Solved

Network advice needed

Posted on 2014-03-21
288 Views
Last Modified: 2014-03-22
We are a small private school with a modest network infrastructure.  Specs include:
one sub domain with only one range of 255 addresses
User authentication to file servers is handled through Active Directory
Domain controller is running Server 2003
Non-authenticated users can access the network for Internet access only
Six wireless access points throughout the building

My problem is that with the influx of portable devices we are running out of IP addresses so I know that I need to increase the scope to include more IP addresses.

I have instructions on how to increase the scope, but I am wondering if this is the best approach to solve our problems.  I also am planning to implement a RADIUS server this summer to better handle authentication.

So my question is this: is my approach the best, conservative approach or should I be considering something else?

Thanks
Question by:mrken46
8 Comments
LVL 25

Expert Comment

by:Fred Marshall
It sounds to me like you need a guest subnet that's separate.  Would that make sense?
Sounds like a LOT of IP addresses for a "small school's" operational needs.  Operational network security is at issue.
LVL 30

Expert Comment

by:Gareth Gudger
I agree with fmarshall. I have always created a separate guest network for portable wireless devices. Give them internet only.

If they need internal access, then just put them on their own subnet.

I am assuming these devices are BYOD and you have no real control over them, including their virus protection.
LVL 11

Expert Comment

by:BillBondo
Is it possible to do MAC Authentication on the wireless points?
LVL 30

Expert Comment

by:Gareth Gudger
Any good wireless LAN controller (Cisco) can handle multiple SSIDs, subnets and VLANs, keeping everything separate but broadcasting over the same radios.
Author Comment

by:mrken46
I agree that it seems like a lot of IP addresses for a small school.  However, our upper grades are cyber-students and we have 50 Chromebooks on our network so there are a lot of user devices.  Also, the rapid increase in smart phones has sucked a lot of addresses.

What is the issue with network security?  If a user does not log on to the domain, then they only have Internet access and cannot see secured areas.

How would I go about setting up a guest network?

MAC authentication on the wireless is probably unmanageable.  

diggisaur,
Can you elaborate on your suggestion?  How can I put guests on their own subnet?  Are you suggesting that I have separate wireless networks for guest and authorized users?
LVL 30

Accepted Solution

by: Gareth Gudger (earned 500 total points)
Yep.

You can either do it with separate inexpensive wireless access points, where half would be dedicated to a guest SSID and the other half to say an internal SSID.

Higher end access points, will allow multiple separate SSIDs, to be broadcast. These are typically managed by a wireless LAN controller.

The controller and attached network switches and routers would be configured for a separate VLAN. Anyone that connects to the guest SSID would be on a separate VLAN (broadcast network). Being on a separate VLAN, you can then have that VLAN assigned its own DHCP scope / IP subnet. So your guest network would be completely segmented.

With regard to guests not being on the domain, it just depends on how much separation you need. For example, a network share on a domain-joined file server that grants the 'Everyone' group is pretty much anonymous access to that share. You may also have internal web servers, or intranets, that are configured for anonymous access.

Also, any services using BASIC authentication are sending passwords in clear text. Anyone could bring in their own device with a packet sniffer and capture PLAIN TEXT passwords.

Just two of the areas that a segmented guest network can help with regards to BYOD.

Secondly, BYOD will equal devices on your network with highly questionable virus protection. I have seen a company hit twice by a virus in the last 12 months on a file share that was left open with 'Everyone' access.
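To make the BASIC-authentication point in the accepted answer concrete, here is an added example (not code from the thread or from any poster) that recovers a username and password from a single captured HTTP request. The request bytes, the hostname intranet.example.school and the credential pair are constructed for this example; the only real mechanism involved is that the Authorization header carries base64, which is an encoding and not encryption, so anyone on the same broadcast domain with a sniffer reads it as plainly as the server does.

```python
"""Recover credentials from an HTTP Basic-auth request seen on the wire.

Added example, not from the thread. Basic auth puts "user:password" in
the Authorization header as base64. Base64 is reversible by anyone, so a
packet sniffer on the same VLAN sees the password in clear text unless
the connection is wrapped in TLS.
"""
import base64
from typing import Dict, List, Optional, Tuple

# Constructed sample capture: one HTTP/1.1 request as it would appear in
# the TCP payload. The host and the credentials are invented for the demo.
CAPTURED_REQUEST = (
    b"GET /intranet/ HTTP/1.1\r\n"
    b"Host: intranet.example.school\r\n"
    b"Authorization: Basic c3R1ZGVudDpzdW1tZXIyMDE0\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)


def parse_headers(request: bytes) -> Dict[str, str]:
    """Return the request headers keyed by lower-cased name (body ignored)."""
    head, _, _ = request.partition(b"\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("ascii", "replace")] = (
                value.strip().decode("latin-1")
            )
    return headers


def extract_basic_credentials(request: bytes) -> Optional[Tuple[str, str]]:
    """Return (user, password) if the request carries Basic auth, else None."""
    auth = parse_headers(request).get("authorization")
    if not auth:
        return None
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "basic":
        return None  # Bearer, NTLM, Negotiate etc. are not trivially decodable
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token: not the clear-text case we are after
    user, sep, password = decoded.partition(":")
    if not sep:
        return None  # RFC 7617 requires the colon separator
    return user, password


def harvest(stream: bytes) -> List[Tuple[str, str]]:
    """Scan a captured TCP stream holding several requests and collect every
    Basic credential pair found. Requests are delimited by a blank line; a
    request with a body would need Content-Length handling, which this demo
    does not attempt."""
    found: List[Tuple[str, str]] = []
    for chunk in stream.split(b"\r\n\r\n"):
        if not chunk.strip():
            continue
        creds = extract_basic_credentials(chunk + b"\r\n\r\n")
        if creds:
            found.append(creds)
    return found


if __name__ == "__main__":
    print(extract_basic_credentials(CAPTURED_REQUEST))
```

Run it and the constructed request yields ('student', 'summer2014'). The same header inside an HTTPS session is not visible to a sniffer, which is the practical fix for the risk the answer describes; the guest VLAN reduces who is on the broadcast domain in the first place.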

Author Comment

by:mrken46
Thank you diggisaur
All good suggestions but unfortunately, I lack one thing - $$ to add hardware or infrastructure.  The perils of a private school which explains why I am still running Server 2003.

We are moving our critical file storage to the cloud so I'm not as concerned about security as I am about being able to provide connectivity for our students.  So, I guess expanding the pool of IP addresses is my only option at this point.
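Since the asker is settling on widening the existing scope, here is an added example (not code from the thread or from any poster) of the check a practitioner would run before touching the DHCP server: it models a /24 grown into a /23 and flags the two things that break that plan in practice, statically addressed hosts whose own mask was never updated, and statics that now sit inside the dynamic pool without an exclusion range. The thread never gives the school's real addresses, so 192.168.1.0/24, the /23 plan and the host list are constructed assumptions.

```python
"""Sanity-check a widened DHCP scope before changing it on the server.

Added example, not from the thread. Assumes the current single range is
192.168.1.0/24 (constructed) and that it is to become 192.168.0.0/23.
Growing the scope only hands out more leases; every server, printer and
access point with a static address also needs the new mask, otherwise
the upper half of the subnet is off-link from its point of view and
replies leave via the default gateway or fail.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class StaticHost:
    name: str
    address: str      # dotted quad
    prefixlen: int    # mask length configured on the host itself


@dataclass(frozen=True)
class Scope:
    network: str                                  # subnet the scope serves
    start: str                                    # first dynamic address
    end: str                                      # last dynamic address
    exclusions: Tuple[Tuple[str, str], ...] = ()  # (first, last) held back


def _addr(s: str) -> ipaddress.IPv4Address:
    return ipaddress.IPv4Address(s)


def _in_range(addr: ipaddress.IPv4Address, first: str, last: str) -> bool:
    return _addr(first) <= addr <= _addr(last)


def dynamic_pool_size(scope: Scope) -> int:
    """Addresses DHCP can actually lease: the range minus exclusions."""
    total = int(_addr(scope.end)) - int(_addr(scope.start)) + 1
    held = sum(int(_addr(b)) - int(_addr(a)) + 1 for a, b in scope.exclusions)
    return total - held


def check_scope(scope: Scope, hosts: List[StaticHost], old_network: str) -> List[str]:
    """Return human-readable findings; an empty list means the plan is consistent."""
    net = ipaddress.IPv4Network(scope.network, strict=True)
    old = ipaddress.IPv4Network(old_network, strict=True)
    start, end = _addr(scope.start), _addr(scope.end)
    findings: List[str] = []

    if not old.subnet_of(net):
        findings.append(f"{old} is not contained in {net}; existing leases would be orphaned")
    if start not in net or end not in net:
        findings.append(f"range {start}-{end} is not inside {net}")
    if start > end:
        findings.append("range start is after range end")
    if start == net.network_address or end == net.broadcast_address:
        findings.append("range includes the network or broadcast address")

    for h in hosts:
        addr = _addr(h.address)
        iface = ipaddress.IPv4Interface(f"{h.address}/{h.prefixlen}")
        if addr not in net:
            findings.append(f"{h.name}: {addr} lies outside {net}")
            continue
        if iface.network != net:
            findings.append(
                f"{h.name}: configured mask /{h.prefixlen} does not match {net}; "
                f"clients in the new part of the subnet are off-link from its point of view"
            )
        if start <= addr <= end and not any(_in_range(addr, a, b) for a, b in scope.exclusions):
            findings.append(f"{h.name}: {addr} is inside the dynamic range with no exclusion; DHCP may lease it")
    return findings


# Constructed plan and inventory for the demo.
OLD_NETWORK = "192.168.1.0/24"
PLAN = Scope(
    network="192.168.0.0/23",
    start="192.168.0.1",
    end="192.168.1.254",
    exclusions=(("192.168.1.1", "192.168.1.20"),),
)
STATIC_HOSTS = [
    StaticHost("gateway", "192.168.1.1", 23),
    StaticHost("dc01 (Server 2003)", "192.168.1.5", 24),   # mask never updated
    StaticHost("ap-library", "192.168.1.10", 23),
    StaticHost("printer-office", "192.168.1.50", 24),      # stale mask, not excluded
]

if __name__ == "__main__":
    print(f"dynamic pool: {dynamic_pool_size(PLAN)} addresses")
    for line in check_scope(PLAN, STATIC_HOSTS, OLD_NETWORK):
        print("FINDING:", line)
```

With the constructed inventory the script reports a 490-address pool and three findings: the domain controller's stale /24 mask, and the printer's stale mask plus its unexcluded address. Widening each static host's mask to /23 and extending the exclusion range past the printer clears all three, which is the work the scope change itself does not do for you.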
LVL 30

Expert Comment

by:Gareth Gudger
Hey MrKen, have you looked at purchasing software from TechSoup?
http://www.techsoup.org/

They are dirt cheap.

Or are you using Microsoft Education Licensing?

I know there are a lot of donation/lottery programs from many hardware and software vendors as well.