The Team
It happens in almost every sport; there is a home team and a visiting team. If you watch professional sports, you will notice that many of these professionals know each other and even have relationships with some of their opponents. This all ends when the game begins; at this point both sides work hard to beat the opponent and give their team the advantage that will hopefully translate into a win.
The IT Team
This situation happens in the IT world as well. Most companies have vendors, partners, and even consultants working with them on different projects. While it is desirable to have a strong working relationship with these people, it is often too easy to forget that these people are visitors to your network and should be treated as such. There is a lot of potential for security issues stemming from these visitors to your corporate network.
Visitors and Malware
Without examining any malicious intent, these visitors can inadvertently introduce malware into your network simply by being a trusted resource that bypasses your corporate border security. One way that this risk can be mitigated is to have a visitors network.
A visitors network can be wired or wireless but should have these core elements:
- Usage Agreement Employees have to sign an acceptable use policy and visitors to the corporate network must be held to the same standards. As part of any financial/work contract, a section should be devoted to requiring these visitors to uphold corporate security policies. This also makes any outside resource working on your corporate network aware of your security policies, as they may differ from their own internal security policies.
- Isolated Network This visitor network should be on a network segment that is isolated from the corporate network. This network can exist in a DMZ or within the corporate network with the inability to route to corporate resources. By isolating visitors from corporate resources, you can offer the ability for visitors to access the Internet or even their corporate mail resources.
- Printing While this may not seem like a security issue, some clients have stated that the reason for placing visitors within the corporate network is the necessity for these visitors to print. A simple network printer is a lot less expensive than a large clean-up effort due to a worm or virus outbreak.
- Firewall A firewall may be the method used to isolate the visitor network. If it is not, a firewall should still be used, both to protect corporate resources from being compromised and to protect your visitors, who may be working on corporate documents, from compromise.
- Auditing Internet usage of this network must be audited. The corporation owns the network and is as liable for this network as it is for the main corporate network. This network can simply be audited by using a proxy server and reviewing the logs.
Additionally, for wireless networks:
- Hidden SSID Hiding the SSID of a wireless network will prevent interlopers from attaching to the corporate wireless network by discovering it using many of the available scanning tools, and will reduce the ability of corporate users to leverage this network to bypass corporate security controls.
- Secure the Wireless Connection It is unlikely that you will be able to install software on visitors' computers, but you can still leverage many of the wireless security levels offered by vendors today.
- Rotate the Wireless Security Key Frequently In the event that internal users do discover the SSID and the network key, rotating the wireless security key will reduce abuse of this network by inhibiting a user's ability to attach to this network.
- MAC Filtering/Corp Asset Auditing Use MAC address filtering on the wireless router if the frequency of visitors to the network is low. MAC address filtering could be cumbersome if the number or frequency of visitors is high. In this case rely on auditing of connections to the wireless network and auditing of Internet access logs to ensure that corporate users do not attach corporately controlled assets to this network in an attempt to bypass security controls.
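The connection auditing described under Auditing and MAC Filtering/Corp Asset Auditing can be partly automated. The Python below is an added example, not part of the original article; the log format, the inventory, and the host names are constructed assumptions. It matches visitor-network associations against a corporate MAC inventory and separately reports randomized (locally administered) MAC addresses, which cannot be matched against an inventory at all.

```python
import re

# Constructed sample data: a hypothetical corporate inventory and visitor-WLAN
# association log. The log format is an assumption, not a real vendor format.
CORP_ASSET_MACS = {"00-1A-2B-3C-4D-5E": "LAPTOP-FIN-014", "0011.2233.4455": "LAPTOP-ENG-207"}

SAMPLE_LOG = """\
2024-05-02T09:14:07 assoc ssid=visitor mac=00:1a:2b:3c:4d:5e ip=10.99.0.21
2024-05-02T09:15:40 assoc ssid=visitor mac=3c:22:fb:10:20:30 ip=10.99.0.22
2024-05-02T09:20:11 assoc ssid=visitor mac=da:a1:19:00:00:01 ip=10.99.0.23
2024-05-02T09:31:55 assoc ssid=visitor mac=0011.2233.4455 ip=10.99.0.24
2024-05-02T09:32:00 malformed line without a mac
"""

LINE_RE = re.compile(r"^(\S+) assoc ssid=(\S+) mac=(\S+) ip=(\S+)$")

def normalize_mac(raw):
    """Return 12 lowercase hex digits, or None if raw is not a MAC address."""
    digits = re.sub(r"[:\-.]", "", raw).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def is_locally_administered(mac):
    """True when the locally-administered bit is set (typical of randomized MACs)."""
    return bool(int(mac[:2], 16) & 0x02)

def audit(log_text, inventory):
    """Classify each association as corporate asset, unverifiable, or skipped."""
    corp = {normalize_mac(m): name for m, name in inventory.items()}
    findings = {"corporate_asset": [], "unverifiable": [], "skipped": 0}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        mac = normalize_mac(m.group(3)) if m else None
        if mac is None:
            findings["skipped"] += 1  # count unparsed lines so gaps are visible
        elif mac in corp:
            findings["corporate_asset"].append((m.group(1), corp[mac], m.group(4)))
        elif is_locally_administered(mac):
            findings["unverifiable"].append((m.group(1), mac, m.group(4)))
    return findings

if __name__ == "__main__":
    result = audit(SAMPLE_LOG, CORP_ASSET_MACS)
    for ts, host, ip in result["corporate_asset"]:
        print(f"{ts} corporate asset {host} on visitor network at {ip}")
    for ts, mac, ip in result["unverifiable"]:
        print(f"{ts} randomized MAC {mac} at {ip}: cannot match against inventory")
    print(f"skipped lines: {result['skipped']}")
```

The source IP recorded with each finding can then be looked up in the proxy server logs to review what that device accessed.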
Conclusion
Corporate Security spends a great deal of time keeping users secure as they navigate the Internet and even more time preventing external threats from gaining access to the corporate network. Setting up a properly planned visitors network keeps this work from going to waste through threats being invited into your network, and keeps those threats outside of the network you are trying to defend.