deeky (United States of America) asked:

Adding Public Wireless Internet to our existing private business LAN

I would like to add public wireless access points through our building for private parties and individuals to use our internet connection.  However, I do not want to put these people directly on our LAN and share the same address space.

I also realize somebody has to hand out IP addresses for these wireless victims.  I don't want my Domain Controller doing this...

My question is, not only do I not want to share the same address space, I also do not want to share the same "wire".  So, are my choices correct:

A.)  get a firewall that supports at least 3 Fast Ethernet ports (1 to Gateway router, 1 to Private LAN, 1 to Public Wireless Lan)

B.)  get a firewall that supports 2 ports (1 to Gateway Router, 1 to Private LAN).  Then take another router and place it from the Private LAN to the Public Wireless LAN?

C.)  Put a HUB between the Gateway Router and a 2 port firewall.  Then connect the public people at the hub with another router.

Option A is more expensive; firewalls with more ports seem to be $2500++

Option B seems like it would be quite easy, but am I missing anything in my security thought process?

The moral of this story is:

I need to buy a firewall.  I'm budgeted for a PIX 506.  Can I accomplish what I need to do with a 506 without jumping to a 515?

Thank you in advance,

Deacon Eisenhart
Les Moore:

I would look at something more along these lines:
http://www.dlink.com/products/?sec=0&pid=402

Else, with the 506, you'll need a VLAN capable switch, set up VLANs on the PIX and keep the wireless on one VLAN, with your inside LAN on a different VLAN firewalled off from the public wireless.
deeky (asker):

If I had a VLAN capable switch, would I need all VLAN switches or just the main switch that feeds the other switches?
Is a VLAN like a substitute for a router?
Is addressing different between different VLANs?
Who hands out IP addresses on a VLAN?

As always -- thank you,

Deacon
Think of a VLAN as if it is a physically separate switch.
Take one switch and divide the ports into two VLANs and you have "virtually" two physically separate switches.

If you want/need to distribute this switch through the organization, then yes, all switches need to know how to VLAN.
Once it is all set up, and all switches learn which VLANs are available (VTP), then any port on any switch can be a member of either VLAN.

VLANs are typically different IP subnets.

It is not a substitute for a router, rather a substitute for a parallel switch infrastructure.

Since there is virtual physical separation between VLANs, you can have whatever you want providing DHCP for each one. You can have your own Windows DHCP server handing out IP addresses for the majority of the LAN, and some other device (router/firewall) handing out DHCP addresses for the wireless VLAN.
deeky (asker):

Do you think for simplicity I should just get a firewall with more ports and treat the problem that way?  I have about five 24-port switches in the building, all unmanaged basic layer 2 switches from Nortel, Kingston, and Linksys.  To do VLAN correctly, it seems that I would need to replace them.  Sounds like it would be cheaper to buy a PIX 515 or higher, then support separate networks from it.  (PRIVATE LAN, PUBLIC WIRELESS)

1.  I can afford to buy a PIX 515 from eBay, but I do not think I will get Cisco support with Smartnet, etc.  Is that something to be concerned about?
2.  If I bought one VLAN switch and placed it at the TOP of the network (like at the main switch), I could then divide the switch there and support two different segments from the main switch.  The rest of my switches go through the main switch, so they wouldn't necessarily need the intelligence of the VLAN.  With the few WAPs I plan on installing, I was going to run dedicated cabling from the server closet to them, not placing them on the current backbone.  Can I get away with this?

Thanks

Deacon
>With the few WAPs I plan on installing, I was going to run dedicated cabling from the server closet to them, not placing them on the current backbone.  Can I get away with this?
Actually, yes, this is a very viable option, but I would certainly reconsider buying a PIX off eBay without support or maintenance. Any software release that fixes future security issues or upgrades will not be available to you, unless you already have a CCO account for other equipment.
I like the idea of a physical DMZ interface on the firewall as opposed to moving to VLAN capable switches and the 506. You might want to take a look at the Linksys RV0x2 series. It has features not even the 506 can touch, including designating a physical DMZ interface.
deeky (asker):

Would the DMZ be an appropriate place to connect a HUB/Switch to supply the WAPs that I will add?  What about if I add a webserver down the road, can I place that on the same DMZ port as the WAPs?

I guess my problem is there are so many ways to set this situation up.  When I think of DMZ, I think of a computer that needs to speak directly with the internet without any filtering/interference from the router.  Everything from the external IP is just forwarded to the internal IP address.

Will computers located on the DMZ be able to communicate with computers on the LAN side of a router/firewall?

Thanks,

Deacon
>Would the DMZ be an appropriate place to connect a HUB/Switch to supply the WAPs that I will add?  What about if I add a webserver down the road, can I place that on the same DMZ port as the WAPs?
Only if you don't care about the web servers sharing an unsecured subnet with the wireless clients. Else you might think about a separate DMZ interface.

>I guess my problem is there are so many ways to set this situation up.  When I think of DMZ, I think of a computer that needs to speak directly with the internet without any filtering/interference from the router.  Everything from the external IP is just forwarded to the internal IP address.
Not necessarily. A DMZ is more simply a protected "service LAN" that is firewalled, but has public access to specific ports, as well as having a firewall separating this "service LAN" from the internal network.

>Will computers located on the DMZ be able to communicate with computers on the LAN side of a router/firewall?
Yes, but only if you want them to, and only with restrictions.
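As an added illustration that is not from the thread or any of its participants, the following Python model shows the segmentation described in the VLAN explanation earlier and in the DMZ answer just above: each segment (private LAN, public wireless, a separate DMZ for the web server) is its own subnet behind its own firewall interface, and the firewall is default-deny, so the wireless VLAN and the DMZ can reach the internet but not the private LAN unless a rule explicitly says so. The subnets, ports and rule set are constructed assumptions for the example, not values from the thread.

```python
import ipaddress

# Constructed example segments, one per firewall interface (assumed subnets,
# not from the thread). "outside" is everything not in a named segment.
SEGMENTS = {
    "inside":   ipaddress.ip_network("192.168.10.0/24"),  # private LAN VLAN
    "wireless": ipaddress.ip_network("192.168.50.0/24"),  # public wireless VLAN
    "dmz":      ipaddress.ip_network("192.168.60.0/24"),  # separate DMZ for servers
}

# Explicit allow rules as (source segment, destination segment, dst port or None
# for any port). Anything not matched below is denied: default-deny policy.
RULES = [
    ("inside",   "outside", None),  # staff LAN may reach the internet
    ("wireless", "outside", None),  # guests may reach the internet only
    ("outside",  "dmz",     80),    # public access to the web server, port 80 only
    ("inside",   "dmz",     None),  # staff manage the DMZ hosts
]


def segment_of(ip):
    """Map an address to the firewall interface/segment it sits behind."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "outside"


def allowed(src_ip, dst_ip, dst_port):
    """Return True if the modelled firewall would forward this flow."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src == dst:
        # Same VLAN: the switch forwards it; the firewall never sees it.
        return True
    for rule_src, rule_dst, rule_port in RULES:
        if rule_src == src and rule_dst == dst and rule_port in (None, dst_port):
            return True
    return False  # no explicit permit: dropped


def audit(flows):
    """Evaluate (src, dst, port) tuples and return one verdict line per flow."""
    lines = []
    for src_ip, dst_ip, port in flows:
        verdict = "PERMIT" if allowed(src_ip, dst_ip, port) else "DENY"
        lines.append(f"{verdict} {segment_of(src_ip)}->{segment_of(dst_ip)} "
                     f"{src_ip} -> {dst_ip}:{port}")
    return lines
```

Feeding `audit()` a guest-to-file-server flow such as `("192.168.50.20", "192.168.10.4", 445)` shows the deny that the separate-interface design buys, while the same guest to an internet address on 443 is permitted.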

deeky (asker):

What is the difference between a firewall with 3 Fast Ethernet ports, and a firewall with 2 Fast Ethernet ports and 1 DMZ port?

Deacon
ASKER CERTIFIED SOLUTION
Les Moore:
