Wireless security solution

I am in a situation where I would like to provide wireless internet access to the patients in our medical facility while they are at the office.  I don't want to run things wide open and unencrypted, but I also don't want a security setup that the average user can't handle or that we will have to spend time helping them set up.  What I was thinking was some sort of dongle or USB type device that would plug into their laptops and allow them onto the network while the device is plugged in.  When they leave they turn in the device.  That way we keep the security of our wireless in 2 ways, both encryption and physical device.  I have tried several unsuccessful internet searches. Does anyone have any idea of a product that would fit this requirement?  Or maybe another solution?

Thanks.
mmisero Asked:

bagged2drag Commented:
I would just supply PCMCIA wireless cards to your patients. Since they will be your cards, just use MAC address filtering on your router. You won't have to use any encryption, but no one will be allowed on your network unless their MAC address is on the list. Of course, I am assuming you will be using laptops. It's as simple as that. Hope this helps. FYI, MAC addresses are as unique as a VIN number on an automobile. Hope this helps!

Lee W, MVP, Technology and Business Process Advisor Commented:
Actually, MAC addresses aren't THAT unique, but I've never run into a duplicate (some of my colleagues have, and they note it can produce WEIRD network issues).

Also, understand, wireless security is a bit like saying military intelligence.  Even the most secure wireless network can be hacked fairly easily, even with MAC address filtering, as a MAC address can be easily spoofed.  If you have to comply with government regulations for securing patient data, I would suggest you create a separate network to provide this wireless access so they are not on YOUR network.

rindi Commented:
If you just give them internet access and no other network access, and your wireless system isn't also connected internally to a LAN, I'd just use a simple WEP key which you change every day and which you supply your guests with. Just make sure you also provide them with some simple rules they should follow so they stay as secure as possible, like disabling file and printer sharing etc., or not to use an administrator account during the surfing. That way your users can use the OS they have on their PC; using a dongle or something like that will probably only work easily with M$ stuff, but there may be others out there, like Mac or Linux users....

decoleur Commented:
you might want to check out this reference for securing wireless access points:
http://www.cisecurity.org/bench_wireless.html

there are many devices that will do what you are looking for but the infrastructure to set up something like what you are talking about can start to add up. Any ideas on the budget for your solution?

A popular recommendation that I see in EE often would be something like an RSA Security SecurID Key Fob which could do it, for $1400+ each... but what do you do if someone walks out with one?

HTH

-t

mmisero Author Commented:
Wow, lots of great information!  It seems the only thing close to what I am after is the Key Fob, but the price tag is prohibitive.    The PCMCIA card idea with MAC filtering might be closer to the budgetary requirements, although, again, the personnel on site are medical staff and would not have the time or ability to help patients through configuring a network card.  The basic plan as conceived is to have a switch on the perimeter; the internal (company) LAN would be firewalled off this switch.  The patient access/wireless AP/router would be connected to the perimeter switch.  Both the firewall and the wireless AP/router will have outside IP addresses.  I don't think we would have government (HIPAA) compliance issues as we don't have to protect the patient's personal equipment, only their medical information that we are in possession of.    A thought occurs to me, does anyone know how hotels handle internet or wireless access?

decoleur Commented:
Just a thought, as you mention your desire to keep it simple... what about wireless USB adapters?

you can configure your access points to allow access by MAC address and provide wireless access to any device by just plugging in a USB based wireless card.

i might even keep them as 802.11b USB adapters, that combined with 802.11g capable routers would possibly provide a higher QOS for everyone.

you could come up with a little laminated instruction card for the configuration, you would be surprised how quickly people will learn about a technology if they think it will provide an advantage.

my mother can get a wireless NIC online but still cannot set the clock on her VCR.

HTH

-t

on the other side about how to go about configuring the end users...

i would put the wireless APs on their own VLAN and NAT them behind a public IP, it won't serve you if you create a path onto your laptops from the outside. What would happen if a utility laptop which is typically used by patients gets co-opted by the doctors for a training session and the key logger that was "accidentally" put on it starts feeding juicy non HIPAA compliant stuff to a Central American website... maybe not so good methinks.

rindi Commented:
I think hotels usually use a RADIUS server for the authentication. This makes sure only those paying for the service get access, and they can then just remove the RADIUS account when the customer has gone. The user logs on with a username and password. The wireless security itself usually isn't set too high, because there is no network to protect; all the connection is for is to connect to the internet. The users must be made aware to follow some simple rules so as not to expose their data on the laptop to others, but that is mainly their business, not yours. You just have to make sure they are aware of that so that they can't sue you later.

If you aren't going to extract a fee for internet usage from your patients, you won't need a RADIUS server, all you need is a daily changing WEP key as I mentioned above, a pamphlet with the name of the access point/points and simple config examples. That will not only allow windoze users to connect via wireless to the internet. Adding extra hardware is often not compatible with other OS's, so leave that out.
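
An added example, not part of the original thread: one way to produce the daily-changing guest key and pamphlet line described in the answer above without inventing a key by hand each morning. It assumes a 104-bit WEP key entered as 26 hex digits; the secret, the SSID `GuestWiFi` and all function names are constructed for illustration.

```python
import hashlib
import hmac
from datetime import date, timedelta
from typing import List

# Constructed sample secret (assumption): generate one random value per site
# and keep it only on the admin workstation, never on the guest network.
SITE_SECRET = b"constructed-sample-secret-change-me"

WEP104_HEX_DIGITS = 26  # 104-bit WEP key = 13 bytes = 26 hex digits


def daily_key(day: date, secret: bytes = SITE_SECRET) -> str:
    """Derive the guest key for one calendar day as HMAC-SHA256(secret, ISO date).

    The same secret and date always give the same key, so the access point
    and the front desk can compute it independently. Knowing one day's key
    does not reveal the secret or any other day's key.
    """
    if not secret:
        raise ValueError("secret must not be empty")
    mac = hmac.new(secret, day.isoformat().encode("ascii"), hashlib.sha256)
    return mac.hexdigest()[:WEP104_HEX_DIGITS].upper()


def pamphlet_line(day: date, ssid: str, secret: bytes = SITE_SECRET) -> str:
    """Format one day's entry for the printed pamphlet, key grouped in fours."""
    key = daily_key(day, secret)
    grouped = " ".join(key[i:i + 4] for i in range(0, len(key), 4))
    return f"{day.isoformat()}  network: {ssid}  key: {grouped}"


def schedule(start: date, days: int, ssid: str,
             secret: bytes = SITE_SECRET) -> List[str]:
    """Pamphlet lines for a run of consecutive days, e.g. one working week."""
    return [pamphlet_line(start + timedelta(days=n), ssid, secret)
            for n in range(days)]


if __name__ == "__main__":
    # Print the coming week's keys for the front desk.
    for line in schedule(date.today(), 7, "GuestWiFi"):
        print(line)
```
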
