14 Replies

  • If done correctly, you can use ACLs to limit the access the WiFi gets. You shouldn't be just routing back to the same network. I'm not sure if you're on a domain or not, as this would give you at least the ability to reduce possible intrusions.

    Either way, it's your risk to take. If that risk is so low that it's not a concern, then that's a decision for you to make.

  • Probably the person who asked you read that it was a good idea but didn't fully understand.

    The response is: "why would I. Adding a new address range routed to our current network offers no benefit currently as the number of wireless devices does not warrant it. It will only add complexity. Did you perhaps mean creating a separate network for wireless devices and controlling their access to the existing network?"

    If the person asking you is considering it from a security stance, other things should be factored in. You need to determine if you are allowing only work devices onto the network, those that are wired now, or perhaps other devices. It is good practice to separate guest/personal devices, etc.

  • It really depends on how many devices you have on the network. At one time we had nearly 500+ on a single VLAN, WiFi and hardwired the same. When we upgraded our switches, we did create multiple VLANs to be able to have a guest network and an enterprise WiFi network that were separate from each other. There are advantages to either way of doing it. It really depends on your needs. If you have a guest wireless network, I would for sure recommend it, but other than that, it's more about how many devices you want on the same subnet.

  • So the issue with a single flat network like yours is broadcast traffic, just noise on the network. This is not a massive issue on the wired network, but on wireless it can chew up a ton of airtime and cause your wireless network to perform badly. Segmenting your wireless network into its own broadcast domain can make a huge difference, as it stops traffic from spilling over from the wired clients.

    That said, this really depends on how many clients we are talking about. If your entire network consists of less than 100 devices (wired and wireless), then it's probably not an issue, but if you are talking orders of magnitude larger than that, it may be something worth looking into.

    Personally I would do it as a matter of convention, and as a way to clearly identify wireless clients from wired ones when looking into things like logs (i.e. if every wired client was 10.10.x.y and every wireless client was 10.20.x.y, it makes identifying where things are coming from quite a bit easier).

    But keep in mind you'd want to do more than just set up a second IP range; you'd want to break up your network into VLANs, at least one for wireless traffic and one for wired traffic. This essentially segregates them, and allows you to create access control and routing paths between the networks for better and more secure management overall.

  • When you say "their" laptops, are they company owned or BYOD? If they're BYOD then I think it would be worth separating since you don't know or have any control over what's on these computers. Also, anyone with the Wi-Fi password would have access to your internal network. Like everyone else is saying, it depends on the scale and the level of risk you're willing to take. We don't have too many wireless BYOD devices in my office, but I still separate them out of principle.

  • I have seen problematic WiFi devices consume all of a DHCP scope before on more than one occasion. Separation keeps them from filling up your wired device range. Also, when you separate them on different subnets and you are looking at traffic, you immediately know if you are looking at a wired or wireless device.

    Do you have to do this? Not at all. You may run just fine and never have a problem. When I set them up I plan on there being multiple WiFi networks, even if the customer swears up and down they will never need more than one.

    A few weeks later, "hey, we get poor cell signal in a few locations and employees want to put their phones on WiFi". Not a problem, I just add a VLAN and a new subnet.

    I see xx.xx.xx.xx hitting a malicious website, I need to find this device. Well, I can tell right away it's on the guest WiFi vs the internal WiFi vs the wired network by looking at the subnet.

    If a customer has nothing that will route layer 3 and they genuinely have no need to separate it out, I'm not going to push them to make a capital investment just because I happen to like setting it up that way. If their existing equipment will support it, I'd prefer just to start it out with the expectation that additional wireless networks will be added later.

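    The log-triage benefit described in this post and in JRC's 10.10.x.y / 10.20.x.y example above, as an added example that is not code from any poster: it tags each source address in a few constructed proxy log lines with the segment its subnet identifies. The address plan (wired 10.10/16, internal WiFi 10.20/16) follows JRC's example; the guest range 10.30/16, the log format and the "known bad" destination are assumptions made for the illustration.

    ```python
    import ipaddress
    from dataclasses import dataclass

    # Constructed address plan: wired clients in 10.10.x.y and internal WiFi in
    # 10.20.x.y follow JRC's example; the guest range 10.30.x.y is an assumption.
    SEGMENTS = {
        "wired":         ipaddress.ip_network("10.10.0.0/16"),
        "internal-wifi": ipaddress.ip_network("10.20.0.0/16"),
        "guest-wifi":    ipaddress.ip_network("10.30.0.0/16"),
    }

    # Constructed sample log lines (not from any real device): timestamp src dst url
    SAMPLE_LOG = """\
    2022-06-27T10:01:12 src=10.30.4.17 dst=203.0.113.9 url=http://bad.example/x
    2022-06-27T10:01:13 src=10.10.7.2 dst=198.51.100.4 url=http://intranet.example/
    2022-06-27T10:02:40 src=10.20.1.55 dst=203.0.113.9 url=http://bad.example/y
    2022-06-27T10:03:01 src=192.168.9.9 dst=203.0.113.9 url=http://bad.example/z
    """

    @dataclass
    class Hit:
        src: str
        segment: str
        url: str

    def classify(ip: str, segments=SEGMENTS) -> str:
        """Map a source address to the segment its subnet identifies."""
        addr = ipaddress.ip_address(ip)
        for name, net in segments.items():
            if addr in net:
                return name
        # Flat network or undocumented range: the subnet tells you nothing,
        # so this device has to be tracked down by hand (DHCP leases, ARP, etc.).
        return "unknown"

    def triage(log_text: str, bad_hosts=("203.0.113.9",), segments=SEGMENTS) -> list[Hit]:
        """Return every hit on a known-bad destination, tagged with its source segment."""
        hits = []
        for line in log_text.splitlines():
            fields = dict(f.split("=", 1) for f in line.split()[1:])
            if fields.get("dst") in bad_hosts:
                hits.append(Hit(fields["src"], classify(fields["src"], segments), fields["url"]))
        return hits

    if __name__ == "__main__":
        for h in triage(SAMPLE_LOG):
            print(f"{h.src:<14} {h.segment:<14} {h.url}")
    ```
    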
  • Separate networks for Work and Guests

    Most of the time, devices for work need access to local resources, no matter if it's wired or not. Databases, files, printers... all those can be in your "corporate" network.

    Guests don't really need access to those services, so a separate network is good to have, security- and QoS-wise. Also you can balance the bandwidth, set restrictions...

    There are several reasons to have subnets in general, but not so many reasons not to have them.

    The last decision is up to you, as you are the one who knows the needs of your company.

  • IT22YOU wrote:

    Am I missing some kind of security issue here?

    Yes and no. A WLAN has a larger attack vector, hence can be more vulnerable. Segmentation of networks makes it easier to limit its impact. Segmentation alone will not change security. Separation of IP ranges hence does not change security. It may make it easier to add security.

    IT22YOU wrote:

    Is there any reason to put the WiFi on a separate range and route it back?

    It depends on your network. Currently, there does not exist a reason as you've described it as all your devices have wired network access and some have WLAN in addition.

    But if your network changes and you get devices on your network having only WLAN, like mobiles and many tablets, then a common IP range might prevent these devices reaching a wired-only server, especially if it does not find such a connection in its connection cache. It would try a direct connection as it is in the same network segment, but this will not succeed as the target is not on the WLAN segment. The wireless device would need to route via a device being on both networks. This can be configured by adding corresponding routing entries on these wireless devices. No such additional routing entry would be needed if different network segments also had different IP ranges, as their default routing entry would address this situation and these wireless devices would not try to establish a direct connection, knowing they are on different network segments. So yes, if all wireless-only devices need to reach every wired-only server, having separate IP ranges will save you from adding as many additional routing entries as you have wired-only servers on every wireless device.

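    The forwarding decision Scheff describes, as an added example that is not code from any poster: it models a wireless-only client and a wired-only server on two layer-2 segments joined by a router, and shows that with one shared range the client tries direct (on-link) delivery and fails unless it carries a host route, while with separate ranges its default route carries the traffic via the router. The topology, addresses and the simplified "direct delivery only works on the same segment" rule are assumptions for the illustration.

    ```python
    import ipaddress
    from dataclasses import dataclass, field

    # Constructed topology (assumption, not the OP's network): "wired" and "wlan"
    # are separate layer-2 segments; a router has an interface on each.

    @dataclass
    class Host:
        ip: str
        prefixlen: int
        segment: str                 # L2 segment the host is attached to: "wired" or "wlan"
        gateway: str
        host_routes: set = field(default_factory=set)   # destinations explicitly sent via the gateway

        def next_hop(self, dst: str) -> str:
            """Mimic the host's forwarding decision: a destination inside its own prefix
            is treated as on-link (direct delivery, ARP); anything else, or anything
            covered by an explicit host route, is handed to the gateway."""
            onlink = ipaddress.ip_network(f"{self.ip}/{self.prefixlen}", strict=False)
            if dst in self.host_routes or ipaddress.ip_address(dst) not in onlink:
                return self.gateway
            return "direct"

    def reachable(src: Host, dst: Host, router_segments=("wired", "wlan")) -> bool:
        """Direct delivery only succeeds on the same L2 segment; the router spans both."""
        if src.next_hop(dst.ip) == "direct":
            return src.segment == dst.segment
        return src.segment in router_segments and dst.segment in router_segments

    def host_routes_needed(clients, servers) -> int:
        """Count (client, server) pairs that cannot talk without an explicit host route."""
        return sum(1 for c in clients for s in servers if not reachable(c, s))

    # One shared /16 across both segments: the WLAN client believes the server is on-link.
    wlan_shared = Host("10.0.2.10", 16, "wlan", gateway="10.0.0.1")
    wired_shared = Host("10.0.1.20", 16, "wired", gateway="10.0.0.1")
    # Separate ranges per segment: the default route handles it, no per-server entries.
    wlan_split = Host("10.20.2.10", 16, "wlan", gateway="10.20.0.1")
    wired_split = Host("10.10.1.20", 16, "wired", gateway="10.10.0.1")

    if __name__ == "__main__":
        print("shared range, no host route:  ", reachable(wlan_shared, wired_shared))
        wlan_shared.host_routes.add(wired_shared.ip)
        print("shared range, with host route:", reachable(wlan_shared, wired_shared))
        print("separate ranges:              ", reachable(wlan_split, wired_split))
    ```
    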
  • This, IMO, depends on what devices are being connected. If they are company devices, and are being authenticated onto the wireless by some means other than a WEP key, then it's not such a big deal. If they're BYOD or guest devices, or you're only controlling access via the security key, then I would go with a separate network, firewalled from the main internal network; as Scheff says, it presents a much bigger attack vector so needs to have additional security considerations in place.

  • I understand what the person is asking you to do. In Security Pro certification you are taught to set up WiFi for guests, like in your lobby area, keeping them separate from the corporate network for security reasons. And then it goes into the different security breaches. A hybrid work environment makes it different, but when guests do arrive it is nice to have a nice WiFi setup for them. I could get into it more, but I was just a student and we were asked to create an app that only worked on the Citrix campus. You could have ads and make a little money for Christmas parties. 😂 You could really get deep into it and make it really nice! I really enjoyed doing the Security Pro….

    To add one more thing: because I was an administrative assistant, sometimes guests do need access to your printers, or to a computer, but I did work more so in an open-environment company.

    That sounds like fun!

  • First thing is that we are all guessing on the number of machines you have and what type of switches you are using (most modern-day switches have storm control features to prevent broadcast storms).

    If you are talking about security... is there a difference between wireless vs wired? If your SSIDs are secured (and even hidden), they are as safe as your LAN ports. Creating VLANs and/or a different subnet with routing will not solve that. Many people create many VLANs then link them together such that machines in each VLAN can ping other VLANs (no firewall in between VLANs)... so what's the point?

  • adrian_ych wrote:

    If your SSIDs are secured (and even hidden), they are as safe as your LAN ports.

    Hiding an SSID is no means of security. It is transmitted in clear text, only not displayed in the client. And WPA2 and WPA3 are known to be flawed. I only did not look up which efforts and constraints are needed to read the content of other WLAN connections secured by any of these standards. And sure, a LAN port is also not safe from interception by some MITM attack, but that requires physical access to either port or switch, whereas for WLAN you need to be in range of the WLAN. And not every company has its own campus with controlled access of visitors and 3rd-party service providers with permanent company of permanent staff.

  • JRC wrote:

    So the issue with a single flat network like yours is broadcast traffic, just noise on the network. This is not a massive issue on the wired network, but on wireless it can chew up a ton of airtime and cause your wireless network to perform badly. Segmenting your wireless network into its own broadcast domain can make a huge difference, as it stops traffic from spilling over from the wired clients.

    I think JRC brings up an interesting point about broadcast traffic on a wireless network. I did a little research and found an interesting article that goes deeper into it:

    Why should you worry about too much multicast/broadcast traffic on your wireless network?

  • ctransom wrote:

    JRC wrote:

    So the issue with a single flat network like yours is broadcast traffic, just noise on the network. This is not a massive issue on the wired network, but on wireless it can chew up a ton of airtime and cause your wireless network to perform badly. Segmenting your wireless network into its own broadcast domain can make a huge difference, as it stops traffic from spilling over from the wired clients.

    I think JRC brings up an interesting point about broadcast traffic on a wireless network. I did a little research and found an interesting article that goes deeper into it:

    Why should you worry about too much multicast/broadcast traffic on your wireless network?

    Not only do I bring up an interesting point, I bring up a real-world issue we actually did face a while back. Our network was one large flat network, with ~1200 wireless devices and about 400 wired devices. Network congestion was terrible and we had constant connectivity issues, especially with wireless clients. We ended up carving the network into VLANs that limited the number of clients on any one broadcast domain; now I have at most 300 wireless devices on any given subnet at any given time (real-world numbers are actually more like ~150), and the difference this made has been incredible.

    I will almost certainly never not segment out wireless networks in the future, unless the network in question is very small.
