7th April 2010, 01:40 PM #1
A Definitive Guide ... to guest / student devices on a wireless network.
Ok, I know that there is not a definitive answer on this, and it has been discussed on many threads with a number of options ... but as a way of kick-starting this and getting as wide a range of answers as possible, would people like to post what they do and how they do it (mentioning specific technologies and suppliers if needed) and I will collate them over on the 'how-to' area.
7th April 2010, 02:16 PM #2
We use a Smoothwall UTM 1000 and segregate our wireless network away from our standard Curriculum network. All APs are on this network and Smoothwall deals with DHCP.
I have created business-size cards with a map of the school on one side, with the school layout and indications of the WAPs across the school, and the opposite side has the security key - we don't use AD integration etc. unfortunately, but this is something we will look at in the future. The filtering is carried out using our Smoothwall box also, which allows us to provide access for our students and guests to the sites we wish them to have access to. Students / Staff can access their MyDocuments via the School's Learning Gateway (SharePoint) and the Salamander MyDocuments webpart.
Thanks to Sylv3r from:
GrumbleDook (7th April 2010)
7th April 2010, 02:21 PM #3
Thanks for the info ... do you segregate the wireless and standard curriculum using VLANs or by physically separate wiring?
7th April 2010, 02:26 PM #4
We are likely to be doing this over the summer. Plan so far:
VLANs segregated from the general network
No encryption - 'free' access network, like cafés
All traffic redirected to Smoothwall. HTTP/HTTPS only, using AD authentication.
Migrate all services to the VLE and Google Mail/Docs and HTTP access. No more shared drives, hooray.
edit: almost forgot - we'll try and use web-based printing using PaperCut
and supply other apps over Citrix and SIMS via SIMS Learning Gateway
Last edited by CyberNerd; 7th April 2010 at 02:31 PM.
Thanks to CyberNerd from:
GrumbleDook (7th April 2010)
7th April 2010, 03:04 PM #5
Forgot that bit - VLANs.
17th April 2010, 10:41 AM #6
We are about to revamp our whole network. It will be costly. Although we are considering other options, we are currently looking at the following.
Create 6 VLANs
1. Green - Staff
2. Red - students
3. Blue - VoIP
4. Yellow - Video streaming/multicasting
5. Black - Security cameras
These VLANs will be reflected in our OUs and policies.
We plan to implement the standard fibre between buildings with copper runs within the building. These copper runs will be from the IDF to the drop box with no switch between except in the case of a student computer lab.
Copper runs will be with White Sands Engineering (or Superior Essex) 6xCat5e bundled - each cat5e cable colour representing a VLAN. These will drop to a surface mount box with a 6-port faceplate with each rj45 jack a different colour representing the VLAN. Each device will plug into its appropriate VLAN.
We are examining the Wireless solutions that will allow assigning to a VLAN based on MAC or SSID, or something similar. This is not finalized.
A supposedly cheaper solution to the above is using the HP MSM317, which will allow pulling only one cable instead of the bundled 6xCat5e. I do not know if it can deliver the bandwidth we anticipate. With PM Brown and Pres Obama targeting 100Mbps to the home, we believe that will become a reality. Consequently, we expect apps to be written for this bandwidth. We have this opportunity to revamp our network, so we will try to max out our capacity as much as possible. We are not sure Cat 6A is needed and we are not convinced Cat 6 will give us much over Cat5e, as our environment is not very hostile.
As we expand, we do not expect to use hosted solutions. We expect to keep everything in-house and contract managed services when needed.
Thanks to Patman from:
GrumbleDook (19th April 2010)
17th April 2010, 11:52 AM #7
We have an unsecured wireless VLAN, with a Smoothwall UTM-1000 firewalling and connecting this to the rest of the network. I am about to look at enabling client isolation on our Ruckus APs to provide client-to-client security.
Thanks to robk from:
GrumbleDook (19th April 2010)
19th April 2010, 12:41 PM #8
I got to think about this quite hard for a reference implementation last year (it was a lot easier to do this kind of thinking in ye olde days of physical subnets, routers-with-ACLs or, if you wanted better auditing, a firewall). The basic principle is pretty straightforward: you have separate "Private", "Public" and WAN subnetworks all plugged into a firewall with suitable policy controlling what flows between them. Unless you're rolling in cash you're almost certainly going to make subnets with VLANs on any non-trivial physical network.
The next questions are:
1) What L3 feature set do you actually have in your core switches? I wouldn't, but if the switches do serious IP ACLs you could use them instead of a dedicated firewall.
2) Do you have or are you getting managed wireless? I'm familiar with two basic approaches that you may or may not be able to do with a given vendor's kit:
a) Public wireless traffic is tagged onto the Public VLAN by the controller, Private wireless traffic (always authenticated for access) is tagged onto the Private VLAN, then those VLANs and the WAN just plug into that firewall with the policies.
b) Public traffic is dropped onto the same subnet as Private but ACLs set on the controller restrict where it can go i.e. the controller assumes the firewall role, and you don't have to use VLANs.
YMMV but in all cases subject to organisational management capability I'd certainly want some kind of access control for Public wireless too e.g. the students have to supply their MACs as a minimum.
Then there's the detail:
- Wireless client isolation is a good idea full stop i.e. for all Private/Public wireless laptops/netbooks.
- DHCP: With switches it's anyone's guess, but firewalls will inevitably serve DHCP on a given interface.
- DNS: What Private resources can they access? Do you need DNS to resolve any local names and if so how/where do they get it?
- Proxy: Do they need an explicit suitably filtered one to get to the Internet and if so how/where do they get it? Perhaps you can do transparent proxying?
- VLANs/Subnets: The usual disclaimers for L2 broadcast traffic apply here, i.e. if something depends on NetBIOS broadcasts or you do WOL etc. then you need to sort out IP directed broadcast, multihome a management box, or something.
- IP Addressing: This can get fiddly. Can your current address allocation from wherever accommodate being carved up into a bunch of subnets? I can't think of many reasons not to put Public behind NAT with that firewall, but the outside of that obviously needs some routable addresses. If Private is already routable I'd certainly try and keep it that way, but you might put that behind NAT as well and if so, do you know what might need R-NAT for a variety of external support providers etc?
Finally the network security:
- There's the inevitable risk of someone wreaking havoc after plugging their "device" directly into a Private netpoint, and if you don't control that with 802.1X or whatever, then any arguments about things like the pros and cons of VLANs vs independent wiring seem a touch academic.
- Firewall policies and ACLs just have to be correct and should be routinely reviewed. Some people have a nasty habit of not taking these seriously enough, e.g. throwing in new ones at the drop of a hat, occasionally with very big inadvertent holes.
- More esoteric, less likely, but convince yourself that your kit and its configuration is safe from VLAN hopping.
2 Thanks to PiqueABoo:
CyberNerd (19th April 2010), GrumbleDook (19th April 2010)
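A small model of the Private / Public / WAN zone policy described in the post above, with the routine review it recommends. This is an added example, not code from the thread or from any firewall product; the rule format, the zone names beyond the three in the post, and the sample policy are all constructed.

```python
"""Model of the Private / Public / WAN zone policy described above.
Added example, not code from the thread: first-match rules, default deny,
plus the review a firewall admin should run before and after changes."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str             # zone name ("Private", "Public", "WAN") or "any"
    dst: str
    proto: str           # "tcp", "udp", "icmp" or "any"
    dport: "int | None"  # None means any destination port
    action: str          # "allow" or "deny"

def _covers(rule, src, dst, proto, dport):
    """True when the rule matches the given traffic (or fully covers a narrower rule)."""
    return (rule.src in ("any", src) and rule.dst in ("any", dst)
            and rule.proto in ("any", proto)
            and (rule.dport is None or rule.dport == dport))

def is_allowed(rules, src, dst, proto, dport):
    """First matching rule decides; nothing matching means deny."""
    for r in rules:
        if _covers(r, src, dst, proto, dport):
            return r.action == "allow"
    return False

def review(rules):
    """Flag broad allows from the Public zone into Private (the 'inadvertent
    holes'), and rules an earlier rule already fully covers, so they never fire."""
    findings = []
    for i, r in enumerate(rules):
        if (r.action == "allow" and r.src in ("Public", "any")
                and r.dst in ("Private", "any") and (r.proto == "any" or r.dport is None)):
            findings.append(f"rule {i}: broad allow {r.src}->{r.dst} {r.proto}/{r.dport or 'any'}")
        for j in range(i):
            if _covers(rules[j], r.src, r.dst, r.proto, r.dport):
                findings.append(f"rule {i}: shadowed by rule {j}, never reached")
                break
    return findings

# Constructed sample policy, in the order an admin might have grown it.
SAMPLE_POLICY = [
    Rule("Private", "WAN", "any", None, "allow"),     # Private out to the Internet
    Rule("Public", "Private", "udp", 53, "allow"),    # guests: local DNS only
    Rule("Public", "Private", "tcp", 3128, "allow"),  # guests: the filtering proxy only
    Rule("Public", "Private", "any", None, "allow"),  # "just for the visitor demo" hole
    Rule("Public", "Private", "tcp", 445, "deny"),    # intended block, but rule 3 wins first
]
```

Running `review(SAMPLE_POLICY)` reports rule 3 as a broad Public-to-Private allow and rule 4 as shadowed; with rule 3 removed, `is_allowed` returns False for Public-to-Private SMB while DNS and the proxy port still pass.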
19th April 2010, 02:07 PM #9
Our 3Com wireless-network switches (WX1200s) have the ability to have multiple SSIDs and VLANs.
So the student network exists on a guest SSID connected to its own VLAN.
In this VLAN is a Debian no-GUI DNS/DHCP/Squid proxy with dual NICs enabling internet access (the other card connects to the "internet VLAN"). This network is public without security, but access to anything once connected requires details for a web login served by the wireless switches; even ping doesn't work without it.
Thanks to browolf from:
GrumbleDook (19th April 2010)