Client isolation in WiFi hotspot setups
  1. #1 (joined Sep 2003, 13 posts)

    Hi all!

    There is a commonly preferred setup for use with public wireless networks like WiFi hotspots where the AP clients are "isolated" and not able to communicate with each other. This is usually done as a security measure to stop users encroaching on other users' data spaces.

    But there are situations where it is desirable for users who know each other to have access to each other's data spaces at a hotspot. For example, a businessman who is meeting his business partner at the airport may want to move a file from his laptop's "meeting folder" to the partner's laptop's "meeting folder". Similarly, two "kids" may want to use their WiFi-equipped handheld games consoles or laptops to "verse" each other on a two-player two-machine game over a burger, fries 'n' Coke. Other situations also include transfer of data between laptops and WiFi-equipped devices like a lot of the newer digital cameras or the Microsoft Zune.

    One issue that may have to be looked at with regard to this security measure is a way for two or more devices to work together as a secure "cluster" in the same public WiFi hotspot while assuring a sense of security for other hotspot users.

    It shouldn't affect whether the hotspot uses an "enhanced service set" with multiple access points or a "basic service set" with one access point.

    The logic that could be set up could be based on one "account number" being entered into multiple devices at logon (good for devices owned by one user such as a laptop and PDA / digital camera); or the use of some form of "cluster identity" entered into multiple devices at point of logon (good for devices owned by multiple users like two handheld games units).

    With regards,

    Simon Mackay

  2. #2 (joined Nov 2003, 5,553 posts)
    That is not that big a deal actually. You just set up a different VLAN or subnet and advertise that there is no isolation between clients on that particular network.
    CWNA, CWSP, K0PBX

  3. #3 (joined Sep 2003, 13 posts)
    Do you also have to set up a separate SSID and wireless network for this VLAN? Also, has any hotspot operator had to deal with this dilemma in catering for small "few-device" networks using their WiFi backbone?

  4. #4 (joined Nov 2003, 5,553 posts)
    That is correct. I guess in my travels I never worried about it. If I needed to do something like that I just used a USB key or set up a quick ad hoc network between the concerned parties.

    The problem with doing it the way you suggest is that it opens up a huge avenue for attacking. IMO, one of the major "do not do's" is to get on a very public network with shares being accessible.
    CWNA, CWSP, K0PBX

  5. #5 (joined Sep 2004, 1,162 posts)
    There is a way around that issue and we use it for multi-function networks that may include wireless surveillance, intercoms, RFID, etc. in addition to public Internet access.

    You could add the individuals' MAC IDs to the pass-thru list on the gateway.

    This would be a labor intensive process to manage if it were provided to anyone requesting peer-to-peer access.

    Best to use M/Q's suggestion...

    Greg

  6. #6 (joined Sep 2003, 13 posts)
    Another application that I had mentioned was the handheld games consoles like the Nintendo DS or the Sony PSP. These consoles are providing WiFi network ability as a standard feature or as an option. A key functionality often touted by the manufacturers for this facility is multiplayer gaming.

    Could there be ways to allow this kind of activity in an AP-isolated setup?

    Simon Mackay

  7. #7 (joined Nov 2003, 5,553 posts)
    Sure, as I mentioned that is just dependent on how much security you want to allow on any given VLAN or separate subnet. Depending on what type of AP you get, it may have the ability to have several different VLANs on the one device, or you get several APs and have them connect to a managed switch (my choice).
    CWNA, CWSP, K0PBX
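    The "several VLANs on the one device" option above, written out as an added example that is not from any poster in this thread and not hostapd's own code: a hostapd.conf carrying an isolated public BSS and a second, hidden, non-isolated BSS on its own bridge (one bridge per VLAN), followed by a small check that catches the mistake that silently defeats the whole scheme, namely putting the non-isolated BSS on the same bridge as the isolated one. The hostapd.conf keys (interface, bss, bridge, ap_isolate, ignore_broadcast_ssid, wpa, wpa_key_mgmt, rsn_pairwise, wpa_passphrase) are real; the interface, bridge and SSID names and the passphrase are constructed for illustration.

```python
"""hostapd.conf for one AP carrying two BSSes, plus an isolation check.

Added example for this thread; not code from any poster or from hostapd.
The hostapd.conf keys are real, the names and passphrase are made up.
"""

# Constructed sample: isolated public hotspot BSS plus a hidden WPA2-PSK
# "local activity" BSS on its own bridge (each bridge maps to its own VLAN).
HOSTAPD_CONF = """\
interface=wlan0
driver=nl80211
hw_mode=g
channel=6

# BSS 1: public hotspot, stations may not talk to each other
ssid=AirportHotspot
bridge=br-hotspot
ap_isolate=1
wpa=0

# BSS 2: peer-to-peer SSID, no isolation, hidden, own bridge/VLAN
bss=wlan0_1
ssid=AirportHotspot.localactivity
bridge=br-local
ap_isolate=0
ignore_broadcast_ssid=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=cluster-secret-handed-out-at-the-counter
"""


def parse_hostapd(text):
    """Split a hostapd.conf into per-BSS key/value dicts.

    Keys seen before the first 'interface=' go to the radio dict; 'bss='
    starts a new BSS. Radio-wide keys that follow 'interface=' land in the
    first BSS's dict, which does not matter for the check below.
    """
    radio, bsses, cur = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full-line comments
        if "=" not in line:
            continue
        key, val = (s.strip() for s in line.split("=", 1))
        if key in ("interface", "bss"):
            cur = bsses.setdefault(val, {})
        elif cur is None:
            radio[key] = val
        else:
            cur[key] = val
    return radio, bsses


def lint_isolation(bsses):
    """Return a list of findings about the non-isolated BSSes.

    ap_isolate=1 only stops forwarding between stations of that same BSS.
    A second BSS attached to the same bridge is just another bridge port,
    so its stations are forwarded to the hotspot stations as usual.
    """
    findings = []
    isolated_bridges = {b.get("bridge") for b in bsses.values()
                        if b.get("ap_isolate") == "1" and b.get("bridge")}
    for name, b in bsses.items():
        if b.get("ap_isolate") == "1":
            continue
        if b.get("bridge") in isolated_bridges:
            findings.append(
                f"{name}: non-isolated BSS shares bridge {b.get('bridge')} "
                f"with an isolated BSS; its stations can still reach hotspot clients")
        if b.get("wpa", "0") == "0":
            findings.append(
                f"{name}: non-isolated BSS is open (wpa=0); anyone in range "
                f"can join and reach the peers' shares")
    return findings


def check_config(text):
    """Parse and lint a hostapd.conf; empty list means no isolation findings."""
    return lint_isolation(parse_hostapd(text)[1])


if __name__ == "__main__":
    for finding in check_config(HOSTAPD_CONF) or ["ok: no isolation findings"]:
        print(finding)
```

    Two caveats on the sample itself: ignore_broadcast_ssid only hides the name from beacons, it is still sent in probe responses and association requests, so the hidden SSID is a convenience, not a security control; and the PSK is what actually keeps strangers off the peer BSS, which is why the linter flags a non-isolated BSS with wpa=0.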

  8. #8 (joined Sep 2003, 13 posts)
    Hi M/Q

    How would you set up the second AP and the managed switch which is used for the "peer" activities? Would you simply set these up as a totally separate network and would you hide the AP's SSID but expose the primary (hotspot) AP's SSID? As far as the SSID is concerned, I would have it as <hotspot_SSID>.localactivity or something similar.

    With regards,

    Simon

  9. #9 (joined Sep 2004, 1,162 posts)
    The SSID of a VLAN in the AP will most likely be hidden by default.

    Regardless, if client isolation is configured in the AP, it doesn't matter how many VLANs you have set up, two associated peers won't communicate on that particular AP.

    Consider using client isolation in your gateway and not the AP's.

    You would still have to use MAC ID pass-thru for the peers to communicate and bypass your login screen, which may be necessary for gaming devices that do not have a web GUI (i.e. Nintendo).

    Greg
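    The gateway-side variant Greg describes (isolation enforced at the gateway, with a MAC pass-through list so enrolled peers can reach each other) as an added example, not code from any poster in this thread. It assumes a Linux gateway whose LAN side is a bridge, here called br-hotspot, that the APs hang off with AP-level isolation switched off, so that every client-to-client frame crosses the bridge's FORWARD path and can be policed with ebtables. The policy is: default drop between clients, allow unicast between members of the same "cluster", allow broadcast from a cluster member so peers can ARP and discover each other. The code also replays the generated rules through a tiny first-match evaluator to confirm they implement that policy. ebtables and its options are real; the bridge name, cluster names and MAC addresses are constructed.

```python
"""Gateway-side client isolation with per-cluster MAC pass-through.

Added example for this thread; not code from any poster. Assumes a Linux
gateway bridging the APs on br-hotspot. Bridge name, cluster names and
MACs are constructed; ebtables options used here are real.
"""
import re
from itertools import permutations

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample: two laptops meeting at the airport and two handhelds.
CLUSTERS = {
    "meeting-room": {"00:11:22:33:44:55", "00:11:22:33:44:66"},
    "kids-ds": {"AA-BB-CC-DD-EE-01", "aa:bb:cc:dd:ee:02"},
}
STRANGER = "de:ad:be:ef:00:01"   # constructed: a client enrolled in no cluster


def norm_mac(mac):
    """Lower-case, colon-separated MAC; rejects anything else."""
    m = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(m):
        raise ValueError(f"bad MAC: {mac!r}")
    return m


def forward_allowed(src, dst, clusters):
    """The intended policy, independent of any firewall syntax."""
    src, dst = norm_mac(src), norm_mac(dst)
    for members in clusters.values():
        members = {norm_mac(m) for m in members}
        if src in members and (dst == BROADCAST or dst in members):
            return True
    return False


def ebtables_rules(clusters, bridge="br-hotspot"):
    """ebtables FORWARD rules implementing forward_allowed().

    Frames the gateway itself receives (its IP lives on the bridge) go through
    INPUT, not FORWARD, so upstream access is untouched by the DROP policy.
    """
    rules = ["ebtables -F FORWARD", "ebtables -P FORWARD DROP"]
    for name, members in clusters.items():
        ms = sorted(norm_mac(m) for m in members)
        for a, b in permutations(ms, 2):
            rules.append(f"ebtables -A FORWARD --logical-in {bridge} "
                         f"-s {a} -d {b} -j ACCEPT  # {name}")
        for a in ms:  # ARP / discovery from a member; see caveat below
            rules.append(f"ebtables -A FORWARD --logical-in {bridge} "
                         f"-s {a} -d Broadcast -j ACCEPT  # {name}")
    return rules


def evaluate(rules, src, dst):
    """Walk the generated FORWARD rules as ebtables would: first match wins,
    chain policy otherwise. Only understands the rule shapes built above."""
    src, dst = norm_mac(src), norm_mac(dst)
    policy = "ACCEPT"
    for r in rules:
        if " -P FORWARD " in r:
            policy = r.split("-P FORWARD ")[1].split()[0]
            continue
        m = re.search(r"-s (\S+) -d (\S+) -j (\S+)", r)
        if not m:
            continue
        rs, rd, target = m.groups()
        if rs == src and (rd == dst or (rd == "Broadcast" and dst == BROADCAST)):
            return target == "ACCEPT"
    return policy == "ACCEPT"


def rules_agree_with_policy(clusters, extra_macs=()):
    """Exhaustively compare the rule set against forward_allowed()."""
    macs = {norm_mac(m) for ms in clusters.values() for m in ms}
    macs |= {norm_mac(m) for m in extra_macs}
    rules = ebtables_rules(clusters)
    return all(evaluate(rules, s, d) == forward_allowed(s, d, clusters)
               for s in macs for d in macs | {BROADCAST} if s != d)


if __name__ == "__main__":
    print("\n".join(ebtables_rules(CLUSTERS)))
    print("rules match policy:", rules_agree_with_policy(CLUSTERS, [STRANGER]))
```

    Two things the rule set does not give you: a cluster member's broadcasts (ARP, game discovery) are still delivered to every port on the bridge, so strangers see that the peers exist even though they cannot exchange unicast with them; and enrolment is by MAC address only, which is exactly the "labor intensive" and spoofable pass-thru list Greg warns about, so a stranger who learns a member's MAC can clone it and join the cluster. The same list is what a captive portal would consult to let a console without a browser skip the login page.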
