29

Is it safe for a small business to let customers use their wifi while waiting?

My friend is starting up a small dentistry practice (1 dentist), and I'm setting up his computers/wifi as a favor. He'll have a waiting room and wants it to be a pleasant experience for his customers and thinks the wifi password should be easy so the receptionist can give it to patients. (Though he doesn't expect patients to wait long or most to ask and expect wifi).

I'm telling him he needs a very strong WPA2 wifi passphrase and to keep it private (his business is in a city with other businesses/apartments nearby) or else someone malicious could start openly stealing his wifi and either do illegal things with him liable or just severely slow down their connection (which needs to be fast; they plan on using cloud-based services).

Is there a secure way to let the public use your wifi that is monitored by non-tech savvy people (once properly setup)? Or is the only option for small-scale users (without enterprise solutions) to just not allow random users on their wifi?

Simple MAC address filtering is probably too burdensome on the receptionist (getting patient to find MAC on their device; typing it correctly; and removing it after the patient leaves).

Would it be possible to say have a whitelist of a few MAC addresses that we use; and allow other MAC addresses ~2 MB of unrestricted bandwidth at which point their connection starts getting severely throttled? Or is it possible to setup a scheme to generate one-time passwords that will expire after the first of ~2MB or 2 hrs of use?

schroeder
dr jimbob
  • A word of warning that separate hardware be used instead of "isolation" technology (some of which is mentioned or alluded to in the comments below). Pen-testers can use setups such as wifitap to bypass these weak protections -- https://github.com/gdssecurity/wifitap/ – atdre Feb 17 '13 at 09:58
  • The simple answer is: "yes, it's a very bad idea" – baldPrussian Dec 04 '17 at 16:48

6 Answers

36

You can't allow customers to be on the same network as your own computers.

A lot of new WiFi access-points take care of this for you, by creating two wifi networks, where the "guest" network does not have access to internal computers. The Cisco/Linksys 4200 is what I have at home for guests, and it's easy to set up, but there are many other systems that have the same feature.

Robert David Graham
  • The Cisco 4200 you mention uses a captive portal like M'vy talks about in his answer. – JS1 Aug 24 '11 at 08:36
  • Some also let you set it so that the clients on the guest network can't talk with each other. Not sure how this works though... – Svish Aug 24 '11 at 11:23
  • Not all "guest" networks are as locked down as you want them to be (not a completely separate network). Unless you know what you're doing, I wouldn't take this option either. – user606723 Aug 24 '11 at 14:10
  • I recently installed a NetGear WNDR3400 router at home, which supports the standard home network (2, since it's dual-band) *and* a guest network (also 2). The guest network is not only isolated from the main network, but it has an option to completely isolate guest clients. Two clients connected to the guest network can't even see each other, much less anything on the main network. To guests, it's basically just a bridge directly to the Internet. Guest network can also be throttled. – Toby Aug 24 '11 at 14:47
18

Is it safe for a small business to let customers use their wifi while waiting?

No. Even if no customer intentionally attacks his WiFi network, they could be carrying some type of malware on their laptop/smart phone/portable device that might spread. Additionally the WiFi signal doesn't end at the front door. You have probably connected to a WiFi some place and seen other networks you didn't recognise. Those networks didn't necessarily intend to extend their signal to you. Your friend could accidentally extend his signal to neighboring businesses. In that case he would be sharing his personal network with more than just his customers. As Robert Graham suggested, set up a separate guest WiFi for customers.

the wifi password should be easy so the receptionist can give it to patients. (Though he doesn't expect patients to wait long or most to ask and expect wifi).

Making the WiFi password for the guest WiFi simple is fine as long as it is separate from the business network and the business network uses a strong password. I would still recommend periodically changing the guest WiFi network password, perhaps every month. At the end of the month he does the accounting and changes the WiFi password.

I'm telling him he needs a very strong WPA2 wifi passphrase and to keep it private

Absolutely. Also he needs to change it periodically. I probably don't need to say that he also needs some type of anti-virus software for all of his computers.

Is there a secure way to let the public use your wifi that is monitored by non-tech savvy people (once properly setup)?

Not that I know of; again, I like Robert's suggestion: set up a separate guest network. Even a moderately skilled computer user will have difficulty with the tools used to analyze network activity. Even if the setup was secure at the beginning, IT security is a continually changing problem. One of the best current defenses is to keep your equipment and software up to date. Imagine that the particular wireless access point he is using turns out to have a security vulnerability. At some point the vulnerability is discovered and the vendor releases a firmware update. Who would install the update? If neither your friend nor anyone on his staff could do it, would he feel comfortable letting a vulnerable WiFi access point connect to his business?

Or is the only option for small-scale users (without enterprise solutions) to just not allow random users on their wifi?

That is one option, but I like the separate guest WiFi access better.

Simple MAC address filtering is probably too burdensome on the receptionist

Yeah, I don't see that as an option. Not only is it rather burdensome, but it is probably the simplest form of security to circumvent. A little wifi-sniffing + MAC clone gets anyone past the gate, not to mention the lack of data encryption.

Would it be possible to say have a white list of a few MAC addresses that we use; and allow other MAC addresses ~2 MB of unrestricted bandwidth at which point their connection starts getting severely throttled?

Or is it possible to setup a scheme to generate one-time passwords that will expire after the first of ~2MB or 2 hrs of use?

Yes, but I think you want to keep this much simpler. Using a separate guest WiFi access point will save a lot of work trying to keep the guests, and unwanted guests, away from the business stuff.

The easiest way to enforce the time limit is to change the password, and I wouldn't recommend changing the password more often than daily. I think changing the password every week or two is good, up to a month is likely ok. Additionally you could set an electrical socket timer (for example: http://www.amazon.com/Woods-59377-Digital-Appliance-Settings/dp/B000IKQRTU) to turn on during business hours and turn off after hours, which would reduce the exposure of the WiFi to attackers.

To distribute the password I would buy some inkjet or laserjet ready business card sheets (for example: http://www.avery.com/avery/en_us/Products/Cards/Business-Cards) and print out a simplified business card with the dentist's name, address, phone number, and guest WiFi password. The receptionist just has to hand out the cards.

Note: I'm not affiliated with Avery, Amazon, or Woods. The examples are not recommendations.

this.josh
  • Think about this: an unknown user decides to run his Tor exit node off your corporate wireless. Or decides to surf for child pornography. If the feds get wind of either of those activities, the practice would have to prove that they weren't doing that as part of business. Meanwhile, the equipment can be seized as part of the investigation. Keep the two separate!! – baldPrussian Dec 04 '17 at 16:46
18

Letting guests come on your network is not a good idea. But this has already been said.

A major point that must be remarked is that even for guests, you need identification and authentication. In fact (I am not aware of your laws) you want to make sure to be able to track back any user of your WiFi in case of a legal problem. If someone comes and tells you: "You have hacked our systems," you need to know who did it.

If I had to choose a solution, I would go for a captive portal that wouldn't allow anyone to access the internet unless provided with credentials. Therefore you (or the receptionist) could issue credentials for guests and register them into your database. These credentials would be time-limited on purpose.

charlesreid1
M'vy
  • Good point about the legal risks. – this.josh Aug 24 '11 at 16:12
  • Thanks. I think I'll try finding a router that can setup a throttled captive portal on a guest network. – dr jimbob Aug 24 '11 at 16:50
  • "_you want to make sure to be able to track back any user of your WiFi in case of a problem with justice_" How does the captive portal help with that? – curiousguy Nov 13 '11 at 18:52
  • @curiousguy A captive portal could allow the endpoint to log users with their "window of access". Then when a disgruntled party comes saying "You looked at kiddy porn at [time]" you can give them a list of people who were connected at [time]. – Aron Mar 12 '15 at 10:58
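M'vy's answer (time-limited credentials issued by the receptionist and recorded in a database), the question's "first of ~2 MB or 2 hours of use" idea, and Aron's "who was connected at [time]" lookup all fall out of one small voucher ledger. The Python below is an added example, not code from the thread or from any captive-portal product; the eight-character code format, the 2 h / 2 MB defaults, the status names and the in-memory dictionary are all assumptions. It only decides a session's status; a real portal would persist the ledger and have the gateway enforce the returned status.

```python
"""Time- and quota-limited guest vouchers for a captive portal.

Added example, not from the thread. Assumes an in-memory ledger; a real
portal persists it and enforces the returned status at the gateway.
"""
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

CODE_ALPHABET = string.ascii_uppercase + string.digits  # legible on a printed card


@dataclass
class Voucher:
    code: str
    issued_to: str                           # name the receptionist records
    issued_at: datetime
    redeemed_at: Optional[datetime] = None   # the "2 hours of use" clock starts here
    bytes_used: int = 0


class VoucherLedger:
    """Single-use guest codes that expire after `ttl` of use or are throttled
    after `byte_quota` bytes, whichever comes first (assumed defaults: 2 h, 2 MB)."""

    def __init__(self, ttl: timedelta = timedelta(hours=2), byte_quota: int = 2_000_000):
        self.ttl = ttl
        self.byte_quota = byte_quota
        self.vouchers: Dict[str, Voucher] = {}

    def issue(self, issued_to: str, now: datetime) -> Voucher:
        """Receptionist hands out a code; the name goes into the ledger."""
        # 8 symbols from a 36-symbol alphabet is ~41 bits: not guessable within a 2-hour window
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(8))
        voucher = Voucher(code=code, issued_to=issued_to, issued_at=now)
        self.vouchers[code] = voucher
        return voucher

    def redeem(self, code: str, now: datetime) -> bool:
        """Portal login. A code can be redeemed exactly once."""
        voucher = self.vouchers.get(code)
        if voucher is None or voucher.redeemed_at is not None:
            return False
        voucher.redeemed_at = now
        return True

    def status(self, code: str, now: datetime) -> str:
        """One of: unknown | unused | ok | throttled | expired."""
        voucher = self.vouchers.get(code)
        if voucher is None:
            return "unknown"
        if voucher.redeemed_at is None:
            return "unused"
        if now - voucher.redeemed_at >= self.ttl:
            return "expired"
        if voucher.bytes_used >= self.byte_quota:
            return "throttled"
        return "ok"

    def account(self, code: str, nbytes: int, now: datetime) -> str:
        """Gateway reports traffic for a session; returns the status after accounting."""
        if self.status(code, now) in ("ok", "throttled"):
            self.vouchers[code].bytes_used += nbytes
        return self.status(code, now)

    def who_was_online(self, at: datetime) -> List[str]:
        """Answer 'who was connected at [time]?' from the ledger alone."""
        return sorted(
            v.issued_to
            for v in self.vouchers.values()
            if v.redeemed_at is not None and v.redeemed_at <= at < v.redeemed_at + self.ttl
        )


if __name__ == "__main__":
    t0 = datetime(2011, 8, 24, 9, 0)          # constructed timestamps
    ledger = VoucherLedger()
    v = ledger.issue("A. Patient", t0)       # constructed name
    ledger.redeem(v.code, t0 + timedelta(minutes=5))
    print(ledger.account(v.code, 1_500_000, t0 + timedelta(minutes=10)))   # ok
    print(ledger.account(v.code, 600_000, t0 + timedelta(minutes=11)))     # throttled
    print(ledger.status(v.code, t0 + timedelta(hours=2, minutes=5)))       # expired
    print(ledger.who_was_online(t0 + timedelta(minutes=30)))               # ['A. Patient']
```

The quota is applied as a throttle rather than a cut-off because that is what the question asked for; the time limit is a hard expiry. For the legal-lookup use M'vy and Aron describe, a real portal would also record the client's MAC and assigned IP at redemption, so that a complaint naming a time can be matched to a device and not just a name, and would delete the ledger entries after a fixed retention period.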
4

From a security and management point of view (as well as keeping within budget) I'd recommend having a look at what http://www.fon.com offers.

The basic access point that they sell has 2 SSIDs that connect to your network. One of them is completely open but is routed in such a way that it cannot access your internal network, only the internet. By default they are taken to a FON captive portal where they can choose to log on for free (if they are a member) or pay (if not). I'm not sure if there's a way to offer it free full stop.

The 2nd SSID has an encryption key and exists on a different subnet to your main network. I think it's possible to block access to your network from this as well which would give you a free network that you can hand out the key for.

I'm not affiliated with FON in any way apart from being a user, and I don't know whether it fits with what you're planning but thought it was worth suggesting.

  • I have used FON as part of my local community network for a while and if all you need is a basic guest portal, then it works really well. I don't think it offers a free to non-members option though. – Rory Alsop Aug 24 '11 at 08:44
2

If you can get a few static, public IP addresses, you can use one IP address strictly for guests. You can use another public IP address as the outside address for your private network. This provides greater security because the relationship of the guest network to your private network is that it's just another network on the Internet. There is no special relationship between the guests and your private network.

This also makes the distinction between guests and privileged users externally visible on the Internet. So if a guest connects to a site that you also connect to, you will appear to be coming from different public IP addresses. This means if guests get blacklisted, it won't usually affect the private network. And it means that if there are complaints about spamming, abuse, or copyright infringement, you'll know that it came from a guest.

If you're truly paranoid, file a DMCA agent form. This will protect you from most legal liability for the actions of your guests. http://www.copyright.gov/onlinesp/

David Schwartz
  • Registering your DMCA agent will only help if you actually follow through with all of the provisions to maintain your Safe Harbor status. Registration is not the solution, just the starting point. – Scott Pack Aug 25 '11 at 12:35
  • I'm not 100% sure about this, but I believe that if he only provides raw Internet access (and not, for example, hosting of any kind) then registering is pretty much all he has to do. He can never get an actual DMCA complaint because the complaint would have to identify something he's hosting. Or if he did, by that time it would already be gone anyway. What else do you think he needs to do? – David Schwartz Aug 25 '11 at 12:42
  • Peer-to-Peer is the best example. If one of his guests comes in with their BT running, then they are perfect targets for a take down notice. – Scott Pack Aug 25 '11 at 13:03
  • Sure, but by the time he receives the take down notice, it's already down. So what does he have to do? – David Schwartz Aug 25 '11 at 13:11
1

Honestly, I can't think of a good reason that a small business should have wifi. If you're a business, you should be using RADIUS (WPA enterprise). If you don't want to pay for RADIUS equipment, then don't use wifi.

WPA Personal should not be used for businesses for the following reasons:

  1. WPA Personal networks need -very- strong 'passwords' because one can simply collect the packets and then later break the network using a high speed desktop computer. If there are businesses/apartments close by this problem becomes even worse.
  2. So, if you're using a WPA Personal network for a business, you should use a random key and not any sort of passphrase. However, using a key is highly inconvenient for the staff and I doubt it would stay this way for very long.
  3. If you're using WPA Personal it's unlikely you have a technical staff to enforce that the password stay a random key.
  4. If they have networked office computers using some sort of dentistry suite, it's not likely that this software is very well secured. My parents are veterinarians and I know that theirs is not very secure. Securing it would complicate the setup and it's much easier to just not have wifi.

It would be child's play for a teenager to break into your network and proceed to hack into your accounts. And most likely, no one would even notice this happening. Consumer solutions use a technology called WPA "personal" for a reason. It's not meant for business use.

After writing this whole thing I just realized that you mentioned that the application would be hosted on the cloud. This is actually an interesting idea and probably offers better security than most approaches... However, most small businesses would object to this because they don't have corporate grade internet to support this and the internet going down would cause huge issues.

TL;DR

Businesses should only use wifi if they can afford to use corporate grade solutions. Otherwise, just avoid it.

user606723
  • The desktop computers will be wired internet. The wifi will just be for a portable device (e.g., honeycomb tablet) they plan on eventually using (to do stuff like have an assistant enter data -- like recording anesthesia levels in a patient room). I understand WPA2 passphrases need to be high entropy (~90 bits) and planned on using diceware. – dr jimbob Aug 24 '11 at 16:36
  • But that doesn't mean the wired computers aren't vulnerable to attack via wifi. Perhaps what you should do is create two guest networks, one for the business and one for the customers. This way no wifi can actually reach the "production" machines. – user606723 Aug 24 '11 at 16:39
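user606723's point 2 (use a random key rather than a passphrase) and dr jimbob's plan of a ~90-bit diceware passphrase can both be checked with a few lines. The Python below is an added example, not code from the thread: it generates a raw 64-hex-digit WPA2 PSK with the `secrets` module, generates passphrases from a wordlist with the same CSPRNG, and computes how many words from a list of a given size reach a target entropy. The 7776-entry size is that of the standard Diceware list; the six-word list in the demo is constructed and far too small for real use.

```python
"""Strength of WPA2 Personal secrets (added example, not from the thread)."""
import math
import re
import secrets
import string
from typing import Sequence

DICEWARE_LIST_SIZE = 7776                 # 6^5 entries in the standard Diceware list
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def passphrase_entropy_bits(num_words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of num_words words drawn uniformly from a list_size-word list."""
    return num_words * math.log2(list_size)


def words_needed(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest word count whose entropy reaches target_bits (7 for ~90 bits with Diceware)."""
    return math.ceil(target_bits / math.log2(list_size))


def diceware_passphrase(num_words: int, wordlist: Sequence[str]) -> str:
    """Draw words with secrets.choice (a CSPRNG), never random.choice."""
    return " ".join(secrets.choice(wordlist) for _ in range(num_words))


def random_ascii_passphrase(length: int = 63) -> str:
    """A WPA2 passphrase is 8-63 printable ASCII characters; 63 random ones
    carry about 413 bits, far more than the PSK derived from them can hold."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrases must be 8-63 characters")
    return "".join(secrets.choice(PRINTABLE) for _ in range(length))


def random_wpa2_psk_hex() -> str:
    """The raw 256-bit PSK as 64 hex digits. hostapd (wpa_psk=) and
    wpa_supplicant (psk= without quotes) take this directly, and most
    consumer routers accept it in the key field, so no passphrase exists
    to be guessed from captured handshake packets."""
    return secrets.token_hex(32)


def is_hex_psk(value: str) -> bool:
    """True if value is a well-formed 64-hex-digit raw PSK."""
    return re.fullmatch(r"[0-9a-fA-F]{64}", value) is not None


if __name__ == "__main__":
    demo_words = ["apple", "brick", "cloud", "delta", "ember", "flint"]  # constructed, far too small
    print("7 diceware words:", round(passphrase_entropy_bits(7), 1), "bits")
    print("words for 90 bits:", words_needed(90))
    print("demo passphrase:", diceware_passphrase(7, demo_words))
    print("hex PSK:", random_wpa2_psk_hex())
```

The raw hex PSK is the option user606723 calls inconvenient for staff: it cannot be read out over the phone, so it is pasted once into each device's profile and otherwise kept in the owner's password manager. The diceware passphrase is the readable compromise; the arithmetic shows that seven Diceware words give about 90.5 bits, which is the figure dr jimbob was aiming for.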