Routing – How risky is a personal-use-only wireless subnet inside the corporate subnet

Tags: firewall, ieee 802.11, routing, security, wireless

My company's security policy with respect to wireless routers is to not use them at all — everyone's wired in. Devices for personal use, such as laptops or cell phones, have to use their phone's data plan, and in special circumstances, employees can use a company-provided wireless hotspot. Unfortunately, many of the employees get bad reception in the office, but we still make them use their data plan when we could be connecting over WiFi.

I'm trying to do a risk assessment of an arrangement like this, where the secured devices are given access to the LAN, and the unsecured devices are given access only to the internet via an additional router, a wireless one.

{internet} <-> [router] <-> [secured devices]

{internet} <-> [router] <-> [wireless router] <-> [unsecured devices]

My thought is that since the unsecured devices will be on their own subnet, they wouldn't pose a significant threat to the secured devices. This subnet would be for personal use only, and I'm thinking the unsecured devices would not be able to access the secured devices outside their subnet. I'm mostly speculating though, since I haven't been able to find a lot of resources on the subject. This answer points to some BYOD resources, but not a separate personal-use-only network.

I'm guessing a better option is to replace the {internet} <-> [router] with {internet} <-> [switch] to which both independent routers are connected. However, this option is a lot less feasible, so I really only want to make that kind of recommendation if the other option is too risky.

Best Answer

Merely putting personal-use internet on a different subnet is normally not sufficient unless that subnet is firewalled from the rest of the company; there are all kinds of internet vulnerabilities that hijack a user's PC and pose a threat to your company unless you are smart about protecting yourself. This is one example of an innocent-looking WordPress compromise (CVE-2013-1949) that would be a threat to an unprotected internal network.

Personal-use Internet for BYOD is not a security risk if done correctly...

  • All personal-use wifi access should be performed with 802.1x (usually PEAP) so you can revoke wifi access credentials on a per-user basis.

    • Avoid shared credentials like WEP or WPA PSK (i.e. you're not giving internet access to the general public, so there is no need to use well-known wifi credentials)
    • Use wIPS to keep an eye out for rogue APs which spoof your SSID because PEAP clients are vulnerable to AP impersonation attacks under some circumstances
    • Disable client to client traffic (Cisco calls it "peer to peer traffic") to avoid problems with clients attacking other clients over your wifi (ARP spoofing attacks are just one example)
  • Your company is still responsible for the behavior of these users if they abuse your internet connection
    • Build a good security policy for acceptable-use of the personal-use internet connection; require users to sign and accept the policy before connecting (your corporate HR / legal departments may want to be involved here as well).
    • Proxy and log all internet access from this subnet
    • Use an IDS / IPS if-possible for the personal-use Internet DMZ
  • If the personal-use wifi AP is in autonomous mode, some possible network design options to isolate personal-use internet traffic from your corporate network:
    • The vlan for the wifi AP could be in an internet-only VRF
    • The vlan for the wifi AP could be directly attached to your internet FW (in a DMZ)
  • If the personal-use wifi AP is managed from a Wireless LAN Controller, some possible network design options to isolate personal-use internet traffic from your corporate network:
    • The WLC could direct all personal-use internet traffic to an internet-only VRF
    • The WLC could have a VLAN that is attached to your internet FW (in a DMZ)
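The answer's core point is that the personal-use subnet is only safe if it is firewalled from the corporate network, with web access proxied and logged and guest clients kept apart from each other. The following is an added example, not code from the answer's author or from any of the vendors mentioned: a small first-match firewall policy for such a guest VLAN, modelled in Python so the rules can be checked against sample flows before they go onto a real firewall. The guest VLAN (10.250.0.0/24), the DMZ resolver and proxy hosts, the corporate prefixes and all of the sample flows are constructed assumptions for the example.

```python
"""Added example, not code from the original answer: a first-match firewall
policy for the personal-use wifi VLAN described above, modelled in Python so
the rules can be checked against sample flows before they are deployed.
All prefixes, hosts and flows are constructed for the example."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed addressing (assumption). The guest VLAN and its two helper
# hosts sit in a DMZ attached to the internet firewall; the corporate
# prefixes are reachable only through that firewall.
GUEST_VLAN = ipaddress.ip_network("10.250.0.0/24")   # personal-use wifi clients
DMZ_DNS = ipaddress.ip_address("10.251.0.2")         # resolver offered to guests
DMZ_PROXY = ipaddress.ip_address("10.251.0.3")       # logging web proxy
CORPORATE = [ipaddress.ip_network("10.10.0.0/16"),   # wired user LAN
             ipaddress.ip_network("10.20.0.0/16")]   # server LAN
WEB_PORTS = {80, 443}                                # web must go via the proxy


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str  # "accept" or "drop"
    match: Callable[[Flow], bool]


def in_corporate(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in CORPORATE)


# Ordered like a real ruleset: first match wins, last rule catches the rest.
POLICY: List[Rule] = [
    # client isolation at layer 3, backing up the AP-level setting
    Rule("guest-isolation", "drop", lambda f: f.dst in GUEST_VLAN),
    Rule("allow-dmz-dns", "accept",
         lambda f: f.dst == DMZ_DNS and f.proto == "udp" and f.dport == 53),
    Rule("allow-dmz-proxy", "accept",
         lambda f: f.dst == DMZ_PROXY and f.proto == "tcp" and f.dport == 3128),
    # nothing in the corporate prefixes, or any other RFC1918 space, is reachable
    Rule("deny-corporate", "drop", lambda f: in_corporate(f.dst) or f.dst.is_private),
    # direct internet is fine except for web, which must use the logged proxy
    Rule("allow-internet", "accept",
         lambda f: not f.dst.is_private and f.dport not in WEB_PORTS),
    Rule("default-deny", "drop", lambda f: True),
]


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return (action, rule name) for a flow sourced from the guest VLAN."""
    if flow.src not in GUEST_VLAN:
        return ("drop", "not-guest-source")  # this policy only covers guest egress
    for rule in POLICY:
        if rule.match(flow):
            return (rule.action, rule.name)
    return ("drop", "default-deny")  # unreachable, the last rule matches everything


def audit(flows: List[Flow]) -> List[str]:
    """Evaluate each flow and produce one log line per decision, since the
    answer asks for all access from this subnet to be logged."""
    lines = []
    for f in flows:
        action, rule = evaluate(f)
        lines.append(f"guest-fw src={f.src} dst={f.dst} proto={f.proto} "
                     f"dport={f.dport} action={action} rule={rule}")
    return lines


def flow(src: str, dst: str, proto: str, dport: int) -> Flow:
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, dport)


# Constructed sample traffic from one guest client.
SAMPLE_FLOWS = [
    flow("10.250.0.50", "10.251.0.2", "udp", 53),     # DNS to the DMZ resolver
    flow("10.250.0.50", "10.251.0.3", "tcp", 3128),   # web via the proxy
    flow("10.250.0.50", "8.8.8.8", "tcp", 443),       # direct HTTPS, bypassing the proxy
    flow("10.250.0.50", "8.8.8.8", "tcp", 22),        # direct non-web internet
    flow("10.250.0.50", "10.10.5.20", "tcp", 445),    # SMB into the corporate LAN
    flow("10.250.0.50", "10.250.0.77", "tcp", 22),    # another guest client
    flow("10.250.0.50", "192.168.1.1", "tcp", 80),    # unrelated RFC1918 space
]

if __name__ == "__main__":
    for line in audit(SAMPLE_FLOWS):
        print(line)
```

Running the block prints one log line per sample flow: the two DMZ helpers are reached, non-web internet is allowed, direct HTTPS falls through to the default deny because web must cross the proxy, and the corporate LAN, other guest clients and any other RFC1918 space are dropped by name. On a real firewall the same ordering applies: isolation and explicit DMZ allows first, the corporate deny before any internet allow, and a logged default deny last.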