Over the years I have configured guest/visitor wireless access for a number of customers, and in every instance there have been five decision points that have delayed the implementation:

  • What information do we need/want to gather from the visitor before allowing them in?
  • What terms and conditions do we want them to agree to before allowing them in?
  • What level of internet protection do we apply to the visitor guest connection?
  • What level of protection do we apply to the wireless connection itself?
  • Do we throttle the connection?

Each of these five decisions should be made by the business sponsor of the visitor access, not the IT team responsible for implementing the solution.  Let's look at each of these in detail.

What information do we need/want to gather from the visitor before allowing them in?
There are a number of underlying questions here, including: what info are we going to ask for; how much of it will be compulsory; when we get it, what are we going to do with it; what is the business value of this data?
A lot of businesses collect name/email/company data from visitors "just because they can", with no intention of using any of this data in any productive way.  They have to consider the need of the business to collect the data vs the inconvenience to the visitor in filling in the form.  My advice has always been to collect the minimum necessary data to satisfy the business, remembering that if you are collecting data you are required to protect it.

What terms and conditions do we want them to agree to before allowing them in?
There is a general requirement to "cover your butt" when providing any form of internet access, whether it be to staff or visitors.  Make sure you get the corporate legal team involved, and get them to sign off on a general wireless disclaimer.  It is a lot faster if you can give them a draft to agree upon, rather than asking them to come up with something from scratch.  The rider on having terms and conditions is having some way to "prove" that the visitor has seen and agreed to the Ts&Cs.  Is just having them available to view enough, or do you want/need the visitor to "click through" to force them to at least see the first few lines, or do you have a "positive affirmation" tick box process that will not let them connect unless they acknowledge the terms?
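The "positive affirmation" option above needs something it can point to later as evidence. The following is an added example (not code from the original post) of how a captive portal might handle the form submission: it refuses unless the tick box was set and the page reported that the terms were scrolled to the end, pins the exact wording the visitor saw by hashing the T&C text, and signs the resulting record with an HMAC so it can be kept as an audit entry. The form field names, the signing key and the terms text are all constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed server-side secret for this example; a real portal would load it
# from a secret store rather than keep it in source.
SIGNING_KEY = b"example-portal-consent-key"


def terms_version(terms_text: str) -> str:
    """Pin down exactly which wording the visitor saw: SHA-256 of the T&C text."""
    return hashlib.sha256(terms_text.encode("utf-8")).hexdigest()


def _canonical(record: dict) -> bytes:
    # Stable serialisation so the signature covers the same bytes on verify.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def record_consent(form: dict, terms_text: str, client_mac: str,
                   require_scroll: bool = True, now: Optional[datetime] = None,
                   key: bytes = SIGNING_KEY) -> dict:
    """Positive-affirmation check for a captive-portal form submission.

    Refuses unless the tick box was set and, if require_scroll is on, the page
    reported that the visitor scrolled the terms to the end (the click-through
    step). Returns an HMAC-signed record that can be kept as evidence.
    """
    if form.get("accept_terms") != "on":            # an HTML checkbox sends "on" when ticked
        raise ValueError("terms not accepted")
    if require_scroll and form.get("terms_scrolled_to_end") != "1":
        raise ValueError("terms not viewed")
    stamp = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    record = {
        "client_mac": client_mac,
        "accepted_at": stamp.isoformat(timespec="seconds"),
        "terms_sha256": terms_version(terms_text),
        "affirmation": "checkbox+scroll" if require_scroll else "checkbox",
    }
    record["sig"] = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return record


def verify_consent(record: dict, key: bytes = SIGNING_KEY) -> bool:
    """True only if the record was signed with key and has not been altered since."""
    body = {k: v for k, v in record.items() if k != "sig"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(record.get("sig", "")))


if __name__ == "__main__":
    # Constructed terms text and form submission.
    TERMS = "Guest Wi-Fi terms v1: the network is open and unencrypted; use at your own risk."
    form = {"accept_terms": "on", "terms_scrolled_to_end": "1"}
    rec = record_consent(form, TERMS, "02:00:00:00:00:01")
    print(json.dumps(rec, indent=2))
    print("verifies:", verify_consent(rec))
```

Storing the hash of the terms, rather than just "accepted = yes", matters when legal later revises the wording: each record still shows which version the visitor agreed to. The MAC address is the only identifier recorded here, in keeping with the minimum-data advice in the previous section.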

What level of internet protection do we apply to the visitor guest connection?
It's a toss-up between this one and the Ts&Cs as to which one causes the most delays.  How restrictive (or open) do you want to be with your guest connection?  What liability do you want to accept?  It goes without saying that the visitor internet link should go through some form of (modern) firewall, and if you can, the link should enforce anti-virus and anti-malware scanning, but how far should you go?  Do you configure URL filtering to prevent visitors from connecting to "bad" sites, and what constitutes a "bad" site?  A lot of organisations I have worked with apply the same level of URL filtering to the visitor network as is applied to the internal staff network, mainly because this requires the least amount of thinking and discussion, and it is easy to get past the governance people.

The issue that is starting to make itself felt at the moment is the great internet security bypass port, otherwise known as port 443 (https).  Should internet traffic for visitors be decrypted and examined for malicious traffic or should it be let through with no content inspection?  The answer is - it depends.  It depends on your level of paranoia, it depends on whether your firewalls have enough spare CPU cycles to perform the decryption and inspection, it depends on your industry and how savvy your visitors are likely to be.

This subject has a second question - what network ports or protocols should be allowed over the visitor connection?  Some customers only want visitors to be able to browse the internet, others want their visitors to be able to "work" whilst connected to their visitor network, which implies allowing VPN connections, cloud connections, SIP/voice and other productivity applications.  Again, this sort of discussion needs to be held right at the very beginning, when the business is deciding WHY it is providing visitor access at all.

What level of protection do we apply to the wireless connection itself?
This answer will change in the next few years.  At the moment it is pretty easy: WPA2 Personal or None.  WPA2 Personal will require that the visitor reconfigures the wireless connection on their end device to allow it to connect, and this can be an issue with technology-challenged visitors.  If you go down this route, be prepared to have your reception team or IT help desk involved in reconfiguring visitor devices.  The alternative is no encryption on the wireless (known as Open).  This is the normal default for most public hotspots, airline lounges and places like that, and requires that the visitor make no changes to their wireless configuration to connect.  Just be sure that the Ts&Cs (see above) make it very clear that the wireless network traffic is in the clear, that anyone can sniff or capture the data, and that the organisation makes no guarantees around the security of their data.

In the next couple of years, we will see the introduction of WPA3 (Aruba has already announced availability), which is a new technical standard that will create a private encrypted connection for each visitor, without them having to enter any local keys (which is what WPA2 Personal requires).  WPA3 will require changes to the hardware and/or drivers on both the access point and client sides, so it will take a while to become standard.

Do we throttle the connection?
How much of our internet bandwidth do we allocate to our visitors?  Often organisations will use their corporate internet connection to deliver their visitor network connection.  There are two big issues with this: bandwidth and reputation.  Too many visitors, or visitors doing too much, can eat internet bandwidth quickly, so there needs to be a way to throttle the connection; either on an aggregate connection basis (visitor wireless can only use 10% of the internet connection, no matter how many visitor wireless users there are), or on a per user/visitor basis (each visitor gets only 100Kb/s of internet access), or if you are lucky your wireless system will let you mix and match throttling in more intelligent ways.
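To make the "mix and match" option concrete, here is an added example (not from the original post, and not how any particular wireless controller implements it) that models both policies at once as a two-tier token bucket: a packet from a visitor is forwarded only if the visitor's own bucket (100 kbit/s) and the shared visitor-network bucket (10% of an assumed 100 Mbit/s link) can both pay for it. The link size, burst allowances and the simulated traffic are all constructed for the example; it goes a little beyond the paragraph by showing which cap ends up binding with one visitor versus many.

```python
from typing import Dict

# Constructed figures matching the paragraph: a 100 Mbit/s corporate link, visitors
# capped at 10% of it in aggregate, and 100 kbit/s per visitor.
LINK_BPS = 100_000_000
AGGREGATE_SHARE = 0.10
PER_VISITOR_BPS = 100_000


class TokenBucket:
    """Token bucket in bits: refills at `rate` bits/s up to `burst` bits."""

    def __init__(self, rate: float, burst: float, now: float = 0.0):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, now

    def _refill(self, now: float) -> None:
        self.tokens = min(self.burst, self.tokens + max(0.0, now - self.last) * self.rate)
        self.last = now

    def has(self, bits: float, now: float) -> bool:
        self._refill(now)
        return self.tokens >= bits

    def take(self, bits: float) -> None:
        self.tokens -= bits


class GuestShaper:
    """Two-tier limiter: a packet is forwarded only if BOTH the sender's own bucket
    and the shared visitor-network bucket can pay for it."""

    def __init__(self, link_bps: float = LINK_BPS, share: float = AGGREGATE_SHARE,
                 per_visitor_bps: float = PER_VISITOR_BPS, now: float = 0.0):
        agg = link_bps * share
        self.aggregate = TokenBucket(agg, agg * 0.1, now)      # 100 ms of burst in total
        self.per_visitor_bps = per_visitor_bps
        self.per_visitor_burst = per_visitor_bps * 1.0          # 1 s of burst per visitor
        self.visitors: Dict[str, TokenBucket] = {}
        self.dropped: Dict[str, int] = {}

    def admit(self, visitor: str, nbytes: int, now: float) -> bool:
        bits = nbytes * 8
        bucket = self.visitors.get(visitor)
        if bucket is None:
            bucket = self.visitors[visitor] = TokenBucket(
                self.per_visitor_bps, self.per_visitor_burst, now)
        # Check both tiers before debiting either, so a visitor refused by its own
        # cap does not eat into the shared allowance.
        if bucket.has(bits, now) and self.aggregate.has(bits, now):
            bucket.take(bits)
            self.aggregate.take(bits)
            return True
        self.dropped[visitor] = self.dropped.get(visitor, 0) + nbytes
        return False


def simulate(n_visitors: int, seconds: float, pkt_bytes: int = 1500,
             interval: float = 0.001) -> Dict[str, int]:
    """Every visitor offers one pkt_bytes packet every `interval` seconds (far more
    than either cap allows). Returns bytes actually delivered per visitor."""
    shaper = GuestShaper()
    delivered = {f"visitor{i}": 0 for i in range(n_visitors)}
    for step in range(round(seconds / interval)):
        now = step * interval
        for v in delivered:
            if shaper.admit(v, pkt_bytes, now):
                delivered[v] += pkt_bytes
    return delivered


if __name__ == "__main__":
    one = simulate(1, 10.0)
    print("one visitor, 10 s:", sum(one.values()), "bytes delivered (per-visitor cap binds)")
    many = simulate(200, 2.0)
    print("200 visitors, 2 s:", sum(many.values()), "bytes delivered (aggregate cap binds)")
```

With a single visitor the 100 kbit/s bucket is the limit and the shared allowance is barely touched; with two hundred visitors each one's own bucket has plenty of tokens, but the shared bucket caps the total at 10 Mbit/s, which is the behaviour the aggregate policy is meant to guarantee for the staff side of the link.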

The visitor reputation issue is where a visitor uses your (free) wireless connection to conduct activities that generate a lot of low-reputation activity, such as sending spam.  If this spam traffic is noticed by some of the internet reputation services out there, the corporate internet connection may be blacklisted for valid email connections, and it can take some time to get some of these blacklistings removed.

If it can be arranged, a dedicated and low cost visitor internet connection removes these issues, protecting business internet traffic from visitor volume, and removing the reputational risk.

To reiterate, the delivery of visitor or guest wireless is a business decision, and it is our job to help the business decision makers understand the impact of their decisions, and to guide them in coming up with a workable, stable visitor wireless access service that will enhance the bottom line.