Providing Guest Wifi on a VLAN

Providing Guest Wifi on a VLAN

Everyone at your office probably owns a smartphone. Maybe several of them are on a company plan. Even if they aren't chances are all users would appreciate being able to place their mobile devices on the company network, but you don't want the IT overhead of managing and securing all these "BYOD" or "Bring Your Own Devices". Still, wouldn't it be nice if they didn't have to eat up their data plans?

Maybe also you have regular visitors to your office that you need to give Internet access to for sales presentations or the like. Again, this increases the number of unsecured devices that need to talk across your network. As an IT Security professional, I can say that I don't want unsecured random devices on my corporate network.

Enter the VLAN

This is where VLAN's come into play. In the past we'd provided a guest wireless network just for the conference room, but I wanted to allow employees to stream music to their cellphones from anywhere in the building, not just near the conference room. In order to do that I could either configure a new separate network segment and buy new WAP's for that segment that offered the guest wifi in a larger geographical area, or I could implement VLAN support and do the same process, but "virtually."

For the VLAN route, I found that all of my existing wireless access points both supported multiple SSID's and they also supported VLAN's. Configuring a guest wifi simply included the following steps:

  • Add VLAN support to all the switches on my network, allowing for a new "tagged" VLAN for the guest WIFI on the ports that connected the switches (VLAN Trunking) and the ports connected to the WAP's and the firewall
  • Ensure that the guest VLAN was excluded from all other ports on the switches
  • Add a second SSID to each WAP for the guest wireless
  • Set the primary SSID on each WAP to the default 0 VLAN
  • Set the guest WIFI SSID on each WAP to the guest VLAN id
  • Set up a DHCP server specifically for the guest VLAN on a separate subnet
  • Ensure that the perimeter firewall that brings the guest VLAN and the main network together for Internet access keeps the two separate.

Our primary network requires RADIUS authentication with pre-installed certificates. The guest WIFI still has WPA2 enabled with a strong password, but that password is given to the employees and our guests for them to be able to get basic Internet access.

Now, you still need to be concerned about security for the guest wireless. We take a couple of extra steps here, such as setting client separation in the WAP's for that SSID (one laptop can't scan another on the guest wifi) along with still monitoring that traffic and limiting the services the guest wireless can talk with. Basic web browsing and email are all that's provided, and the device history is logged.

One common security mistake network administrators will make with this kind of setup is then allowing the guest network to talk to DNS on the internal LAN. You don't want to allow ANY contact between the two. Have your guest wifi use Google's DNS servers and don't let the guest traffic cross into the main network. If you expose your internal DNS servers on the guest wifi, that allows an attacker to gain more intelligence on your network before they've even broken into the primary network.

Posted by Tony on Apr 27, 2015 | Network Security