Network advice needed

Posted on 2014-03-21
Last Modified: 2014-03-22
We are a small private school with a modest network infrastructure.  Specs include:
one subdomain with only one range of 255 addresses
User authentication to file servers is handled through Active Directory
Domain controller is running Server 2003
Non-authenticated users can access the network for Internet access only
Six wireless access points throughout the building

My problem is that with the influx of portable devices we are running out of IP addresses so I know that I need to increase the scope to include more IP addresses.

I have instructions on how to increase the scope, but I am wondering if this is the best approach to solve our problems.  I also am planning to implement a radius server this summer to better handle authentication.

So my question is this: is my approach the best, conservative approach or should I be considering something else?

Question by:Ken Herr
LVL 26

Expert Comment

by:Fred Marshall
ID: 39946230
It sounds to me like you need a guest subnet that's separate.  Would that make sense?
Sounds like a LOT of IP addresses for a "small school's" operational needs.  Operational network security is at issue.
LVL 31

Expert Comment

by:Gareth Gudger
ID: 39946308
I agree with fmarshall. I have always created a separate guest network for portable wireless devices. Give them internet only.

If they need internal access, then just put them on their own subnet.

I am assuming these devices are BYOD and you have no real control over them, including their virus protection.
LVL 11

Expert Comment

ID: 39946311
Is it possible to do MAC Authentication on the wireless points?
LVL 31

Expert Comment

by:Gareth Gudger
ID: 39946323
Any good wireless LAN controller (Cisco) can handle multiple SSIDs, subnets and VLANs, keeping everything separate but broadcasting over the same radios.

Author Comment

by:Ken Herr
ID: 39946771
I agree that it seems like a lot of IP addresses for a small school.  However, our upper grades are cyber-students and we have 50 Chromebooks on our network so there are a lot of user devices.  Also, the rapid increase in smart phones has sucked a lot of addresses.

What is the issue with network security?  If a user does not log on to the domain, then they only have Internet access and cannot see secured areas.

How would I go about setting up a guest network?

MAC authentication on the wireless is probably unmanageable.  

Can you elaborate on your suggestion?  How can I put guests on their own subnet?  Are you suggesting that I have separate wireless networks for guest and authorized users?
LVL 31

Accepted Solution

Gareth Gudger earned 500 total points
ID: 39946796

You can either do it with separate inexpensive wireless access points, where half would be dedicated to a guest SSID and the other half to say an internal SSID.

Higher-end access points will allow multiple separate SSIDs to be broadcast. These are typically managed by a wireless LAN controller.

The controller and attached network switches and routers would be configured for a separate VLAN. Anyone that connects to the guest SSID would be on a separate VLAN (broadcast network). Being on a separate VLAN, you can then have that VLAN assigned its own DHCP scope / IP subnet. So your guest network would be completely segmented.

With regard to guests not being on the domain, it just depends on how much separation you need. For example, domain-joined file servers with network shares that have the 'Everyone' group are pretty much anonymous access to the file share. You may also have internal web servers, or intranets, that are configured for anonymous access.

Also, any services using BASIC authentication are sending passwords in clear text. Anyone could bring in their own device with a packet sniffer and capture PLAIN TEXT passwords.

Just two of the areas that a segmented guest network can help with regards to BYOD.

Secondly, BYOD will equal devices on your network with highly questionable virus protection. I have seen a company hit twice by a virus in the last 12 months on a file share that was left open with 'Everyone' access.
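The accepted solution above describes the design in words: a guest VLAN with its own DHCP scope / IP subnet, separate from the internal one, with the router or firewall between them allowing guests out to the Internet only. The following Python script is an added example (not code from the thread or from any poster) that plans such an address space and checks candidate flows against the segmentation policy. The supernet 10.20.0.0/16, the VLAN ids and the device counts are constructed assumptions, not values from the thread; the 255-address range in the question corresponds to the /24 used in the `usable_hosts` check.

```python
"""Plan a segmented address space (internal VLANs plus an Internet-only
guest VLAN) and check which inter-VLAN flows the design should permit.

Added example. The supernet, VLAN ids and device counts below are
constructed assumptions, not values taken from the original thread.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Segment:
    name: str
    vlan: int
    network: ipaddress.IPv4Network
    internet_only: bool  # True for the guest / BYOD VLAN


@dataclass
class Plan:
    supernet: ipaddress.IPv4Network
    segments: dict = field(default_factory=dict)

    def segment_of(self, ip: str):
        """Return the Segment containing `ip`, or None if unallocated."""
        addr = ipaddress.ip_address(ip)
        for seg in self.segments.values():
            if addr in seg.network:
                return seg
        return None


def usable_hosts(network: str) -> int:
    """Addresses left for clients after network, broadcast and gateway."""
    return ipaddress.ip_network(network).num_addresses - 3


def plan_segments(supernet: str, demand: dict) -> Plan:
    """Carve `supernet` into one subnet per segment.

    demand maps name -> (vlan_id, expected_devices, internet_only).
    Largest segments are allocated first (first-fit, lowest address)
    so the prefixes pack tightly and do not overlap.
    """
    plan = Plan(ipaddress.ip_network(supernet))
    free = [plan.supernet]
    order = sorted(demand.items(), key=lambda kv: kv[1][1], reverse=True)
    for name, (vlan, devices, internet_only) in order:
        needed = devices + 3  # network, broadcast, default gateway
        prefixlen = 32
        while 2 ** (32 - prefixlen) < needed:
            prefixlen -= 1
        for i, block in enumerate(free):
            if block.prefixlen <= prefixlen:
                chosen = next(block.subnets(new_prefix=prefixlen))
                # return the unused remainder of the block to the free list
                free[i:i + 1] = list(block.address_exclude(chosen))
                free.sort()
                plan.segments[name] = Segment(name, vlan, chosen, internet_only)
                break
        else:
            raise ValueError(f"no room for {name} ({devices} devices) in {supernet}")
    return plan


def flow_allowed(plan: Plan, src: str, dst: str) -> bool:
    """Inter-VLAN policy the router / firewall between the VLANs enforces.

    - a host on an Internet-only segment may reach only addresses outside
      the planned space; every internal destination is denied
    - internal segments may talk to each other and to the Internet
    - unknown or unallocated addresses are denied
    """
    src_seg = plan.segment_of(src)
    if src_seg is None:
        return False
    if ipaddress.ip_address(dst) not in plan.supernet:
        return True  # outside our space: treat as Internet
    dst_seg = plan.segment_of(dst)
    if dst_seg is None:
        return False
    if src_seg.internet_only or dst_seg.internet_only:
        return src_seg is dst_seg  # guest traffic stays on the guest VLAN
    return True


# Constructed demand: a staff/domain VLAN, a Chromebook VLAN, and a
# guest VLAN sized for the BYOD growth described in the question.
DEMAND = {
    "staff-domain": (10, 120, False),
    "chromebooks": (20, 60, False),
    "guest-byod": (30, 400, True),
}

if __name__ == "__main__":
    plan = plan_segments("10.20.0.0/16", DEMAND)
    for seg in plan.segments.values():
        print(f"VLAN {seg.vlan:>3} {seg.name:<13} {seg.network}  "
              f"usable={usable_hosts(str(seg.network))}  "
              f"{'internet-only' if seg.internet_only else 'internal'}")
    print("guest -> file server:", flow_allowed(plan, "10.20.0.50", "10.20.2.10"))
    print("guest -> Internet:   ", flow_allowed(plan, "10.20.0.50", "203.0.113.9"))
```

Running it shows why simply widening the existing /24 only buys time: the guest VLAN absorbs the 400 BYOD devices in its own /23 while the domain-joined hosts keep a /25 that the guest segment cannot reach, which is the separation the accepted solution is arguing for.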

Author Comment

by:Ken Herr
ID: 39947775
Thank you, diggisaur.
All good suggestions but unfortunately, I lack one thing - $$ to add hardware or infrastructure.  The perils of a private school which explains why I am still running Server 2003.

We are moving our critical file storage to the cloud so I'm not as concerned about security as I am about being able to provide connectivity for our students.  So, I guess expanding the pool of IP addresses is my only option at this point.
LVL 31

Expert Comment

by:Gareth Gudger
ID: 39947981
Hey MrKen, have you looked at purchasing software from TechSoup?

They are dirt cheap.

Or are you using Microsoft Education Licensing?

I know there are a lot of donation/lottery programs from many hardware and software vendors as well.
