Guest Networks

Maintaining and securing public access wifi and portals

  • A logically separated network segment that provides internet access to temporary users while isolating them from the main corporate/private network
  • Operates on the principle of network segmentation - guests can access internet resources but cannot reach internal network assets
  • Typically implemented using VLANs, separate SSIDs, or dedicated physical infrastructure
  • Provides security by creating a controlled environment where guest traffic is contained and monitored

Implementation Methods

  • VLAN-based separation: Guests assigned to dedicated VLAN (e.g., VLAN 100) with restricted routing policies
  • Separate SSID: Wireless networks broadcast additional SSID (e.g., “Company_Guest”) mapped to guest VLAN
  • Physical separation: Dedicated access points or switch ports connected to isolated network segment
  • Firewall rules: ACLs (Access Control Lists) block guest-to-internal traffic while permitting internet access

Security Controls

  • Bandwidth throttling: Limits guest consumption of network resources (e.g., 10 Mbps per user)
  • Time-based access: Sessions expire after predetermined period (common: 24 hours)
  • Content filtering: Web filtering blocks malicious or inappropriate sites
  • Captive portal: Authentication page requiring terms acceptance or credentials before network access
  • MAC address isolation: Prevents guest devices from communicating with each other (client isolation); this is enforced by the access point or wireless controller at layer 2, because the firewall never sees traffic between two clients on the same SSID
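The captive portal and time-based access bullets above describe one piece of per-client state: is this device authorized right now, and if not, what may it reach? The following is an added example (not code from the original page, and not any vendor's implementation) that models that decision for one guest VLAN. Before a client accepts the terms it sits in a "walled garden" where only DNS and the portal itself are reachable and plain HTTP is redirected to the portal; after acceptance its MAC is authorized for a 24-hour session (the page's common value), and when the session expires it falls back to the portal. The portal address, MACs and timestamps are constructed for illustration.

```python
"""Captive-portal gate with time-based sessions.

Added example: models the allow/redirect/drop decision a guest gateway makes
for each new flow, keyed on the client's MAC.  PORTAL_IP, the MACs and the
timestamps below are constructed for illustration.
"""
import time
from dataclasses import dataclass
from typing import Dict, Optional

PORTAL_IP = "192.168.100.1"      # constructed: gateway interface that hosts the portal page
SESSION_SECONDS = 24 * 3600      # the page's "common: 24 hours" session length


@dataclass
class Session:
    mac: str
    ip: str            # kept for connection records; not used for enforcement
    granted_at: float
    expires_at: float


class CaptivePortal:
    """Per-client authorization state for one guest VLAN.

    The MAC is asserted by the client and can be spoofed or randomized, so a
    session identifies a device for accountability, not as strong authentication.
    """

    def __init__(self, session_seconds: int = SESSION_SECONDS):
        self.session_seconds = session_seconds
        self.sessions: Dict[str, Session] = {}   # keyed by lower-cased MAC

    def authorize(self, mac: str, ip: str, now: float) -> Session:
        """Record acceptance of the terms (or a login) and start the session clock."""
        key = mac.lower()
        s = Session(key, ip, now, now + self.session_seconds)
        self.sessions[key] = s          # re-accepting simply restarts the window
        return s

    def is_authorized(self, mac: str, now: float) -> bool:
        key = mac.lower()
        s = self.sessions.get(key)
        if s is None:
            return False
        if now >= s.expires_at:
            del self.sessions[key]      # time-based access: expired sessions are purged
            return False
        return True

    def decide(self, mac: str, dst_ip: str, proto: str, dport: Optional[int], now: float) -> str:
        """Return 'allow', 'redirect' (to the portal) or 'drop' for one new flow."""
        if self.is_authorized(mac, now):
            return "allow"
        # Walled garden: an unauthenticated client may only resolve names and
        # reach the portal itself.
        if proto == "udp" and dport == 53:
            return "allow"
        if dst_ip == PORTAL_IP and proto == "tcp" and dport in (80, 443):
            return "allow"
        # Plain HTTP anywhere else is intercepted and answered with a redirect
        # to the portal, which is how the browser (or the OS captive-portal
        # probe) lands on the terms page.  HTTPS cannot be redirected without
        # certificate errors, so it is dropped until the client authorizes.
        if proto == "tcp" and dport == 80:
            return "redirect"
        return "drop"


if __name__ == "__main__":
    portal = CaptivePortal()
    now = time.time()
    mac, ip = "AA:BB:CC:DD:EE:01", "192.168.100.10"   # constructed guest device
    print("before accept, HTTP :", portal.decide(mac, "93.184.216.34", "tcp", 80, now))
    print("before accept, HTTPS:", portal.decide(mac, "93.184.216.34", "tcp", 443, now))
    portal.authorize(mac, ip, now)
    print("after accept, HTTPS :", portal.decide(mac, "93.184.216.34", "tcp", 443, now + 60))
    print("after 24 h, HTTP    :", portal.decide(mac, "93.184.216.34", "tcp", 80, now + SESSION_SECONDS))
```

The walled garden is the part most often left too wide in practice: if unauthenticated clients can reach arbitrary HTTPS hosts or any DNS-over-HTTPS resolver, the portal is bypassable. Keep the pre-authorization allow list to DNS and the portal host, and let the session expiry, not the DHCP lease, define how long access lasts.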

Common Configuration Components

Component          Purpose               Example Values
Guest VLAN         Traffic segregation   VLAN 100, subnet 192.168.100.0/24
DHCP Pool          IP assignment         192.168.100.10 - 192.168.100.100
Default Gateway    Internet routing      192.168.100.1
DNS Servers        Name resolution       8.8.8.8, 1.1.1.1
Session Timeout    Access duration       24 hours, 8 hours
Bandwidth Limit    QoS control           10 Mbps down, 2 Mbps up

Vocabulary

  • Client Isolation: Feature preventing devices on same network from communicating directly
  • Captive Portal: Web page requiring authentication or agreement before network access
  • SSID (Service Set Identifier): Wireless network name broadcast by access points
  • Hotspot: Public wireless access point, often with guest network functionality
  • NAT (Network Address Translation): Translates private IP addresses to public for internet access

Notes

  • Guest networks should NEVER have access to internal VLANs - use explicit deny rules for the RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), placed ahead of any permit rule so that a broad "permit any" cannot match first; if internal systems also live in other ranges (e.g., 100.64.0.0/10 or public address space), deny those as well, since the RFC 1918 list alone does not cover them
  • Default gateway for guest VLAN typically points to firewall interface with internet-only routing policies
  • Consider legal requirements for guest access logging (some jurisdictions require connection records)
  • Bandwidth limitations prevent network abuse - set reasonable limits based on internet connection capacity
  • Encrypt the guest SSID even though it is open to the public: WPA3 Enhanced Open (OWE) gives each client its own encryption with no password, and WPA3-Personal (SAE) with a published password also keeps clients from decrypting each other's traffic; WPA2-PSK with a published password does not, because anyone who knows the PSK and captures a client's 4-way handshake can decrypt that client's traffic
  • Monitor guest network usage for security anomalies - unusual traffic patterns may indicate compromise
  • Regularly audit firewall rules to ensure guest-to-internal network isolation remains intact
  • Guest DHCP pools should use shorter lease times (e.g., 4 hours vs 24 hours for internal networks)
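The firewall-rules bullet under Implementation Methods and the notes above on explicit RFC 1918 denies and regular rule audits all come down to one question: does any rule, in evaluation order, let a guest reach private address space? The following is an added example (not code from the original page, and not any firewall vendor's syntax) that models first-match ACL evaluation for traffic entering from the page's example guest VLAN, shows the classic ordering mistake beside a correct guest policy, and runs a sampling audit that reports any probe into RFC 1918 space that a rule set still permits. Rule names, probe ports and the sample destination addresses are constructed for illustration.

```python
"""Guest-VLAN firewall policy check.

Added example: models the ACL a firewall applies to traffic arriving from the
guest VLAN (192.168.100.0/24, the page's example) and audits it for leaks into
RFC 1918 space.  The rule sets and probe flows are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

GUEST_SUBNET = ipaddress.ip_network("192.168.100.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# RFC 1918 ranges that guest traffic must never reach.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    """One ACL entry applied to traffic entering from the guest VLAN."""
    action: str                      # "permit" or "deny"
    dst: ipaddress.IPv4Network       # destination network
    proto: str = "any"               # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None      # destination port; None matches any port


def matches(rule: Rule, dst: ipaddress.IPv4Address, proto: str, dport: Optional[int]) -> bool:
    if dst not in rule.dst:
        return False
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return True


def evaluate(acl: List[Rule], dst_ip: str, proto: str = "tcp", dport: Optional[int] = 443) -> str:
    """First-match evaluation with an implicit deny when nothing matches."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in acl:
        if matches(rule, dst, proto, dport):
            return rule.action
    return "deny"


# Representative flows to probe during an audit (sampling, not a proof).
PROBES = [("tcp", 443), ("tcp", 445), ("tcp", 22), ("udp", 53), ("icmp", None)]


def audit_isolation(acl: List[Rule]) -> List[Tuple[str, str, Optional[int]]]:
    """Return (dst, proto, port) flows from the guest VLAN that still reach RFC 1918 space.

    Probes the first, middle and last host of each private range with every
    flow in PROBES; an empty list means every sampled internal destination is denied.
    """
    leaks = []
    for net in RFC1918:
        first = net.network_address + 1
        mid = net.network_address + net.num_addresses // 2
        last = net.broadcast_address - 1
        for dst in (first, mid, last):
            for proto, port in PROBES:
                if evaluate(acl, str(dst), proto, port) == "permit":
                    leaks.append((str(dst), proto, port))
    return leaks


# Wrong ordering: the broad permit matches first, so the RFC 1918 denies never fire.
ACL_BROKEN = [
    Rule("permit", ANY),
    Rule("deny", RFC1918[0]),
    Rule("deny", RFC1918[1]),
    Rule("deny", RFC1918[2]),
]

# Correct ordering: explicit denies for private space, then internet-only permits.
ACL_GUEST = [
    Rule("deny", RFC1918[0]),
    Rule("deny", RFC1918[1]),
    Rule("deny", RFC1918[2]),
    Rule("permit", ANY, "udp", 53),    # DNS to the public resolvers (8.8.8.8, 1.1.1.1)
    Rule("permit", ANY, "tcp", 80),
    Rule("permit", ANY, "tcp", 443),
    Rule("permit", ANY, "udp", 443),   # QUIC
    Rule("permit", ANY, "icmp"),
]

if __name__ == "__main__":
    print("broken ACL leaks :", len(audit_isolation(ACL_BROKEN)))
    print("guest ACL leaks  :", audit_isolation(ACL_GUEST))
    print("guest -> 10.0.0.5 tcp/445   :", evaluate(ACL_GUEST, "10.0.0.5", "tcp", 445))
    print("guest -> 8.8.8.8 udp/53     :", evaluate(ACL_GUEST, "8.8.8.8", "udp", 53))
    print("guest -> 93.184.216.34 tcp/25:", evaluate(ACL_GUEST, "93.184.216.34", "tcp", 25))
```

Run the audit against the exported rule set whenever the policy changes, and treat a non-empty result as a failed change: the broken rule set above passes a casual read (all three deny lines are present) yet permits every probe, because order decides what a first-match ACL does. The probe-based audit samples destinations, so it catches misordering and missing ranges but not a narrow permit for a single host; pair it with a review of every permit whose destination overlaps internal space.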