Posted by Robin Wood on July 21, 2014.
I just got back from a holiday in Spain where I found the poolside bar had better WiFi security than a lot of companies I know. I’m thinking more of guest networks than main corporate ones here, but this bar even outdid some of those. Looking at why they were doing what they do, it has nothing to do with security and everything to do with profit: the bar owner must have sat down and worked out the best way to get the most from a service that most businesses just throw up without thinking about.
Here is a list of what I think they were doing right:
Let’s look at these in more detail and at what they are doing right compared to others.
Bar – The bar uses encryption to limit the people accessing the WiFi to only those who are spending money with them.
Company – Help protect your users and stop unauthorised access.
A lot of guest networks I’ve used rely on captive portals rather than encryption to keep people off their network. These may be easier to maintain but offer no protection to the users: if a user wants to protect themselves they need to use something like a VPN on top of the connection. WPA Enterprise would be a better option than PSK; however, in a lot of cases the overhead isn’t justified. Looking at the three A’s (Authentication, Authorisation and Accounting), all the bar required was Authorisation; if you require more, then WPA Enterprise should be looked at.
Bar – To ensure people have to spend money with them each day to use the WiFi.
Company – To keep the list of people who have access to a minimum and so protect resources.
How often does your company change its keys? Could a contractor go on site on January the 2nd, get a key and then re-use it on December 30th? By rotating keys periodically – daily is amazing – you are keeping access on the network to only those who should be using it and limiting the timescale for attacks by unauthorised users who manage to grab a copy of the keys.
Bar – Stop people guessing the key and so using the service for free.
Company – Stop attackers from guessing the key and using the service for free or as a way to attack other users.
Is the password for your guest network your company name, maybe with a 1 on the end? Strong keys help defend against brute force attacks.
Bar – To restrict access to only paying customers and so protect their investment and improve service for those allowed access.
Company – By limiting access to only those who require it, the resource is protected and users have a better experience.
I’d been in the bar buying food for the first couple of days of the holiday and had asked for the key while ordering; I was also on chatting terms with the staff, including the manager. On the third day I walked in and asked for the key; the server asked where I was sitting and I told him I just wanted to check my mail. He very politely told me that the WiFi was for customers only and refused to give it to me. I was a little annoyed at the time, but looking back he was perfectly right to do it: he was protecting his investment and keeping the service for those who were spending money with him. Does your company give out guest access to anyone who asks, or just to those who actually need it?
Bar – Stop users running up usage bills while the bar is closed.
Company – Lower the attack surface by only providing the service during business hours or when required.
I don’t think I know a single company that turns off its WiFi at the end of the day as they switch off the lights and lock the door. Turning off WiFi outside the standard 9-5 greatly reduces the window of attack, especially when tied to the next point.
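The three points above (daily key rotation, strong keys, and only running the service during business hours) fit in one small cron job. This is an added example, not something from the original post or the bar; it assumes a Linux access point running hostapd in WPA2-PSK mode, with the config path and guest interface name below being placeholders you would adjust.

```shell
#!/bin/sh
# Added example (not from the original post): rotate the guest PSK daily with a
# strong random key and keep the guest radio up only during business hours.
# Assumes a Linux AP running hostapd in WPA2-PSK mode, with the config file and
# guest interface below (both assumed names; adjust for your AP).
set -eu

HOSTAPD_CONF="${HOSTAPD_CONF:-/etc/hostapd/guest.conf}"  # assumed path
GUEST_IF="${GUEST_IF:-wlan1}"                             # assumed interface
OPEN_HOUR=9    # service available from 09:00 ...
CLOSE_HOUR=17  # ... until 17:00, like the bar's opening hours

# 20 random alphanumerics from the kernel CSPRNG: ~119 bits of entropy, within
# the 8-63 character WPA2 passphrase limit, and nothing like "CompanyName1".
gen_psk() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 20
}

# Replace the wpa_passphrase line in a hostapd config with the given key. Writes
# a temp file first so a failed write never leaves the AP with a broken config.
rotate_psk() {
  conf="$1"; key="$2"
  tmp="$(mktemp)"
  grep -v '^wpa_passphrase=' "$conf" >"$tmp" || true
  printf 'wpa_passphrase=%s\n' "$key" >>"$tmp"
  chmod 600 "$tmp" && mv "$tmp" "$conf"
}

# Exit 0 when the given hour (0-23) falls inside opening hours.
within_hours() {
  [ "$1" -ge "$OPEN_HOUR" ] && [ "$1" -lt "$CLOSE_HOUR" ]
}

# Run hourly from cron, e.g.  0 * * * * /usr/local/sbin/guest-wifi.sh run
main() {
  hour="$(date +%H)"; hour="${hour#0}"   # "09" -> 9 so test(1) compares decimals
  if within_hours "$hour"; then
    if [ "$hour" -eq "$OPEN_HOUR" ]; then   # opening time: new day, new key
      rotate_psk "$HOSTAPD_CONF" "$(gen_psk)"
      systemctl restart hostapd           # hostapd reads the new key on restart
    fi
    ip link set "$GUEST_IF" up
  else
    ip link set "$GUEST_IF" down            # no guest WiFi outside business hours
  fi
}

case "${1:-}" in run) main ;; esac
```

Whoever hands out the day's key can read it from the config file (or the script can be extended to print it); the point is that yesterday's key stops working at opening time and the radio is dark overnight.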
Bar – Keep users in the bar area and so spending money.
Company – Lower the chance of attack by an attacker sitting in a car park or cafe across the street.
I think this was more because of the local building methods than a conscious decision, but with the WiFi signal limited to just the bar area, even once I’d got the day’s code I couldn’t sit in my room and surf; I had to be in the bar. By limiting the range of your corporate WiFi you restrict where an attacker can position themselves. Tie this to limited hours and you could change an attack from one performed from a bar across the road on a Saturday night to one that has to be performed in your lobby while the receptionist sits watching. While still possible with the right equipment, it makes things a lot harder for the attacker and moves you out of the range of an opportunist attack.
This bar, without any thought to security, has locked down its WiFi better than almost every guest network I’ve come across. They looked at their asset and asked how they could best protect it. Don’t treat your guest network as a throwaway perk to give to anyone who comes on site; look at it as an asset that requires proper security and spend some time securing it. The only suggestion here that takes any real time is rotating the keys on a daily basis, and that only takes a minute or so. Delegate it to someone who always gets in early and after a few weeks it will become a standard part of their job and they won’t think about it any more.
If you can also insist that anyone who wants to use your WiFi also has to buy your products then so much the better!
You could argue that I might have got caught up checking my mail and ended up buying a drink, so free WiFi for all would have lured in more customers, but the guy seemed quite shrewd and I’m sure he had thought about that and decided against it.