Friday, June 1, 2012

Isolate WiFi from LAN with Smoothwall Proxy


BYOD (bring your own device) has recently become a burden in the workplace. Employees, clients, and vendors are bringing laptops, iPads, and iPhones into your workplace. Most expect a WiFi connection, and this has serious security implications. You want to give your users (especially clients) that freedom, yet at the same time you want to protect your private internal network. We want our clients to surf the web but not be able to reach our file and print services.

The way to do this is to isolate WiFi traffic from the internal LAN. Preferably, place the WiFi network on its own, separate network.

This was exactly the dilemma I faced 9 months ago. How do we provide WiFi yet make sure it is not abused? Our other consideration was cost.

We had already spent a load of money on our main firewall, switches and network. We had no budget to introduce a secure WiFi appliance that could cost in the thousands. Yet we needed features like QoS (Quality of Service), a proxy, advanced logging, and many of the enterprise features you find on Cisco or Juniper products.

Our solution? We ended up with an open-source system called Smoothwall (http://www.smoothwall.org/). Smoothwall is a lightweight open-source firewall project.

We like it because it provided us with DHCP and a Squid proxy that work transparently, without any end-user configuration.
Our WiFi users do not know they are behind a proxy unless they visit a prohibited site, such as porn or BitTorrent. This also allowed us to give semi-admin access to people we trust, but not enough to give them access to the main firewall. Furthermore, because it is a separate system from our LAN, it lets us keep the Internet logs separate. The logs of clients using our WiFi are not as critical as the logs of employees on the internal LAN.


Smoothwall can run on minimal hardware. The installer ISO CD image is a mere 115 megabytes. It runs on an old Pentium 4 with 1GB of RAM and a compact-flash card. Instead of junking old equipment, we constantly find new uses for it thanks to open source. It has worked surprisingly well, serving over 60 concurrent users on a daily basis.


The network topology is very simple. Like most businesses that provide public-facing Internet services, we have two network zones: our LAN and our DMZ (De-Militarized Zone). The DMZ is where we host web servers that are isolated from our internal LAN. We could have run a third zone but prefer to keep it simple for remote VPN access.



We placed our new Smoothwall WiFi proxy server inside our DMZ. The main firewall already blocks traffic based on various rules. Now, with the Smoothwall box, we have a second layer of firewall protection. If someone breaks out of our WiFi zone, they would have to go through two layers of firewalls to reach internal LAN services. Access points (APs) are then tethered to the Smoothwall appliance. I have various base stations and repeaters connected only to the Smoothwall box.




As I mentioned earlier, Smoothwall runs nicely on older, lower-spec machines. Installation is very straightforward. You set up your network zones and you are ready to go. At minimum, you need two: Red and Green. Red for protected traffic and Green for WAN. You will need at least two Ethernet cards. You could run on one card if your switch supports VLANs and you want to go through the extra configuration. I prefer to keep it simple and stick to the two-NIC method.


(Look, someone likes to spend time on hulu.com.)

Once set up, you can do the majority of your configuration through the web browser interface. There are some nice logging tools and configuration settings.
If you need to do anything more complicated, like modifying the Squid proxy with exotic rules, you can always SSH into the console and configure it manually. This is the beauty of *NIX-based operating systems.

I can easily log into this box from my iPad via SSH and set rules to block users from using Facebook/Twitter at 7AM.
For non-technical users, the web interface works rather intuitively. A non-technical user can probably set QoS (Quality of Service) rules, such as slowing down video-streaming traffic or disabling peer-to-peer traffic.
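As an added example (not from the original post or from the Smoothwall project), here is what the 7AM Facebook/Twitter rule above looks like as Squid ACLs, alongside a rule that stops WiFi clients from reaching internal addresses through the proxy. The 192.168.50.0/24 WiFi range, the internal ranges and the one-hour window are assumptions; substitute your own.

```conf
# Added example; address ranges, domain lists and the time window are assumed.

# The WiFi zone behind the Smoothwall box (assumed range)
acl wifi_zone src 192.168.50.0/24

# Internal LAN and DMZ address space that WiFi clients must never reach
# via the proxy (assumed RFC 1918 ranges; trim to what you actually use)
acl internal_nets dst 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

# Social sites and the weekday morning window (7:00-8:00, Mon-Fri)
# A leading dot matches the domain and all its subdomains.
acl social dstdomain .facebook.com .twitter.com
acl morning time MTWHF 07:00-08:00

# Order matters: Squid applies the first http_access line that matches,
# so the deny rules must come before the allow for the WiFi zone.
http_access deny wifi_zone internal_nets
http_access deny wifi_zone social morning
http_access allow wifi_zone
http_access deny all
```

Check the file with `squid -k parse` before applying it with `squid -k reconfigure`. A transparent proxy only sees the ports that are redirected to it (typically 80), so the firewall rules on the Smoothwall box must still block direct WiFi-to-LAN traffic rather than relying on the proxy alone.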

In summary, there are many good, free, viable open-source solutions to BYOD. You can safely provide WiFi and isolate it from your internal network. In fact, it works so well that I will be implementing a similar system at home when my children are of high-school age.
