How should I secure a corporate wireless network?

We are implementing a new WiFi network at my work, and I am trying to think through a design of the security for the network.

Use case 1: guests. We will have a captive portal set up; guests will accept an acceptable use policy and will be restricted to only the Internet, with no access to the LAN. Simple enough: we will let the firewall block dangerous ports, and there is not much to worry about since they can't touch our primary network.

Use case 2: employees with BYOD and company-owned laptops that might spend months offsite before being brought in to the office. Mix of Windows and OS X. They will authenticate with WPA2-Enterprise to our AD/RADIUS. Is there a good way to give these folks secure LAN access to internal servers?

My thought was that just giving these folks unrestricted access to the LAN is problematic. If they are domain-joined, they will eventually receive security updates from WSUS, but not necessarily before they connect. Anti-virus is also not guaranteed. With the wired network we have in place now, this is minor, but I can see BYOD growing with the addition of a wifi network, particularly for our large crop of summer interns.

I have looked into Microsoft Network Access Protection to enforce security settings and quarantine non-compliant devices, but I am not sure how it will work with OS X (the only agent I could find, the UNET one, has some broken links on the website and pricing is unclear). It also seems to be pretty complex.

Is this overkill? In the real world, how do others handle this scenario? Is there a simpler Network Access Control solution folks like?
I have a school district customer who has a similar setup to what you're talking about.

  • Public access is run over a separate VLAN with dedicated Linux-based DHCP and DNS and no access to the corporate network except through the edge firewall (effectively putting the public wifi "outside" the firewall, so VPN access and access to DMZ-hosted servers work from the public wifi). The "Child Internet Protection Act" requires that we heavily filter this connection, so the public gets the most restrictive policy. (If I could run this over a dedicated physical LAN and separate Internet connection I would. Money says otherwise.)

  • Student-owned devices authenticate to WPA-RADIUS and have access to the Internet. DHCP and DNS are provided by LAN-based servers. AP-based firewall rules (we are running Ruckus ZoneFlex APs, which have a Linux-based iptables firewall in each AP) prevent access to the LAN except for specific services (HTTP to the "learning management system" and a few other web servers). There is a default deny policy for access to the LAN subnets.

I feel like there is a strong distinction between Employee-owned and District-owned devices, from a management policy perspective, so I reflected that in the operational configuration.

  • Employee-owned devices are exactly the same as student-owned devices, except that there's a different Internet filtering policy and employees get RDP access to the LAN subnets where desktop PCs live. There is still a default deny policy for access to the LAN subnets. The number of services offered to employee-owned devices by LAN-based servers is very limited and, frankly, I want to keep it that way. I will try my hardest to ensure that we keep a default deny policy with exceptions between the "BYOD" subnets and the LAN subnets. I've had some disagreements with people about this, but I am of the opinion that "BYOD" devices can't ever be trustworthy to the degree that District-owned devices can.

  • District-owned devices, including laptop computers, get their own SSID with WPA-RADIUS authentication for members of the "Domain Computers" group only. There is a wide open policy of access to the LAN. No users have Administrator rights on their computers, and I'm reasonably happy in deluding myself into thinking that the devices are mostly trustworthy. If I were a bit more paranoid I'd deploy BitLocker using the TPMs on all the laptop computers to prevent offline modification of the OS by the users. That last bit, with full disk encryption, would be all that I would need to make me feel reasonably certain that the district-owned devices are at least somewhat trustworthy. We have only Windows clients but, for a Mac environment, I believe similar capabilities to guarantee the integrity of the trusted computing base from boot are available.

We don't have machines that stay off-site for months. If I did, I'd host an Internet-facing WSUS server and have the clients look there for updates even when they're off-site. Depending on your anti-virus software you may be able to get it to function this way, too.

It's not that I think NAC / NAP is "overkill"; I think it's a fundamentally flawed idea. Some people argue belt-and-suspenders as being a reason to use NAC / NAP, but I have a hard time trusting an untrusted client to assess its own "health". I'm all for performing vulnerability scans against machines from a trusted host, but asking an untrustworthy host to make a trustable statement about itself seems very flawed to me.
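The "default deny with exceptions" policy between the BYOD subnets and the LAN subnets that the answer above describes, written out as an added example; this is not the answerer's configuration or anything from Ruckus, and every subnet and host address in it is a constructed placeholder. It uses plain iptables as found on Linux-based APs or a Linux router between the wireless VLAN and the LAN, generates one chain per role (student-owned devices get DNS and HTTP/HTTPS to the learning management system; employee-owned devices additionally get RDP to the desktop subnet), logs what gets dropped, and by default only prints the commands so the policy can be reviewed before it is applied.

```sh
#!/bin/sh
# Added example (not from the original answer): a default-deny iptables
# policy between a BYOD wireless subnet and the LAN subnets with a short,
# role-specific allow-list. All addresses are constructed placeholders.
# Commands are printed by default; set APPLY=1 to execute them (needs root).

LAN_NETS="10.10.0.0/16 10.20.0.0/16"   # constructed: internal LAN subnets to protect
DESKTOP_NET="10.20.0.0/16"             # constructed: subnet where staff desktop PCs live
LMS_HOST="10.10.5.20"                  # constructed: learning management web server
DNS_HOST="10.10.5.53"                  # constructed: LAN DNS resolver offered to BYOD

# Print or execute one command, depending on APPLY.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# byod_policy ROLE SRC_NET   (ROLE is "student" or "employee")
# Builds chain BYOD-<ROLE>-TO-LAN and hooks SRC_NET -> each LAN subnet into it.
byod_policy() {
    role="$1"
    src_net="$2"
    chain="BYOD-${role}-TO-LAN"

    run iptables -N "$chain"
    run iptables -F "$chain"

    # Replies to connections already accepted are fine; the rules below
    # decide which NEW connections a BYOD client may open toward the LAN.
    run iptables -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Exception 1: DNS, but only to the LAN resolver.
    run iptables -A "$chain" -p udp -d "$DNS_HOST" --dport 53 -j ACCEPT
    run iptables -A "$chain" -p tcp -d "$DNS_HOST" --dport 53 -j ACCEPT

    # Exception 2: HTTP/HTTPS to the learning management system only.
    run iptables -A "$chain" -p tcp -d "$LMS_HOST" -m multiport --dports 80,443 -j ACCEPT

    # Exception 3 (employee-owned devices only): RDP to the desktop subnet.
    if [ "$role" = "employee" ]; then
        run iptables -A "$chain" -p tcp -d "$DESKTOP_NET" --dport 3389 -j ACCEPT
    fi

    # Default deny for everything else, rate-limited logging so denied
    # attempts from the BYOD side show up in syslog for review.
    run iptables -A "$chain" -m limit --limit 10/min -j LOG --log-prefix "${chain}:"
    run iptables -A "$chain" -j DROP

    # Only BYOD -> LAN traffic is sent through the chain; BYOD -> Internet
    # forwarding is left to the rest of the ruleset.
    for net in $LAN_NETS; do
        run iptables -A FORWARD -s "$src_net" -d "$net" -j "$chain"
    done
}

# Number of ACCEPT exceptions a role's chain opens; handy when reviewing
# whether the allow-list has quietly grown.
accept_count() {
    byod_policy "$1" "10.0.0.0/8" | grep -c -- '-j ACCEPT'
}

# Preview both policies (constructed BYOD subnets).
byod_policy student 10.50.0.0/16
byod_policy employee 10.51.0.0/16
```

The split into one chain per role keeps the two allow-lists side by side for review, and the trailing LOG rule is what makes the default deny auditable: if a new LAN service is needed by BYOD clients, it appears in the deny log first and is added as an explicit exception rather than by loosening the policy.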