Mitigating the Security Risks of Free WiFi
Your clients expect free WiFi. It’s gone from being an important amenity to a basic competitive necessity. It also raises important security concerns: once connected to your WiFi network, guest users could mount a Denial of Service (DoS) attack or spread bandwidth-starving computer viruses to the rest of your network. Are you protected?
There are simple and practical approaches to managing the various risks associated with offering free WiFi at a business location. Let’s look at two that leverage technology and service provider solutions.
Logical Separation of Guest Network
Most WiFi solutions allow you to dedicate specific WiFi networks—or SSIDs—to your guest users, enabling you to limit network resource sharing to the strict minimum required (AAA, DHCP, DNS). This practice can be further enhanced with dedicated VLANs (Virtual Local Area Networks) and Virtual Routing & Forwarding (VRF) assignment, for modular traffic control.
Though practical on the surface, Logical Separation does not guarantee complete isolation of the guest traffic from your corporate or administrative network, so any exposed or shared network resources must be protected with security mechanisms that apply to each layer of exposure. One such mechanism routes the guest WiFi traffic through an enforcement point such as the DMZ (demilitarized zone) interface of a security appliance. Executing this solution well requires a sound understanding of the architecture and security policies.
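As an added illustration (not part of the original article), the Python below audits an ordered, first-match rule list at the enforcement point and flags any allow rule that lets the guest segment reach internal addresses other than the shared AAA, DHCP and DNS services. The subnets, service hosts, ports and rule tuple format are constructed assumptions.

```python
import ipaddress as ip

# Constructed addressing plan and service hosts (assumptions, not from the article).
GUEST = ip.ip_network("172.16.50.0/24")   # guest SSID / VLAN subnet
INTERNAL = ip.ip_network("10.0.0.0/8")    # corporate address space
SHARED = {                                # the only internal services guests may reach
    ("10.0.0.10", "udp", 67): "DHCP",
    ("10.0.0.11", "udp", 53): "DNS",
    ("10.0.0.11", "tcp", 53): "DNS",
    ("10.0.0.12", "udp", 1812): "AAA",
}

def audit(rules):
    """Return (rule number, dst, proto, port) for each allow rule that exposes
    internal space to guests beyond SHARED.

    rules: ordered (action, src, dst, proto, port) tuples; first match wins,
    and a proto/port of None means "any".
    """
    findings = []
    guest_blocked = False  # set once a blanket deny guest -> internal is seen
    for n, (action, src, dst, proto, port) in enumerate(rules, 1):
        src_net, dst_net = ip.ip_network(src), ip.ip_network(dst)
        if not (src_net.overlaps(GUEST) and dst_net.overlaps(INTERNAL)):
            continue  # rule does not touch guest -> internal traffic
        if action == "deny":
            if (GUEST.subnet_of(src_net) and INTERNAL.subnet_of(dst_net)
                    and proto is None and port is None):
                guest_blocked = True
            continue
        host = str(dst_net.network_address) if dst_net.num_addresses == 1 else None
        if (host, proto, port) in SHARED or guest_blocked:
            continue  # permitted shared service, or shadowed by the earlier deny
        findings.append((n, dst, proto, port))
    return findings

# Constructed rule sets. WEAK: the "internet access" rule also matches 10.0.0.0/8.
WEAK = [("allow", "172.16.50.0/24", "10.0.0.10/32", "udp", 67),
        ("allow", "172.16.50.0/24", "10.0.0.11/32", "udp", 53),
        ("allow", "172.16.50.0/24", "0.0.0.0/0", None, None)]
# FIXED: shared services first, then deny guest -> internal, then internet.
FIXED = [("allow", "172.16.50.0/24", "10.0.0.10/32", "udp", 67),
         ("allow", "172.16.50.0/24", "10.0.0.11/32", "udp", 53),
         ("allow", "172.16.50.0/24", "10.0.0.12/32", "udp", 1812),
         ("deny", "172.16.50.0/24", "10.0.0.0/8", None, None),
         ("allow", "172.16.50.0/24", "0.0.0.0/0", None, None)]

if __name__ == "__main__":
    print("WEAK findings:", audit(WEAK))
    print("FIXED findings:", audit(FIXED))
```

Rule order is the point: the same "allow guest to anywhere" rule is flagged in the weak set and harmless in the corrected one because the deny for internal space precedes it.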
Physical Separation of the Guest Network
For this option, you keep the guest traffic off your LAN (Local Area Network) as much as possible. Taking the Logical Separation option to the next level, you can offload the guest WiFi traffic as close to its source as possible, especially if the guest traffic is limited to a well-defined physical area such as a lobby, waiting room, dining hall or arena. Dedicated WiFi Access Points (APs) and Switch/Router ports are all valid approaches, depending on the resources at your disposal.
Though this approach reduces the number of touchpoints that need to be secured, it also quickly racks up substantial capex and opex for a parallel network. That cost constraint prompted the rise of a sub-model inspired by the Managed Services trend for IT risk mitigation. In fact, most of the guest WiFi access infrastructure can be completely outsourced, for free, by leveraging the brand-awareness WiFi Hotspot offering from your local Internet Service Provider (ISP). Essentially, a hotspot node is activated at the business location without added service or equipment cost to the business owner. The benefits of the WiFi hotspot partnership, however, must be carefully weighed against relinquishing all control of the guest WiFi to the ISP.
Whether your IT security policies require a well-crafted technical solution by your staff, or a partnership with the ISP for a free guest WiFi solution, take care in determining the best combination that meets your business objectives without frustrating your stakeholders and guest users. Free WiFi requires striking a perfect balance between budget and usability if it is to serve its purpose.