Services Blog- Hummingbird Networks

How To Separate Guest Wifi Access From Internal Corporate LAN

Written by John Ciarlone | Apr 3, 2014 1:00:00 PM

These days,  a business with any sort of network will have "guest" access available for customers and other visitors to use. On the whole, there's plenty of reasons to do this. The extra costs are extremely minimal, since most people are just checking their email or social media, so there won't be much extra bandwidth usage. Yet, it creates a powerful stimulant and marketing tool to your foot traffic - especially if your business has people sitting around already.

The biggest issue, in fact, comes from security concerns. If you have a guest network, it must be kept separate from your business systems. Otherwise, every time you let a visitor into your WiFi, they could potentially breach your private corporate network.

Luckily, there are plenty of options for getting around this while still offering WiFi to your clientele.

 

 

 

 

Creating Secure Guest Access For Your Business

I. Separate Hardware

In terms of pure security, nothing is safer than keeping your guest network on separate hardware. This isn't the cheapest option, but it effectively makes it almost impossible for a guest to "hack" their way in.

By establishing a couple access points with their own physical wiring directly to the outside Internet connection, your guess access would be entirely segregated from your business network. Since the bandwidth requirements of most guests are minimal (and this is a gratuity, after all) you can get away with using low-end or consumer-grade hardware to save money.

Alternately, if you happen to be looking into larger network upgrades, this can be a great way to re- purpose older hardware that's getting replaced. Just give your guest network the "hand me downs" from your business network, and you get a free ROI boost on your hardware investment.

II. Separate Subnets

The next-best option for creating a segregated guest network is by deploying multiple subnets.

A "subnet" is a particular chunk of your internal IP addresses that are set aside and/or locked off from the rest of the network. For example, if your usual internal addressing is at 192.168.10.x, you could establish a separate subnet on 192.168.50.x which has different security and permissions.

Not every access point can handle multiple subnets, because they require a separate SSID (aka "network name") being broadcast alongside the main SSID. This, in turn, requires the access point to include multiple antennas. However, it's generally consumer-grade hardware which lacks this feature.

If you're using a setup, such as through ADTRAN, Cisco, or Meraki, establishing a separate subnet is as simple as finding the "Enable Guest Account" option in your networking software. After you assign it a new SSID, the network does all the configuration work.

III. Leave The Guest Network Open

The idea of not putting a password onto a network might seem foreign, but if your guest network is locked away from the rest of your system, it's really not necessary.

Just be sure it's walled off.

Leaving your guest network open will discourage people from even bothering to try to log into anything else. Password-protecting everything else makes it clear which SSID a guest should be using and discourages people from snooping around.

This is even more effective if you hide the SSIDs of your actual business networks. If a visitor checks their phone, and there's only one network they can see, that's the one they'll connect to. Especially if they don't have to ask for a password to do so.

 

Make Guest WiFi A Benefit, Not A Problem

It's not hard to lock your guest WiFi services away from your primary network. Whether you do it physically, or with software subnets, a segregated guest WiFi system increases your foot traffic without increasing security risks.

For more ideas, or advice on the best way for your business to implement a guest access system, just contact us for a free consultation on your options!