Wi-Fi Guest Access: Being Courteous And Cautious - InformationWeek

06:15 PM
Dave Molta

Wi-Fi Guest Access: Being Courteous And Cautious

Providing guest access to your WLAN is more than a matter of simple courtesy. It raises all sorts of security and other technology and business issues that can't be ignored.

It's not uncommon for visitors to our lab, which is located on the campus of Syracuse University, to lament the lack of parking. When you drive up to the Center for Science and Technology, you won't find any guest parking spaces out front. There aren't enough parking spaces for faculty and staff, let alone guests. If we plan in advance and jump through all the requisite hoops, we can usually secure a guest pass in advance. Oh, what a pain.

Once our guests have secured parking, and after we've had a chance to critique their PowerPoint pitch or take their latest box for a spin, they inevitably ask for connectivity to the Internet. We accommodate on one of the APs in the lab, often in an ad hoc manner that likely violates university policy. To provide visitors with official wireless guest access would require us to file a formal request in advance and be provisioned with a sponsored guest account. Oh, what a pain.

The issue of guest wireless access is currently the subject of significant internal debate, both at Syracuse University and quite possibly in your organization as well. Some champions of the common man are lobbying for wide open access, the kind of wireless service that most people have at home. That approach doesn't go over so well with information security administrators. Yes, such people exist on university campuses, and most are quite smart. Unfortunately, many are also risk-averse, and it's understandable that they are willing to make life a bit less convenient for everyone to control security exposure.

Ideally, security administrators like to see robust authentication, strong privacy through encryption and a functional audit trail. Modern enterprise WLAN systems deliver all these services, integrating with enterprise identity management and access-control systems as well as leveraging the enhanced wireless capabilities of today's WLAN infrastructure and client operating systems to deliver per-session strong encryption. While this represents real progress, it also makes it tougher for guests to get a temporary parking space on the WLAN.

Input from readers suggests that wireless guest access is a concern for nearly all of them, and vendors--which see the demand but haven't entirely solved the problem--echo that sentiment.

Today's mainstream solution is to take advantage of the VLAN capabilities of your wired and wireless network to establish both a secure internal WLAN, protected by authentication and encryption, and a less secure, more open WLAN that can be used by guests. This isn't the only approach to guest access. Some vendors are focusing on making it easy for legitimate users to provision a temporary guest account on the spot. But the VLAN approach is easier to implement, and it allows guests to connect without assistance from a sponsor in locations like reception areas, where "dead-time" waits often occur.

Enterprises that adopt the VLAN approach still have a number of choices to make. Some have chosen to profit from their guests (or, perhaps more politely, to defray some of the cost associated with providing guest wireless service) by contracting with a hotspot service provider for guest access. This is the modern-day equivalent of the payphone, and many guests are more than willing to spend a few dollars to connect. Still, current fragmentation and low customer penetration in the hotspot market make it relatively unlikely that your guest will already have an account, prompting the process of account provisioning.

Organizations willing to foot the bill for guest access usually terminate the guest wireless VLAN outside the firewall, in their DMZ. Guest users have access equivalent to any external Internet user. Since you are allocating the IP addresses to them, you can implement address-oriented access policies. For example, you might choose to implement a policy that restricts these users from connecting to your internal remote-access VPN gateway, to protect against an inefficient situation where internal users jump on the guest system and connect back into the secure network using a VPN client. Since guest users are for all practical purposes anonymous, you don't have much of an audit trail, but that's the price you pay for easy access. Some network managers have considered terminating the guest wireless VLAN on a network segment that connects to a different ISP, which makes it even easier to establish access policies.
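The address-oriented policy described above can be checked before it is deployed. The following is an added example, not part of the original column: a first-match rule evaluator that audits a guest-VLAN policy and shows how rule order alone can reopen the path to the VPN gateway. The subnets, gateway address, ports and names are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str                   # "allow" or "deny"
    src: str                      # source CIDR
    dst: str                      # destination CIDR
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

# Constructed addressing for illustration (assumptions, not from the article).
GUEST_NET = "172.16.50.0/24"      # pool handed out on the guest VLAN
INTERNAL = "10.0.0.0/8"           # internal networks
VPN_GATEWAY = "198.51.100.10/32"  # remote-access VPN gateway
ANY = "0.0.0.0/0"

INTERNET_ALLOWS = [
    Rule("allow", GUEST_NET, ANY, "udp", 53),
    Rule("allow", GUEST_NET, ANY, "tcp", 80),
    Rule("allow", GUEST_NET, ANY, "tcp", 443),
]
BLOCKS = [
    Rule("deny", GUEST_NET, VPN_GATEWAY),  # no VPN hop back into the secure network
    Rule("deny", GUEST_NET, INTERNAL),
]
GUEST_POLICY = BLOCKS + INTERNET_ALLOWS   # denies evaluated first
MISORDERED = INTERNET_ALLOWS + BLOCKS     # same rules, wrong order

def decide(policy, src, dst, proto, dport):
    """Return the action of the first matching rule; default deny if none match."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in policy:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.proto in (None, proto) and r.dport in (None, dport)):
            return r.action
    return "deny"

def audit(policy, guest_ip="172.16.50.23"):
    """Return descriptions of constructed guest flows the policy wrongly permits."""
    must_block = [
        ("VPN gateway over TCP 443", "198.51.100.10", "tcp", 443),
        ("VPN gateway over UDP 500", "198.51.100.10", "udp", 500),
        ("internal host over TCP 443", "10.1.2.3", "tcp", 443),
    ]
    return [name for name, dst, proto, port in must_block
            if decide(policy, guest_ip, dst, proto, port) == "allow"]
```

With the deny rules first, `audit(GUEST_POLICY)` returns an empty list; with the same rules in `MISORDERED`, the broad TCP 443 allow matches before the denies and two of the flows are reported.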

Whichever approach you take, there is some potential for abuse. In multi-tenant buildings or in urban environments, some wireless guests may turn out to be neighbors who are too cheap to implement their own system or possibly hackers mounting denial-of-service attacks. Good RF design and smarter WLAN products that allow for traffic prioritization can mitigate some of these problems. But in the end, you'll need to accept a little bit of risk to provide wireless services to your visitors. And hey, it's a lot easier than adding more parking spaces.
