It is a very common request these days to provide WIFI access for guests, as well as internal use. However, this must be done in a way that isolates the guest network entirely from the LAN (local area network) so that there is no chance of anyone using your WIFI network as a guest, then accessing your network data.
We aren’t just talking about an experienced hacker here; this could be a lot simpler than you think. Lots of applications (SOE Exact, Kodak R4, Sage, many others) will have password-protected access to their main database, but will keep “flat files”, attachments, images and the like in simple shared folders on the server. Often, the installer of these applications will share this folder out onto the network with “everyone” access (this is a design fault, but one we have to work with). This means that anyone accessing the server from the network (see I) could potentially have easy and immediate access to your data. This is not compliant with the Data Protection Act, which requires you to make every effort to keep your data safe.
Phones, Tablets and Laptops
It is also possible that, as well as guest access, you require access to the LAN via WIFI for a work laptop. This is straightforward, and simply requires a WAP (wireless access point) strategically located, or multiple WAPs for coverage depending on the site layout and the reliability/bandwidth required. A WAP is exactly that – it simply creates a point of access to your network via WIFI, and is no different from someone connecting a machine directly into one of your network sockets or your switch via an Ethernet cable.
Note that, if you simply require WIFI in order to have faster Internet access for your phone, tablet or laptop, and you don’t need to directly access your network data, then of course you should only set up WIFI for guests, since you might as well use the same connection for both.
Safe and Secure WiFi
The trickier configuration is setting up secure WIFI that allows your guests to piggyback on your Internet connection, without any chance of them accessing your data. The gold standard in this scenario would be to have a separate broadband connection for this; however, most sites would not be able to justify the ongoing cost. The only site we have that has done this took this route in large part because, as a city centre practice, they found that the bandwidth usage by their guests and regular users (and perhaps some local users who had found out the password) was actually impacting on the bandwidth left available for their own use.
The next best setup is to have a range of public IP addresses on your router (see II). You then have one public IP/connection from which your LAN firewall/router hangs, whilst the public/guest network has its own public IP and its own firewall/router.
In this scenario anyone using your guest access is no more likely to be able to access your LAN than anyone else on the public Internet, so this is as secure a setup as possible.
This is our preferred configuration. The other option is to use a specific firewall that supports guest access – there are many of these, and many firewalls also support an OPT (optional) network that can be put to the same use. However, this is a more complex setup than the public IP range setup, and may cost more depending on the firewall.
The final option, which has a good level of security but isn’t our preferred configuration, is to deploy a WIFI router onto the LAN, so that the router creates a sub-network of your main network (see III). This does give users connected to this router access to the Internet, without giving them easy access to the LAN. The flaw in this scheme is that, whilst it is entirely secure enough for a casual user and probably most casual intrusion attempts, it can be circumvented by someone with enough knowledge of the network and/or scanning tools on their computer (see IV).
Stay on Top of it
It would be good practice, once set up, to check from time to time how many users are connecting to your public/guest WIFI, and to change the password on it occasionally as well. Unless there is nobody else within range of your business, it is only a matter of time before some local business/person connects to your WIFI and starts using your bandwidth on an ongoing basis.
In summary, allowing access to your network via WIFI is potentially dangerous and should only be set up by experienced IT professionals who are fully aware of the implications of the various possible configurations.
I - This can be true even when the user is merely a guest account (if the guest account is enabled on the server); so no username or password will be required at all to browse the files.
II - This is usually called a /29, or 8 public IPs – this may also be called a range of 5 as this is the number of usable IPs.
III - This config could also be considered “NAT within NAT”, since the WIFI clients will be going through 2 NAT/firewall configurations before going out onto the Internet.
IV - This is because NAT within NAT will generally allow you to access machines on the upstream network if you know what the IP addresses of the second network are and connect directly to them. So if, for example, you have a LAN using the 10.0.0.x range (e.g. 10.0.0.1 onwards) with a server at 10.0.0.3, and you hang a WIFI router off this that serves your guests IPs from, e.g., the 192.168.0.0/24 private range, it may well be possible for someone connected to the 192.168.0.0/24 network to connect to a server at, e.g., 10.0.0.3. Whilst unlikely, this is not generally our recommended configuration.
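The following is an added example, not part of the original article, that models the guest router's forwarding decision in the “NAT within NAT” layout of notes III and IV, first as a stock router forwards it and then with a guest-isolation rule in front of the default. The addresses are the article's illustrative ones (guest side 192.168.0.0/24, office LAN assumed to be 10.0.0.0/24); the function names, the rule model and the iptables lines in the comments are mine.

```python
import ipaddress

# RFC 1918 private ranges. From the guest side, any destination in these
# ranges is the upstream office LAN (or another internal network), never
# the public Internet, so guest traffic has no legitimate need to reach it.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

GUEST_NET = ipaddress.ip_network("192.168.0.0/24")  # guest router's LAN side
LAN_NET = ipaddress.ip_network("10.0.0.0/24")       # upstream office LAN (assumed)

def forward_default(src, dst):
    """Stock consumer router behaviour (note IV's flaw): anything from the
    guest side that is not for the guest subnet itself is NATed out of the
    WAN port. The WAN port sits on the office LAN, so 10.0.0.3 is forwarded
    exactly like a public address."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in GUEST_NET:
        return "not-guest"     # outside this model: not guest-originated
    if dst in GUEST_NET:
        return "local"         # same subnet: switched, never routed
    return "forward"

def forward_isolated(src, dst):
    """Same router with an isolation rule evaluated before the default:
    drop guest traffic bound for any private range, forward the rest.
    On a Linux-based router this is the effect of, e.g.
      iptables -I FORWARD -i <guest_if> -d 10.0.0.0/8     -j DROP
      iptables -I FORWARD -i <guest_if> -d 172.16.0.0/12  -j DROP
      iptables -I FORWARD -i <guest_if> -d 192.168.0.0/16 -j DROP
    (<guest_if> is a placeholder for the guest-side interface). Traffic
    the router itself originates (e.g. its own upstream DNS lookups) is
    not FORWARD traffic and is unaffected."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in GUEST_NET and dst not in GUEST_NET \
            and any(dst in n for n in PRIVATE_NETS):
        return "drop"
    return forward_default(src, dst)

def lan_reachable(policy, guest_host="192.168.0.5"):
    """Audit helper: does any address on the office LAN get forwarded for a
    guest client under the given policy? True means note IV's flaw is live."""
    return any(policy(guest_host, str(h)) == "forward" for h in LAN_NET.hosts())
```

The model shows why the isolation rule must match every private range rather than just the one LAN subnet you know about: a second internal range added later would otherwise become reachable without anyone touching the guest router.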
Last edited: 10 December 2013