Guest Network to WAN - Firewall Security

Posted by Cheesedoff@reddit | sysadmin | View on Reddit | 6 comments

Hello, I am interested in what other orgs are allowing on their Guest Network to WAN firewall rules. We have our guest network segregated by VLAN and it cannot communicated with any other internal networks. However, our Guest to WAN (internet) firewall rule only allows HTTP/HTTPS and a few other web and email related ports. Lately we have had some people complain about certain smart phone apps not working on the guest wifi. After doing some digging I found that some apps require other ports to be allowed in order to fully work. One example is the Sonic Drive-In app, it would not allow you to get to the check out screen. When I did a packet trace it showed port 5671 was blocked. I opened it as a test and now the app works. I have a few other apps with similar connection issues. Does anyone just allow Guest to WAN with ANY service allowed? If so, do you consider this safe from a cybersecurity standpoint?

6 Comments

[-]

pdp10@reddit

You probably want to block outbound `tcp/25`, since your guests are not legitimate mail servers with DNS PTRs and SPF. Your rulebase as summarized would block IPsec (`ip/50`, `udp/500`, possibly `ip/51`) and IKEv2 (`udp/500` and `udp/4500`) VPNs, forcing users to TCP-in-TCP VPNs with concomitant risk of problems. It also blocks conventional DNS lookups on `udp/53` and `tcp/53`, which can sometimes be justifiable, except that you're not doing it explicitly and you're not blocking DoH. Likewise for `udp/123`, NTP time service.

mr_wolfwolf@reddit

I'd either open it all up or tell people to use their cell signal to get Sonic pickup ^_______^

mtopper_cw@reddit

The biggest risks are liability and IP reputation. For example, if someone starts pirating, is infected, or is used as a jump host for a threat actor. The last thing you need to deal with is your public IP being blocked from Akamai, AWS, or Cloudflare because some visitor with an infected laptop connected it to the guest network. I like to route guest traffic out its own IP when there's space for it, usually when the environment has a block of 5. There's also a very strong argument that you have the exact same risks from internal hosts, even though you do control the security posture of those endpoints and that's why you still use security services on edge devices, even in 100% SaaS environments. Also, consider what the goals are. From your example, nobody is going to spend time troubleshooting that the Sonic Drive-In app isn't working. If Zoom or Teams doesn't work on guest wi-fi that's worth troubleshooting. To answer your direct question, I find it riskier than the internal network and normally lock it down more, including bandwidth limiting. **HOWEVER** don't mistake "riskier" in the preceding for considering the LAN safe or trusted. It absolutely isn't.

Net_Admin_Mike@reddit

I have our guest network configured to use our backup WAN link for internet access on one of our ISP provided IPs, but the one we would use in a failover scenario. I don't restrict outbound traffic as far as services or ports go, but I do have pretty restrictive content filtering in place on that connection, blocking anything that might create a liability concern that could be traced to our connection as well as the typical "adult" stuff I wouldn't want people browsing while at work. And of course, that LAN cannot talk to any other LANs on my internal network.

RiffRaff028@reddit

You can drive yourself crazy trying to open specific ports for specific apps on a guest network. What I did was use our endpoint security to still block traffic by subject (adult content, gambling, etc.) and no matter what, traffic to/from China, Russia, and North Korea was always blocked, but I did open up the firewall a little more for guest devices as far as TCP ports. Even then, I made them go through a captive portal where they had to acknowledge they were on a corporate network as a guest, and that their traffic could be monitored, logged, and blocked for security purposes. So, my short answer to your question would be, you never want to just open up the floodgates for all network traffic for guests on your network, but you can loosen the restrictions a little bit with minimal risk to your own systems.

jmbpiano@reddit

It's a guest network. We treat it as just another node on the Internet. We don't trust it and we don't care what happens on it unless it starts impacting other people on the guest network.

Reply to Post

6 Comments