Actually putting them in a DMZ is a great idea. For several reasons:
1 - no access to your corporate systems
2 - if they have a virus it will not pound your systems or networks
3 - with captive portal you control access
I would also limit their bandwidth usage. Don't want them bogging down your T1
using bit torrent or winmx.
Another suggestion for a setup like this if you are concerned is to put in
another firewall in bridged mode running snort. A bit advanced (beyond m0n0)
but for corporate networks who have a lot of "guests", i.e. vendors, etc, it is
also a good step to prevent "bad" behavior.
Quoting Mikael Bohlin <Mikael dot Bohlin at se dot flextronics dot com>:
> Good thought, and that is what I will do.
> But I also want the guest to logon from a web page, so they do not get full
> Internet access at once...
> So I'll use MonoWall for the Captive Portal and the logon page there...
> Or could I do that in any other way?
> -----Original Message-----
> From: Bryan Kohlstedt [mailto:bk at aventuremail dot com]
> Sent: den 8 juli 2004 14:41
> To: m0n0wall at lists dot m0n0 dot ch; Mikael dot Bohlin at se dot flextronics dot com
> Subject: Re: [m0n0wall] Odd kind of setup?
> Is there a reason you're not putting the visitors in a dmz? I'm doing
> something similar to you except all my visitors are going to go in the dmz
> so they have unfiltered access to the internet (wan interface) but no access
> to our machines on our network (lan interface).
> ----- Original Message -----
> From: "Mikael Bohlin" <Mikael dot Bohlin at se dot flextronics dot com>
> To: m0n0wall at lists dot m0n0 dot ch
> Sent: Thursday, July 08, 2004 02:55 AM
> Subject: [m0n0wall] Odd kind of setup?
> I'm about to test the Monowall in a slightly different scenario than what I
> guess most of you guys do.
> I am about to build a separate network for our visitors and guests. From
> this Visitor network our guests should get Internet access but no access to
> our company resources.
> On this network I connect the Monowall LAN interface, enable DHCP and DNS
> forwarding. I will also use the Captive portal function, forcing them to log
> on first.
> On my company network I connect the Monowall WAN interface.
> With this setup a couple of questions pop up:
> - Can I disable the Management on the LAN interface??? I do not want any
> clever visitor trying to logon to the Monowall and changing stuff.
> - When a user logs on to the Captive portal page, it performs a HTTP POST
> sending the user ID and password in clear text. Any user with a network
> sniffer will easily find the others' credentials... Can this be changed into
> a HTTPS-POST??? It would add a lot of security into it.
> Mikael Bohlin
> IT Security Coordinator
> Flextronics Network Services
Pitbull Technologies <http://www.pittech.com/>
Protecting your Digital Assets
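Added example, not from the thread or from m0n0wall: a first-match policy model of the visitor segment the thread describes (guests reach the Internet and the firewall's own DHCP, DNS and captive portal, but not the corporate networks or the firewall's management interface). All addresses, the 8000 portal port and the management ports are assumptions chosen for illustration; the bandwidth limiter and the bridged snort box from the reply are outside this model.

```python
"""
Policy model for a visitor segment behind a firewall (example code, not the
firewall's own ruleset). First matching rule wins, then default deny.
All addresses and ports below are assumed values for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, List

# Assumed addressing (not from the thread):
GUEST_NET = ipaddress.ip_network("10.99.0.0/24")      # visitor segment on the firewall's LAN side
CORP_NETS = (ipaddress.ip_network("192.168.0.0/16"),  # corporate networks behind the WAN side
             ipaddress.ip_network("172.16.0.0/12"))
FW_LAN_IP = ipaddress.ip_address("10.99.0.1")         # firewall's address on the visitor segment
FW_HOST = ipaddress.ip_network("10.99.0.1/32")
PORTAL_TCP = 8000                                     # assumed captive-portal listener port
MGMT_TCP = frozenset({22, 80, 443})                   # assumed SSH / web GUI ports


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "deny"
    name: str
    proto: Optional[str] = None          # None matches any protocol
    dst_nets: tuple = ()                 # empty tuple matches any destination
    dports: frozenset = frozenset()      # empty set matches any port

    def matches(self, flow: Flow) -> bool:
        dst = ipaddress.ip_address(flow.dst)
        if self.proto is not None and self.proto != flow.proto:
            return False
        if self.dst_nets and not any(dst in net for net in self.dst_nets):
            return False
        if self.dports and flow.dport not in self.dports:
            return False
        return True


# Rules for traffic entering on the visitor (LAN) interface, first match wins.
GUEST_RULES: List[Rule] = [
    Rule("allow", "dhcp (broadcast to the firewall's DHCP server)", "udp", (), frozenset({67})),
    Rule("allow", "dns forwarder on the firewall", "udp", (FW_HOST,), frozenset({53})),
    Rule("allow", "captive portal login page", "tcp", (FW_HOST,), frozenset({PORTAL_TCP})),
    Rule("deny", "management ports on the firewall", "tcp", (FW_HOST,), MGMT_TCP),
    Rule("deny", "anything else aimed at the firewall itself", None, (FW_HOST,)),
    Rule("deny", "corporate networks", None, CORP_NETS),
    Rule("allow", "internet via WAN", None),
]


def decide(flow: Flow) -> Tuple[str, str]:
    """Return (action, reason) for a flow seen on the visitor interface."""
    # Anti-spoofing: only guest-segment sources are valid on this interface.
    if ipaddress.ip_address(flow.src) not in GUEST_NET:
        return ("deny", "source not in the visitor segment")
    for rule in GUEST_RULES:
        if rule.matches(flow):
            return (rule.action, rule.name)
    return ("deny", "implicit default deny")


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("tcp", "10.99.0.23", "93.184.216.34", 443),    # guest browsing the Internet
    Flow("tcp", "10.99.0.23", "192.168.10.5", 445),     # guest probing a corporate file server
    Flow("tcp", "10.99.0.23", "10.99.0.1", 443),        # guest trying the firewall's web GUI
    Flow("tcp", "10.99.0.23", "10.99.0.1", PORTAL_TCP), # guest reaching the portal login page
    Flow("udp", "10.99.0.23", "10.99.0.1", 53),         # guest DNS lookup via the forwarder
    Flow("udp", "10.99.0.23", "255.255.255.255", 67),   # guest DHCP discover
    Flow("tcp", "192.168.1.9", "93.184.216.34", 80),    # spoofed corporate source on guest side
]


def evaluate_samples() -> List[Tuple[Flow, str, str]]:
    """Run every constructed sample flow through the policy."""
    return [(f,) + decide(f) for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for flow, action, reason in evaluate_samples():
        print(f"{action:5} {flow.proto} {flow.src} -> {flow.dst}:{flow.dport}  ({reason})")
```

The ordering matters: the portal allow sits above the management deny so that a guest can log in, while the two firewall-host denies above the corporate deny make sure nothing reaches the firewall's own services by accident when the corporate ranges are later changed.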