Hi.
I post these questions here because, after a lot of searching, I stumbled upon a lack of good material about this subject. In a WLC (Wireless LAN Controller) central switching scenario:
- Imagine I have a very secure (RADIUS/802.1X) LAN data subnet, VLAN 10. Imagine my data WLAN is very secure too (WPA2-Enterprise / EAP-PEAP-MSCHAPv2 with certificate enforcement). What is the drawback of having my data LAN and my data WLAN directly share the same VLAN 10? Put another way, what is the benefit of separating the LAN and WLAN data subnets?
- In the case of separate LAN and WLAN subnets, should they be separated by simple inter-VLAN routing ACLs, or is a firewall (Cisco ASA) a better security option? What would be the benefits of using a firewall?
- Concerning the guest WLAN, a good security design would be to have a guest-dedicated WLC placed in the DMZ. Should it be terminated directly in the DMZ, or should a firewall (Cisco ASA) be placed between the WLC termination and the DMZ? (In this latter case, that would place 2 firewalls between the WLC and the Internet: the WLC firewall, then the DMZ firewall.) What would be the security benefits?
Thanks for any comment, or any hint about a good firewall/security zone design book to (e-)buy!