DConnell (Member), posted January 29, 2012:

A few weeks ago I set up a wireless router for our clients to have free internet access while their pets are examined. I did my best to secure it, and made sure that there's no chance of someone casually stumbling upon our server. The router is attached to our main network, but I made sure the primary network is not easily accessed. I secured it with an easily-remembered WPA key.

Now the boss wants the WPA key removed. Apparently the doctors aren't happy with having to enter the key, so she wants the wireless unsecured. I'd really prefer not to do this. Sure, we're making the key readily accessible to clients, and casual users aren't going to be able to see the main network, but I don't think it's a good idea to have no control over access at all.

What compelling, plain language arguments can I give to dissuade her?

NeoNut, posted January 29, 2012:

Ask her if she is OK with an FBI raid: http://arstechnica.com/tech-policy/news/2011/04/fbi-child-porn-raid-a-strong-argument-for-locking-down-wifi-networks.ars

ITOps, posted January 29, 2012:

Keyword in your post here is doctors, remind her of HIPAA/PCI requirements and more than likely there should be no wireless at all connected to the main network that clients can connect to that do not adhere to HIPAA/PCI requirements. There should be a completely separate network for clients to connect to that should be secured using at a minimum WPA2. If the network is not secured the company would be responsible for any illegal activity that occurs and puts anyone on the network at risk that connects to it that is not using WPA2.

As the responsibility of the security of the network and information systems on the network are probably your responsibility but paying the cost of anything that goes wrong including jail time would be her responsibility. Just make sure you get everything in writing as it sounds like she is incompetent of the security issues of having an unsecured network and the requirements of HIPAA/PCI.

eXtermia, posted January 29, 2012:

Well how about first of all they may be liable if financial data is released or data that could compromise privacy of individuals in any way (if this was humans and not pets HIPAA would also be in effect), and in such also you and your boss. Also you may be found liable if someone illegally uses your network.

Even if you have locked down the main network, through a vulnerability someone could use you as a back door to infect others. There are many free wifi sniffing apps out there that can read the data going across when unencrypted, BackTrack comes to mind, as does FaceNiff and others. Or one of my favorites is WiFiKill for Android where I can simply just be malicious and easily deny everyone access on the wifi.

jakem1, posted January 29, 2012:

> Keyword in your post here is doctors...

They're vets, not doctors.

sc302 (Veteran), posted January 29, 2012:

Here is what I would recommend: if they want internet access for all those individuals who are not a part of your network, get a second ISP or cable modem for internet-only access and use that for unsecured access, open, no encryption etc.

Otherwise you would need to make up vlans, have the one vlan have an ACL stating that it cannot access anything other than the internet vlan. Basically 1 internet vlan, 1 secure vlan, 1 open vlan. Rules: secure vlan can access all, open vlan can only access internet vlan.

Or you can have ISP > Router > unsecure network > secure network in a double NAT scenario. This is probably the easiest to set up.

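sc302's three-VLAN rule set (secure vlan can access all, open vlan can only access the internet vlan), written out as an added example that is not part of the original post: an nftables ruleset for a Linux box doing the routing between the VLANs. The interface names, VLAN IDs and table name are assumptions made for the illustration.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the thread). Assumed, constructed names:
#   eth0    = uplink to the ISP          ("internet vlan")
#   eth1.10 = office PCs and the server  ("secure vlan")
#   eth1.20 = client Wi-Fi               ("open vlan")
flush ruleset   # replaces whatever ruleset is currently loaded

define WAN    = "eth0"
define SECURE = "eth1.10"
define OPEN   = "eth1.20"

table inet guest_isolation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were allowed when they started.
        ct state established,related accept
        ct state invalid drop

        # "secure vlan can access all"
        iifname $SECURE accept

        # "open vlan can only access internet vlan"
        iifname $OPEN oifname $WAN accept

        # Anything else a guest tries to route (open -> secure) is
        # counted and logged before it is dropped.
        iifname $OPEN counter log prefix "guest-blocked: " drop
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iifname "lo" accept

        # The office side may manage the router itself.
        iifname $SECURE accept

        # Guests get DNS and DHCP from the router and nothing else
        # (no admin web UI, no SSH).
        iifname $OPEN udp dport { 53, 67 } accept
        iifname $OPEN tcp dport 53 accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $WAN masquerade
    }
}
```

`nft -c -f <file>` checks the file without loading it. Guest-to-guest traffic inside the open vlan is switched by the access point and never reaches these rules, so client isolation for that case has to be enabled on the AP.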
farmeunit, posted January 29, 2012:

Get a router that supports WPA and has Guest (Public) access. For the vets, have it remember the network key. Then the public won't see your network, and you'll have it secured. They're not that expensive.

sc302 (Veteran), posted January 29, 2012:

> Get a router that supports WPA and has Guest (Public) access. For the vets, have it remember the network key. Then the public won't see your network, and you'll have it secured. They're not that expensive.

There is always this, my current router has this option (quite honestly I forgot it did until farmeunit mentioned it):

Buttus, posted January 29, 2012:

> As the responsibility of the security of the network and information systems on the network are probably your responsibility but paying the cost of anything that goes wrong including jail time would be her responsibility. Just make sure you get everything in writing as it sounds like she is incompetent of the security issues of having an unsecured network and the requirements of HIPAA/PCI.

That's right, get it in writing. That's also the easiest way to get them to forget about taking the WPA key off, they'd never want to sign anything saying that they're liable!

Rohdekill, posted January 29, 2012:

> That's right, get it in writing. That's also the easiest way to get them to forget about taking the WPA key off, they'd never want to sign anything saying that they're liable!

Paranoid much? It's extremely easy to set up a guest wi-fi to internet without compromising your network integrity.

DConnell (Member, Author), posted January 29, 2012:

Thanks for all the advice. I've got some good alternatives for her now. I wish my router had the guest access capability - that sounds like just what we'd need.

Scorbing, posted January 29, 2012:

> Ask her if she is OK with an FBI raid http://arstechnica.c...fi-networks.ars

That is scary

+BudMan (MVC), posted January 29, 2012:

As mentioned I would NOT allow clients to access a wireless network that is tied to your regular network.. You REALLY need to isolate this!! Get a new router, go with the options sc302 laid out for you - bit more complex in doing vlans and such.. Much easier for you to just spend 50 to $100 for a router that supports your feature set or one that supports 3rd party that does.

As to "Apparently the doctors aren't happy with having to enter the key" I never understood this -- clearly they do not understand it's a ONE time forget it sort of thing - unless you're changing the psk on a rotation? You have to enter the key exactly once per device.. JFC if you can not do that then you don't need to use the service.

But again - since you're allowing non-employees to access this network you really need to isolate it from your active systems - be it secure or not, you're giving away this psk to people.. You have no idea for one what they are infected with, do you want that on your network? Nor do you have any idea what some people think is fun.. Deleting files on shares that are not secured or printing out goatse on every printer that is available is fun to some ;)

edit: If you have GUEST wireless - doctors that are too lazy to enter the one time key can use the guest network and use the internet. If they need to access the office network/shares/applications/printers then they will need to AUTH!!! Which once you get the guest up and running I would look to using WPA enterprise vs psk. This allows them to just login to their machine with their user account and password. This also allows for blocking user X from accessing while user Y does not have to worry about changing their password. IE someone leaves the company, or user let their info be compromised, etc.. WPA PSK is fine for the home but once you start dealing with a company network you might want to look to better options.

Do you run an Active Directory domain in the office? Or is it just a bunch of computers connected with file shares OPEN to the public sort of thing?

DConnell (Member, Author), posted January 29, 2012:

> As mentioned I would NOT allow clients to access a wireless network that is tied to your regular network.. You REALLY need to isolate this!! Get a new router, go with the options sc302 laid out for you - bit more complex in doing vlans and such.. Much easier for you to just spend 50 to $100 for a router that supports your feature set or one that supports 3rd party that does.
>
> As to "Apparently the doctors aren't happy with having to enter the key" I never understood this -- clearly they do not understand it's a ONE time forget it sort of thing - unless you're changing the psk on a rotation? You have to enter the key exactly once per device.. JFC if you can not do that then you don't need to use the service.
>
> But again - since you're allowing non-employees to access this network you really need to isolate it from your active systems - be it secure or not, you're giving away this psk to people.. You have no idea for one what they are infected with, do you want that on your network? Nor do you have any idea what some people think is fun.. Deleting files on shares that are not secured or printing out goatse on every printer that is available is fun to some ;)

Oh, I know. This wasn't my idea, believe me. But she wanted it done that day, and I found out after lunch, so I did the best I could with the grade-school level tools I have to work with. There's a lot I would do differently, but the boss just doesn't want to spend the money.

+BudMan (MVC), posted January 29, 2012:

I added a bit to my post, see the edit.. You really need to make sure she understands the concerns with allowing non-employees access to the same network as employees. Along with the lack of controls a shared access like just a PSK allows.

I would have a buddy access your network from across the street and print out goatse on your printers - and then see what she says ;) Maybe place some porn files on shares, etc..

Some people just need to be schooled in what lack of security and control can mean -- What would happen if user X comes into your network infected with worm XYZ and now your network is offline, your files are corrupted/deleted/encrypted.. That is not worth the few bucks required to isolate work network from guests' uncontrolled devices?

Bet you it will be first time it happens - and you will prob get blamed for not preventing it!

ViperAFK, posted January 29, 2012:

> A few weeks ago I set up a wireless router for our clients to have free internet access while their pets are examined. I did my best to secure it, and made sure that there's no chance of someone casually stumbling upon our server. The router is attached to our main network, but I made sure the primary network is not easily accessed. I secured it with an easily-remembered WPA key.
>
> Now the boss wants the WPA key removed. Apparently the doctors aren't happy with having to enter the key, so she wants the wireless unsecured. I'd really prefer not to do this. Sure, we're making the key readily accessible to clients, and casual users aren't going to be able to see the main network, but I don't think it's a good idea to have no control over access at all.
>
> What compelling, plain language arguments can I give to dissuade her?

The doctors are being ridiculous. They shouldn't even have to enter the key more than once... The computer should remember it after the first time.

TEX4S, posted February 1, 2012:

LOL - tell her if she had any brains - she'd be in IT & would understand the folly of her thinking - see how that strikes her ;)

The second someone is outside your building & downloads some child porn, then is prosecuted - and they turn around and sue her clinic because she didn't take steps to properly secure it - ask her what she thinks of her brilliant idea then - (I assume that's what the above story is about)

But I had to scale back the signal coverage of our protected wifi we have for our visitors up @ work (it is a standalone dedicated DSL connection for this very reason). We are right next to a neighborhood and the IT Director didn't want our signal bleeding into the houses after reading about someone getting sued by some sick ****** who likes cheez pizza - so I had to play with the power settings and then drive around the neighborhood with inSSIDer and see if I could pick it up

SYBINX, posted February 1, 2012:

> A few weeks ago I set up a wireless router for our clients to have free internet access while their pets are examined. I did my best to secure it, and made sure that there's no chance of someone casually stumbling upon our server. The router is attached to our main network, but I made sure the primary network is not easily accessed. I secured it with an easily-remembered WPA key.
>
> Now the boss wants the WPA key removed. Apparently the doctors aren't happy with having to enter the key, so she wants the wireless unsecured. I'd really prefer not to do this. Sure, we're making the key readily accessible to clients, and casual users aren't going to be able to see the main network, but I don't think it's a good idea to have no control over access at all.
>
> What compelling, plain language arguments can I give to dissuade her?

Japlabot, posted February 1, 2012:

Agree with all the advice about proper segregation, then an open WiFi is fine as long as they know the risks that it could be misused.

If I was in your situation, I would simply use a super simple password in addition to complete segregation so at least there is some security from the passer-by looking for free internet to leech off or use your connection for illegal purposes. Even if it is as simple as setting the password to "animals" and printing out little cards that the practice can hand out to the vets and owners if they request access.

Not that I think that anyone would be doing any secure transactions from a veterinarian practice, but it is better to use a passphrase even for public access hotspots because the passphrase adds encryption to the wireless traffic even if the key is known (well at least to my knowledge, maybe BudMan can confirm this). It is good practice for a public access hotspot to have an SSID of say "Jim's coffee shop (passphrase is: coffee)" so that the traffic is at least encrypted even though it is public access.

SYBINX, posted February 1, 2012:

...Cough! You should have asked your boss if they understand the meaning of the word STUPIDITY. I would have point blankly refused their request as this would have serious and damaging consequences to the business. I would have also explained that, let it be noted, that I strongly disagree with the request to use a non-secure connection and strongly suggest they continue with a secured connection. If there is a breach then it's on your head not mine.

I've been asked this in the past, and I just tell them straight. Don't be stupid...

Sorry about the double post, I'm on my phone and it decided to post itself... lame excuse but it's true.

sc302 (Veteran), posted February 1, 2012:

> The second someone is outside your building & downloads some child porn, then is prosecuted - and they turn around and sue her clinic because she didn't take steps to properly secure it - ask her what she thinks of her brilliant idea then - (I assume that's what the above story is about)

It isn't as simple as this. Hotels, airports, Starbucks, etc would be constantly in the news if it were.

Original Poster, posted February 1, 2012:

> They're vets, not doctors.

They are doctors, they have just as much right to be called doctors as human doctors... in fact vets know more about biology than most human doctors ....

Original Poster, posted February 1, 2012:

> It isn't as simple as this. Hotels, airports, Starbucks, etc would be constantly in the news if it were.

Most hotels over here use btfon/openzone, meaning people have user accounts

M_Lyons10, posted February 1, 2012:

> There is always this, my current router has this option (quite honestly I forgot it did until farmeunit mentioned it):

This would be my recommendation as well. I know that my Draytek allows me to do this as well.

(Spork), posted February 1, 2012:

> They're vets, not doctors.

still a doctor