Tips for Isolating Wi-Fi Clients
Billy McKindley
Wireless client isolation is a security feature that prevents wireless clients from communicating with one another. It is useful when you share Wi-Fi with the public or run a BYOD policy in your business: isolation adds another layer of defence that limits attacks and threats spreading between devices, and it gives you controls to prevent clients from reaching your back-office servers, equipment and resources.
This feature confines and restricts clients connected to the Wi-Fi network. They can’t interact with devices connected to the more secure wired network, nor can they communicate with each other. They can only access the Internet.
Here are two Client Isolation methods:
Bridge Mode Client Isolation
When an SSID is configured for bridge mode, clients are usually placed in a specific, protected VLAN (a virtual network). On connecting, a client receives an IP address from that VLAN. Client-to-client traffic within the VLAN is blocked by the access point (a firewall on the VLAN's gateway never sees traffic between two hosts on the same subnet, so it cannot enforce that part), while the firewall on that VLAN's gateway (if configured) prevents the clients from reaching your office networks and servers and lets them out only to the Internet.
NAT Mode Client Isolation
SSIDs configured for NAT mode also have basic client isolation. It is enabled by default when the SSID is configured for NAT mode and cannot be disabled.
The implications of enabling NAT mode are as follows:
- Devices outside of the wireless network cannot initiate a connection to a wireless client.
- Wireless clients cannot use Layer 2 discovery protocols to find other devices on either the wired or wireless network.
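The following is an added example, not code from the original article or from any access-point vendor. It models where each part of the isolation described above is enforced: bridge mode (AP-side client-to-client blocking plus a gateway ACL that stops guest clients reaching office networks) and NAT mode (unsolicited inbound connections dropped for lack of translation state, Layer 2 discovery not forwarded, built-in client isolation). The topology, addresses, VLAN number and verdict strings are all assumptions chosen for the illustration; the office ranges 10.0.0.0/8 and 192.168.1.0/24 and the guest subnet 192.168.100.0/24 are constructed.

```python
"""Where Wi-Fi client isolation is actually enforced: a policy model.

Constructed example: it models the decisions an access point and a VLAN
gateway make, it is not a real AP or firewall. Assumed (hypothetical)
topology:
  - guest SSID bridged to VLAN 100, subnet 192.168.100.0/24, gateway .1
  - office networks 10.0.0.0/8 and 192.168.1.0/24
  - anything outside private address space counts as "the Internet"
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

GUEST_SUBNET = ip_network("192.168.100.0/24")   # assumption
GUEST_GATEWAY = ip_address("192.168.100.1")      # assumption
OFFICE_SUBNETS = (ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24"))  # assumption


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    client_initiated: bool = True  # False: a device outside opened the connection


def ap_client_isolation(flow: Flow) -> Optional[str]:
    """Layer-2 check performed by the access point.

    Traffic between two hosts in the same subnet is switched, not routed, so
    it never passes the VLAN gateway and no gateway ACL can see it. Blocking
    client-to-client traffic therefore has to happen on the AP (or via private
    VLAN / port isolation on the switch). Returns None when the traffic leaves
    the subnet and the decision belongs to the gateway.
    """
    if flow.src in GUEST_SUBNET and flow.dst in GUEST_SUBNET:
        if flow.dst == GUEST_GATEWAY:
            return "allow"  # clients still need to reach their default gateway
        return "drop:ap-client-isolation"
    return None


def guest_vlan_acl(flow: Flow) -> str:
    """Inbound ACL on the gateway's guest-VLAN interface (bridge mode).

    Deny the office networks first, then any other private destination
    (other VLANs, management ranges); whatever remains is the Internet.
    """
    if any(flow.dst in net for net in OFFICE_SUBNETS):
        return "drop:acl-office-network"
    if flow.dst.is_private:
        return "drop:acl-other-private"
    return "allow:internet"


def bridge_mode_verdict(flow: Flow) -> str:
    """Bridge mode: AP isolation first, gateway ACL for anything routed."""
    ap = ap_client_isolation(flow)
    return ap if ap is not None else guest_vlan_acl(flow)


def nat_mode_verdict(flow: Flow) -> str:
    """NAT mode as described in the text (modelling assumptions marked).

    The AP translates every client to its own uplink address and keeps a
    connection table, so a flow the client did not initiate has no entry
    and is dropped. Broadcast and multicast, the transport used by Layer 2
    discovery protocols, is not forwarded (assumption: modelled as a drop on
    those destination addresses). Client-to-client traffic is blocked by the
    built-in isolation. Whether the translated traffic may reach the office
    LAN is left to the upstream firewall, which the text does not specify.
    """
    if not flow.client_initiated:
        return "drop:no-nat-state"
    if flow.dst.is_multicast or flow.dst == GUEST_SUBNET.broadcast_address:
        return "drop:nat-no-l2-discovery"
    ap = ap_client_isolation(flow)
    if ap is not None:
        return ap
    return "forward:translated"


if __name__ == "__main__":
    client = ip_address("192.168.100.20")
    for dst in ("192.168.100.21", "192.168.100.1", "10.1.2.3", "8.8.8.8", "224.0.0.251"):
        f = Flow(client, ip_address(dst))
        print(f"{dst:>16}  bridge={bridge_mode_verdict(f):<26} nat={nat_mode_verdict(f)}")
```

The point the model makes concrete is the split in bridge mode: the gateway ACL decides guest-to-office and guest-to-Internet, but guest-to-guest traffic on the same VLAN never reaches it, so that part must be enforced by the access point.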
NAT mode should be enabled when any of the following is true:
- Guest clients only require Internet access, not access to the local wired network (LAN) and office servers.
- There is no DHCP server on the LAN that can assign IP addresses to the wireless clients.
- There is a DHCP server on the LAN, but it does not have enough IP addresses to assign to wireless clients.
Note: DHCP is the service that automatically assigns IP addresses to devices.