The right way to Guest-Network


Network Positioning

Get off my LAN!

Ideally a separate line completely, consider a guest network provider, let them install some kit, let them worry about it, but that’s only part of the problem and if you want more control or visibility, consider running another line for the guest network on kit that doesn’t touch corporate networks.

Registration portal

Name, email, business and a person or purpose they are  visiting is all the information you really need, check with your DPO/GDPR guru to how that information is kept and handled, but look for a system that can provide an open wifi that will only allow visitors to login or register, then internet is granted, this is better than a pre-shared key because what happens is the visitor provides their Name and who they’re visiting, that could then be sent to the person they’re visiting and that person can enable wifi for that person for a duration of time. there is a whole bunch of accountability going on here, goodie.

You wont have to worry about attacks on your pre-shared key because the network will be open to join but access needs to be granted to use ‘the net’, and the only way to have access granted is to have it approved by a member of staff or someone with a corp email address you get some good network data if you want to do logic on MAC address / User patterns or set up some alerting for things that are worth investigating such as multiple users on one MAC address, or vice-versa, whatever.

While the registration portal might sound  like a bit of ball-ache, it will be worth it once it’s singing and dancing, all users in certain groups can grant visitor access for a maximum of time and if the visitor is visiting a user not in those groups they can fill out a guest form that goes to an Infosec/network access approver. … this also means your AD has to be in shape, SHUT UP I DIDNT MAKE THE RULES.

Client Isolation

This is the biggy, if there is one thing you can only do out of all this stuff, it’s client isolation, guest networks need internet access, they dont need to see their neighbours, they dont need to be able to explore subnets, dont let them, it will be a huge benefit to their security, it will thwart attackers and keep client safer from other possible network aware infections / worms / internet badness.

If you let corp machines on guest, soon you’ll let guest machines on the corp

I’ve been Pentesting and doing security problems for over 10 years now and there hasn’t been one time that I’ve joined a guest network and not seen corporate systems on there… hacking usually goes like this;

Crack the guest network or join the guest network via a registration portal, enumerate the subnet, poison the machines that look like they’re following a asset naming convention get da credz, and or compromise the host

With creds your path is ; what can I authenticate against with these creds to get me a network foothold  or an authenticated resource ?

With a compromised host you can rinse the box, enumerate the tech for attacking other systems on the corp … if you wanted to be an asshole you could remove the wireless driver once you’d implanted forcing them to look for a docking station or a cat5 … anyway, options.

Corp staff will use the guest network if they can, because the guest network offers less restrictions, it probably lets them use that site they can’t go on when they’re on corp, or maybe it’s just easier for technical reasons they dont understand

Once they know how to get on the wireless network you have that problem … and the bridging problem, if a system has two interfaces online the cat5 and the wifi that’s real useful to an attacker to egress more seamlessly out of the wireless interface so that those cool network-span style defence appliances dont see that traffic … hmmm *cough* Darktrace *cough* or less conveniently detecting when the machine is off-domain and then beginning exile of output whatever that may be … (slower)

You could block machines from joining specific wireless networks but they’re gonna be at risk on other wireless networks anyway … such as home/airport/… any other network ever … but what’s going to be better is if you have a VPN client that detects off-domain networks and dials in, guest network aside, you want your staff to be able to work at any time at any location, if they chose too.

So we’re moving to a defensive position now where all corp portables VPN back into the network to do corpy things. good. they will once VPN’d back in, fall under the same network controls as the rest of the corp devices. sleep well!


Got you thinking ?

Think about the attack path, think about if it negates expensive security controls that at this point might just be lip service to make people shut up or feel safe, if this scenario resinates or makes you feel nervous get in touch with your friendly security company, if I’m busy I’d be happy to recommend some probably-better-than-me-security-experts that would never admit they where expert.

Other important things to consider are, making sure your registration portal get’s absolutely smashed in by application security professionals (see pentesters) and before buying or choosing a provider make sure that they give a shit about security.


*There may be some residual client side attack surface, that will depend on your software and configuration subject status to attack and exploit availability terms and conditions apply.