• Status: Solved
  • Priority: Medium
  • Security: Public

Adding Public Wireless Internet to our existing private business LAN

I would like to add public wireless access points through our building for private parties and individuals to use our internet connection.  However, I do not want to put these people directly on our LAN and share the same address space.

I also realize somebody has to hand out IP addresses for these wireless victims.  I don't want my Domain Controller doing this...

My question is: not only do I not want to share the same address space, I also do not want to share the same "wire".  So, are my choices correct:

A.)  get a firewall that supports at least 3 Fast Ethernet ports (1 to Gateway router, 1 to Private LAN, 1 to Public Wireless Lan)

B.)  get a firewall that supports 2 ports (1 to Gateway Router, 1 to Private LAN).  Then take another router and place it from the Private LAN to the Public Wireless LAN?

C.)  Put a HUB between the Gateway Router and a 2 port firewall.  Then connect the public people at the hub with another router.

Option A is more expensive; firewalls with more ports seem to be $2500++

Option B seems like it would be quite easy, but am I missing anything in my security thought process?

The moral of this story is:

I need to buy a firewall.  I'm budgeted for a PIX 506.  Can I accomplish what I need to do with a 506 without jumping to a 515?

Thank you in advance,

Deacon Eisenhart
lrmoore commented:
I would look at something more along these lines:
http://www.dlink.com/products/?sec=0&pid=402

Else, with the 506, you'll need a VLAN-capable switch, set up VLANs on the PIX and keep the wireless on one VLAN, with your inside LAN on a different VLAN firewalled off from the public wireless.
deeky (Author) commented:
If I had a VLAN-capable switch, would I need all VLAN switches or just the main switch that feeds the other switches?
Is a VLAN like a substitute for a router?
Is addressing different between different VLANs?
Who hands out IP addresses on a VLAN?

As always -- thank you,

Deacon
lrmoore commented:
Think of a VLAN as if it is a physically separate switch.
Take one switch and divide the ports into two VLANs and you have "virtually" two physically separate switches.

If you want/need to distribute this switch through the organization, then yes, all switches need to know how to VLAN.
Once it is all set up, and all switches learn which VLANs are available (VTP), then any port on any switch can be a member of either VLAN.

VLANs are typically different IP subnets.

It is not a substitute for a router, rather a substitute for a parallel switch infrastructure.

Since there is virtual physical separation between VLANs, you can have whatever you want providing DHCP for each one. You can have your own Windows DHCP server handing out IP addresses for the majority of the LAN, and some other device (router/firewall) handing out DHCP addresses for the wireless VLAN.
deeky (Author) commented:
Do you think for simplicity I should just get a firewall with more ports and treat the problem that way?  I have about 5 24-port switches in the building, all unmanaged basic layer 2 switches from Nortel, Kingston, and Linksys.  To do VLANs correctly, it seems that I would need to replace them.  Sounds like it would be cheaper to buy a PIX 515 or higher, then support separate networks from it (PRIVATE LAN, PUBLIC WIRELESS).

1.  I can afford to buy a PIX 515 from eBay, but I do not think I will get Cisco support with Smartnet, etc.  Is that something to be concerned about?
2.  If I bought one VLAN switch and placed it at the TOP of the network (like at the main switch), I could then divide the switch there and support two different segments from the main switch.  The rest of my switches go through the main switch, so they wouldn't necessarily need the intelligence of the VLAN.  With the few WAPs I plan on installing, I was going to run dedicated cabling from the server closet to them, not placing them on the current backbone.  Can I get away with this?

Thanks

Deacon
lrmoore commented:
>With the few WAPs I plan on installing, I was going to run dedicated cabling from the server closet to them, not placing them on the current backbone.  Can I get away with this?
Actually, yes, this is a very viable option, but I would certainly reconsider buying a PIX off ebay without support or maintenance. Any software release that fixes future security issues or upgrades will not be available to you, unless you already have a CCO account for other equipment.
I like the idea of a physical DMZ interface on the firewall as opposed to moving to VLAN-capable switches and the 506. You might want to take a look at the Linksys RV0x2 series. It has features not even the 506 can touch, including designating a physical DMZ interface.
deeky (Author) commented:
Would the DMZ be an appropriate place to connect a HUB/Switch to supply the WAPs that I will add?  What about if I add a webserver down the road, can I place that on the same DMZ port as the WAPs?

I guess my problem is there are so many ways to set this situation up.  When I think of DMZ, I think of a computer that needs to speak directly with the internet without any filtering/interference from the router.  Everything from the external IP is just forwarded to the internal IP address.

Will computers located on the DMZ be able to communicate with computers on the LAN side of a router/firewall?

Thanks,

Deacon
lrmoore commented:
>Would the DMZ be an appropriate place to connect a HUB/Switch to supply the WAPs that I will add?  What about if I add a webserver down the road, can I place that on the same DMZ port as the WAPs?
Only if you don't care about the web servers sharing an unsecured subnet with the Wireless clients. Else you might think about a separate DMZ interface.

>I guess my problem is there are so many ways to set this situation up.  When I think of DMZ, I think of a computer that needs to speak directly with the internet without any filtering/interference from the router.  Everything from the external IP is just forwarded to the internal IP address.
Not necessarily. A DMZ is more simply a protected "service lan" that is firewalled, but has public access to specific ports, as well as having a firewall separating this "service LAN" from the internal network.

>Will computers located on the DMZ be able to communicate with computers on the LAN side of a router/firewall?
Yes, but only if you want them to, and only with restrictions.

deeky (Author) commented:
What is the difference between a firewall with 3 Fast Ethernet ports, and a firewall with 2 Fast Ethernet ports and 1 DMZ port?

Deacon
lrmoore commented:
If a FW has 3 physical interfaces, it's almost always inside, outside, DMZ.
A PIX 515 or better is like that, however, the little 501 has an outside interface and a 4-port switch connected to a single inside interface.
You can put up to 6 interfaces on a 515 and, with VLANs, can have as many as 99 separate firewalled DMZs that are as good as being physically separate except they all share the same outbound outside interface.

Some SOHO pseudo-firewalls have a "software" DMZ where you can designate a single internal host as a "DMZ" host.
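To make lrmoore's two suggestions concrete (VLANs on the 506 with the PIX handing out DHCP for the wireless side, and the inside/outside/"DMZ" interface model), here is an added configuration sketch in PIX 6.3 syntax; it is not from any poster in this thread, and all addresses, the VLAN number and the interface names are constructed placeholders. It assumes ethernet1 of the PIX is trunked (802.1Q) to a single VLAN-capable switch, with the private LAN on the native VLAN and the wireless access points on VLAN 2.

```cisco
! Constructed example for a PIX 506E running 6.3 software; addresses are placeholders.
! ethernet0 = outside (to the gateway router)
! ethernet1 = inside (private LAN, native VLAN) plus logical VLAN 2 for public wireless.
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan2 logical

! Security levels: wireless (50) is lower than inside (100), so by default the
! wireless segment cannot initiate connections to the private LAN.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan2 wireless security50

ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address wireless 192.168.2.1 255.255.255.0

! The PIX itself hands out addresses on the wireless VLAN, so the Windows
! domain controller never serves the public clients (placeholder DNS server).
dhcpd address 192.168.2.50-192.168.2.200 wireless
dhcpd dns 203.0.113.53
dhcpd lease 3600
dhcpd enable wireless

! Make the separation explicit: wireless clients may reach the Internet but
! nothing on the private LAN. ACLs are evaluated top-down, so the deny comes first.
access-list wireless_in deny ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list wireless_in permit ip 192.168.2.0 255.255.255.0 any
access-group wireless_in in interface wireless

! Both segments share the single outside address (what lrmoore calls the
! shared outbound outside interface).
nat (inside) 1 0.0.0.0 0.0.0.0
nat (wireless) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
```

A web server placed on its own third VLAN with its own nameif and access-list would follow the same pattern, which is the "separate DMZ interface" lrmoore recommends over sharing the wireless subnet.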