Shulou(Shulou.com)06/01 Report--

Now most local area networks provide the function of wireless Internet access. Wireless is mainly used to meet the following needs:

The need for wireless office, such as wireless poser and other office equipment.

Employees' need for wireless Internet access.

Wireless Internet access for guests and guests.

This raises related security issues:

Guests may access the corporate intranet through wireless access, resulting in security risks.

Employees may surf the Internet through the guests' wireless network, thus bypassing the company's behavior management strategy and affecting work efficiency.

At present, most solutions are that guest networks and internal wireless networks use different wireless SSID and passwords. But in fact, there is a big loophole in this scheme: password leakage. Guests can directly ask for wireless passwords on the intranet, and even many wireless passwords are posted publicly. On the other hand, employees can surf the Internet directly through the guest network.

This article will combine the relevant functions of WFilter NGF to introduce more advanced solutions.

Scenario 1: IP-mac binding

The specific strategies of the scheme are as follows:

Guest network and office network are in different VLAN.

Register employees' computers and mobile phones and configure IP-mac binding.

IP-mac binding is not enabled for the guest segment.

Configure different bandwidth and Internet strategies for the office network and the guest network.

After this configuration, guests can not get IP when they connect to the office network, so they cannot enter the office network. Employees are unable to access the Internet even if they are connected to the guest network.

Screenshots of some related configurations are as follows:

1) VLAN partition

The office network and guest network are divided into different VLAN.

2) IP-mac binding

Register the office worker's mobile phone and computer for IP-MAC binding.

The office network segment is strictly restricted, and unbound devices can neither get IP nor access the Internet.

Scheme 2: user authentication

The programme is mainly composed of the following aspects:

When wireless users surf the Internet, they need to enter a user name and password to log in.

Office workers use their own usernames and passwords.

Guests use the guest's guest account.

After this configuration, even if the guests know the wireless password of the office network, they are still unable to use the wireless of the office network because they do not know the personal account password. However, the scheme has the following shortcomings:

Although guests cannot use the office wireless Internet, they can connect to the office wireless network and may access sensitive resources in the intranet.

There is still the possibility of disclosure of the username and password.

There is no way to prevent office workers from using guests' wireless.

WFilter NGF "Web authentication" function, can be used for wireless network identity authentication, Wechat Wifi authentication, SMS authentication and so on. In order to authenticate the identity of Internet personnel, record Internet content, and can be integrated with local accounts, domain accounts and mailbox accounts. As shown in the figure:

To sum up, both "IP-mac binding" and "Web authentication" can distinguish between guest users of wireless AP and normal users. It is recommended that you make a choice according to your own management needs. If you are more strict, use IP-mac binding, otherwise use Web authentication.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.