Visitors to your company expect the wireless Internet. How do you provide it without security risks?
Steve Lundin has given up on wireless.
Lundin is the founder of the public relations firm BIGfrontier Communications Group (his actual title is "Chief Hunter and Gatherer"). BIGfrontier has many high-tech clients and other visitors who routinely arrive, pop open their laptops, and expect to access the wireless Internet. And, at one time, they could. "We had an open wireless network," Lundin says.
Then one day he read a newspaper article about another local firm offering an open wireless network. In the article, a hacker easily found the signal from outside the building and broke into the company's network. Ironically, the company was Lundin's former employer.
Concerned that BIGfrontier might be similarly vulnerable, he sought advice from the company's tech consultant, who suggested a WPA (Wi-Fi Protected Access) pass code as a security measure. But entering the pass code presented problems for some visitors. "Half the guests could log in using the pass code," Lundin says. "The other half weren't able to override the settings on their computers."
Lundin asked the IT consultant for a different solution, so he provided USB flash drives with the pass code preloaded. This worked better, but the consultant worried that they didn't provide enough security since, for one thing, visitors would leave with the pass code stored on their hard drives.
The next solution was a somewhat costly set of custom-made USB wireless antennas, with the pass code already stored in them. The idea was that visitors could simply plug them in, and go directly online. When representatives from a high-tech security firm arrived for their kickoff meeting, Lundin proudly handed out his new antennas. The visitors plugged them in -- but none of them could go online. As they fiddled, Lundin shot an e-mail to the IT consultant, who instructed him to hand out installation disks.
"So now, in the middle of the kickoff meeting, they're messing around with these disks," Lundin recalls. "The CEO of the client company said, 'This is the worst security I've ever seen! Don't you have a cable?' And so we ran five cables to their five laptops and got everyone online."
Since that day, he says, "We're basically using cables for guests."
Providing wireless Internet for guests is a necessity
This solution may work for BIGfrontier since the company only hosts small groups and everyone's using laptops (as opposed to cameras, PDAs, or other devices which might not have an Ethernet port). But for most businesses, providing wireless Internet to visitors is a necessity, not an option. And, as Lundin's story illustrates, doing so can come with complications and security concerns.
What's a small company to do? Here are some possible alternatives:
Have two wireless networks, a closed one for employees and an open one for guests. This is a common practice for businesses like coffee shops and hotels that offer wireless access to customers. "A VLAN (virtual local area network) can partition a network for different users and different applications," says Kelly Davis-Felner, senior manager at the Wi-Fi Alliance, a global trade association that operates a testing and certification program for Wi-Fi devices and services. Users will see two networks, one open and one locked, when scanning for connections. With a VLAN partition, the open network can be completely isolated from your company's network, meaning visitors won't be able to see confidential information, and any viruses or other malware that might be undetected on their devices won't affect your network.
Require certification and/or authentication. The WPA key that frustrated Lundin is one way to accomplish this. If you go this route, Davis-Felner advises using WPA2, the most recent set of protocols for Wi-Fi certification. But there are other options as well. "We have a solution that allows guests themselves to create their own usernames," says Sean Convery, CTO of Identity Engines. To ensure authentication, the user must enter a mobile phone number to which the password is sent. "If something happens that you don't like, you have a permanent record of exactly who was on the network," Convery notes.
Make users agree to terms of service (TOS). "Most popular firewalls have a captive portal option, or there are several open source products that provide that," Convery says. A captive portal (again, common in hotels and coffee shops) forcibly redirects users' browsers to a splash page with a welcome message and a button to click if they agree to abide by rules on how the network may be used, for instance, not to distribute spam. If you have visitors you don't know well using the network, a TOS may be a worthwhile precaution.
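The two-network VLAN split described above and the captive-portal redirect described in this item can be built on an ordinary Linux access point with hostapd and nftables. The script below is an added example, not configuration from the article or from any of the firms quoted in it. It assumes one radio (wlan0) serving two SSIDs, an uplink eth0 carrying VLAN 10 (corporate) and VLAN 20 (guest), the address ranges 10.10.0.0/16 for the corporate network and 10.20.0.0/24 for guests, and a portal web server listening on the access point at port 8080; all of those names and numbers are assumptions. The corporate SSID is bridged straight onto the corporate VLAN, while guests are routed separately, never allowed to reach the corporate subnet, and have their HTTP requests answered by the portal until the portal has added their MAC address to the "accepted" set.

```shell
#!/bin/sh
# guest-wifi-setup.sh (added example; interface names, VLAN ids, subnets
# and the portal port are assumptions, not values from the article)
#
# Corporate SSID -> br-corp -> eth0.10 (VLAN 10), WPA2-PSK, bridged only.
# Guest SSID     -> br-guest (10.20.0.1/24 on this box) -> routed out eth0.20.
# nftables keeps guests off the corporate subnet and redirects HTTP to the
# captive portal until the client's MAC is in the "accepted" set.

CORP_NET="10.10.0.0/16"
GUEST_NET="10.20.0.0/24"
PORTAL_PORT=8080

write_hostapd_conf() {   # $1 = path of the hostapd.conf to write
    cat > "$1" <<'EOF'
interface=wlan0
driver=nl80211
hw_mode=g
channel=6
# --- corporate SSID: WPA2 (CCMP) with a pre-shared key, own bridge ---
ssid=Corp-Internal
bridge=br-corp
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=REPLACE_WITH_CORP_PASSPHRASE
# WPS stays disabled here; hostapd's push-button mode (the button the
# article mentions) would be wps_state=2 with config_methods=push_button.
wps_state=0
# --- guest SSID: second BSS on the same radio, open, clients isolated ---
bss=wlan0_1
ssid=Guest
bridge=br-guest
ap_isolate=1
wps_state=0
EOF
}

write_nft_ruleset() {    # $1 = path of the nft ruleset file to write
    cat > "$1" <<EOF
# Replaces the whole ruleset; assumes this box carries no other rules.
flush ruleset
table ip guest {
    # MACs that have clicked "I agree" on the portal. The portal adds them:
    #   nft add element ip guest accepted { aa:bb:cc:dd:ee:ff timeout 8h }
    # The set is the "record of who was on the network" kept in one place.
    set accepted {
        type ether_addr
        flags timeout
    }
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Unaccepted guests: every HTTP request lands on the portal page.
        iifname "br-guest" ether saddr != @accepted tcp dport 80 redirect to :${PORTAL_PORT}
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Guests never reach the corporate subnet, accepted or not.
        iifname "br-guest" ip daddr ${CORP_NET} drop
        # Accepted guests may reach the Internet through the guest VLAN.
        iifname "br-guest" oifname "eth0.20" ether saddr @accepted accept
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr ${GUEST_NET} oifname "eth0.20" masquerade
    }
}
EOF
}

apply() {   # Build the interfaces, load the rules and start hostapd (needs root).
    ip link add link eth0 name eth0.10 type vlan id 10
    ip link add link eth0 name eth0.20 type vlan id 20
    ip link add name br-corp type bridge
    ip link add name br-guest type bridge
    ip link set eth0.10 master br-corp        # corporate traffic is bridged, not routed here
    ip addr add 10.20.0.1/24 dev br-guest     # this box is the guest router
    for dev in eth0.10 eth0.20 br-corp br-guest; do ip link set "$dev" up; done
    sysctl -w net.ipv4.ip_forward=1
    nft -f /etc/nftables.d/guest.nft
    hostapd -B /etc/hostapd/hostapd.conf      # hostapd attaches wlan0/wlan0_1 to the bridges
}

case "${1:-}" in
    apply)
        write_hostapd_conf /etc/hostapd/hostapd.conf
        write_nft_ruleset  /etc/nftables.d/guest.nft
        apply
        ;;
esac
```

Run as `sh guest-wifi-setup.sh apply` on the access point; without the argument it only defines the functions. DHCP and DNS for 10.20.0.0/24 (dnsmasq on br-guest, for example) and the portal web server itself are not included; the portal's only job on the firewall side is the `nft add element` call shown in the comment once a visitor accepts the terms, and the `timeout 8h` on that element makes acceptance expire so the next visit sees the splash page again.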
Consider Wi-Fi Protected Setup. Usernames, passwords, and encryption keys can work well for visitors logging on to the network via a laptop or PDA. But what about a visitor using a wireless-enabled device, such as a camera, that doesn't have a keyboard? To address this situation, the Wi-Fi Alliance's new protocol, Wi-Fi Protected Setup (WPS), allows users to be authenticated by pressing a button on the device at the same time as an employee presses a similar button on the access point. The program is new, so not all devices have the button built into them yet, although Davis-Felner says more and more do.
Whatever you do, Convery advises, do make sure visitors have some way to get online. "People will want to connect to the Internet, and they're going to find a way to do it," he says. "They may start plugging into open jacks in the wall. So don't try to prevent it. You'll be fighting an uphill battle."