Welcome to ISAserver.org
Separating Wireless LAN from Wired LAN

Forum: ISA Server 2004 Firewall >> Network Infrastructure

Separating Wireless LAN from Wired LAN - 7.Feb.2007 1:09:56 PM   

meddlingBanter
Posts: 9
Joined: 2.Aug.2006
Status: offline
At my work we have been slowly moving over from our previous firewall/network setup to ISA Server 2004.  Doing so has enabled us to lock down the network much more: limit users' web browsing abilities and even implement a nice VPN solution.  So far we've had great success with ISA.  Recently though we've had trouble with viruses on the network.  Mainly, the ISA Server itself got a virus on it, which basically crippled the network for a couple of days.  All of our desktops have virus scanners on them, though I don't believe they scan as they download, only more of a passive scan.  So previously viruses would only be caught on daily or weekly scans.  I have since installed GFI WebMonitor and enabled the virus scanner, so every file downloaded to our network is now scanned for a virus as it enters our network.  There is still the problem of viruses being brought in, but that seems only likely from our employees who use the wireless access.

Employees are allowed to bring in their laptops (they are ambulance drivers) to use the wireless access when they're not on a call.  So as it stands, the network they access is the same network our entire business infrastructure runs on.  Obviously this is less than ideal, but it was like this when I got here.  We would like to separate the two networks for two reasons.  One, to block all traffic from the Wireless LAN to the Wired LAN.  This in effect would stop viruses from spreading to and from each network as well as keeping our network safe from prying eyes.

Now my proposal for this is to simply add a third network card to our ISA server, and then attach the Wireless AP directly to that.  I could then block all traffic from that network to our main network, but this brings up a new problem.  We have rules set up in ISA which require all users to be authenticated.  Since those users accessing wireless are not authenticated, we currently have them going through a different gateway to the internet.  These users are also not a part of our domain, so even if I were to install the Firewall Client on their machines, or added the proxy address to IE, they still wouldn't have the right user credentials to get through the firewall, and giving them the credentials is simply not an option.

What I'd like to be able to do is have their traffic go through ISA, but go through unauthenticated.  Given the parameters I have to work with, my options are quite limited at the moment, at least the way I'm looking at things.  I suppose I could set them up in a DMZ, but I'm not sure if that would yield the results I am looking for.  My question for anyone out there is: is there a way of doing what I want given what I have to work with?  I'll recap things below so you don't have to read through everything again.

Current Situation:
Wireless and Wired networks on same LAN.
Wireless can access all computers on wired LAN.
Wireless users access internet through different gateway than ISA server.
Wireless users are not in the domain, nor is their traffic authenticated.

What I would like:
Separate Wired and Wireless LANs, either by subnet, or using ISA to block traffic between the two.
Block traffic from wireless to wired, except for maybe printer access.
Allow wireless anonymous traffic through ISA, even though every user is now required to give credentials; basically make an exception in this case.

Sorry for the long post, but any suggestions would be greatly appreciated.  If you need more information, I would be happy to give it to you.  Thanks.
Post #: 1
RE: Separating Wireless LAN from Wired LAN - 7.Feb.2007 5:31:46 PM   

elmajdal
Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline

Check these articles:

Configuring an Untrusted Wireless DMZ on the ISA Firewall: Part 1

Configuring an Untrusted Wireless DMZ on the ISA Firewall - Part 2
Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to meddlingBanter)
Post #: 2
RE: Separating Wireless LAN from Wired LAN - 7.Feb.2007 6:37:55 PM   

meddlingBanter
Posts: 9
Joined: 2.Aug.2006
Status: offline
Thanks for the article, Elmajdal.  The article looks helpful, but doesn't exactly answer my question.  That article explains exactly what I was planning on doing.  The thing I'm worried about is my current firewall policies.  Because I have rules that only apply to groups of users, this requires all traffic to be authenticated by ISA.  In other words, each user on the network whose traffic goes through ISA to and from the Internet must either have the Firewall Client installed and/or a proxy set up in IE or any other browser.  From reading the article I found nothing which said how to create a DMZ that would somehow bypass or circumvent the need to authenticate all traffic through the ISA Server.  If there was something in there about that, maybe you could copy and paste it here, but I don't think that helps me in my current situation.  Thanks though.

(in reply to elmajdal)
Post #: 3
RE: Separating Wireless LAN from Wired LAN - 16.Feb.2007 6:40:50 PM   

r.schreibers
Posts: 9
Joined: 16.Feb.2007
Status: offline
Bringing up an extra NIC for the WLAN users is an option.

If the Wireless LAN is in a different subnet, can't you simply allow anyone coming from this subnet to access the internet (SNAT) while all connections from the Wired network use integrated authentication (i.e. Proxy Client)?

(in reply to meddlingBanter)
Post #: 4
RE: Separating Wireless LAN from Wired LAN - 16.Mar.2007 9:59:44 AM   


Posts: 14
Joined: 15.Mar.2007
Status: offline
Create a separate network with your third NIC. Set the wireless users up as SecureNAT clients on this new network (ISA server is the gateway for these PCs). Then create a rule to allow anonymous traffic from this network to the internet.

(in reply to r.schreibers)
Post #: 5
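The three replies above converge on one design: put the wireless segment on its own NIC as a separate ISA network, make the laptops SecureNAT clients (so they never present credentials), and add an access rule that allows anonymous web traffic from that network only, while the wired network keeps its user-group rules. What the thread does not spell out is why rule order matters for this. The Python model below is an added example and is not ISA Server code or anything posted in the thread; network names, the printer protocol name and the "Domain Users" group are constructed placeholders, and the evaluation model it assumes (the first rule whose networks and protocol match decides, and a rule that applies to a user set denies an anonymous request at that point rather than being skipped over, which is why ISA administrators place anonymous rules above rules that require authentication) is stated here as the assumption being demonstrated.

```python
"""Toy model of ordered ISA-style access-rule evaluation for the wireless-DMZ design.

Constructed example: the networks, protocol names and user groups are placeholders,
and the evaluation semantics are a simplified model of ISA Server 2004 behaviour.
"""
from dataclasses import dataclass
from typing import Optional, Set, Tuple, List

# Network names used by the model (assumed; ISA lets you name networks freely).
INTERNAL, WIRELESS, EXTERNAL = "Internal", "Wireless", "External"

# User-set semantics: "All Users" matches anonymous and authenticated requests alike;
# anything else requires the request to carry credentials.
ALL_USERS = "All Users"
ALL_AUTH = "All Authenticated Users"


@dataclass
class Request:
    src_net: str
    dst_net: str
    protocol: str
    user: Optional[str] = None  # None = anonymous; a SecureNAT client is always None


@dataclass
class Rule:
    name: str
    action: str            # "allow" or "deny"
    src: Set[str]
    dst: Set[str]
    protocols: Set[str]    # {"*"} means all protocols
    users: str = ALL_USERS


def _traffic_matches(rule: Rule, req: Request) -> bool:
    return (req.src_net in rule.src and req.dst_net in rule.dst
            and ("*" in rule.protocols or req.protocol in rule.protocols))


def evaluate(policy: List[Rule], req: Request) -> Tuple[str, str]:
    """Return (decision, deciding rule name) for a request under an ordered policy.

    Modelled semantics (assumption): the first rule whose networks and protocol match
    decides. If that rule applies to a user set and the request is anonymous, the
    request is denied there because credentials are demanded and a SecureNAT client
    cannot supply them; an authenticated user outside the rule's set falls through.
    """
    for rule in policy:
        if not _traffic_matches(rule, req):
            continue
        if rule.users != ALL_USERS:
            if req.user is None:
                return ("deny (credentials required)", rule.name)
            if rule.users not in (ALL_AUTH, req.user):
                continue
        return (rule.action, rule.name)
    return ("deny", "Default rule")


# The design from the thread: wireless isolated from wired (printer excepted),
# anonymous web access for wireless listed BEFORE any rule that needs credentials.
WIRELESS_DMZ_POLICY = [
    Rule("Wireless to printers", "allow", {WIRELESS}, {INTERNAL}, {"PrinterTCP9100"}),
    Rule("Block wireless to wired", "deny", {WIRELESS}, {INTERNAL}, {"*"}),
    Rule("Anonymous wireless web", "allow", {WIRELESS}, {EXTERNAL}, {"HTTP", "HTTPS"}),
    Rule("Staff web access", "allow", {INTERNAL}, {EXTERNAL}, {"HTTP", "HTTPS"},
         users="Domain Users"),
]

# The pitfall: an authenticated web rule scoped to all networks sits above the
# anonymous one, so the SecureNAT laptops hit it first and are denied.
MISORDERED_POLICY = [
    WIRELESS_DMZ_POLICY[0],
    WIRELESS_DMZ_POLICY[1],
    Rule("Staff web access (all networks)", "allow", {INTERNAL, WIRELESS}, {EXTERNAL},
         {"HTTP", "HTTPS"}, users="Domain Users"),
    WIRELESS_DMZ_POLICY[2],
]


def wireless_isolated(policy: List[Rule], protocols: List[str],
                      allowed: Set[str]) -> bool:
    """Check that wireless -> wired is denied for every protocol not in `allowed`."""
    for proto in protocols:
        decision, _ = evaluate(policy, Request(WIRELESS, INTERNAL, proto))
        if (decision == "allow") != (proto in allowed):
            return False
    return True


if __name__ == "__main__":
    laptop_web = Request(WIRELESS, EXTERNAL, "HTTP")            # SecureNAT, anonymous
    laptop_smb = Request(WIRELESS, INTERNAL, "SMB")
    staff_web = Request(INTERNAL, EXTERNAL, "HTTP", user="Domain Users")
    for label, policy in (("correct order", WIRELESS_DMZ_POLICY),
                          ("misordered", MISORDERED_POLICY)):
        print(label)
        for req in (laptop_web, laptop_smb, staff_web):
            print("  ", req.src_net, "->", req.dst_net, req.protocol, evaluate(policy, req))
```

The check worth keeping from this model is the last one: wireless to wired should come out as "deny" for everything except the printer protocol, and the anonymous web rule must sit above any rule that applies to a user set, otherwise the SecureNAT laptops are refused at the first credential-requiring rule they match.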