The Challenges Of Wi-Fi Guest Access

Earlier today, I was passing by a conference room in the building where I work on the Syracuse University campus. One of our business partners from a local technology incubator was sitting in the conference room working on his laptop computer, trying to make productive use of his time before a meeting. I stopped in to say hello and it didn't take long before he related his frustration about the performance of our campus wireless network. This network is well engineered for performance, but I knew immediately that he was trying to use the guest access system. Performance was indeed abysmal, reminiscent of the days of dial-up networking. Needless to say, it didn't leave our visitor, someone we very much want to spend time on campus, feeling very good about our campus information services.

It's been over 10 years since I left my position as Director of Network and System Services to work as a faculty member in the School of Information Studies. During that time, I've been pretty heavily involved in wireless networking as a technology editor and analyst and I've also worked pretty closely with our central IT Services organization as they've rolled out Wi-Fi services across campus. During the early development of this network, I lobbied hard for guest access services. We have lots of campus visitors, including vendors, guest speakers, and family of students and prospective students. Many of these visitors come to campus with Wi-Fi equipped laptops and PDA's and they relish the opportunity to connect to the Internet while visiting. I thought the business case for providing guest access was pretty compelling and I was disappointed that my initial lobbying was met with considerable resistance from the network staff.

In an era of heightened awareness of information security issues, I guess I shouldn't have been all that surprised that some folks would find the notion of unauthenticated guest wireless access to be a little threatening. These are the same folks whose responsibility it is to remediate the security issues that often result when infected computers connect to the campus network. Information security professionals are often risk averse. Hey, you'd be a little paranoid too if you had to fix all the problems caused by malware while taking heat from management for not being more proactive. The end result is often a management technique I've long referred to as "mini-maxing." Faced with security threats, network administrators often attempt to minimize their maximum regret, to protect against worst case scenarios, even when the adverse impact, in terms of user inconvenience and lost productivity, should be readily apparent.

Once we got past the visceral reaction to open guest wireless access, we were able to hammer out a plan that seemed acceptable to all parties. By using wireless VLANs, some virtual network segmentation, and port restrictions, we were able to offer guest access to the Internet to our visitors without the need to authenticate. This was totally acceptable to campus visitors, and even though the lack of security left them somewhat vulnerable to eavesdropping, it was no different than what they would experience at Starbucks or hundreds of other open access Wi-Fi hotspots. Our more sophisticated visitors protected themselves using a VPN connection. The rest took their chances, relying on internal firewalls and application-layer security for modest protection.

Working out these arrangements required a little bit of compromise by all parties involved. In exchange for getting my way with guest access, I reluctantly agreed that it would be acceptable to throttle performance for these users, both to insure that they didn't impact wireless performance of authorized campus users (given the small numbers of guests, I didn't think this argument had much merit) and more importantly, to discourage campus users from bypassing the secure wireless network. Given the configuration complexities of the 802.11i-based security system, that concern seemed more reasonable. We also investigated our legal liabilities (e.g., an unauthenticated guest user sending out kiddie porn, there's that mini-maxing again) and a reputable attorney advised us that it wasn't a problem.I eventually learned that my experience today with our distinguished visitor was the result of a decision by one of our campus network managers (a very talented guy I personally hired many years ago!) to further throttle back guest bandwidth in preparation for the start of school next week. His goals were understandable, to get as many new students as possible to connect to the wireless network in a secure manner rather than to use the guest access back door to the Internet. Unfortunately, that decision has had a significant adverse impact on campus visitors.

As I was relating this story to our School's IT manager, he thanked me for the information because it helped explain the problems he was experiencing earlier in the week with another campus visitor. We talked about the system the central IT folks have put in place to allow faculty and staff to sponsor campus visitors, providing them with credentials needed to access the secure wireless network. Those processes are well-intended, but they are onerous, requiring manual provisioning of accounts, configuration of client devices, and scanning of systems for malware.  The motivation is totally understandable because a sponsored user has full access to campus network resources and these resources, as well as other users on our campus network, need to be protected. However, it is rare that visitors need access to on-campus resources. Give them a wireless Internet connection, preferably with performance measured in megabits per second rather than kilobits per second, and they are happy.

Enterprise wireless vendors have long understood the importance of guest wireless access and most have capabilities to support these services. However, none that I am aware of strike the right balance between making life really easy for visitors while also protecting the legitimate concerns of network managers. Maybe some day.