I have signed up to these forums today specifically for advice. I am very new to the network / cisco community and hope to spend some time on these forums both learning from everyone here and hopefully in the near future providing input as well based on my experiences.
Now for my question...
My company is endeavouring the path of WiFi. The controller is a 5508. We have established the requirements for both a Guest and Corporate SSID. Our design would have the WLC have a leg out to the DMZ for the Guest network and a leg into our internal core switches for the Corporate network. Unfortunately the company I work for does not want to spend the extra money for an anchor controller.... Only trusted and company supplied devices will have access to the corporate network. Authentication is 2-factor (AD and PKI self-signed cert).
Our security engineers have concerns with this design as they do not feel very comfortable at all that the Corporate network is inside the DMZ. They are concerned that there is no ability to filter traffic, and worry about attacks being launched from outside the building. They worry because once on the internal network there is nothing blocking or preventing the hacker from accessing our servers. They are pushing for a new design that would have the corporate SSID network in the DMZ with several firewall ports opened to our internal network. I don't feel entirely comfortable with this approach due to the amount of firewall ports that need to be opened.
Is there a best approach or best practice for this scenario? Can someone please give me some experienced advice?
Regarding your question, here is the typical set up of WLCs in a corporate network. As you can see there is a WLC in the DMZ (outside your core, separated with a FW) to service guest traffic & a few other controller(s) will be placed inside your Core to terminate the corporate employee SSID. In this way you have clear separation between your Guest traffic & Internal traffic.
If you have a single controller, but you want to achieve the best security with Guest & corporate SSIDs, it is a bit of a challenge, as you have already encountered. Best would be again to talk to your business groups & security group, explain the pros/cons, then go ahead with what they finally agree on.
Here is a good presentation on WLAN security (the above snapshot is from the same presentation) that you should go through.
I have large customers who also went this route with one leg in and one leg out. This is better than placing everything in the DMZ and opening FW ports, to be honest. The reason being is that you will end up opening so many ports because this group needs this and that group needs that and then your executives want everything.
With one leg into the internal network and the WLC and APs placed on the inside, you assign another port on the WLC for guest and you dump that traffic to your DMZ. This is the preferred method. The only true two-factor authentication is if you have either authentication that is 802.1x, which is AD and certificates (one factor), with users who also have an RSA login (another factor). Cisco offers two-factor if you have AnyConnect and ISE. With WPA2/AES and 802.1x, I really don't think that anyone would be able to hack into that. How do you protect your wired ports now? Can someone unplug a phone in the reception area and access the network? Can guests connect to an open port and access your network? If you want internal devices, or should I say domain computers only, to access the network, you would authenticate only computers in this group to a RADIUS server. Then AD user credentials are not used and only domain computers are used. You just need to sit down and understand what will be allowed and not, because it's always the executives who want this and that and then all of a sudden, what you want isn't going to work well.
Thanks very much guys for the replies. Both are very useful. Today we discussed the design and decided to go with the leg in / leg out approach. Very similar to how you describe, Scott. We are using Cisco ACS for authentication. The 2 factors are AD domain users and 802.1x certs. The guest network traffic is segregated via a physical port in access mode and dumped into the DMZ.
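The "one leg in, one leg out" design that Scott describes and the original poster settled on, written out as AireOS CLI for a 5508, as an added example rather than anyone's configuration from this thread. Interface names (guest-dmz, corp-inside), VLAN ids, port numbers, addresses and the RADIUS server entry are all constructed placeholders; the WLC cannot restrict the corporate SSID to domain computers by itself, that is a policy on the ACS/RADIUS side, so this block only shows the WLC half.

```cisco
! Added example, not configuration from the thread. Every name, VLAN id,
! port, address and secret below is a constructed placeholder.

! ---- Guest leg: dynamic interface on physical port 2, cabled to the DMZ ----
! Assumes port 2 is the "leg out" in access mode toward the DMZ firewall.
config interface create guest-dmz 20
config interface port guest-dmz 2
config interface vlan guest-dmz 20
config interface address dynamic-interface guest-dmz 192.0.2.10 255.255.255.0 192.0.2.1
config interface dhcp dynamic-interface guest-dmz primary 192.0.2.5

! Belt-and-braces ACL on the guest interface: drop client-originated ("in")
! traffic toward RFC 1918 space so a loosened DMZ firewall rule does not
! silently expose the inside. WLC ACLs end in an implicit deny, so rule 4
! permits everything else (guest Internet access).
config acl create guest-no-internal
config acl rule add guest-no-internal 1
config acl rule direction guest-no-internal 1 in
config acl rule destination address guest-no-internal 1 10.0.0.0 255.0.0.0
config acl rule action guest-no-internal 1 deny
config acl rule add guest-no-internal 2
config acl rule direction guest-no-internal 2 in
config acl rule destination address guest-no-internal 2 172.16.0.0 255.240.0.0
config acl rule action guest-no-internal 2 deny
config acl rule add guest-no-internal 3
config acl rule direction guest-no-internal 3 in
config acl rule destination address guest-no-internal 3 192.168.0.0 255.255.0.0
config acl rule action guest-no-internal 3 deny
config acl rule add guest-no-internal 4
config acl rule action guest-no-internal 4 permit
config interface acl guest-dmz guest-no-internal

! Guest WLAN: open + web auth, mapped to the DMZ interface, and guest
! clients are blocked from talking to each other.
config wlan create 2 Guest Guest
config wlan interface 2 guest-dmz
config wlan security wpa disable 2
config wlan security web-auth enable 2
config wlan peer-blocking drop 2
config wlan enable 2

! ---- Corporate leg: dynamic interface toward the internal core ----
! Assumes the management interface already lives on port 1 (the "leg in").
config interface create corp-inside 30
config interface port corp-inside 1
config interface vlan corp-inside 30
config interface address dynamic-interface corp-inside 10.30.0.10 255.255.255.0 10.30.0.1

! RADIUS (ACS) server entry; index 1 is referenced by the WLAN below.
config radius auth add 1 10.1.1.5 1812 ascii REPLACE-WITH-SHARED-SECRET

! Corporate WLAN: WPA2/AES with 802.1X only (no PSK), so the EAP-TLS
! certificate + AD checks happen on ACS, as described in the thread.
config wlan create 1 Corporate Corporate
config wlan interface 1 corp-inside
config wlan security wpa enable 1
config wlan security wpa wpa2 enable 1
config wlan security wpa wpa2 ciphers aes enable 1
config wlan security wpa akm 802.1x enable 1
config wlan radius_server auth add 1 1
config wlan enable 1

! Quick checks that the two legs really are separate.
show interface summary
show acl detailed guest-no-internal
show wlan 1
show wlan 2
```

The firewall between the DMZ and the core remains the real control for guest traffic; the interface ACL is only there so a change on the firewall does not by itself turn the guest leg into a path inward. On the corporate side, `show wlan 1` should list WPA2/AES with 802.1X as the only key management method and no PSK, which is the condition Scott's "I really don't think anyone would be able to hack into that" depends on.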