Tips on Managing a Hotspot
First and foremost, make sure your hotspot is easy to use. As much as possible you want to avoid having to help your customers connect up. However, be prepared to offer assistance when someone has difficulty connecting – another good reason to keep things simple. You might want to consider printing up a connection guide.
Not all of your users are going to have a laptop or mobile device to make the connection they need when they show up at your business. Therefore you may want to consider adding a workstation or terminal for those types of users.
Management Software
Hot spot management software is an easily overlooked feature that is incredibly valuable. It's a significant differentiator between the different commercial providers and the Internet in a box packages. Good software can make security, billing, and other issues easy; bad software forces you to rely on log entries and other crude methods for analysis.
It's important to manage your hotspot for a number of reasons. Even if you don't intend charging for its use you need to monitor what your users are doing. Any single user can bring your hotspot to its knees by saturating your bandwidth. It's not unheard of for a spammer to sit down with a cup of coffee and pump out thousands of emails. You also don't want users going to sites that will embarrass your other customers, or perform illegal activities.
Even if you roll your own site, you should install and use a hotspot management package. There aren't a lot of choices at the moment in this category, but that will change with time. One product you can consider is called FirstSport from a company called PatronSoft (patronsoft.com/firstspot). FirstSpot is a Web based login that supports your hot spot configuration, security, auditing and management. Some of this software's more desirable features are:
• Logon management, customization, and support for third party password encryption routines
• Time accounting for both pre- and post-paid account activity
• Usage logs and reports, including connected MAC and IP addresses, time and duration of a connection, and other things.
• Bandwidth throttling that lets you set the amount of bandwidth a user account or your site can use
FirstSpot requires a dual-homed (has two NIC cards) Windows XP, 2003, or 2000 server. You can dump your data out to standard SQL databases, or to any ODBC database. You can also deploy this software behind a NAT, PPPoE, or any static IP or DHCP assigned IP address network connection. PatronSoft offers a free trial for their software.
If you are using management software from a hotspot provider, then you should also be managing security and user accounts in your software as well.
Hot Spot Directories
Any hotspot really needs to be promoted in order to be successful. When people walk in the door they should see a sign that tells them that you have a hotspot and what kind of hot spot it is. You should also tell your customers how to connect to your hotspot and offer them a free trial. Mention your hotspot in ads for your business.
You'll want to get your hotspot listed in the hotspot directories. If your service provider doesn't do this for you, then you should go to the following websites and do it for yourself.
Here are some hotspot directories:
• JiWire.com (submit to data@jiwire.com). Intel's hotspot list may be found at intel.jiwire.com.
• Google Wi-Fi Locator (local.google.com/local?sc=1&q=wifi)
• Wi-Fi HotSpotList.com (www.wi-fihotspotlist.com)
• Wi-Fi-Freespot (www.wififreespot.com)
• HotSpots-Free Directory (www.hotspot-directory.com)
• WiFinder Hotspot Locator (www.WiFinder.com)
• WiFi411.com (www.wifi411.com)
• WiFi Alliance WiFi Zone Directory (www.wi-fizone.org/zoneFinder.asp)
Some people recommend that you create a home page for your business that appears whenever someone successfully connects to your hotspot. That home page could be configured so that it is the starting point of an account generation process. By having people create an account you can find out who your customers are for marketing purposes and track their usage. When they log in and out of their account you can track their usage and use that information to bill for the connection service.
Another good reason to create an initial web page is that you can use that web page to state the conditions of usage for your hot spot. If you have time limitations or restrict certain activities or visiting a certain type of web site you can use this page to state those terms. At the very least it's a good idea to remind your users that they are on an unsecured network connection, that they connect at their risk, and that their communications are not secure. You can also suggest what they need to do to protect their systems from outside examination.
Lessnetworks.com, mentioned earlier in this chapter, provides a solution that allows free hotspots to create just such a web page.
Hotspot Security
The main thing to remember about hotspot security is that you probably won't use the encryption features or password authentication for users with your access point or any other fancy security features unless your hot spot is located in Japan (where encryption is required). Most hotspots use "Open Authentication" (no encryption) instead of WEP, which is called a "Preshared Key Authentication" method. Keep in mind that WEP only authenticates a device, and it is assumed that if the user knows the key that they are allowed to connect. Other encryption methods, like TKIP or AES only allow Open Authentication. In all cases your hotspot will not be authenticating a user as is done on the network with a challenge/response mechanism (username and password).
The counter argument for enabling encryption is that it makes communication more secure and less easily sniffed by other computers. The extra difficulty connecting users with encryption and the reduction in throughput has to be weighed against the probability that someone may try and compromise your guest's communications. I feel that sensitive information sent to a non-secured site is something that is a problem in and of itself, and encryption won't help that. So I tend to opt for ease of use and count on the user to implement their own security features. However, there are many other knowledgeable experts who would disagree on this point.
Don't pay more to get a device that implements unusual security measures because you are going to leave them off so that the public can more easily connect.
An alternate view suggested by others is that you should turn wireless data encryption on, so this is a matter of contention.
However, you should make sure that each of your users has a firewall set on their computer. If they don't have software such as Norton Personal Firewall, Zone Alarm Pro 4 or Black Ice (for Windows, for example), then at least remind your users to set the firewall that their operating system offers them. That firewall is turned on in the Advanced tab of the Network Connection properties sheet of a Windows XP connection and is a check box called the Internet Connection Firewall check box that says "Protect my computer and network by limiting access to this computer from the Internet" .
In Windows XP Service Pack 2 the new Security Center will provide just such a reminder.
Although the current 802.11 protocols are not easy to make secure, hopefully the release of 802.11i will offer some help. Until then there are some things you can do to help make your hotspot more secure:
• Make sure your network doesn't extend beyond your physical location.
• Don't broadcast your WLAN's router's network ID (SSID)
• Remind customers that unencrypted transfers can be read and that sensitive information such as personal information, credit card numbers, and passwords should be avoided on non-secure connections. Stealing information over a WLAN is not uncommon.
(Note: Have your users look for the lock symbols in their browsers to determine the state of the connection; and have them use a secure SSL for e-mail. Most POP and SMTP accounts offer this kind of connection, as do most Web e-mail portals. You may want to recommend the use of client software like HotSpotVPN (www.hotspotvpn.com/) for a more secure connection. )
• Don't leave your router/access point's IP address, login name, or password set at the default. If your AP offers the username "admin" with no password, for example, change both of them. A bad guy only needs to look up your AP's manual on-line to know what the defaults are. Sometimes a router like the Apple AirPort maintains an address that can't be changed.
• Use a strong firewall and put your wireless network on its own subnet.
• Do not allow your clients computers to connect under a peer-to-peer network connection; that is, disable the "ad-hoc" mode and enable the infrastructure mode on your router or AP.
• Make sure that connected computers are password protected, both at a system and a shared file/folder level.
• Know your users. Make sure you have approved the people on your WLAN and that you monitor their activity to make sure that there are no rogue users. If you are registering users then you can enable the known MAC address feature of your AP and only permit known users to connect; something you can't do if your WLAN is meant for general public access without authentication.
• Turn off all wireless devices not in use, and that means every night if necessary. Test on a regular basis that when all of your wireless devices are turned off that there is indeed no wireless signal that can be detected. Unauthorized access points are a security threat.
• Block TCP ports 135, 137, 138, 139, and 445 to directory, file, and printer sharing information to be transmitted. Disable NetBIOS over TCP/IP as well. This can be done in your firewall's software, in security software, and as part of your proxy server or router.
If your business network is going to use the hotspot connection, make sure you have a robust firewall or gateway between your LAN and your access point or router. Frankly, given that access points and routers are as cheap as they are these days you are better off to buy additional wireless devices and keep your network's wireless connection separate – why take additional risk. Any wireless connection on your business network needs to be encrypted and secured.
Auditing and Billing Usage
Billing is one of the more difficult aspects of managing a hotspot. There are many different models in use for billing customers. You can choose to:
• Bill for each time or day that a user connects, thus avoiding having to monitor usage or collect user information.
• Charge a monthly or annual fee for an account, in which case you must create accounts.
• Bill on an hourly basis whether they are connected or not.
• Bill for actual usage time like cell phone companies do.
Most time usage management solutions use the login and logout times of users based on the logging capability of their wireless router/AP. When someone connects or logs into a connection, the MAC address is recorded in the log. Simple devices have difficulties measuring whether a user has logged off or just been disconnected, and may not be able to check a connection using PING when a VPN session is launched or a specific firewall is in use. One of the advantages of using a more sophisticated solution like the Cisco Broadband Service Manager and the Nomadix HotSpot Gateway is that they have the capability to deal with VPNs and firewalls, as well as the added security features that they offer.
One company that sells a hotspot billing software solution is Alepo (http://www.alepo.com/hotspot-billing-software.shtml). Their RBS Hotspot software lets you monitor multiple sites and sing up subscribers to your network. You can sell one time connections, prepaid connections, pay commissions to clients, and allow for roaming accounts. This software would be valuable for a larger business, or for someone selling hotspot services and probably falls outside of the category of small business use. Another solution is LogiSense's (http://www.logisense.com/billing_home.html) engageIP Billing and DSS module, which is really also meant for a service provider.
Given the complexity of setting up an accounting solution (and the costs involved), it is probably better for a small business to leverage this kind of software installed by their service provider rather than trying to duplicate that capability.
Summary
As you have seen in this chapter setting up a hotspot is something that won't make you rich, but could be important to your business. If you compete in a market that offers this service such as a hotel or coffee shop, offering the service could be a deciding factor in getting and keeping business. After setting up other wireless networks such as your home or office, setting up a hotspot doesn't represent a significantly greater challenge.
However, there are things to keep in mind. You need to decide which ISP to use, find out what there throughput limitations (both quantity and type) are, and install appropriate equipment. Management software is one area that is difficult, so if you intend to bill by time or usage you will need to investigate your options. Luckily this is a growing area of service and you can find several canned or boxed solutions that you can use. If you don't want hands on management you can simply make a phone call to a hotspot provider and have them do it all for you. It is satisfying to be able to manage this networking service, and doing so allows you to keep more of the revenues --- with greater risks come greater rewards.
With this chapter we wind up the discussion of various product-related technologies and begin a section on troubleshooting. In Chapter 23 you'll get answers to your connection problems. Following that we'll tackle first security issues, and then device problems.