Options

Best Practices for Restricting Outbound Internet Access

My company has asked me to setup a wireless network for employees so they can use their personal phones to access a time keeping app and to make WiFi enabled phone calls as needed, but nothing else. I have the wireless network setup on a VLAN and has a dedicated interface (currently set to a type of Trusted) on the firewall. The problem I am having is coming up with the best way to do this. Application Control, WebBlocker or Proxies. The more I look into this, the more concerned (and confused) I get about setting this up correctly.

So, are there any examples, suggestions or best practices that someone would willing to share?

Thx,
Mark

Best Answer

Answers

  • Options

    A quick search of the ports needed for wi-fi calling shows some different ports needed for different cell service providers.

    And some of those ports are used for VPN too.
    https://www.att.com/support/article/wireless/KM1114459/
    https://www.t-mobile.com/support/coverage/wi-fi-calling-on-a-corporate-network

    So you could not easily prevent IKE VPN if you allow the ports needed for wi-fi.

  • Options

    Thanks guys. I'm going to take this info and figure this out.

    Thanks again,
    Mark

  • Options

    This is actually an interesting discussion.

    We have VLAN Guest (it's own dedicated IP block). It is routed via policy as VLAN Guest --> External (Port = ANY). I'm assuming that is a bit open? (Guest is Optional and External is -- well, the built in External).

    The idea is that guest can browse, download files if needed, and check their personal mail. HOWEVER, I am fine forcing them to use a browser for email access.

  • Options

    If you have an Any policy allowing this Guest access, then all access is allowed to the Internet - all TCP & UDP port as well as all protocol types such as ICMP etc.
    So it would be WIDE open.

    You need to identify if you have a corpoarte policy as to what type of Internet access you want to allow Guests to access.
    Since they are using your external public IP addr, are there any web site types or applications that access to should not be allowed?
    If so, then you should implement the firewall policies to try to restrict such access.

Sign In to comment.