Public Internet Access

We are a hospital that has a wireless network configured but only for our
wireless devices, not for public use. We would like to setup internet access
for our patients/visitors wirelessly but do not want to put our network at
risk. Can I have some ideas on how to go about implementing this? Any help
would be greatly appreciated!

Sure buy more access points and set them up their own network, put a good
firewall between them and the hospital's network. If you give the public
access to the hospital's network it is just a question of time till someone
is into something they shouldn't be.

--
David Hettel

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com

DISCLAIMER: This posting is provided "AS IS" with no warranties, and
confers no rights


"Joel" <(E-Mail Removed)> wrote in message
news:1A68FB99-D791-4560-944E-(E-Mail Removed)...
> We are a hospital that has a wireless network configured but only for our
> wireless devices, not for public use. We would like to setup internet
> access
> for our patients/visitors wirelessly but do not want to put our network at
> risk. Can I have some ideas on how to go about implementing this? Any help
> would be greatly appreciated!

Hi
The solution greatly depends on how the hospital Network is configured.
The best protection would be a segregated Network + Strong software
security.
This page describes the principle of Segregated Network,
http://www.ezlan.net/shield.html
Jack (MVP-Networking).

"Joel" <(E-Mail Removed)> wrote in message
news:1A68FB99-D791-4560-944E-(E-Mail Removed)...
> We are a hospital that has a wireless network configured but only for our
> wireless devices, not for public use. We would like to setup internet
> access
> for our patients/visitors wirelessly but do not want to put our network at
> risk. Can I have some ideas on how to go about implementing this? Any help
> would be greatly appreciated!

Can I control authentication/bandwith with our public access? Would I need
IAS and an account in Active Directory?


"David Hettel" wrote:

> Sure buy more access points and set them up their own network, put a good
> firewall between them and the hospital's network. If you give the public
> access to the hospital's network it is just a question of time till someone
> is into something they shouldn't be.
>
> --
> David Hettel
>
> Please post any reply as a follow-up message in the news group
> for everyone to see. I'm sorry, but I don't answer questions
> addressed directly to me in E-mail or news groups.
>
> Microsoft Most Valuable Professional Program
> http://mvp.support.microsoft.com
>
> DISCLAIMER: This posting is provided "AS IS" with no warranties, and
> confers no rights
>
>
> "Joel" <(E-Mail Removed)> wrote in message
> news:1A68FB99-D791-4560-944E-(E-Mail Removed)...
> > We are a hospital that has a wireless network configured but only for our
> > wireless devices, not for public use. We would like to setup internet
> > access
> > for our patients/visitors wirelessly but do not want to put our network at
> > risk. Can I have some ideas on how to go about implementing this? Any help
> > would be greatly appreciated!
>
>
>

What you can control depends on the hardware and software that you have, in
a public setting you have no real control over either the software, or the
hardware that the public uses. All you can hope to control is a minimum
required level to connect. There is nothing to prevent the "public" from
bringing any tools they like to crack your network.

In a hospital setting, you are dealing with private records that most would
not want made public, the strongest defense is to not let the public into
the private network (LAN) at all. That's why I recommended a separate (or
segregated LAN) network for the public.

--
David Hettel

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com

DISCLAIMER: This posting is provided "AS IS" with no warranties, and
confers no rights


"Joel" <(E-Mail Removed)> wrote in message
news:B51F7FF9-9AB1-4B48-8CF0-(E-Mail Removed)...
> Can I control authentication/bandwith with our public access? Would I need
> IAS and an account in Active Directory?
>
>
> "David Hettel" wrote:
>
>> Sure buy more access points and set them up their own network, put a good
>> firewall between them and the hospital's network. If you give the public
>> access to the hospital's network it is just a question of time till
>> someone
>> is into something they shouldn't be.
>>
>> --
>> David Hettel
>>
>> Please post any reply as a follow-up message in the news group
>> for everyone to see. I'm sorry, but I don't answer questions
>> addressed directly to me in E-mail or news groups.
>>
>> Microsoft Most Valuable Professional Program
>> http://mvp.support.microsoft.com
>>
>> DISCLAIMER: This posting is provided "AS IS" with no warranties, and
>> confers no rights
>>
>>
>> "Joel" <(E-Mail Removed)> wrote in message
>> news:1A68FB99-D791-4560-944E-(E-Mail Removed)...
>> > We are a hospital that has a wireless network configured but only for
>> > our
>> > wireless devices, not for public use. We would like to setup internet
>> > access
>> > for our patients/visitors wirelessly but do not want to put our network
>> > at
>> > risk. Can I have some ideas on how to go about implementing this? Any
>> > help
>> > would be greatly appreciated!
>>
>>
>>

I understand the importance of having the segregated LANs but thought I could
get away with having one AP, VLANed and then configuring security on our
switches (Cisco 3750s). The public VLAN would have no access to other VLANs
(our internal network). My director is a control freak and would like to
limit bandwith to the public so that it does not affect our employees
bandwith. If I configured these VLANs, I could then implement an IAS solution
so I could "monitor" internet activity? Or am I missing the boat?

"David Hettel" wrote:

> What you can control depends on the hardware and software that you have, in
> a public setting you have no real control over either the software, or the
> hardware that the public uses. All you can hope to control is a minimum
> required level to connect. There is nothing to prevent the "public" from
> bringing any tools they like to crack your network.
>
> In a hospital setting, you are dealing with private records that most would
> not want made public, the strongest defense is to not let the public into
> the private network (LAN) at all. That's why I recommended a separate (or
> segregated LAN) network for the public.
>
> --
> David Hettel
>
> Please post any reply as a follow-up message in the news group
> for everyone to see. I'm sorry, but I don't answer questions
> addressed directly to me in E-mail or news groups.
>
> Microsoft Most Valuable Professional Program
> http://mvp.support.microsoft.com
>
> DISCLAIMER: This posting is provided "AS IS" with no warranties, and
> confers no rights
>
>
> "Joel" <(E-Mail Removed)> wrote in message
> news:B51F7FF9-9AB1-4B48-8CF0-(E-Mail Removed)...
> > Can I control authentication/bandwith with our public access? Would I need
> > IAS and an account in Active Directory?
> >
> >
> > "David Hettel" wrote:
> >
> >> Sure buy more access points and set them up their own network, put a good
> >> firewall between them and the hospital's network. If you give the public
> >> access to the hospital's network it is just a question of time till
> >> someone
> >> is into something they shouldn't be.
> >>
> >> --
> >> David Hettel
> >>
> >> Please post any reply as a follow-up message in the news group
> >> for everyone to see. I'm sorry, but I don't answer questions
> >> addressed directly to me in E-mail or news groups.
> >>
> >> Microsoft Most Valuable Professional Program
> >> http://mvp.support.microsoft.com
> >>
> >> DISCLAIMER: This posting is provided "AS IS" with no warranties, and
> >> confers no rights
> >>
> >>
> >> "Joel" <(E-Mail Removed)> wrote in message
> >> news:1A68FB99-D791-4560-944E-(E-Mail Removed)...
> >> > We are a hospital that has a wireless network configured but only for
> >> > our
> >> > wireless devices, not for public use. We would like to setup internet
> >> > access
> >> > for our patients/visitors wirelessly but do not want to put our network
> >> > at
> >> > risk. Can I have some ideas on how to go about implementing this? Any
> >> > help
> >> > would be greatly appreciated!
> >>
> >>
> >>
>
>
>

Joel wrote:

> We are a hospital that has a wireless network configured but only for our
> wireless devices, not for public use. We would like to setup internet
> access for our patients/visitors wirelessly but do not want to put our
> network at risk. Can I have some ideas on how to go about implementing
> this? Any help would be greatly appreciated!

You should have a separate network used exclusively for public access that
cannot be routed to your employee network and attach your public APs to
this network instead.

Please don't quote backwards.
http://ursine.ca/Top_Posting

David Hettel wrote:

> Sure buy more access points and set them up their own network, put a good
> firewall between them and the hospital's network.

No, a "firewall" is not a magic fix.
http://www.samspade.org/d/firewalls.html

You need to actually know something about networking and using
routers (and not those POS home routers, either, the real Cisco thing)
to solve this problem in a way that satisfies HIPAA.

Internet connection should go into a DMZ zone consisting of only
routers, and these routers should not allow any traffic to pass from
the public to the employee network and vice versa, and nothing from
the outside to the employee network. At minimum, you're going to need
to divide things up into four zones: Internet (which should just be
the connection to the outside world), Employees (for employee access
to the hospital's IT functions and internal servers), Public (for just
public internet access, properly secured to prevent abuse as a spam
and network abuse vector vector (ie, port 25 and 119 blocked or
filtered for outgoing spam, etc), and DMZ (containing the network's
common routers between zones, as well as any servers that need to be
accessable from the outside as well as the inside, such as the
hospital's web and email servers).

If you're not sure how to accomplish this and you're the one in charge
of implementing it, now is probably the time to start shopping for a
network security consultant to come in and give you some pointers.

> If you give the public access to the hospital's network it is just a
> question of time till someone is into something they shouldn't be.

This can't happen if you know anything about network design and apply
it.

Please do not backwards quote.
http://ursine.ca/Top_Posting

Joel wrote:

> My director is a control freak and would like to limit bandwith to the
> public so that it does not affect our employees bandwith.

Since you mentioned you have Ciscos, you should be able to play with QoS to
give packets from the public wifi a priority lower than all other traffic.
This should cause the public to use whatever bandwidth isn't being used by
the hospital in most cases.