Re: How to setup wireless access not to cross internal vlan?

oalexis · ‎09-16-2004

hi folks,

I am about to set up a wireless network for our library users that come in from the public and bring their own laptops. We would like to have two options:

1) they can open their laptop and just jump on without any authentication. but this traffic should not cross my internal vlans. I was thinking i'd put the AP off the DMZ.

2) if they need to come inside they must create a vpn connection.

would this be considered 'secure'?

how best can i do this?

gamccall · ‎09-16-2004

Putting the AP in your DMZ is one of the classic wireless security techniques. It's quite secure in terms of protecting your private network- although there's obviously no control or security regarding unknown users accessing the public internet. Basically, you're giving free internet access to anyone who wants to use it... if this doesn't bother you and your only concern is your own private resources, go for it.

Obviously, you'd need to make sure that your VPN solution is working properly for those users who are authorized for the private net.

oalexis · ‎09-16-2004

well, the place that I will be putting the AP is deep inside our building, so you'd have to come inside to use it. The signal doesn't bleed outside, walls are too thick. and the folks that come inside are only allowed to the library or museum. I am sure I can restrict what sort of traffic goes out from the DMZ.....right?.... if i use a PIX 515? Right now we use watchguard fireboxes..... don't like them much.

many thanks for your input