Q. I run a small IT consulting business in the New York area. One of my clients approached me with a project that I’m not certain how to go about implementing. I was hoping you might be able to point me in the right direction.
This particular client runs a sports car club and is interested in setting up a Wi-Fi hotspot for his club members to use. Since the club’s network is already equipped with a high-speed Internet connection, the owners thought they could accomplish this by simply adding a wireless access point to the network. While this solution would provide the members with wireless access, it does create a few problems.
For instance, this approach would give all of the members on the wireless network access to the corporate network. While members shouldn’t be able to access the corporate servers directly, they would still be on the company’s private network, which increases the chances of security breaches and virus infections. Also, since this wireless link is part of the corporate network, it would need to be secured. This means either using WEP or preferably WPA. However, by securing the network in this fashion, the club would then need to assist in configuring every member’s laptop or PDA device before they could use it. So this isn’t a cost-effective solution.
Additionally, they might want to charge a small fee for this service, but using the access point approach, there is no way to regulate when users can get access or manage how long they can stay online. The only other thing I can think of would be to bring in another Internet connection and use that one exclusively for the wireless network. That would solve the security issue, but still does nothing for managing the user accounts.
Admittedly, hotspots are a bit outside my field of expertise, and I don’t know if there is any way to securely set up a hotspot using an access point on a corporate network. I know there are large vendors that specialize in this sort of thing, but this is a relatively small club and they don’t want to spend a fortune on this project. Can you tell me if there is a way for me to securely set up a hotspot that uses the existing Internet connection, but that also prevents users from accessing the corporate computers?
A. With the explosive growth of hotspots, I’m surprised a question like this hasn’t come up before. Like you, I’m not overly familiar with all of the details involved in setting up a hotspot. However, I agree that just adding an access point to the company network is a bad idea. Even if the club members themselves have no malicious intent, it still represents a security risk. Plus, to have to troubleshoot and support every wireless device that comes through the door would be a nightmare.
The second Internet connection you mention would be a better alternative because it would keep it independent of the company network, but why incur the added expense of another line if you don’t need to — not to mention that this approach doesn’t address your manageability issues. I’m sure there are many ways to accomplish your task, but I think I know of a simple solution.
Recently, I came across something that might be perfect for this situation, providing that you’ll never need to have more than 50 users online simultaneously. D-Link has a product called the Airspot DSA-3200 Wireless G Public/Private Hot Spot Gateway. It has a street price of about $500 and allows business owners to provide users with either free or fee-based public wireless network access, while at the same time providing secure, private ports for use with the company network.
The DSA-3200 is a secure wireless hotspot gateway designed to create separate networks through 802.11g wireless connectivity and its two integrated public and private ports. This gateway creates a public 802.11g wireless network for wireless clients and a public LAN network — so both wired and wireless patrons can access a free or fee-based broadband Internet connection. Through the private port, hotspot operators can be assured that their private and confidential information remains secured from public access. And depending on the establishment size and network deployment needs, you can add switches and additional access points to expand the networks to provide full wireless coverage.
Business owners maintain full control over their hotspot service using the DSA-3200’s wide variety of advanced features. This gateway manages up to 250 user accounts in its internal database and supports up to 50 concurrent online users. Additional features include user bandwidth control, network policy enforcement, customizable user timer, customizable login/logout Web page, online traffic monitoring and URL redirection. The DSA-3200 also supports NAT IP Plug and Play (IP PnP), which allows any network-ready computer to connect to the Internet without having to change their static IP configurations.
Venues offering public Internet access with unsupervised log-ins risk the possibility of non-patrons accessing the Internet. In order to prevent unauthorized users from accessing the public hot spot service, the DSA-3200 Wireless G Public/Private Hot Spot Gateway supports Authentication, Authorization and Accounting (AAA) to ensure all wireless users have the correct right to connect. The DSA-3200 also supports internal user authentication as well as a RADIUS client for larger-scale hotspot networks. For the private network, the integrated DHCP server and firewall with Denial of Service (DoS) Protection safeguard the network from malicious attacks and hackers.
Hotspot operators can easily manage the DSA-3200 unit and all its provided features via its Web-based configuration utility. The interface is intuitive enough for anyone managing the hot spot venue to use and reconfigure settings if necessary.
In addition, by adding a DSA-3100P Ticket Printer to your hotspot setup, you can configure and manage user accounts at the touch of a button. The DSA-3100P prints login tickets and dynamically adds user accounts to an internal database. This gives hotspot operators the capability to offer, manage and control access to their public Internet connection (whether it is free or fee-based). The DSA-3100P Ticket Printer helps ensure that all users accessing your hotspot are authorized.
I think this would be the best solution for your situation. It’s relatively inexpensive, gives you plenty of flexibility and can be implemented pretty quickly. The only drawback is that it’s rated to support only 50 simultaneous users. For anything more than that, you’ll have to go with a larger wireless provider such as Aruba Networks, but that will undoubtedly be a more expensive solution. In any event, I hope you find this information helpful. Good luck!
Reprinted from PracticallyNetworked.