If you are setting up a commercial hotspot, you should get the advice of the Wi-Fi network provider you will be working with in planning the hotspot (unless you expect to be doing service provisioning yourself). You should also know that a number of turnkey "put up a hotspot" kits are available, which you can buy and not have to think about further.
Suppose that you have a small office with a network and want to set up a public Wi-Fi hotspot. The single most important requirement is that people who use the Wi-Fi hotspot should not be able to access the office network. This is important because it maintains the integrity (and security) of the office network. It's easy to imagine needing this in real life, even if you are not out to compete with Starbucks.
For example, suppose that you run a small engineering business that sometimes uses part-time consultants. The consultants use your home office on occasion and need access to the Internet for their email and other uses. But you don't want to give them access to the resources in your private network, including the personal documents on your computers.
There are many ways to set up a network to provide Internet access without also providing access to your personal network. Which method to use depends on the precise functionality required and the level of security needed.
The key concept used to protect the private network is the DMZ. DMZ is a term borrowed from the military that is short for demilitarized zone. In networking terms, it means a computer or subnetwork sitting between an internal network that needs to remain secure and an area that allows external access, for example, a Web server or a Wi-Fi hotspot.
Figure 14.19 shows a simple model of a DMZ that uses firewalls to protect the private network both from the Internet and from users of the public Wi-Fi hotspot.
Figure 14.19. You can use a DMZ to protect a private network from users who have access to the public hotspot connected to the network.
The beauty of this network topology is that anyone can use the access point and wireless Internet connectivity without you having to worry about the safety or security of your private network.
If you think that you need to set up a DMZ, perhaps because you will be giving users Wi-Fi Internet access but want to make sure that they cannot put your private network at risk, start by installing a firewall for your network, as I explain in Chapter 18. Next, read the firewall vendor's documentation to understand how best to set up your firewall.
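The isolation requirement behind the DMZ can be written down as a set of probe flows and checked against a firewall's forwarding policy before the hotspot goes live. The sketch below is an added example, not from the book or any firewall vendor: the subnets, rule lists and probe addresses are constructed, and the rule model (stateless, first match wins, default deny) is a simplifying assumption.

```python
import ipaddress

# Constructed addressing plan (assumption, not from the book).
PRIVATE = ipaddress.ip_network("192.168.1.0/24")   # office LAN behind the firewall
HOTSPOT = ipaddress.ip_network("192.168.50.0/24")  # public Wi-Fi segment in the DMZ
ANY = ipaddress.ip_network("0.0.0.0/0")

# Forwarding rules as (action, source, destination); first match wins.
WEAK = [
    ("allow", HOTSPOT, ANY),      # "any" silently includes the office LAN
    ("allow", PRIVATE, ANY),
]
HARDENED = [
    ("deny", HOTSPOT, PRIVATE),   # must sit above the broad allow
    ("allow", HOTSPOT, ANY),
    ("allow", PRIVATE, ANY),
]

# Flows the design must permit or block: (label, source, destination, expected).
PROBES = [
    ("hotspot guest -> Internet", "192.168.50.23", "203.0.113.10", "allow"),
    ("hotspot guest -> office file server", "192.168.50.23", "192.168.1.10", "deny"),
    ("office PC -> Internet", "192.168.1.20", "203.0.113.10", "allow"),
    ("Internet -> office PC", "203.0.113.10", "192.168.1.20", "deny"),
]

def decide(rules, src, dst):
    """Return the action of the first matching rule, or 'deny' if none match."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if src in src_net and dst in dst_net:
            return action
    return "deny"

def audit(rules):
    """Return the labels of probes the rule set gets wrong."""
    return [label for label, src, dst, want in PROBES
            if decide(rules, src, dst) != want]

if __name__ == "__main__":
    for name, rules in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, "violations:", audit(rules) or "none")
```

The weak rule set fails only the guest-to-file-server probe, which is exactly the access the DMZ exists to prevent; swapping the first two hardened rules reintroduces the same failure.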