# Unsecure WIFI connection



## sostrow28 (Mar 11, 2008)

I work for a medium-sized manufacturing company. We have visitors that come and go on a daily basis that need access to our network or for wireless service on their laptop. Normally the same person does not come back a second time. Right now I have to look up their MAC address, enter it into the MAC filter on the WAP, and then type in the network key on the laptop. This is time consuming and it eats up the available slots on our filter, especially when we have large groups in. I need a solution that will allow these users to log on with relative ease. I want to eliminate all the extra work. Similar to what you might do at, say, a Panera. I was thinking of setting up a RAC, but was unsure because I have never done that before. I am also concerned about security. I would have to create an unsecure connection for these users, but I would need to lock down certain parts of the network.


----------



## XtabbedoutX (Sep 12, 2007)

If you have the ability to assign the WAP to its own subnet and make sure that subnet does not have the ability to access anything else, you should be OK. The more you can separate the WAP from all other network activity, the better.


----------



## ForumKB (Mar 7, 2008)

Do your users need internet or network access?


----------



## ForumKB (Mar 7, 2008)

Either way, actually, if you have an internal network and an external one with your router, you could add an access point to the external network, e.g. plugged into the router if it has LAN ports. I would still put WPA encryption on it so all you have to do is give them a password but it will still be secure. They would then be able to access the internet and you could control access to your internal network, as users would be effectively accessing from outside as if on the Internet.

If you needed to provide network services to them that can't be 'web based' then you would probably need a server in your external network to act as a bridgehead for the services you require.


----------



## sostrow28 (Mar 11, 2008)

We really only need internet access. I originally was planning on buying a WAP and running it side by side with the existing one, and changing the frequency so it doesn't interfere. I would plug it into the router port, same as the current one. I was told, however, that I would have to add the user to the filter if I used WEP encryption. This is what I want to avoid. I only need Internet access. Wouldn't the network be exposed without WEP?


----------



## ForumKB (Mar 7, 2008)

You do need encryption (WEP or WPA) to stop everyone using your internet (or trying to get into your network), but you do not have to use the MAC address filter (highly advisable if you are using WEP rather than WPA, as WEP isn't very secure). This way you wouldn't need to configure anything on the AP; just give the user an encryption key.


----------



## sostrow28 (Mar 11, 2008)

I just wanted to clarify this: I can use WEP without the MAC filter, but it isn't recommended. Also, if I implement this, is it common to change encryption passwords on a regular basis for security reasons?


----------



## Cellus (Aug 31, 2006)

It is good security practice to change the encryption password on a regular basis, say every few months. Just make sure if you do so that the appropriate parties (mainly those who use the wireless) are aware of this. Changing it too often can become very inconvenient, especially for those who are not computer savvy.

WEP is extremely easy to break into, and using a MAC filter would cause an inconvenience to you (you would have to update the filter list every time someone new wanted to use it). MAC filters also, beyond common belief, do not really secure a wireless network. Your best bet would be to secure a separate wireless network via WPA. If the WAP is connected to your internal network, ensure proper security measures are in place (e.g. put it in the DMZ, outside of your inner firewall and/or IDS/IPS). In other words, treat the WAP and its wireless network as public. If someone using this wireless network wishes to connect to your internal network, it would be best if they did so via a proper secure method such as VPN.

I am going to move this thread to the Security and Firewalls board.

Addendum: One thing to consider, given the size of your company, is to dedicate a workstation primarily as a public terminal. This will allow your visitors to access your network, the Internet, and so forth from a single controlled location. It is important to note that semi-private wireless (e.g. your proposed hotspot), which can be adequately protected from unsolicited users, does not protect you from unsolicited _use_. Setting up one of your old beige boxes and locking it down with limited privileges is the best method. Use a dedicated user account which has limited, audited access to network resources. Lock down the machine using Group Policy and software such as Deep Freeze or Windows SteadyState, and prevent physical access to the actual workstation (so people cannot use disc drives, USB ports, etc.), lock the BIOS, etc.
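
Added example, not part of any post in this thread: a first-match rule audit for the setup suggested above (guest WAP on its own subnet, treated as public, Internet access only). The subnets, rule format and function names are constructed assumptions, not any vendor's syntax; the second rule set shows the ordering mistake that silently exposes the internal network.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    proto: Optional[str]   # "tcp", "udp", or None for any
    port: Optional[int]    # destination port, or None for any

def decide(rules, src_ip, dst_ip, proto, port):
    """First-match evaluation with an implicit default deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.proto in (None, proto) and r.port in (None, port)):
            return r.action
    return "deny"

def audit_guest_isolation(rules, guest_net, internal_nets, ports=(22, 80, 443, 445, 3389)):
    """Return findings; an empty list means Internet only, nothing internal."""
    guest = str(next(ipaddress.ip_network(guest_net).hosts()))
    findings = []
    for net in map(ipaddress.ip_network, internal_nets):
        for dst in (net[1], net[-2]):          # probe both ends of the range
            for port in ports:
                if decide(rules, guest, str(dst), "tcp", port) == "allow":
                    findings.append(f"guest can reach {dst}:{port}/tcp")
    # 203.0.113.10 is a documentation address standing in for the Internet
    if decide(rules, guest, "203.0.113.10", "tcp", 443) != "allow":
        findings.append("guest has no outbound HTTPS")
    return findings

# Constructed sample values (hypothetical subnets, not from the thread)
GUEST = "192.168.50.0/24"
INTERNAL = ["10.10.0.0/16", "192.168.1.0/24"]
ISOLATED = [
    Rule("deny", GUEST, "10.10.0.0/16", None, None),
    Rule("deny", GUEST, "192.168.1.0/24", None, None),
    Rule("allow", GUEST, "0.0.0.0/0", "tcp", 80),
    Rule("allow", GUEST, "0.0.0.0/0", "tcp", 443),
    Rule("allow", GUEST, "0.0.0.0/0", "udp", 53),
]
# Same rules with the allows first: the internal denies are never reached
MISORDERED = ISOLATED[2:] + ISOLATED[:2]

if __name__ == "__main__":
    print(audit_guest_isolation(ISOLATED, GUEST, INTERNAL))
    print(audit_guest_isolation(MISORDERED, GUEST, INTERNAL))
```

Translate the audited rule order into the router or firewall's own configuration, then re-run the audit whenever the rules change.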


----------

