Manage Learn to apply best practices and optimize your operations.

Securing the wireless guest network: Authentication and management

If you're implementing an enterprise-class wireless guest network, tighter security is crucial. A guest wireless LAN must support better visibility and user control.

As enterprises more commonly offer wireless guest networks, they must gain better visibility and stronger access...

controls based on device type, user role and observed status/behavior.

Early guest wireless LANs were used by creating an open network for Internet access without limitation.  These wireless guest networks were usually assigned their own name --wireless service set identifiers (SSID) -- and mapped onto an isolated Ethernet VLAN. HTTP requests from newly connected clients were sometimes redirected to a captive portal, where guests had to accept "terms of service" before being released onto the Internet. This basic guest access strategy is simple to deploy and maintain, but it doesn't address several thorny challenges posed by enterprise-class guest access.

Here are some challenges of using this type of wireless guest network:

  • Infected devices receive unfettered access to both the guest SSID and VLAN, enabling malware propagation to other clients and exposed network infrastructure.
  • Hackers can try to exploit this largely-unguarded back door to penetrate the corporate network -- for example, by launching Web exploits against the captive portal.
  • Shared network resources -- including wireless channels and backhaul bandwidth -- can be usurped by guests, impacting availability and performance for corporate users.
  • Enterprises lack visibility or control over "data extrusion" through guest networks, such as when a worker jumps onto the open network to bypass corporate SSID filters.
  • Enterprises may not have a reliable way to monitor wireless guest network activity in order to track incidents or unauthorized use back to responsible parties.
  • All guests may be reduced to the lowest common denominator -- HTTP/SSL -- which artificially limits contractor or employee-owned devices that deserve "guest plus" access.
  • Workers may share or re-use their own corporate network credentials or burden IT by requesting additional corporate accounts, in order to circumvent wireless guest network limitations.

Built-in wireless guest network management features

Today, most enterprise WLAN products -- and many SMB products -- offer built-in guest management. Capabilities range from simple captive portals and firewall filters to traffic shaping and unique guest logins that can be generated without IT assistance.

To illustrate, consider guest management capabilities offered by Meraki's Enterprise WLAN Cloud Controller. To create a Meraki guest wireless LAN, configure an SSID with the desired sign-on method, such as a click-through or sign-on splash page. If a sign-on page is chosen, users will be redirected to a customizable portal and must enter a username/password before continuing.

Three options are provided for guest sign-on creation. First, an administrator can configure the guest's account. Second, a Guest Ambassador can add/delete guest accounts but make no other changes. Third, guests can be permitted to request their own accounts on the portal splash page, subject to admin approval. To further empower self-activation, users who have not yet signed on can be given permission to reach a "walled garden" IP range or send non-HTTP traffic.

Controlling user activity for guest wireless LAN security

The next step is to control signed-in guest activity. Start by deciding whether the captive portal should require guests to run antivirus programs. Then configure permitted destinations, ports and/or URLs, optionally tied to bandwidth limits and wired/wireless priorities. Finally, decide whether guest traffic should be bridged onto a VLAN or routed to the Internet, with or without local LAN access. The Cloud Controller can also analyze traffic to show how the wireless guest network is used.

These capabilities are often applied to unencrypted guest wireless LANs, but can also be combined with WPA2 pre-shared keys (PSKs). Requiring a PSK can reduce Denial of Service (DoS) risk and discourage outsider probing. However, conventional PSKs are shared by everyone; they cannot be tracked or revoked for individual guests. But those gaps are addressed by products that issue dynamic, per-user PSKs, such as Ruckus Dynamic PSK (DPSK) and Aerohive Private PSK (PPSK).

For example, Ruckus wireless LANs can be configured to require a unique DPSK for each guest. Anyone with corporate network access can use a Web form to request a Ruckus Guest Pass. Each issued Guest Pass provides printable instructions, including guest name, guest SSID, the guest's unique DPSK and a validity period. These settings can even be auto-installed onto Windows, OS X and iPhone clients that visit a guest portal, eliminating manual configuration or mistakes. Once issued, DPSKs may auto-expire or be revoked, preventing further use without disrupting others.

Device integrity checks on the guest wireless network

These guest management strategies can deliver better visibility and control over wireless LAN access, including what guests can actually do and the resources they can consume. However, more is needed to prevent damage by guest devices that are malware-infected. According to Gartner, managing this risk is the primary driver in three out of four network access control (NAC) deployments.

Stopping infected wireless clients is not just a guest wireless LAN concern. But guest devices pose greater risk because they cannot be managed by IT, usually cannot be forced to install IT-specified programs or settings, and may not even run temporary integrity checkers. For example, a captive portal might use an ActiveX control to quickly verify that guests are running one of several approved anti-virus programs. However, an ActiveX control cannot check non-Windows guests or those using locked-down browsers.

For some organizations, Windows-only guest integrity checks are sufficient -- after all, malware is far more common on Windows. But other organizations may prefer to block guests that can't be checked or tightly limit their traffic (e.g., HTTP only, no intra-LAN traffic). A third possibility is a NAC or IDS product, such as ForeScout, CounterACT or Bradford Network Sentry, that can run network-based checks. NAC appliances like these offer their own guest managers that can be integrated with wireless LAN infrastructure for access rule enforcement, cutting off guests as soon as they behave in a way that indicates risk or would violate policy.

In summary, enterprise-class guest networks should combine efficient user management with controls that tightly enforce conditions of use and compliance. They must also enable incident resolution and deliver usage tracking. These strategies can turn a freewheeling hotbed of who knows what into a well-oiled service that enterprises can comfortably offer to contractors, partners, customers and other approved guests.

About the author: Lisa A. Phifer is president of Core Competence Inc. She has been involved in the design, implementation and evaluation of data communications, internetworking, security and network management products for more than 20 years and has advised companies large and small regarding security needs, product assessment and the use of emerging technologies and best practices.

This was last published in March 2011

Dig Deeper on Wireless LAN (WLAN)