I am wanting to securely set up two WLANs, one for Corporate Internal and one for Guest Access which will stick guests out on the dirty Internet. Is there a secure way to do this without using a second Anchor Controller in the DMZ? My budget would not allow for the second controller.
Here is the equipment I am working with:
- One 4402 Wireless Controller (Internal)
- Ten 1250 Access Points
Thanks in advance, any tips or design ideas are greatly appreciated.
Well, in theory you could trunk the guest access into a VLAN allowed only to get to the Internet.... but if you want the traffic to be in the DMZ first, I think you can try using the two different ports on the 4402. Port 1 can plug into your LAN and port 2 can plug into the DMZ? Maybe that'd work.... You'd set up your WLAN interfaces to use the individual ports on the 4402.
That's kind of what I had in mind, basically sticking one of the 4402's ports on the inside (internal) and the other port on the outside (DMZ, or dirty Internet). How dangerous would it be to put the second port directly on the Internet rather than in a cleaner DMZ?
I like the idea of having the Controller port protected a little in the DMZ, but I want the 'Guest' access to be uninhibited.
Well, you really can't just stick it out on the Internet. You're going to need some kind of NAT between your private/public addresses (unless somehow you have enough public addresses, or you have some kind of router (cable/DSL?) Internet connectivity). Either of these, though, would generally come from some kind of device acting like a firewall that would prevent the outside world from coming in directly....
So what exactly does your Internet/main firewall design look like?
Basically, as long as you don't allow anything from the outside to initiate a connection to your wireless clients, then you are basically secure.... Since your wireless clients will be on the untrust interface, your firewall should be preventing them from talking to your trusted interface so it should be fine....
However, I'm not an "expert" on the security fundamentals behind the two ports on a 4402 controller..... The bigger problem you might run into is that the 4402 requires a Gig connection for the port to come up... so if you don't have a Gig interface on your untrusted/public Internet side, then I don't think the interface will come online.
Actually, we DO have enough public addresses that I can just set the controller up to DHCP out the public addresses, for example 22.214.171.124-126.96.36.199, to guest PCs.
Clients connecting to the guest network would get a public IP address (via DHCP) and use a public DNS server. There would be no protection for guest PCs from the untrusted Internet... but also no restrictions.
I would just connect port 1 of the 4402 controller to an 'outside' switch and port 2 of the 4402 would connect to the internal network switch.
Ok, so the only real concern I see is that I think you must assign an IP address to the WLAN interface of the controller (I could be wrong though...). If that is the case, then you'd have a port of your WLC with a public address and nothing preventing access to it. But I suppose you could create some kind of ACL to do that...
Anyhow, the design is reasonable in my opinion and should work, but it is definitely not the "Cisco way".
I was just thinking about denying anything and everything to the IP address of the controller port. Wouldn't that basically secure anything from talking to the IP of the controller if you make an ACL deny all traffic to that IP address?
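As an added illustration (not code from any poster in this thread) of how far that "deny everything to the controller IP" ACL reaches: a small first-match ACL evaluator using constructed placeholder addresses, comparing the controller-only deny against a rule set that also blocks guest clients from the assumed internal range.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed placeholder addresses: the thread's real public block is not
# usable here, so the TEST-NET range 192.0.2.0/24 stands in for it.
CONTROLLER_IP = ipaddress.ip_network("192.0.2.1/32")   # assumed public IP on the WLC guest-side port
GUEST_NET = ipaddress.ip_network("192.0.2.0/25")       # public addresses handed to guest clients by DHCP
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")      # assumed corporate range behind the trusted port
ANY = ipaddress.ip_network("0.0.0.0/0")

# An ACL is an ordered list of (action, source, destination). First match
# wins, and anything unmatched falls through to the implicit deny.
Rule = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]

def evaluate(acl: List[Rule], src: str, dst: str) -> str:
    """Return 'permit' or 'deny' for a single src->dst packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return "deny"

# The ACL proposed in the last post: block everything aimed at the
# controller's address and let the rest through.
ACL_CONTROLLER_ONLY: List[Rule] = [
    ("deny", ANY, CONTROLLER_IP),
    ("permit", ANY, ANY),
]

# Same idea with an explicit deny for guest-to-internal traffic added.
ACL_GUEST_HARDENED: List[Rule] = [
    ("deny", ANY, CONTROLLER_IP),
    ("deny", GUEST_NET, INTERNAL_NET),
    ("permit", GUEST_NET, ANY),
]

# Flows a guest client might attempt, with a constructed guest address.
FLOWS = {
    "guest_to_internet": ("192.0.2.50", "203.0.113.10"),
    "guest_to_controller": ("192.0.2.50", "192.0.2.1"),
    "guest_to_internal": ("192.0.2.50", "10.1.1.20"),
}

def check_design(acl: List[Rule]) -> Dict[str, str]:
    """Verdict for each flow, so the two rule sets can be compared side by side."""
    return {name: evaluate(acl, s, d) for name, (s, d) in FLOWS.items()}

if __name__ == "__main__":
    for label, acl in (("controller-only", ACL_CONTROLLER_ONLY), ("hardened", ACL_GUEST_HARDENED)):
        print(label, check_design(acl))
```

The controller-only ACL protects the controller's address but still permits guest-to-internal traffic, which is why the hardened version adds the second deny.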