Hi all,
I'm managing IT for a two-branch public library system. They have three use cases for their network:
1. Staff need access to Internet, local file shares etc., just like a regular business;
2. Public Internet kiosks need access to Internet and domain controller (for group policy and integration of special public-computer-library software, etc.), but nothing else; and
3. BYOD visitors (library visitors) need access to the Internet, and nothing else.
Historically, staff computers were on a Windows 2008 R2 domain, while public kiosks were net-booted from a heavily customized Linux server that also handled authentication, DHCP, DNS etc. (This server provided DHCP/DNS for guests' BYOD devices as well.) These two network segments were configured as separate subnets, with the router passing no traffic between them, creating a Chinese wall that ensured no public user was accessing staff computers. Each branch has an old, out-of-contract Cisco 5505 ASA router, with a VPN tunnel connecting the staff subnets at the two library branches. All of their switches are old unmanaged beaters, and buying new ones is an option, but I don't want to spend unnecessarily.
Although the Linux system was very elegant in many ways, it was decided that the public kiosk computers should be Windows as well, and joined to the domain. I connected all the (now-Windows) public computers to the staff subnet, unifying each branch into a single subnet (one for each branch). I tried to secure the staff computers by heavily disabling the public computers via GPO, disallowing public users from installing software, getting to the control panel, etc. etc. But, people can still bring their own laptops into the building, connect to wi-fi, and be right on our main biz network. I realize this is a big security problem, but this is the first time I've set up a network of this size--I have personal connections with the library, and am basically working as a quasi-volunteer, using the opportunity to learn how to set up these kinds of networks.
OK, now to my question: What are **best practices** for re-segregating public users from staff network resources, while still allowing the public kiosk computers to access the domain controller for administrative purposes? (I should add here that we have two nice Dell ESXi servers with several NICs--one at each branch.)
1. Do I put public computers back on a separate network and make the DC multi-homed? (Nope, can't do that--unsupported by Microsoft and apparently causes all sorts of problems.)
2. Do I put public computers back on a separate subnet and configure a router--possibly pfSense on a VM--with DHCP relay?
3. Do I buy new switches and set up VLANs rather than subnet segregation, somehow allowing the DC to service both?
4. Do I set up some clever topology where all three use cases are represented: a) staff computers on biz domain, b) kiosk computers on the domain but otherwise segregated, and c) BYOD devices that can't even see the DC?
5. How do I set up wi-fi? Do I need separate access points for public and private? (Both public BYOD and staff use wireless.) How do VLANs work with wireless, since you can't tag ports?
Related question: Do I replace the ASAs with pfSense running in VMs? We're not going to get a new support contract, and they haven't had an update in ages. Also, I'm hobbled configuring one of them because ASDM won't load due to a certificate error, and the Cisco command line scares me. That said, the current cross-branch VPN is up and working, and replacing it will be a major task.
I'm getting fairly strong on TCP/IP fundamentals and Windows Server administration. I basically understand router rules, firewall configuration etc., but I don't know anything about routing protocols. Totally weak on VLANs and anything to do with wi-fi, other than what you learn from setting up wi-fi access points at home.
Solid advice on best practices for this kind of setup would be profoundly appreciated. Don't bother telling me I'm an ignorant bastard, I already know that. :) Remember, this is a non-profit public library--hiring big-money consultants is not appealing. Plus, I've gotten this far (migrated off of Linux, etc.) by ingesting massive amounts of learning over the last year or so--before then, I basically knew nothing about any of this. Now I want to take it to the next level, by designing something truly durable and appropriate for their circumstance.
Looking forward to feedback. I'm also eager to provide any information I failed to provide above.
Cheers!
Aaron
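An added example, not from the post or from any reply: the three use cases above (staff, kiosk, BYOD guest) written out as a first-match, default-deny rule set in Python, then checked against the reachability each group needs. The zone addressing, the DC address and the host names are assumptions chosen for illustration; the AD port list is the standard client-to-DC set from Microsoft's published port requirements, but verify it against current documentation before building rules from it. The same matrix is what you would implement as pfSense interface rules or ASA ACLs under option 2 or 3, and the ordering point it demonstrates is the one that bites in practice: the DC lives inside the staff zone, so the kiosk-to-DC allows have to sit before any broader rule that touches the staff zone.

```python
"""Model of the three-zone policy (staff / kiosk / guest) as first-match,
default-deny firewall rules, with a check that the required reachability holds.
Added example; addressing, DC address and port list are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Address, IPv4Network
from typing import List, Tuple, Union

# Assumed per-branch addressing (hypothetical); the DC sits in the staff zone.
STAFF = ip_network("10.10.10.0/24")
KIOSK = ip_network("10.10.20.0/24")
GUEST = ip_network("10.10.30.0/24")
DC = "10.10.10.5"

# What a domain member needs to reach on its DC (Microsoft's published AD port
# list: DNS, Kerberos, NTP, RPC mapper, LDAP/LDAPS, SMB for SYSVOL, GC) plus the
# default dynamic RPC range. Verify against current Microsoft documentation.
AD_TCP = {53, 88, 135, 389, 445, 464, 636, 3268, 3269}
AD_UDP = {53, 88, 123, 389, 464}
RPC_DYNAMIC = range(49152, 65536)


@dataclass
class Rule:
    action: str                                # "allow" or "deny"
    src: IPv4Network                           # source zone
    dst: Union[IPv4Network, IPv4Address, str]  # zone, single host, or "internet"
    proto: str                                 # "tcp", "udp" or "any"
    ports: object                              # set of ints, range, or "any"


def _dst_match(rule_dst, d) -> bool:
    if rule_dst == "internet" or d == "internet":
        return rule_dst == d
    if isinstance(rule_dst, IPv4Address):
        return rule_dst == d
    return d in rule_dst


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, port: int) -> bool:
    """First matching rule wins; no match means deny (pfSense/ASA semantics)."""
    s = ip_address(src)
    d = dst if dst == "internet" else ip_address(dst)
    for r in rules:
        if (s in r.src and _dst_match(r.dst, d)
                and r.proto in ("any", proto)
                and (r.ports == "any" or port in r.ports)):
            return r.action == "allow"
    return False


SEGMENTED = [
    # Kiosks: the DC on AD ports only. These must come BEFORE the deny to the
    # staff zone, because the DC lives inside that zone.
    Rule("allow", KIOSK, ip_address(DC), "tcp", AD_TCP),
    Rule("allow", KIOSK, ip_address(DC), "udp", AD_UDP),
    Rule("allow", KIOSK, ip_address(DC), "tcp", RPC_DYNAMIC),
    Rule("deny",  KIOSK, STAFF, "any", "any"),
    Rule("allow", KIOSK, "internet", "any", "any"),
    # Guests: Internet only; anything internal falls through to the default deny.
    Rule("allow", GUEST, "internet", "any", "any"),
    # Staff: the whole internal network and the Internet.
    Rule("allow", STAFF, STAFF, "any", "any"),
    Rule("allow", STAFF, KIOSK, "any", "any"),
    Rule("allow", STAFF, "internet", "any", "any"),
]

# The current single-subnet setup, for comparison: everything reaches everything.
FLAT = [
    Rule("allow", ip_network("10.10.0.0/16"), ip_network("10.10.0.0/16"), "any", "any"),
    Rule("allow", ip_network("10.10.0.0/16"), "internet", "any", "any"),
]

# The three use cases, as (src, dst, proto, port, should_be_allowed). Constructed.
REQUIRED: List[Tuple[str, str, str, int, bool]] = [
    ("10.10.10.50", "internet",    "tcp", 443,  True),   # staff: Internet
    ("10.10.10.50", "10.10.10.7",  "tcp", 445,  True),   # staff: file shares
    ("10.10.20.50", DC,            "tcp", 88,   True),   # kiosk: Kerberos to DC
    ("10.10.20.50", DC,            "tcp", 445,  True),   # kiosk: SYSVOL for GPO
    ("10.10.20.50", DC,            "tcp", 3389, False),  # kiosk: no RDP to DC
    ("10.10.20.50", "10.10.10.7",  "tcp", 445,  False),  # kiosk: no staff shares
    ("10.10.20.50", "internet",    "tcp", 443,  True),   # kiosk: Internet
    ("10.10.30.50", "internet",    "tcp", 443,  True),   # guest: Internet
    ("10.10.30.50", DC,            "tcp", 389,  False),  # guest: cannot see the DC
    ("10.10.30.50", "10.10.20.50", "tcp", 445,  False),  # guest: cannot see kiosks
]


def violations(rules: List[Rule]) -> List[Tuple[str, str, str, int]]:
    """Return the required cases a rule set gets wrong (empty list = policy holds)."""
    return [(s, d, p, port) for s, d, p, port, want in REQUIRED
            if evaluate(rules, s, d, p, port) != want]


if __name__ == "__main__":
    print("segmented:", violations(SEGMENTED) or "policy holds")
    print("flat     :", violations(FLAT) or "policy holds")
```

Running it shows the segmented set passing all ten cases and the flat set failing the four that matter (kiosk and guest reaching things they shouldn't). DHCP for the kiosk and guest zones needs no entry here because a relay on the router hands it to the DC or a DHCP server without a client-to-server rule. The dynamic RPC allow is the widest line in the set; Microsoft documents how to pin RPC on the DC to a narrow port range so that rule can be tightened.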