My organization has a proposal from a vendor which will run 2 wireless
networks seperated by using VLAN tagging. One network is for business use
and the 2nd for guest access. The guest access communication packets will
actually traverse our physical wire through our firewalls and mulitple
security zones before leaving out to the internet. I believe this will be a
major compromise to our overall security posture but can't find
documentation to prove it.
i have found some VLAN vulnerability info but no security best practice
white papers recommending against it. Does anyone out there have a credible
source of information that could spell out the reason not to do this? Or,
any documentation on setting up a seperate wireless mesh network connected
straight to the internet for guest access? Any info would very greatly
appreciated.

"PL" <casiwito@hotmail.com> writes:

Does the vendor rhyme with Crisco? And the solution rhyme with
Flaironet?

If so, that's best of breed stuff.

You have a legitimate concern.

The security of the installation depends on the security of the
switches involved. VLAN tagging is quite strong if you can trust the
switches and devices implementing it to be up to date with updates.

Very large corporate and commercial data centers rely on vlan tagging
to work, so if there were current vulnerabilities, you should hear a
BIG stink about it in the press.

Naturally there's no harm in pushing a hungry vendor on the point and
seeing if there's a way it can be configured to use a dedicated DSL
line or whatever so that a minimum of guest traffic traverses any part
of your network, or the least possible number of devices on your
network.

Best Regards,
--
Todd H.
http://www.toddh.net/