More or less secure

hey

We have this problem at work where floors 5 and 6 have no patch panels in the basement for those floors. There is only fibre coming down from the fifth to the basement. We have been asked to put in the ADSL line which we use for a guest wireless. It is not on our main network. We have been asked to install that on the sixth floor, but we can't patch it up there. I suggested creating a VLAN and running it through the main network infrastructure, but my boss did not want to put the other internet on the main network as it is a security risk. So which is worse, creating a VLAN for it or putting a wireless on the main network with WPA2?

They both have risks but I'm not sure which one is better; I think it is only a temp solution. Maybe neither of them?
 
Wireless should never ever go on your main network, separate firewall zone with internet access only and VPN if you need access to internal stuff, then secure it with WPA2 as well and radius if you feel the need.

Running a VLAN, well, it's not in any way a security risk if you know what you're doing; even if you don't, you'd need to screw up pretty badly to make it one. Providing you're not doing anything silly like using the native VLAN for anything, you'd be fine...
 
VLAN is the way to go here

Most decent wireless kit will let you use multiple SSIDs for different VLANs - on mine I have an internal SSID which doesn't broadcast and uses 802.1X WPA2 Enterprise, and a public VLAN.
 
VLAN is the way to go here

Most decent wireless kit will let you use multiple SSIDs for different VLANs - on mine I have an internal SSID which doesn't broadcast and uses 802.1X WPA2 Enterprise, and a public VLAN.

Ditto, using a Cisco 4402 Wireless LAN Controller and 8 access points. Internal WiFi doesn't broadcast its SSID and is RADIUS authenticated to AD. Guest wireless only has access to the web, and a special iPhone SSID which is literally used for our refurbishment department to unlock/upgrade/flash iPhones and can literally only get to about 12 remote IPs.
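As an added illustration of the set-up the last few posts describe (it is not any poster's own configuration), here is a constructed Cisco IOS-style switch fragment for carrying a guest SSID on its own VLAN over the existing fibre uplink while keeping it off the internal network. The VLAN numbers, interface names, the 192.168.20.0/24 guest subnet and the ACL names are all assumptions chosen for the example; the staff SSID's 802.1X/RADIUS settings live on the wireless controller and are not shown.

```cisco
! Constructed example: staff traffic on VLAN 10, guest on VLAN 20.
! The native VLAN is parked on an id nothing uses (see the earlier post about
! never putting anything on the native VLAN).
vlan 10
 name STAFF
vlan 20
 name GUEST
vlan 999
 name UNUSED-NATIVE
!
! Trunk to the sixth-floor access point: tag only the two VLANs we need,
! move the native VLAN to the unused id and turn off DTP so the far end
! cannot negotiate itself into a trunk.
interface GigabitEthernet1/0/24
 description TRUNK-TO-6F-AP
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
 spanning-tree bpduguard enable
!
! Basement port where the guest ADSL router plugs in: plain access port on
! the guest VLAN, so guest traffic reaches the internet only via that router.
interface GigabitEthernet1/0/23
 description GUEST-ADSL-ROUTER
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Ordinary desk ports: access mode, staff VLAN, no trunk negotiation.
interface range GigabitEthernet1/0/1-22
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Defence in depth: even if someone later adds routing between VLANs, a
! VLAN access map drops anything from the guest VLAN aimed at private
! address space (RFC 1918) and lets everything else through to the router.
ip access-list extended GUEST-TO-PRIVATE
 permit ip any 10.0.0.0 0.255.255.255
 permit ip any 172.16.0.0 0.15.255.255
 permit ip any 192.168.0.0 0.0.255.255
!
vlan access-map GUEST-FILTER 10
 match ip address GUEST-TO-PRIVATE
 action drop
vlan access-map GUEST-FILTER 20
 action forward
vlan filter GUEST-FILTER vlan-list 20
```

With this layout the guest VLAN is purely layer 2 on the core switch: there is no SVI for VLAN 20, so the switch never routes between guest and staff, and the only way out for guest clients is the ADSL router's own port. The VLAN access map matters because it also blocks guest-to-guest traffic that happens to use private addressing elsewhere in the building, and it keeps holding if someone later gives VLAN 20 an IP interface by mistake. Check the result with `show vlan filter`, `show interfaces trunk` and `show access-lists` before handing it over.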
 
I saw this one voip hacking video once.

The hack was that if you plug a laptop into an Ethernet port where a VoIP phone was on a Cisco or Avaya network, you run this software on the laptop and it negotiates the VLANs and gives you full access to the phone system and network subnets. The program was quite nice; it had the ability to intercept and record phone calls etc. Off topic, but you should lock stuff to MAC address in ultra-secure environments. But the point was the VLAN negotiation.

I saw it as: putting a wireless on the main network opens up the neighbours and the street to the main network, but VLANing the guest wireless would open up the entire internet to the internal network. The main internet/network has a firewall, but the guest wireless only has some basic router with no SPI.

I think I might just tell them that until we can patch the guest wireless up to the sixth floor we are going to have no wireless up there.
 
I saw this one voip hacking video once.

The hack was that if you plug a laptop into an Ethernet port where a VoIP phone was on a Cisco or Avaya network, you run this software on the laptop and it negotiates the VLANs and gives you full access to the phone system and network subnets. The program was quite nice; it had the ability to intercept and record phone calls etc. Off topic, but you should lock stuff to MAC address in ultra-secure environments. But the point was the VLAN negotiation.

I've got our Ethernet ports locked down by MAC filtering. I'm pretty certain it's secure enough for our purposes, but then I highly doubt it's 100% secure.
 