@Marc-Andre-Quesnel said in Segmenting Public Access Point From Private LAN - VLAN VS DMZ:
Course: Network +
Episode: Network Segmentation
Episode Time: 25:30
Scenario: Company's headquarters office network has confidential data vital to the survival of its business. Administrator would like to secure the perimeter of the wireless network by creating a guest network (secured with WPA2).
The use for this guest network will be for the following users:
- Internal Employees bringing in their own devices (smartphones, tablets)
- Family/Friends visiting an employee at the workplace
Question: What would be more secure in this scenario? Placing Access Point on VLAN and creating a conduit to/from WAN, or placing Access Point in DMZ.
Would placing the AP in the DMZ be like connecting a computer straight into the modem (Wild West)?
If all clients will not or do not need access to any internal data, then setting up the AP on another port on the firewall would give them the "wild west" without any real security breaches (DMZ). You would need strict policies governing the employee BYOD on business data access if you do it this way.
If your clients need wireless access to business data, then you may want to place an AP within your VLAN with strict controls and policies as well for only the devices that need to connect for business data on that VLAN and reject all others.
So the solution is a combination of both that you mention. A Wireless network for Guests, Contractors, Vendors by itself for outside access. An AP for your business devices maybe controlled by 802.1X for authentication that also ties into some authorization scheme for data accessibility or your NAC as mentioned.
Thanks for your wisdom.
Thanks for being a member!
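The guest half of the design in the reply above (guest AP on its own firewall port, internet access only, nothing routed to the internal LAN), written as an nftables ruleset. This is an added example, not configuration from the thread or the course; it assumes a Linux firewall doing the routing, and the interface names `wan0`, `lan0` and `guest0` and the SSH management port are assumptions. The 802.1X-controlled business AP is not covered here.

```nftables
#!/usr/sbin/nft -f
# Assumed interface names (not from the thread):
#   wan0   = uplink to the ISP
#   lan0   = internal LAN holding the confidential data
#   guest0 = dedicated firewall port the guest AP plugs into

flush ruleset

table inet segmentation {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Return traffic for connections that were allowed out
        ct state established,related accept
        ct state invalid drop

        # Guest segment: internet only
        iifname "guest0" oifname "wan0" accept

        # Guest to internal LAN is already covered by the default drop;
        # the explicit rule exists so attempts show up in the log
        iifname "guest0" oifname "lan0" log prefix "guest-to-lan " drop

        # Internal LAN out to the internet
        iifname "lan0" oifname "wan0" accept
    }

    chain input {
        type filter hook input priority filter; policy drop;

        ct state established,related accept
        iifname "lo" accept

        # Guests may use the firewall itself only for DNS and DHCP
        iifname "guest0" udp dport { 53, 67 } accept
        iifname "guest0" tcp dport 53 accept

        # Internal LAN: DNS, DHCP and firewall management (SSH assumed)
        iifname "lan0" udp dport { 53, 67 } accept
        iifname "lan0" tcp dport { 22, 53 } accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}
```

There is deliberately no rule from `lan0` to `guest0` either, so a compromised guest device cannot be reached from, or used as a path into, the internal segment except as reply traffic to nothing.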