What security risk is a GUEST VLAN?

 
 
Mike Webb
      07-03-2007
I have 802.11q appliances (APs, switch, and internal NIC on server). I
want to provide Guest access to the internet, and LAN access to staff and
designated others (to whom I'd give a domain account). I don't have the H/W
to set up separate WLANs - one for the LAN on the internal side and a GUEST
on the external side.

So ... can I set up the APs as domain clients, locking them down with WPA
and RADIUS, but still provide GUEST access via a VLAN and appropriate SSID?

[The appliances: D-Link products - DWL-2200AP as the access points, and
DES-3828 as the switch.]

--
Mike Webb
Platte River Whooping Crane Maintenance Trust, Inc.
a 501 (c)(3) conservation non-profit organization


 
Gary Harmon
      07-04-2007
Not knowing what brands and models of wireless equipment you have, no.

You can however put the WLAN on its own VLAN and route it to the
Internet only. Then on your firewall allow VPN out and back in
(called looping), then configure the 2003 server for VPN for your
users.

The other way is to replace the APs with a wireless router that will
take the DD-WRT firmware then you can configure two SSIDs on VLANs and
then set your firewall up for that.

Give more information and maybe we can come up with a solution.

I have a wireless mesh network setup running 3 SSIDs and VLANs at my
work. The equipment is expensive but worth every penny ( Strix Systems
http://www.strixsystems.com ). Total cost $60,000.00 to cover 1 city
block outside and 600,000 sq ft building w/2 floors.

At home I use a Linksys WRT54G with DD-WRT set up with 2 SSIDs. 1 SSID
has access to my 2003 server and the other only Internet access for
guests. The guest SSID has a login page that comes up when you try to
access the Internet. Total cost $50.00 about.

Things that we need to know are:

Brand and model of your APs D-Link DWL-2200AP
DD-WRT only seems to support routers but I've heard of it working
on some APs. You can check the web site for routers that have been
tested. http://www.dd-wrt.com. Routers can be had for around $50.00

Firewall make and model

The 2003 will have to be set up with ISA to get RADIUS. The APs or routers
will have to support RADIUS also (WPA-Enterprise).

Hope this helps some

Gary Harmon
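
The "own VLAN, routed to the Internet only" design in the post above depends on rule order at the firewall. As an added example (not part of the original thread, and vendor-neutral rather than ISA 2004 or D-Link syntax), this checks a first-match rule list for allow rules that let the guest subnet reach the LAN; the subnets, the port 3389 exception and the rule lists are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str                  # "allow" or "deny"
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    proto: str = "any"           # "tcp", "udp" or "any"
    port: Optional[int] = None   # None means any port

def net(cidr):
    return ipaddress.ip_network(cidr)

def intersect(a, b):
    """CIDR blocks either nest or are disjoint: return the smaller, or None."""
    if a.subnet_of(b):
        return a
    return b if b.subnet_of(a) else None

def covers(deny, src, dst, proto, port):
    """True if one deny rule blocks every flow src -> dst on proto/port."""
    return (src.subnet_of(net(deny.src)) and dst.subnet_of(net(deny.dst))
            and deny.proto in ("any", proto) and deny.port in (None, port))

def guest_leaks(rules, guest, protected):
    """(index, protected net) for allow rules that let the guest VLAN in.
    First-match semantics; an allow is safe only if a single earlier deny
    covers the overlap (conservative: jointly covering denies still flag)."""
    leaks = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        src = intersect(net(r.src), net(guest))
        for p in (protected if src is not None else []):
            dst = intersect(net(r.dst), net(p))
            if dst is not None and not any(
                    d.action == "deny" and covers(d, src, dst, r.proto, r.port)
                    for d in rules[:i]):
                leaks.append((i, p))
    return leaks

# Constructed addressing plan and rule lists (assumptions, not from the thread).
GUEST, LAN = "192.168.50.0/24", "10.10.0.0/16"
WEAK = [Rule("allow", GUEST, "0.0.0.0/0"),        # matches first: LAN reachable
        Rule("deny", GUEST, LAN)]
HARDENED = [Rule("deny", GUEST, LAN),             # guest VLAN never routes to LAN
            Rule("allow", GUEST, "0.0.0.0/0")]    # Internet, incl. VPN back in
# A broad admin exception placed above the deny re-opens the LAN to guests.
EXCEPTION = [Rule("allow", "192.168.0.0/16", "10.10.5.20/32", "tcp", 3389)] + HARDENED

if __name__ == "__main__":
    for name, rules in (("weak", WEAK), ("hardened", HARDENED), ("exception", EXCEPTION)):
        print(name, guest_leaks(rules, GUEST, [LAN]))
```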

 
Mike Webb
      07-05-2007
Thanks. The router is a "no-name" brand from Amer.com, model BR4. Haven't
run across the term/acronym DD-WRT so I'll look it up to see what you are
referring to. As for the firewall, it's Microsoft's ISA 2004, fully patched.
The APs are D-Link DWL-2200APs, the switch is D-Link DES-3828, wireless
mode supported - 802.11b and 802.11g. APs, switch and internal NIC are
compliant with 802.11q.

Mike
Gary Harmon
      07-06-2007
I had to get on the web and do some research on the D-Link stuff, I
have not used D-Link for a few years. I couldn't find out how to
configure the VLANs in the APs but D-Link's web site led me to
believe that you can do VLANs on the DWL-2200APs but did not say
anything about being capable of 2 or more SSIDs. Worst case is use a
dedicated AP for the guest SSID and configure a VLAN for it and route
it to the internet only.

Maybe someone else has seen the DWL-2200AP and can shed some light.



Mike Webb
      07-09-2007
Thanks.
