[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now


Wireless Networking Security

Posted on 2005-05-06
Medium Priority
Last Modified: 2013-12-07
I have a client that wants to setup a wireless hotspot in his motel to allow internet access to his guests, working off his existing DSL connection.  What are the necessary components (hardware/software) to support up to 50 simultaneous clients (its highly unlikely that he would ever have 50 clients connected at once but it could happen), with ONLY internet access, and prevents malicious user from doing anything destructive in the environment?  I was thinking about connecting a switch to the DSL modem/router and connecting five wireless access points (placed around the motel to ensure the least amount of dead spots) to the switch.  I am not really sure what to do about security issues though.
Question by:mjirwin
  • 2
  • 2

Expert Comment

ID: 13948524
you need an access point/router that support WPA (better then WEP)

the AP those not broadcast the SSID (you have to tell it to user)
disable DHCP
change the default AP password
256 bit WPA encription (or 128 if not supported)

now... an access point have a 100 metres range on air without obstacles... with wall in the middle it drastically drop down
so.. in this case you need wireless repeators (Hub wireless) or you can put one in the main hall if you want that they can use only there...

Author Comment

ID: 13950656
If there is no DHCP, would that mean that users would have to get an IP address from the front desk, and whoever was working would have to know how to help configure each users laptop?

Accepted Solution

SithLoaded earned 1000 total points
ID: 13952806
The first thing you should do is create a DMZ between the internal network and the AP network.  This will isolate the interal network and the wireless so no one can be destructive.

As far as wireless...

WEP is used as a confidentiality and authentication mechanism.  The WEP encryption protects the data, but you need the WEP key otherwise you can't transmit data.  The problem with WEP is that it can be broken in around 3 minutes.

WPA is a better step forward, but the WPA on most home network APs (Linksys, Netgear, D-Link) is WPA-PSK (WPA with Pre-shared key).  This has been broken with as few as 4 packets.

So where do you go from here?

disabling SSID is a good move, but that can be easily picked up with free tools
disabling DHCP is good to, but one IP subnet can be determined by sniffing the traffic
changing the AP password is good, but you should only manage an AP via SSL (https://) otherwise your password is cleartext....even SSL may not be enough to stop it from being seen...
MAC filtering is good, but it is trivial to spoof mac addresses

What you need is an AP that supports 802.1x (Extensible Authentication Protocol).  With this support you could jail the user in wireless limbo until they authenticate to an access control server (like RADIUS).  Once they are authenticated you could allow them on the network.

The second step would be choosing the IEEE protocol.  802.11A/B/G??

802.11a gets you 54Mbps (More like 22...in the real world), but the customer would need a card that supports 802.11A.  Most customers would probably have a built in 802.11b or 802.11b/g network card.

802.11b gets you 11Mbps (real world like 5) and shares the 2.4Ghz band with microwaves, cell phones, etc.

802.11g gets you 54Mbps (real world like 22) and shares the 2.4 band.  The problem with some G access points is that if a "B" device jumps on it...  The AP goes into "B" mode and the "G" clients go from sharing 54 to sharing 11.

The third step would be to figure out how many APs, what type of antennae, and minimum power settings for the antennae.  You don't want your wireless working across the street.  It should not extend beyond the building to prevent "war driving".

I must reiterate this final point...  CREATE A DMZ between your wireless and internal networks.

Assisted Solution

mastrominchione earned 1000 total points
ID: 13955874
for reply to mjrwin....

disable DHCP is better for security....
they can set manually an IP address in the subnet YOU say them.... you can either tell them exatly the IP you want they use...

those are choice... you ask me for security.. i tell the better for security... if you prefer let all easy to access... so... no security

(i hope this is clear.. becouse my english is not really good eheh)

DMZ like Sithloaded said means Demilitarized Zone, this means you have a trusted (internal) zone protected by an hardware/software firewall... and another zone (wireless) not trusted in the internal one....

MAC filtering is really good.. but that means you have to ask every client for their MAC address and change the setting when they arrive and when they gone...

the MAC address is a setting of the net/wireless card.. it can be changed but you don't want your hotel client to do too much thing for downloading the e-mail i think....


Expert Comment

ID: 13959047

This a question answered previously.  It might give you more ideas.

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
This article will show you step-by-step instructions to build your own NTP CentOS server.  The network diagram shows the best practice to setup the NTP server farm for redundancy.  This article also serves as your NTP server documentation.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…

873 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question