So at my office we maintain our wifi on a segregated untrusted VLAN from our real network. I don’t really have any desire to change that, as it makes me more comfortable that an outsider is as far apart as they’re going to get even if they are able to connect. However, this has caused issues with users with regards to not being able to print, not having their passwords reset properly, etc., because so many of them just show up and turn on without taking the 5 seconds to plug in. I’ve just about gotten them beat down enough with telling them that if they’re on wifi they may be able to get to the internet, but for all practical purposes they’re disconnected; still, it’s a hassle. From my lurking I’ve definitely gotten the impression that several of you have your wifi connected directly to your corporate LAN, and if that is the case, what steps have you taken to secure it?
molan
(molan)
2
Directly on the LAN? No, that’s a bad idea.
On a separate VLAN like you have done, yes. Keeping a firewall in the middle is also a good idea; then you can control traffic and only allow things like printers, file servers and domain controllers. This way you still have separation between the two should someone get access.
rebelscum
(Justin G.)
3
Segment the wifi into a corporate side and a guest side. We use Ubiquiti here and currently use the built-in guest settings in the controller to wall off throttled guest access from the rest of our wifi.
@Ubiquiti_Inc
mark6030
(mark9586)
4
Guest wifi for BYOD. Corporate wifi for company-issued smartphones, tablets, laptops, etc. Job done. IT policy should cover this off with threats of the Big Chicken Dinner for non-compliance. People using/storing company info on personal devices should be a big no-no.
Implement a Mobile Device Management (MDM) software of some sort, something like MaaS360. In the event of BYOD being an option for employees, you’re going to want to have the ability to wipe their device remotely, and treat their personal device as a corporate device seeing as it is being used in a corporate environment. BUT make sure there is some sort of written and signed contractual agreement between the user and the business that if they decide to leave, or the business decides to terminate the user’s employment, wiping the HDD clean is an option on your end without additional consent beyond the agreed-upon contract.
This will keep your business safe from any lawsuits, and this will keep them on their toes. If both parties know that gaining access from a personal device onto your work network has some red tape, restrictions, and rules, then make it so.
td0001
(Natsu_Dragneel)
6
Two SSIDs will do the trick: one VLAN for guest/BYOD and another trusted VLAN to your LAN. Make sure you control access to the corp VLAN with ACLs or 802.1X, or you keep the WAP key.
Hello Mikepoteet,
It would be best for you to create a separate VLAN/SSID for your guest network users for security purposes. Are you using a separate access point or a built in wireless from your router?
VLANs without access lists are still wide open to each other. You’re only creating a separate broadcast domain.
mark6030
(mark9586)
9
But they are easy to control with a simple ACL.
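The point made in the last few replies (a VLAN by itself is only a separate broadcast domain; the actual restriction comes from an ACL or firewall on the routed path between the Wi-Fi VLAN and the LAN) in working form. This is an added example, not code from the thread or from any vendor: a small evaluator for Cisco-style extended ACL entries, run against constructed flows from a hypothetical Wi-Fi VLAN (10.20.0.0/16) toward a hypothetical trusted LAN (10.10.0.0/16). The addresses, ports and host roles (print server, file server, domain controller) are assumptions chosen to match the services the replies say should be allowed.

```python
"""Evaluate Cisco-style extended ACL entries against flows (added example)."""
import ipaddress

# Constructed topology (hypothetical): Wi-Fi clients live in 10.20.0.0/16,
# the trusted LAN in 10.10.0.0/16 with a print server (.5), a file server (.10)
# and a domain controller (.2). The ACL sits on the router/firewall between them.
WIFI_TO_LAN_ACL = """
permit tcp 10.20.0.0 0.0.255.255 host 10.10.0.5 eq 9100
permit tcp 10.20.0.0 0.0.255.255 host 10.10.0.10 eq 445
permit tcp 10.20.0.0 0.0.255.255 host 10.10.0.2 eq 389
permit tcp 10.20.0.0 0.0.255.255 host 10.10.0.2 eq 88
permit udp 10.20.0.0 0.0.255.255 host 10.10.0.2 eq 53
deny   ip  10.20.0.0 0.0.255.255 10.10.0.0 0.0.255.255
permit ip  10.20.0.0 0.0.255.255 any
""".strip().splitlines()

# An interface with no ACL applied: the router simply forwards between VLANs.
NO_ACL = ["permit ip any any"]


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # Cisco wildcard masks are the bitwise inverse of a netmask (0 bits must match).
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    netmask = ipaddress.ip_address(wildcard ^ 0xFFFFFFFF)
    # Contiguous wildcards only; a discontiguous wildcard has no CIDR equivalent.
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)


def _parse_port(tokens):
    """Consume an optional 'eq N' qualifier."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None


def parse_entry(line):
    """Parse 'ACTION PROTO SRC [eq N] DST [eq N]' into a rule dict."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src = _parse_addr(rest)
    src_port = _parse_port(rest)
    dst = _parse_addr(rest)
    dst_port = _parse_port(rest)
    return {"action": action, "proto": proto, "src": src, "src_port": src_port,
            "dst": dst, "dst_port": dst_port}


def evaluate(acl_lines, proto, src_ip, dst_ip, dst_port, src_port=None):
    """First matching entry wins; falling off the end is the implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for entry in map(parse_entry, acl_lines):
        if entry["proto"] not in ("ip", proto):
            continue
        if src_ip not in entry["src"] or dst_ip not in entry["dst"]:
            continue
        if entry["src_port"] not in (None, src_port):
            continue
        if entry["dst_port"] not in (None, dst_port):
            continue
        return entry["action"]
    return "deny"


if __name__ == "__main__":
    flows = [("tcp", "10.20.5.7", "10.10.0.5", 9100),   # print
             ("tcp", "10.20.5.7", "10.10.0.5", 22),     # SSH to print server
             ("tcp", "10.20.5.7", "10.10.0.50", 445),   # a workstation's shares
             ("tcp", "10.20.5.7", "203.0.113.9", 443)]  # the internet
    for flow in flows:
        print(flow, "no ACL:", evaluate(NO_ACL, *flow),
              "with ACL:", evaluate(WIFI_TO_LAN_ACL, *flow))
```

Order matters: the `deny ip` line must come after the specific permits, because evaluation stops at the first match, and everything not matched by any line is dropped by the implicit deny at the end. Running the same flows against `NO_ACL` shows the situation the reply above describes: with routing but no filtering, a Wi-Fi client reaches a workstation's SMB share just as easily as the print server.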
codyhanson
(Aldwyn Hanson)
10
Two SSIDs and two separate wifi VLANs. The first (call it wifi A) has its own DHCP, reservations, etc., but with a routed connection to our main LAN. The second (wifi B) is guest only, goes straight to the net, but has its top speed capped.
As a precaution, all staff on the business wifi need to authenticate through AD for it to connect, but a RADIUS server or a MAC address list would also work.
mark6030
(mark9586)
11
MAC access control is far too easy to spoof to be of any use.
codyhanson
(Aldwyn Hanson)
12
I have yet to find a case where someone gained access to my MAC list, and then had the tech skills to spoof a correct ID, all in the effort to get business network/internet.
Like I said, I use AD for primary authentication, but in our China offices I use a third authentication factor, sometimes MAC lists. And even in China, since I’ve implemented the security process, I haven’t had an issue.
mark6030
(mark9586)
13
Sorry, completely missed the AD authentication part of that sentence! My bad.
Making a change would be great for my environment to allow it. Currently we are using our WAPs just on a separate non-trusted VLAN. We have clients who impose their own compliance and regulations on what all we can and cannot do, so a corp wifi tied to AD would just be a big no-no. Since that’s what I’m forced to do, it’s really all the exposure I’ve had. Mainly I was just curious as to how you actually would go about properly securing wifi that’s in a trusted zone. How safe is it really, etc.? Do any of you have regulatory restrictions that have gotten this past auditors, etc.?
Since I work for a company that does a lot of WiFi-related business, we have a bunch of different wireless networks going on in our environment. Some for demo, some for testing/experimentation, some for guest access, some for business-only use. We use VLANs to control how each network interacts with our LAN. Simply put: 1 VLAN for testing, 1 VLAN for guest, 1 VLAN for business, etc. Then each VLAN is configured for its intended use. Example, Business VLAN authenticates with Active Directory, but the Guest VLAN has a Webpage for guest login.
It also depends on what WiFi equipment you have. Obviously in our environment we have enterprise equipment with controllers. Some companies use SOHO equipment instead, with which your options to secure/segregate your wireless traffic become limited.
We implement identity services for this reason often. A product called ISE (Identity Services Engine) from Cisco can do what you want. At a very basic level, you authenticate with an AD account and are assigned appropriate permissions based on the OU the account is in, along with several other authorization definitions we can assign. This definitely includes VLAN assignment and change of authorization if your switches support it.
Aerohive does something similar on a more basic level than ISE with key codes you give the users connecting, which correlate to a defined rule set which can include VLAN. Again, very basic summary here.
Both good things to research if you’re interested.
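The 802.1X/RADIUS approach several replies recommend (an AD-authenticated corporate SSID, with ISE- or Aerohive-style placement of the client into a VLAN chosen by policy) in working form. This is an added example, not code from the thread, from Cisco, Aerohive or any RADIUS server: it builds the RFC 2868 Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID attributes that a RADIUS server returns in its Access-Accept once EAP has succeeded, and the strict decode an AP or switch should perform before moving the client into that VLAN. The EAP exchange itself (PEAP or EAP-TLS against AD) is out of scope here. The group names, VLAN numbers, tag value and the `POLICY` table are assumptions.

```python
"""Dynamic VLAN assignment carried in a RADIUS Access-Accept (added example)."""
import struct

# RFC 2868 tagged tunnel attributes, used for VLAN assignment as RFC 3580 describes.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type value "IEEE-802" (Ethernet, Wi-Fi)

# Hypothetical authorization policy: AD group -> VLAN, checked in order so the
# most privileged match wins. An authenticated user matching no rule is rejected
# instead of being dropped into a corporate VLAN by default (a policy choice).
POLICY = [
    ("WiFi-IT-Admins", 10),
    ("WiFi-Corp-Staff", 20),
    ("WiFi-Contractors", 30),
]


def _tagged_int(attr_type, tag, value):
    """Type, Length=6, Tag, then the low three bytes of a 32-bit integer."""
    return struct.pack("!BBB", attr_type, 6, tag) + struct.pack("!I", value)[1:]


def _tagged_str(attr_type, tag, text):
    """Type, Length, Tag, then the string (here the VLAN id as ASCII digits)."""
    data = text.encode("ascii")
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def vlan_attributes(vlan_id, tag=1):
    """The three AVPs an AP/switch needs to place the client in vlan_id."""
    return (_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + _tagged_str(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def authorize(username, ad_groups):
    """Server side: map the authenticated user's AD groups to Accept/Reject."""
    for group, vlan in POLICY:
        if group in ad_groups:
            return {"user": username, "code": "Access-Accept", "vlan": vlan,
                    "avps": vlan_attributes(vlan)}
    return {"user": username, "code": "Access-Reject", "vlan": None, "avps": b""}


def decode_vlan(avps):
    """NAS side: walk the AVPs and return the VLAN id, or None if unusable.

    A NAS that finds no usable tunnel attributes falls back to the SSID's
    default VLAN, so insist on Tunnel-Type=VLAN and Medium=IEEE-802 and on a
    numeric group id before trusting the assignment."""
    found = {}
    i = 0
    while i < len(avps):
        if i + 2 > len(avps):
            raise ValueError("truncated AVP header")
        attr_type, length = avps[i], avps[i + 1]
        if length < 2 or i + length > len(avps):
            raise ValueError("malformed AVP length")
        body = avps[i + 2:i + length]          # body[0] is the tag byte
        i += length
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            found[attr_type] = int.from_bytes(body[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            found[attr_type] = body[1:].decode("ascii", errors="replace")
    if (found.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN
            or found.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802):
        return None
    group_id = found.get(TUNNEL_PRIVATE_GROUP_ID, "")
    return int(group_id) if group_id.isdigit() else None


if __name__ == "__main__":
    for user, groups in [("alice", {"Domain Users", "WiFi-Corp-Staff"}),
                         ("bob", {"Domain Users"})]:
        reply = authorize(user, groups)
        print(user, reply["code"], "VLAN:", decode_vlan(reply["avps"]),
              reply["avps"].hex())
```

The practical caveat this makes visible: if the controller or switch does not understand these attributes, or the server omits one of the three, the client is not rejected but placed in the SSID's default VLAN. That default should therefore be the guest or quarantine VLAN, never the corporate one, so a misconfigured policy fails closed.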