Security practices and network protection for LPV

Security hardening recommendations for large public venue networks including network segmentation, access control configuration, infrastructure protection, and threat mitigation strategies. Addresses common vulnerabilities in high-density guest networks and provides specific configuration guidelines for secure deployments.

Large public venues that offer open guest networks in high-density areas are natural targets for both casual and malicious attackers. The following network hardening options are considered best practices and are recommended:

  • If possible, do not configure a Layer 3 interface on any wireless user subnet (including the secure subnets) unless a captive portal is in use and redirection is required. The gateway or controller should be Layer 2 only on every wireless subnet into which users can be placed, so that it never becomes a reachable IP target from those subnets.

  • Do not configure the gateway or controller to be the default gateway for any user subnet.

  • Place the DHCP server on a Layer 3 separated subnet and use DHCP relay.

  • Avoid configuring the gateway or controller as the DHCP relay for any user subnet.

  • Configure the validuser ACL to permit only the configured and known user subnets, and to deny the IP addresses or address ranges that must be protected from being claimed by a client, such as the default gateway of each subnet, the DNS and DHCP servers, the captive portal, and so on. Session ACL entries are evaluated top down with first match winning, so place the deny entries before the permit for the user subnets.

  • The guest role should explicitly deny connections from guests to network infrastructure elements on TCP ports 22 (SSH) and 4343 (the HTTPS management interface of the gateway or controller).

  • The guest role should explicitly deny telnet, SSH, and any other protocol that is not required for guest services.

  • Enable ARP spoof prevention on the default gateway (router) of each wireless user subnet, and also on the gateway or controller if it holds a Layer 3 address on any wireless user VLAN.

  • Use a dedicated infrastructure subnet to connect all Wi-Fi gateways or controllers, APs, and servers.

  • Use ClearPass for administrator authentication via RADIUS and/or TACACS+, and monitor the authentication logs for failed and unexpected administrator logins.

  • Use an IDS solution to monitor infrastructure and user subnets for suspicious activity.

  • Shut down all unused Ethernet interfaces on the gateway or controller.

  • Monitor for rogue and potential rogue devices in Central and on the gateway or controller.

  • Enable “enforce-dhcp” in the AAA profiles so that traffic from a client that did not obtain its address through DHCP is dropped. This prevents users from assigning a static address to reach disallowed networks or to spoof network resources such as the default gateway or DNS server.
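
The following controller configuration fragment is an added example that is not part of the original page and is not vendor-supplied reference configuration. It ties the recommendations above together in ArubaOS-style session-ACL and role syntax: every address, the netdestination name wifi-infra, the ACL name guest-deny-infra, the AAA profile name guest-lpv, the VLAN IDs and the interface ID are assumptions chosen for illustration, and the exact command syntax should be verified against the CLI reference for the release in use. ARP spoof prevention on the upstream router, the DHCP server placement, IDS and rogue monitoring are configured outside the controller and are not shown.

```text
! Added example (not from the original page): ArubaOS-style CLI fragment.
! All addresses, names and interface IDs below are assumptions.

! Infrastructure addresses that no guest may reach on management ports
! and that no client may ever claim as its own source address.
netdestination wifi-infra
  network 10.250.0.0 255.255.255.0   ! dedicated infrastructure subnet: controllers, APs, servers
  host 10.250.0.10                   ! DNS server
  host 10.250.0.11                   ! DHCP server, reached from user VLANs via relay on the router
  host 10.250.0.12                   ! captive portal / ClearPass

! validuser: only the known user subnets are accepted as user source addresses.
! Entries are evaluated top down, first match wins, so the denies for the
! protected addresses sit above the permits for the user subnets.
ip access-list session validuser
  alias wifi-infra any any deny log            ! no client may claim an infrastructure address
  host 10.20.0.1 any any deny log              ! default gateway of the guest VLAN (on the router, not here)
  host 10.30.0.1 any any deny log              ! default gateway of the secure VLAN
  network 10.20.0.0 255.255.255.0 any any permit   ! guest user subnet
  network 10.30.0.0 255.255.255.0 any any permit   ! secure (staff) user subnet
  any any any deny log                         ! anything else is not a valid user address

! Guest role: explicitly deny management protocols toward infrastructure
! (TCP 22 = SSH, TCP 4343 = controller HTTPS management) and telnet/SSH anywhere.
ip access-list session guest-deny-infra
  user alias wifi-infra svc-ssh deny log
  user alias wifi-infra tcp 4343 deny log
  user alias wifi-infra svc-telnet deny log
  user alias wifi-infra svc-http deny log
  user alias wifi-infra svc-https deny log
  user any svc-ssh deny log
  user any svc-telnet deny log

user-role guest
  access-list session guest-deny-infra        ! must be listed before any permissive guest ACL

! Guest SSID AAA profile: drop traffic from clients that did not get their
! address from DHCP (static addresses, spoofed gateways or DNS servers).
aaa profile guest-lpv
  enforce-dhcp

! Guest VLAN exists on the controller as Layer 2 only: no "interface vlan 20"
! with an "ip address", and no "ip helper-address" (DHCP relay) configured on it.
vlan 20

! Unused controller ports stay down.
interface gigabitethernet 0/0/3
  shutdown
```

When validating the result, test from a guest client with a statically assigned address (it should receive no connectivity at all because of enforce-dhcp) and from a DHCP-assigned guest client against the infrastructure subnet on TCP 22 and 4343 (the connections should be denied and logged), before opening the network to the public.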


Last modified: June 18, 2025 (9ee346a)