Guest Wi-Fi and The Small Business Owner

by | May 30, 2017 | Enterprise Networking, Security, UniFi, Wireless | 0 comments

My wife and I recently took a trip to the Outer Banks in North Carolina and through all the stores, restaurants and outlets I started to notice something.  Guest Wi-Fi.

We’ve hooked some of our customers up with the built in Guest network offering from UniFi (which is entirely different than most out of the box setups, I’ll explain in a moment), so I wondered what kind of features these places offered to their guests and how secure their guest wireless was.  Even further, I started taking note of wireless setups in some of the businesses and places we visit around Williamston and the surrounding areas as well.  Here are some of the things I noticed:

Captive Portal

Out of the box systems that are usually a router/wireless AP combo will most of the time offer up a “guest wireless” network, which is usually just an open wireless SSID with no authentication.  Most of the places we visited had this particular configuration, and they advertised it.  One reason I think was because most buildings down there you go in and cell signal dies, and these places want you to be on social media advertising their stuff for them, so they provide free Wi-Fi.  The open network guest option is a big problem.  You have no record of who access your network or what they did while they were on there unless you want to pour through router logs and somehow have the MAC address of their phone.  The other issue is VLAN/subnet restriction from the guest network to the private network, we’ll get to that in a second.  One place in particular that seemed to be doing it right was the Tanger Outlets in Nags Head.  They had what’s called a “captive portal” authentication page where the guest had to put in their email address before they could access the Guest Network. Genius! They now have a record of who accessed the network, AND their email address where they can spam them deals about stores in the outlets, yay!  Captive portal is by far the best way to go and there are several modes to operate a captive portal on.  You can retrieve user information, like name, email address, phone number etc.  You can operate it as a hotspot where guests have to pay for wireless access, or even use a token given to them at check-in or from the front desk.  This gives you control over the people accessing your network.

Network Segmentation

Speaking of out of the box router/wireless combos, the glaring security flaw most of them have is that when you enable that guest network, it may put guests on a separate subnet (i.e 192.168.2.1/24 instead of 192.168.1.1/24) but they likely don’t have a firewall, let alone rules that restrict access from one VLAN/subnet to another.  In this sort of scenario, you better hope you don’t have any kind of private data, storage, file servers etc on that private subnet without some kind of rules in place to restrict access from the public network.  Without those rules, you’re one step away from data theft by somebody just looking to see how far they can get.  There are a few Cisco Small Business devices that offer guest/private network segmentation and restriction.  The great thing about UniFi is that you can entirely restrict guest access to private portions of the network all through the UniFi controller very easily.  Routing tables and rules are automatically built to prevent cross VLAN communication between the two.  Best of all, you broadcast those guest networks and private networks (both 5g and 2.4g) from the same access point, simultaneously.

Coverage

One of the things I noticed about Tanger was that there was a small Dell Access Point in every single store on the boardwalk.  Going off the construction of the buildings, it seemed to me that they were having some sort of coverage issue and had to have that many AP’s just to get decent signal everywhere.  Not so….with that many AP’s you actually create wireless noise, thereby reducing the quality of wireless internet your guests are getting.  That seems to be the case in most places I’ve visited, either way too many AP’s, or only one, nestled back in a corner, hoping that it can handle all the people bombarding it with requests to join all by it’s lonesome.

Wireless noise is a big problem in large places where you have a lot of foot traffic or a bunch of people sitting down to do work or telecommute.  The AP’s basically get in the way of each other and transmission rate, among other things degrades.  Two or three high density AP’s can handle what 6 or 7 regular AP’s can, and then some.  Reduce the noise, increase quality, and allocate each user their own dedicated channel.  This technology is called MU-MIMO. 802.11ac Wave 2 MU?MIMO (Multi?User, Multiple Input, Multiple Output) technology allows a Wave 2 AP to communicate with multiple clients at the same time – significantly increasing multi?user throughput and overall user experience.

So, do you have a small business around town that could benefit from offering guest wireless?  Are you currently offering guest wireless but it’s not set up in the most secure way?  ServantDesign can help.  Let us give you a free site assessment and quote on a new wireless and wired network system.

Share This