How about:
WAN (Internet)==Switch==>Firewall==>switch==>internal PC's and servers
                      ==>Wireless Router~~>Wireless PC's
Then just abandon WEP, WPA etc. and use the Firewall's VPN Client capability.
The Firewall and Wireless Router would each have their own routable IP addresses (2 static IP addresses total). This would create complete separation between wired and wireless networks.
or:
WAN (Internet)==Switch==>Firewall==>switch==>internal PC's and servers
                      ==>NoCat==>Access Point~~>Wireless PC's
As an option, you could swap out NoCat for an IP3, Nomadix or other "walled garden" device. Then you could provide guest access for visitors to the office. Continue to use the Firewall VPN Client for encrypted access to the internal network.
A 3rd option:
WAN (Internet)==Switch==>Firewall==>switch==>internal PC's and servers
                      ==>IP3==>vlan switch==>vlan Access Points~~>Wireless PC's
                                               ~~ Public SSID vlan==>Visitor/Guest wireless users
                                               ~~ Private SSID vlan==>Employee only wireless users
VLAN the wireless network to separate the Visitor/Guest wireless users from the Employee-only wireless users. The 2nd and 3rd options are what I have been deploying for "smaller" businesses that have 2-7 Access Points and 7-20 users. I'm finding many smaller environments that now want features of the larger enterprises. This is a way to handle both security and guest access without breaking the bank. For the firewall, I find the PIX VPN client to be excellent with the UDP tunneling option configured. APs that support VLANs include Strix (http://www.strixsystems.com), Cisco and a few others.
Frank Keeney, Tel: 626-676-4761
Pasadena Networks, LLC
http://www.pasadena.net http://www.wlanparts.com
Co-Founder, Southern California Wireless User Group: http://www.socalwug.org
On Behalf Of John Freeman
Can anyone give me some ideas or directions on this situation:
In a small wired office environment, is it possible to add a wireless router AND guarantee that any wireless Internet users do NOT have any access whatsoever to the internal LAN and PCs on the internal LAN?
It seems to me that the wireless users would have IP addresses on the same subnet as the office users, and hence the office LAN would be vulnerable, and basically unsecured. Both would have Internet access.
Maybe this is an idea? WAN==> Wireless Router ==> Firewall ==> switch ==> internal PC's ?
Not trying to spend a fortune, but I think just getting a wireless router and "hoping" no one discovers the office network is a mistake.
Ideas? Thanks,
John Freeman
