Page 1

Safe & Secure Wireless Access for Patrons

David Bott, Manager, IT & Networks

St. Catharines Public Library

Session 1812, Saturday, February 4, 2006

10:40 – 11:55 am

Page 2

Outline of Issues

1. Security of Internal Network

2. Ease of Use for Patrons

3. Ease of Use for Staff

4. Ability to Charge a Fee

5. Management

6. Alternative Solutions

7. Other Issues

Page 3

1. Security

Access points are typically connected to the internal network:
– The patron would be behind your firewall with their own hardware
– Could intentionally or unintentionally infect the network with network-aware worms and viruses
– Could use freely available hacking tools to wreak havoc on your network
– Could possibly access network resources that you do not want them to (e.g. printers, servers, PCs)

Page 4

1. Security (cont)

Methods of protecting the WLAN from unauthorized access:
– Encryption keys (WEP or WPA)
– MAC address filtering
– Separate VLAN for WLAN
– Require login credentials (username/password)
– Physical isolation from corporate LAN (public wireless network is not connected to library network)

Page 5

1. Security (cont)

Physical isolation: our wireless network is connected outside the firewall to a separate DSL internet feed

Login credentials: patrons require a valid username and password before they can pass through the portal

Patrons can only access resources that they could from home (our website, catalogue and electronic resources)

No firewall or filtering issues (such as blocked ports, restricted content, etc.)

Page 6

1. Security (cont)

Some consideration must be given as to whether staff members require wireless access

A second, WPA-enabled network could be set up for staff members that is connected to your primary LAN (also using encryption, MAC filtering, etc. to restrict access)

Corporate firewall and filtering policies remain intact

Page 7

1. Security (cont)

Other options that would allow sharing of a single ISP feed include:
– VLAN: a virtual subnet that could be restricted to internet access only
  Shares the same physical wires and equipment, but the patron is restricted to only certain segments of the network
– DMZ / separate public IP address outside the firewall
  Install the WLAN in the DMZ to prevent patrons from accessing internal network resources

Page 8

1. Security (cont)

Smaller libraries could use the D-Link DSA-3100 as designed:
– Public and private gateway
– Private (library) network is not accessible from the public network
– Would work well in smaller environments, but may encounter issues with corporate firewalls and other network devices that would require some network re-configuration

Page 9

2. Ease-of-Use for Patrons

Wanted to restrict access to “authenticated” users

Wanted patrons to be able to connect automatically without staff intervention

Did not want to use WEP, WPA or other encryption methods, as it generally requires staff intervention (as well as regular key changing) and creates problems for patrons

Page 10

2. Ease-of-Use for Patrons (cont)

Patrons just turn on their laptop, select our ESSID for their AP and then open their browser

The “capture & release” technology redirects their browser to a login page

After logging in with valid username, patrons can access any internet site, as well as use any internet-enabled application (P2P, chat, iTunes, etc.)

Patrons can use select websites without purchasing a ticket

Page 11

Typical Topology

Page 12

Login Page

Page 13

Successful Login

Page 14

2. Ease-of-Use for Patrons (cont)

The capture & release (aka Captive Portal) technology redirects their browser to a login page

After successful login, patrons can surf and use whatever internet-enabled applications they want (e-mail, chat, P2P, etc.)

No firewall or port restrictions

Page 15

3. Ease-of-Use for Staff

Wanted staff to be able to generate “on-demand” user accounts

Did not want staff to have to monitor usage time or have to create new accounts

Patrons do not require a library card

Staff just have to press a button on the printer and a new user is automatically generated and the ticket is printed

Page 16

Thermal Ticket Printer

Page 17

Wireless Ticket

Page 18

4. Ability to Charge a Fee

Wanted the ability to charge patrons for access

Wanted customizable time limit, price and expiration

Currently tickets are $2.00 for 10 hours of access

Tickets expire after 30 days or 10 hours, whichever comes first

Page 19

4. Ability to Charge a Fee (cont)

Typically sell about 40 tickets per month

Typically just over 200 logins per month

Since March 1, 2005 we have recovered over $700

Access is available 24 hours per day

Patrons even use it when we are closed

Page 20

5. Management

System is managed through a web interface

Supports multiple methods of authentication:
– “On-demand”, RADIUS, POP3, LDAP, as well as staff and guest accounts

User bandwidth and access control

“Walled Garden”
– Patrons can access certain URLs without purchasing a ticket, such as our website and our catalogue
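As an added example (not part of the deck and not the D-Link gateway's own code), the ticket and walled-garden rules from the fee and management slides in working Python: a ticket is good for 10 hours of use or 30 days from issue, whichever comes first; library URLs are reachable without a ticket; and the credential check is case-sensitive, as the troubleshooting slide notes. The library website host is taken from the deck's download URL; the catalogue host is a placeholder.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import hmac

# Ticket terms from the deck: 10 hours of access, expiring 30 days after issue.
TICKET_HOURS = timedelta(hours=10)
TICKET_LIFETIME = timedelta(days=30)
# Walled garden: hosts reachable without a ticket (catalogue host is a placeholder).
WALLED_GARDEN = {"www.stcatharines.library.on.ca", "catalogue.library.example"}

@dataclass
class Ticket:
    username: str
    password: str
    issued: datetime
    used: timedelta = timedelta(0)            # time consumed in closed sessions
    session_start: Optional[datetime] = None  # set while the patron is logged in

    def check_login(self, user: str, pw: str, now: datetime) -> str:
        # Case-sensitive compare; compare_digest keeps the password check constant-time.
        if user != self.username or not hmac.compare_digest(pw.encode(), self.password.encode()):
            return "bad credentials"
        if now >= self.issued + TICKET_LIFETIME:
            return "expired: 30 days since issue"
        if self.used >= TICKET_HOURS:
            return "expired: 10 hours used"
        self.session_start = now
        return "ok"

    def logout(self, now: datetime) -> None:
        if self.session_start is not None:
            self.used += now - self.session_start
            self.session_start = None

    def remaining(self, now: datetime) -> timedelta:
        # Whichever runs out first: unused hours (counting the open session) or the 30-day window.
        in_session = now - self.session_start if self.session_start else timedelta(0)
        by_hours = TICKET_HOURS - self.used - in_session
        by_calendar = self.issued + TICKET_LIFETIME - now
        return max(min(by_hours, by_calendar), timedelta(0))

def gateway_decision(ticket: Optional[Ticket], now: datetime, dest_host: str) -> str:
    """What the portal does with one outbound web request from a patron."""
    if ticket is not None and ticket.session_start is not None and ticket.remaining(now) > timedelta(0):
        return "ALLOW"
    if dest_host in WALLED_GARDEN:
        return "ALLOW"               # free surfing area, no ticket needed
    return "REDIRECT to login page"  # capture & release
```

Once the open session has consumed the ticket's remaining hours, gateway_decision falls back to the redirect, which is the behaviour behind the "Time Remaining" pop-up on the troubleshooting slide.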

Page 21

On-demand User Configuration

Page 22

Free Surfing Area (“Walled Garden”)

Page 23

Traffic History

Page 24

Daily Log File

Page 25

6. Alternative Solutions

D-Link DSA-3200 (all-in-one, $700 USD)

D-Link DSA-5100 ($3500 USD)
– 400 concurrent users; 3100 & 3200 only support 50 concurrent users
– Can create multiple separate public WANs

PowerNOC HBS-4000
– Similar to D-Link solution ($800.00 USD for base)
– Integrates with credit card merchant account
– (http://www.powernoc.us/hotspot.html)

Page 26

6. Alternative Solutions (cont)

Many other solutions lacked the capability to create “on-demand” accounts, requiring staff intervention to create accounts

Some could not monitor time usage

Some were also much more expensive ($15,000+ US)

Page 27

6. Alternative Solutions (cont)

There are free and open source solutions:
– Linspot (http://www.linspot.com/)
– Ewrt: Enhanced WRT Linux Distribution for Linksys WRT54G Routers (http://www.portless.net/menu/ewrt/)
– OpenWRT (http://www.openwrt.org/)
– NoCat (http://www.nocat.net)

Lacked many of the features I was looking for

Page 28

6. Alternative Solutions (cont)

“Commission-based” services:
– Boingo’s Hot-Spot-in-a-Box (http://www.boingo.com)
– Pronto’s WISP-in-a-box (http://www.prontonetworks.com)

Quick and easy to set up, although pricing for the service is fairly expensive
– H-S-I-B only requires a Linksys router with updated firmware
– $9.95 per day for service ($1.00 commission); $21.95 for unlimited monthly access ($50.00 commission)
– 25,000 service points world-wide

Page 29

6. Alternative Solutions (cont)

Pronto’s WISP-in-a-Box
– $799 US for Pronto controller
– Brandable web portal
– Customizable pricing:
  Minimum $3.00 hourly rate
  Minimum $6.00 daily rate
  Minimum $12.00 monthly rate
  Keep 75% of rate
– Works with Boingo service if desired

Page 30

7. Other Issues

Problems connecting to WLAN
– Overall, very few problems for patrons
  Login problems: case-sensitive usernames & passwords
  Signal strength: move closer to AP
  Connection problems: release & renew IP address
  Time Remaining & Logout problems: turn off “pop-up” blocker
  Expired tickets (generic error message)
– I have added an 8-port switch for patrons to connect non-wireless devices to (or for patrons that are having wireless connectivity problems)

Page 31

7. Other Issues (cont)

Printing
– At present patrons cannot print to public network printers
– Currently looking for a way to add a printer to the public wireless network that can be managed and controlled by staff as an additional revenue source
– Considering connecting a dedicated computer & printer to the public WLAN

Page 32

Equipment List

D-Link DSA-3100 Public/Private Gateway ($600)
D-Link DSA-3100P Thermal Printer ($500)
D-Link DWL-2100 AP Access Points (3 x $135)
D-Link DSS-8+ 8-Port 10/100 Switch (2 x $45)
D-Link DWI-614+ DSL Router ($75)
Total $1670.00

Page 33

D-Link DSA-3100

Page 34

Final Thoughts

D-Link is a good solution for small to medium-sized libraries

Easy to set up

Easy to manage

Relatively inexpensive

Page 35

Questions?

Contact me:
– David Bott
– [email protected]
– 905-688-6103 x212

Download this presentation at: http://www.stcatharines.library.on.ca/content/ola2006