
Offer public access without creating a security risk

Are multiple SSIDs a great idea, or too cumbersome?


Q: In a public library environment, what are some methods that would allow us to provide "secure" Wi-Fi access (for Web browsing) to the public, while protecting their privacy and minimising administration time?
- Jeanne, Albany, NY

The Wizards gaze deeply into their crystal ball and respond:

Bob Friday, Airespace
That is a great question, and a timely one, given the launch of the newly constructed Central Library in Seattle a few weeks ago, a flagship for the US national library system. Delivering secure, reliable WLAN services proved tricky in the Seattle Public Library environment, given the difficult radio frequency characteristics of the building, the mobile nature of the user base, and the tendency for millions of books to absorb radio waves. That environment revealed several key “best practices” that might be applicable to your library environment:

- Deploy a system that allows multiple Service Set Identifiers (SSIDs) to run concurrently. A less secure SSID, either completely open or running Web authentication, can be used to provide Web access to library visitors. A more secure SSID, using WPA, 802.1x, or VPNs, could be used for library personnel.
- Your wireless network should deploy radio frequency-related security measures that can dovetail nicely into other wireline security tools. Examples of WLAN-specific security features include rogue AP detection, location and containment; ad-hoc prevention (to protect against client-to-client communication); user blacklisting; location-based access control; and protection from RF-related attacks, such as Man in the Middle and denial of service [read about how to prevent wireless attacks here].
- Real-time management is critical. Due to the difficult RF environment, you should make sure that your WLAN system can adapt to changes in real time. Things like dynamic channel assignment and AP transmit power control will come in quite handy. To minimise administrative burdens, these functions should be ingrained in the system. Relying on site survey tools or scheduled sweeps of the RF could be labour intensive, and may not work as expected when live traffic is flowing across your network.
- Use smart antenna technology, such as beam switching, as a way to improve throughput and WLAN reliability. This might be especially desirable if there is a plan to implement voice services alongside traditional data services, as was done in Seattle.
- Centralised WLAN management is also very important. Being able to visualise the RF will help detect and avoid coverage holes. Having a centralised way of creating and enforcing quality-of-service and security policies will dramatically minimise the time (and resources) you devote to administering your wireless network.

Keerti Melkote, Aruba Networks
The main problem with enhancing security and privacy is that it usually involves client software, or at a minimum, configuration of the client devices. In a public access network, asking patrons to configure settings such as WEP keys is not practical. One promising technology is that of Secure Socket Layer VPNs. The client piece of an SSL VPN is typically downloaded as a browser-based applet, and is ostensibly client operating system independent. Although SSL VPNs are not transparent to all types of protocols, they do allow Web browsing while encrypting traffic over the air.

Marcel Wiget, Chantry Networks
In order to protect privacy for public access, some sort of user or session encryption is required. An obvious choice in an enterprise environment is to use Wi-Fi Protected Access (WPA) combining Temporal Key Integrity Protocol (TKIP) and 802.1x/EAP. Every user, after being authenticated, is given a unique initial encryption key that is changed over time (simplified here, I recommend reading more about this area). In a public environment however, users must be somehow instructed on how to use 802.1x, yet might not have the support in their device for it.

I would recommend using a captive portal without WEP or WPA on one broadcast SSID. This captive portal contains a security warning for using this public access and information on how to use WPA, made ideally available on a hidden SSID. The reason to hide the SSID is not to be “undetectable,” but to make certain that new users don’t end up accidentally on that SSID. Check for wireless systems that either support WPA and captive portal on the same SSID or have multi-SSID support with per SSID authentication and privacy settings.

Rohit Mehra, Bluesocket
Protecting the privacy of library patrons and minimising administration time needn’t be mutually exclusive goals. By adding a wireless infrastructure solution (such as a wireless gateway, switch or appliance) to secure and manage its WLAN, a library can provide: seamless Web-based authentication to enable patrons to log on to the library’s wireless network using their familiar library card number without staff assistance, access control to limit access to library servers and services to only authorised patrons, and bandwidth management to prevent patrons from hogging the airwaves while downloading large files (MP3 files, videos, etc.). This also provides several options for airlink security to protect staff and patrons’ private information, examples being 802.1x, IPSec, L2TP or PPTP. An alternate but cumbersome approach would be to use multiple SSIDs and virtual LANs to segregate public traffic from that of library staff so as not to compromise internal administrative user data.

