Wireless Networking Security

Posted on 2005-05-06
Last Modified: 2013-12-07
I have a client that wants to set up a wireless hotspot in his motel to allow internet access to his guests, working off his existing DSL connection.  What are the necessary components (hardware/software) to support up to 50 simultaneous clients (it's highly unlikely that he would ever have 50 clients connected at once, but it could happen), with ONLY internet access, and that prevent a malicious user from doing anything destructive in the environment?  I was thinking about connecting a switch to the DSL modem/router and connecting five wireless access points (placed around the motel to ensure the least amount of dead spots) to the switch.  I am not really sure what to do about security issues, though.
Question by:mjirwin
    LVL 2

    Expert Comment

    You need an access point/router that supports WPA (better than WEP).

    The AP does not broadcast the SSID (you have to tell it to the user).
    Disable DHCP.
    Change the default AP password.
    256-bit WPA encryption (or 128 if not supported).

    Now... an access point has a 100 metre range in the air without obstacles... with walls in the middle it drops drastically,
    so in this case you need wireless repeaters (wireless hubs), or you can put one in the main hall if you want them to be able to use it only there...

    Author Comment

    If there is no DHCP, would that mean that users would have to get an IP address from the front desk, and whoever was working would have to know how to help configure each user's laptop?
    LVL 1

    Accepted Solution

    The first thing you should do is create a DMZ between the internal network and the AP network.  This will isolate the internal network and the wireless so no one can be destructive.

    As far as wireless...

    WEP is used as a confidentiality and authentication mechanism.  The WEP encryption protects the data, but you need the WEP key otherwise you can't transmit data.  The problem with WEP is that it can be broken in around 3 minutes.

    WPA is a better step forward, but the WPA on most home network APs (Linksys, Netgear, D-Link) is WPA-PSK (WPA with Pre-shared key).  This has been broken with as few as 4 packets.

    So where do you go from here?

    disabling SSID is a good move, but that can be easily picked up with free tools
    disabling DHCP is good too, but the IP subnet can be determined by sniffing the traffic
    changing the AP password is good, but you should only manage an AP via SSL (https://) otherwise your password is cleartext....even SSL may not be enough to stop it from being seen...
    MAC filtering is good, but it is trivial to spoof mac addresses

    What you need is an AP that supports 802.1x (Extensible Authentication Protocol).  With this support you could jail the user in wireless limbo until they authenticate to an access control server (like RADIUS).  Once they are authenticated you could allow them on the network.

    The second step would be choosing the IEEE protocol.  802.11A/B/G??

    802.11a gets you 54Mbps (More like the real world), but the customer would need a card that supports 802.11A.  Most customers would probably have a built in 802.11b or 802.11b/g network card.

    802.11b gets you 11Mbps (real world like 5) and shares the 2.4Ghz band with microwaves, cell phones, etc.

    802.11g gets you 54Mbps (real world like 22) and shares the 2.4 band.  The problem with some G access points is that if a "B" device jumps on it...  The AP goes into "B" mode and the "G" clients go from sharing 54 to sharing 11.

    The third step would be to figure out how many APs, what type of antennae, and minimum power settings for the antennae.  You don't want your wireless working across the street.  It should not extend beyond the building to prevent "war driving".

    I must reiterate this final point...  CREATE A DMZ between your wireless and internal networks.
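The "create a DMZ" advice above boils down to a firewall policy: guest traffic may go to the Internet and nowhere else. The script below is an added example (not from any poster in this thread) showing that policy as iptables rules for a Linux box sitting between the DSL modem, the motel's internal LAN and the switch feeding the guest APs. Interface names, subnets and the three-interface layout are assumptions for the example; adjust them to the real site. By default it prints the rules for review; run it as root with `IPT=iptables` to apply them.

```shell
#!/bin/sh
# Guest-wireless DMZ firewall (example, not the thread's own configuration).
# Assumed layout:
#   eth0 = toward the DSL modem/router (Internet)
#   eth1 = motel's internal LAN, 192.168.1.0/24
#   eth2 = switch feeding the guest access points, 10.50.0.0/24
# IPT defaults to "echo" so the rules are printed for review; IPT=iptables applies them.
IPT="${IPT:-echo}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
GUEST_IF="${GUEST_IF:-eth2}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
GUEST_NET="${GUEST_NET:-10.50.0.0/24}"

guest_wifi_rules() {
    # Default-deny for traffic crossing the box and for traffic aimed at the box itself.
    $IPT -P FORWARD DROP
    $IPT -P INPUT DROP
    $IPT -F FORWARD
    $IPT -F INPUT
    $IPT -t nat -F POSTROUTING

    # Replies to connections already permitted below, plus loopback.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT

    # 1. The DMZ boundary: nothing arriving on the guest interface may reach the
    #    internal LAN, whatever source address the guest picked. Matching on the
    #    interface defeats a guest who sets a static 192.168.1.x address.
    $IPT -A FORWARD -i "$GUEST_IF" -o "$LAN_IF" -j DROP
    $IPT -A FORWARD -i "$GUEST_IF" -d "$LAN_NET" -j DROP

    # 2. Guests may talk to the firewall box only for DHCP and DNS; its management
    #    services (SSH, web UI) are not reachable from the guest side.
    $IPT -A INPUT -i "$GUEST_IF" -p udp --dport 67 -j ACCEPT
    $IPT -A INPUT -i "$GUEST_IF" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$GUEST_IF" -p tcp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$GUEST_IF" -j DROP

    # 3. Internet only: guest packets whose source really is in the guest subnet
    #    may leave via the DSL side; spoofed sources and everything else are dropped.
    $IPT -A FORWARD -i "$GUEST_IF" -s "$GUEST_NET" -o "$WAN_IF" -j ACCEPT
    $IPT -A FORWARD -i "$GUEST_IF" -j DROP

    # 4. The internal LAN keeps outbound access, can manage this box, and can reach
    #    the AP admin pages on the guest segment (replies return via ESTABLISHED).
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$GUEST_IF" -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -j ACCEPT

    # 5. NAT the guest subnet behind the single DSL address.
    $IPT -t nat -A POSTROUTING -s "$GUEST_NET" -o "$WAN_IF" -j MASQUERADE
}

guest_wifi_rules
```

The ordering matters: the interface-based drop in step 1 comes before the accept in step 3, so a guest cannot reach the LAN even through a route the box learns later, and the final drop in step 3 catches any guest packet the earlier rules did not explicitly allow. DHCP for guests then runs on the firewall box itself, which answers the DHCP debate in this thread: guests get addresses automatically, and the segment they land on still cannot see the internal network.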
    LVL 2

    Assisted Solution

    In reply to mjirwin....

    Disabling DHCP is better for security....
    They can manually set an IP address in the subnet YOU tell them.... or you can tell them exactly the IP you want them to use...

    Those are choices... you asked me about security... I tell you what is better for security... if you prefer to make everything easy to access... then... no security.

    (I hope this is clear... because my English is not really good, heh)

    DMZ, as Sithloaded said, means Demilitarized Zone; this means you have a trusted (internal) zone protected by a hardware/software firewall... and another zone (wireless) that is not trusted by the internal one....

    MAC filtering is really good... but that means you have to ask every client for their MAC address and change the setting when they arrive and when they leave...

    The MAC address is a setting of the network/wireless card... it can be changed, but you don't want your hotel clients to do too many things just to download their e-mail, I think....

    LVL 1

    Expert Comment


    This is a question answered previously.  It might give you more ideas.
