Advice: Secure Office Network ... On The Cheap

I am providing pro bono technology support to a UK-based charity. They started off small but have grown and now offer workspace for other local charities, circa 50 office seats. They do a lot of good work for their community and they are all volunteers themselves. Their current network comprises a 1Gb/s leased line into a managed switch, shared out amongst 3 x WiFi Access Points. No firewall, no network authentication, no network segregation, WiFi password written on posters pinned up around the floor!!

I need to ‘enterprise network’ them up, but my networking knowledge is rudimentary at best. Would somebody mind ‘checking my work’ by reviewing/commenting on my strategy below?

Wired v Wireless

The building they are in is fully wired up for Ethernet, they are just not using it. Strategy: move switch and fibre to floor cabinet, patch outlets to switch, encourage use of wired Ethernet but allow WiFi, setup isolated WiFi guest access (Internet only).

Authentication

Anybody and everybody can currently connect to their network. Strategy: implement 802.1X network authentication using EAP for both wired and wireless connections. How to implement plug’n’play authentication? MAC address registration too hard, self-registration via captive portal? Need RADIUS server? Implemented in switch or pfSense NUC?

Segregation

All network devices are currently connected together – data breach potential is high. Strategy: implement 802.1Q VLANs for each organisation. Organisations move around, tagging individual switch ports too hard, can VLAN be assigned via captive portal together with 802.1X authentication? Can VLANs be assigned to WiFi access?

Printing

They have a few business-class network connected printers, but no centralised management, no Active Directory Services etc. Strategy: unsure. Do universal print management services exist that can run on a switch or a NUC? Printer access can’t be restricted to any individual VLAN, how to authenticate or share across VLANs?

Cost

They have about £1.27 left from their original grant funding! :wink: Everything needs to be done on the cheap i.e. not best, just good enough.

I know that I’m asking for a man-weeks’ worth of networking consultancy here! I don’t mind doing all the research / legwork if I can just get a steer from the experts.

All advice warmly welcomed.

Welcome!

The old adage applies. Good, fast, cheap. Pick any two.

Things to ponder…

  1. What is the charity's IT security policy and how will they demonstrate compliance with UK privacy laws and other business laws?
  2. Who will be providing long term support for security updates, security monitoring, incident response, data storage and retention, etc?

Answers to those questions will drive implementation.

Ha! Policies, compliance … that will be me then! Long term support … I currently offer 6 hours per week pro bono services to local charities but they’ll need more, I might have to recommend an outsourced MSP once everything is set up and running. Good point.

An outsourced company might not want to take over someone else’s cobbled together infrastructure, or charge an arm and a leg to do so.

I’ll try not to take that personally :wink:

You can do a lot with pfSense and FreeRADIUS, however, I’m sure on Netgate’s site it says there is some reason to move FreeRADIUS to its own instance. I don’t recall what the rationale is; perhaps it’s just management, but perhaps 50-100 users should be ok.

I think you can probably do a lot on the cheap, the main problem I suspect is that no one will have a clue how things work. Not too sure how you overcome that one.

@neogrid, great points, thank you. It would be far better to have an MSP come in to upgrade/reconfigure and then support the network but they just haven’t got anywhere near that kind of money; they can only just about afford free! :wink:

I was planning to produce a ‘Network Administrator’s Handbook’ documenting the ‘as built’ design, actually I have already started documenting the current and proposed states. I am a project manager by trade, I know the importance of good documentation, particularly when handing over to support organisations (AM). I was also planning to produce a series of How To guides for the user community, but I’d rather like to focus on making operations as transparent as possible e.g. self-service.

Documenting is good but you already know no one reads documentation.

In a past life, as a short cut, I used Camtasia to produce training materials / how-to videos, the general feedback from people where English wasn’t their mother tongue was positive. I’m sure there will be something similar you can find for Linux.

Looks like we’re out of ideas. Thanks to all those who contributed.

I’ll figure it out.

I’ve played this game too. With a budget of effectively zero you really can only pick one of the three options the first poster laid out. Or you can pour a ton of your time into this and stand it all up with open-source tools on hand-me-down hardware. I’ve done this exact same setup you are looking for on a similar budget.

As I read this I wondered to myself who brought this idea of “enterprising the network” up, you or them? If they didn’t bring up the issue, then you may want to slowly back-pedal out of this. That comes from painful experience.

LOL! They wouldn’t have the first clue that their network is sub-optimally set up. They would happily run as-is forever, so long as their people could access the Internet, that is, of course, until the first data breach occurs and with the resulting fines and reputational damage, the charity is forced to shut down.

I realise this isn’t my problem to solve, but I don’t mind supporting them, they seem like a nice group and I’ve already committed 6 hours per week to charitable endeavours … and they can wait, they have no idea what I’m doing anyway! So ‘good and cheap’ works for them and me.

I just don’t quite know what ‘good’ looks like, hence the query. I mean, I have an idea, but, as they say, a little knowledge can be dangerous.

I was just hoping somebody could validate my strategy, even if that was, “Can’t see any immediate gotchas, good luck!”

In that case I’d jump in with both feet. Six hours a week, I’m jealous.

As with anything IT, there are many ways to build this mouse trap. I used FreeRADIUS and assigned VLAN tags per the group a user was assigned to. For dumb devices I created a second SSID with a simple password, so two SSIDs in total. Printing is trickier and depends on the printer. You can probably connect to FreeRADIUS or just create a few user accounts on the device. Depends on how fancy you want to be and your printer. Something like PaperCut can be worth the expense here.

You can certainly achieve good (or great) with open-source tools. In most regards it is second to none in this space. It just takes time and effort.
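A concrete form of the per-group VLAN assignment described in the reply above, added here as an example and not the poster's own configuration: FreeRADIUS 3.0 `users` file entries that answer the original "can VLAN be assigned via 802.1X" question by returning the three RFC 3580 tunnel attributes an 802.1X-capable switch or access point reads to place the authenticated port or client on a VLAN. User names, organisations, passwords and VLAN IDs are constructed placeholders.

```conf
# /etc/raddb/users  (FreeRADIUS 3.0 "files" module) -- constructed example
# Format: user name and check items on the first line, reply items on the
# indented lines below, separated by commas.
# The Tunnel-* reply attributes (RFC 3580) tell the switch/AP which VLAN to
# put the session on, so no switch port ever needs static tagging.

# --- Organisation A -> VLAN 10 ---
alice   Cleartext-Password := "placeholder-A1"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "10"

# --- Organisation B -> VLAN 20 ---
bob     Cleartext-Password := "placeholder-B1"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "20"

# When a user moves between organisations, only Tunnel-Private-Group-Id
# changes; the wired and wireless infrastructure is untouched.

# --- Anyone not listed above is refused rather than dropped on a default VLAN ---
DEFAULT Auth-Type := Reject
        Reply-Message = "Unknown user, contact the network administrator"

# Note for PEAP/TTLS (the usual 802.1X methods): the reply attributes are
# produced inside the inner tunnel, so in mods-available/eap set
#   use_tunneled_reply = yes
# in the peap { } and ttls { } sections, otherwise the VLAN attributes are
# never sent back to the switch or access point.
```

The same Tunnel-* reply attributes can be returned from an LDAP or SQL backend instead of the flat file once the user list outgrows it. The switch and access points must support RADIUS-assigned (dynamic) VLANs, which is a feature worth checking before buying or repurposing cheap hardware.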