Safe - PowerPoint PPT Presentation

About This Presentation
Title:

Safe

Slides: 36
Provided by: david1077

Transcript and Presenter's Notes

Title: Safe


1
Safe Secure Wireless Access for Patrons
Session 1812, Saturday, February 4, 2006, 10:40 to 11:55 am
  • David Bott
  • Manager, IT Networks
  • St. Catharines Public Library

2
Outline of Issues
  • Security of Internal Network
  • Ease of Use for Patrons
  • Ease of Use for Staff
  • Ability to Charge a Fee
  • Management
  • Alternative Solutions
  • Other Issues

3
1. Security
  • Access points are typically connected to internal
    network
  • The patron would be behind your firewall with
    their own hardware
  • Could intentionally or unintentionally infect
    network with network-aware worms and viruses
  • Could use freely available hacking tools to wreak
    havoc on your network
  • Could possibly access network resources that you
    do not want them to reach (e.g. printers, servers, PCs)

4
1. Security (cont)
  • Methods of protecting the WLAN from unauthorized
    access:
  • Encryption Keys (WEP or WPA)
  • MAC address filtering
  • Separate VLAN for WLAN
  • Require Login credentials (username/password)
  • Physical isolation from corporate LAN (public
    wireless network is not connected to library
    network)

5
1. Security (cont)
  • Physical isolation: our wireless network is
    connected outside of the firewall to a separate DSL
    internet feed
  • Login credentials: patrons require a valid username
    and password before they can pass through the portal
  • Patrons can only access resources that they could
    from home (our website, catalogue and electronic
    resources)
  • No firewall or filtering issues (such as blocked
    ports, restricted content, etc.)

6
1. Security (cont)
  • Some consideration must be given as to whether
    staff members require wireless access
  • A second WPA-enabled network could be set up for
    staff members that is connected to your primary
    LAN (as well as utilizing encryption, MAC
    filtering, etc. to restrict access)
  • Corporate firewall and filtering policies remain
    intact

7
1. Security (cont)
  • Other options that would allow sharing of a single
    ISP feed include:
  • VLAN: a virtual subnet that can be restricted
    to internet access only
  • Shares the same physical wires and equipment, but
    the patron is restricted to only certain segments of
    the network
  • DMZ / separate public IP address outside the firewall:
  • Install the WLAN in the DMZ to prevent patrons from
    accessing internal network resources

8
1. Security (cont)
  • Smaller libraries could use the D-Link DSA-3100 as
    designed:
  • Public and private gateway
  • Private (library) network is not accessible by
    public network
  • Would work well in smaller environments, but may
    encounter issues with corporate firewalls and
    other network devices that would require some
    network re-configuration

9
2. Ease-of-Use for Patrons
  • Wanted to restrict access to authenticated
    users
  • Wanted patrons to be able to connect
    automatically without staff intervention
  • Did not want to use WEP, WPA or other encryption
    methods, as it generally requires staff
    intervention (as well as regular key changing)
    and creates problems for patrons

10
2. Ease-of-Use for Patrons (cont)
  • Patrons just turn on their laptop, select our
    ESSID for their AP and then open their browser
  • The capture release technology redirects
    their browser to a login page
  • After logging in with valid username, patrons can
    access any internet site, as well as use any
    internet-enabled application (P2P, chat, iTunes,
    etc.)
  • Patrons can use select websites without
    purchasing a ticket

11
Typical Topology
12
Login Page
13
Successful Login
14
2. Ease-of-Use for Patrons (cont)
  • The capture release (aka Captive Portal)
    technology redirects their browser to a login
    page
  • After successful login, patrons can surf and use
    whatever internet-enabled applications they want
    (e-mail, chat, P2P, etc.)
  • No firewall or port restrictions

15
3. Ease-of-Use for Staff
  • Wanted staff to be able to generate on-demand
    user accounts
  • Did not want staff to have to monitor usage time
    or have to create new accounts
  • Patrons do not require a library card
  • Staff just have to press a button on the printer
    and a new user is automatically generated and the
    ticket is printed

16
Thermal Ticket Printer
17
Wireless Ticket
18
4. Ability to Charge a Fee
  • Wanted the ability to charge patrons for access
  • Wanted customizable time limit, price and
    expiration
  • Currently tickets are $2.00 for 10 hours of
    access
  • Tickets expire after 30 days or 10 hours,
    whichever comes first

19
4. Ability to Charge a Fee (cont)
  • Typically sell about 40 tickets per month
  • Typically just over 200 logins per month
  • Since March 1, 2005 we have recovered over $700
  • Access is available 24 hours per day
  • Patrons even use it when we are closed

20
5. Management
  • System is managed through web interface
  • Supports multiple methods of authentication
  • On-demand, RADIUS, POP3, LDAP, as well as staff
    and guest accounts
  • User bandwidth and access control
  • Walled Garden:
  • Patrons can access certain URLs without
    purchasing a ticket, such as our website and
    our catalogue
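
The ticket rules from slide 18 (10 hours of access or 30 days, whichever comes first) and the walled-garden and login behaviour from slides 14 and 20, as an added Python model of the gateway's decisions; this is not the DSA-3100's code or anything from the presentation. The walled-garden hostnames, the username/password format and counting the 30 days from the time the ticket is printed are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Policy from the slides: a ticket buys 10 hours of access and expires 30 days
# after issue, whichever comes first (assumed: the 30 days count from printing).
QUOTA, LIFETIME = timedelta(hours=10), timedelta(days=30)
HOUR, DAY = timedelta(hours=1), timedelta(days=1)
T0 = datetime(2006, 2, 4, 10, 40)  # constructed clock origin (session date on slide 1)
# Walled garden: hosts reachable with no ticket at all (hostnames are assumptions).
WALLED_GARDEN = {"www.stcatharines.library.on.ca", "catalogue.stcatharines.library.on.ca"}

@dataclass
class Ticket:
    username: str                   # both printed on the thermal ticket; the
    password: str                   # password is matched case-sensitively
    issued: datetime
    used: timedelta = timedelta(0)  # access time already consumed
    session_start: datetime = None  # set while a client is logged in on it

class Portal:
    def __init__(self, tickets):
        self.tickets = {t.username: t for t in tickets}
        self.sessions = {}          # client MAC -> ticket currently in use

    def remaining(self, t, now):
        # Charge the running session to the ticket, then apply both limits.
        if t.session_start is not None:
            t.used, t.session_start = t.used + (now - t.session_start), now
        return max(min(QUOTA - t.used, t.issued + LIFETIME - now), timedelta(0))

    def login(self, mac, username, password, now):
        t = self.tickets.get(username)
        if t is None or t.password != password:
            return "bad credentials"
        if self.remaining(t, now) <= timedelta(0):
            return "ticket expired"     # quota used up or 30 days passed
        t.session_start = now
        self.sessions[mac] = t
        return "ok"

    def request(self, mac, host, now):
        # What the gateway does with an HTTP request from a wireless client.
        if host in WALLED_GARDEN:
            return "allow"              # free surfing area, no ticket needed
        t = self.sessions.get(mac)
        if t is None or self.remaining(t, now) <= timedelta(0):
            self.sessions.pop(mac, None)  # drop an exhausted session, if any
            return "redirect to login page"
        return "allow"
```

Both limits are clamped at zero, so a ticket whose 10 hours run out mid-session is cut off at the next request, and a printed ticket left unused for a month is refused at login.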

21
On-demand User Configuration
22
Free Surfing Area (Walled Garden)
23
Traffic History
24
Daily Log File
25
6. Alternative Solutions
  • D-Link DSA-3200 (all-in-one, $700 USD)
  • D-Link DSA-5100 ($3500 USD):
  • 400 concurrent users (the 3100 and 3200 only support 50
    concurrent users)
  • Can create multiple separate public WANs
  • PowerNOC HBS-4000:
  • Similar to the D-Link solution ($800.00 USD for base)
  • Integrates with a credit card merchant account
  • (http://www.powernoc.us/hotspot.html)

26
6. Alternative Solutions (cont)
  • Many other solutions lacked the capability to
    create on-demand accounts, requiring staff
    intervention to create accounts
  • Some could not monitor time usage
  • Some were also much more expensive ($15,000 US)

27
6. Alternative Solutions (cont)
  • There are free and open source solutions
  • Linspot (http://www.linspot.com/)
  • Ewrt: Enhanced WRT Linux distribution for Linksys
    WRT54G routers (http://www.portless.net/menu/ewrt/)
  • OpenWRT (http://www.openwrt.org/)
  • NoCat (http://www.nocat.net)
  • Lacked many of the features I was looking for

28
6. Alternative Solutions (cont)
  • Commission-based services:
  • Boingo's Hot-Spot-in-a-Box (http://www.boingo.com)
  • Pronto's WISP-in-a-Box (http://www.prontonetworks.com)
  • Quick and easy to set up, although pricing for the
    service is fairly expensive
  • H-S-I-B only requires a Linksys router with updated
    firmware
  • $9.95 per day for service (1.00 commission);
    $21.95 for unlimited monthly access (50.00
    commission)
  • 25,000 service points world-wide

29
6. Alternative Solutions (cont)
  • Pronto's WISP-in-a-Box:
  • $799 US for the Pronto controller
  • Brandable web portal
  • Customizable pricing
  • Minimum $3.00 hourly rate
  • Minimum $6.00 daily rate
  • Minimum $12.00 monthly rate
  • Keep 75% of the rate
  • Works with Boingo service if desired

30
7. Other Issues
  • Problems connecting to the WLAN:
  • Overall, very few problems for patrons
  • Login problems: case-sensitive usernames and
    passwords
  • Signal strength: move closer to the AP
  • Connection problems: release and renew the IP address
  • Time Remaining / Logout problems: turn off the
    pop-up blocker
  • Expired tickets (generic error message)
  • I have added an 8-port switch for patrons to
    connect non-wireless devices to (or for patrons
    that are having wireless connectivity problems)

31
7. Other Issues (cont)
  • Printing:
  • At present patrons cannot print to public network
    printers
  • Currently looking for a way to add a printer to the
    public wireless network that can be managed and
    controlled by staff as an additional revenue source
  • Considering connecting a dedicated computer
    printer to public WLAN

32
Equipment List
  • D-Link DSA-3100 Public/Private Gateway ($600)
  • D-Link DSA-3100P Thermal Printer ($500)
  • D-Link DWL-2100 AP Access Points (3 x $135)
  • D-Link DSS-8 8-Port 10/100 Switch (2 x $45)
  • D-Link DWI-614 DSL Router ($75)
  • Total $1670.00

33
D-Link DSA-3100
34
Final Thoughts
  • D-Link is a good solution for small to
    medium-sized libraries
  • Easy to setup
  • Easy to manage
  • Relatively inexpensive

35
Questions?
  • Contact me:
  • David Bott
  • dbott_at_stcatharines.library.on.ca
  • 905-688-6103 x212
  • Download this presentation at
    http://www.stcatharines.library.on.ca/content/ola2006