lisalyons
(Lisa Lyons)
1
So I’ve been wondering what you guys think about the availability of Wifi within an office.
These days it’s becoming more and more essential that Wifi of some description is available.
For the smaller to medium business, it’s not even difficult to provide, as most ADSL providers will give you a modem that supports Wifi.
The issue with this, however, is that the Wifi access is outside your UTM (which usually is NOT the router). Therefore, do you get a separate AP and bring your Wifi inside your UTM, so that your mobile devices and laptops are all protected by your UTM, however that potentially opens up your network to the pitfalls of BYOD…
Or do you keep these mobile devices outside your UTM and say that it’s tough luck if they want to access something inside the network?
What is the preferred best practice that you guys use?
I personally keep the Wifi inside. I can then monitor the use of web sites and things like Facebook and Youtube streaming, and know if someone is causing bandwidth issues for me.
But the idea of ring-fencing every mobile device into a DMZ makes sense too.
11 Spice ups
I would look into the Ubiquiti line of UniFi products. Their product offers the ability to broadcast up to 4 SSIDs including guest networks that can be put on separate VLANs and kept off your corporate network.
The prices are great and there is no need for a hardware controller. If you want to use a guest portal, you will need to run the software on a server full time, but otherwise it’s pretty much just set it and forget it.
Check it out at www.ubnt.com
inb4 molan 
5 Spice ups
Also, I recommend keeping the guest network outside of your UTM. You cannot be responsible for guest devices. Put a bandwidth cap on them, monitor usage through the access points and revoke those that abuse the use of the network.
2 Spice ups
I like to use Ubiquiti UniFi APs. I can set up multiple SSIDs and have one for the laptops in the office and set up a second one that is a “guest” network that I give out the PSK for. The BYOD users can connect to the guest network and I have it set to not allow access on the local LAN, only go through the gateway. My content filter can still control the traffic, but they can’t get to the data on the servers unless I allow it.
*** TanK beat me to it ***
3 Spice ups
Here’s a screenshot of my current environment at one of my client’s locations.
1 Spice up
They are also great in the ability to grow. If you open another office and connect a VPN, you just add another AP in the other office and it can all be managed from one spot.
1 Spice up
how are you guys issuing IPs for the guest network?
For best practice I try to keep non corporate equipment on a separate network.
All corporate phones, tablets and laptops are connected to APs inside the network so they can access resources and can be monitored.
All personal equipment can connect to a separate ‘guest’ network which is outside of the corporate network on a separate ADSL connection.
This gives you the ability to keep track of all corporate devices and keep potential security issue devices away from your main network.
I have a Ubiquiti Edge Router that is hosting the DHCP server for that VLAN.
Wait a minute the road in the background says Cake, I like cake.
4 Spice ups
aj95478
(neosplash)
11
I like Meraki and it is easy to access.
2 Spice ups
If you’re looking for wireless with controllers, outside of your Ciscos and such, I’d recommend Ruckus Wireless. We have them in the office here and they work like a charm.
+1 to the Unifi from Ubiquiti.
We have 2 APs from them to cover our whole office building and we also broadcast several SSIDs. The connection from the Wifi goes to a completely separate ADSL connection. So it is physically separated from our office network.
2 Spice ups
Guys, it’s not about the equipment, it’s about how you use it. :-). In terms of best practice, I would consider specializing SSIDs for particular usage (Staff, BYOD, Guests, etc) and VLAN tagging the traffic, routing the BYOD and guest traffic to a separate gateway outside the UTM. Any BYOD users that need to access corporate resources can come in through the firewall and be remediated as necessary. Approved wireless devices (Corporate owned, managed, and controlled) can be allowed on the corporate SSID only if you are using WPA2-Enterprise and managing approvals through a GPO in AD or LDAP.
Just my $0.02
3 Spice ups
tom44
(Guru42)
15
Some really good answers so far on WiFi in general.
You say, “it’s becoming more and more essential that Wifi of some description is available.” I am just trying to establish the basis of your “need” as the answers to these questions will help to determine a policy and plan that suits your specific need.
Why do you need it? What makes you think you need it internally? A certain number of notebook users? You want to enable employee-used smartphones? What type of business is this? If this is just corporate office space then most, if not all, of the use would be for business.
You mention “the pitfalls of BYOD.” Yea! The whole concept of BYOD leads to having policies and procedures in place.
Do you need WiFi as a service to your clients? Is this the type of business that has visitors on a regular basis, or has client waiting rooms like a doctor’s office or repair shop? If so you need to establish the bandwidth and boundaries for guest use.
I bring this up because I know there are often times when someone will say there is a “need” for something without giving much thought to cost. When you put that need into terms of how much it will cost versus what problem it solves, the need all of a sudden does not seem so great.
1 Spice up
chris0984
(Space Force)
16
I use Open-Mesh access points.
Keeps the public totally separated and you can assign something like Norton DNS for the public to use. That’s what I have done.
- Security: 198.153.192.40
- Security and Pornography: 198.153.192.50
- Security, Pornography and “Non-Family Friendly”: 198.153.192.60
My private network is private, and uses OpenDNS and my public network is private and uses Norton DNS, and the public network is isolated from the private network.
I use two different DNS servers because we block social networking sites here but we allow the guests or customers to use it (say what you want about blocking Facebook, but in this small company it keeps users more productive, and my users can still keep tabs on local gossip on their smart phone and/or tablet; they are just doing it less frequently since they have been relegated to using it only on their smart phone and/or tablet on the guest network). So using Norton DNS on the public SSID allows this while still keeping the bad sites out. Set it and forget it is what I have basically done. You can also throttle bandwidth on the public SSID, which is something I have done; I have a user who brings in their kid to work sometimes and he likes to stream Netflix on his iPad, so he can have at it and I don’t have to worry about him hogging the bandwidth. I tried the Meraki, I like Open-Mesh better, fraction of the cost and the cloud access is free.
pbp
(RoguePacket)
17
Depends on business need.
Usual tack is at least two networks: one for business use, and one for guests/visitors—
- Business: Has QoS limits social sites & video streaming, but fast on “business use” sites (Salesforce, POS app, etc); Employees can print to local printers
- Guest: Has bandwidth throttling in general, prohibits illegal sites, but open otherwise; Isolated from company network
Goes either way as for the guest network being completely open, or “password of the day” approach (or otherwise access limited).
tom44
(Guru42)
18
Open-Mesh sounds like a good product. What about bandwidth issues? You say there’s a way to separate and throttle bandwidth using Open-Mesh? You can allocate traffic or throttle by each segment?
chris0984
(Space Force)
19
Yes. The public download limit is 1.5 down. That is plenty for streaming audio on your smart phone and or tablet or even watching a video on Netflix. You can set your download and upload limits to whatever you want. I chose 1.5.
As I type this I logged into my CloudTrax and can see 8 users already on my guest network (combination of actual guests and employees using their personal devices).
I have been running like this for a while now with no complaints. The people using the guest network can do whatever they like and the private network is just like any normal private network, unthrottled and with file and print access like a normal workstation on the LAN.
jbakervt
(jbakervt)
20
Like Jim says, the equipment doesn’t really matter as much as the configuration.
Yes, bring it inside, I say. VLANs for separating traffic: one for Enterprise users, with RADIUS or LDAP authentication, and one for the “guest” network routing to a DMZ, using WPA2 and a key that you change from time to time.
As for BYOD, make the policy now and you can avoid problems. We are finalizing ours now.
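The per-SSID VLAN policy that Jim and jbakervt describe above (Staff on the corporate VLAN, BYOD and Guest tagged onto their own VLANs, guest traffic kept off the LAN, BYOD reaching corporate resources only through the firewall) as an added worked example that is not from this thread or from any vendor: it models the gateway decision for a flow and renders the routed part as iptables FORWARD rules for an assumed Linux gateway. The VLAN ids, subnets, gateway addresses and VPN endpoint are constructed assumptions.

```python
import ipaddress

# Constructed example: VLAN ids, subnets, gateway and VPN addresses are
# assumptions for illustration, not anyone's real network.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SEGMENTS = {  # SSID -> (VLAN id, subnet, corporate segment?)
    "Staff": (10, ipaddress.ip_network("10.10.0.0/24"), True),
    "BYOD": (20, ipaddress.ip_network("10.20.0.0/24"), False),
    "Guest": (30, ipaddress.ip_network("10.30.0.0/24"), False),
}
GATEWAY = {"BYOD": ipaddress.ip_address("10.20.0.1"), "Guest": ipaddress.ip_address("10.30.0.1")}
# The single corporate entry point a BYOD device may reach: the firewall's VPN listener (assumed).
VPN_ENDPOINT = (ipaddress.ip_address("10.10.0.254"), 1194)

def decide(ssid, dst_ip, dst_port):
    """Return (verdict, reason) for a flow leaving the named SSID's VLAN."""
    vlan, subnet, corporate = SEGMENTS[ssid]
    dst = ipaddress.ip_address(dst_ip)
    if corporate:
        return "ACCEPT", f"VLAN {vlan} is corporate; full access"
    if dst in subnet:
        # Client isolation: guest/BYOD clients may talk to the gateway's DNS, not to each other.
        if dst == GATEWAY[ssid] and dst_port == 53:
            return "ACCEPT", "gateway DNS"
        return "DROP", "client isolation within the VLAN"
    if ssid == "BYOD" and (dst, dst_port) == VPN_ENDPOINT:
        return "ACCEPT", "BYOD enters corporate only through the firewall VPN"
    if any(dst in net for net in RFC1918):
        return "DROP", "private address space is off-limits from this VLAN"
    return "ACCEPT", "internet-bound"

def forward_rules(ssid, lan_if="eth1", wan_if="eth0"):
    """Render the routed part of the same policy as iptables FORWARD rules (assumed Linux gateway).
    Intra-VLAN client isolation is a layer-2 matter handled on the AP, so it does not appear here."""
    vlan, _subnet, corporate = SEGMENTS[ssid]
    vif = f"{lan_if}.{vlan}"
    if corporate:
        return [f"iptables -A FORWARD -i {vif} -j ACCEPT"]
    rules = []
    if ssid == "BYOD":
        ip, port = VPN_ENDPOINT
        rules.append(f"iptables -A FORWARD -i {vif} -d {ip} -p udp --dport {port} -j ACCEPT")
    rules += [f"iptables -A FORWARD -i {vif} -d {net} -j DROP" for net in RFC1918]
    rules.append(f"iptables -A FORWARD -i {vif} -o {wan_if} -j ACCEPT")
    return rules

if __name__ == "__main__":
    for ssid in SEGMENTS:
        print("\n".join(forward_rules(ssid)))
```

Order matters in the rendered rules: the BYOD VPN accept must precede the RFC1918 drops, and the trailing WAN accept only matches traffic leaving on the internet interface.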