Suppose you have a small office with a network, and want to set up a public Wi-Fi hotspot. The single most important requirement is that people who use the Wi-Fi hotspot should not be able to access the office network.
There are many ways to set up a network to do this, depending on the functionality that is required. Also, if you are setting up a commercial hotspot, you should get the advice of the Wi-Fi network provider you will be working with in planning the hotspot (unless you expect to be doing service provisioning yourself). You should also know that there are a number of turn-key "put up a hotspot" kits available, which you can buy and not have to think about further.
In any case, the key concept for protecting the private network is the DMZ. DMZ is a term borrowed from the military and is short for demilitarized zone. In networking terms, it means a computer or subnetwork that sits between an internal network that needs to remain secure and an area that allows external access, such as a Web server or a Wi-Fi hotspot.
Figure 15.15 shows a simple model of a DMZ that uses firewalls to protect the private network both from the Internet and from users of the public Wi-Fi hotspot.
Figure 15.15. You can use a DMZ to protect a private network from users who have access to the public hotspot connected to the network.
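As an added illustration (not part of the original text), here is one way the isolation described above could be expressed as an nftables ruleset on a single Linux firewall with three interfaces, a simplification of the model in the figure. The interface names, subnets, and the choice to run DHCP and DNS on the firewall itself are assumptions made for the example.

```nftables
#!/usr/sbin/nft -f
# Added example. Interface names and subnets are assumed, not from the text.
flush ruleset

define WAN_IF      = "wan0"            # uplink to the Internet (assumed)
define OFFICE_IF   = "lan0"            # private office network (assumed)
define HOTSPOT_IF  = "hot0"            # public hotspot access point (assumed)
define OFFICE_NET  = 192.168.10.0/24   # assumed office subnet
define HOTSPOT_NET = 192.168.50.0/24   # assumed hotspot subnet

table inet filter {
    chain input {
        # Traffic addressed to the firewall itself: deny unless listed.
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        # Hotspot users get DHCP and DNS from the firewall, nothing else.
        iifname $HOTSPOT_IF udp dport { 53, 67 } accept
        iifname $HOTSPOT_IF tcp dport 53 accept
        # Office hosts get the same services, plus SSH for administration.
        iifname $OFFICE_IF udp dport { 53, 67 } accept
        iifname $OFFICE_IF tcp dport 53 accept
        iifname $OFFICE_IF ip saddr $OFFICE_NET tcp dport 22 accept
    }

    chain forward {
        # Traffic routed between networks: deny unless listed.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # The requirement from the text: hotspot users never reach the
        # office network. Logged so that attempts show up in the journal.
        iifname $HOTSPOT_IF oifname $OFFICE_IF log prefix "hotspot->office: " drop
        # Drop IPv4 packets from the hotspot with a source outside its subnet.
        iifname $HOTSPOT_IF ip saddr != $HOTSPOT_NET drop
        # Both networks may open connections to the Internet.
        iifname $HOTSPOT_IF oifname $WAN_IF accept
        iifname $OFFICE_IF oifname $WAN_IF accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $WAN_IF masquerade   # share the single public address
    }
}
```

Because both chains default to drop, the office network is also unreachable from the Internet side, and no rule permits new connections from the office into the hotspot subnet.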