Best Practices for Restricting Outbound Internet Access
My company has asked me to set up a wireless network for employees so they can use their personal phones to access a time keeping app and to make WiFi enabled phone calls as needed, but nothing else. I have the wireless network set up on a VLAN and it has a dedicated interface (currently set to a type of Trusted) on the firewall. The problem I am having is coming up with the best way to do this: Application Control, WebBlocker or Proxies. The more I look into this, the more concerned (and confused) I get about setting this up correctly.
So, are there any examples, suggestions or best practices that someone would be willing to share?
I would start by changing the network interface from Trusted to Optional or VLAN if that is really how it's configured.
Next I would set up two outbound policies for the Wi-Fi (Optional) network, one for DNS and the other a tcp-udp any from the Wi-Fi (Optional) to any External, and enable logging.
Now test on your own device what ports and IP addresses the time app uses, and also the ports and IP addresses for Wi-Fi calling, and document all of it.
Once you know where everything is going, create proxy policies for both the time app and wi-fi calling (ports, IP address) and enable logging on those.
Lastly disable the tcp-udp any policy once all traffic is running through the proxy policies you made earlier.
Now allow your users access to the wi-fi.
Hope that helps,
It's usually something simple.
A quick search of the ports needed for wi-fi calling shows some different ports needed for different cell service providers.
And some of those ports are used for VPN too.
So you could not easily prevent IKE VPN if you allow the ports needed for wi-fi.
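As an added example (not code from either reply), here is a small Python script for the "document all of it" step in the first reply, which also flags the IKE overlap the second reply points out: it parses allow-log lines produced while the temporary tcp-udp any policy is in place, groups them by destination, protocol and port so each tuple can become a restricted policy, and marks UDP 500/4500 because those IKE/NAT-T ports are shared between Wi-Fi calling and IKE VPN. The log format, addresses and policy name are constructed for the example and are not a real firewall's output.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real firewall output): one entry per
# connection allowed by the temporary "tcp-udp any" policy with logging on.
SAMPLE_LOG = """\
2024-05-01T08:01:12 Allow 10.50.1.21 203.0.113.10 udp 4500 policy=WiFi-Any
2024-05-01T08:01:13 Allow 10.50.1.21 203.0.113.10 udp 500 policy=WiFi-Any
2024-05-01T08:01:20 Allow 10.50.1.22 198.51.100.7 tcp 443 policy=WiFi-Any
2024-05-01T08:01:21 Allow 10.50.1.22 198.51.100.7 tcp 443 policy=WiFi-Any
2024-05-01T08:02:02 Allow 10.50.1.23 192.0.2.55 tcp 80 policy=WiFi-Any
2024-05-01T08:02:05 Allow 10.50.1.21 203.0.113.11 udp 4500 policy=WiFi-Any
"""

# Matches the constructed format: <timestamp> Allow <src> <dst> <proto> <port> ...
LINE_RE = re.compile(
    r"^\S+ Allow (?P<src>\S+) (?P<dst>\S+) (?P<proto>tcp|udp) (?P<port>\d+)"
)

# IKE (UDP 500) and IPsec NAT-T (UDP 4500): Wi-Fi calling needs them, but so
# does IKE VPN, so a policy that opens them is not limited to Wi-Fi calling.
IKE_PORTS = {("udp", 500), ("udp", 4500)}


def summarize(log_text):
    """Group allowed flows by (dst, proto, port) with a hit count and an
    ike_overlap flag; each key is a candidate for its own restricted policy."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # skip lines that are not allow entries in this format
            continue
        counts[(m["dst"], m["proto"], int(m["port"]))] += 1
    return {k: {"hits": v, "ike_overlap": (k[1], k[2]) in IKE_PORTS}
            for k, v in counts.items()}


def destinations_per_port(summary):
    """Invert the summary: for each (proto, port), the set of destination
    addresses seen, which is what a port-plus-address policy needs."""
    per_port = defaultdict(set)
    for dst, proto, port in summary:
        per_port[(proto, port)].add(dst)
    return dict(per_port)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for (dst, proto, port), info in sorted(summary.items()):
        flag = "  <- also opens IKE VPN" if info["ike_overlap"] else ""
        print(f"{dst:15} {proto}/{port:<5} hits={info['hits']}{flag}")
```

Once the real log export is in the same shape (or the regex is adapted to it), the printed tuples are the destinations and ports to put into the restricted proxy policies before the tcp-udp any policy is disabled.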
Thanks guys. I'm going to take this info and figure this out.