Guest Networking


Guest networking is a term used to describe the provision of network access to nonemployees where connectivity is usually limited to Internet access. Guest networks are typically considered and implemented as logical external networks. They avoid the need for visitors such as customers, contractors, and external vendors to access your native enterprise network to obtain Internet connectivity. Conceptually, guest networks are very similar to public hotspots, like those commonly found in airports, cafes, and hotels. The main difference is that the users of enterprise guest networks are usually not charged for access.

Note

Although it is not strictly required, guest networks are most commonly wireless in nature. Guest networks could be implemented as wired networks and integrated into the existing wired network. However, this is a much more complex endeavor than configuring WLANs to provide a guest networking service.


The key questions that you need to answer when considering guest networks are

  • Why should you deploy guest networks?

  • What components are required for deploying them?

  • How should you implement guest networks?

The following sections tackle these questions by discussing the business rationale for providing guest networking capabilities, the components that are required to enable the service, and finally, the main implementation considerations for deploying WLAN guest networks.

Business Rationale for Enabling Guest Networking

Before deciding to implement guest networks, you should validate the business drivers for providing this complementary service in your environment. The value proposition of wireless guest networks is not necessarily the same as the rationale for deploying WLANs in general because it is usually related to one of the following considerations:

  • Business agility

  • Security

  • Liability protection

The following sections explore each of these considerations in more detail.

Business Agility

Guest networking is made available to nonemployees as an amenity. By ensuring your users can access the Internet, you improve their experience when at your site. This can be important in industries that have a high degree of public interaction or organizations that have many visitors.

A guest portal is often used, so the visitor is greeted with a Web page when they first use the service. Typically, this will include a welcome page, perhaps a legal disclaimer, and maybe an authorization or check box for them to acknowledge.

After guests successfully obtain Internet access, they can use their own remote access solution to connect to their corporate infrastructure. Guests thus effectively extend their organization's Intranet to your own site making their full suite of productivity applications available to them. For example, they can download their e-mail, browse their internal website, and retrieve voicemail.

A particularly useful application of guest networks can be found in product demonstrations. When a sales representative visits your office, he can access all applications and information that would be available to him if he were at his own corporate offices. As such, a full-featured demonstration can be delivered without being encumbered by the potential unavailability of tools and data.

Security

Many enterprises do not allow nonemployees to access the network. This simple security policy avoids the risk associated with visitors introducing viruses to the network, snooping, hacking, and other undesirable activity. However, visitors can benefit from Internet connectivity to gain access to their own enterprise networks (to check e-mail, access files, and so on). A policy decision to altogether prohibit access therefore negatively impacts the productivity of your visitors.

A guest networking solution addresses this conflict. You can provide visitors, contractors, and vendors with access to the Internet while preventing them from accessing your enterprise network. Guest traffic is separated and tunneled securely across your network to the Internet, creating an isolated and secure environment for your visitors to work in.

Legal Liability Protection

Internet traffic can typically be tracked to its source. Therefore, all Internet traffic that originates from an enterprise can easily be identified as having come from that enterprise's network. Employees usually sign an acceptable use policy when hired. They agree not to undertake malicious or illegal behavior, such as hacking or deliberately spreading viruses. However, guests are not required to sign such employee agreements.

Protect yourself from legal liability by implementing a portal in which users need to read and explicitly accept a policy for acceptable use prior to connecting to your wireless guest network. In the unfortunate case of a crime or unacceptable behavior, you can audit records, identify the offending guest, and take appropriate action.

Components of Guest Networking

A guest network imposes two distinct requirements:

  • The guest network must somehow uniquely identify itself. In guest WLANs this is achieved by using a dedicated Service Set Identifier (SSID).

  • Guest traffic must be transported to and from the Internet in an isolated and secure fashion. This is done by using IP tunneling protocols to create virtual conduits between the access point and the Internet.

A dedicated guest SSID is created on the same access point that services the enterprise WLAN to produce a separate Layer 2 network. The benefit of adding an additional SSID is that it avoids the need to purchase, deploy, and support additional access points. The incremental guest WLAN SSID thus uniquely identifies the virtual WLAN that is dedicated to guest traffic. This not only makes the separation of guest and production traffic possible, but it also enables the definition of different association and authentication policies for your guests and regular users.

Configure your guest SSIDs with "OPEN" authentication and no encryption to provide open access in the same manner as public hotspots. This essentially permits any laptop to associate with the AP. Furthermore, configure the access points to broadcast the SSID so that the guest SSID can readily be discovered by any station that wants to attach to the guest network. Figure 4-4 illustrates how a dedicated guest SSID creates a virtual WLAN that is separate from the WLAN that is identified by the enterprise SSID.

Figure 4-4. Enterprise and Guest SSIDs on the Same Access Point


Note

Broadcasting the SSID of the enterprise WLAN is discouraged for security reasons: suppressing the broadcast makes identifying the enterprise SSID more difficult and lowers the risk of accidental or malicious association.


These steps ensure that all visitors can locate and associate with the SSID, and use the guest networking service, without having to resort to substantial configuration changes on their laptop. WLAN client software can be used to select the same public WLAN profile that is applied to access public hotspots.

The second requirement is to transport all guest traffic in an isolated and secure manner from the access point to the Internet. Tunneling protocols such as LWAPP, GRE, or IPsec provide an efficient mechanism for performing this task. The protocols erect virtual conduits between the access point and the Internet gateway through which all guest traffic must pass.

This is essentially identical to the use of VPN tunnels to provide secure remote access to the enterprise network across the Internet. The minor difference in the case of guest WLANs is that the tunnels cross the private intranet rather than the public Internet, as they do for VPN remote access. The principle, however, is identical: tunneling traffic isolates it from the rest of the network and provides a secure path to the destination.

Note that even though guest WLAN traffic traverses the same physical infrastructure as the enterprise network, it is entirely separated on a logical basis. Although the same access points, switches, and routers are used to transport data, for all intents and purposes the guest network is a completely separate network. Figure 4-5 shows the physical configuration of a WLAN that is tunneling guest traffic onto the Internet. Figure 4-6 shows the corresponding logical configuration of the same network, highlighting the fact that the guest network appears as a logically separated entity.

Figure 4-5. Physical Topology of Guest Networking Solution


Figure 4-6. Logical Topology of Guest Networking Solution


Guest WLAN capabilities can be provisioned in different ways. Many WLAN vendors provide equipment with "built in" support for guest networking capabilities. The WLAN gear can be configured to create the SSID, the tunnels, and even a guest portal. For example, these features are offered in the centralized WLAN controller-based solution from Cisco Systems.

Alternatively, you can purchase dedicated equipment that is specifically designed to provision guest services. These network appliances are usually placed in a centralized location in your network and provide guest networking services to several buildings, often along with additional security capabilities.

Finally, it is possible to engineer a solution using the capabilities of your switches and routers. This last option is not recommended because it does not scale well and requires significant technical expertise to implement and maintain correctly.

Guest Networking Implementation Considerations

Several topics should be considered before implementing guest networking. Although this service can add significant value, it also introduces additional complexity to the WLAN. Some of the issues you should consider before implementation include the following:

  • Guest portal

  • Legal disclaimers and acceptable use policies

  • Ease of use

  • Support

  • Logging and auditing

The next sections describe each of these in greater detail.

Guest Portal

Develop a guest portal to be the public face of your guest network. Make it aesthetically pleasing; include your corporate identity; and, depending upon your security policy, require the guest user to record their name, acknowledge a legal disclaimer, or sign an acceptable use policy.

Legal Disclaimers and Acceptable Use Policies

Include a legal disclaimer with your guest network. You should engage independent legal counsel to ensure that the disclaimer conforms with local legislation and that you are protecting your enterprise from any legal liability that might accrue from misuse by your guests. Display the acceptable use policy on the guest portal and require that guests agree to comply with the policy prior to granting access to the Internet. Having users select an I Accept box or type their name into a Signature field works well for this purpose.

Ease of Use

Make the guest networking solution easy to use. When providing guests with access to a guest network, you should not require specific software or configuration changes to their laptops.

Implement the guest networking solution with its own SSID configured with OPEN authentication and no security settings. Ensure that the SSID is broadcast. Because the guest network is logically isolated from your enterprise network and only provides access to the Internet, this should not present any security concerns. As always, ensure that your Information Security department reviews and approves your design prior to making it available to visitors.

Support

Minimize the support burden of your guest networking solution. Because the users will primarily be guests, you do not want to expend operational cycles on supporting them. Keep the system easy to use and produce some basic guidelines for your guests to lighten the support burden. Frequently Asked Questions (FAQ) sheets can be produced that tell the guest what SSID to use, how to navigate the guest portal, and to help with basic connectivity troubleshooting.

Logging and Auditing

Log the activity of your guest users. Your enterprise might already log Internet activity by your own staff, which should make it easier if you decide to log guests also. At the minimum, keep records of the number of sessions, the identity and IP address of the guest users, and the time and date of their session.
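The audit use described above (keeping per-session records of guest identity, assigned IP address, and start and end time, then resolving an abuse report back to the responsible guest) as an added example; this is not code from the book or from any vendor product. The session log format, the guest identities, and the addresses are constructed for illustration, and the example assumes the guest portal exports one record per session.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress
from typing import Optional

# Constructed sample export from a guest portal (not real data). Fields:
# session start, guest identity recorded on the portal, IP assigned on the
# guest SSID, session end (empty = session still active at export time).
SESSION_LOG = """\
2024-03-11T08:02:10Z,alice@vendor.example,10.200.4.21,2024-03-11T11:40:05Z
2024-03-11T09:15:33Z,bob@contractor.example,10.200.4.22,2024-03-11T09:50:00Z
2024-03-11T10:05:12Z,carol@customer.example,10.200.4.22,2024-03-11T17:00:00Z
2024-03-11T13:30:00Z,dave@vendor.example,10.200.4.23,
"""

@dataclass
class Session:
    guest: str
    ip: ipaddress.IPv4Address
    start: datetime
    end: Optional[datetime]   # None: still active

def parse_ts(s: str) -> datetime:
    """Parse the portal's UTC timestamps into aware datetimes."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_sessions(text: str) -> list:
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, guest, ip, end = line.split(",")
        sessions.append(Session(guest, ipaddress.IPv4Address(ip),
                                parse_ts(start), parse_ts(end) if end else None))
    return sessions

def guests_for(sessions: list, ip: str, when: datetime) -> list:
    """Return the guest(s) whose session held `ip` at instant `when`.

    DHCP reuses addresses, so the same IP legitimately appears in several
    sessions (10.200.4.22 above); the timestamp from the complaint is what
    disambiguates. An open session (end=None) is treated as still active."""
    addr = ipaddress.IPv4Address(ip)
    return sorted(s.guest for s in sessions
                  if s.ip == addr and s.start <= when
                  and (s.end is None or when <= s.end))

def session_counts(sessions: list) -> Counter:
    """Number of sessions per guest identity, one of the minimum records kept."""
    return Counter(s.guest for s in sessions)
```

An empty result for a given IP and time means the portal has no session covering that instant, which is itself a finding worth investigating (clock skew between the portal and the reporting party is the usual cause).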


The Business Case for Enterprise-Class Wireless LANs
ISBN: 1587201259
Year: 2004
Pages: 163