Wi-Fi is everywhere we go now. It is no longer a “nice to have,” but rather an expectation. This means that every business is expected to become a network operator and offer its guests Wi-Fi service. In my travels, I have learned that some organizations do this better than others. Most guest users only worry about the performance of the network, but as a network operator, you should be concerned about the security of your guests as well. Let’s highlight some tools and tricks to determine what type of network you are on, explain some of the risks, and show you how to resolve these issues.
The Large Network Segment
One of the most common issues that I see is the LARGE network segment. In the world of networking, you have the ability to create networks that will support different numbers of devices. Some can be as small as one device, and others can be as large as thousands of client devices. What I see quite frequently is the latter of these two options. A poor design is when you sign into the guest network and are lumped in with many other devices. This makes your device vulnerable to all sorts of problems caused by other users on the network either intentionally or accidentally.
How to check your network size?
While on the guest network, press the Windows key on your computer, type CMD, and press Enter to open a command prompt. Now type ipconfig and press Enter, then check the line that says Subnet Mask.
Once you have the subnet mask that has been assigned to you by the network, you can then Google to see how many network addresses are in that segment. In the case of this example, there are 256 addresses available. This means you could be sharing the network with over 250 other people.
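Rather than looking the mask up, you can compute the segment size directly. This is an added example, not part of the original post: it parses a constructed sample of `ipconfig` output and works out how many addresses share the segment; the 64-host “large” threshold is an assumption for illustration.

```python
import ipaddress
import re

# Constructed sample of Windows `ipconfig` output (not from the original post).
SAMPLE_IPCONFIG = """
Windows IP Configuration

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . : guest.example
   IPv4 Address. . . . . . . . . . . : 10.20.30.77
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.20.30.1
"""


def parse_ipconfig(text):
    """Pull the IPv4 address and subnet mask out of ipconfig output."""
    addr = re.search(r"IPv4 Address[ .]*: (\S+)", text)
    mask = re.search(r"Subnet Mask[ .]*: (\S+)", text)
    if not addr or not mask:
        raise ValueError("no IPv4 address/subnet mask found")
    return addr.group(1), mask.group(1)


def segment_size(address, mask):
    """Work out how big the segment is from a dotted-decimal mask."""
    net = ipaddress.IPv4Network(f"{address}/{mask}", strict=False)
    total = net.num_addresses
    # Network and broadcast addresses are unusable on /30 and shorter prefixes.
    usable = total - 2 if net.prefixlen <= 30 else total
    return {"network": str(net), "prefix": net.prefixlen,
            "total": total, "usable": usable}


def assess(text, threshold=64):
    """Flag a segment as large when more than `threshold` hosts could share it.
    The threshold is an assumption for illustration, not a standard."""
    address, mask = parse_ipconfig(text)
    info = segment_size(address, mask)
    info["large"] = info["usable"] > threshold
    return info
```

A 255.255.255.0 mask gives a /24 with 256 addresses, 254 of them usable by other guests’ devices.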
You may ask, why does the network size matter? Well, have you ever shared a drive on your laptop or set up an FTP server? Perhaps you were trying to share some pictures or a file with a colleague. How about remote desktop? All of these services require you to make an exception in the firewall built into your laptop. Perhaps you couldn’t figure out how to make the exception and just disabled the firewall altogether.
As you log into a guest network with potentially thousands of other devices, ask yourself if you removed all those exceptions. Did you reenable the firewall? If not, your laptop could be an easy target for some bored or malicious individual also on the same network segment.
There are actually software applications available for both PC and mobile devices that will allow you to scan the entire network segment and see which devices are reachable. Once you discover a device on the segment, these applications make it very simple to scan the device for any vulnerabilities.
Are wired networks less prone to issues?
Hotel rooms, conference rooms, and even large conference centers sometimes offer wired Ethernet ports. You may wonder if these are more resistant to issues. Truth be told, they are not. Let’s take a large conference center for example. Typically, companies come in and set up a booth for an event. As part of the booth setup, they attach their own router to the network provided by the conference center. The venue’s network should be plugged into the WAN port of the router; however, what happens if they accidentally connect it to a LAN port? That router could then start handing out IP addresses itself instead of letting the venue’s DHCP server hand out addresses. Now this one mistake can impact the experience of everybody else on the network by causing clients to use the wrong Internet gateway, or by handing out duplicate IP addresses, which would cause performance issues.
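A venue operator can catch this kind of accidental rogue DHCP server by watching for DHCP offers whose server identifier is not the venue’s own server. This is an added example, not from the original post: it builds a minimal constructed DHCPOFFER, decodes its options, and flags offers from any server outside an allow-list (the addresses are made up).

```python
import ipaddress

DHCP_COOKIE = b"\x63\x82\x53\x63"
OPT_SUBNET, OPT_ROUTER, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 1, 3, 53, 54, 255
DHCPOFFER = 2


def build_offer(yiaddr, server_id, router, mask):
    """Construct a minimal DHCPOFFER for testing (not a real capture)."""
    ip = lambda a: ipaddress.IPv4Address(a).packed
    # op=BOOTREPLY, htype=Ethernet, hlen=6, hops=0, xid, secs+flags
    fixed = bytes([2, 1, 6, 0]) + b"\x12\x34\x56\x78" + bytes(4)
    # ciaddr, yiaddr (the offered address), siaddr, giaddr
    fixed += bytes(4) + ip(yiaddr) + bytes(8)
    fixed += bytes(16 + 64 + 128)  # chaddr, sname, file
    opts = DHCP_COOKIE + bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
    opts += bytes([OPT_SERVER_ID, 4]) + ip(server_id)
    opts += bytes([OPT_ROUTER, 4]) + ip(router)
    opts += bytes([OPT_SUBNET, 4]) + ip(mask)
    return fixed + opts + bytes([OPT_END])


def parse_options(packet):
    """Decode the TLV option list that follows the magic cookie."""
    if len(packet) < 240 or packet[236:240] != DHCP_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == 0:  # pad byte
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def check_offer(packet, authorized_servers):
    """Return the offer's server and gateway, and whether the server is unexpected."""
    opts = parse_options(packet)
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return None  # only offers are of interest here
    server = str(ipaddress.IPv4Address(opts[OPT_SERVER_ID]))
    router = str(ipaddress.IPv4Address(opts[OPT_ROUTER]))
    return {"server": server, "router": router,
            "rogue": server not in authorized_servers}
```

In practice the packets would come from a capture on the venue network; an unexpected server identifier, or a router option pointing at the wrong gateway, is the signal to go find the misplugged booth router.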
I have good signal strength, but the performance of the network is really poor
Sometimes I run into an issue when I log into a guest network: my device says I have good signal strength, but the performance of the network is still very slow. You may ask, is this just a lack of bandwidth? Are too many people using the network at once? This could be true in some cases, but also consider that somebody else’s device, in an entirely different room, may have a virus on it. The objective of this virus is to replicate itself across every other device on the network and ultimately launch a denial of service attack against the local Internet gateway from all the devices it is able to infect. This will create a very poor experience for everybody sharing the same network segment.
The gold standard for deploying guest Wi-Fi networks is a technology that uses per-user micro-segmentation, also known as per-user dynamic VLANs. What this means is that each user who logs into the network is placed into their own bubble. As a result, they will not have the ability to see any other devices on the network, and no other devices will have the ability to see them. It also means that each user has a unique Internet gateway. If their computer does something to impact the performance of the network, it only impacts their own bubble.
So, with micro-segmentation in mind, let’s look over the problems we have discussed so far.
The one large network segment is broken into a unique network segment for each guest. This prevents users from probing each other’s devices for vulnerabilities because those devices are separated at both Layer 2 and Layer 3 of the network.
In the case of the conference center guest user plugging a rogue DHCP server into the network by accident, it would only impact his/her segment. All other users of the network will continue to function as normal because micro-segmentation has isolated the issue to the one small segment assigned to that user.
Finally, in the case of the infectious laptop spreading its virus to other machines and causing a denial of service attack on the internet gateway, this would again be isolated due to micro-segmentation. The infected computer would not have access to any other devices on the guest network, and an attack on the internet gateway would only impact the performance of his segment, not everybody else.