Guest SSID isolated from corporate VLAN
Demonstrate that devices connected to the guest wireless SSID are logically segregated from the corporate VLAN and cannot initiate network connections to internal corporate resources.
Description
What this control does
This control enforces logical network segmentation between the guest wireless SSID and the corporate VLANs, so that devices on the guest network cannot initiate connections to internal corporate systems. Implementation typically involves three pieces: the wireless controller or access point tags guest clients into a dedicated VLAN with its own IP subnet; the Layer 3 device that routes that VLAN (a firewall, a core or distribution switch, or the controller itself) applies rules that drop traffic from the guest VLAN to corporate address space and to the network devices' own management addresses; and the same rules permit only internet-bound traffic, plus the DHCP and DNS the guest clients need to get online. Tagging alone is not segregation: a guest VLAN that is routed without a filter can reach every other VLAN. Enforcing the boundary prevents unauthorized access to sensitive corporate resources and reduces the attack surface exposed to untrusted, unmanaged devices.
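As an added example (not from the page), the following shell script renders what the rules at the routed boundary look like on a Linux gateway using nftables, and includes an ordering check that can be run against an exported ruleset. The interface names vlan200 (guest) and wan0 (upstream), the private-range list, and the assumption that the gateway only serves DHCP and DNS to guests are all illustrative, not taken from the page.

```shell
#!/usr/bin/env bash
# Added example, not from the page: render and sanity-check an nftables policy
# that keeps a guest VLAN off every private range while still allowing internet access.
# Assumptions: vlan200 is the guest VLAN interface and wan0 the upstream interface on
# a Linux gateway; the gateway itself only serves DHCP and DNS to guests.
set -u

# Print the ruleset for the given guest and WAN interface names.
render_guest_ruleset() {
  local guest_if=$1 wan_if=$2
  cat <<EOF
table inet guest_isolation {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    # Guest clients never initiate into private space. Order matters: these drops
    # sit before the WAN accept, so a leaked route to a private prefix is still blocked.
    iifname "$guest_if" ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } log prefix "GUEST-DROP " counter drop
    iifname "$guest_if" ip6 daddr fc00::/7 log prefix "GUEST-DROP " counter drop
    iifname "$guest_if" oifname "$wan_if" accept
  }
  chain input {
    type filter hook input priority 0; policy accept;
    # The gateway answers only DHCP and DNS from the guest VLAN; everything else
    # aimed at the gateway (SSH, web UI, SNMP) is dropped and logged.
    iifname "$guest_if" ct state established,related accept
    iifname "$guest_if" udp dport { 67, 53 } accept
    iifname "$guest_if" tcp dport 53 accept
    iifname "$guest_if" log prefix "GUEST-DROP " counter drop
  }
}
EOF
}

# Check an exported ruleset (stdin, e.g. the output of "nft list ruleset") for the
# property that matters most: the guest-to-private drop must appear before the
# guest-to-WAN accept, because nftables evaluates rules in order and a first-match
# accept would win. Returns 0 when both rules exist and are correctly ordered.
check_rule_order() {
  local guest_if=$1 wan_if=$2 text drop_line accept_line
  text=$(cat)
  drop_line=$(printf '%s\n' "$text" | grep -nF "iifname \"$guest_if\" ip daddr { 10.0.0.0/8" | cut -d: -f1 | head -n 1)
  accept_line=$(printf '%s\n' "$text" | grep -nF "iifname \"$guest_if\" oifname \"$wan_if\" accept" | cut -d: -f1 | head -n 1)
  [ -n "$drop_line" ] && [ -n "$accept_line" ] && [ "$drop_line" -lt "$accept_line" ]
}

# Usage: ./guest-nft.sh render > guest.nft, then "nft -f guest.nft" on the gateway.
if [ "${1:-}" = "render" ]; then
  render_guest_ruleset vlan200 wan0
fi
```

The forward chain's policy drop assumes this is the only forward policy on the device; on a gateway with existing rules, merge the guest lines into the existing chain and keep the private-range drop ahead of any accept. A wireless controller or switch expresses the same intent as a VLAN ACL: deny the guest subnet to the private ranges and to device management addresses, then permit any.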
Control objective
What auditing this proves
Demonstrate that devices connected to the guest wireless SSID are logically segregated from the corporate VLAN and cannot initiate network connections to internal corporate resources.
Associated risks
Risks this control addresses
- Unauthorized access to corporate file shares, databases, or internal applications by guest users or compromised guest devices
- Lateral movement by an attacker who compromises a guest device and pivots to corporate network segments
- Data exfiltration via guest network access to internal systems containing sensitive or regulated information
- Malware propagation from infected guest devices to corporate workstations or servers via network adjacency
- Reconnaissance and network scanning of internal IP ranges and services by malicious actors on guest Wi-Fi
- Bypass of corporate security monitoring and endpoint protection by accessing internal resources from an unmanaged guest device
- Denial-of-service attacks targeting internal infrastructure launched from guest network segments
Testing procedure
How an auditor verifies this control
- Obtain the current network topology diagram identifying the guest SSID, corporate VLAN assignments, and firewall or access control list (ACL) enforcement points.
- Export and review the wireless controller or access point configuration showing SSID-to-VLAN mappings, verifying that the guest SSID is assigned to a VLAN distinct from corporate VLANs.
- Retrieve and examine firewall rules, router ACLs, or VLAN interface configurations governing traffic between the guest VLAN and corporate VLANs.
- Connect a test device to the guest SSID and document the assigned IP address, subnet mask, default gateway, and DNS servers; confirm the subnet belongs to the guest VLAN and not to any corporate range.
- From the test device on the guest network, attempt ICMP ping, HTTP/HTTPS, and RDP/SSH connections to a sample of known internal corporate addresses that are confirmed to be listening on those services, so that a failed attempt reflects the boundary rather than a dead host; every attempt should fail. Include the management addresses of the wireless controller, switches, and firewall in the sample.
- From the test device on the guest network, verify that internet connectivity is functional by accessing external websites and public services; without a working internet path the failed internal attempts prove nothing.
- Review firewall, router, or SIEM logs for the blocked connection attempts generated in the previous steps, matching the test device's source IP, the destinations tried, and the timestamps; the drops should be logged on the guest VLAN interface toward the corporate VLANs.
- Interview network engineering staff to confirm change control procedures for modifying guest network isolation rules and review recent change tickets related to guest or corporate VLAN configurations.
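As an added example (not from the page), the following script carries out the connectivity steps above from a test device joined to the guest SSID and summarises the matching drop-log entries. The corporate range 10.10.0.0/16, the listed hosts, the public targets, the "GUEST-DROP" log prefix, and the sample log lines are all constructed assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the page: the connectivity checks an auditor runs from a test
# device joined to the guest SSID, plus a count of the matching firewall drop log lines.
# Assumptions: 10.10.0.0/16 is the corporate VLAN, the listed hosts are known listeners,
# and the firewall logs drops with a "GUEST-DROP" prefix (iptables/nftables style).
set -u

TIMEOUT=3
# Corporate targets that must be unreachable from the guest VLAN (host:port).
CORP_TARGETS="10.10.0.10:445 10.10.0.20:3389 10.10.0.30:22 10.10.0.40:443"
# Public targets that must stay reachable, otherwise the run is inconclusive.
INET_TARGETS="1.1.1.1:443 9.9.9.9:53"

# TCP connect probe via bash's /dev/tcp; exit 0 only when the handshake completed.
probe_tcp() {
  local host=$1 port=$2
  if command -v timeout >/dev/null 2>&1; then
    timeout "$TIMEOUT" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
  else
    bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
  fi
}

# ICMP probe (Linux iputils ping syntax); use it alongside probe_tcp for the ping step.
probe_icmp() {
  ping -c 1 -W "$TIMEOUT" "$1" >/dev/null 2>&1
}

# Count the host:port targets in $1 that accepted a TCP connection; per-target
# results go to stderr so that only the count is on stdout.
count_reachable() {
  local n=0 t
  for t in $1; do
    if probe_tcp "${t%:*}" "${t#*:}"; then
      echo "  REACHABLE  $t" >&2
      n=$((n + 1))
    else
      echo "  blocked    $t" >&2
    fi
  done
  echo "$n"
}

# PASS only when no corporate target answered and the internet path works. A dead
# internet path means the device may simply have no connectivity, so it is not a PASS.
isolation_verdict() {
  local corp_reachable=$1 inet_reachable=$2
  if [ "$inet_reachable" -eq 0 ]; then
    echo INCONCLUSIVE
  elif [ "$corp_reachable" -eq 0 ]; then
    echo PASS
  else
    echo FAIL
  fi
}

# Summarise GUEST-DROP log lines (stdin) as a count per blocked destination, most
# frequent first, so the auditor can match them against the probes above.
count_drops_by_dst() {
  grep 'GUEST-DROP' | grep -o 'DST=[0-9.]*' | sort | uniq -c | sort -rn
}

# Constructed sample log lines in the kernel log format produced by the prefix above.
SAMPLE_LOG='Mar  3 10:01:02 fw kernel: GUEST-DROP IN=vlan200 OUT=vlan10 SRC=192.168.200.23 DST=10.10.0.10 PROTO=TCP DPT=445
Mar  3 10:01:05 fw kernel: GUEST-DROP IN=vlan200 OUT=vlan10 SRC=192.168.200.23 DST=10.10.0.10 PROTO=TCP DPT=445
Mar  3 10:01:09 fw kernel: GUEST-DROP IN=vlan200 OUT=vlan10 SRC=192.168.200.23 DST=10.10.0.20 PROTO=TCP DPT=3389
Mar  3 10:02:00 fw kernel: other-rule IN=vlan10 OUT=wan0 SRC=10.10.0.5 DST=203.0.113.10 PROTO=TCP DPT=443'

audit() {
  local corp inet
  echo "Corporate targets (must all be blocked):"
  corp=$(count_reachable "$CORP_TARGETS")
  echo "Internet targets (must be reachable):"
  inet=$(count_reachable "$INET_TARGETS")
  echo "Verdict: $(isolation_verdict "$corp" "$inet")"
  echo "Blocked attempts per destination in the sample log:"
  printf '%s\n' "$SAMPLE_LOG" | count_drops_by_dst
}

# Usage: ./guest-probe.sh run   (from the test device on the guest SSID)
if [ "${1:-}" = "run" ]; then
  audit
fi
```

Record the verdict together with the per-target output and the matching log lines as the test evidence; a REACHABLE corporate target is a finding even if the internet check passes, and an INCONCLUSIVE run should be repeated once the guest device's internet path is confirmed.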
Where this control is tested