Today, most enterprise-class WLAN products and many SMB products offer built-in guest management capabilities. From simple captive portals and firewalls to traffic shaping and unique guest logins, such products can automate guest access without IT assistance.
For example, let's look at the guest management capabilities provided by Meraki's enterprise-class WLAN cloud controller. To create a Meraki guest wireless LAN, we start by configuring an SSID with a splash page option, such as click-through or sign-on. If you select the sign-on splash page, users are redirected to a custom portal, where they log in by entering a username and password.
There are three options for creating guest accounts. First, the administrator can configure guest accounts. Second, a guest representative can add and delete guest accounts but cannot make other changes. Third, guests can be allowed to create their own accounts on the portal sign-in page, subject to administrator approval.
Controlling user activity to secure the guest wireless LAN
The next step is to control the activity of logged-in users. Consider having the captive portal require users to run antivirus software. Then set the allowed destinations, ports and URLs, optionally adding bandwidth throttling and wired/wireless properties. Finally, decide whether guest traffic should be bridged to a VLAN or routed to the Internet, and whether local area network access is allowed or denied. The cloud controller can analyze traffic to show how the wireless guest network is being used.
These features are typically used on unencrypted guest wireless networks, but they can also be combined with WPA2-PSK to add encryption. Setting a PSK can reduce denial-of-service attacks and keep out external probes. However, a traditional PSK is shared by every user, so individual guests cannot be tracked or revoked. Some products solve this problem by issuing a dynamic PSK to each user, such as Ruckus DPSK and Aerohive PPSK.
For example, a Ruckus wireless LAN can be set to give each guest a unique DPSK. Anyone with access to the corporate network can request Ruckus guest access through a web form, and each guest access that is issued comes with instructions that can be printed, including the guest name, the guest SSID, the guest's unique DPSK, and the expiration date. These settings can even be installed automatically on Windows, OS X, and iPhone clients, avoiding manual setup and possible errors. Once in effect, the DPSK will expire automatically or can be revoked without interrupting any other user.
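The per-guest key lifecycle described above (unique key, expiry, revocation that leaves other guests alone), as an added Python example that is not Ruckus or Aerohive code. `GuestKeyRegistry`, the SSID and the guest names are hypothetical, and the lookup by passphrase stands in for the key matching a real access point performs during the WPA2 handshake.

```python
import hashlib
import secrets

SSID = "Guest-WiFi"  # constructed SSID for this example


def pmk(passphrase: str, ssid: str = SSID) -> bytes:
    """WPA2-Personal key derivation: PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


class GuestKeyRegistry:
    """Hypothetical per-guest PSK store: each key has one owner and one expiry."""

    def __init__(self):
        self._keys = {}  # PMK -> (guest name, expiry as epoch seconds)

    def issue(self, guest: str, now: float, ttl_seconds: int) -> str:
        passphrase = secrets.token_urlsafe(16)  # 22 chars, unique per guest
        self._keys[pmk(passphrase)] = (guest, now + ttl_seconds)
        return passphrase  # would be printed on the guest's instruction sheet

    def revoke(self, guest: str) -> int:
        """Delete every key owned by one guest; other guests are untouched."""
        doomed = [k for k, (g, _) in self._keys.items() if g == guest]
        for k in doomed:
            del self._keys[k]
        return len(doomed)

    def authenticate(self, passphrase: str, now: float):
        """Return the owning guest's name, or None if unknown, revoked or expired."""
        key = pmk(passphrase)
        entry = self._keys.get(key)
        if entry is None:
            return None
        guest, expires = entry
        if now >= expires:
            del self._keys[key]  # purge expired keys when they are presented
            return None
        return guest  # unlike a shared PSK, the session is attributable


def demo():
    reg, t0 = GuestKeyRegistry(), 1_700_000_000  # constructed timestamp
    alice = reg.issue("alice (contractor)", t0, ttl_seconds=8 * 3600)
    bob = reg.issue("bob (visitor)", t0, ttl_seconds=3600)
    seen = [reg.authenticate(alice, t0 + 60), reg.authenticate(bob, t0 + 60)]
    reg.revoke("bob (visitor)")                          # cut off one guest only
    seen.append(reg.authenticate(bob, t0 + 120))         # revoked
    seen.append(reg.authenticate(alice, t0 + 120))       # unaffected
    seen.append(reg.authenticate(alice, t0 + 9 * 3600))  # past expiry
    return seen
```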
Device integrity checks on guest wireless networks
These guest management policies can provide good visibility and control on a wireless LAN, including what guests can access and what resources they can use. However, more needs to be done to prevent the damage caused by infected guest devices. According to Gartner, three-fourths of network access control deployments are designed to deal with such threats.
Although blocking infected wireless clients is not something that only guest wireless LANs need to do, guest devices can pose a greater risk because they are not managed by the IT department. They generally cannot be forced to install the software or configurations that IT requires, or even to undergo temporary integrity checks. For example, a captive portal might use an ActiveX control to quickly see whether a guest is running licensed antivirus software. However, an ActiveX control cannot inspect non-Windows guest devices or locked-down browsers.
For some businesses, integrity checks on guests using Windows are sufficient; after all, viruses are more common on Windows. Other companies may be tempted to block guests whose devices cannot be checked, or to restrict them (e.g., HTTP only, no access to the intranet). The third possibility is to use NAC or IDS products, such as ForeScout CounterACT or Bradford Network Sentry, to run web-based checks. NAC devices can be integrated into existing wireless network infrastructure to give guest management access control policies under which a client's access is severed immediately if a virus threat or policy violation is detected on that client.
In short, the enterprise guest network must have efficient user management controls that conform to enterprise policy. It must also provide a way to respond to emergencies and an effective tracking scheme. With these strategies, companies can safely provide network access to contractors, partners, customers, and other authorized guests without fear of not knowing what to do.