Security – How to Prevent Rogue Wireless Access Points on a Network
Tags: rogue, security, wireless

Depending on what type of traffic is going over the network, it's often not feasible for an employee to bring in a wireless router and set it up on your network. This is because often they are not secured, or are poorly secured, and present a backdoor into the network. What can you do to prevent rogue wireless access points from being introduced into your network?
Related Solutions
A couple of thoughts. I can go into more detail on any of these if you need me to.
- When it comes to wireless, there are two ways to plan. One is for coverage, the other is for capacity. Based on the number of devices (capacity) and space (coverage) that you describe, I believe that capacity is going to be the bigger deciding factor. Remember that wireless is like using an old-school hub. Everyone hears everything. That also means that only one client can talk to one AP at a time. This isn't a limitation of a device (Cisco vs. Netgear); this is a limitation of the physical medium (airspace). Since you are programming for mobile devices, which will only support a single stream, you should plan on 1 dual-band AP per 50 devices. If you choose to only support 2.4 or 5 GHz (airspace issues with neighbor offices, for instance), then plan on 1 AP per 30 devices.
- The Cisco 887 only has a 100Mb connection. If you keep with your current plan and do all of your L3 routing on the 887, it will become a bottleneck for anything that routes between your internal networks. Examples include: local replication for Dropbox, wireless syncing between i-devices and iTunes, copying files from machine A to B, Time Machine backups, etc. This bottleneck occurs because any time data must flow from one network to another (WLAN to LAN) it will need to be routed, and must go out, and then back in, from the same 100Mb interface. This might not be a big deal, but I wanted to mention it, just in case.
- The wireless controllers are a good idea. The initial setup takes a little while longer, but from that point on it becomes super easy to deploy more APs or WLANs. I don't know anything about them from personal experience, but I have heard good things about the Meraki APs. It is a cloud-based controller solution, which Cisco recently bought. EDIT for clarity: I don't know anything about the Meraki solution. I know A LOT about the Cisco Wireless Controllers :-).
- How are you powering your APs? Do you plan on using VoIP in the future? Consider both of these when considering whether or not to order a switch with PoE.
- Also, just noticed, you are planning on putting a firewall in-line after the router. That further complicates your plan to route between subnets there. I would plan on purchasing an L3 switch. That would simplify the deployment considerably.
Hope this helps. Good luck.
Merely putting personal-use internet on a different subnet is normally not sufficient unless that subnet is firewalled from the rest of the company; there are all kinds of internet vulnerabilities that hijack a user's PC and pose a threat to your company unless you are smart about protecting yourself. This is one example of an innocent-looking WordPress compromise (CVE-2013-1949) that would be a threat to an unprotected internal network.
Personal-use Internet for BYOD is not a security risk if done correctly...
All personal-use wifi access should be performed with 802.1x (usually PEAP) so you can revoke wifi access credentials on a per-user basis.
- Avoid shared credentials like WEP or WPA PSK (i.e. you're not giving internet access to the general public, so there is no need to use well-known wifi credentials)
- Use wIPS to keep an eye out for rogue APs which spoof your SSID because PEAP clients are vulnerable to AP impersonation attacks under some circumstances
- Disable client to client traffic (Cisco calls it "peer to peer traffic") to avoid problems with clients attacking other clients over your wifi (ARP spoofing attacks are just one example)
- Your company is still responsible for the behavior of these users if they abuse your internet connection
- Build a good security policy for acceptable-use of the personal-use internet connection; require users to sign and accept the policy before connecting (your corporate HR / legal departments may want to be involved here as well).
- Proxy and log all internet access from this subnet
- Use an IDS / IPS if possible for the personal-use Internet DMZ
- If the personal-use wifi AP is in autonomous mode, some possible network design options to isolate personal-use internet traffic from your corporate network:
  - The vlan for the wifi AP could be in an internet-only VRF
  - The vlan for the wifi AP could be directly attached to your internet FW (in a DMZ)
- If the personal-use wifi AP is managed from a Wireless LAN Controller, some possible network design options to isolate personal-use internet traffic from your corporate network:
  - The WLC could direct all personal-use internet traffic to an internet-only VRF
  - The WLC could have a VLAN that is attached to your internet FW (in a DMZ)
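The answer above recommends a wIPS to watch for rogue APs that spoof your SSID (the evil-twin case that PEAP clients are exposed to). A minimal version of that check can be scripted from an ordinary wireless scan. The following is an added example, not code from the original answer: it parses scan output in the format printed by `iw dev <iface> scan` on Linux and classifies each BSS against an inventory of the BSSIDs you actually deployed. The scan text, the corporate SSID names and the inventory are all constructed for the example.

```python
"""Classify access points seen in a wireless scan against an authorized inventory.

Added example (not from the original answers). Assumes `iw dev <iface> scan`
output format; the scan text and the inventory below are constructed.
"""
import re
from dataclasses import dataclass

# SSIDs the organisation broadcasts, and the BSSIDs of the APs it deployed (constructed).
CORPORATE_SSIDS = {"CorpWiFi", "CorpGuest"}
AUTHORIZED_BSSIDS = {
    "00:11:22:aa:bb:01": "CorpWiFi",
    "00:11:22:aa:bb:02": "CorpWiFi",
    "00:11:22:aa:bb:03": "CorpGuest",
}

# Constructed `iw dev wlan0 scan` output: one "BSS <bssid>(on <iface>)" block per AP seen,
# followed by tab-indented attribute lines.
SCAN_OUTPUT = """\
BSS 00:11:22:aa:bb:01(on wlan0)
\tfreq: 5180
\tsignal: -51.00 dBm
\tSSID: CorpWiFi
BSS 00:11:22:aa:bb:03(on wlan0)
\tfreq: 2437
\tsignal: -60.00 dBm
\tSSID: CorpGuest
BSS 8c:de:f9:12:34:56(on wlan0)
\tfreq: 2412
\tsignal: -38.00 dBm
\tSSID: CorpWiFi
BSS 3c:ab:cd:77:88:99(on wlan0)
\tfreq: 2462
\tsignal: -80.00 dBm
\tSSID: NeighbourOffice
"""


@dataclass
class ObservedAP:
    bssid: str
    ssid: str
    freq_mhz: int
    signal_dbm: float


BSS_RE = re.compile(r"^BSS ([0-9a-f:]{17})", re.IGNORECASE)


def parse_iw_scan(text):
    """Return one ObservedAP per BSS block in iw scan output."""
    aps = []
    current = None
    for line in text.splitlines():
        m = BSS_RE.match(line)
        if m:
            current = {"bssid": m.group(1).lower(), "ssid": "", "freq": 0, "signal": 0.0}
            aps.append(current)
            continue
        if current is None:
            continue
        field = line.strip()
        if field.startswith("SSID: "):
            current["ssid"] = field[len("SSID: "):]
        elif field.startswith("freq: "):
            current["freq"] = int(field.split()[1])
        elif field.startswith("signal: "):
            current["signal"] = float(field.split()[1])
    return [ObservedAP(a["bssid"], a["ssid"], a["freq"], a["signal"]) for a in aps]


def classify(ap):
    """Label an observed AP relative to the authorized inventory."""
    if ap.bssid in AUTHORIZED_BSSIDS:
        if AUTHORIZED_BSSIDS[ap.bssid] == ap.ssid:
            return "authorized"
        return "authorized-ap-wrong-ssid"   # our radio, but not the SSID we assigned it
    if ap.ssid in CORPORATE_SSIDS:
        return "ssid-spoof"                 # our SSID from a BSSID we do not own: evil twin
    return "foreign"                        # a neighbour's network, not ours


def find_rogues(scan_text):
    """Return (bssid, ssid, label) for every AP that is not a known-good one."""
    observed = parse_iw_scan(scan_text)
    return [(ap.bssid, ap.ssid, classify(ap)) for ap in observed if classify(ap) != "authorized"]


if __name__ == "__main__":
    for bssid, ssid, label in find_rogues(SCAN_OUTPUT):
        print(f"{label:25s} {bssid}  {ssid!r}")
```

Run periodically from a wired host with a wireless card near each floor, the "ssid-spoof" label is the one to alert on: it is exactly the AP impersonation the answer warns about. "foreign" results are usually neighbours and only worth a look if the signal is strong enough to be inside your building. A real wIPS does the same comparison continuously from the controller's own radios and can also attempt containment; this script only detects.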
Best Answer
Lucas's answer above is a bit of a starting point. There are however two or three other things that must be considered. These end up being somewhat outside the scope of network engineering, but certainly have impacts for network engineering and security so here they go.
You probably want some way of preventing wireless cards in company laptops from being switched into ad hoc mode. Assuming the laptops are running Windows, you probably want to use a GPO to set them to infrastructure mode only. For Linux, it is harder to fully restrict, but there are ways to do this too.
Enforcing IPsec is also a good idea, particularly with good key management and trusted enforcement. For example, if you can go to X.509 certs for key management, this can keep unauthorized devices from communicating with the rest of your network directly. Consider key management as a core part of the infrastructure here. If you use a proxy server, you may even be able to block unauthorized devices from accessing the internet.
Note the limitations of your efforts. None of these prevents a person from setting up an unsecured wireless access point connected to a USB NIC, for the sole purpose of communicating with their computer, especially if the SSID is hidden (i.e. not broadcast).
Not sure how to further contain problems or if further paranoia is well past the point of insufficient returns...
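The best answer is about controls on the hosts themselves and ends by noting their limits. A complementary check comes from the wired side, which is where a rogue wireless router has to plug in: the switch's MAC address table shows which addresses sit behind each access port. The following is an added example, not code from any of the answers; it assumes the output format of Cisco IOS `show mac address-table`, and the table text, the asset inventory and the uplink port list are constructed for the example.

```python
"""Flag switch access ports that may have a rogue AP or unmanaged switch behind them.

Added example, not part of the original answers. Assumes Cisco IOS
`show mac address-table` output; the table, inventory and uplink list are constructed.
"""
import re
from collections import defaultdict

# Constructed asset inventory: MAC (Cisco dotted form) -> the port it is allowed on.
INVENTORY = {
    "0011.22aa.bb01": "Gi1/0/1",
    "0011.22aa.bb02": "Gi1/0/2",
    "0011.22aa.bb03": "Gi1/0/3",
    "0011.22aa.bb04": "Gi1/0/4",
}

# Ports that legitimately carry many MACs (uplinks to other switches); constructed.
UPLINK_PORTS = {"Gi1/0/48"}

# Constructed `show mac address-table` output. Gi1/0/4 has extra addresses behind
# a single access port, the pattern a bridging wireless router or hub produces.
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.22aa.bb01    DYNAMIC     Gi1/0/1
  10    0011.22aa.bb02    DYNAMIC     Gi1/0/2
  10    0011.22aa.bb03    DYNAMIC     Gi1/0/3
  10    0011.22aa.bb04    DYNAMIC     Gi1/0/4
  10    0011.22aa.bb05    DYNAMIC     Gi1/0/4
  10    a4b1.c2d3.e4f5    DYNAMIC     Gi1/0/4
  10    5c6d.7e8f.9a0b    DYNAMIC     Gi1/0/7
  10    0011.22aa.cc01    DYNAMIC     Gi1/0/48
  10    0011.22aa.cc02    DYNAMIC     Gi1/0/48
Total Mac Addresses for this criterion: 9
"""

# One table row: vlan, dotted MAC, type, port. Header and footer lines do not match.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return a list of (vlan, mac, port) tuples parsed from the table text."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2).lower(), m.group(4)))
    return rows


def audit_ports(text):
    """Return {port: [finding, ...]} for access ports that warrant a look."""
    by_port = defaultdict(list)
    for _vlan, mac, port in parse_mac_table(text):
        by_port[port].append(mac)

    findings = {}
    for port, macs in sorted(by_port.items()):
        if port in UPLINK_PORTS:
            continue  # many MACs are expected on an uplink
        issues = []
        if len(macs) > 1:
            issues.append(f"{len(macs)} MACs on one access port (bridging device behind it?)")
        unknown = [m for m in macs if m not in INVENTORY]
        if unknown:
            issues.append("unknown MACs: " + ", ".join(unknown))
        moved = [m for m in macs if m in INVENTORY and INVENTORY[m] != port]
        if moved:
            issues.append("inventory MACs on the wrong port: " + ", ".join(moved))
        if issues:
            findings[port] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit_ports(MAC_TABLE).items():
        print(port)
        for issue in issues:
            print("   ", issue)
```

Two caveats a practitioner should keep in mind. A consumer router in its default NAT mode shows up as a single unknown MAC (the Gi1/0/7 case here), so the check is only as good as the inventory; and the MAC can be cloned from the PC that was on the port before. The check is therefore a detection aid, not a control: the controls on the wired side are port security with a per-port MAC limit and, better, 802.1X on the access ports, the same mechanism the earlier answer recommends for the wireless side.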