Wireless Network Security: Isolating Users with VLANs
Virtual local area networks (VLANs) are a useful wireless network security tool because they let you separate traffic into isolated segments. You can use VLANs in several ways with your wireless LAN. VLANs allow you to
Separate different types of traffic based on the SSID to which they connect.
Provide isolation between more secure and less secure clients when you are required to support clients that do not support the maximum security settings of the WLAN. A less secure SSID can be used only by the lower-security clients; ACLs can then be used on the routers and firewalls to control what those clients can reach.
Provide guest Internet access from your office while keeping these clients from accessing internal resources. These clients may get their access through a separate interface on your firewall, a separate firewall, or a secondary Internet service provider (ISP) connection rather than your main connection.
Provide access to the management interfaces on network devices. Most network devices allow management to be conducted over a separate VLAN, which keeps this traffic away from the less secure VLANs.
If you follow the flow from the wireless clients at the bottom of the illustration to the Internet connections at the top, you can see that
Each wireless computer has a connection to a different SSID.
All SSIDs are hosted on the same lightweight (LWAPP) access point, but each SSID is mapped to a different VLAN; the traffic for all of these VLANs reaches the controller over a single network connection.
Traffic is passed in separate VLANs to the controller. The controller takes care of functions such as decrypting the WPA2-protected data and passing the data frames onto the wired network.
Still on separate VLANs and using a single network connection (a trunk link), the traffic is passed to a switch, where the VLAN traffic is separated into virtual networks, each with its own servers and network resources.
All three of these virtual networks get their outside access through an ASA firewall, which can split the traffic from the different VLANs across dual connections to two ISPs; this provides load balancing and fault tolerance.
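As an added worked example (not part of the original article), the following configuration fragments show one way to build the design above: the switch side uses IOS-style CLI and the controller side uses AireOS-style CLI. VLAN numbers, interface names, SSIDs, addresses and ACL contents are all hypothetical, chosen to illustrate the four uses of VLANs listed earlier (SSID separation, a lower-security SSID fenced by ACLs, Internet-only guest access, and a dedicated management VLAN) together with the single trunk that carries them from the controller to the switch.

```cisco
! ===== Switch (IOS-style CLI). VLAN IDs, names and addresses are hypothetical. =====
vlan 10
 name CORP
vlan 20
 name LEGACY
vlan 30
 name GUEST
vlan 99
 name MGMT
vlan 999
 name NATIVE-UNUSED
!
! One trunk from the controller: tag every WLAN VLAN explicitly, and park untagged
! frames in an otherwise unused native VLAN so nothing rides the trunk without a tag.
interface GigabitEthernet1/0/1
 description Trunk to wireless LAN controller
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30,99
!
! GUEST (VLAN 30): allow DHCP and DNS to the guest gateway, deny all RFC 1918
! space (every internal resource), then let the rest out to the Internet.
! In the design described in the text the guest gateway would sit on its own
! firewall interface; it is an SVI here only to keep the example self-contained.
ip access-list extended GUEST-IN
 permit udp any eq bootpc any eq bootps
 permit udp any host 192.168.30.1 eq domain
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any
!
! LEGACY (VLAN 20): lower-security clients reach only DHCP, internal DNS and the
! one HTTPS service they need; everything else is dropped and logged.
ip access-list extended LEGACY-IN
 permit udp any eq bootpc any eq bootps
 permit udp any host 10.10.1.53 eq domain
 permit tcp any host 10.10.1.50 eq 443
 deny   ip any any log
!
! CORP (VLAN 10): full access, except that no client VLAN may reach the
! management VLAN (10.99.0.0/24).
ip access-list extended CORP-IN
 deny   ip any 10.99.0.0 0.0.0.255 log
 permit ip any any
!
interface Vlan10
 ip address 10.10.0.1 255.255.0.0
 ip access-group CORP-IN in
interface Vlan20
 ip address 10.20.0.1 255.255.255.0
 ip access-group LEGACY-IN in
interface Vlan30
 ip address 192.168.30.1 255.255.255.0
 ip access-group GUEST-IN in
interface Vlan99
 ip address 10.99.0.1 255.255.255.0
!
! The switch's own management plane answers only to the admin subnet, over SSH.
ip access-list standard ADMIN-HOSTS
 permit 10.99.0.0 0.0.0.255
line vty 0 15
 access-class ADMIN-HOSTS in
 transport input ssh
!
! ===== Controller (AireOS-style CLI): bind each SSID to its VLAN. =====
config interface create corp 10
config interface vlan corp 10
config interface create legacy 20
config interface vlan legacy 20
config interface create guest 30
config interface vlan guest 30
config wlan create 1 Corp-Profile CorpWiFi
config wlan interface 1 corp
config wlan create 2 Legacy-Profile LegacyWiFi
config wlan interface 2 legacy
config wlan create 3 Guest-Profile GuestWiFi
config wlan interface 3 guest
```

Two details matter more than the rest. The trunk lists its allowed VLANs explicitly and uses an unused native VLAN, so an SSID that is later added on the controller but not on the switch simply gets no path rather than leaking onto whatever VLAN happens to be native. The guest and legacy ACLs are written as "permit what is needed, deny the rest" rather than blocklisting known servers, so a new internal host is protected by default. After applying the configuration, `show interfaces trunk` confirms which VLANs are actually carried, and `show access-lists` shows hit counters on the deny lines, which is a quick way to verify that the isolation is doing work.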