Solved

Wireless Security for Guests

Posted on 2011-02-17
576 Views
Last Modified: 2012-05-11
I had a general question about providing unsecured wireless access for guests.  I just purchased new APs, so I figured if I'm going to make changes, I might as well do it with the new roll-out.  Anyway, I was talking to the company that sold them to me (Cisco 1140), and they scoffed at and mocked the idea that I was giving guests unsecured wireless access on my DMZ.  Is this a big no-no now?
Question by:ksuchewie
13 Comments
 
LVL 9

Expert Comment

by:meko72
ID: 34917519
This is how I have my network set up at my office.

I have a 2003 SBS and BlackBerry.  They are on their own subnet.

I have a Linksys set up from the switch that provides unsecured wireless access to guests in the conference room. The wireless has its own subnet.

I have not run into any problems in the last year.
 

Author Comment

by:ksuchewie
ID: 34917571
I haven't had any problems with my guest wireless being on the DMZ for 4 years, so I'm not sure if that's the justification or not.
 
LVL 9

Expert Comment

by:meko72
ID: 34917639
What I think the heckling is about is that it is a security issue because the wireless and the network are still on the same physical network, even though they are segmented.
 
LVL 10

Expert Comment

by:abbright
ID: 34917746
Well, usually your DMZ is protected from the internet by some kind of firewall. When you put your guests in the DMZ they have unrestricted access to your DMZ servers from a firewall perspective. If you don't mind doing so that's ok. Best practice would be to put your guests directly into the internet.
 

Author Comment

by:ksuchewie
ID: 34917787
abbright:
Do you mean dropping them into their own VLAN on our network (other than the DMZ network) and locking them down so they can only use port 80 and port 443?  We have an ASA5520 for a firewall.
 
LVL 10

Expert Comment

by:abbright
ID: 34917854
I mean that you should put them into their own VLAN, other than the DMZ network, and connect this network directly to the internet. You can put a firewall in between to restrict the traffic to ports 80 and 443 if you want. The important part is that they should not be in a network where internal or DMZ servers are located.

 
LVL 32

Accepted Solution

by:
aleghart earned 250 total points
ID: 34918933
Their own VLAN would be best.  With firewall + routing you can limit them to a secondary WAN (not your primary) and also throttle bandwidth and limit ports.  On my SonicWall, I shunt guests to an ADSL and limit them to 50% of available bandwidth.

If you're in a populated area you could use WEP with a 10-digit key, not so much for security, but to keep passersby from mooching off your connection.  A simple sign in the conference room, or make it the office's toll-free number (a little marketing never hurts).
 

Author Comment

by:ksuchewie
ID: 34919234
I created a new VLAN for them to use on our non-DMZ network.  It looks like I can do ACLs on the access point.  It looks like I will have to make a passthrough to my mgmt VLAN for DHCP.
 

Author Comment

by:ksuchewie
ID: 34919711
In addition to the above:

One thing I am trying to figure out a best practice for on my guest access is DHCP.  I enabled Public Secure Packet Forwarding for better security on my guest VLAN, but my DHCP server resides in my mgmt VLAN.  So I think PSPF will block DHCP across my VLANs? I haven't tested that yet.
 
I also created filters on the AP's and applied them to my guest SSID, ports allowed:
80 (http)
443 (https)
67 & 68 (dhcp)

Is using the AP filters secure enough or should I use the ASA?
 
LVL 32

Expert Comment

by:aleghart
ID: 34919934
I use a core router/switch that can run DHCP per VLAN.  So, primary LAN, no DHCP...goes to the Windows server for that.  Guest VLAN, addresses issued via DHCP on the core router/switch.  Since it's a VLAN, there's no DHCP server confusion...nobody sees it but the proper VLAN.
 

Author Comment

by:ksuchewie
ID: 34919981
I forgot that my core switch does DHCP; I'll give that a shot, thanks!
 
LVL 45

Expert Comment

by:Craig Beck
ID: 34921685
An ACL on the AP will do you fine, and is quite easy to configure, however you've not allowed DNS on your Guest SSID, so no-one will get internet access by hostname, only by IP address.

PSPF will only block access between wireless clients on the same SSID.  To stop clients accessing servers in the DMZ on the ports you've allowed you should create entries in the ACL to deny access to each server explicitly.

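Craig Beck's two points (no DNS rule in the posted port list, and DMZ servers still reachable on the permitted ports unless denied explicitly) can be checked with a small first-match ACL evaluator that mimics the implicit deny at the end of an IOS ACL. This is an added example, not code from the thread or from Cisco; the guest and DMZ address ranges and the sample flows are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing (assumed for the example, not from the thread).
DMZ_NET = ip_network("192.168.100.0/24")   # where the DMZ servers live
ANY = ip_network("0.0.0.0/0")

# Rule format: (action, protocol, destination network, destination port or None = any).
# The ACL as posted in the thread: only 80, 443 and 67/68 permitted.
ACL_POSTED = [
    ("permit", "tcp", ANY, 80),
    ("permit", "tcp", ANY, 443),
    ("permit", "udp", ANY, 67),
    ("permit", "udp", ANY, 68),
]

# Corrected ACL: deny the DMZ range before any permit, and allow DNS.
ACL_FIXED = [
    ("deny", "ip", DMZ_NET, None),
    ("permit", "udp", ANY, 53),
] + ACL_POSTED


def evaluate(acl, proto, dst_ip, dst_port):
    """Return the action of the first matching rule; implicit deny if none matches."""
    dst = ip_address(dst_ip)
    for action, r_proto, r_net, r_port in acl:
        if r_proto != "ip" and r_proto != proto:
            continue
        if dst not in r_net:
            continue
        if r_port is not None and r_port != dst_port:
            continue
        return action
    return "deny"


# Constructed flows from a guest client: (protocol, destination IP, destination port).
FLOWS = {
    "web_to_internet": ("tcp", "203.0.113.10", 80),
    "dns_to_internet": ("udp", "203.0.113.53", 53),
    "https_to_dmz_server": ("tcp", "192.168.100.5", 443),
    "dhcp_broadcast": ("udp", "255.255.255.255", 67),
}


def audit(acl):
    """Map each sample flow name to the action the ACL takes on it."""
    return {name: evaluate(acl, *flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("posted", ACL_POSTED), ("fixed", ACL_FIXED)):
        print(label, audit(acl))
```

The posted ACL drops DNS and permits HTTPS to a DMZ host; the corrected one permits DNS and denies the DMZ while leaving web and DHCP traffic unchanged.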
 

Author Comment

by:ksuchewie
ID: 34921737
Thanks for the update.  I opened a case with Cisco TAC, but they appear to be asleep today.  I'm hoping tomorrow to do some actual testing.