I have a question for all out there. Do any of you see any value in running IPS on a network segment that is used for Public WiFi Access?
We provide public access wifi via a vendor is provided and supported Colubrias Router. This router is connected to my switch running on a separate VLAN on the switch (not the ASG) and on this VLAN the ASG is connected via eth2. The vendor wifi gives out addresses in the 10.0.0.x space and I give the external wan port on the vendor's router an addresses in the 172.16.x.x space via eth2 on the ASG. I have rules in place on the ASG packet filters allowing the 172.16.x.x network internet access followed by a drop rule of ANY/ANY.
I currently am running IPS on this segment but with all the port scanning activity I am getting outbound. Most of these are presumably infected computers on our WiFi but we have a few locations near universities where I know these are active actions by the users trying to hack from our network.
I have limit logging enabled but each event produces 50/60 log entries and each of these are sent to my email inbox that I use to monitor network activity. I don't want to terminate all notices of port scanning because I would like to see anyone pounding on door of my internal network segments and I definitely want the ASG to drop excessive scanning to prevent us from getting complaints and to keep the abusers off our public WiFi to hack.
Opinions?
This thread was automatically locked due to age.
