Saturday, December 14, 2019

Updated Android networking question on an enterprise network

I'm going to start out by saying I'm a coder, not a network professional. I do know what VLANs and VPNs are and what they do, but I probably couldn't connect to a Cisco router and manage it without a lot of help.

The network I'm dealing with has various VLANs. The one that is connected to multiple WAPs has some shared storage, domain servers, printers, and an Exchange server. The wireless password is always changing and each managed device somehow gets the password. I'm guessing through the MDM on Android devices, and I have no idea how Windows laptops get the new password. I imagine it's through the domain controller.

I received a new Pixel 3 that is managed by the IT department and it connected to the WAP just fine. I was playing around with the phone and turned on the hotspot. I noticed that Wi-Fi didn't shut off. I connected a laptop to the hotspot and sure enough, the laptop had access to all the network resources on that VLAN. I brought it to my IT department's attention and I guess I opened up a can of worms. With the latest version of Android, it appears that hotspotting can't be turned off at the carrier. Wi-Fi sharing is now the standard and the only way to turn off tethering is to buy an even more expensive enterprise-level MDM subscription. Even then, sometimes hotspotting is necessary and shutting it off isn't the best option. I also think IT would shut off all the WAPs before they pony up the cash just to shut off hotspotting.

I did notice a few VPN features that might fix the problem. On Android, VPN connections cannot be shared without root, and only one VPN can run at a time on an Android phone. This is great, because if an unauthorized user gained access to the hotspot from a mobile device, they couldn't use the VPN unless they had installed the VPN on their own device and supplied the correct credentials.

Is there a way to set up a VPN that acts as a gateway? I don't want internal traffic going out to a remote VPN server and then coming back to the VLAN. If I could set up a VPN that keeps internal traffic in the VLAN and allows external traffic to access the internet when needed, that would be great. The issue with using an external VPN is that network traffic would be insane with the number of mobile devices accessing it, and the number of VPN accounts would add greatly to the cost.

I guess a basic network diagram would be:

Phone ----> WAP ------> VPN? -----> VLAN
