe I am missing something obvious or overthinking it?

Comments

  • For a Guest, I don't let them access anything on my network.
    They can access the Internet without restriction, with no proxies.
    As a result, they have limited firewall protections, as they would using cell service.

  • james.carson Moderator, WatchGuard Representative

    Most customers don't use content inspection on guest networks for the reasons you listed. We do offer the certificate portal to aid in the users getting the certificate in instances where the admin has required it.

    (Certificate Portal)
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/certificates/certificate_portal_c.html

    In most circumstances, the HTTPS proxy with webblocker will attempt to work off of SNI (the plaintext name in the certificate) which is less accurate but usually provides an OK level of accuracy.

    Unfortunately, it's up to the network admin to balance usability with security. Under most circumstances, the guest network will be set up so it can't access anything on the other internal networks. Some admins will go as far as to NAT the guest traffic to a different IP or send it to a completely different WAN connection via SD-WAN.

    You can even use hotspot to force users to agree to terms:
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/authentication/hotspot_configure_c.html
    (Albeit, I doubt anyone actually reads these before clicking I accept.)

    -James Carson
    WatchGuard Customer Support
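What an SNI-based filter gets to see without a CA on the device, as an added example that is not from the original thread or from WatchGuard: SNI is the hostname the client sends in its plaintext TLS ClientHello, before any certificate is exchanged, so a firewall can read it from the wire without terminating the connection. The block below builds a minimal ClientHello, extracts the SNI from it, and applies a hypothetical block list. The record builder, the `BLOCKED_DOMAINS` list and the `.test` hostnames are all constructed for this example.

```python
import struct

# Hypothetical block list for this example (".test" TLD, not real sites).
BLOCKED_DOMAINS = ("gambling.test", "malware-cdn.test")


def build_client_hello(server_name=None):
    """Build a minimal TLS record carrying a ClientHello (constructed test input)."""
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0)
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # server_name ext
    exts += struct.pack("!HH", 0x0017, 0)                          # extended_master_secret
    body = b"\x03\x03" + b"\x11" * 32                              # legacy_version, random
    body += b"\x00"                                                # empty session id
    body += struct.pack("!H", 2) + b"\x13\x01"                     # one cipher suite
    body += b"\x01\x00"                                            # null compression only
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from the server_name extension, or None if absent/malformed."""
    try:
        if record[0] != 0x16:                                  # ContentType handshake
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                                      # client_hello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                           # skip version + random
        pos += 1 + body[pos]                                   # session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
        pos += 1 + body[pos]                                   # compression methods
        if pos + 2 > len(body):
            return None                                        # no extensions block at all
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != 0x0000:
                continue
            list_end = 2 + struct.unpack("!H", data[:2])[0]
            p = 2
            while p + 3 <= list_end:
                ntype, nlen = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
                if ntype == 0:
                    return data[p + 3:p + 3 + nlen].decode("ascii")
                p += 3 + nlen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def classify(record):
    """Decide allow/block from SNI alone; 'unknown' when no hostname is visible."""
    sni = extract_sni(record)
    if sni is None:
        return ("unknown", None)
    host = sni.lower().rstrip(".")
    for blocked in BLOCKED_DOMAINS:
        if host == blocked or host.endswith("." + blocked):
            return ("block", sni)
    return ("allow", sni)


if __name__ == "__main__":
    for name in ("www.example.test", "bets.gambling.test", None):
        print(name, "->", classify(build_client_hello(name)))
```

The hostname is all a passive filter has: the URL path, headers and response body stay encrypted, so categorisation is per site rather than per page. A ClientHello with no server_name extension (or one using Encrypted Client Hello, which hides the real name) lands in the `unknown` bucket, and policy has to decide whether that bucket is allowed or dropped wholesale; only full inspection with a CA the device trusts would recover the detail.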

  • Hi Bruce, Hi James,

    I take a similar approach by segmenting guest and production from one another via VLANs and ACLs at the switch level so they cannot access one another.

    For conversation sake:
    Consider maybe a fringe (but definitely feasible) case where a client could be attached to both networks simultaneously, i.e.:

    1. A hardline connection to "Production"
    2. As a "Guest", on a WiFi provisioned guest SSID or cell phone tether.

    The client could then, in theory, bypass the HTTPS proxy and inspection (or any proxy really, assuming the Guest network were open, to Bruce's point), thereby 'compromising' the Production network.

    In the age of cloud, WFH and WFA (Work from Anywhere), and maybe at best a 50% workforce capacity in a traditional office environment, it seems that more and more protection must have emphasis at the endpoint level (of course in addition to the perimeter). All obvious observations here, but just interested in community feedback.
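One way to catch the dual-attached case above after the fact, as an added example that is not from the original thread: a host with a wired production lease and a guest Wi-Fi lease usually registers the same DHCP client hostname in both scopes, so the same hostname holding overlapping leases on both networks is a useful signal for a scheduled check. The lease export, the scope names (`prod`, `guest`) and every hostname and address below are constructed for this example.

```python
from datetime import datetime

# Constructed DHCP lease export for this example: network,mac,ip,hostname,start,end
LEASE_LINES = """\
prod,aa:bb:cc:00:00:01,10.10.1.25,LAPTOP-ALICE,2024-05-01 08:00,2024-05-01 16:00
guest,de:ad:be:ef:00:01,192.168.50.40,laptop-alice,2024-05-01 09:15,2024-05-01 11:15
prod,aa:bb:cc:00:00:02,10.10.1.26,LAPTOP-BOB,2024-05-01 08:05,2024-05-01 16:05
guest,de:ad:be:ef:00:03,192.168.50.42,LAPTOP-BOB,2024-05-01 17:00,2024-05-01 19:00
guest,de:ad:be:ef:00:02,192.168.50.41,iPhone-Carol,2024-05-01 12:00,2024-05-01 14:00
guest,de:ad:be:ef:00:04,192.168.50.43,,2024-05-01 10:00,2024-05-01 12:00
"""

TIME_FMT = "%Y-%m-%d %H:%M"


def parse_leases(text):
    """Parse the constructed lease export into dicts; hostnames are normalised to lower case."""
    leases = []
    for line in text.strip().splitlines():
        net, mac, ip, host, start, end = (f.strip() for f in line.split(","))
        leases.append({
            "net": net, "mac": mac.lower(), "ip": ip, "host": host.lower(),
            "start": datetime.strptime(start, TIME_FMT),
            "end": datetime.strptime(end, TIME_FMT),
        })
    return leases


def find_dual_homed(leases, prod_net="prod", guest_net="guest"):
    """Report hostnames holding an active lease on both networks at the same time."""
    by_host = {}
    for lease in leases:
        if not lease["host"]:
            continue        # a client that sends no hostname cannot be correlated this way
        by_host.setdefault(lease["host"], []).append(lease)

    findings = []
    for host, host_leases in sorted(by_host.items()):
        prod = [x for x in host_leases if x["net"] == prod_net]
        guest = [x for x in host_leases if x["net"] == guest_net]
        for p in prod:
            for g in guest:
                overlap_start = max(p["start"], g["start"])
                overlap_end = min(p["end"], g["end"])
                if overlap_start < overlap_end:   # the two leases genuinely coincide in time
                    findings.append({
                        "host": host,
                        "prod_ip": p["ip"],
                        "guest_ip": g["ip"],
                        "overlap_minutes": int((overlap_end - overlap_start).total_seconds() // 60),
                    })
    return findings


if __name__ == "__main__":
    for finding in find_dual_homed(parse_leases(LEASE_LINES)):
        print(finding)
```

In the constructed data only LAPTOP-ALICE is flagged: LAPTOP-BOB's guest lease starts after its production lease has expired, and the lease with an empty hostname is skipped. The limits are worth keeping in mind: the wired NIC and the Wi-Fi adapter have different MACs, so MAC correlation does not work here; the hostname is client-supplied, so this finds accidental dual-homing rather than someone deliberately evading it; and a phone tether never touches the firewall's DHCP at all, which is the case an endpoint-side control has to cover.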

  • The same goes for split tunnel client VPN connections: connect to the Internet directly and connect to the prod network via the VPN.

    If someone is connected to the prod network, hopefully they are an employee.
    The only real way to deal with situations such as this is to have a Personnel policy which clearly states what is not allowed, and that there are real repercussions for breaking those policies.

    Not everything can be addressed by technology.
