Hotspot Security?

hi everyone.
here's my first question. any help would be appreciated.

i have had to implement a wireless hotspot in my friends hotel a month or two before i planned. obviously, this hasn't allowed me the time to study up on the security of the hotspot.

the equipment we are using is:

AP's are colubris cn3200 with cn320 for repeaters
switches are dell powerconnects 2724's which are managed
router is draytek 2950 (their latest enterprise class)

access required is:

1. secure encrypted access for hotel lan & staff. easily implemented with mac & wpa. this goes to vlan1 which allows access to the hotels private lan and internet

2. guest access to just the internet. again, it is easily implemented using dhcp and a https logon with no mac or wep/wpa encryption. this goes to vlan2 which only allows access to the internet.

all of the above clients cannot talk to each other and can only talk to the access point itself. all AP's are firewalled.

the question then......
am i as secure as i can be?

Hotspot Safety for Business Users

We illustrated five common-sense steps that anyone can take to defeat most Wi-Fi hotspot threats. Unfortunately, many users still insist on skinny-dipping in shark-infested hotspot waters. The only reliable way for employers to manage associated business risk is to define, monitor, and enforce hotspot acceptable use policies.

Something old, something new
Many companies have policies governing secure remote access to corporate networks. Those policies and related countermeasures are an excellent starting point for securing business hotspot use. However, they must be extended to deal with risks unique to Wi-Fi.

Before Wi-Fi, remote workers used dial-up or broadband to reach corporate networks. Because those links connected business assets to the public Internet, measures were needed to deflect unsolicited inbound traffic and ensure data confidentiality. As a result, many workers are now required to use anti-virus, personal firewall, and a VPN tunnel when connecting from afar. ......
Wifi pune, Wi-fi Pune, Pune Unwire - Hotspot Safety for Business Users


Thanks

The WPA2 AES network for the hotel staff should be WPA2 Enterprise that implements a FreeRadius server - it can better withstand a bruteforce attack. It is the most secure way to prevent intrusions. Also, the freeradius server can also act as an authentication server for LAN clients as well (if you don't have a Domain server with Radius authentication).

In addition, you can have your Workstations VPN over LAN to an OpenVPN server (on LAN) so that all traffic is encrypted across the network if you don't have DES ethernet security. You also want encryption for your guest clients connections so they can securely browse the Internet - also use Radius and provide a system that will generate keys for the duration of the guest's visit - WPA encrypts the Data and not just the connection.

Also, find some way of detecting Jasager Fon networks that can do session Hijacking. You don't want your guests to be preyed upon by a malicious guest or employee that uses Web Browser session hijacking to get personal login information - and yes SSL/TLS certificates can be spoofed and many people will accept an invalid certificate. It is very easy for a hacker to grap info with a Jasager Router and a 3G mobile phone/laptop card. Radius Security for guests is half the work.
http://www.digininja.org/jasager/

You can also get a Napera Switch. It has many security features like Windows NAP verfication, and has some of the best enterprise Radius security.
Napera N24 Appliance - Secure Network Access Protection

Hi,

Thanks for sharing the cool link.
The website has a fresh appearance and it appealed to me.
Just read the article and it really is interesting.

Keep sharing such cool links and information.

Regards
Ben Thomas

__________________
Business Telephone Systems

Try a personal vpn using tcp port 443. It works most but not all of the time. If it works then it will continue to work and won't get blocked as the traffic looks like SSL traffic on port 443 which is legitimate.........








_____________
Tweak Change Windows 7 logon screen

Many consumers realize that hotspots can be risky, but fail to take even the most basic precautions. Why? Some underestimate the dangers, while others lack the financial and IT support enjoyed by corporate users. Fortunately, anyone can protect himself or herself by taking a few simple, cost-free steps. To look steps for Hotsspot Security