Wireless Security for Guests

Posted on 2011-02-17
651 Views
Last Modified: 2012-05-11
I had a general question about providing unsecured wireless access for guests.  I just purchased new APs, so I figured if I'm going to make changes, I might as well do it with the new roll-out.  Anyway, I was talking to the company that sold them to me (Cisco 1140), and they scoffed and mocked at the idea that I was giving guests unsecured wireless access on my DMZ.  Is this a big no-no now?
Question by:ksuchewie
13 Comments
 
LVL 9

Expert Comment

by:meko72
ID: 34917519
This is how I have my network set up at my office.

I have a 2003 SBS and BlackBerry.  They are on their own subnet.

I have a Linksys set up from the switch that provides unsecured wireless access to guests in the conference room. The wireless has its own subnet.

I have not run into any problems in the last year.
 

Author Comment

by:ksuchewie
ID: 34917571
I haven't had any problems with my guest wireless being on the DMZ for 4 years, so I'm not sure if that's the justification or not.
 
LVL 9

Expert Comment

by:meko72
ID: 34917639
What I think the heckle is about is that it is a security issue because the wireless and the network are still on the same physical network even though they are segmented.
LVL 10

Expert Comment

by:abbright
ID: 34917746
Well, usually your DMZ is protected from the internet by some kind of firewall. When you put your guests in the DMZ they have unrestricted access to your DMZ servers from a firewall perspective. If you don't mind doing so that's ok. Best practice would be to put your guests directly into the internet.
 

Author Comment

by:ksuchewie
ID: 34917787
abbright:
Do you mean dropping them into their own VLAN on our network (other than the DMZ network) and locking them down so they can only use ports 80 and 443?  We have an ASA5520 for a firewall.
 
LVL 10

Expert Comment

by:abbright
ID: 34917854
I mean that you should put them into their own VLAN, separate from the DMZ network, and connect this network directly to the internet. You can put a firewall in between to restrict the traffic to ports 80 and 443 if you want. The important part is that they should not be in a network where internal or DMZ servers are located.
 
LVL 32

Accepted Solution

by: aleghart (earned 1000 total points)
ID: 34918933
Their own VLAN would be best.  With firewall + routing you can limit them to a secondary WAN (not your primary) and also throttle bandwidth and limit ports.  On my SonicWall, I shunt guests to an ADSL and limit them to 50% of available bandwidth.

If you're in a populated area, you could use WEP with a 10-digit key, not so much for security, but to keep passersby from mooching off your connection.  Put a simple sign in the conference room, or make it the office's toll-free number (a little marketing never hurts).
 

Author Comment

by:ksuchewie
ID: 34919234
I created a new VLAN for them to use on our non-DMZ network.  It looks like I can do an ACL on the access point.  It looks like I will have to make a passthrough to my mgmt VLAN for DHCP.
 

Author Comment

by:ksuchewie
ID: 34919711
In addition to the above:

One thing I am trying to figure out a best practice for on my guest access is DHCP.  I enabled Public Secure Packet Forwarding for better security on my guest VLAN, but my DHCP server resides in my mgmt VLAN.  So I think PSPF will block DHCP across my VLANs?  I haven't tested that yet.

I also created filters on the APs and applied them to my guest SSID. Ports allowed:
80 (http)
443 (https)
67 & 68 (dhcp)

Is using the AP filters secure enough, or should I use the ASA?
 
LVL 32

Expert Comment

by:aleghart
ID: 34919934
I use a core router/switch that can run DHCP per VLAN.  So, primary LAN, no DHCP...goes to the Windows server for that.  Guest VLAN, addresses issued via DHCP on the core router/switch.  Since it's a VLAN, there's no DHCP server confusion...nobody sees it but the proper VLAN.
 

Author Comment

by:ksuchewie
ID: 34919981
I forgot that my core switch does DHCP. I'll give that a shot, thanks!
 
LVL 47

Expert Comment

by:Craig Beck
ID: 34921685
An ACL on the AP will do you fine, and is quite easy to configure; however, you've not allowed DNS on your guest SSID, so no one will get internet access by hostname, only by IP address.

PSPF will only block access between wireless clients on the same SSID.  To stop clients accessing servers in the DMZ on the ports you've allowed, you should create entries in the ACL to deny access to each server explicitly.
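The two points made above (the missing DNS rule, and explicit DMZ denies placed ahead of the permits) are easy to check with a small model of how an ordered ACL is evaluated: first matching entry wins, and anything unmatched hits the implicit deny at the end. The following is an added example written for this page, not code from the thread or from Cisco. The poster's filter list (80, 443, 67, 68) is compared with a corrected list that adds port 53 and a deny for a DMZ range; the DMZ subnet 192.0.2.0/24 and the packet destinations are constructed sample values, not addresses from the thread.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "any"
    dst: IPv4Network       # destination network the entry matches
    dport: Optional[int]   # destination port; None matches any port


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_ip: str
    dport: int


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Return the action of the first matching entry.

    Models the ordered, first-match behaviour of a Cisco-style ACL,
    including the implicit deny when no entry matches.
    """
    for rule in acl:
        if rule.proto not in ("any", pkt.proto):
            continue
        if ip_address(pkt.dst_ip) not in rule.dst:
            continue
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        return rule.action
    return "deny"  # implicit deny at the end of every ACL


ANY = ip_network("0.0.0.0/0")
DMZ = ip_network("192.0.2.0/24")  # constructed DMZ range (assumption)

# The poster's filter as described: only 80, 443 and DHCP are permitted.
ORIGINAL_ACL: List[Rule] = [
    Rule("permit", "tcp", ANY, 80),
    Rule("permit", "tcp", ANY, 443),
    Rule("permit", "udp", ANY, 67),
    Rule("permit", "udp", ANY, 68),
]

# Corrected list: DMZ deny first, DNS added, then the original permits.
CORRECTED_ACL: List[Rule] = [
    Rule("deny", "any", DMZ, None),
    Rule("permit", "udp", ANY, 53),
    Rule("permit", "tcp", ANY, 53),
    *ORIGINAL_ACL,
]

# Same entries, but the DMZ deny placed last: never reached for 80/443.
MISORDERED_ACL: List[Rule] = [
    Rule("permit", "udp", ANY, 53),
    Rule("permit", "tcp", ANY, 53),
    *ORIGINAL_ACL,
    Rule("deny", "any", DMZ, None),
]

# Constructed sample traffic from a guest client.
SAMPLE_PACKETS: Dict[str, Packet] = {
    "dns_query": Packet("udp", "198.51.100.53", 53),
    "web_to_internet": Packet("tcp", "203.0.113.10", 443),
    "web_to_dmz": Packet("tcp", "192.0.2.20", 80),
    "ssh_to_dmz": Packet("tcp", "192.0.2.20", 22),
    "dhcp_discover": Packet("udp", "255.255.255.255", 67),
}


def compare(acl_a: List[Rule], acl_b: List[Rule]) -> Dict[str, Tuple[str, str]]:
    """Evaluate every sample packet against two ACLs side by side."""
    return {name: (evaluate(acl_a, p), evaluate(acl_b, p))
            for name, p in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, (before, after) in compare(ORIGINAL_ACL, CORRECTED_ACL).items():
        print(f"{name:16s} original={before:6s} corrected={after}")
    print("misordered web_to_dmz:",
          evaluate(MISORDERED_ACL, SAMPLE_PACKETS["web_to_dmz"]))
```

Running it shows the DNS query falling to the implicit deny under the original filter, HTTP to the DMZ host being permitted by the original filter and denied by the corrected one, and the misordered list letting the same DMZ request through because the broad `permit tcp any 80` matches before the deny is ever consulted.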
 

Author Comment

by:ksuchewie
ID: 34921737
Thanks for the update.  I opened a case with Cisco TAC, but they appear to be asleep today.  I'm hoping to do some actual testing tomorrow.
