"Well Clients need to be able to talk to it in some way shape or form." So they can talk to me dmz segment but not the lan segment.īut my local lan network can create traffic into the wireless. The not allows them to go to anything other, like internet but not my lan network. Then they can not talk to any of lan net. So wireless clients can talk to my ntp server only for ntp. Your guest wireless network should not have access to anything and should be on its own segment, only thing guest should do is be able to use internet, and if you want specific servers on your other networks - limited to those specific IPs and those specific ports.Įxample - this is my HOME wireless segment rules You have that the wrong way ) That is the complete op of how you would normally set it up ) For example use .x for your other network segments or 10.x.x.x - now even if they set fling to scan /8 - if they are on .x never scan 172.31.14.0/24 ) They would have to know that you have such a network or really long scans ) But still why to take chances.īTW, this is what the security chairman of our company wants us to implement.Īnd what is the mask on that network, I am taking your using /22 vs /24? Have you set network size in fling to something other than /24? Fling by default scans the network it got assigned so if your saying you scanning 192.168.3 while on 192.168.0 am thinking your mask is /22 - unless you over rode that in fling settings? You want a simple solution? Just change the networks so they are not next to each other. Because one of them is entry to production though it is secured via ssh auth. We do not want them to use Fing and get idea out all the servers. > Sometimes we give guest access for some users that work on temp basis. Why are you worrying about your servers showing up on simple scans like this? I am thinking of passing all Wifi traffic via Squid so that we can have access control there.
What I am planning is to limit access to only few servers (DNS/Samba etc) from Wifi n/w. So as per the implementation, any device in n/w 192.168.0.0 can get connected to all the networks. Now 192.168.1.x.is allowed to talk with other networks too. Fing only scans the segment its on from my experience with it. I have the tool fing - notsure how you saw different vlans.
0 kommentar(er)
