J Wolfgang Goerlich's thoughts on Information Security
Strategies for allowing guest access

By wolfgang. 13 November 2003 12:32

From time to time, guests and other non-employees will need access to an organization’s network. This poses a bit of risk as their equipment has an unknown security posture. It is not unheard of for a vendor to bring a fast spreading worm into an organization, and give it free reign behind the firewall. Oh it is always on accident to be sure, but there is damage nonetheless.

What are some of the strategies for allowing access while minimizing risk?

Kiosks. This falls under the “don’t do it” line of thinking. Rather than allow guest access onto the network, provide guest accounts to kiosk computers thru out the facility. Pros: no risk from infected computers; controlled environment. Cons: reduced collaboration; increased equipment costs; may cause political pushback.

Trust but verify. Dispatch a support person to scan any notebooks or media the vendor is bringing in. Ensure it meets your security standards. Have the guest sign an acceptable use policy. Pros: reduced risk of infected computers brought into the environment. Cons: increased personnel costs; decreased responsiveness time (which may translate to dollars, if the consultant cannot work; may cause political pushback.

Trust but segment. Put computers not managed by the organization onto a separate network. I have seen this done two ways. Use network-level authentication and route computers onto a wired vlan. Alternatively, use network-level authentication to block all non-managed devices, and then provide guest wireless. Either way, keep the guest traffic separate from trusted traffic.

Trust but really segment. Take the last one a few notches further. I have seen separate network switches used for guests and production. The air gap is a good measure to prevent against accidental misconfiguration. I have also seen separate Internet connections, to avoid the guest traffic competing for bandwidth.

Those are some options. Are you using one that I did not cover? Let’s discuss.

Tags:

Operations Security | Systems Engineering

    Log in