Wireless Security for Guests

I had a general question about providing unsecured wireless access for guests.  I just purchased new APs so I figured if I'm going to make changes, might as well do it with the new roll-out.  Anyway, I was talking to the company that sold them to me (Cisco 1140), and they scoffed and mocked at the idea that I was giving guests unsecured wireless access on my DMZ.  Is this a big no-no now?
ksuchewie asked:
aleghart commented:
Their own VLAN would be best.  With firewall + routing you can limit them to a secondary WAN (not your primary) and also throttle bandwidth and limit ports.  On my SonicWall, I shunt guests to an ADSL and limit them to 50% of available bandwidth.

If you're in a populated area you could use WEP with a 10-digit key, not so much for security, but to keep passersby from mooching off your connection.  A simple sign in the conference room, or make it the office's toll-free number (a little marketing never hurts).
meko72 commented:
This is how I have my network set up at my office.

I have a 2003 SBS and BlackBerry.  They are on their own subnet.

I have a Linksys set up from the switch that provides unsecured wireless access to guests in the conference room. The wireless has its own subnet.

I have not run into any problems in the last year.

ksuchewie (Author) commented:
I haven't had any problems with my guest wireless being on the DMZ for 4 years, so I'm not sure if that's the justification or not.

meko72 commented:
What I think the heckling is about is that it is a security issue because the wireless and the network are still on the same physical network, even though they are segmented.

abbright commented:
Well, usually your DMZ is protected from the internet by some kind of firewall. When you put your guests in the DMZ they have unrestricted access to your DMZ servers from a firewall perspective. If you don't mind doing so that's ok. Best practice would be to put your guests directly into the internet.

ksuchewie (Author) commented:
abbright:
Do you mean dropping them into their own VLAN on our network (other than the DMZ network), and locking them down so they can only use ports 80 and 443?  We have an ASA5520 for firewall.

abbright commented:
I mean that you should put them into their own VLAN other than the DMZ network and connect this network directly with the internet. You can put a firewall in between to restrict the traffic to ports 80 and 443 if you want. The important part is that they should not be in a network where internal or DMZ servers are located.

ksuchewie (Author) commented:
I created a new VLAN for them to use on our non-DMZ network.  It looks like I can do ACLs on the access point.  It looks like I will have to make a passthrough to my mgmt VLAN for DHCP.

ksuchewie (Author) commented:
In addition to the above...

One thing I am trying to figure out a best practice for on my guest access is DHCP.  I enabled Public Secure Packet Forwarding for better security on my guest VLAN, but my DHCP server resides in my mgmt VLAN.  So I think PSPF will block DHCP across my VLANs? I haven't tested that yet.

I also created filters on the APs and applied them to my guest SSID, ports allowed:
80 (http)
443 (https)
67 & 68 (dhcp)

Is using the AP filters secure enough or should I use the ASA?

aleghart commented:
I use a core router/switch that can run DHCP per VLAN.  So, primary LAN, no DHCP...goes to the Windows server for that.  Guest VLAN, addresses issued via DHCP on the core router/switch.  Since it's a VLAN, there's no DHCP server confusion...nobody sees it but the proper VLAN.

ksuchewie (Author) commented:
I forgot that my core switch does DHCP, I'll give that a shot, thanks!

Craig Beck commented:
An ACL on the AP will do you fine, and is quite easy to configure; however, you've not allowed DNS on your guest SSID, so no one will get internet access by hostname, only by IP address.

PSPF will only block access between wireless clients on the same SSID.  To stop clients accessing servers in the DMZ on the ports you've allowed you should create entries in the ACL to deny access to each server explicitly.

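A concrete version of the ACL Craig describes, written as an added example for this thread rather than taken from it or from Cisco documentation: an extended IOS access list for the guest SSID that keeps the original 80/443/67/68 list, adds DNS, and denies the DMZ range explicitly before any permit. The DMZ range 192.0.2.0/24, the DNS server 198.51.100.53 and the subinterface name Dot11Radio0.20 are placeholders I have assumed; substitute your own.

```cisco
! Added example, not configuration from the thread. Placeholders:
!   192.0.2.0/24    = the DMZ (deny it explicitly, as Craig suggests)
!   198.51.100.53   = the DNS server guests are allowed to query
!   Dot11Radio0.20  = the subinterface carrying the guest SSID's VLAN
ip access-list extended GUEST-IN
 remark Entries match top-down: put the DMZ deny above the web permits,
 remark otherwise "permit tcp any any eq www" would still reach DMZ servers
 deny   ip any 192.0.2.0 0.0.0.255
 remark DHCP: client port 68 (bootpc) to server port 67 (bootps)
 permit udp any eq bootpc any eq bootps
 remark DNS: without this only access by IP address works
 permit udp any host 198.51.100.53 eq domain
 permit tcp any host 198.51.100.53 eq domain
 remark Web only
 permit tcp any any eq www
 permit tcp any any eq 443
 remark Everything else (including the mgmt VLAN) is dropped; the explicit
 remark deny just makes the hit counters visible in "show access-lists"
 deny   ip any any
!
interface Dot11Radio0.20
 ip access-group GUEST-IN in
```

If the DNS or DHCP server itself sits inside a range you deny, its permit line must be placed above that deny, or guests will never get an address or a name lookup.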
ksuchewie (Author) commented:
Thanks for the update.  I opened a case with Cisco TAC but they appear to be asleep today.  I'm hoping tomorrow to do some actual testing.