  • By (Deleted User)

    Hi dianewalker,

    I would set up the network to be synergistically secure for the wireless side as you do the wired side. They are both complementary to each other. Perimeter and Core need similar defenses.

    We have the private users on the trusted side, doing port based authentication with PEAP.

    There are no firewall rules blocking those IPs right now; there are blocks of IPs strategically allocated off the DHCP servers, based on the building, floor and controller of the associated WAP to client.

    There are other additions we will add to the wireless and wired LAN on both trusted and untrusted, that will secure the endpoints even more... a NAC (clean access server) is one of those nice-to-haves that I think makes much sense.

    Blocking an internal IP will most likely occur if we detect something on the (wired and/or wireless) IDS that leads us to un-trust the supplicant, authenticator or authenticating server.

    Then, we have the Public/Guest WLAN, a quasi-untrusted side of the wired LAN sharing the same WAN connection as the private. Here the users are not authenticated through 802.1X, so there is less control. But there are firewalls and rules defined that keep them from crossing into our private LAN.

    Hope this helps.
