I have a security question regarding a Ruckus Guest Network.
Basically the Guest Network is not encrypted (by default). No WPA2.
But the access to this Network is protected with a Guest Ticket.
How secure is this for my Guests?
Is an attacker able to sniff the Wireless Traffic without having a valid Guest Ticket?
Or should I better encrypt my Guest Network with WPA2?
Please share your thoughts about this.
Your guests can use encrypted connections to whatever they connect to, like SSL, HTTPS on websites.
Or even through a VPN service.
If you encrypt your guest network, the guests have one more step to establish a connection.
So sniffing the traffic (if the guest is not using SSL/HTTPS) is possible. It is also possible for someone who basically doesn't have a valid Guest Ticket. Just connect and sniff.
So in that case I think it makes absolute sense to secure my Guests using WPA2. Regardless of having an extra step.
Thinking a little bit further the WPA2 PSK should be changed from time to time.
This should be the most secure way for Guests using Ruckus Gear (without any extra costs), right?
Using a WPA2 PSK maybe doesn't make so much sense in case of a Guest Network.
My Guests are Restaurant Guests. To get the WPA2 PSK the "attacker" only has to come in and take a nice meal... ;)
If someone really wants this PSK it's basically no problem.
What do you think about this? WPA2 for Guest Networks? Yes or No?
On a guest network only for internet, where the company data servers are not reachable, securing the wireless traffic does not really make sense, because the data on the internet is also not secured.
If your guests care about security on the internet, they use encryption anyway (SSL/VPN..)
But if you feel bad without WPA, just activate it.
Bottom line is, yeah, it is theoretically possible for guests to sniff and disrupt network traffic for others. I wrote a script to do so when I was 16. It would simply promiscuously look for another user on the network that appears to be having internet access, and then copy their MAC and IP address and attempt to associate. WIPS systems at the time were not advanced enough to detect this simple spoofing attack.
Modern WIPS systems are smarter and it will likely result in both users getting blocked, which means guests can still harass other guests.
WPA2-PSK will help a little with guests that don't know the key. But once a guest knows the key, they will still have the ability to eavesdrop on other guests (and if you need both a PSK and a guest pass, eavesdrop and intercept guest passes).
If you want to harden guest security, you'll want to use WPA2-enterprise with credentials you generate for the guest. Or possibly a DPSK based approach, and both need an onboarding portal with valid SSL certificates so that guests don't get duped by a bogus captive portal.
Overall, though, this seems like a lot of unnecessary work in my opinion. The majority of your guests will want to abide by the rules you set. Attempting to nab the 1% of abusers will end up harming the convenience of the rest of your users, which will ultimately lead to a worse guest network experience. I would strongly recommend instead working on a good network isolation, content filtering, and throttling strategy such that a handful of freeloading guests cannot degrade your experience.
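A defender's view of the MAC-copying trick described in the post above, as an added example that is not part of the thread and not Ruckus code: two radios sharing one MAC address each keep their own 12-bit 802.11 sequence counter, so a sensor sees the sequence numbers for that address jump back and forth. The frame list, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict

SEQ_MODULUS = 4096    # 802.11 sequence numbers are 12 bits wide
MAX_FORWARD_GAP = 64  # assumed tolerance for frames the sensor missed
MIN_ANOMALIES = 3     # assumed: ignore a one-off jump such as a client reset

def find_shared_macs(frames, max_gap=MAX_FORWARD_GAP, min_anomalies=MIN_ANOMALIES):
    """Return {mac: anomaly_count} for MACs whose sequence numbers interleave.

    frames: iterable of (source_mac, sequence_number) in capture order.
    """
    last_seq = {}
    anomalies = defaultdict(int)
    for mac, seq in frames:
        mac = mac.lower()
        if mac in last_seq:
            # Forward distance modulo 4096, so a normal wrap 4095 -> 0 is gap 1
            # and a retransmission (same number again) is gap 0.
            gap = (seq - last_seq[mac]) % SEQ_MODULUS
            if gap > max_gap:
                anomalies[mac] += 1
        last_seq[mac] = seq
    return {mac: n for mac, n in anomalies.items() if n >= min_anomalies}

# Constructed capture: ...:01 is used by two transmitters (counters near 100
# and near 2900), ...:02 wraps and retransmits normally, ...:03 jumps once.
SAMPLE_FRAMES = [
    ("02:00:00:00:00:01", 100), ("02:00:00:00:00:02", 4094),
    ("02:00:00:00:00:01", 2900), ("02:00:00:00:00:02", 4095),
    ("02:00:00:00:00:01", 101), ("02:00:00:00:00:03", 10),
    ("02:00:00:00:00:01", 2901), ("02:00:00:00:00:02", 0),
    ("02:00:00:00:00:03", 11), ("02:00:00:00:00:01", 102),
    ("02:00:00:00:00:02", 0), ("02:00:00:00:00:03", 500),
    ("02:00:00:00:00:01", 2902), ("02:00:00:00:00:02", 2),
    ("02:00:00:00:00:03", 501),
]

if __name__ == "__main__":
    for mac, count in find_shared_macs(SAMPLE_FRAMES).items():
        print(f"{mac}: {count} sequence anomalies, likely shared by two radios")
```
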
I decided not to use WPA2 PSK. A basic Guest Network with Tickets valid for some hours.
Also you can't provide security to users who are not interested in security, but want only convenience. You can't force them -- they will do as they want anyway, moving to their own mobile hotspot, and degrading the environment for everybody.
So use full client isolation, and filter Internet traffic using a UTM device. Clients must use only SSL and/or VPN for any type of sensitive traffic, but it has to be done by the user...
It does not make much sense to make a too secure Wi-Fi network, when traffic goes through the whole Internet without any security...
Probably, when HotSpot 2.0 is widely used, it will solve part of the problems, but security will still mostly depend on users.
Unfortunately, most users don't care about privacy and / or security, convenience is king. It is not a technical issue, it's human nature - so not much chance to change it.
Maybe this will change a bit when more and more payments are done by mobile phones -- after a user's wallet has been emptied a couple of times as a result of bad security habits, then there will be a slight chance that habits will change...