# Office Network



## stuart.cameron (Apr 10, 2011)

After a lengthy discussion with our so-called 'IT Department' at work I need some help from someone with basic networking knowledge.

I work in an office with around 50 people, in all the offices we have various ethernet ports built into the wall, we also have a wireless access point in the meeting room but it's some distance away from our office and we can't get a signal.

7 people in our office have recently got iPads as we are out of the office regularly but obviously can't get a wifi signal and get a very weak mobile data signal.

Anyway my question is.... Can I plug a wireless router/access point into one of the many ethernet ports in our office to provide us with wifi?

I was led to believe that this would work but 'IT' have said it won't and we will need a new BT Broadband Line installed.

Cheers, Stuart


----------



## amchardy (Apr 26, 2008)

Your IT department is wrong in this case. You can absolutely plug a wireless access point into one of the Ethernet ports. It's possible with a wireless router but you're far more likely to encounter setup issues using a router rather than just an access point.

I set up my parents' house in this manner with the router at one end and a wireless access point up in the loft at the other end. Both have the same SSID so you can walk around the house without a drop in the wireless connection. Be sure to set each to a different wireless channel though.


----------



## ardandy (Aug 18, 2006)

If it's a router just disable DHCP and use that.

Not exactly secure though, people setting up a network rather than the IT dept???

Is it a support company or a dedicated employee? Seems a very strange way of doing things. Can't the boss just get them to install one or does he not want you to do it?


----------



## ardandy (Aug 18, 2006)

Do you have a central office somewhere else? Maybe one you remote into?


----------



## stuart.cameron (Apr 10, 2011)

ardandy said:


> If it's a router just disable DHCP and use that.
> 
> Not exactly secure though, people setting up a network rather than the IT dept???
> 
> Is it a support company or a dedicated employee? Seems a very strange way of doing things. Can't the boss just get them to install one or does he not want you to do it?


I have a little travel router that I'll try tomorrow. It's a dedicated employee that runs the IT.

The company that I work for are a merchanting company for a larger company but all our offices are in the same building if that makes sense? Both bosses don't understand that we can't get wifi so have allowed me to try plugging the router in tomorrow. Fingers crossed that I can prove IT wrong.


----------



## cdti_sri (Jul 17, 2006)

If the network is properly set up then you shouldn't be able to plug anything in other than approved devices configured by the IT team. We implement a range of policies from access control lists to DHCP snooping to stop "rogue" routers being plugged in.


----------
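How the DHCP snooping mentioned in the post above treats a router plugged into a wall port, as an added example that is not part of the original thread and not any vendor's implementation. The port names, MAC addresses, IP addresses and the `SnoopingSwitch` class are constructed for illustration.

```python
"""DHCP snooping modelled per switch port (constructed example)."""
from dataclasses import dataclass

SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # only a DHCP server sends these


@dataclass(frozen=True)
class DhcpFrame:
    port: str          # switch port the frame arrived on
    src_mac: str       # Ethernet source address
    msg_type: str      # DHCP message type (option 53)
    chaddr: str        # client hardware address inside the DHCP payload
    yiaddr: str = ""   # address being handed out (server messages only)


class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)  # uplinks towards the real server
        self.seen_on = {}    # client MAC -> access port of its last request
        self.bindings = {}   # client MAC -> (leased IP, access port)
        self.alerts = []

    def handle(self, f):
        """Return 'forward' or 'drop' for one DHCP frame."""
        untrusted = f.port not in self.trusted
        if f.msg_type in SERVER_MSGS:
            if untrusted:
                # A server reply on an access port means someone plugged in
                # a device that is running its own DHCP service.
                self.alerts.append(
                    f"rogue DHCP {f.msg_type} from {f.src_mac} on {f.port}")
                return "drop"
            if f.msg_type == "ACK" and f.chaddr in self.seen_on:
                # Learn the lease from the legitimate server only.
                self.bindings[f.chaddr] = (f.yiaddr, self.seen_on[f.chaddr])
            return "forward"
        # Client message: on access ports the payload must match the sender,
        # otherwise one host could request or release leases for another.
        if untrusted and f.src_mac != f.chaddr:
            self.alerts.append(
                f"chaddr {f.chaddr} spoofed by {f.src_mac} on {f.port}")
            return "drop"
        if f.msg_type == "RELEASE":
            self.bindings.pop(f.chaddr, None)
        self.seen_on[f.chaddr] = f.port
        return "forward"


# Constructed sample traffic: Gi0/1 is the uplink to the real DHCP server,
# Gi0/7 is a wall port with a client, Gi0/12 has a home router plugged in.
IPAD, SERVER, ROGUE = "02:00:00:00:00:07", "02:00:00:00:00:01", "02:00:00:00:00:12"
FRAMES = [
    DhcpFrame("Gi0/7", IPAD, "DISCOVER", IPAD),
    DhcpFrame("Gi0/1", SERVER, "OFFER", IPAD, "192.0.2.50"),
    DhcpFrame("Gi0/12", ROGUE, "OFFER", IPAD, "192.168.1.100"),
    DhcpFrame("Gi0/7", IPAD, "REQUEST", IPAD),
    DhcpFrame("Gi0/1", SERVER, "ACK", IPAD, "192.0.2.50"),
    DhcpFrame("Gi0/12", ROGUE, "DISCOVER", IPAD),
]


def run_demo():
    switch = SnoopingSwitch(trusted_ports={"Gi0/1"})
    verdicts = [switch.handle(f) for f in FRAMES]
    return verdicts, switch


if __name__ == "__main__":
    verdicts, switch = run_demo()
    for frame, verdict in zip(FRAMES, verdicts):
        print(f"{frame.port:7} {frame.msg_type:9} {verdict}")
    print(switch.bindings)
    print(*switch.alerts, sep="\n")
```

The binding table learned from trusted ACKs is what features such as ARP inspection build on; snooping alone does not stop a plugged-in access point that has its DHCP service disabled, which is why the post pairs it with access control lists.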



## JohnA88 (Jul 26, 2011)

Could try one of these - http://www.ebay.co.uk/itm/280901455612


----------



## SteveyG (Apr 1, 2007)

If I were the IT department, I certainly wouldn't let anyone plug in a wireless access point into the network. What you're suggesting is a hacker's dream.

I'd provide a separate internet only isolated LAN (Hot LAN) for that. Maybe that's what they're getting at?


----------



## stuart.cameron (Apr 10, 2011)

I plugged in my router this morning with permission from my manager and it works. Only thing is I can't access the settings within the router due to permissions on my computer, so Monday morning we will have a protected wifi network in our office!

The IT department's idea was to get a new line installed by BT £130 then pay £50 a month for another broadband line. Looks like I've managed to save us £600 a year.


----------



## stuart.cameron (Apr 10, 2011)

JohnA88 said:


> Could try one of these - http://www.ebay.co.uk/itm/280901455612


That's what I've got, bought one for my girlfriend when she was down in London for a couple of weeks.


----------



## jamest (Apr 8, 2008)

Set up an access point/router with a static IP, plug it in anywhere, give it the same SSID and key as the other access point but make sure it is a different channel to avoid any issues, then people should be able to move around the building connecting to each router/access point without issue.

Why you would need another line I have no idea...


----------



## stuart.cameron (Apr 10, 2011)

jamest said:


> Set up an access point/router with a static IP, plug it in anywhere, give it the same SSID and key as the other access point but make sure it is a different channel to avoid any issues, then people should be able to move around the building connecting to each router/access point without issue.
> 
> Why you would need another line I have no idea...


I think we are just going to keep a separate network for our company's office. I have no idea where the IT guy gets his ideas. He managed to totally confuse me yesterday.


----------



## SteveyG (Apr 1, 2007)

stuart.cameron said:


> I plugged in my router this morning with permission from my manager and it works. Only thing is I can't access the settings within the router due to permissions on my computer, so Monday morning we will have a protected wifi network in our office!


Protected in what way? Hopefully more than just a network key



jamest said:


> Why you would need another line I have no idea...


Presumably the easiest and safest option for keeping the network isolated. Why would you want to risk the network being easily hacked and potentially confidential information stolen from using a plain home wifi router...


----------



## jamest (Apr 8, 2008)

SteveyG said:


> Presumably the easiest and safest option for keeping the network isolated. Why would you want to risk the network being easily hacked and potentially confidential information stolen from using a plain home wifi router...


I'm talking about the IT guy setting it up, not letting staff plug in their own equipment.

At my last place we configured around 20-30 access points all around the buildings with pretty much blanket coverage without any issues. The WEP key (due to issues with WPA and some devices) was kept private which only 3 of us knew and people had to come to us, we recorded their name and MAC addresses and assigned them static IPs from the DHCP server.


----------



## benji1205 (Jun 15, 2009)

I would probably implement some sort of filtering. Something like MAC filtering or something like that? Would not take you long to collect the iPads' MACs.

The IT guy has probably suggested using a separate line due to security on the network? Plugging in your own device could bring you a whole world of pain if people start connecting their phones or even personal laptops. It would leave you open to hackers & viruses. He probably has a set of security guidelines which he has to follow.


----------



## ardandy (Aug 18, 2006)

Or maybe he's worried about bandwidth.

iDevices use a crap load of upload/download thanks to cloud syncing. We have a network in a school which had 150 iPads all of a sudden. Their IT guy set them all up for the staff and some pupils and then wondered why the 10Mb line was running at 100% almost constantly.

Apple stuff produces a lot of traffic thanks to Mr Cloud which is more than likely turned on, on your new kit.


----------



## stuart.cameron (Apr 10, 2011)

The only devices connected to it will be 7 iPads and possibly 3 iPhones. None of these devices use iCloud except for 'Find My iPhone/iPad'.

As for security, what would be the best way to secure it? I would prefer it to be a hidden network.

Thanks for the advice!


----------



## stuart.cameron (Apr 10, 2011)

He didn't mention anything about security, he just said it wasn't possible to plug anything in to create a wifi signal as it's an ethernet network and there's already an access point in the building.


----------



## jamest (Apr 8, 2008)

stuart.cameron said:


> He didn't mention anything about security, he just said it wasn't possible to plug anything in to create a wifi signal as it's an ethernet network and there's already an access point in the building.


He's wrong about that.

For security you could set a WPA key, keep the key hidden, hide the SSID, turn DHCP off, have all the known devices connect with a static IP and enable MAC filtering to whitelist devices.


----------



## stuart.cameron (Apr 10, 2011)

jamest said:


> He's wrong about that.
> 
> For security you could set a WPA key, keep the key hidden, hide the SSID, turn DHCP off, have all the known devices connect with a static IP and enable MAC filtering to whitelist devices.


Thanks!


----------



## SteveyG (Apr 1, 2007)

Or ideally have a separate 'Hot LAN' from your internet gateway if you only need internet access on it, or at LEAST implement second level authentication. jamest, all of those methods can be bypassed - it's not difficult to discover networks with the SSID hidden and to clone MAC addresses from packet sniffing.

Hiding the SSID is generally not recommended with consumer devices, and battery powered devices in particular will go flat quicker as they end up constantly searching.


----------



## jamest (Apr 8, 2008)

It sounds like a relatively small company which isn't exactly going to have hackers trying to get in.

MAC address whitelisting and WPA should be more than sufficient for most small businesses and is a lot more than what a lot of businesses do.


----------



## SteveyG (Apr 1, 2007)

Fair enough


----------



## stuart.cameron (Apr 10, 2011)

Got it set up last night, the SSID is hidden and there is now a WPA key on it.


----------



## stuart.cameron (Apr 10, 2011)

jamest said:


> It sounds like a relatively small company which isn't exactly going to have hackers trying to get in.
> 
> MAC address whitelisting and WPA should be more than sufficient for most small businesses and is a lot more than what a lot of businesses do.


Not the biggest of companies and to get access to the office you have to enter the site itself!


----------



## SteveyG (Apr 1, 2007)

stuart.cameron said:


> Not the biggest of companies and to get access to the office you have to enter the site itself!


High gain highly directional antenna and you can be a long distance away


----------



## stuart.cameron (Apr 10, 2011)

Success, the IT guy let me plug it in this morning and we now have Wifi in our office and 2 delighted managers!


----------



## ardandy (Aug 18, 2006)

If I was the manager I'd be peed off at the IT guy for either lying or being crap.

What's his excuse?


----------



## TubbyTwo (Apr 14, 2011)

Ah you're a fiddler, we have someone here that thinks it's perfectly acceptable to bring his home devices into work and just plug them in. Not on my network, and I certainly wouldn't allow any external wireless devices, that's a potentially serious security breach waiting to happen.

Verbal warning then written here if people decide to bypass the rules.


----------



## Gaspode (Oct 25, 2012)

I have to agree with Tubby Two - the IT guy suggesting a separate broadband line was being sensible in trying to protect the network and your associated sensitive data (and that of your customers). Plugging a domestic wireless adapter into a corporate network is at the very least 'dodgy' from a security perspective - just because it's technically possible, doesn't mean it's a good idea.....


----------



## jamest (Apr 8, 2008)

Gaspode said:


> I have to agree with Tubby Two - the IT guy suggesting a separate broadband line was being sensible in trying to protect the network and your associated sensitive data (and that of your customers). Plugging a domestic wireless adapter into a corporate network is at the very least 'dodgy' from a security perspective - just because it's technically possible, doesn't mean it's a good idea.....


No, read his post on page 2:



stuart.cameron said:


> He didn't mention anything about security, he just said it wasn't possible to plug anything in to create a wifi signal as it's an ethernet network and there's already an access point in the building.


Security aside, the IT guy they have doesn't seem to know what he is talking about.


----------



## Gaspode (Oct 25, 2012)

Perhaps he doesn't - I'd still say that this solution seems to be a bad idea and creates an unnecessary security exposure.....though as the IT guy has now accepted the idea of opening this 'door' into the network, he will no doubt be the one who gets sacked if there is a breach....


----------



## Bero (Mar 9, 2008)

Not wanting to sound like an Apple geek and I'm sure there are cheaper ways to do it but an AirPort Express is not too expensive and should work fine.


----------



## stuart.cameron (Apr 10, 2011)

ardandy said:


> If I was the manager I'd be peed off at the IT guy for either lying or being crap.
> 
> What's his excuse?


Everyone knows he's useless, just no one bothers to question him, but I was fed up of him saying things can't be done, just work around it.

He said we could only have one access point and that the Ethernet cables around the building don't carry Internet....


----------



## stuart.cameron (Apr 10, 2011)

TubbyTwo said:


> Ah you're a fiddler, we have someone here that thinks it's perfectly acceptable to bring his home devices into work and just plug them in. Not on my network, and I certainly wouldn't allow any external wireless devices, that's a potentially serious security breach waiting to happen.
> 
> Verbal warning then written here if people decide to bypass the rules.


Not a fiddler, just don't like getting told that it can't be done when it can be done. I have had permission by email to plug this in.



Gaspode said:


> I have to agree with Tubby Two - the IT guy suggesting a separate broadband line was being sensible in trying to protect the network and your associated sensitive data (and that of your customers). Plugging a domestic wireless adapter into a corporate network is at the very least 'dodgy' from a security perspective - just because it's technically possible, doesn't mean it's a good idea.....


He never mentioned anything about security, why pay £600 a year when this can easily be done. I'm sure we could get a business access point that will do the same for a lot less than £600 annually!

Also he said that it wasn't even possible to set up wifi in our office without the addition of an extra line!


----------



## benji1205 (Jun 15, 2009)

stuart.cameron said:


> Everyone knows he's useless, just no one bothers to question him, but I was fed up of him saying things can't be done, just work around it.
> 
> He said we could only have one access point and that the Ethernet cables around the building don't carry Internet....





stuart.cameron said:


> Not a fiddler, just don't like getting told that it can't be done when it can be done. I have had permission by email to plug this in.
> 
> He never mentioned anything about security, why pay £600 a year when this can easily be done. I'm sure we could get a business access point that will do the same for a lot less than £600 annually!
> 
> Also he said that it wasn't even possible to set up wifi in our office without the addition of an extra line!


From the sounds of it, he either does not know what he was talking about or was just trying to fob you off.

He should have just been straight with you about what the network limits / capabilities were, what security was in place and what network policies the company have set. However it seems that everything is now set up for you, just a shame that he couldn't have purchased a commercial bit of kit (over something designed for home use) and that would have been a lot more secure overall.


----------



## TooFunny (Sep 18, 2012)

I have to say I'm on the side of the 'IT guy' who probably just told you it wasn't possible so you'd go away, if someone came near my network with a wireless router I'd cut their hands off!

You're missing the point entirely on what you have 'achieved', you've basically poked a hole through any corporate firewalls and web security and allowed unrestricted web browsing to the public internet through devices that are now completely open to any malicious activity out on the web and completely unprotected in a corporate environment.

If you had wanted this on my network, I would have billed your dept for a standalone switch, patched into a DMZ which in turn had multiple access points around the building, and you would have only had port 80/443 allowed through the firewall and out to the internet, and those devices would be allowed nowhere near my LAN.

You seem to think that because the access point is hidden and has a WPA key that you're fine and dandy, what happens when your device gets hacked? At that point you're still attached to your corporate LAN and that is just as bad as me walking into your office and plugging in a CAT5/6 cable to one of your ethernet ports.

To be fair your IT guy should be sacked, but for allowing this to happen in the first place just to allow people to browse the web on their iPads!!


----------
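The guest-segment policy described in the post above (web ports out to the internet, nothing towards the LAN), written as a first-match rule list and evaluated in Python; this is an added example, not part of the original thread and not a real firewall's syntax. The guest subnet, the probe hosts and the names `Rule`, `decide` and `leaks` are assumptions, and DNS and DHCP are assumed to be served by the gateway on the guest segment itself rather than forwarded.

```python
"""Guest Wi-Fi egress policy as a first-match rule list (constructed)."""
import ipaddress
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    action: str                      # "allow" or "deny"
    dst: str                         # destination CIDR
    proto: Optional[str] = None      # None matches any protocol
    ports: frozenset = frozenset()   # empty set matches any port


GUEST_NET = ipaddress.ip_network("192.168.50.0/24")   # assumed guest subnet
PRIVATE = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

# Deny every internal range first, then allow web ports, then deny the rest.
GUEST_POLICY = [Rule("deny", net) for net in PRIVATE] + [
    Rule("allow", "0.0.0.0/0", "tcp", frozenset({80, 443})),
    Rule("deny", "0.0.0.0/0"),
]

# Same rules with the allow moved to the top: a common ordering mistake.
MISORDERED = [GUEST_POLICY[3]] + GUEST_POLICY[:3] + [GUEST_POLICY[4]]


def decide(policy, src, dst, proto, port):
    """Return the action of the first rule matching a forwarded flow."""
    if ipaddress.ip_address(src) not in GUEST_NET:
        return "deny"                # this policy only covers guest clients
    dst_ip = ipaddress.ip_address(dst)
    for rule in policy:
        if dst_ip not in ipaddress.ip_network(rule.dst):
            continue
        if rule.proto is not None and rule.proto != proto:
            continue
        if rule.ports and port not in rule.ports:
            continue
        return rule.action
    return "deny"                    # default deny if nothing matched


# Constructed internal hosts a guest device must never reach.
PROBES = [("10.0.0.20", "tcp", 443),     # intranet web server
          ("192.168.1.10", "tcp", 80),   # printer admin page
          ("172.16.5.5", "tcp", 445)]    # file server


def leaks(policy, guest="192.168.50.23"):
    """List the internal (host, port) probes the policy lets a guest reach."""
    return [(dst, port) for dst, proto, port in PROBES
            if decide(policy, guest, dst, proto, port) == "allow"]


if __name__ == "__main__":
    print("correct order:", leaks(GUEST_POLICY))
    print("allow first:  ", leaks(MISORDERED))
```

With the allow rule first, internal web services on 80/443 become reachable from the guest segment even though the LAN deny rules are still present, so the ordering is worth auditing whenever the rule list changes.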



## stuart.cameron (Apr 10, 2011)

TooFunny said:


> I have to say I'm on the side of the 'IT guy' who probably just told you it wasn't possible so you'd go away, if someone came near my network with a wireless router I'd cut their hands off!
> 
> You're missing the point entirely on what you have 'achieved', you've basically poked a hole through any corporate firewalls and web security and allowed unrestricted web browsing to the public internet through devices that are now completely open to any malicious activity out on the web and completely unprotected in a corporate environment.
> 
> ...


He told two directors this also wasn't possible no matter how much money was put towards allowing us to get wifi in our office. He told them the ONLY way to get us wifi access was to install a new broadband line at a cost of £130 then £50 a month.

I don't think I'm fine and dandy because I've hidden the network and put a password on it, the reason I posted this was to get some advice on what to do. Not to create an argument on why this is wrong. Why buy all the traders in the office iPads when we can't even access emails in the office? Fair enough they're running 3G as well but that's another problem with our office.


----------



## stuart.cameron (Apr 10, 2011)

Also strange how he has a router sitting next to his desk in his office....


----------



## TooFunny (Sep 18, 2012)

stuart.cameron said:


> He told two directors this also wasn't possible no matter how much money was put towards allowing us to get wifi in our office. He told them the ONLY way to get us wifi access was to install a new broadband line at a cost of £130 then £50 a month.
> 
> I don't think I'm fine and dandy because I've hidden the network and put a password on it, the reason I posted this was to get some advice on what to do. Not to create an argument on why this is wrong. Why buy all the traders in the office iPads when we can't even access emails in the office? Fair enough they're running 3G as well but that's another problem with our office.


I think you've found your issue, why buy everyone iPads to check email when you're all in the office anyway??!! Use your PC/Laptop/Mac as you're in the office.

Setting up a hotdesk environment, which it sounds like what you're after, requires a great deal of investment and planning, not just a router in a LAN port....


----------



## TooFunny (Sep 18, 2012)

stuart.cameron said:


> Also strange how he has a router sitting next to his desk in his office....


Perhaps he needs to use the router to stretch the length of your already existing ADSL to wherever else it is needed in the building...it doesn't need to have a wireless network set up on it, he can just be using it as an actual router...


----------



## stuart.cameron (Apr 10, 2011)

TooFunny said:


> I think you've found your issue, why buy everyone iPads to check email when you're all in the office anyway??!! Use your PC/Laptop/Mac as you're in the office.
> 
> Setting up a hotdesk environment, which it sounds like what you're after, requires a great deal of investment and planning, not just a router in a LAN port....


Sorry maybe I was a little bit misleading there, they are not just for checking email. We are generally out on farm or in the car and in a lot of areas where you don't get mobile signal. Most of the guys come into the office in the morning to do a bit of paperwork, make some phone calls etc. then leave. While the iPads are in the office price lists and any other documents that need to update will update through the wifi. Of course they could use their computer but why not just use their iPad if it's as simple as checking emails?

Don't think we require hot desking, not sure where you got that from...



TooFunny said:


> Perhaps he needs to use the router to stretch the length of your already existing ADSL to wherever else it is needed in the building...it doesn't need to have a wireless network set up on it, he can just be using it as an actual router...


Not right, this is used as an access point also, as the iPads are set up to access it when they are within range.


----------



## stuart.cameron (Apr 10, 2011)

TooFunny said:


> Perhaps he needs to use the router to stretch the length of your already existing ADSL to wherever else it is needed in the building...it doesn't need to have a wireless network set up on it, he can just be using it as an actual router...


He probably wouldn't have the knowledge to do that


----------



## TooFunny (Sep 18, 2012)

Using an iPad to replace a PC is like using a butter knife to chop wood, you'll get there in the end but you'll waste a lot of time doing it.

Sounds to me like you need to look at how your staff work and use their IT equipment, if they're all bowling around a farm or estate and just want to check their email or work on documents, and you're dead set on using an iPad for that function, then a 3G enabled SIM in the iPad and it configured to use your Exchange server for email would be the way forward.

That way they can access email and documents (emailed to them) out and about or indeed in the office if they really wanted to, but use their PCs while at their desks connected to the LAN.

The only secure way I would stretch your LAN's internet capability to wireless users would be through a DMZ switch and a Cisco Wireless LAN controller with X amount of hotspots attached to it, this at least gives you the ability to monitor and secure who and what is attaching to it.

This is on the basis that your company's Internet connection is in fact not this ADSL you speak of and something a little more beefy....

Either way it would need investment, and these things don't come cheap.


----------



## stuart.cameron (Apr 10, 2011)

TooFunny said:


> Using an iPad to replace a PC is like using a butter knife to chop wood, you'll get there in the end but you'll waste a lot of time doing it.
> 
> Sounds to me like you need to look at how your staff work and use their IT equipment, if they're all bowling around a farm or estate and just want to check their email or work on documents, and you're dead set on using an iPad for that function, then a 3G enabled SIM in the iPad and it configured to use your Exchange server for email would be the way forward.
> 
> ...


The iPads are already set up on our Exchange server and we are using two apps for the documents and PDFs we use on a day to day basis. The iPads are 3G enabled but being in the middle of nowhere in Scotland isn't the best when you're using Vodafone...

Thanks for your input, the IT guy is happy with how it's set up and has allowed me to plug it in. Maybe if there is a security breach the company will step up their game in the IT department. For now it will be left how it is.


----------



## ardandy (Aug 18, 2006)

There are many ways to do it securely. 

The point I was trying to make was he's lied to either fob a manager off with jargon or because he doesn't know how. Either way a word might be worthwhile. 


Incidentally, my favourite (fob off) is that there's a problem with the kernel.kfc file.


----------



## stuart.cameron (Apr 10, 2011)

ardandy said:


> There are many ways to do it securely.
> 
> The point I was trying to make was he's lied to either fob a manager off with jargon or because he doesn't know how. Either way a word might be worthwhile.
> 
> Incidentally, my favourite (fob off) is that there's a problem with the kernel.kfc file.


I've asked him various times on the run up to getting the iPads to be prepared and now we have them I've asked him a couple of times. He's either ignored the emails or said it can't be done and the last time I asked he said we could get a new broadband line. Sounds to me that he doesn't know a lot.


----------



## ardandy (Aug 18, 2006)

I'd say laziness.

He's already set up a wireless system in the office it just doesn't reach your room. Just needed to expand it.


----------



## OvlovMike (Jul 19, 2011)

If you wanted to, you could persuade management that they need to have a chat with someone like us to review your infrastructure...


----------



## ardandy (Aug 18, 2006)

I'm not sure they'll buy info from a car forum, no matter how good the sources!


----------

