Network advice needed

Posted on 2014-03-21
Medium Priority
Last Modified: 2014-03-22
We are a small private school with a modest network infrastructure.  Specs include:
one sub domain with only one range of 255 addresses
User authentication to file servers is handled through Active Directory
Domain controller is running Server 2003
Non-authenticated users can access the network for Internet access only
Six wireless access points throughout the building

My problem is that with the influx of portable devices we are running out of IP addresses so I know that I need to increase the scope to include more IP addresses.

I have instructions on how to increase the scope, but I am wondering if this is the best approach to solve our problems.  I also am planning to implement a radius server this summer to better handle authentication.

So my question is this: is my approach the best, conservative approach or should I be considering something else?

Question by:Ken Herr

Expert Comment

by:Fred Marshall
ID: 39946230
It sounds to me like you need a guest subnet that's separate.  Would that make sense?
Sounds like a LOT of IP addresses for a "small school's" operational needs.  Operational network security is at issue.

Expert Comment

by:Gareth Gudger
ID: 39946308
I agree with fmarshall. I have always created a separate guest network for portable wireless devices. Give them internet only.

If they need internal access, then just put them on their own subnet.

I am assuming these devices are BYOD and you have no real control over them, including their virus protection.

Expert Comment

ID: 39946311
Is it possible to do MAC Authentication on the wireless points?

Expert Comment

by:Gareth Gudger
ID: 39946323
Any good wireless LAN controller (Cisco) can handle multiple SSIDs, subnets and VLANs, keeping everything separate but broadcasting over the same radios.

Author Comment

by:Ken Herr
ID: 39946771
I agree that it seems like a lot of IP addresses for a small school.  However, our upper grades are cyber-students and we have 50 Chromebooks on our network so there are a lot of user devices.  Also, the rapid increase in smart phones has sucked a lot of addresses.

What is the issue with network security?  If a user does not log on to the domain, then they only have Internet access and cannot see secured areas.

How would I go about setting up a guest network?

MAC authentication on the wireless is probably unmanageable.  

Can you elaborate on your suggestion?  How can I put guests on their own subnet?  Are you suggesting that I have separate wireless networks for guest and authorized users?

Accepted Solution

Gareth Gudger earned 2000 total points
ID: 39946796

You can either do it with separate inexpensive wireless access points, where half would be dedicated to a guest SSID and the other half to say an internal SSID.

Higher end access points will allow multiple separate SSIDs to be broadcast. These are typically managed by a wireless LAN controller.

The controller and attached network switches and routers would be configured for a separate VLAN. Anyone that connects to the guest SSID would be on a separate VLAN (broadcast network). Being on a separate VLAN, you can then have that VLAN assigned its own DHCP scope / IP subnet. So your guest network would be completely segmented.

With regard to guests not being on the domain, it just depends on how much separation you need. For example, domain joined file servers with network shares that have the 'Everyone' group are pretty much anonymous access to the file share. You may also have internal web servers, or intranets, that are configured for anonymous.

Also, any services using BASIC authentication are sending passwords in clear text. Anyone could bring in their own device with a packet sniffer and capture PLAIN TEXT passwords.

Just two of the areas that a segmented guest network can help with regards to BYOD.

Secondly, BYOD will equal devices on your network with highly questionable virus protection. I have seen a company hit twice by a virus in the last 12 months on a file share that was left open with 'Everyone' access.
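As an added illustration of the two options discussed in this answer (widening the existing DHCP scope in place versus a separate guest VLAN with its own DHCP scope), here is a small Python planning script using only the standard library. It is not from the thread or from any of the posters. The 192.168.1.0/24 internal scope, the 10.20.0.0/22 guest range, the 400-device estimate and the sample lease addresses are all constructed for the example; substitute your own values.

```python
import ipaddress

# Constructed sample values for a small-school address plan (not from the thread).
CURRENT_SCOPE = ipaddress.ip_network("192.168.1.0/24")     # assumed existing single /24
GUEST_VLAN_SUBNET = ipaddress.ip_network("10.20.0.0/22")   # assumed range for a guest VLAN


def prefix_for_hosts(hosts_needed):
    """Smallest IPv4 prefix length whose usable host count covers hosts_needed.

    Usable hosts in a subnet = 2**(32 - prefix) - 2 (network and broadcast removed).
    """
    if hosts_needed < 1:
        raise ValueError("hosts_needed must be positive")
    for prefix in range(30, 0, -1):          # /30 is the smallest subnet with usable hosts
        if (2 ** (32 - prefix)) - 2 >= hosts_needed:
            return prefix
    raise ValueError("too many hosts for a single IPv4 subnet")


def expand_scope(network, hosts_needed):
    """Option 1: widen the existing scope in place.

    Returns the supernet that contains `network` and has enough usable addresses.
    Returns `network` unchanged when it is already large enough.
    """
    prefix = prefix_for_hosts(hosts_needed)
    if prefix >= network.prefixlen:
        return network
    return network.supernet(new_prefix=prefix)


def plan_guest_vlan(internal, guest):
    """Option 2: a separate guest VLAN with its own DHCP scope / subnet.

    Fails closed if the guest range overlaps the internal one: a VLAN split that
    reuses the same addressing would not actually segment anything.
    """
    if internal.overlaps(guest):
        raise ValueError(f"guest subnet {guest} overlaps internal subnet {internal}")
    return {"internal": internal, "guest": guest}


def classify_lease(ip, internal, guest):
    """Say which segment a leased address belongs to, e.g. when reviewing DHCP
    lease lists or firewall logs after the split."""
    addr = ipaddress.ip_address(ip)
    if addr in guest:
        return "guest"
    if addr in internal:
        return "internal"
    return "unknown"


def scope_utilization(network, leased_ips):
    """Fraction of usable addresses in `network` currently leased.

    Addresses outside the scope (e.g. guest-VLAN leases) are ignored, so the
    figure reflects pressure on that one scope only.
    """
    usable = network.num_addresses - 2
    leased = {ipaddress.ip_address(ip) for ip in leased_ips
              if ipaddress.ip_address(ip) in network}
    return len(leased) / usable


if __name__ == "__main__":
    # Constructed estimate: 50 Chromebooks plus staff machines and phones, rounded up.
    devices = 400
    wider = expand_scope(CURRENT_SCOPE, devices)
    print(f"Option 1: widen {CURRENT_SCOPE} to {wider} "
          f"({wider.num_addresses - 2} usable addresses)")

    plan = plan_guest_vlan(CURRENT_SCOPE, GUEST_VLAN_SUBNET)
    print(f"Option 2: internal {plan['internal']} stays as is; "
          f"guest VLAN gets its own scope {plan['guest']}")

    # Constructed lease sample: two internal leases and one guest lease.
    sample_leases = ["192.168.1.10", "192.168.1.11", "10.20.0.5"]
    for ip in sample_leases:
        print(f"  {ip:<14} -> {classify_lease(ip, CURRENT_SCOPE, GUEST_VLAN_SUBNET)}")
    print(f"Internal scope utilization: "
          f"{scope_utilization(CURRENT_SCOPE, sample_leases):.1%}")
```

Option 1 is the cheaper change the question already has instructions for, but note that widening a /24 to a /23 also changes the subnet mask every client and static host must use, and it keeps guests and domain machines in one broadcast domain. Option 2 needs the VLAN-capable access points and switches the answer describes, but it is the one that actually removes the anonymous-share and cleartext-password exposure listed above from the guest side.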

Author Comment

by:Ken Herr
ID: 39947775
Thank you diggisaur
All good suggestions but unfortunately, I lack one thing - $$ to add hardware or infrastructure.  The perils of a private school which explains why I am still running Server 2003.

We are moving our critical file storage to the cloud so I'm not as concerned about security as I am about being able to provide connectivity for our students.  So, I guess expanding the pool of IP addresses is my only option at this point.

Expert Comment

by:Gareth Gudger
ID: 39947981
Hey MrKen, have you looked at purchasing software from TechSoup?

They are dirt cheap.

Or are you using Microsoft Education Licensing?

I know there are a lot of donation/lottery programs from many hardware and software vendors as well.
