4 Ways to Safeguard your Guest Network

By Alan Ni, Director of Smart Spaces & IoT
Share Post

If your guest network purely uses a shared key or an open SSID, you can forget about security. Anyone can connect when they want, and you have no record or way to enforce restrictions.

Screen Shot 2014-07-20 at 11.13.00 PM.png

Don't be left in the cold with a false security blanket.  Consider implementing the following strategies so your guest network isn't an easy target.

  • Prevent man-in-the-middle attacks - One of the biggest security threats to open SSID guest networks is a man-in-the-middle attack. Since open Wi-Fi networks aren't encrypted, it's easy for an attacker to impersonate your SSID and intercept your guest's traffic. These honeypots open your network and guests to endpoint attacks, data leakage and denial-of-service attacks.  To prevent this, pick a unique SSID name and confirm that your WLAN has an intrusion detection system (IDS) that scans for SSIDs that impersonate your own. A unique SSID ensures that rogue devices are easily detected.  Be sure that you have procedures in place to respond to alerts.
  • Disable peer-to-peer communications - Guest networks are usually intended for external internet connectivity.  Disable peer-to-peer communications on your network to prevent hackers from attacking other guest network users. Ensure that all guest traffic is properly isolated from any corporate traffic.
  • Buy a SSL certificate - Don't be a cheapskate!  Guest login portals with default certificates generate browser "security exceptions" that reduce user confidence.  Purchase a SSL certificate through a well-respected digital certificate provider.  And don't forget to renew them when they expire.
  • Move employees off the guest network - Full-time network users deserve stronger protection.  These individuals should avoid the guest network altogether and utilize SSIDs with 802.1x/WPA2 security.  Solutions such as ClearPass Onboard make it easy to automate device provisioning for secure certificate based 802.1x network access.Screen Shot 2014-07-20 at 11.13.12 PM.png


Surely, there are many other techniques that can further safeguard your guest network.  Each will likely alter the classic usability vs. security equation. Start by implementing these user-friendly suggestions and materially increase your security posture.  Regardless of what you do, there's no such thing as a hacker-proof guest network.  But that's what click to accept terms and conditions are for!

Check out our Next Generation Guest Access for #GenMobile guide for more security best practices.