Application Note: Secure Enterprise Guest Access
August 2004

Introduction

More and more enterprises recognize the need to provide easy, hassle-free, high-speed Internet access to people visiting their offices without decreasing the security of their own Local Area Network. Examples of guests in need of a broadband Internet connection are suppliers, consultants, sales managers and employees from other branch offices. Guests want to send and check their e-mail, load the latest information from their file servers or search their databases for order intake and delivery, making their time at your office more productive. This requires enterprise networks to provide a new class of access called Enterprise Guest Access.

Enterprise Guest Access Networks present unique problems, and the family of Nomadix Access Gateways provides excellent solutions to these problems, making the provisioning of enterprise guest access simple and secure.

Enterprise Guest Access Networks are similar to Public Access Networks in places like coffee shops in that they face the same technological challenges. Unlike Public Access Networks, however, Enterprise Guest Access Networks require unprecedented security. Enterprise networks that provide guest access to visiting customers and partners are exposed to an ever-changing user base that is typically unknown to the network administrator. Without the Nomadix gateways, provisioning access may require reconfiguring the PC's settings to match the LAN IP and proxy settings. This raises a concern about unwanted attacks, which makes network security a concern for all users on the network and for the network administrator.

Depending upon the size of the area and the number of simultaneous guests expected, Nomadix provides the NSE (Nomadix Service Engine) on a complete family of Access Gateways:
- For larger deployments: Universal Subscriber Gateway (USG II), up to 2000 users
- For mid-sized deployments: HotSpot Gateway (HSG), up to 150 users
- For SME-size deployments: AG-2000w (Gateway + Access Point), up to 50 users
This document presents an overview of Guest Access Networks in an enterprise environment. It details the Nomadix advantage in such deployments. It suggests sample architectures for deploying Guest Access Networks using a Nomadix Access Gateway together with common technologies such as virtual LANs and access control lists while keeping the corporate network secure.

Overview

While guests like to get connected during their visit to your corporate facilities, there are many reasons why network administrators and IT managers do not want to let guests onto their networks. Their main concerns are:

- It consumes a lot of valuable IT resources: configuring visitor notebooks for access, configuring access points or switches, configuring firewalls, etc.
- It can be a security risk, since a guest can compromise confidential corporate data without even knowing it, or can infect the network with a virus or worm.
- There could be legal issues, as a guest can download or post illegal content without your knowledge.
- There could be bandwidth issues, as a visiting user can consume a big chunk of the available bandwidth, thereby denying access to your internal resources.
- There could be connectivity problems associated with the configuration of the visitor's computer, such as the SMTP setting used to send e-mail, and the DNS and proxy server settings.

All of these concerns can be addressed by using the Nomadix Access Gateways. These gateways are the brains behind offering a corporate guest access service and take care of everything from security and service provisioning to subscriber management and safeguarding your native networks. The following sections explain how IT managers can provision a Guest Access Network without reducing the overall security of their private corporate LAN. They also explain how guests' notebook PCs can be connected to the Internet without any need to change their configuration, such as IP settings or web proxy settings.
With guests connected to high-speed Internet they can be productive while visiting your offices. This note is also suited to building Hot-Spot sites where the local staff wants to use the broadband connection in a secure way for corporate use in addition to providing public access. Examples of Hot-Spot sites that can benefit are hotels, Internet cafes and restaurants.

The Nomadix Experience

In a Nomadix-enabled network, once connected to the Guest Access Network, the user starts the browser and is redirected to a Portal Page using the Nomadix Home Page Redirection functionality. On this portal page, the user enters the username and password provided by the enterprise (using the Hot-Spot Manager) or by a roaming partner (such as PicoPoint).

With the patented Dynamic Address Translation (DAT) and Transparent Proxy features, Nomadix gateways support true plug and play. This guarantees that any client computer with any configuration gets access to the network without having to reconfigure its IP, DNS, gateway and proxy settings. With these features even client computers with statically configured IP addresses are provisioned access to the network.

Nomadix gateways support different methods to authenticate users automatically. UAM, 802.1x and Smart Clients can be used seamlessly:

- UAM, Universal Access Method (web-based authentication)
  o Username and password (local or RADIUS based)
  o Credit card
  o XML
- 802.1x, using the different EAP standards (RADIUS based). EAP (Extensible Authentication Protocol) methods:
  o EAP-MD5: username/password based authentication
  o EAP-SIM: SIM card based authentication (such as used by GSM carriers)
  o EAP-TLS: certificate based authentication (such as used by SSL)
  o EAP-TTLS: Tunneled TLS, supports mutual authentication and username/password authentication inside a TLS tunnel
  o PEAP: Protected EAP, layered on EAP to provide mutual authentication and guard against man-in-the-middle attacks using TLS
- Smart clients: Gric, Boingo, iPass

After authentication, customers can connect securely to the Internet using Nomadix features such as per-user bandwidth management, IP packet forwarding, iNAT and Session Rate Limitation. These Nomadix features are developed for access in the enterprise environment and in public spaces.

Nomadix Bandwidth Control, Up and Down

The Bandwidth Management feature enables network administrators to limit bandwidth usage on a per-device (MAC address/user) basis. This ensures every user has a quality experience by placing a bandwidth ceiling (limit) on each device accessing the network. The bandwidth for each device can be defined asymmetrically for upstream and downstream data transmissions. The Nomadix platform can also manage the WAN link traffic, providing complete bandwidth management through the edge of the network.
The Bandwidth Management feature shapes traffic going through the WAN interface of the gateway to prevent its over-utilization. Using this feature the bandwidth available to public guests can be limited, thereby ensuring that the corporate network always has enough bandwidth.

Nomadix Session Rate Limitation (SRL)

Session Rate Limiting (SRL) allows administrators to throttle the number of sessions any one user can open over a given time period. If a computer exceeds this limit, all the traffic generated from that computer is dropped until the configured time interval has elapsed. Most computers infected by viruses try to open a large number of sessions. With this feature the gateway safeguards the network by limiting the number of sessions that can be created per user. The feature can be further enhanced by automatically inserting up to a configured number of violating MAC addresses into the MAC filtering table, thereby blacklisting destructive clients and preventing any further drain on valuable system resources.
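As an added illustration of the SRL behaviour described above (example code written for this note, not Nomadix's own implementation), the following Python models per-MAC session counting over a sliding window, the drop interval after a violation, and the automated insertion of repeat violators into the MAC filtering table. The limits, MAC addresses and flow records are constructed values chosen for the demonstration.

```python
from collections import defaultdict, deque

# Constructed MAC addresses: a normal visitor laptop and a host that behaves like a worm.
GOOD, BAD = "00:11:22:33:44:55", "66:77:88:99:aa:bb"

SAMPLE_FLOWS = sorted(  # constructed (seconds since start, client MAC) records, one per new session
    [(t, GOOD) for t in (0.0, 1.0, 2.0, 5.0, 20.0)]
    + [(0.1 * i, BAD) for i in range(1, 7)]       # 6 new sessions in 0.6 s
    + [(3.0, BAD)]                                # tries again while throttled
    + [(11.0 + 0.1 * i, BAD) for i in range(6)]   # 6 more once the interval has passed
    + [(12.0, BAD)],                              # tries again after being blacklisted
    key=lambda f: f[0],
)


class SessionRateLimiter:
    """At most max_sessions new sessions per MAC in any `window` seconds; a violator has all
    traffic dropped for `window` seconds and is blacklisted after max_violations violations."""

    def __init__(self, max_sessions=5, window=10.0, max_violations=2):
        self.max_sessions, self.window, self.max_violations = max_sessions, window, max_violations
        self.starts = defaultdict(deque)  # MAC -> timestamps of recent session starts
        self.blocked_until = {}           # MAC -> time at which throttling ends
        self.violations = defaultdict(int)
        self.mac_filter = set()           # the MAC filtering table (blacklist)

    def check(self, ts, mac):
        """Verdict for one new session: 'allow', 'drop' (throttled) or 'filtered' (blacklisted)."""
        if mac in self.mac_filter:
            return "filtered"
        if ts < self.blocked_until.get(mac, -1.0):
            return "drop"
        q = self.starts[mac]
        while q and ts - q[0] >= self.window:  # slide the window forward
            q.popleft()
        q.append(ts)
        if len(q) <= self.max_sessions:
            return "allow"
        self.violations[mac] += 1             # limit exceeded: throttle this MAC
        self.blocked_until[mac] = ts + self.window
        q.clear()
        if self.violations[mac] >= self.max_violations:
            self.mac_filter.add(mac)          # automated insertion into the MAC filter table
        return "filtered" if mac in self.mac_filter else "drop"


def run(flows, **params):
    srl = SessionRateLimiter(**params)
    counts = defaultdict(lambda: defaultdict(int))
    for ts, mac in flows:
        counts[mac][srl.check(ts, mac)] += 1
    return {mac: dict(c) for mac, c in counts.items()}, sorted(srl.mac_filter)
```

Running `run(SAMPLE_FLOWS)` shows the laptop's sessions all allowed, while the worm-like host is throttled after its first burst and lands in the filter table after its second.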
Nomadix SMTP Redirection

Many people have called e-mail the killer application of the Internet. Most people connect to the Internet to send and receive e-mail. In an increasingly mobile business climate, using e-mail over broadband connections while travelling can be problematic because of the SMTP settings on the client computers. The SMTP redirection feature of the NSE recognizes attempts to send SMTP mail and redirects the outgoing mail to an available SMTP server maintained by the local ISP. Since the request to send the outgoing mail now comes from a local address, the local SMTP server allows the mail to be sent. Guest network users can send e-mail using the local SMTP server even though their normal mail server would reject their requests. The recipient of the e-mail message is unaware that a surrogate SMTP server was used. To the recipient the message looks completely normal and can be responded to like any other message.

Nomadix iNAT, VPN Plug and Play

The benefits of iNAT can be summarized as follows:

- Dramatically increases the reusability of costly public IP addresses while forming concurrent VPN connections.
- Improves the success rate of VPN connectivity for mis-configured users, thus reducing customer support costs and boosting customer satisfaction.
- Maintains the security benefits of traditional address-translation technologies while enabling secure VPN connections for mobile workers to access corporate resources from a public-access location.
- Dynamically adjusts the mode of address translation during the user's session depending on the packet type.
- Supports users with static private (e.g. 192.168.x.x) or public (different subnet) IP addresses without any client IP setting changes.

Packet Filter

Blocks traffic based on a specific web address (DNS name or IP address). In the future this will also be able to block traffic based on the type of application (e-mail, FTP, web browser, etc.), which is specified by port number, thereby acting like a screening router.

A Nomadix gateway is the ideal solution for all these scenarios and creates the ideal work environment for guests who want easy-to-use and secure access to the Internet without putting a burden on your own IT staff.
Sample Network Architectures

The following section provides details on how technologies such as Virtual LANs (VLANs) and firewalls are used to ensure security when used in conjunction with a Nomadix Access Gateway.

Set-up #1: Guest access to the public Internet in the lobby/meeting room of the enterprise, sharing the existing Internet connection

The following diagram shows an example of the enterprise network architecture that could be deployed, where the Nomadix gateway is connected to an available (unused) Ethernet interface of the Internet router in order to separate the traffic of the guests from the closed enterprise network data. This separation can be done via VLANs, access lists or firewall implementations. Most currently shipping Cisco routers support all of these security implementations. Access list support is also included in the various ADSL and broadband routers supplied by D-Link, Linksys, Allied Telesyn and Zyxel.

Solution 1: The easy-to-deploy solution is to use the Nomadix AG2000w (+) connected to the router. Access to the enterprise network from the guest access network is prohibited using access control lists on the router.

Figure 1
Solution 2: The Nomadix AG2000w (+) uses a predefined VLAN to connect directly to the existing router. By using a VLAN switch, segregation of the traffic is done at Layer 2, which gives a higher degree of security. Guest and enterprise traffic are on separate VLANs and broadcast domains.

Figure 2
Solution 3: Another possibility is to connect the router to an available (unused) trunk port of a VLAN switch. The Nomadix gateway is then also connected to the switch. The Nomadix gateway and the enterprise LAN are on separate VLANs. In this setup traffic from the enterprise LAN is effectively secured at Layer 2.

Figure 3
Set-up #2: Guest access to the public Internet in the lobby/meeting room of the enterprise using a separate Internet connection

In this scenario, the Nomadix gateway is connected to the Internet using separate WAN connections. VLANs can be used on the subscriber side to segregate traffic. Again, in this setup traffic from the enterprise LAN is effectively secured at Layer 2.

Figure 4
Set-up #3: Public Internet access in many locations of the enterprise

The third scenario is the combination of the Nomadix HSG/USG gateway and third-party access points that support VLANs in combination with multiple SSIDs. A combination of public and private wireless VLANs is supported on the same network.

Figure 5

The enterprise wireless users can transparently use 802.1x authentication, in addition to UAM (Universal Access Method) for the guest users.
Guest User Experience

Step 1: The guest selects the SSID of the Guest Access Network.
Step 2: The guest opens a browser and is redirected to the configured Portal Page.
Step 3: The guest logs in by entering the username and password provided by the enterprise or the roaming partner.
Step 4: The guest is connected to the Internet.

Summary

Enterprises can provide secure Guest Access in an easy-to-use, transparent way that does not take up valuable IT time and resources by using the Nomadix gateways. The network can be protected by the use of VLANs and their ability to logically separate traffic within the network. In addition, the local guest network is protected from external attacks by the use of Plug and Play (DAT), Session Rate Limitation and Bandwidth Control. With features like SMTP Redirect and iNAT (VPN Plug and Play) the Nomadix Access Gateways guarantee a seamless and complete experience to the guest user.