Safe & Secure Wireless Access for Patrons
David Bott, Manager, IT & Networks
St. Catharines Public Library
Session 1812, Saturday, February 4, 2006
10:40 – 11:55 am
Outline of Issues
1. Security of Internal Network
2. Ease of Use for Patrons
3. Ease of Use for Staff
4. Ability to Charge a Fee
5. Management
6. Alternative Solutions
7. Other Issues
1. Security
Access points are typically connected to the internal network:
– The patron would be behind your firewall with their own hardware
– Could intentionally or unintentionally infect the network with network-aware worms and viruses
– Could use freely available hacking tools to wreak havoc on your network
– Could possibly access network resources that you do not want them to (e.g. printers, servers, PCs)
1. Security (cont)
Methods of protecting the WLAN from unauthorized access:
– Encryption keys (WEP or WPA)
– MAC address filtering
– Separate VLAN for WLAN
– Require login credentials (username/password)
– Physical isolation from corporate LAN (public wireless network is not connected to library network)
1. Security (cont)
Physical isolation: our wireless network is connected outside of firewall to a separate DSL internet feed
Login Credentials: Patrons require valid username and password before they can pass through portal
Patrons can only access resources that they could from home (our website, catalogue and electronic resources)
No firewall or filtering issues (such as blocked ports, restricted content, etc.)
1. Security (cont)
Some consideration must be given as to whether staff members require wireless access
A 2nd WPA-enabled network could be set up for staff members that is connected to your primary LAN (as well as utilizing encryption, MAC filtering, etc. to restrict access)
Corporate firewall and filtering policies remain intact
1. Security (cont)
Other options that would allow sharing of a single ISP feed would include:
– VLAN, a virtual subnet that could be restricted to internet access only
  Shares the same physical wires and equipment, but the patron is restricted to only certain segments of the network
– DMZ / separate public IP address outside the firewall
  Install the WLAN in the DMZ to prevent patrons from accessing internal network resources
1. Security (cont)
Smaller libraries could use the D-Link DSA-3100 as designed:
– Public and private gateway
– Private (library) network is not accessible by the public network
– Would work well in smaller environments, but may encounter issues with corporate firewalls and other network devices that would require some network re-configuration
2. Ease-of-Use for Patrons
Wanted to restrict access to “authenticated” users
Wanted patrons to be able to connect automatically without staff intervention
Did not want to use WEP, WPA or other encryption methods, as it generally requires staff intervention (as well as regular key changing) and creates problems for patrons
2. Ease-of-Use for Patrons (cont)
Patrons just turn on their laptop, select our ESSID for their AP and then open their browser
The “capture & release” technology redirects their browser to a login page
After logging in with valid username, patrons can access any internet site, as well as use any internet-enabled application (P2P, chat, iTunes, etc.)
Patrons can use select websites without purchasing a ticket
Typical Topology
Login Page
Successful Login
2. Ease-of-Use for Patrons (cont)
The capture & release (aka Captive Portal) technology redirects their browser to a login page
After successful login, patrons can surf and use whatever internet-enabled applications they want (e-mail, chat, P2P, etc.)
No firewall or port restrictions
3. Ease-of-Use for Staff
Wanted staff to be able to generate “on-demand” user accounts
Did not want staff to have to monitor usage time or have to create new accounts
Patrons do not require a library card
Staff just have to press a button on the printer and a new user is automatically generated and the ticket is printed
Thermal Ticket Printer
Wireless Ticket
4. Ability to Charge a Fee
Wanted the ability to charge patrons for access
Wanted customizable time limit, price and expiration
Currently tickets are $2.00 for 10 hours of access
Tickets expire after 30 days or 10 hours, whichever comes first
4. Ability to Charge a Fee (cont)
Typically sell about 40 tickets per month
Typically just over 200 logins per month
Since March 1, 2005 we have recovered over $700
Access is available 24 hours per day
Patrons even use it when we are closed
5. Management
System is managed through a web interface
Supports multiple methods of authentication:
– “On-demand”, RADIUS, POP3, LDAP, as well as staff and guest accounts
User bandwidth and access control
“Walled Garden”
– Patrons can access certain URLs without purchasing a ticket, such as our website and our catalogue
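As an added example (not from the presentation or from D-Link), the ticket and walled-garden rules described on these slides modelled in Python: a ticket is good for 10 hours of use or 30 days from sale, whichever runs out first, and requests to the library website or catalogue pass without a ticket. The catalogue hostname, ticket codes and timestamps are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Ticket rules from the slides: 10 hours of access, valid for 30 days from
# purchase, whichever limit is reached first.
TICKET_HOURS = timedelta(hours=10)
TICKET_LIFETIME = timedelta(days=30)
# Walled garden: hosts reachable without a ticket. Catalogue host is a placeholder.
WALLED_GARDEN = {"www.stcatharines.library.on.ca", "catalogue.example.invalid"}

@dataclass
class Ticket:
    code: str                        # code printed on the thermal ticket (constructed)
    issued: datetime                 # time of sale
    used: timedelta = timedelta(0)   # access time consumed so far
    def remaining(self, now: datetime) -> timedelta:
        """Smaller of the unused hours and the time left before the 30-day expiry."""
        by_usage = TICKET_HOURS - self.used
        by_calendar = (self.issued + TICKET_LIFETIME) - now
        return max(min(by_usage, by_calendar), timedelta(0))

def portal_decision(url: str, ticket: "Ticket | None", now: datetime) -> str:
    """Gateway verdict for one request: 'allow', 'login' (redirect) or 'expired'."""
    if (urlparse(url).hostname or "") in WALLED_GARDEN:
        return "allow"      # free surfing area, no ticket needed
    if ticket is None:
        return "login"      # capture & release: redirect the browser to the login page
    if ticket.remaining(now) <= timedelta(0):
        return "expired"    # the generic expired-ticket error mentioned on the slides
    return "allow"

def record_session(ticket: Ticket, start: datetime, end: datetime) -> timedelta:
    """Charge a login session against the ticket; returns the time actually granted."""
    granted = min(end - start, ticket.remaining(start))
    ticket.used += granted
    return granted

def demo() -> dict:
    # Constructed scenario: one ticket used over two sessions, another left for 31 days.
    sold, site = datetime(2005, 3, 1, 10, 0), "http://example.com/"
    t = Ticket("T-0001", sold)
    out = {"no_ticket": portal_decision(site, None, sold),
           "garden": portal_decision("http://www.stcatharines.library.on.ca/", None, sold)}
    record_session(t, sold, sold + timedelta(hours=6))   # 6 of the 10 hours consumed
    day2 = sold + timedelta(days=1)
    out["mid"] = portal_decision(site, t, day2)
    out["second_session_hours"] = record_session(t, day2, day2 + timedelta(hours=6)) / timedelta(hours=1)
    out["after_hours_gone"] = portal_decision(site, t, sold + timedelta(days=2))
    out["after_30_days"] = portal_decision(site, Ticket("T-0002", sold), sold + timedelta(days=31))
    return out
```

The second session asks for 6 hours but is cut off after the remaining 4, and the untouched second ticket is rejected at day 31 even though none of its hours were used.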
On-demand User Configuration
Free Surfing Area (“Walled Garden”)
Traffic History
Daily Log File
6. Alternative Solutions
D-Link DSA-3200 (All-in-one, $700 USD)
D-Link DSA-5100 ($3500 USD)
– 400 concurrent users; 3100 & 3200 only support 50 concurrent users
– Can create multiple separate public WANs
PowerNOC HBS-4000
– Similar to D-Link solution ($800.00 USD for base)
– Integrates with credit card merchant account
– (http://www.powernoc.us/hotspot.html)
6. Alternative Solutions (cont)
Many other solutions lacked the capability to create “on-demand” accounts, requiring staff intervention to create accounts
Some could not monitor time usage
Some were also much more expensive ($15,000+ US)
6. Alternative Solutions (cont)
There are free and open source solutions:
– Linspot (http://www.linspot.com/)
– Ewrt: Enhanced WRT Linux Distribution for Linksys WRT54G Routers (http://www.portless.net/menu/ewrt/)
– OpenWRT (http://www.openwrt.org/)
– NoCat (http://www.nocat.net)
Lacked many of the features I was looking for
6. Alternative Solutions (cont)
“Commission-based” services:
– Boingo’s Hot-Spot-in-a-Box (http://www.boingo.com)
– Pronto’s WISP-in-a-box (http://www.prontonetworks.com)
Quick and easy to set up, although pricing for the service is fairly expensive
– H-S-I-B only requires a Linksys router with updated firmware
– $9.95 per day for service ($1.00 commission); $21.95 for unlimited monthly access ($50.00 commission)
– 25,000 service points world-wide
6. Alternative Solutions (cont)
Pronto’s WISP-in-a-Box
– $799 US for Pronto controller
– Brandable web portal
– Customizable pricing:
  Minimum $3.00 hourly rate
  Minimum $6.00 daily rate
  Minimum $12.00 monthly rate
  Keep 75% of rate
– Works with Boingo service if desired
7. Other Issues
Problems connecting to WLAN
– Overall, very few problems for patrons
  Login problems: case-sensitive usernames & passwords
  Signal strength: move closer to the AP
  Connection problems: release & renew IP address
  Time Remaining & Logout problems: turn off “pop-up” blocker
  Expired tickets (generic error message)
– I have added an 8-port switch for patrons to connect non-wireless devices to (or for patrons that are having wireless connectivity problems)
7. Other Issues (cont)
Printing
– At present patrons cannot print to public network printers
– Currently looking for a way to add a printer to the public wireless network that can be managed and controlled by staff as an additional revenue source
– Considering connecting a dedicated computer & printer to the public WLAN
Equipment List
D-Link DSA-3100 Public/Private Gateway ($600)
D-Link DSA-3100P Thermal Printer ($500)
D-Link DWL-2100 AP Access Points (3 x $135)
D-Link DSS-8+ 8-Port 10/100 Switch (2 x $45)
D-Link DWI-614+ DSL Router ($75)
Total $1670.00
D-Link DSA-3100
Final Thoughts
D-Link is a good solution for small to medium-sized libraries
Easy to set up
Easy to manage
Relatively inexpensive
Questions?
Contact me:
– David Bott
– [email protected]
– 905-688-6103 x212
Download this presentation at: http://www.stcatharines.library.on.ca/content/ola2006