At my work we have been slowly moving from our previous firewall/network setup over to ISA Server 2004. Doing so has enabled us to lock down the network much more: limit users' web browsing abilities and even implement a nice VPN solution. So far we've had great success with ISA. Recently, though, we've had trouble with viruses on the network. Mainly, the ISA Server itself got a virus on it, which basically crippled the network for a couple of days. All of our desktops have virus scanners on them, though I don't believe they scan as they download, only more of a passive scan. So previously viruses would only be caught on daily or weekly scans. I have since installed GFI WebMonitor and enabled the virus scanner, so every file downloaded to our network will now be scanned for a virus as it enters our network. There is still the problem of viruses being brought in, but that seems only likely from our employees who use the wireless access.
Employees are allowed to bring in their laptops (they are ambulance drivers) to use the wireless access when they're not on a call. So as it stands, the network they access is the same network our entire business infrastructure runs on. Obviously this is less than ideal, but it was like this when I got here. We would like to separate the two networks for two reasons. One, to block all traffic from the wireless LAN to the wired LAN. This, in effect, would stop viruses from spreading to and from each network, as well as keeping our network safe from prying eyes.
Now my proposal for this is to simply add a third network card to our ISA server, and then attach the wireless AP directly to that. I could then block all traffic from that network to our main network, but this brings up a new problem. We have rules set up in ISA which require all users to be authenticated. Since those users accessing wireless are not authenticated, we currently have them going through a different gateway to the internet. These users also are not a part of our domain, so even if I were to install the Firewall Client on their machines, or added the proxy address to IE, they still wouldn't have the right user credentials to get through the firewall, and giving them the credentials is simply not an option.
What I'd like to be able to do is have their traffic go through ISA, but go through unauthenticated. Given the parameters I have to work with, my options are quite limited at the moment, at least as I'm looking at things. I suppose I could set them up in a DMZ, but I'm not sure if that would yield the results I am looking for. My question for anyone out there is: is there a way of doing what I want, given what I have to work with? I'll recap things below so you don't have to read through everything again.
Wireless and Wired networks on same LAN.
Wireless can access all computers on wired LAN.
Wireless users access internet through different gateway than ISA server.
Wireless users are not in the domain, nor is their traffic authenticated.
What I would like:
Separate Wired and Wireless LANs, either by subnet, or using ISA to block traffic between the two.
Block traffic from wireless to wired, except for maybe printer access.
Allow anonymous wireless traffic through ISA, even though every user is currently required to give credentials; basically, make an exception in this case.
Sorry for the long post, but any suggestions would be greatly appreciated. If you need more information, I would be happy to provide it. Thanks.
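As an added example for this thread (not code from the original post and not ISA Server's own API), the following Python model mimics ISA's top-down, first-match access-rule evaluation for the three-NIC layout proposed above: an anonymous "All Users" rule scoped to the new Wireless network sits above the "All Authenticated Users" rule for the wired LAN, and the absence of any Wireless-to-Internal rule leaves that traffic to the default deny. The subnets, printer address and rule names are constructed assumptions.

```python
"""Toy model of ISA-style ordered policy evaluation (added example, not ISA code).
Networks: wired Internal, the new Wireless network on a third NIC, and External.
Subnets and the printer address below are constructed sample values."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed ISA "networks"; anything outside them is treated as External
NETWORKS = {
    "Internal": ip_network("192.168.1.0/24"),
    "Wireless": ip_network("192.168.50.0/24"),
}
PRINTER = ip_address("192.168.1.20")  # constructed: the one wired host wireless may reach


def network_of(ip):
    for name, net in NETWORKS.items():
        if ip_address(ip) in net:
            return name
    return "External"


@dataclass
class Rule:
    name: str
    src: set      # source network names
    dst: set      # destination network names, or the "Printer" object
    users: str    # "All Users" (anonymous allowed) or "All Authenticated Users"
    action: str   # "allow" or "deny"


# Ordered policy: the wireless exceptions are placed ABOVE the authenticated rule
POLICY = [
    Rule("Wireless to printer", {"Wireless"}, {"Printer"}, "All Users", "allow"),
    Rule("Wireless to Internet (anonymous)", {"Wireless"}, {"External"}, "All Users", "allow"),
    Rule("Wired to Internet", {"Internal"}, {"External"}, "All Authenticated Users", "allow"),
]


def evaluate(src_ip, dst_ip, authenticated):
    """First matching rule decides; no match falls through to ISA's default deny."""
    src_net, dst_net = network_of(src_ip), network_of(dst_ip)
    dst_labels = {dst_net} | ({"Printer"} if ip_address(dst_ip) == PRINTER else set())
    for rule in POLICY:
        if src_net not in rule.src or not (dst_labels & rule.dst):
            continue
        if rule.users == "All Authenticated Users" and not authenticated:
            continue  # ISA would demand credentials here; wireless users have none
        return rule.action, rule.name
    return "deny", "default rule"
```

Run `evaluate("192.168.50.10", "192.168.1.5", False)` to see wireless-to-wired traffic fall to the default deny, while the same client reaching an external address is allowed anonymously.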