Solved

Network advice needed

Posted on 2014-03-21
Last Modified: 2014-03-22
We are a small private school with a modest network infrastructure.  Specs include:
one sub domain with only one range of 255 addresses
User authentication to file servers is handled through Active Directory
Domain controller is running Server 2003
Non-authenticated users can access the network for Internet access only
Six wireless access points throughout the building

My problem is that with the influx of portable devices we are running out of IP addresses so I know that I need to increase the scope to include more IP addresses.

I have instructions on how to increase the scope, but I am wondering if this is the best approach to solve our problems.  I also am planning to implement a radius server this summer to better handle authentication.

So my question is this: is my approach the best, conservative approach or should I be considering something else?

Thanks
0
Question by: mrken46
8 Comments
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 39946230
It sounds to me like you need a guest subnet that's separate.  Would that make sense?
Sounds like a LOT of IP addresses for a "small school's" operational needs.  Operational network security is at issue.
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 39946308
I agree with fmarshall. I have always created a separate guest network for portable wireless devices. Give them internet only.

If they need internal access, then just put them on their own subnet.

I am assuming these devices are BYOD and you have no real control over them, including their virus protection.
0
 
LVL 11

Expert Comment

by:BillBondo
ID: 39946311
Is it possible to do MAC Authentication on the wireless points?
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 39946323
Any good wireless LAN controller (Cisco) can handle multiple SSIDs, subnets and VLANs, keeping everything separate but broadcasting over the same radios.
0
 

Author Comment

by:mrken46
ID: 39946771
I agree that it seems like a lot of IP addresses for a small school.  However, our upper grades are cyber-students and we have 50 Chromebooks on our network so there are a lot of user devices.  Also, the rapid increase in smart phones has sucked a lot of addresses.

What is the issue with network security?  If a user does not log on to the domain, then they only have Internet access and cannot see secured areas.

How would I go about setting up a guest network?

MAC authentication on the wireless is probably unmanageable.  

diggisaur,
Can you elaborate on your suggestion?  How can I put guests on their own subnet?  Are you suggesting that I have separate wireless networks for guest and authorized users?
0
 
LVL 31

Accepted Solution

by: Gareth Gudger (earned 500 total points)
ID: 39946796
Yep.

You can either do it with separate inexpensive wireless access points, where half would be dedicated to a guest SSID and the other half to, say, an internal SSID.

Higher-end access points will allow multiple separate SSIDs to be broadcast. These are typically managed by a wireless LAN controller.

The controller and attached network switches and routers would be configured for a separate VLAN. Anyone that connects to the guest SSID would be on a separate VLAN (broadcast network). Being on a separate VLAN, you can then have that VLAN assigned its own DHCP scope / IP subnet. So your guest network would be completely segmented.

With regard to guests not being on the domain, it just depends on how much separation you need. For example, domain-joined file servers with network shares that grant the 'Everyone' group are pretty much anonymous access to the file share. You may also have internal web servers, or intranets, that are configured for anonymous access.

Also, any services using BASIC authentication are sending passwords in clear text. Anyone could bring in their own device with a packet sniffer and capture PLAIN TEXT passwords.

Just two of the areas that a segmented guest network can help with regards to BYOD.

Secondly, BYOD will equal devices on your network with highly questionable virus protection. I have seen a company hit twice by a virus in the last 12 months on a file share that was left open with 'Everyone' access.
0
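The two approaches in this thread, widening the one DHCP scope as the poster plans versus carving out a separate guest VLAN with its own scope as the accepted answer suggests, can be planned and sanity-checked with a short script. The block below is an added example, not code from the thread or from any of the participants; the addresses (192.168.1.0/24 for the current LAN, 10.10.20.0/24 for the guest VLAN, seven reserved guest addresses for the gateway and six APs) are constructed, since the thread only says "one range of 255 addresses". It also shows the caveat a practitioner would want before widening a /24 to a /23: any device whose mask is hard-coded (printers, the Server 2003 DC, the access points themselves) treats the other half of the new subnet as off-link.

```python
"""Subnet planning for the two approaches discussed in the thread:
widening the existing /24 DHCP scope versus a separate guest VLAN with
its own scope. All addresses are constructed examples; nothing here
touches a real network.
"""
import ipaddress
from typing import Iterable, List, Tuple

IPv4Net = ipaddress.IPv4Network
IPv4If = ipaddress.IPv4Interface
IPv4Addr = ipaddress.IPv4Address

# Constructed example of the school's single subnet today.
CURRENT_LAN = ipaddress.ip_network("192.168.1.0/24")


def widen_scope(net: IPv4Net, new_prefix: int) -> IPv4Net:
    """Approach 1: shorten the prefix so the one scope holds more hosts.

    The wider block must sit on an aligned boundary, so 192.168.1.0/24
    becomes 192.168.0.0/23: the new addresses are 192.168.0.x, *below*
    the existing ones, and every host's mask must change to /23.
    """
    return net.supernet(new_prefix=new_prefix)


def scope_bounds(net: IPv4Net) -> Tuple[str, str, int]:
    """Start and end of the DHCP scope for a subnet plus its usable size
    (network and broadcast addresses excluded)."""
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[-1]), len(hosts)


def on_link(src: IPv4If, dst: IPv4Addr) -> bool:
    """True if `src` will ARP for `dst` directly (same subnet by src's
    own mask) rather than hand the packet to its default gateway."""
    return dst in src.network


def stale_mask_problems(new_lan: IPv4Net,
                        stale_hosts: Iterable[IPv4If],
                        peers: Iterable[IPv4Addr]) -> List[Tuple[str, str]]:
    """Caveat for approach 1: devices that keep a hard-coded /24 mask treat
    the other half of the new /23 as off-link and send that traffic to the
    gateway; if the gateway's mask is also stale it is black-holed.
    Returns the (stale_host, peer) pairs that would fail."""
    problems = []
    for host in stale_hosts:
        for peer in peers:
            if peer in new_lan and not on_link(host, peer):
                problems.append((str(host.ip), str(peer)))
    return problems


def plan_guest_scope(lan: IPv4Net, guest: IPv4Net,
                     reserved: Iterable[IPv4Addr]) -> int:
    """Approach 2: a separate guest VLAN with its own DHCP scope. Rejects a
    guest range that overlaps the internal LAN (routing would be ambiguous
    and the segmentation meaningless) and returns the pool size left after
    reserving the gateway and access-point addresses."""
    if lan.overlaps(guest):
        raise ValueError(f"guest subnet {guest} overlaps LAN {lan}")
    reserved_in_guest = sum(1 for a in reserved if a in guest)
    return guest.num_addresses - 2 - reserved_in_guest


if __name__ == "__main__":
    wide = widen_scope(CURRENT_LAN, 23)
    print("widened scope:", wide, scope_bounds(wide))
    # A printer that nobody reconfigured after the scope change.
    printer = ipaddress.ip_interface("192.168.1.10/24")
    print("stale-mask failures:",
          stale_mask_problems(wide, [printer],
                              [ipaddress.ip_address("192.168.0.50"),
                               ipaddress.ip_address("192.168.1.200")]))
    # Guest VLAN: gateway .1 plus six APs .2-.7 reserved (constructed).
    guest = ipaddress.ip_network("10.10.20.0/24")
    reserved = [ipaddress.ip_address(f"10.10.20.{i}") for i in range(1, 8)]
    print("guest pool size:", plan_guest_scope(wide, guest, reserved))
```

Widening the scope gives 510 usable addresses but only works cleanly if every statically configured device, the default gateway included, gets the new /23 mask at the same time; the guest VLAN keeps the existing /24 untouched and puts the BYOD devices on a range the internal hosts cannot reach without passing through a router or firewall, which is where the access control the accepted answer describes lives.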
 

Author Comment

by:mrken46
ID: 39947775
Thank you diggisaur
All good suggestions but unfortunately, I lack one thing - $$ to add hardware or infrastructure.  The perils of a private school which explains why I am still running Server 2003.

We are moving our critical file storage to the cloud so I'm not as concerned about security as I am about being able to provide connectivity for our students.  So, I guess expanding the pool of IP addresses is my only option at this point.
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 39947981
Hey MrKen, have you looked at purchasing software from TechSoup?
http://www.techsoup.org/

They are dirt cheap.

Or are you using Microsoft Education Licensing?

I know there are a lot of donation/lottery programs from many hardware and software vendors as well.
0