Best Practices for Restricting Outbound Internet Access
My company has asked me to set up a wireless network for employees so they can use their personal phones to access a time keeping app and to make WiFi enabled phone calls as needed, but nothing else. I have the wireless network set up on a VLAN and it has a dedicated interface (currently set to a type of Trusted) on the firewall. The problem I am having is coming up with the best way to do this. Application Control, WebBlocker or Proxies. The more I look into this, the more concerned (and confused) I get about setting this up correctly.
So, are there any examples, suggestions or best practices that someone would be willing to share?
Thx,
Mark
Best Answer
Hey Mark,
I would start by changing the network interface from Trusted to Optional or VLAN if that is really how it's configured.
Next I would set up two outbound policies for the Wi-Fi (Optional) network, one for DNS and the other a tcp-udp any from the Wi-Fi (Optional) to any External and enable logging.
Now test on your own device what ports and IP address the time app uses, and also the ports and IP address for Wi-Fi calling and document all of it.
Once you know where everything is going, create proxy policies for both the time app and wi-fi calling (ports, IP address) and enable logging on those.
Lastly disable the tcp-udp any policy once all traffic is running through the proxy policies you made earlier.
Now allow your users access to the wi-fi.
Hope that helps,
- Doug
It's usually something simple.
Answers
A quick search of the ports needed for wi-fi calling shows some different ports needed for different cell service providers.
And some of those ports are used for VPN too.
https://www.att.com/support/article/wireless/KM1114459/
https://www.t-mobile.com/support/coverage/wi-fi-calling-on-a-corporate-network
So you could not easily prevent IKE VPN if you allow the ports needed for wi-fi.
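The discovery step in Doug's answer (leave a logged tcp-udp any policy open, test from your own device, then document every destination and port before writing the narrow proxy policies) is mostly log reading. The script below is an added example, not code from the thread or from any firewall vendor: it parses a constructed, generic key=value log format (not a real vendor's syntax) for a handful of made-up flows from the Wi-Fi VLAN, counts the allowed destinations per policy into a candidate allow-list, and flags the entries that land on the IKE/NAT-T ports (UDP 500 and 4500), which is the overlap the second answer points out: a rule that permits those ports for Wi-Fi calling cannot, by port alone, exclude an IPsec VPN client. Policy names, addresses and the `IKE_PORTS` set are assumptions for the example.

```python
"""Summarise logged outbound flows from the Wi-Fi VLAN into a candidate allow-list.

Added example for this thread; it assumes a constructed, generic one-flow-per-line
log format and hypothetical policy names, not any vendor's real log syntax.
"""
import re
from collections import defaultdict

# Constructed sample log lines (documentation addresses from RFC 5737 / RFC 1918).
SAMPLE_LOGS = """\
policy=Wifi-Any-Out src=10.20.0.15 dst=203.0.113.10 proto=tcp dport=443 action=allow
policy=Wifi-Any-Out src=10.20.0.15 dst=203.0.113.10 proto=tcp dport=443 action=allow
policy=Wifi-DNS src=10.20.0.15 dst=10.0.0.53 proto=udp dport=53 action=allow
policy=Wifi-Any-Out src=10.20.0.15 dst=198.51.100.7 proto=udp dport=500 action=allow
policy=Wifi-Any-Out src=10.20.0.15 dst=198.51.100.7 proto=udp dport=4500 action=allow
policy=Wifi-Any-Out src=10.20.0.16 dst=192.0.2.44 proto=tcp dport=443 action=allow
policy=Wifi-Any-Out src=10.20.0.16 dst=192.0.2.44 proto=tcp dport=80 action=deny
"""

LINE_RE = re.compile(
    r"policy=(?P<policy>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)"
)

# Ports an IKE/IPsec VPN client also uses: UDP 500 (IKE) and UDP 4500 (NAT-T).
IKE_PORTS = {("udp", 500), ("udp", 4500)}


def parse_flows(text):
    """Parse log text into a list of dicts; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        flow = m.groupdict()
        flow["dport"] = int(flow["dport"])
        flows.append(flow)
    return flows


def summarise(flows, policy):
    """Return {(dst, proto, dport): hit_count} for flows the named policy allowed.

    Denied flows are excluded: they never reached the destination, so they are not
    evidence that the app needs that port.
    """
    counts = defaultdict(int)
    for f in flows:
        if f["policy"] == policy and f["action"] == "allow":
            counts[(f["dst"], f["proto"], f["dport"])] += 1
    return dict(counts)


def vpn_overlap(summary):
    """Allow-list entries on IKE/NAT-T ports, i.e. ones a port rule cannot separate from VPN."""
    return sorted(key for key in summary if (key[1], key[2]) in IKE_PORTS)


def render_allowlist(summary):
    """One human-readable line per candidate rule, with the VPN-overlap caveat marked."""
    lines = []
    for (dst, proto, dport), hits in sorted(summary.items()):
        note = "  # shared with IKE/NAT-T: port alone does not exclude VPN" \
            if (proto, dport) in IKE_PORTS else ""
        lines.append(f"{proto}/{dport} -> {dst}  ({hits} hits){note}")
    return lines


if __name__ == "__main__":
    observed = summarise(parse_flows(SAMPLE_LOGS), "Wifi-Any-Out")
    print("\n".join(render_allowlist(observed)))
    print("entries to review for VPN overlap:", vpn_overlap(observed))
```

Run it against the real export from the logged any policy once the test phone has used both apps for a while; the allow-list it prints is the input to the narrow proxy policies, and the flagged entries are the ones where a port rule needs something beyond the port (destination restriction at least) to keep the network to "nothing else".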
Thanks guys. I'm going to take this info and figure this out.
Thanks again,
Mark