cortesoft 8 months ago
My conclusion is that being on the corporate Wi-Fi should not give you access to anything. There should not have been any advantage to getting on the Wi-Fi; it should be treated like the public internet. A separate VPN, with MFA, should be required to access anything.
alsetmusic 8 months ago | parent
My current org restricts wifi by user and by device in Active Directory. Thus you need to be whitelisted twice to get access. We use 2FA pretty much everywhere, but I don't think we use it there. But it certainly wouldn't hurt as yet another layer. Wifi adapters should be disabled via Group Policy for wired devices anyway.
UltraSane 8 months ago | parent
When WiFi security was really bad I worked at a company that didn't use it at all. You connected to the WiFi without any authentication and then had to connect to a VPN server that used 2FA auth.
rocqua 8 months ago | parent
Corporate WiFi based on a password and a device certificate is fine. For BYO devices, you have a separate WiFi network that does require a VPN to reach the corporate network.
legulere 8 months ago | parent
Also, a VPN is just another perimeter. You wouldn't want a single device like a printer getting successfully attacked leading to everything in your network getting compromised. The real solution is to use a zero trust architecture.
sleepybrett 8 months ago | parent
It should be a factor (defense in depth) but not the ONLY factor.