pragmatic firewall settings for hotspot


rensinger
10-25-2005, 09:38 AM
I'm working on a public hotspot project, all is moving along nicely and I'm in "security lockdown" phase.

I've used public hotspots before that only allow traffic on port 80, and have found this frustrating (I need VPN for example).

I wish to lock this hotspot down without eliminating ports that allow people to do real business. Does anyone have a pragmatic guideline for what ports should be enabled for "fair use" public hotspots?

here's what I'm planning so far:
80 - http
110 - pop3
1723 - PPTP (VPN)

What else? I don't use IM, do IM clients need open ports? Any advice would be appreciated. Thanks!

golfnut
10-27-2005, 11:01 AM
Your hotspot gateway will pass VPN and IM traffic.

Are you planning on adding a router to block certain ports?

A fair use policy is good but there are certain things you just can't block like P2P applications for downloading music, movies, etc. It's smart enough to port scan and will drain your bandwidth.

Viruses and spyware programs have also become very sophisticated simply using port 80. It's amazing what can get loaded on your PC from visiting popular web sites.

If you're concerned about visitors' privacy, use a VPN service for all web traffic like hotspotvpn.com.

Greg

M/Q
10-27-2005, 11:17 AM
You are also setting yourself up to be frustrated. Indeed, port 1723 is the default port, but many others are used as well. Most good sysadmins move off of the commonly known ports. So, you will have a hard time pleasing everyone.

golfnut
10-27-2005, 01:44 PM
Good point M/Q...

I know a few IT guys that spend a good majority of their time on port/virus issues on private company networks and it's a never ending challenge.

Considering this is a hotspot, it might not be worth the effort.

Greg

rensinger
11-08-2005, 11:46 AM
Hi all. I just wanted to post an update to this thread in case anyone in the future is searching for "pragmatic" settings.

Here are the open ports that have been implemented in this hotspot solution. All other outbound and inbound ports are being blocked.

HTTP: 80
HTTPS: 443
POP: 110
iChat: 5190,5220,5222
AIM: 5190
ICQ: 5190
Apple Remote Desktop: 3283
Windows Remote Desktop: 3389
PPTP: 1723
SSH: 22

The project is for a restaurant/bar & I've provided the manager with forms and a process for any bugs or enhancements requests. We've been up and running under these settings for a couple weeks now with around 10 users per day (not a real "hot" hotspot ;P) and we've had no problems or complaints.

M/Q
11-08-2005, 12:07 PM
I would be curious to know how many if any are using the other than normal ports.

I have not seen that many users actually start tunnels, and most technically current businesses are converting to SSL VPNs, which also makes it easier for a hot spot owner.

va_crx
11-10-2005, 03:53 AM
Rensinger:

I will be setting up a hot spot for a restaurant my son just purchased. Free internet access but we would like some control like a daily password that's given to customers. Is this how you set yours up?

What level of security did you use if any?

How do you keep them off the local pc network?

Thanks in advance, Brendan

rensinger
11-15-2005, 12:51 PM
Hi M/Q. True, I suspect ports 80 & 443 are good enough for 90% of the hotspot users, but I've been frustrated when I've gone to http(s)-only coffee shops and found I couldn't VPN in (we're PPTP) so hey, don't cost nuthin. I thought I'd provide something a little more for those whose window to the virtual world is more than a web browser.

Brendan, I would highly recommend the D-Link DSA-3100.

The forums here at Wi-Fi Planet have been a fantastic resource during this install. Check out the product specs from D-Link, reviews from google, and of course the "real world" experiences here in the Wi-Fi Planet forums. Pay attention to the post dates on forum threads. There are some rough stories in here from this product's early days, but the product has been on the market for close to 3 years now, is in "revision B" and its last firmware update was 2004. With no 2005 forum noise on this, I took a gamble on it being "baked". I found it to be mature, stable and an "as advertised" piece.

Setup:
We played with the idea of daily passwords (the DSA-3100 has an optional ticket printer that can generate these on the fly) but ended up with an open system. This was also easiest to set up and didn't require any technical knowledge out of the staff (big plus!). When the user brings up a browser, the DSA-3100 intercepts them and presents them with a login page that contains an End User Service Agreement. The user clicks the accept button and they're authenticated. All traffic is logged in case of legal trouble down the road; it emails its log out to a dedicated mailbox right after it shuts down wireless access for the night.

The DSA-3100 allows you to upload your "branded" login pages, giving your establishment a polished look while masquerading the hardware (keeps honest people honest). Sample pages and more can be found in the FAQ for the 3100 from D-Link's support site. Once authenticated it takes them automatically to any webpage you wish, so we have a non linked page on the website as a "wireless welcome" with tailored content and messaging.

Security:
The big selling point for me on the DSA-3100 is its ability to separate private and public LANs on the same WAN. This allows the hotspot to share the restaurant's business class broadband connection & keep the point of sale system & office computers secure. If bandwidth becomes an issue, the DSA-3100 has the ability to throttle bandwidth limits per user, plus you can always add a dedicated broadband connection at a later date. The firewall allows control over inbound as well as outbound ports. I locked the public sandbox per the port list above. Nothing more in or out is available to the users on the public LAN. For the Private LAN, I did a more standard inbound filter with outbound ports open.

Coverage:
I have the DSA-3100 controlling the show with a pair of D-Link DWL-2100 Access Points providing the wireless access. This is a restaurant/sports bar in a converted industrial space. Tons of TVs, concrete and steel. I was shocked by how this ate up signal, so I had to do a couple antenna upgrades (ANT24-0700 on the master, ANT24-0400 on the repeater) to get the whole place glowing green.

Like any project it was more work than expected (I'm doing this as a favor), but in the end I've had fun! I hate to sound like such a D-Link marketing wonk, but their gear made this easy peasy. Best of luck in your endeavour.
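Added example, not from the thread or from D-Link's DSA-3100 firmware: a shell script that renders rensinger's final port list (the 11-08-2005 post) and the public/private LAN split from the "Security" section as a default-deny iptables forwarding policy. Interface names and subnets are assumptions; the script also adds the two things the port list leaves implicit but the listed services depend on, DNS (UDP 53) and PPTP's GRE transport.

```shell
#!/bin/sh
# Added example (not the thread's or the DSA-3100's configuration): the
# "pragmatic" hotspot port list as a default-deny forwarding policy.
# Interface names and subnets below are assumptions for illustration.
PUBLIC_IF="eth1"               # assumed: hotspot (public LAN) interface
PRIVATE_IF="eth2"              # assumed: POS / office (private LAN) interface
PUBLIC_NET="10.20.0.0/24"      # assumed: public LAN addresses
PRIVATE_NET="192.168.10.0/24"  # assumed: private LAN addresses

# TCP destination ports rensinger ended up allowing for public users:
# HTTP, HTTPS, POP3, iChat/AIM/ICQ, Apple Remote Desktop, RDP, PPTP, SSH.
ALLOWED_TCP="80 443 110 5190 5220 5222 3283 3389 1723 22"

# Does the policy allow a new TCP connection to port $1?  0 = yes, 1 = no.
port_allowed() {
    for p in $ALLOWED_TCP; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# Print (do not apply) the iptables rules implementing the policy.
gen_rules() {
    pub="-i $PUBLIC_IF -s $PUBLIC_NET"
    echo "iptables -P FORWARD DROP"
    # Replies to connections already accepted below, in either direction.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Public clients never reach the private LAN, whatever the port.
    echo "iptables -A FORWARD $pub -d $PRIVATE_NET -j DROP"
    # Private LAN: outbound open, as in the thread; inbound falls to the DROP policy.
    echo "iptables -A FORWARD -i $PRIVATE_IF -j ACCEPT"
    # DNS is not on the thread's list, but nothing on it works without name resolution.
    echo "iptables -A FORWARD $pub -p udp --dport 53 -j ACCEPT"
    for p in $ALLOWED_TCP; do
        echo "iptables -A FORWARD $pub -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # PPTP uses TCP 1723 only for control; the tunnel itself is GRE (IP protocol 47).
    echo "iptables -A FORWARD $pub -p gre -j ACCEPT"
    # Log, then drop, everything else the public side tries.
    echo "iptables -A FORWARD $pub -j LOG --log-prefix 'hotspot-drop: '"
    echo "iptables -A FORWARD $pub -j DROP"
}

# Number of ACCEPT rules emitted: a sanity check against the port list.
accept_count() {
    gen_rules | grep -c -- '-j ACCEPT'
}

if [ "${1:-}" = "print" ]; then gen_rules; fi
```

Run with `print` to review the rule set before piping it through `sh` on the gateway; the `hotspot-drop:` log prefix makes blocked attempts easy to spot when users report that something "doesn't work".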