Maintaining A Healthy Security Posture
In dealing with my healthcare clients, one of the things I find most dangerous is their belief that a public wireless network (offered to patients and their friends or relatives) is something they aren't responsible for, and that it can therefore be left unchecked, even completely open.
There are several reasons why this isn’t just wrong, but plain dangerous.
First of all, you’ll most likely offer this through your ISP (yes, using a separate IP address), but still within your Internet range. You are, therefore, responsible for anything that goes out of that IP address. And yes, your lawyers have crafted that very nice initial statement which your users need to agree to; but do you really think that’ll be enough protection when your ISP or the FBI come knocking on your door because someone conducted illicit activities through your public, unchecked, network?
I can understand a similar position in a hotel. You give me internet in the room; what I do with it is my business and the hotel isn’t responsible for what I do. They know exactly who I am, which room I’m occupying. Should I break the law, it’s relatively easy to find me.
But in the lobby of a hospital, who knows me? I can connect, and start browsing, and doing whatever I want. If that means something illegal, who’s going to know? All you have is most likely my MAC address, but if I’m long gone, how are you going to find me? Don’t believe the movies; you won’t find me unless you know who I am.
So what could happen?
Well, I could steal PII and send it out via the public wireless. Hence, even though your network is very well protected, your PII is still going out, right from your lobby. Or I could set up shop and start browsing porn, or anything unsavory; or even start hacking someone and, oops, forget to wipe my tracks because, who cares, it's your IP anyway. By the time you realize something's up, I'm already gone.
I could go on and on with this. The fact of the matter is, when you provide internet access to someone, you're responsible for what travels over it. So the last thing you want to do is allow open access without any control.
Open ports 80 and 443, but put them behind a proxy. Make sure you block certain categories of websites: you do not want to allow pornography, violence, or tasteless sites. And if you log the MAC address of someone attempting to break that control, put it on a blacklist and never allow that computer access to the internet again.
You'll need to open UDP/53; otherwise nothing on the internet will work. Maybe also TCP/53. NTP? I'm on the fence, but it shouldn't be too dangerous. You _might_ want to consider certain ports for VPN; I'm sure you know which ports are necessary for which VPN.
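The egress policy described above, written out as an nftables ruleset. This is an added example and not from the original post or any hospital's real configuration; every name and address in it is an assumption: `guest0` is the guest wireless VLAN interface, `192.0.2.10` is the hospital's own DNS resolver, `192.0.2.20:3128` is the category-filtering web proxy, and the internal address ranges are the usual RFC 1918 blocks. Plain HTTP is redirected to the proxy transparently; HTTPS is not opened directly but reaches the outside through the proxy's CONNECT handling, which is where the category block list applies. The `banned_macs` set is the blacklist the post describes.

```nft
#!/usr/sbin/nft -f
# Added example (not the post's own configuration). Assumed names:
#   guest0        - guest wireless VLAN interface
#   192.0.2.10    - the hospital's own DNS resolver
#   192.0.2.20    - category-filtering web proxy, listening on TCP 3128
# All values are constructed for illustration.

table inet guest_wifi {
    # Devices caught trying to get around the proxy. The sample entry is
    # constructed; real ones are added from the proxy/firewall logs with:
    #   nft add element inet guest_wifi banned_macs { 00:00:5e:00:53:02 }
    set banned_macs {
        type ether_addr
        elements = { 00:00:5e:00:53:01 }
    }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Plain HTTP from guests goes through the filtering proxy whether or
        # not the client honours a proxy setting.
        iifname "guest0" tcp dport 80 dnat ip to 192.0.2.20:3128
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Only traffic arriving from the guest segment is judged here.
        iifname != "guest0" accept

        # Blacklisted devices get nothing; logged so the list can be audited.
        ether saddr @banned_macs log prefix "guest-banned: " drop

        # Guests never reach the hospital's own (assumed RFC 1918) networks,
        # even on the ports opened below.
        ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } drop

        ct state established,related accept

        # DNS, UDP and TCP, to our resolver only (TCP for large answers).
        ip daddr 192.0.2.10 udp dport 53 accept
        ip daddr 192.0.2.10 tcp dport 53 accept

        # NTP for clock sync.
        udp dport 123 accept

        # Web access only via the proxy: redirected HTTP above, and explicit
        # HTTP/HTTPS (CONNECT) from clients configured with the proxy.
        ip daddr 192.0.2.20 tcp dport 3128 accept

        # The one VPN port the post mentions (OpenVPN over UDP).
        udp dport 1194 accept

        # Anything else from the guest segment is logged, then dropped. The
        # kernel log line carries the sender in its MAC= field, which is what
        # feeds the banned_macs set.
        log prefix "guest-drop: " drop
    }
}
```

Load it with `nft -f` and hand guests the proxy address via DHCP or WPAD so browsers use it for HTTPS. One caveat a practitioner should keep in mind: recent phone operating systems randomize the Wi-Fi MAC address per network, so a MAC blacklist stops a careless repeat offender but not a determined one; it is a cheap first measure, not the whole control.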
In 2008, I remember being in a hospital in Houston where they had the guest wireless very well controlled. Port UDP/1194 was blocked; I called their support and they were very kind: they opened that port and I was able to use my SSL VPN. Coincidentally, I was back in that same hospital 6 years later, and found that same port already open. I really appreciated that they never closed it back, but I also appreciated their point of view in keeping things locked up and tight. That's the way public wireless should be handled in a place that isn't really public.
You aren't managing a public library, where freedom of speech and expression may force you to open even pornography. Yours is actually a private network, and you have the right, and in my opinion the duty, to keep it clean and to prevent possible illicit uses of a network that belongs to you. Otherwise, you may very well pay the consequences for whatever leaks out of that network.