How to Offer Secured WiFi to your Customers
Wi-Fi signals will not pass through any metal objects, and other structural elements such as block walls may well reduce the coverage area. Therefore, the best locations for installing the WAPs at this gym are on or near the ceilings, with one WAP on each floor centrally mounted.
DIAGRAM COURTESY OF SLAYTON SOLUTIONS
This past Christmas was another networking nightmare for this security professional. After the boxes and wrapping paper have been recycled, I am left with my family members demanding that I hook up their new devices to the existing Wi-Fi wireless LAN in our house. This is not a simple process. I have enabled any and all available methods to secure my Wi-Fi access point from unwanted intruders, including the disabling of the SSID (access point name) transmission, WPA encryption, and use of the “MAC Filtering” option, which limits the devices that can access the system by their MAC addresses. Have you ever tried to find the MAC address of a Kindle? It is neither intuitive nor easy. Persistence prevailed and the family is happy, at least for the moment, as their devices are functional over our Wi-Fi LAN and Internet connection.
The massive proliferation of Wi-Fi-enabled smartphones, tablet computers, and Kindle-type devices is changing how the public feels about Internet access. Many people now expect — no, demand — Wi-Fi and Internet connectivity wherever they go, whether it’s their gym or their favorite restaurant.
A recent conversation with one of my students illustrated this point. He has a client with a number of restaurants, who wants to add Wi-Fi and Internet access for his customers at each location. I discussed the particulars with the dealer and hopefully all will go well.
When reviewing our conversation I realized that the addition of Wi-Fi is a relatively simple process that my loyal SDM readers can add to their offerings for both residential and commercial clients. So using the example of “Joe’s Gym,” a three-story business, here is the plan for adding Wi-Fi coverage for “guest” use.
Almost all businesses and most residences have LAN and Internet connectivity, and usually have existing Wi-Fi that they use for business and/or personal communications. It is imperative that the security dealer discuss network security and the potential bandwidth problems that arise if the customer simply “opens up” their existing wireless access point (WAP). Opening their WAP will allow any user to easily attempt various hacking methods to access the business network servers. In addition, the bandwidth of WAPs is shared, so if a large number of guest users are hitting their Facebook page simultaneously, they will be using a big portion of the available bandwidth. This might slow business Wi-Fi communications.
If guests are using the same Internet connection as the business, it is possible that a criminal might use the guest Wi-Fi access to commit crimes over the business owner’s public Internet connection. If tracked by law enforcement the trail will lead to that IP address. Having your building surrounded by the FBI is not a pleasant experience.
For all of these reasons it is best that the client contact their ISP/telephone company/cable company and arrange for a new, separate DSL or cable modem to be installed. This provides a separate public IP address and eliminates bandwidth issues that might affect the business’s network communications.
With the Internet security issues settled, let’s move on to the physical installation of the Wi-Fi access points. One of the main problems with Wi-Fi is the lack of coverage when WAPs are positioned in specific locations. The Wi-Fi signals will not pass through any metal objects, and other structural elements such as block walls may well reduce the coverage area. With that in mind, the best location of the WAPs at Joe’s Gym will be on or near the ceiling, with one WAP on each floor centrally mounted.
One brand of WAP, the Trendnet TEW-653AP, is a great unit for ceiling installation. It looks like a smoke detector and its multiple antennas are internal to the plastic casing, so there are no ugly antennas hanging down that might be damaged or tampered with. These WAPs also are powered by PoE, so a single Cat5e cable run to each WAP from a PoE-enabled network switch (such as the Trendnet TPE-S44) provides both network connectivity and power for the WAPs.
One of the benefits that should be set up for the guest Wi-Fi network is “roaming” capability. It’s very possible that a gym user might go from one floor to another while completing his workout, so the Wi-Fi connection should be available to each user on all floors.
The roaming setup is important because it is very likely that Wi-Fi coverage from each WAP will overlap with others, which can cause connection confusion with the wireless devices unless the installer has set up the WAPs properly.
The correct way to set up roaming on a single LAN with multiple WAPs is as follows: Set the SSID (WAP name) exactly the same on each unit, and program the WAP to “broadcast” the SSID. There are 11 Wi-Fi channels. For a roaming application, WAPs that might possibly overlap each other in coverage should be set to one of the three channels that do not overlap with others: channels 1, 6, and 11. In a three-WAP system, those are the channels to use.
In this example, if a user has connected to the WAP in the basement, which is on channel 11, and then walks up to the top floor, his device likely will lose the connection to the basement WAP. The handheld Wi-Fi device then will scan for the same SSID as it had recorded previously. Because the SSID in the top floor WAP is the same as the basement WAP, the device automatically should connect to the top floor WAP.
The rest of the system is straightforward, with the network switch being connected to a router such as a Linksys WRT54G via a Cat5e cable. This particular router has a built-in Wi-Fi access point that in this installation should be disabled in the programming selections. A quick check of the Internet reveals that apparently there are few or no available low-cost routers that do not include Wi-Fi these days. An alternative use for the WAP built into the router would be to locate this router in a position to cover one of the three floors, and then only two additional WAPs would be needed. However, keep in mind that the Linksys router requires a plug-in power supply so an AC outlet must be available nearby.
The router is going to provide the Dynamic Host Configuration Protocol (DHCP) addresses for the guests, which include unique local IP addresses along with common subnet mask and default gateway addresses. Do not use the DHCP servers that are included with the individual WAPs; these should be disabled. The router’s DHCP server should issue a large quantity of addresses based on potential user demand, with the DHCP settings providing perhaps 75 or 100 addresses.
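The roaming and DHCP settings described above can be checked on paper before the installer visits the site. The following is an added example, not part of the original article; the plan format, SSID, WAP names and address range are assumptions, and every pair of WAPs is treated as possibly overlapping in coverage.

```python
import ipaddress
from itertools import combinations

# Constructed plan for a three-floor site; SSID, names and addresses are assumptions.
PLAN = {
    "expected_guests": 75,
    "router_dhcp": {"enabled": True, "start": "192.168.50.100", "end": "192.168.50.199"},
    "waps": [
        {"name": "basement", "ssid": "Gym-Guest", "broadcast": True, "channel": 11, "dhcp": False},
        {"name": "ground", "ssid": "Gym-Guest", "broadcast": True, "channel": 6, "dhcp": False},
        {"name": "top", "ssid": "Gym-Guest", "broadcast": True, "channel": 1, "dhcp": False},
    ],
}

def channels_overlap(a, b):
    # 2.4 GHz channels sit 5 MHz apart but each is roughly 22 MHz wide,
    # so two channels interfere unless they are at least 5 numbers apart.
    return abs(a - b) < 5

def pool_size(start, end):
    # Number of addresses in an inclusive DHCP range.
    return int(ipaddress.IPv4Address(end)) - int(ipaddress.IPv4Address(start)) + 1

def audit(plan):
    findings = []
    waps = plan["waps"]
    if len({w["ssid"] for w in waps}) != 1:
        findings.append("SSID differs between WAPs; roaming needs an identical SSID")
    for w in waps:
        if not w["broadcast"]:
            findings.append(f"{w['name']}: SSID broadcast is off")
        if w["dhcp"]:
            findings.append(f"{w['name']}: built-in DHCP is on; only the router should issue addresses")
        if not 1 <= w["channel"] <= 11:
            findings.append(f"{w['name']}: channel {w['channel']} is outside 1-11")
    for a, b in combinations(waps, 2):
        if channels_overlap(a["channel"], b["channel"]):
            findings.append(f"{a['name']}/{b['name']}: channels {a['channel']} and {b['channel']} overlap")
    dhcp = plan["router_dhcp"]
    size = pool_size(dhcp["start"], dhcp["end"])
    if not dhcp["enabled"]:
        findings.append("router DHCP is disabled; guests will get no address")
    elif size < plan["expected_guests"]:
        findings.append(f"router pool has {size} addresses for {plan['expected_guests']} expected guests")
    return findings

if __name__ == "__main__":
    for line in audit(PLAN) or ["plan OK"]:
        print(line)
```

An empty result means the plan follows the roaming and DHCP rules; each finding names the WAP or setting to correct.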
With the WAPs set for roaming and the DHCP addresses being centrally issued from the router, the system is now ready for the hordes of sweaty hands pounding on their iPhones checking to see if any of their “friends” really care that right now they are at the gym.
This article was previously published as "Kids, Kindles & Public Wi-Fi" in the print magazine.