TL;DR
Using Virtual LANs (VLANs) is highly recommended for separating WiFi SSIDs to improve cyber security. While not strictly *required*, it’s the best practice and offers significant protection against lateral movement if one SSID is compromised. Without VLANs, all traffic from different WiFi networks travels on the same network segment, making a breach much more damaging.
Understanding the Problem
Imagine you have separate WiFi networks: one for guests, one for employees, and maybe one for IoT devices. Without proper separation, if a hacker gets onto your guest network, they could potentially access resources on your employee network. VLANs prevent this.
Solution: Implementing WiFi Segmentation with VLANs
- Plan Your VLANs: Decide which SSIDs will be on which VLANs.
  - VLAN 10: Guests
  - VLAN 20: Employees
  - VLAN 30: IoT Devices
- Router/Firewall Configuration: You’ll need a router or firewall that supports VLANs. Most business-grade devices do.
  - Access the configuration interface (usually via a web browser).
  - Navigate to the VLAN settings. The exact location varies by manufacturer, but look for ‘VLAN’, ‘Wireless Segmentation’, or similar options.
  - Create each VLAN with its assigned ID (e.g., 10, 20, 30).
- Assign SSIDs to VLANs: This is the crucial step.
  - For each SSID you want to segment:
    - Edit the WiFi settings for that SSID.
    - Specify the VLAN ID it should be associated with (e.g., assign ‘GuestWiFi’ to VLAN 10).
- Inter-VLAN Routing Control: This is where you lock things down.
  - By default, a router with an interface in each VLAN will route traffic between them. You need to block this unless it is specifically required.
  - Configure firewall rules to deny traffic between the VLANs. For example:
    iptables -A FORWARD -i eth0 -o eth1 -j DROP
    (This is a Linux example; Windows Firewall or your router’s interface will have similar options.)
  - Allow only the traffic that is genuinely needed (e.g., employees might need access to a printer on the IoT VLAN). Be very specific with these rules: restrict them to the destination host and port rather than the whole VLAN.
- DHCP Server Configuration: Each VLAN needs its own DHCP server or DHCP scope.
  - Configure your router to provide different IP address ranges for each VLAN. This prevents conflicts and helps with identification.
    - VLAN 10 (Guests): 192.168.10.0/24
    - VLAN 20 (Employees): 192.168.20.0/24
    - VLAN 30 (IoT): 192.168.30.0/24
- Testing: Thoroughly test the segmentation.
  - Connect devices to each SSID and verify they can access the internet but cannot access resources on other VLANs.
  - Use ping or network scanning tools (e.g., nmap) to confirm isolation.
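The steps above amount to one policy: default-deny between VLANs, everything may reach the internet, and only explicitly listed exceptions (such as the employee-to-printer case) cross a VLAN boundary. The following is an added example, not part of the original answer, that models that policy offline using the three subnets from this page so you can check which flows should succeed or fail before and after the testing step, and emits the equivalent Linux iptables rules for review. The interface names (eth0.10, eth0.20, eth0.30, eth1), the printer address 192.168.30.50 and port 9100 are assumptions chosen for illustration.

```python
import ipaddress

# VLAN plan from the answer; the eth0.<id> subinterface names and the
# WAN interface name are assumptions about the router's naming scheme.
VLANS = {
    10: ("Guests",    "192.168.10.0/24", "eth0.10"),
    20: ("Employees", "192.168.20.0/24", "eth0.20"),
    30: ("IoT",       "192.168.30.0/24", "eth0.30"),
}
WAN_IF = "eth1"

# Hypothetical exception list: (src VLAN, dst VLAN, dst host, dst TCP port).
# Models the answer's example of employees reaching a printer on the IoT VLAN.
ALLOW = [(20, 30, "192.168.30.50", 9100)]


def vlan_of(ip):
    """Return the VLAN id whose subnet contains ip, or None for non-local (internet)."""
    addr = ipaddress.ip_address(ip)
    for vid, (_, net, _) in VLANS.items():
        if addr in ipaddress.ip_network(net):
            return vid
    return None


def is_allowed(src_ip, dst_ip, dst_port):
    """Decide whether a NEW connection should be forwarded.
    Replies to allowed connections are handled by conntrack, not modelled here."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    if src is None:
        return False      # unsolicited inbound from the internet is dropped
    if dst is None or dst == src:
        return True       # outbound to internet, or same-VLAN traffic (switched, never forwarded)
    return any(s == src and d == dst and h == dst_ip and p == dst_port
               for s, d, h, p in ALLOW)


def iptables_rules():
    """Emit FORWARD-chain rules equivalent to is_allowed(), for human review."""
    rules = ["iptables -P FORWARD DROP",
             "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for s, d, host, port in ALLOW:
        rules.append(f"iptables -A FORWARD -i {VLANS[s][2]} -o {VLANS[d][2]} "
                     f"-d {host} -p tcp --dport {port} -j ACCEPT")
    for _, (_, _, ifname) in VLANS.items():
        rules.append(f"iptables -A FORWARD -i {ifname} -o {WAN_IF} -j ACCEPT")
    return rules
```

Compare the results of is_allowed() with what your ping and nmap probes from each SSID actually show; any flow the model denies but the network permits is a gap in the firewall rules.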
Alternatives (and why they’re not as good)
- Separate Routers: Using separate physical routers for each SSID is an option, but it’s more expensive and harder to manage.
- Guest Network Isolation: Many routers offer a ‘guest network isolation’ feature. This is better than nothing, but often isn’t as robust or configurable as VLANs. It typically only prevents devices on the guest network from seeing each other, not from accessing your main network.