Feb 23, 2005 (01:02 PM EST)
Wi-Fi Guest Access: Being Courteous And Cautious

Read the Original Article at InformationWeek

It's not uncommon for visitors to our lab, which is located on the campus of Syracuse University, to lament the lack of parking. When you drive up to the Center for Science and Technology, you won't find any guest parking spaces out front. There aren't enough parking spaces for faculty and staff, let alone guests. If we plan in advance and jump through all the requisite hoops, we can usually secure a guest pass in advance. Oh, what a pain.

Once our guests have secured parking, and after we've had a chance to critique their PowerPoint pitch or take their latest box for a spin, they inevitably ask for connectivity to the Internet. We accommodate on one of the APs in the lab, often in an ad hoc manner that likely violates university policy. To provide visitors with official wireless guest access would require us to file a formal request in advance and be provisioned with a sponsored guest account. Oh, what a pain.

The issue of guest wireless access is currently the subject of significant internal debate, both at Syracuse University and quite possibly in your organization as well. Some champions of the common man are lobbying for wide open access, the kind of wireless service that most people have at home. That approach doesn't go over so well with information security administrators. Yes, such people exist on university campuses, and most are quite smart. Unfortunately, many are also risk-averse, and it's understandable that they are willing to make life a bit less convenient for everyone to control security exposure.

Ideally, security administrators like to see robust authentication, strong privacy through encryption and a functional audit trail. Modern enterprise WLAN systems deliver all these services, integrating with enterprise identity management and access-control systems as well as leveraging the enhanced wireless capabilities of today's WLAN infrastructure and client operating systems to deliver per-session strong encryption. While this represents real progress, it also makes it tougher for guests to get a temporary parking space on the WLAN.

Input from readers suggests that wireless guest access is a concern for nearly all of them, and vendors--which see the demand but haven't entirely solved the problem--echo that sentiment.

Today's mainstream solution is to take advantage of the VLAN capabilities of your wired and wireless network to establish both a secure internal WLAN, protected by authentication and encryption, and a less secure, more open WLAN that can be used by guests. This isn't the only approach to guest access. Some vendors are focusing on making it easy for legitimate users to provision a temporary guest account on the spot. But the VLAN approach is easier to implement, and it allows guests to connect without assistance from a sponsor in locations like reception areas, where "dead-time" waits often occur.

Enterprises that adopt the VLAN approach still have a number of choices to make. Some have chosen to profit from their guests (or, perhaps more politely, to defray some of the cost associated with providing guest wireless service) by contracting with a hotspot service provider for guest access. This is the modern-day equivalent of the payphone, and many guests are more than willing to spend a few dollars to connect. Still, current fragmentation and low customer penetration in the hotspot market make it relatively unlikely that your guest will already have an account, prompting the process of account provisioning.

Organizations willing to foot the bill for guest access usually terminate the guest wireless VLAN outside the firewall, in their DMZ. Guest users have access equivalent to any external Internet user. Since you are allocating the IP addresses to them, you can implement address-oriented access policies. For example, you might choose to implement policy that restricts these users from connecting to your internal, remote-access VPN gateway to protect against an inefficient situation where internal users jump on the guest system and connect back into the secure network using a VPN client. Since guest users are for all practical purposes anonymous, you don't have much of an audit trail, but that's the price you pay for easy access. Some network managers have considered terminating the guest wireless VLAN on a network segment that connects to a different ISP, which makes it even easier to establish access policies.
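As an added illustration (not from the original column), the following Python models the address-oriented policy described above as an ordered, first-match rule list: the guest VLAN is denied to the internal VPN gateway and to private address space, then allowed to anything else. All addresses are constructed placeholders from the RFC 5737 documentation ranges, and the iptables rendering is one possible translation, not a vendor's own configuration. It also shows the failure mode of putting the catch-all allow ahead of the specific denies.

```python
# Added example: first-match model of a guest-VLAN egress policy.
# All addresses are constructed placeholders (RFC 5737 documentation ranges).
import ipaddress
from dataclasses import dataclass

GUEST_VLAN = ipaddress.ip_network("203.0.113.0/24")    # guest VLAN terminated in the DMZ (assumed)
VPN_GATEWAY = ipaddress.ip_network("198.51.100.10/32") # internal remote-access VPN gateway (assumed)
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str  # "allow" or "deny"


def evaluate(rules, src, dst):
    """First-match evaluation; anything not matched is denied (implicit default-deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst:
            return r.action
    return "deny"


# Correct ordering: specific denies first, catch-all allow to the Internet last.
GUEST_POLICY = (
    [Rule(GUEST_VLAN, VPN_GATEWAY, "deny")]
    + [Rule(GUEST_VLAN, net, "deny") for net in INTERNAL]
    + [Rule(GUEST_VLAN, ANY, "allow")]
)

# Mis-ordered variant: the catch-all allow comes first, so the denies never match.
BROKEN_POLICY = [GUEST_POLICY[-1]] + GUEST_POLICY[:-1]


def to_iptables(rules, chain="GUEST_FWD"):
    """Render the ordered rule list as iptables commands for a user-defined chain."""
    lines = [f"iptables -N {chain}"]
    for r in rules:
        target = "ACCEPT" if r.action == "allow" else "DROP"
        lines.append(f"iptables -A {chain} -s {r.src} -d {r.dst} -j {target}")
    return lines


if __name__ == "__main__":
    guest, vpn, web = "203.0.113.42", "198.51.100.10", "192.0.2.80"
    for name, pol in (("correct", GUEST_POLICY), ("broken", BROKEN_POLICY)):
        print(name, "guest->vpn:", evaluate(pol, guest, vpn), "guest->web:", evaluate(pol, guest, web))
    print("\n".join(to_iptables(GUEST_POLICY)))
```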

Whichever approach you take, there is some potential for abuse. In multi-tenant buildings or in urban environments, some wireless guests may turn out to be neighbors who are too cheap to implement their own system or possibly hackers mounting denial of service attacks. Good RF design and smarter WLAN products that allow for traffic prioritization can mitigate some of these problems. But in the end, you'll need to accept a little bit of risk to provide wireless services to your visitors. And hey, it's a lot easier than adding more parking spaces.