Network advice needed

Posted on 2014-03-21
Medium Priority
Last Modified: 2014-03-22
We are a small private school with a modest network infrastructure.  Specs include:
one sub domain with only one range of 255 addresses
User authentication to file servers is handled through Active Directory
Domain controller is running Server 2003
Non-authenticated users can access the network for Internet access only
Six wireless access points throughout the building

My problem is that with the influx of portable devices we are running out of IP addresses so I know that I need to increase the scope to include more IP addresses.

I have instructions on how to increase the scope, but I am wondering if this is the best approach to solve our problems.  I also am planning to implement a radius server this summer to better handle authentication.

So my question is this: is my approach the best, conservative approach or should I be considering something else?

Question by:Ken Herr
LVL 26

Expert Comment

by:Fred Marshall
ID: 39946230
It sounds to me like you need a guest subnet that's separate.  Would that make sense?
Sounds like a LOT of IP addresses for a "small school's" operational needs.  Operational network security is at issue.
LVL 31

Expert Comment

by:Gareth Gudger
ID: 39946308
I agree with fmarshall. I have always created a separate guest network for portable wireless devices. Give them internet only.

If they need internal access, then just put them on their own subnet.

I am assuming these devices are BYOD and you have no real control over them, including their virus protection.
LVL 11

Expert Comment

ID: 39946311
Is it possible to do MAC Authentication on the wireless points?
LVL 31

Expert Comment

by:Gareth Gudger
ID: 39946323
Any good wireless LAN controller (Cisco) can handle multiple SSIDs, subnets and VLANs, keeping everything separate but broadcasting over the same radios.

Author Comment

by:Ken Herr
ID: 39946771
I agree that it seems like a lot of IP addresses for a small school.  However, our upper grades are cyber-students and we have 50 Chromebooks on our network so there are a lot of user devices.  Also, the rapid increase in smart phones has sucked a lot of addresses.

What is the issue with network security?  If a user does not log on to the domain, then they only have Internet access and cannot see secured areas.

How would I go about setting up a guest network?

MAC authentication on the wireless is probably unmanageable.

Can you elaborate on your suggestion?  How can I put guests on their own subnet?  Are you suggesting that I have separate wireless networks for guest and authorized users?
LVL 31

Accepted Solution

Gareth Gudger earned 2000 total points
ID: 39946796

You can either do it with separate inexpensive wireless access points, where half would be dedicated to a guest SSID and the other half to say an internal SSID.

Higher-end access points will allow multiple separate SSIDs to be broadcast. These are typically managed by a wireless LAN controller.

The controller and attached network switches and routers would be configured for a separate VLAN. Anyone that connects to the guest SSID would be on a separate VLAN (broadcast network). Being on a separate VLAN, you can then have that VLAN assigned its own DHCP scope / IP subnet. So your guest network would be completely segmented.

With regard to guests not being on the domain, it just depends on how much separation you need. For example, a domain-joined file server with a network share that has the 'Everyone' group is pretty much anonymous access to the file share. You may also have internal web servers or intranets that are configured for anonymous.

Also, any services using BASIC authentication are sending passwords in clear text. Anyone could bring in their own device with a packet sniffer and capture PLAIN TEXT passwords.

Just two of the areas that a segmented guest network can help with regards to BYOD.

Secondly, BYOD will equal devices on your network with highly questionable virus protection. I have seen a company hit twice by a virus in the last 12 months on a file share that was left open with 'Everyone' access.
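The two designs discussed in this answer, the asker's plan of widening the single scope and the accepted suggestion of a separate guest VLAN with its own subnet and DHCP scope, as an added worked example in Python. This is not code from the thread or from any poster; the subnets 192.168.1.0/24 and 10.200.0.0/22, the VLAN numbers and the reserved-address counts are assumed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Scope:
    """One DHCP scope: the VLAN it serves, its subnet and the lease range handed out."""
    name: str
    vlan: int
    network: ipaddress.IPv4Network
    first_lease: ipaddress.IPv4Address
    last_lease: ipaddress.IPv4Address

    @property
    def lease_count(self) -> int:
        return int(self.last_lease) - int(self.first_lease) + 1


def expand_scope(current: str, new_prefix: int, reserved: int = 20) -> Scope:
    """Option 1 (the asker's plan): grow the single existing scope to a shorter prefix.

    Returns the enclosing supernet at `new_prefix`, keeping the first `reserved`
    host addresses out of the lease range for the gateway, servers and printers.
    The return value also shows the catch: 192.168.1.0/24 becomes 192.168.0.0/23,
    so every statically addressed host needs its netmask changed as well.
    VLAN 10 is an assumed placeholder for the existing internal VLAN.
    """
    net = ipaddress.ip_network(current, strict=False)
    if new_prefix >= net.prefixlen:
        raise ValueError("new prefix must be shorter than the current one")
    supernet = net.supernet(new_prefix=new_prefix)
    hosts = list(supernet.hosts())
    return Scope("internal", 10, supernet, hosts[reserved], hosts[-1])


def guest_scope(internal: str, guest: str, vlan: int, reserved: int = 1) -> Scope:
    """Option 2 (the accepted answer): a separate guest VLAN with its own subnet and scope.

    Refuses a guest subnet that overlaps the internal one, because the point of
    the design is that guest clients sit in a different broadcast domain.
    """
    inet = ipaddress.ip_network(internal, strict=False)
    gnet = ipaddress.ip_network(guest, strict=False)
    if inet.overlaps(gnet):
        raise ValueError(f"guest subnet {gnet} overlaps internal subnet {inet}")
    hosts = list(gnet.hosts())
    return Scope("guest", vlan, gnet, hosts[reserved], hosts[-1])


def scope_for(client_ip: str, scopes: Iterable[Scope]) -> str:
    """Name of the scope (VLAN) a client address falls in, or 'unknown'.

    A device on the guest SSID that classifies as 'internal' means the
    SSID-to-VLAN mapping or the DHCP relay is wrong and the segmentation
    is not actually in effect.
    """
    ip = ipaddress.ip_address(client_ip)
    for s in scopes:
        if ip in s.network:
            return s.name
    return "unknown"


if __name__ == "__main__":
    internal = expand_scope("192.168.1.0/24", 23)
    guest = guest_scope(str(internal.network), "10.200.0.0/22", vlan=200)
    for s in (internal, guest):
        print(f"VLAN {s.vlan:>3} {s.name:<8} {s.network}  "
              f"leases {s.first_lease}-{s.last_lease} ({s.lease_count})")
    print("10.200.1.50 is on:", scope_for("10.200.1.50", [internal, guest]))
```

Running it prints the two scopes side by side: the widened internal scope hands out 490 leases across 192.168.0.0/23, and the guest VLAN adds 1021 leases in 10.200.0.0/22 without touching the internal netmask at all. The `scope_for` check is the quick sanity test after the change: pick a client on the guest SSID, look up its lease, and confirm it lands in the guest subnet rather than the internal one.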
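The BASIC-authentication point above, as an added detection example in Python rather than anything from the thread: it parses a few constructed HTTP requests, the kind a proxy or IDS on the internal VLAN would record, and flags any that send a Basic credential without TLS. The hostnames, paths and the base64 credential (which is just the placeholder "user:pass") are all constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample traffic: (scheme the client used, raw request bytes as text).
# None of these hosts or credentials are real.
SAMPLE_REQUESTS = [
    ("http",  "GET /timesheets HTTP/1.1\r\nHost: intranet.school.local\r\n"
              "Authorization: Basic dXNlcjpwYXNz\r\n\r\n"),
    ("https", "GET /owa/ HTTP/1.1\r\nHost: mail.school.local\r\n"
              "Authorization: Basic dXNlcjpwYXNz\r\n\r\n"),
    ("http",  "GET /public/calendar HTTP/1.1\r\nHost: intranet.school.local\r\n\r\n"),
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]\r?$")
HEADER = re.compile(r"^(?P<name>[^:]+):\s*(?P<value>.*?)\r?$")


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request into (method, path, lower-cased header dict)."""
    lines = raw.split("\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("not an HTTP/1.x request line")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.rstrip("\r"):
            break  # blank line ends the header block
        h = HEADER.match(line)
        if h:
            headers[h.group("name").strip().lower()] = h.group("value")
    return m.group("method"), m.group("path"), headers


def cleartext_basic_auth(requests) -> List[Tuple[str, str]]:
    """Return (host, path) for every request carrying a Basic credential over plain HTTP.

    Basic is base64, not encryption, so without TLS the username and password
    are readable by anything that can see the traffic. Requests over https are
    not flagged: the credential is still Basic, but it travels inside TLS.
    """
    findings = []
    for scheme, raw in requests:
        _, path, headers = parse_request(raw)
        auth = headers.get("authorization", "")
        if scheme == "http" and auth.lower().startswith("basic "):
            findings.append((headers.get("host", "?"), path))
    return findings


if __name__ == "__main__":
    for host, path in cleartext_basic_auth(SAMPLE_REQUESTS):
        print(f"clear-text Basic credential: http://{host}{path}")
```

Only the first sample request is reported; the same credential over https and the unauthenticated request are left alone. The fix on the service side is the usual one: put the intranet behind TLS or move it off Basic, and the segmented guest VLAN from the answer above limits who can observe that traffic in the meantime.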

Author Comment

by:Ken Herr
ID: 39947775
Thank you, diggisaur.
All good suggestions but unfortunately, I lack one thing - $$ to add hardware or infrastructure.  The perils of a private school which explains why I am still running Server 2003.

We are moving our critical file storage to the cloud so I'm not as concerned about security as I am about being able to provide connectivity for our students.  So, I guess expanding the pool of IP addresses is my only option at this point.
LVL 31

Expert Comment

by:Gareth Gudger
ID: 39947981
Hey MrKen, have you looked at purchasing software from TechSoup?

They are dirt cheap.

Or are you using Microsoft Education Licensing?

I know there are a lot of donation/lottery programs from many hardware and software vendors as well.
