Asked by ksuchewie (United States of America)
Wireless Security for Guests

I had a general question about providing unsecured wireless access for guests.  I just purchased new APs, so I figured if I'm going to make changes, I might as well do it with the new roll-out.  Anyway, I was talking to the company that sold them to me (Cisco 1140), and they scoffed and mocked at the idea that I was giving guests unsecured wireless access on my DMZ.  Is this a big no-no now?
meko72 (United States of America):
This is how I have my network set up at my office.

I have a 2003 SBS and Blackberry.  They are on their own subnet.

I have a Linksys set up from the switch that provides unsecured wireless access to guests in the conference room. The wireless has its own subnet.

I have not run into any problems in the last year.
ksuchewie (ASKER):
I haven't had any problems with my guest wireless being on the DMZ for 4 years, so I'm not sure if that's the justification or not.
What I think the heckle is about is that it is a security issue because the wireless and the network are still on the same physical network even though they are segmented.
Well, usually your DMZ is protected from the internet by some kind of firewall. When you put your guests in the DMZ they have unrestricted access to your DMZ servers from a firewall perspective. If you don't mind doing so that's ok. Best practice would be to put your guests directly into the internet.
abbright:
Do you mean dropping them into their own vlan on our network (other than DMZ network), and locking them down so they can only use ports 80 and port 443 ?  We have an ASA5520 for firewall.
I mean that you should put them into their own vlan other than DMZ network and connect this network directly with the internet. You can put a firewall between to restrict the traffic to ports 80 and 443 if you want. The important part is that they should not be in a network where internal or DMZ-servers are located.
ASKER CERTIFIED SOLUTION
aleghart (United States of America)

This solution is only available to members of Experts Exchange.
I created a new VLAN for them to use on our non-DMZ network.  It looks like I can do ACLs on the access point.  It looks like I will have to make a passthrough to my mgmt VLAN for DHCP.
In addition to the above....

One thing I am trying to figure out a best practice for with my guest access is DHCP.  I enabled Public Secure Packet Forwarding for better security on my guest VLAN, but my DHCP server resides in my mgmt VLAN.  So I think PSPF will block DHCP across my VLANs? I haven't tested that yet.

I also created filters on the AP's and applied them to my guest SSID, ports allowed:
80 (http)
443 (https)
67 & 68 (dhcp)

Is using the AP filters secure enough or should I use the ASA?
I use a core router/switch that can run DHCP per VLAN.  So, primary LAN, no DHCP...goes to the Windows server for that.  Guest VLAN, addresses issued via DHCP on the core router/switch.  Since it's a VLAN, there's no DHCP server confusion...nobody sees it but the proper VLAN.
I forgot that my core-switch does DHCP, I'll give that a shot thanks!
An ACL on the AP will do you fine, and is quite easy to configure; however, you've not allowed DNS on your Guest SSID, so no-one will get internet access by hostname, only by IP address.

PSPF will only block access between wireless clients on the same SSID.  To stop clients accessing servers in the DMZ on the ports you've allowed you should create entries in the ACL to deny access to each server explicitly.
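The two points in the reply above (no DNS entry, and DMZ servers still reachable on the permitted ports unless they are denied explicitly) can be checked before touching the AP by walking the rule list the way an order-sensitive, first-match ACL does. The script below is an added example, not code from the thread or from Cisco; all addresses, subnets and flow names in it are constructed, and it models an IOS-style ACL only as far as action, protocol, destination network and destination port.

```python
"""First-match ACL walk over a few constructed guest-VLAN flows.

Models the filter described in the thread: an order-sensitive list of
permit/deny entries applied to traffic leaving the guest SSID.
Addresses, subnets and rule names below are constructed for illustration.
"""
from ipaddress import ip_address, ip_network

# Constructed addressing: a DMZ web server, a DNS server sitting in the
# management VLAN, and an arbitrary internet host (documentation range).
DMZ_SERVER = "172.16.10.10"
MGMT_DNS = "192.168.1.5"
INTERNET = "203.0.113.7"
DMZ_NET = "172.16.10.0/24"
MGMT_NET = "192.168.1.0/24"


def rule(action, proto=None, dst="0.0.0.0/0", dport=None):
    """One ACL entry. None for proto/dport means 'any'."""
    return {"action": action, "proto": proto, "dst": ip_network(dst), "dport": dport}


# The filter as posted in the thread: only HTTP, HTTPS and DHCP are permitted.
ACL_AS_POSTED = [
    rule("permit", "tcp", dport=80),
    rule("permit", "tcp", dport=443),
    rule("permit", "udp", dport=67),
    rule("permit", "udp", dport=68),
]

# The same filter with the two fixes raised in the reply: explicit denies
# toward the DMZ and management networks placed ahead of the permits,
# and DNS (UDP and TCP 53) allowed.
ACL_HARDENED = [
    rule("deny", dst=DMZ_NET),
    rule("deny", dst=MGMT_NET),
    rule("permit", "udp", dport=53),
    rule("permit", "tcp", dport=53),
    rule("permit", "tcp", dport=80),
    rule("permit", "tcp", dport=443),
    rule("permit", "udp", dport=67),
    rule("permit", "udp", dport=68),
]


def evaluate(acl, proto, dst_ip, dport):
    """Return 'permit' or 'deny' for one flow, walking the ACL top to bottom.

    First matching entry wins; a flow that matches nothing hits the implicit
    deny at the end, as on IOS.
    """
    dst = ip_address(dst_ip)
    for r in acl:
        if r["proto"] not in (None, proto):
            continue
        if dst not in r["dst"]:
            continue
        if r["dport"] not in (None, dport):
            continue
        return r["action"]
    return "deny"


# Constructed flows a guest client might generate: (protocol, destination, port).
FLOWS = {
    "dns_lookup":   ("udp", INTERNET, 53),
    "web_browsing": ("tcp", INTERNET, 443),
    "dmz_https":    ("tcp", DMZ_SERVER, 443),
    "mgmt_dns":     ("udp", MGMT_DNS, 53),
    "dhcp_request": ("udp", "255.255.255.255", 67),
}


def audit(acl):
    """Map each named flow to the ACL's verdict."""
    return {name: evaluate(acl, *flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("as posted", ACL_AS_POSTED), ("hardened", ACL_HARDENED)):
        print(f"--- {label} ---")
        for name, verdict in audit(acl).items():
            print(f"{name:14s} {verdict}")
```

Run as posted, the walk shows `dns_lookup` denied and `dmz_https` permitted, which is exactly the pair of problems the reply describes; the hardened list flips both while still letting the DHCP broadcast through. Note that with the management network denied, the guest DHCP scope has to hand out a resolver that is reachable from the guest VLAN (the `mgmt_dns` flow is denied in the hardened list on purpose).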

Thanks for the update.  I opened a case with Cisco TAC but they appear to be asleep today.  I'm hoping tomorrow to do some actual testing.