Having internal Wi-Fi for your business is useful. It reduces the need for Ethernet cabling. Employees can use mobile devices. If your policies allow it, they can use their own personal ones.
You may also want to offer public or semi-public Wi-Fi to visiting customers. It’s an attractive feature that makes your business look a bit friendlier. But be sure not to cross the streams. If visitors and employees use the same network, outsiders can get close to private information that they shouldn’t see. Public and internal users need different access. They need to see different networks.
Many access points offer “guest access” mode. That doesn’t do the job by itself. People using the guest SSID can’t get at the router’s administrative functions, but they have the same network access.
The public side should generally allow nothing more than access to an Internet service provider. People should be able to check their email and access websites. You may want to take them straight to your website when they first connect. You can require them to accept terms before continuing. Setting up web filtering is generally a good idea. That way, visitors can’t as easily visit offensive or dangerous sites while they’re using your Internet connection.
The important thing is that public Wi-Fi must not allow access to your internal network. You may think your servers are protected by other methods, but once people are inside the network, it’s much harder to keep them from stealing information or doing damage. Public access should be strictly separate.
Keeping Separate SSIDs
There are a couple of ways to set up public access, depending on how “public” you want it to be. The starting point is that the public and private access paths need to have separate SSIDs (Wi-Fi service names).
The simplest approach is to set up an SSID with no encryption or password on the public side. This is the way shopping malls and libraries usually do it. The server can set up a gateway for visitors, requiring them to register or agree to terms. Anything they send and receive gets no protection. If they visit secure websites, they’re still secure, but if they send a password as cleartext, anyone can see it.
A more secure and more restrictive approach is to set up an encrypted connection. When you set up the SSID, specify WPA2, which is the current industry standard for security. Users have to receive the password before they can use Wi-Fi. This has the advantage of keeping unwanted visitors out and giving guests more protection.
If you set up a public password, it can be a simple one. You can’t keep it secret anyway. Just make sure to use a strong password for internal access and not let it leak out.
Keeping Separate Networks
As we’ve already mentioned, having separate SSIDs isn’t enough. They need to reach different networks. The private server includes local file access and internal applications. The public server should either present a specialized internal Web server or a gateway to an Internet service provider and nothing more.
The best way to do this is to present a VLAN (virtual local access network) to anyone using the public SSID. The only thing visible on the public VLAN is the Internet gateway or local Web server. Everything else simply isn’t there, as far as the visitor can tell. The chances of being able to get at private information that way are very low.
A VLAN is similar to a subnet. The main difference for this purpose is that a VLAN is set up at the router or switch level. You can use either a router with VLAN functionality or a separate switching device. Each VLAN is configured to go with a particular SSID.
This may sound uncomfortably technical, but once it’s set up, it’s simple to use. Visitors trying to connect will see what looks like two separate Wi-Fi hotspots. One of them should have an inviting name like “Our Company’s Public Access” so they know which one to use. The other should have its password carefully restricted so that they can’t get into it even if they’re curious. An employee only has to enter it once on a given device, and after that, it will connect automatically.
If you use a password for public access, you can hand it out on cards or even put it up on a sign. While you don’t want it overused, it’s not devastating if someone uses it who shouldn’t.
Using a Separate Machine
A simpler approach, though it isn’t as flexible, is to set aside a computer for public access. It isn’t connected to your internal network. It has its own Wi-Fi router, firewall, and Internet connection. With this approach, your private data is well protected, and it’s hard to make a damaging mistake configuring the server.
The downside is that you can’t manage it from your local network, only through the dedicated machine. Also, it requires you to use a separate router. Its Wi-Fi may need repeaters if you want to cover a wide area. If you have a small IT operation, these may not be problems.
If you go this route, don’t economize too much. It could be tempting to use a cast-off computer for public access, but you don’t want one so old that it provides second-rate service. Older machines may not be able to get the latest security upgrades. Even if all it does is provide a pass-through service, it could get infected by malware and cause trouble. Be sure it’s maintained as well as your other systems.
Wi-Fi Separation with Managed Services
Setting up separate public and internal Wi-Fi isn’t terribly difficult, but it requires some familiarity with network configuration. A managed service provider can easily set up dual Wi-Fi services so that your visitors have the convenience of public access and your business doesn’t compromise its security in the process.
Talk with us about how we can help to set up your network so it efficiently provides all the functionality it needs. With managed services, you can concentrate on your business while we keep your network running.