Cliff Skolnick, FreeNetworks
cliff@freenetworks.org
http://www.freenetworks.org/best_practices/
This document is intended to help a technical person install a public access point for a business. The goal is to make it easy to perform the most effective installation possible with cheap off-the-shelf hardware.
The first order of business is to get the access point ("AP") running per the manufacturer's instructions. Each access point has its own set of oddities, and explaining those is beyond the scope of this document. Some recommended hardware is listed below - I've found these to be well behaved, flexible, and compatible with almost any client.
Be sure to check with the ISP to make sure sharing a connection is in accordance with their acceptable use policy ("AUP") before sharing. Some ISPs forbid sharing and others do not mind. Please do business with the ones that allow sharing a connection.
Unless there is a specific known issue, it is advantageous to load the most recent firmware available from the hardware manufacturer's support site before turning the AP on for public use. Be sure to update the operating system and anti-virus programs on each machine in your business, and keep them updated.
Whether by intent or through accidental exposure to a virus, any untrusted machine on your public LAN can wreak havoc. Any private systems should be isolated from the public network as much as possible.
It is much easier to compromise a machine on the public network than one on a second network. If these private systems need Internet access, a personal firewall such as the Netgear FVS318 and a second IP address from the ISP may be needed, and it will be money well spent.
If any private systems must be on the public LAN, be sure each machine is secured as much as possible. Personal firewall products, up-to-date virus software, and the disabling of file share services are all required. This means no file sharing over the public network between private systems! A second network is needed if file sharing services are going to be used.
Of course the default password was changed, right? Do not leave the default password on the AP, nor an easily guessed one. Keep the pranksters honest.
If someone technical is not on site most of the time, it might be a good idea to have the password in a sealed envelope taped to the bottom of the unit. This way someone else can step in and fix an issue if needed; this of course is not for the paranoid. Since these boxes are usually install-and-forget, it is not uncommon to forget the password after some time, and an envelope helps solve that issue as well.
It is very easy to sniff a basic authentication password from a web configuration interface unless SSL is used. Use an AP that supports HTTPS access, like the Linksys WRT54G. If existing hardware does not support HTTPS, be sure to configure it from a wired machine plugged into the LAN port instead of over the wireless network. The password can still be sniffed, but at least it is much harder.
In general, configuration should be allowed only from the LAN side of the router, and this applies to any access point. Fortunately this is the default for most units.
Someone will eventually come into every location with a virus-infected machine. It will try to infect everything it can see, and being prepared is all a network operator can do. Download a couple of different anti-virus programs from the net (almost every vendor has free trials) and have those ready to give to the unfortunate customer when one is found. In addition, have an information sheet about the network that warns the customer about using a public network when unprotected.
It is common for a popular spot to run out of DHCP leases unless the defaults have been changed. By default there are usually 50 leases on most APs, and the lease time is 3 days. It is safe to raise the setting to 200 leases and reduce the lease time to one or two hours. Clients will not be kicked off the network when the lease expires but instead will simply renew a lease with no noticeable impact.
Be aware that most cheap APs can't handle more than 30 or 40 clients at one time. If you need more than 30 concurrent users it is recommended to invest in an enterprise grade AP such as the Proxim AP-2000 for hundreds of dollars.
Some clients do not function well when given only one name server. Be sure at least two nameservers are listed in the DHCP configuration.
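The DHCP numbers above (a larger pool, a short lease, two resolvers) as a dnsmasq snippet, with a check that the pool actually fits in the subnet. This is an added example, not FreeNetworks' or any vendor's configuration; it assumes a Linux-based AP running dnsmasq (on a stock consumer AP the same values go into the web interface's DHCP page), and the addresses are constructed.

```shell
#!/bin/sh
# Emit dnsmasq DHCP settings for a public hotspot.
#   dhcp_pool <subnet prefix> <first host> <lease count> <lease time> <dns1> <dns2>
# Assumption: a /24 subnet, so hosts .1 to .254 are usable.
dhcp_pool() {
    prefix=$1; first=$2; count=$3; lease=$4; dns1=$5; dns2=$6
    last=$((first + count - 1))
    if [ "$last" -gt 254 ]; then
        echo "a pool of $count leases starting at .$first does not fit in $prefix.0/24" >&2
        return 1
    fi
    # Typical AP default is 50 leases for 3 days; a bigger pool with a
    # one- or two-hour lease stops a busy day from exhausting it.
    echo "dhcp-range=$prefix.$first,$prefix.$last,$lease"
    # Two resolvers, because some clients misbehave when given only one.
    echo "dhcp-option=option:dns-server,$dns1,$dns2"
    echo "dhcp-authoritative"
}

# Constructed example: 200 two-hour leases on 192.168.1.0/24
dhcp_pool 192.168.1 20 200 2h 192.0.2.53 198.51.100.53
```

Redirect the output into a file under /etc/dnsmasq.d/ (or wherever the firmware keeps its dnsmasq configuration) and restart dnsmasq.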
Blocking port 25, the SMTP port, will stop many spammers. It will unfortunately get in the way of many legitimate users too. If you have the ability to limit a user to one connection per minute or some other rate limiting, enable that. Otherwise, completely block port 25 to avoid the location being disconnected or blacklisted by ISPs. Users can fire up a VPN connection to work in order to send mail, or wait to send email when they are back on their home network. The user's home ISP might also support various types of SMTP authentication to allow users to send email from remote sites; that is an issue for the user to address with their ISP.
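Both options from the paragraph above (rate-limit outbound port 25 per client, or block it outright) as iptables rules for a Linux-based AP. This is an added example, not code from FreeNetworks or from any AP vendor; it assumes a kernel with the hashlimit match, that the firewall's FORWARD chain already accepts established traffic, and that the public clients sit behind an interface name such as wlan0 or br-lan. It prints the rules rather than applying them, so pipe the output to sh on the AP to install them.

```shell
#!/bin/sh
# smtp_rules <ratelimit|block> <lan_if>
# Only port 25 is touched; authenticated submission on 587/465 stays open, which
# is what a user whose home ISP supports SMTP authentication will use.
smtp_rules() {
    mode=$1; lan_if=$2
    case $mode in
        ratelimit|block) ;;
        *) echo "usage: smtp_rules ratelimit|block <lan_if>" >&2; return 1 ;;
    esac
    # Dedicated chain; only new (SYN) connections from the public side are sent there
    printf '%s\n' \
        "iptables -N PUB_SMTP" \
        "iptables -F PUB_SMTP" \
        "iptables -A FORWARD -i $lan_if -p tcp --dport 25 --syn -j PUB_SMTP"
    if [ "$mode" = ratelimit ]; then
        # One new SMTP connection per client address per minute, no burst:
        # enough for a mail client, useless for a spam engine
        printf '%s\n' \
            "iptables -A PUB_SMTP -m hashlimit --hashlimit-name pub_smtp --hashlimit-mode srcip --hashlimit-upto 1/min --hashlimit-burst 1 -j ACCEPT"
    fi
    # Whatever is left is denied. Log it (rate-limited so logs cannot be flooded)
    # so staff can see which client is pushing mail, and reset rather than drop so
    # the user's mail client fails fast instead of hanging.
    printf '%s\n' \
        "iptables -A PUB_SMTP -m limit --limit 6/min -j LOG --log-prefix \"pub-smtp-denied: \"" \
        "iptables -A PUB_SMTP -j REJECT --reject-with tcp-reset"
}

# Constructed example: rate-limit mode on a public interface named wlan0
smtp_rules ratelimit wlan0
```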
There are a few tips which can help get maximum coverage. Keeping the AP located in a central area and away from metal objects can work wonders for coverage. Central area means near where most of the users will be, not behind the big metal fridge. Keeping a distance from any microwave ovens, which also use 2.4 GHz, is another good idea. More tips can be found on the net, but the two mentioned above can often get you the biggest gain for no cost.
Frequency coordination is critical to being a good neighbor. Sniff about, with programs like Dstumbler (Linux/*BSD), Macstumbler (MacOS), Netstumbler (MS-Windoz) or Pocket Warrior (PocketPC) and see who is already there. Pick a channel that is furthest away from them. If they are on channel 1, go to channel 11. Use only channels 1, 6 or 11 for deployment due to channel spacing and overlap. If another AP is found operating on a channel other than 1, 6 or 11, talk to them about moving to one of these channels.
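The channel rule above, generalised to any set of neighbouring APs: of channels 1, 6 and 11, pick the one whose nearest neighbour is furthest away, and list the neighbours sitting off the 1/6/11 grid so you know whom to talk to. This is an added example, not a FreeNetworks tool; the neighbour channels are whatever the stumbler program reported, typed in by hand.

```shell
#!/bin/sh
# pick_channel <neighbour channels...>
# Returns the channel among 1, 6 and 11 that maximises the distance to the
# nearest neighbour; ties go to the lowest channel. With no neighbours it returns 1.
pick_channel() {
    best=1; best_dist=-1
    for cand in 1 6 11; do
        min_dist=100                     # stands in for "no neighbour at all"
        for n in "$@"; do
            d=$((cand - n))
            if [ "$d" -lt 0 ]; then d=$((0 - d)); fi
            if [ "$d" -lt "$min_dist" ]; then min_dist=$d; fi
        done
        if [ "$min_dist" -gt "$best_dist" ]; then
            best=$cand; best_dist=$min_dist
        fi
    done
    echo "$best"
}

# off_grid <neighbour channels...>
# Prints the neighbours not on 1, 6 or 11; those overlap two channels at once.
off_grid() {
    for n in "$@"; do
        case $n in 1|6|11) ;; *) echo "$n" ;; esac
    done
}

# Constructed survey: two APs on channel 1, one on 3, one on 11
echo "use channel $(pick_channel 1 1 3 11)"
echo "neighbours to talk to: $(off_grid 1 1 3 11 | tr '\n' ' ')"
```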
Using a meaningful SSID can be a help to users figuring out if the AP is OK to use, or who they can contact in case there are problems. One strategy is to use a URL, such as "www.toaster.net" and maybe tack on "-open" or "-public" to convey that the AP is OK to use. If the AP is sponsored by a business, the business name is also a good choice.
When a free public access point is installed there might be users who will want to abuse the gift. Having an acceptable use policy is the first step to addressing any issues. It gives staff at your location a guide to working with abusers, and it gives your users an idea of what behavior is acceptable.
Things in the AUP might be how long a customer is welcome to stay, if it is OK to plug into a power outlet, et cetera. Have this printed out so the staff can hand a piece of paper to the customer, or use a splash page to display this info when the user first accesses the network.
The AUP is also a good place to inform your users that unless they are using VPN software or have configured their mail clients to use encryption, their passwords are vulnerable.
Communicate in the AUP that a customer is welcome to use the network while enjoying your services. For example, a coffee shop might ask them to keep it short when no tables are free for other customers, or even to clear out quickly during peak times. Turnover is important, and so are steady customers. The appearance of many regular customers brings in new regular customers.
If you must, turning your AP off at peak times is an option. Not the best, but it is better than no free Internet access. For the most part customers will likely be happy to cooperate with the limits stated in the AUP to keep the service. If the business wants a system that controls access to a network with tickets, D-link has an AP and printer product that can be used.
Imagine if one user walks into the shop, opens a laptop and suddenly is taking 100% of the bandwidth to swap music on the net. At best it annoys the other customers, at worst the shop gets a letter from the RIAA. First start with making a statement in the AUP about not using peer-to-peer programs such as Kazaa or Gnutella. It may also be possible to limit the bandwidth used, but technology solutions at the present time are not available in sub-$100 routers unless you use special third-party firmware.
It may happen, and if it does it will be hard to control, as the hacker might be in a car outside. The best thing to do is find that person's MAC address and filter it in your router. Most routers support this. Of course the hacker could work around this quite easily, but hopefully they will go away instead. This is a difficult issue, and will be more about people skills than fighting some tech-savvy hacker.
First consider if this is a problem. If it is, blocking their MAC address as mentioned above or simply unplugging the access point after business hours might give them the hint.
I would like to thank the following kind people for helping with content and editing.
Tom Bridge, tom_bridge@mac.com, http://www.tombridge.com/
Eric Johanson
Eric "Elf" Kellog
Matt Peterson
Sean Lazar
Tim Pozar