Security of a Wireless Guest Network

  • 2
  • Question
  • Updated 10 months ago

Hi,

i have a security question reagarding a Ruckus Guest Network.

Basicly the Guest Network is not encrypted (by Default). No WPA2.
But the access to this Network is protected with a Guest Ticket.

How secure is this for my Guests?
Is an attacker able to sniff the Wireless Traffic without having a valid Guest Ticket?
Or should i better encrypt my Guest Network with WPA2?

Please share your thoughts about this.

Thanks.

KR
Marco

Photo of Marco Eichstetter

Marco Eichstetter

  • 149 Posts
  • 7 Reply Likes

Posted 10 months ago

  • 2
Photo of thomas fankhauser

thomas fankhauser

  • 17 Posts
  • 5 Reply Likes
well, yes, an "attacker" is able to sniff the traffic on the WLAN as he can sniff the traffic averywhere on the net.
your guests can use encrypted connections to whatever tey connect to. like ssl, https on websites.
or even trough a vpn service.

if you encrypt your guest network, the guest have one more step to establish a connection.
Photo of Marco Eichstetter

Marco Eichstetter

  • 149 Posts
  • 7 Reply Likes

So sniffing the traffic (if the guest not using SSL/HTTPS) is possible. It is also possible for someone who basicly don't have valid Guest Ticket. Just connect and sniff.

So in that case i think it makes absolute sense to secure my Guests using WPA2. Regardless having a extra step.

Thinking a little bit further the WPA2 PSK should be changed from time to time.

This should be the most secure way for Guests using Ruckus Gear (without any extra costs), right?

Thanks.

Photo of Marco Eichstetter

Marco Eichstetter

  • 149 Posts
  • 7 Reply Likes
I thought a little bit more about this.
Using a WPA2 PSK maybe don't made so much sense in case of a Guest Network.
My Guests are Restaurant Guests. To get the WPA2 PSK the "attacker" only have to come in and take a nice meal... ;)

If someone really want this PSK it's basicly no Problem.

What do you think about this? WPA2 for Guest Networks? Yes or No?
Photo of thomas fankhauser

thomas fankhauser

  • 17 Posts
  • 5 Reply Likes
i think securing the wireless trafic only make sense inside a business network.
on a guest network only for internet where the company data servers are not reachable, securing of wireles trafic not realy make sense, because the datas on the internet are also net secured.
if your guests care about security on the internet, they use encryption anyway (SSL/VPN..)

But if you feel bad without WPA, just activate it.
Photo of John D

John D, AlphaDog

  • 497 Posts
  • 137 Reply Likes
When it comes to securing guests network, it's really about balancing convenience with security. If you make guest security too cumbersome, you'll end up with guests that are dissatisfied with or bring their own portable hotspots, which then in turn degrades everyone's wifi experience.

Bottom line is, yeah, it is theoretically possible for guests to sniff and disrupt network traffic for others. I wrote a script to do so when I was 16. It would simply promiscuously look for another user on the network that appears to be having internet access, and then copy their MAC and IP address and attempt to associate. WIPS systems at the time were not advanced enough to detect this simple spoofing attack.

Modern WIPS systems are smarter and it will likely result in both users getting blocked, which means guests can still harass other guests.


WPA2-PSK will help a little with guests that don't know the key. But once a guest knows the key, they will still have the ability to eavesdrop on other guests (and if you need both a PSK and a guest pass, eavesdrop and intercept guest passes).


If you want to harden guest security, you'll want to use WPA2-enterprise with credentials you generate for the guest. Or possibly a DPSK based approach, and both need an onboarding portal with valid SSL certificates so that guests don't get duped by a bogus captive portal.


Overall, though, this seems like a lot of unnecessary work in my opinion. The majority of your guests will want to abide by the rules you set. Attempting to nab the 1% of abusers will end up harming the convenience of the rest of your users, which will ultimately lead to a worse guest network experience. I would strongly recommend instead working on a good network isolation, content filtering, and throttling strategy such that a handful of freeloading guests cannot degrade your experience.
(Edited)
Photo of Marco Eichstetter

Marco Eichstetter

  • 149 Posts
  • 7 Reply Likes
Thanks to you all and thanks John for your great post!
I decided not to use WPA2 PSK. A basic Guest Network with Tickets valid for some hours.
Thanks!
Photo of Eizens Putnins

Eizens Putnins

  • 107 Posts
  • 42 Reply Likes
Completely agree with John D. - for guest network WPA-PSK doesn't make sense, especially as now client OS shares with unknown number of "friends" access credentials. So it doesn't make sense to have any static reusable credentials, which will become shared very soon. I see it everyday in some companies, which don't want to use any other solutions, and are located in business centers with a lot of neighbors. They Guest network user number grows steady in time until password is changed, and than start to grow again.
Also you can't provide security to users, which are not interested in security, but want only convenience. You can't force them -- they will do as they want anyway, moving to the own mobile hotspot, and degrading environment for everybody.
So use full client isolation, and filter Internet traffic using UTM device. Clients must use only SSL and/or VPN for any type of sensitive traffic, but it have to be done by user...
It makes not much sense to make too secure Wi-Fi network, when  traffic goes through all Internet without any security...
Probably, when HotSpot 2.0 will be widely used, it will solve part of problems, but still security will mostly depend on users.
Unfortunately, most users doesn't care about privacy and / or security, convenience is the king. It is not a technical issue, it's a human nature - so no much chance to change it. 
May be this will change a bit when more an more payments will be done by mobile phones -- after user wallet will be emptied  couple of times as a result of bad security habits,  than there will be a slight chance that habits will change...
Photo of Phil Collett

Phil Collett

  • 4 Posts
  • 0 Reply Likes
Wouldn't the wireless client isolation in the WLAN settings prevent computers from talking to each other? Aside from spoofing macs and getting somebody kicked off the network for a bit
Photo of John D

John D, AlphaDog

  • 497 Posts
  • 137 Reply Likes
Sort of. Client isolation does not prevent a wireless adapter in promiscuous mode (or a sniffer) from intercepting traffic on an open network. While you can't do any peer to peer communications, an attacker/eavesdropper can still see everything that is going on in cleartext. 

With that said, CI is still a good idea on a lot of guest networks where peer to peer functionality is deemed unnecessary. It seems at the very least to save airtime from Bonjour/SMB/NetBIOS needlessly chatting with each other.

(Remember too that CI is per AP, not between AP's. You'll need subnet isolation for that, and setting up a whitelist for that tends to require more effort)