[...] This started a discussion of wireless networks in schools, and Brian Crosby picked up on it. He commented that school IT departments frown on wireless access because it’s hard to secure. Ryan Collins explained how easy it is to secure wireless devices by not broadcasting SSIDs and using WPA encryption. I chimed in on Ryan’s blog about how that would make it difficult (impossible?) for users to connect their own devices to the wireless network. [...]

I prefer the approach of keeping the wireless network open. Broadcast the SSID and leave the access points totally open. Then, put that vlan behind a firewall that (a) requires authentication, (b) only allows web and dns traffic, and (c) forces transparent proxying and logs the hell out of everything.

So… An authorized user (any student or staff member with a network account) fires up any wireless device in my high school cafeteria. It won’t do anything except web browsing. If they’re not logged in, it redirects them to a login page. Once they’ve logged in, they can get filtered Internet acccess from that device for up to 24 hours. If they log in on another device, it logs them off from the first one. It provides access, but it also locks them down.

Of course, the down side is that you can’t protect the wireless users from *each other*, but it will do a pretty good job of protecting your network from malicious wireless use.

Regarding the ability of IT staff to secure wireless devices, I can see some people making a case for that. My network only has a total of nine managed switches in 22 wiring closets. The vast majority of the infrastructure is unmanaged. So to just put a wireless device on a different vlan isn’t always a reasonable option.

I think the problem is complicated by the old Airports. When they came out, people just connected them and ran with it, without thinking about security. Now that we have a past practice established, it’s hard to go back and say, “it’s not quite that easy.”