Guest LAN - what ports to open?
-
I'm just in the process of creating a guest network for visitors to use. I'm curious if there are any established best practices of what to open and what not to.
Currently:
I block all guest traffic from guest to my other non guest subnets
I allow DNS (53) and NTP (123) to my router
I allow the following ports out:
HTTP (80 & 8080 & 443)
SMTP (587 & 465)
IMAP (143 & 993)
Ephemeral (49152:65535)
I'm specifically interested to hear if I should allow DNS & NTP out, but would appreciate any feedback or advice as to other services I should consider providing.
thx!
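As an added example (not part of the thread or anyone's posted config), here is the original poster's ruleset modelled as an ordered, first-match policy in Python so individual guest flows can be checked offline. The subnet addresses, router address and the external hosts are constructed; the list of "services" at the end is an assumption about what visitors typically try, and it reports which of them this policy would silently break.

```python
"""Offline evaluator for a guest-LAN egress policy (added example, not from the thread).

Models the original poster's rules as an ordered, first-match list. Rule order
matters: the deny to the non-guest subnets must come before the port allows,
otherwise tcp/443 to an internal web server would slip through.
All addresses below are constructed (RFC 1918 and TEST-NET-3 ranges).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addressing: guest VLAN 192.168.50.0/24 with the router at .1;
# the "non guest" subnets are 192.168.10.0/24 and 192.168.20.0/24.
ROUTER = ipaddress.ip_network("192.168.50.1/32")
INTERNAL = [ipaddress.ip_network("192.168.10.0/24"),
            ipaddress.ip_network("192.168.20.0/24")]


@dataclass(frozen=True)
class Rule:
    action: str                                   # "allow" or "deny"
    proto: Optional[str]                          # "tcp", "udp" or None = any
    dsts: Optional[List[ipaddress.IPv4Network]]   # None = any destination
    ports: Optional[List[Tuple[int, int]]]        # inclusive ranges, None = any
    note: str


def _port_in(ports, port):
    return ports is None or any(lo <= port <= hi for lo, hi in ports)


def _dst_in(dsts, ip):
    return dsts is None or any(ip in net for net in dsts)


def matches(rule, proto, dst_ip, dst_port):
    return (rule.proto in (None, proto)
            and _dst_in(rule.dsts, dst_ip)
            and _port_in(rule.ports, dst_port))


def evaluate(rules, proto, dst, port):
    """Return (action, note) of the first matching rule; default is deny."""
    ip = ipaddress.ip_address(dst)
    for rule in rules:
        if matches(rule, proto, ip, port):
            return rule.action, rule.note
    return "deny", "default deny"


# The poster's ruleset, in the order a firewall would evaluate it.
GUEST_POLICY = [
    Rule("deny", None, INTERNAL, None, "guest -> non-guest subnets blocked"),
    Rule("allow", None, [ROUTER], [(53, 53), (123, 123)], "DNS and NTP to router"),
    Rule("allow", "tcp", None, [(80, 80), (8080, 8080), (443, 443)], "HTTP"),
    Rule("allow", "tcp", None, [(587, 587), (465, 465)], "SMTP submission"),
    Rule("allow", "tcp", None, [(143, 143), (993, 993)], "IMAP"),
    # Protocol for the ephemeral range was not stated in the post; assumed any.
    Rule("allow", None, None, [(49152, 65535)], "ephemeral"),
]

# Constructed sample flows a visitor's device is likely to attempt.
SERVICES = [
    ("HTTPS (tcp/443)", "tcp", "203.0.113.13", 443),
    ("IMAP over TLS (tcp/993)", "tcp", "203.0.113.12", 993),
    ("DNS to public resolver (udp/53)", "udp", "203.0.113.53", 53),
    ("NTP to public pool (udp/123)", "udp", "203.0.113.7", 123),
    ("IPsec IKE (udp/500)", "udp", "203.0.113.10", 500),
    ("OpenVPN (udp/1194)", "udp", "203.0.113.11", 1194),
    ("SSH (tcp/22)", "tcp", "203.0.113.14", 22),
    ("SMB to internal file server (tcp/445)", "tcp", "192.168.10.5", 445),
    ("HTTPS to internal web server (tcp/443)", "tcp", "192.168.20.8", 443),
]


def broken_services(rules, services):
    """Names of the sample services the policy denies."""
    return [name for name, proto, dst, port in services
            if evaluate(rules, proto, dst, port)[0] == "deny"]


if __name__ == "__main__":
    for name, proto, dst, port in SERVICES:
        action, note = evaluate(GUEST_POLICY, proto, dst, port)
        print(f"{action:5} {name:42} ({note})")
    print("Would break:", broken_services(GUEST_POLICY, SERVICES))
```

Running it shows the two internal-destination flows denied by the first rule regardless of port, DNS and NTP to anything but the router denied by the default, and the VPN and SSH flows denied; it is a quick way to see which "why doesn't X work" questions a ruleset like this will generate before guests do.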
-
Are you trying to prevent them from doing something specifically? If not, just open it up.
-
Actually, that's a very good point, thank you. I was stuck in the mindset of keeping ports locked down unless actually needed, but you raise a good point re guests - there isn't anything I don't want them doing except hacking my personal files and photos etc, so I can relax and open up for them. Appreciate the pointer, thanks
-
I'd keep port 25 closed, though. ;)
-
At work, this is what we're allowing on our guest network:
TCP
www
https
ftp
smtp
UDP
DNS
NTP
Some small issues that have come from being so locked down:
- No VPN (e.g. IPsec) connections can be made, so vendors are unable to make secure connections to their corporate offices
- No IMAP connections can be made, e.g. people trying to use the Gmail app from their phone/tablet are blocked
We have some paranoid people here, but I'm with KOM; from my perspective locking down guest wireless just creates unnecessary tickets! LoL! I mean… it's guest... it should be isolated from your production network and throttled if it's sharing your main connection. IMO... why create extra management overhead by locking it down and having to revisit syslogs and rules every time there's a question/issue?
Stick it on a separate vlan/interface, throttle it and be done. Then that's the last you'll ever hear of it... vs. fielding questions and tickets and troubleshooting why this doesn't work and why can't we get to that, etc.
-
-
LOL
I've been employed by companies blocking everything under the sun too. Like you, they probably thought no VPN connections could be made too. So I did a VPN connection to home and used my own ISP connection for external access anyway. And that was even on the corporate business network, not the guest network.
If the powers that be are really concerned about guest access they should block everything and require guests to use a VPN to their own service, company, etc. But I think the real reason isn't that they are concerned about security etc. or whatever. But rather they are power and control freaks who need something to hang their hat on to justify their employment. And this also allows them to snoop and collect information on/from their guests.
-
It also depends on what you mean by 'guests'. Personal friends in your house, or paying customers at the villa?