Wireless Security: Open SSID & Dynamic VLANs

nitrobass24

My Condo is considering switching wifi providers and they are telling us that everyone can have secure wifi connections without using WPAx. This is the email I received, below. To me this sounds like complete bullshit, but I would like someone smarter than me to provide some insight.

Our system is considered “open”, and no, not like McDonald’s or Starbucks. A computer device does not know or need to know about the security on the back end, which is why it throws all those warnings you attached. We employ a hybrid vlan/virtual firewall system to each connection as soon as it connects to our network, as well as forced subnetting to each device limiting the capability of scanning the internal network. This ensures that no device can see or talk to another device. Each computer only has access to the gateway and internet, that’s it. This is all controlled by a central cloud controller system located in our data center. Then the firewall system is quite advanced, in that it both protects the network from external intrusions and monitors for internal hack attempts. It interfaces with our cloud controller to both detect and block any attempt from a user to breach, from both intentional acts and unintentional acts from compromised machines.

With that being said, I can encrypt the wireless signal within about 60 seconds on your call. The biggest issue when it comes to encrypting a wireless signal in a community Wi-Fi environment is compatibility with different ages of equipment.

Most equipment can only encrypt with one protocol, therefore making the encryption choice difficult because you must encrypt at the lowest level to accommodate the oldest equipment on the network. Our equipment can encrypt with multiple encryption protocols simultaneously. We can encrypt in WPA1 and at the same time run an independent signal for WPA2 in both AES/CCMP and TKIP, all at the same time. This greatly reduces the compatibility issues from users with outdated security protocols, making this change much smoother. Let me know if you want to do this.
 
With this new setup, it is secure/isolated from the point it hits the AP until it at least gets to the internet.

The wireless segment will be WIDE OPEN and can be sniffed over the air.

From his language, it is clear this guy knows what he is talking about, but he is talking around the obvious drawback. Can't blame him really... It's a bad solution, but a tricky problem.

Personally, I would create an SSID for each tenant if it's feasible and give them keys. Otherwise, WPA2-Enterprise is your only true method. Multi-tenant and segmented wifi networks are not fun.
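The "wide open" point above, and the email's claim that encryption can be switched on and WPA1/WPA2 run side by side, are both checkable from what the access point advertises in its beacons. The following is an added example, not code from the thread or from the provider: a small Python script that parses `iw dev <iface> scan` style output and reports, per SSID, whether it is open, WEP, WPA1, WPA2-Personal or 802.1X, whether TKIP is still advertised, and whether other tenants on the same SSID could recover your session keys. The scan text, SSIDs and BSSIDs are constructed to resemble `iw` output and are not a real capture.

```python
import re
from dataclasses import dataclass, field

# Constructed sample resembling `iw dev wlan0 scan` output (not a real capture).
SAMPLE_SCAN = """\
BSS 02:00:00:00:01:00(on wlan0)
    freq: 2437
    capability: ESS ShortSlotTime (0x0401)
    SSID: CondoNet-Open
BSS 02:00:00:00:02:00(on wlan0)
    freq: 5180
    capability: ESS Privacy ShortSlotTime (0x0411)
    SSID: CondoNet-Private
    RSN:     * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
         * Authentication suites: IEEE 802.1X
    WPA:     * Version: 1
         * Group cipher: TKIP
         * Pairwise ciphers: CCMP TKIP
         * Authentication suites: PSK
BSS 02:00:00:00:03:00(on wlan0)
    capability: ESS Privacy (0x0011)
    SSID: LegacyNet
BSS 02:00:00:00:04:00(on wlan0)
    capability: ESS Privacy (0x0011)
    SSID: CondoNet-Guest
    RSN:     * Version: 1
         * Pairwise ciphers: CCMP TKIP
         * Authentication suites: PSK
"""


@dataclass
class Bss:
    bssid: str
    ssid: str = ""
    privacy: bool = False                      # "Privacy" bit in the capability field
    rsn: dict = field(default_factory=dict)    # RSN element fields (WPA2/WPA3)
    wpa: dict = field(default_factory=dict)    # legacy WPA element fields (WPA1)


def parse_scan(text):
    """Parse `iw dev <iface> scan` style output into Bss records."""
    bss_list, current, section = [], None, None
    for line in text.splitlines():
        m = re.match(r"BSS ([0-9a-f:]{17})", line)
        if m:
            current = Bss(bssid=m.group(1))
            bss_list.append(current)
            section = None
            continue
        if current is None:
            continue
        s = line.strip()
        if s.startswith("SSID:"):
            current.ssid = s[5:].strip()
            section = None
        elif s.startswith("capability:"):
            current.privacy = "Privacy" in s
            section = None
        elif s.startswith("RSN:"):
            section = "rsn"
        elif s.startswith("WPA:"):
            section = "wpa"
        elif not s.startswith("*"):
            section = None                     # some other attribute line, leave the IE
        if section and "*" in s:               # "* Pairwise ciphers: CCMP" style field
            key, _, value = s.split("*", 1)[1].partition(":")
            (current.rsn if section == "rsn" else current.wpa)[key.strip()] = value.strip()
    return bss_list


def classify(bss):
    """Return (label, neighbors_isolated, note) for what one beacon advertises.

    neighbors_isolated is True only when another tenant on the same SSID cannot
    derive this station's keys: 802.1X/EAP or SAE (WPA3) per-session keys.
    """
    if bss.rsn:
        akm = bss.rsn.get("Authentication suites", "")
        if "SAE" in akm and "PSK" not in akm:
            label, isolated = "WPA3-Personal", True
        elif "802.1X" in akm:
            label, isolated = "WPA2/3-Enterprise", True
        else:
            label, isolated = "WPA2-Personal", False   # PSK, or PSK+SAE transition mode
        note = ("per-station keys not derivable by other tenants" if isolated else
                "one shared passphrase: everyone holding it can recover each other's session keys")
        if "TKIP" in bss.rsn.get("Pairwise ciphers", "") or "TKIP" in bss.wpa.get("Pairwise ciphers", ""):
            note += "; TKIP still advertised (deprecated)"
    elif bss.wpa:
        label, isolated, note = "WPA1", False, "legacy WPA/TKIP, shared passphrase, deprecated"
    elif bss.privacy:
        label, isolated, note = "WEP", False, "WEP: broken cipher, treat the link as open"
    else:
        label, isolated, note = "Open", False, "no link-layer encryption; every frame is readable in radio range"
    return label, isolated, note


def report(scan_text):
    """Map each SSID in the scan text to its (label, neighbors_isolated, note)."""
    return {b.ssid: classify(b) for b in parse_scan(scan_text)}


if __name__ == "__main__":
    for ssid, (label, isolated, note) in report(SAMPLE_SCAN).items():
        print(f"{ssid:18} {label:18} isolated_from_neighbors={isolated!s:5} {note}")
```

Run it against `iw dev wlan0 scan` output captured to a file (`report(open("scan.txt").read())`) to see what the provider actually turned on; a provider that "encrypts in 60 seconds" with a PSK gives every tenant the same passphrase, so only the 802.1X (WPA2-Enterprise) case scores as isolated from neighbours here, which is the point made in the reply above.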
 
The only way to be secure over an open wireless connection is to run everything inside a VPN connection.
 
If the condo owners pay for the wifi it's just stupid not to be wired or treated like a wisp (ap and cpe).

Free wifi should be done with guest wifi that is very throttled on an open ssid with ap isolation, and then a private ssid with wpa and a client login portal, still with ap isolation. The private wifi should take priority over the public.

If the condo owners pay for the internet it should be treated exactly as a WISP, because that's what it is. 5GHz distribution band from access points, each condo has its own CPE that gets a public IP. The owner can do what they want from there. Wired, wireless, doesn't matter. Doing it that way would ensure that the customers who wanted privacy would get it. You could choose from many many different encryption options from the WAP to the CPE.
 
Should be one (or however many lines they want to run) in a vlan for each unit. Round robin QoS.
 