Thursday, March 22, 2018

Guest access with ISE - DNS

For those using ISE for Guest user isolation, how are you approaching DNS resolution for your PSN?

To explain further, here is the general layout of the LAN:

  • Trusted versus Untrusted (Guest) networks are in separate VLANS.
  • Guest network is completely isolated behind a firewall, currently with absolutely no access to RFC1918 space (outside of its own subnet).

We want any and all Guest users to be presented with a Hotspot portal via ISE. We plan on having a PSN at any given location; the problem is the security of how we will handle DNS.

  • If we allow Guest users to talk DNS with our internal DNS servers, doesn't that open up a dangerous vector for leaking information to an attacker?

  • If we create a public DNS A-record with a private IP address, doesn't that expose internal information about our LAN? E.g. if it's 192.168.2.15, one can reasonably assume our gateway is .1, it's a /24, etc.

  • Creating a DNS server and putting it on the Guest network would be a lot of work for our server folks and generally doesn't sound like it would scale well. Less than 100 locations total, but still, our teams are very small (2 people) and have many other projects.

How does your organization handle this?
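As an added illustration of the second bullet (not part of the original post): a small Python audit that scans a constructed public zone fragment for A records, or CNAMEs that alias to them, resolving into RFC1918 space, and notes the /24 an outsider could infer from each. The zone, hostnames and addresses are hypothetical.

```python
import ipaddress
import re

# RFC1918 ranges: the address space the post wants kept out of public DNS.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of a public zone (hypothetical names, not a real zone).
SAMPLE_ZONE = """\
; example.com public zone (constructed)
www        IN A     203.0.113.10
ise-psn1   IN A     192.168.2.15
guest      IN CNAME ise-psn1
vpn        IN A     198.51.100.7
ise-psn2   IN A     10.20.30.15
"""

RECORD_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+(A|CNAME)\s+(\S+)$", re.I)

def parse_zone(text):
    """Return (owner, type, rdata) tuples from a simplified zone file; comments dropped."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        m = RECORD_RE.match(line)
        if m:
            records.append((m.group(1).lower(), m.group(2).upper(), m.group(3).lower()))
    return records

def is_rfc1918(address):
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in RFC1918)

def find_exposures(records):
    """Flag owners whose A record (directly or via an in-zone CNAME) is RFC1918 space.
    Each finding carries the /24 an outsider could infer from the published address."""
    a_records = {o: r for o, t, r in records if t == "A"}
    cnames = {o: r for o, t, r in records if t == "CNAME"}
    findings = []
    for owner in sorted(a_records.keys() | cnames.keys()):
        target, hops = owner, 0
        while target in cnames and hops < 8:   # follow in-zone aliases, bounded
            target, hops = cnames[target], hops + 1
        address = a_records.get(target)
        if address and is_rfc1918(address):
            net = ipaddress.ip_network(f"{address}/24", strict=False)
            findings.append((owner, address, str(net)))
    return findings

if __name__ == "__main__":
    for owner, address, net in find_exposures(parse_zone(SAMPLE_ZONE)):
        print(f"{owner}: {address} (reveals {net})")
```

Running it on the sample flags both PSN names and the guest alias, while the TEST-NET addresses pass; the same check run against your real zone export is a quick way to confirm nothing internal has leaked.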
