One of the most simple ways that you can create a security boundary on your wireless network is to not only logically separate the wireless clients but to also “physically” separate them as well. Most of the time we see access points setup through an environment on the same SSID so that as people walk through a building there is a seamless transition and the network is available anywhere they go. What happens when you have to add a layer of security to this environment? What happens when manufacturing wants this same functionality as the support department?
Lucky for us we can have multiple SSID’s mapped to VLAN’s quite easily…. depending on your hardware. Lets break that scenario down a little bit by going to older methods first. If your hardware doesn’t support multiple SSID’s or multiple VLAN’s then your only option is to have double, triple, etc access points in your wireless environment. Each department will be dedicated to that SSID and each access point will have a dedicated connection back to your switch which will implement the VLAN setup. Simple….ish until you have to provide for multiple departments as that increases hardware cost and additional cabling.
What about that multi-SSID access point you have? Again it depends on the level of the hardware that you have. If your access point simply allows for multiple SSID’s then that is great from a bandwidth perspective. Not so great from a security perspective as the data from those SSID’s is shared on the same subnet/network uplink from that access point. SSID ‘one’ computers would be able to directly access SSID ‘two’ computers.
Ok ok; I bought the most expensive access point from Cisco where money wasn’t an issue. Now what? Well you most likely don’t have to purchase the most expensive one to get the multi-SSID and multi-VLAN options. Even my 10 year old wireless B/G access point has software loaded on it to support the security we desire. What we are going for is quite simply a mapping of SSID ‘one’ to VLAN ‘one’ as well as SSID ‘two’ to VLAN ‘two’ on the same access point. Of course the implementation will be different from vendor to vendor but the concept is the same.
You can treat each one of these network setups as independent setups for the needs of the department by only have one or two access points for their area of the building. Why does this matter in the security realm? It matter big time. When trying to track down the source of someone breaking into your wireless network, it is a bit easier to track down one side of the building than it is to track down an intruder over a multi-acre building. It can also help with management depending on your setup. For some implementations it could be easy to say one config for 3 access points and another config for 3 other access points. This allows easier management of any ACL’s or routing that needs to happen. In other environments it may be easier to say all access points require the same config so that you only have to manage one config file.
In the end it all comes back to security in the form of layers. Sure it may be easy to setup the company on one SSID that spans the building but then you take on the security risks associated with that setup. For additional cost you can setup a robust wireless solution allowing additional bandwith as well as security from one department to the next. What level of risk are you willing to take on?
