Having your network locked down on a need-to-know basis creates a good feeling for security professionals, but one day someone in your company hosts a meeting with an outside vendor. This outside vendor needs access to the internet during the meeting. An instant feeling of panic rushes over you because you didn't plan for this situation. How do you provide internet service for guests at your company without compromising your network's treasures? The following are several different options to look into before making a decision. Some of these will apply to smaller companies, but it is better to hear all the options before going forward.
Create a VLAN (Virtual Local Area Network)
Creating a VLAN to separate guest access from employee access is a viable solution for enterprise-level companies. To partition your network effectively, the broadcast traffic needs to be sent to its own appropriate VLAN ports on your switches. This essentially creates a secure channel that carries only the traffic on the selected ports. This method is one of the best cost-efficient ways to provide guests with an internet connection.
Create a second network
By creating a separate network for guests, you can fully ensure that they will not have access to information that they shouldn't. This can be accomplished fairly easily for smaller companies, but it may be a bit more of a challenge at the enterprise level. By connecting additional routers off your main router, you can dedicate them specifically to guest login. Both parties will be connecting to the same network, but based on the router's configuration, you can set it to allow only basic internet options for guests.
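One way to check that a guest router's rule list really allows only basic internet access and keeps guests off internal subnets is to audit it offline. This is an added example, not part of the original article; the subnets, the port set, the rule tuples and the function names are all constructed assumptions, and the rules are treated as first-match-wins.

```python
import ipaddress as ip

# Constructed addressing plan (assumptions, not from the article).
GUEST = ip.ip_network("192.168.50.0/24")
INTERNAL = [ip.ip_network("10.0.0.0/16"), ip.ip_network("10.1.0.0/24")]
BASIC_PORTS = {53, 80, 443}  # "basic internet": DNS, HTTP, HTTPS

def parse(rules):
    """Turn (action, src, dst, port) tuples into network objects; port None = any."""
    return [(a, ip.ip_network(s), ip.ip_network(d), p) for a, s, d, p in rules]

def audit(rules):
    """Return findings for a first-match-wins rule list applied to guest traffic."""
    findings, parsed = [], parse(rules)
    for i, (action, src, dst, port) in enumerate(parsed):
        if action != "allow" or not src.overlaps(GUEST):
            continue
        if port not in BASIC_PORTS:
            findings.append((i, "port", f"guest allowed on port {port or 'any'}"))
        for net in INTERNAL:
            if not dst.overlaps(net):
                continue
            # Overlapping CIDR blocks nest, so the exposed part is the longer prefix.
            exposed = net if net.prefixlen >= dst.prefixlen else dst
            # Only an earlier blanket deny covering all guests hides this allow.
            shadowed = any(
                a == "deny" and p is None and GUEST.subnet_of(s) and exposed.subnet_of(d)
                for a, s, d, p in parsed[:i]
            )
            if not shadowed:
                findings.append((i, "internal", f"guest can reach {exposed}"))
    return findings

# Constructed rule sets: a weak one, a hardened one, and a correct set in the wrong order.
WEAK = [("allow", "192.168.50.0/24", "0.0.0.0/0", None)]
HARDENED = [
    ("deny", "192.168.50.0/24", "10.0.0.0/8", None),
    ("allow", "192.168.50.0/24", "0.0.0.0/0", 53),
    ("allow", "192.168.50.0/24", "0.0.0.0/0", 80),
    ("allow", "192.168.50.0/24", "0.0.0.0/0", 443),
]
MISORDERED = [HARDENED[3], HARDENED[0]]  # allow evaluated before the deny

if __name__ == "__main__":
    for name, rules in (("weak", WEAK), ("hardened", HARDENED), ("misordered", MISORDERED)):
        print(name, audit(rules))
```

The misordered set shows why rule order matters: the deny for internal ranges exists, but it never fires for port 443 because the allow matches first.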
Install a wireless network just for your guests
This last option is a more expensive one, but it is foolproof: you create a whole new network just like yours, with a different password to confirm separation. This approach will require you to purchase access points and possibly a wireless LAN controller, depending on the size of your company. If you are a smaller company, connecting your new access points to your existing modem should suffice. If you find yourself in need of a separate wireless LAN controller to create a new partition, the Cisco 2100 series is a great starting point, as it can manage up to 6 access points.
No matter how you do it, it is important to create that separation between your business and the general public. Keeping guests off your internal network as much as possible will better protect your company from unwanted data leaks, compliance troubles and network breaches. It is a smart option to implement, and it would be silly not to, since most of the time the adjustment is a cost-efficient change to make. In the long run, the expense and effort are worth it compared with the damage attackers could do if you allow unregistered accounts access to your internal network services.