
Is a partner anchor controller and SSID secure for my IT domain?

ezisaac
Level 1

We're establishing an internal, distinct wireless network for a research partner with multiple lab spaces and various WiFi-enabled devices, including research laptops, tablets, and wireless field devices across our campus. Our objective is to ensure that they operate autonomously within their operation domain, with no access or monitoring of their research data by us, except for network management purposes. They maintain their server room and a wired research network in their designated area. A firewall separates their research network from our IT network, facilitating necessary inter-domain data exchange while preventing public internet access.

I'm considering the addition of another "Partner" anchor controller within the Partner DMZ on our WLAN, linked back to our campus 9800 WLC via a mobility tunnel. This setup would allow the research partner to administer and operate their controller, managing user authentication independently. Furthermore, I intend to incorporate the associated SSID, directing their traffic from the anchor controller to the Partner VLAN in the firewall DMZ, permitting connectivity for their field wireless data and traffic to reach their research servers in the server room.

Could you please advise if this configuration poses any network security risks to my IT domain? Is the wireless network adequately secure for the research domain? Are there any vulnerabilities inherent in this architecture? Additionally, I would appreciate any reference design documents or comments you may offer on this proposal.

3 Replies

Leo Laohoo
Hall of Fame

@ezisaac wrote:
while preventing public internet access.

You mean "air gap"?

Unless the area where this partner works is completely sealed off with a Faraday Cage, I would never use WiFi.  

ezisaac
Level 1

No, not air gap. I aim to ascertain whether both corporate IT and research domain networks are appropriately segregated and secured. This is particularly pertinent as my IT team considers providing WiFi access to research partners, enabling their wireless devices to connect to their server (in their server room) through the 'Research Anchor Controller' via the firewall.

Rich R
VIP

There is no right or wrong answer.
You must have a defined security policy and then assess that design against the specified requirements of that policy.
Every organisation has slightly different (stricter/more relaxed) policies and practices.
