Guest Wireless Internet Firewall Rules

John Capobianco
Level 1

Good morning -

I am hoping to find a sample, guide, best practices, and practical example of a set of Internet firewall rules for wireless guest users. Common current services and applications for tablets (Skype, Apple services, etc.) must work, and I would also like to identify commonly blocked outbound ports for wireless guest users. The service should have a more open ruleset but still be secure. Even a good starting point would help.

Thanks!

3 Replies

Stephen Rodriguez
Cisco Employee

There really isn't a sample or best practices for this.

It all depends on what you are looking to do. 

IMO, the guest network should only be blocked from reaching the internal network. Other than that, leave it open, but maybe use QoS/AVC and mark them as lower priority so they can't utilize a lot of your interwebz bandwidth.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

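The "block the internal network, leave the rest open" policy above, written out as an added example (not from this thread or from Cisco) as an IOS-style extended ACL on the guest VLAN gateway. The VLAN number, the guest subnet and the resolver address 192.0.2.53 are assumed placeholders; adjust them to your environment.

```cisco
! Inbound ACL on the guest SVI: traffic *from* guest clients is evaluated here.
! Order matters: the DHCP/DNS permits must precede the RFC 1918 denies,
! otherwise guests on a private subnet can never obtain a lease or resolve names.
ip access-list extended GUEST-IN
 remark -- Allow DHCP so clients can get an address (broadcast to the relay/server)
 permit udp any eq bootpc any eq bootps
 remark -- Allow DNS only to the guest resolver (placeholder 192.0.2.53)
 permit udp any host 192.0.2.53 eq domain
 permit tcp any host 192.0.2.53 eq domain
 remark -- Block every RFC 1918 range: this is the one thing guests must never reach.
 remark -- 'log' gives you a record of guests probing internal space; on busy SVIs
 remark -- rate-limit or drop the keyword, since logged denies are punted to the CPU.
 deny   ip any 10.0.0.0 0.255.255.255 log
 deny   ip any 172.16.0.0 0.15.255.255 log
 deny   ip any 192.168.0.0 0.0.255.255 log
 remark -- Everything else (Skype, Apple services, VPNs on odd ports) goes out untouched
 permit ip any any
!
interface Vlan900
 description Guest wireless (placeholder VLAN)
 ip address 192.168.200.1 255.255.255.0
 ip access-group GUEST-IN in
!
! Verify which lines are actually matching; a growing hit count on the deny
! lines is a cheap early warning that a guest device is scanning internal space.
! show ip access-lists GUEST-IN
```

If the guest resolver or DHCP relay sits inside RFC 1918 space, add its host address as a permit above the deny lines rather than widening the deny ranges.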

Thank you for the reply. We are using the WLC to rate limit guest bandwidth and are approaching this with near-wide-open access to the Internet on the guest network. Just trying to see if there are commonly blocked ports or blocked services applied, or if we simply use Layer-7 aware / application aware services to block things like torrents but allow Skype, for example.

I'd stick with Layer 7 aware services.  That way you can drop or mark down bandwidth hogs, but still let the users get where they need to.

The problem with FW/ACL is you never know what a user is going to need. I had a customer years ago who had changed the ports her VPN used. If you didn't know what they were, they would never be able to connect.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
