• Home
• About Us
  • The Company
  • Philosophy
  • The Group
  • Why TomK Consulting?
  • Staff
  • The VRM Consultants
  • Photo Galleries
• Our Services
  • Consulting Services
  • Featured Services
    • Enhanced Internet Reliability
    • Proactive Systems Management
    • Systems Audit Service
    • Systems Documentation
    • Systems Reliability Bundle
• Testimonials
• Newsletters
• Partners
• Contact Us
  • Privacy Policy
  • Sitemap

March 2015 IT Business Consulting Newsletter

Securely Implement Public WiFi, version 2015

By Tom K

Times have certainly changed since I wrote the original Public WiFi article in July of 2009. Internet bandwidth costs have plummeted, the proliferation of wireless devices has gone through the roof, and the amount of high bandwidth consuming content is extreme.

In this month's newsletter I revisit this still important topic and bring it up to date. If your business doesn't provide public WiFi, or if it hasn't been updated in some time, you need to review this quick read.

Options

Implementing a Public Wireless Hot Spot in your office is a GREAT idea! It is very inexpensive, provides your guests with a nice value add, and can draw walk-ins who will get to experience your wonderful staff, observe your outstanding operation, and potentially leave with a brochure or property listing. It is also a good way to differentiate your business from your competitors!

To do it right, however, the Public Hot Spot has to be COMPLETELY ISOLATED from your private business network.

The simplest, and my recommended, method to achieve this is to lease a separate Internet circuit dedicated to your Public Hot Spot, using a wireless router or a Wireless Access Point plugged into the router. Use your Company name in the WiFi circuit ID (the SSID), put a simple Pass Code on it, and you are good to go.

In the past, this was considered a bit exorbitant as you’d be paying around $1200/yr to dedicate mediocre bandwidth to the public, but at today's pricing you can procure a separate 60 Mb cable circuit in most markets for around $50/month. This method not only completely isolates the public traffic from your business network, it also eliminates public Internet demands from consuming your business Internet bandwidth.

If you do need to keep your costs down, another method is to use your firewall to isolate the Public Hot Spot from your Private network, while securely sharing your company’s existing Internet bandwidth. While this method does isolate the public traffic from your business network, it does give away a portion of your very valuable business Internet bandwidth. Because of the importance of your business Internet combined with the very low costs for today's Internet circuits, I rarely utilize the shared bandwidth method any more. But if you need to, here's how it is done:

Firewalls 101

The primary function of a firewall is to rigorously regulate the traffic coming into your Private business network from the Internet (Public network), and vice-versa. It is like a security checkpoint having two gates, the public gate and the private gate. The firewall rules can granularly control who can come through a gate, and where they can go and what they can do once on the other side. Typically, anyone inside the Private network is allowed to go anywhere in the Public network, but no one from the Public network is allowed inside the Private network, unless they are invited. If they ARE invited, they are only allowed access to very specific resources for very specific purposes.

Most firewalls have a third gate, referred to as the DMZ. The DMZ can be configured in many ways, but for our purposes, it is just another gate with a specific set of rules that allow anyone who is inside the DMZ full access to the Public network, but allows NO access to the Private network. The end result is a very secure means to share your company’s Internet access with your guests, at no additional cost.

Wireless Hot Spot

So now that we have the DMZ gate configured with the proper rules to secure the Private Network, we need to provide wireless devices with hassle-free access to the Internet via the DMZ gate. We simply plug a $60 - $100 Wireless Access Point (WAP) into the DMZ, and configure it for open access. Any wireless device that comes within range will automatically connect.

While true “open access” makes it very simple for anyone to use your Public Wi-Fi, I recommend you set a simple pass code on this network to restrict its use to your guests and staff.

If you want to provide wireless coverage across a wide area, like a large office or your office and your pool area, multiple WAPs can be teamed. A wireless device will lock on to the strongest signal (the closest WAP), so when an WAP team is configured properly a user can walk through your facility using a smart phone or tablet, seamlessly hopping from WAP to WAP, with no signal degradation and no service interruption. Way Cool!

Bandwidth Considerations

So, you are now sharing your precious Internet bandwidth with the Public Hot Spot. What happens when multiple guests start gobbling up all of your bandwidth??? Fortunately, many firewalls include a mechanism that allows us to allocate the maximum bandwidth available to the DMZ, often by percent. If your company has 50 Mb of Internet bandwidth and you set the DMZ throttle at 10%, your guests will have up to 5 Mb and your staff will never have less than 45 Mb. But be aware that in today's Internet world, 5 Mb of shared guest access may be construed as "snail slow".

You might consider bringing in that second Internet circuit as mentioned above. But instead of dedicating it to your Hot Spot, add it to your firewall as a load balanced circuit, which can double your Internet bandwidth while virtually eliminating Internet outages (see my April 2009 newsletter Improving the Reliability & Speed of Your Business Internet Connection for details). If we couple this with percentage based DMZ throttling, using the 10% example, your staff would get at least 90% of the combined bandwidth of both circuits. If one circuit goes down, your staff still gets at least 90% of the bandwidth from the circuit that remains up.

Extra Value Add

Another nice touch we’ve often added when implementing this service is setting up a kiosk for those guests who didn’t bring a laptop, tablet, or smart phone (or dropped their smart phone into the hot tub :) but still need to check email or hit the Internet. This only requires an OK PC with a nice flat panel and an inexpensive $30 - $60 USB wireless adaptor to connect the PC to the Public Hot Spot (or hardwire the PC into to the DMZ), completely isolating it from your private network. To be REALLY appreciated, connect a $100 - $200 color ink jet photo printer to the PC.

Business Network Wireless for Staff

Can you provide secure wireless access to your Private business network for your staff, while providing open wireless access to the Public network for your guests?? Yes!

The Public WAPs plug into the DMZ, and require simple security codes. Your secure Private WAPs would plug into your Private network and require complex security codes. When properly configured, the general public can’t even see or scan your Private WAPs and, as discussed above, the Private WAPs can be teamed to provide seamless coverage over larger areas.

It is important to note, however, that I strongly recommend you DO NOT provide wireless access to your business network unless it is absolutely necessary. When you determine that this is absolutely necessary, make sure there are no other alternatives available. See my March 2013 newsletter "Provide Wireless Access to Business Systems???" which highlights my concerns, but does discuss Best Practices should you find this necessary.

Summary

As you’ve seen, the components required to implement this service, either as an independent circuit or as a shared circuit, are very inexpensive. The implementation itself is not overly complex. The few downsides are easily mitigated. Our clients have seen that the advantages in guest relations and meeting new prospective guests are huge compared to the minimal cost. We recommend you roll it out, advertise it on your web site, and prepare to become appreciated!

If you have any questions concerning securely implementing Public Wireless Hot Spots (or any other topics concerning utilizing your infrastructure to enhance your business), I’d be happy to discuss them with you at your convenience. Feel free to contact me at TomK@TomKConsulting.com, or via my cell 443.310.5110.

Next month I’ll discuss your employees "inviting" malware into your environment and how to stop it, in "Protect you Company From Your Staff"

Home | About TomK | TomK Philosophy | The Group | Why TomK? | TomK Staff | TomK Services | Featured Services |
TomK Testimonials | Newsletters | Partners | Contact | Privacy Policy | Site Map

© 2010 - Present, The TomK Consulting Group. All Rights Reserved.