There are many ways to implement a wireless hotspot. I would love to go in-depth and technical on the different ways to set up wireless, but the scope of this article is the basics of wireless security for small libraries and one possible solution. In this article, I will explain how I set up our library's wireless hotspot. It may not be the technically perfect setup, but it is great for our needs. Remember, the way we did it at Blackfalds is just one possible way of doing this. As always, there are many different ways to do the same thing.
To start with, we needed our wireless hotspot to be as simple as possible for our staff and our clients. If a patron cannot connect to our system easily, they may become frustrated and not use our service at all, so a wide open wireless access point is the easiest. Also, most of our staff are not 100% computer literate, and they are busy enough as it is. Therefore, for our staff we needed uncomplicated user administration, simple client logon processes, and straightforward time-limit controls. The less support staff members had to provide to users for this connection, the better.
While we decided that we were not going to try a complicated security setup for clients, we still needed access and time control over the Internet service our patrons were using, without requiring staff to maintain a database of users, passwords, time limits, etc. These needs led us to implement a hotspot gateway. This piece of hardware on our network allows us to control access (via usernames and passwords) and limit the amount of time a patron can use the hotspot (through a built-in logout timer). Using a small thermal printer attached to the network, we can generate random ad-hoc usernames and passwords at the press of a button. When a patron opens a browser on their wireless-enabled device, they are automatically redirected to the gateway's logon page (a captive portal). The patron inputs the random username and password he or she was given and is on their way.
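The ticket scheme just described (random credentials printed on demand, a logout timer that ends access after a fixed allowance) can be modelled in a few dozen lines. The following is an added example written for this article; it is not the gateway's own firmware, and the ticket format, field names and default allowance are assumptions. It shows the two checks a gateway has to get right: credentials must come from a cryptographic random source and be compared in constant time, and the time allowance must be enforced at login as well as while the session is running.

```python
"""Toy model of the ticket-based hotspot gateway described above.

Added example for this article, not the gateway's own firmware. It models
the two controls the text describes: a random username/password pair
("ticket") produced on demand, as the thermal printer does, and a logout
timer that ends access once the ticket's time allowance is used up.
Ticket format, field names and the default allowance are assumptions.
"""
import secrets
import string
from dataclasses import dataclass
from typing import Dict, Optional

ALPHABET = string.ascii_lowercase + string.digits   # unambiguous on a thermal printout


@dataclass
class Ticket:
    username: str
    password: str
    allowance_s: int                      # total access time granted, in seconds
    started_at: Optional[float] = None    # clock starts at the first successful login


class Gateway:
    """Minimal captive-portal decision logic: who may pass, and for how long."""

    def __init__(self) -> None:
        self._tickets: Dict[str, Ticket] = {}

    def print_ticket(self, allowance_s: int = 3600) -> Ticket:
        """Mint a ticket with credentials from the CSPRNG (secrets, never random)."""
        username = "lib-" + "".join(secrets.choice(ALPHABET) for _ in range(6))
        password = "".join(secrets.choice(ALPHABET) for _ in range(8))
        ticket = Ticket(username, password, allowance_s)
        self._tickets[username] = ticket
        return ticket

    def remaining_s(self, username: str, now: float) -> int:
        """Seconds of allowance left; the full allowance if the ticket has never been used."""
        ticket = self._tickets.get(username)
        if ticket is None:
            return 0
        if ticket.started_at is None:
            return ticket.allowance_s
        return max(0, int(ticket.allowance_s - (now - ticket.started_at)))

    def login(self, username: str, password: str, now: float) -> bool:
        """Portal login: valid credentials and time left. The first login starts the timer."""
        ticket = self._tickets.get(username)
        if ticket is None or not secrets.compare_digest(
            ticket.password.encode(), password.encode()
        ):
            return False          # unknown ticket or wrong password (constant-time compare)
        if self.remaining_s(username, now) <= 0:
            return False          # allowance exhausted: the logout timer has fired
        if ticket.started_at is None:
            ticket.started_at = now
        return True

    def session_allowed(self, username: str, now: float) -> bool:
        """Polled by the logout timer for an active session."""
        ticket = self._tickets.get(username)
        if ticket is None or ticket.started_at is None:
            return False
        return self.remaining_s(username, now) > 0
```

The clock starts at the first successful login rather than when the ticket is printed, so a ticket handed out at the desk in the morning is still worth its full allowance in the afternoon; once started, the same credentials keep working until the allowance runs out, after which both the session check and any further login fail.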
I would like to step back for a moment and talk about wireless and staff computers. I would NOT recommend placing staff computers on a wireless network segment (at least not without implementing advanced wireless security policies, which can be very complicated, expensive and high-maintenance, and are out of the scope of this article!). The best staff wireless security is not to use it at all. That is not to say wired systems are perfectly secure, but controlling them is much easier. To keep your life simpler, I recommend always placing staff systems on their own wired subnet, router, or virtual local area network (VLAN).
So, why am I not concerned with the patrons' wireless security? Well, I have no control over the computers that are brought in off the street, so it is impossible for us to protect them. We cannot possibly know what firewall software they are using, whether their antivirus software is up to date, whether all of the operating system patches are installed, etc. Although I will address patron security later in this article, my philosophy is that patrons should be responsible for themselves and their computer security. This is made clear to users in the form of a disclaimer on the login page that users must go through before our hotspot service can be used.
Here is a diagram of our library's setup… As you can see, we keep all of our network equipment in a secured room, with the staff systems on a wired network behind a router on their own network segment. The staff segment is completely separate from the public systems in this setup. Also, the public wired systems cannot be seen by the wireless users, and vice versa. The wireless users must get past the gateway before they are granted access to the Internet. Although you do not see it on this diagram, the ticket printer we use to generate usernames and passwords for the gateway is attached to the wireless gateway as well.
As said earlier, I would like to address the wireless security of the patrons. You might notice the wireless access point in the diagram with Wi-Fi Protected Access (WPA) enabled. This gives the patron a choice of whether or not to use wireless security between their computer and the access point (AP). Remember, if they use the wide open AP, their data can be captured and read by anyone with wireless sniffing software. Using the WPA-enabled AP, all data between the patron's computer and that AP is encrypted. There is a caveat here. On the WPA-enabled AP in our setup, I use a random Pre-Shared Key (PSK) that is NOT secret (it is public to everyone). I have not been able to absolutely determine if this is more secure than simply having a wide open AP. WPA does give each client its own session key, derived from the PSK together with values the client and the AP exchange when the client connects (the four-way handshake), so two patrons' sessions are encrypted under different keys and the keys change every time a patron reconnects. That derivation is deterministic, however: anyone who knows the PSK and captures a patron's handshake can compute that patron's session key and decrypt their traffic, and freely available wireless tools do exactly this. A public PSK therefore keeps out only the casual eavesdropper who did not capture the handshake; it does not stop a determined one, and it does nothing to protect patrons from each other on the same AP.
All of the above leads me back to why the patron should be responsible for their own computer and data. One solution to this problem is a Virtual Private Network (VPN). This is an encryption and data-security method that is independent of any wireless hotspot, Internet café, or public Internet connection. (Commonly used in businesses where users need to access the company network from the road, a VPN is a sort of "secret tunnel" within the public Internet through which traffic between the user and the company network can travel privately.) To create a VPN, VPN software must be installed and set up on both the user's (client) computer and on the other end (whichever network the user is trying to communicate with). Because most users do not have the expertise to set up a VPN, there are public VPN services available. JiWire SpotLock and PublicVPN are a couple of services that, for a small fee, will let a patron use the Internet without worrying about their data being sniffed, wirelessly or wired. Note that the tunnel only protects traffic between the patron and the VPN provider; from the provider onward it travels as it normally would, so the patron is trusting the provider instead of the hotspot, and anything the patron's computer sends before the tunnel is up is still exposed.
There is one last problem with public hotspots that should be mentioned: an attack method called the "Evil Twin". A rogue access point (AP) is set up to mirror a legitimate AP near your physical location, using the same network name. When an unsuspecting patron turns on his or her wireless device and it starts looking for a signal, the device may find and join the rogue AP, thinking it is your library's AP. At that point all of the patron's data is being routed through the attacker's AP. It does not matter whether WPA is enabled or not: because our PSK is public, the rogue AP can offer the same network name and key, and the attacker sees the patron's data in the clear once it is decrypted at the rogue AP. The only ways to prevent this are an advanced level of security or the VPN approach described above. The hotspot gateway in our implementation does help here, because the attacker's rogue AP cannot validate our randomly generated usernames and passwords; a rogue AP would typically just let patrons straight through to the web. If you use some form of authentication or implement a wireless hotspot gateway, part of patron training should be that if they do not see a login page, they should be suspicious. Bear in mind that an attacker could still present a look-alike login page that accepts anything, so a missing login page is a warning sign, but the appearance of a login page is not proof that the connection is genuine.
I am including some links to information regarding wireless below.
- Understanding the Basics of Wi-Fi Security
- Keeping Your Wireless Network Secure
- Wi-Fi.org
Note: See WebJunction's Blackfalds (AB) Public Library: Highway to Wi-Fi article for an introduction to Randy Nelson and Blackfalds Public Library's services.
Wireless Security for a Small Library: One Library's Solution
Randy Nelson of Blackfalds (AB) Public Library explains some of the security issues raised in providing wireless Internet access and describes a solution.