
Security of a Wireless Guest Network

marco_eichstet1
Contributor III

Hi,

I have a security question regarding a Ruckus Guest Network.

Basically, the Guest Network is not encrypted (by default). No WPA2.
But the access to this Network is protected with a Guest Ticket.

How secure is this for my Guests?
Is an attacker able to sniff the Wireless Traffic without having a valid Guest Ticket?
Or should I better encrypt my Guest Network with WPA2?

Please share your thoughts about this.

Thanks.

KR
Marco

10 REPLIES 10

thomas_fankhaus
Contributor II
I think securing the wireless traffic only makes sense inside a business network.
On a guest network only for internet, where the company data servers are not reachable, securing wireless traffic does not really make sense, because the data on the internet is also not secured.
If your guests care about security on the internet, they use encryption anyway (SSL/VPN...).

But if you feel bad without WPA, just activate it.

john_d
Valued Contributor II
When it comes to securing guest networks, it's really about balancing convenience with security. If you make guest security too cumbersome, you'll end up with guests that are dissatisfied or bring their own portable hotspots, which then in turn degrades everyone's wifi experience.

Bottom line is, yeah, it is theoretically possible for guests to sniff and disrupt network traffic for others. I wrote a script to do so when I was 16. It would simply promiscuously look for another user on the network that appears to be having internet access, and then copy their MAC and IP address and attempt to associate. WIPS systems at the time were not advanced enough to detect this simple spoofing attack.

Modern WIPS systems are smarter and it will likely result in both users getting blocked, which means guests can still harass other guests.


WPA2-PSK will help a little with guests that don't know the key. But once a guest knows the key, they will still have the ability to eavesdrop on other guests (and if you need both a PSK and a guest pass, eavesdrop and intercept guest passes).


If you want to harden guest security, you'll want to use WPA2-Enterprise with credentials you generate for the guest. Or possibly a DPSK-based approach, and both need an onboarding portal with valid SSL certificates so that guests don't get duped by a bogus captive portal.


Overall, though, this seems like a lot of unnecessary work in my opinion. The majority of your guests will want to abide by the rules you set. Attempting to nab the 1% of abusers will end up harming the convenience of the rest of your users, which will ultimately lead to a worse guest network experience. I would strongly recommend instead working on a good network isolation, content filtering, and throttling strategy such that a handful of freeloading guests cannot degrade your experience.

marco_eichstet1
Contributor III
Thanks to you all and thanks John for your great post!
I decided not to use WPA2 PSK. A basic Guest Network with Tickets valid for some hours.
Thanks!

eizens_putnins
Valued Contributor II
Completely agree with John D. - for a guest network WPA-PSK doesn't make sense, especially as client OSes now share access credentials with an unknown number of "friends". So it doesn't make sense to have any static reusable credentials, which will become shared very soon. I see it every day in some companies which don't want to use any other solutions and are located in business centers with a lot of neighbors. Their Guest network user count grows steadily over time until the password is changed, and then starts to grow again.
Also, you can't provide security to users who are not interested in security but want only convenience. You can't force them -- they will do as they want anyway, moving to their own mobile hotspot and degrading the environment for everybody.
So use full client isolation, and filter Internet traffic using a UTM device. Clients must use only SSL and/or VPN for any type of sensitive traffic, but it has to be done by the user...
It doesn't make much sense to make the Wi-Fi network too secure when traffic goes through the whole Internet without any security...
Probably, when HotSpot 2.0 is widely used, it will solve part of the problems, but security will still mostly depend on users.
Unfortunately, most users don't care about privacy and/or security; convenience is king. It is not a technical issue, it's human nature - so not much chance to change it.
Maybe this will change a bit when more and more payments are done by mobile phones -- after a user's wallet has been emptied a couple of times as a result of bad security habits, then there will be a slight chance that habits will change...

phil_collett
New Contributor II
Wouldn't the wireless client isolation in the WLAN settings prevent computers from talking to each other? Aside from spoofing MACs and getting somebody kicked off the network for a bit.