Best practices for guest wi-fi networks

by Jeremy Vignaux, VP Technology

Your boss has requested temporary wireless Internet access to a guest in the main conference room - again. This seems to happen every week - or every day - for some IT managers.

Many companies fulfill the guest access requirement by installing a separate wireless access point/router in the conference room and attach it to the corporate Internet connection. Then they write the wireless security key on a sheet of paper and leave it in the conference room. Some folks even write it in the top corner of the whiteboard - I've seen this in many places.

Here are just a few of the things that are very bad about this solution:

  • Once a guest gets access to the wireless network, it is saved on their laptop or other device. If they wanted to, they could sit out in the parking lot (or elevator lobby) and use your Internet connection. Unless you change the security key frequently - and most people don't - you have a security hole.
  • Why is the fact that someone knows your key a security hole? Ask the FBI when they arrive in your lobby asking to talk to the IT manager. They might tell you that they've tracked terrorist or child porn activity to your IP address. Guess who's problem that is - not your guest's. Yep, that's your company's problem.
  • What happens if your guest connects to your Internet with a computer that is infected with all sorts of malware? Suddenly your users are complaining of slow Internet connectivity. It seems that your guest is using 100% of your Internet pipe. Yikes!
  • That wireless Access Point you installed in the conference room is interfering with your corporate wireless APs. Remember that in the 2.4-GHz band, there are only three non-overlapping channels. You just used up a channel in a 300-foot radius around the conference room.

Imagine someone standing outside your conference room screaming at the top of their lungs every few seconds. Offices around the conference room would find it pretty hard to get a word in between screams. That's what the wireless spectrum is like in your office.

Here is what you should do to create a manageable, secure and non-interfering guest wireless network:

  • Use your enterprise Wi-Fi equipment to publish a guest wireless LAN. This will eliminate the interference issue. Enterprise WIFI access points can publish and support multiple SSIDs (wireless network names) simultaneously and connect users to a different network on the back-end depending on which one they choose.
  • Implement a guest portal that asks users to enter a key unique to them and with an expiration date or time. This will eliminate the rogue user using your connection after their "guest" time has expired. Enterprise WIFI systems can create and manage guest access on a per-user basis that could last minutes, hours, days or months.
  • Implement bandwidth limits on this guest wireless network. This limits the amount of Internet traffic that a guest can generate. Protecting your internal users from infected guest machines.

Harbor Networks is a Ruckus Wireless partner. We can show you how wireless should be implemented properly. Ask us anytime.