Best Practices to Protect WiFi Hotspots

By their nature, public WiFi networks have to remain very open so that it is easy and convenient for users to connect and get online, yet be secure and robust enough to allow only authorized users the required level of access and service while preventing intentional or unintentional malicious users from bringing down the service or compromising other users. Each network component and layer therefore has its own part to play in the overall security and robustness of the entire service.

This post highlights the roles of the various network layers and components in ensuring service robustness.

Access Points

The basic requirement is to enable “client isolation”, which prevents users from accessing each other's computers while connected to the same AP.

A more secure (and more complicated) option is to enable EAP-type authentication (EAP-SIM is one which we are advocating for 3G offload), which will also enable encryption of all users’ wireless traffic.

Other common features we’ve seen touted as improving WiFi hotspot service security and robustness include restricting the maximum number of clients that can associate, “steering” clients between nearby APs, using Smart Antenna technology to overcome interference, and rogue AP detection/suppression.

Network Switches

Edge, distribution and core switches play a critical role in ensuring robustness of the overall WiFi service. Some key features that should be considered in the choice of such equipment include:

  • VLAN support for network segregation, especially to separate user traffic from management traffic and to reduce the impact of broadcast storms.
  • Traffic throttling to limit both the amount of traffic and the number of packets that can swarm the rest of the network. Some switches provide even more intelligence, such as throttling of specific traffic types (ICMP or broadcast) or even behavior-based throttling (virus / worm-like behavior).
  • Ability to trigger alerts when certain events happen, so that administrators can take pre-emptive action to remedy situations that could cause a fault (like failure of a redundant power supply, failure of certain ports etc.).

SSG

This complex component is arguably the most critical part of the entire WiFi hotspot system and is also the most vulnerable to attacks from malicious users. It has to strike a fine balance between making it as easy as possible to connect and go online and preventing itself from being DoS-ed by malicious users.

The SSG therefore provides the following features, primarily to protect itself and so ensure maximum uptime for the WiFi service:

  • SYN flood protection. This allows the SSG to detect this kind of attack and prevent itself from becoming too busy to service other users’ connections to it.
  • DNS protection.
      • Invalid DNS packet. Malformed DNS packets are dropped.
      • Duplicate request. Duplicate DNS requests are dropped to prevent overloading of the SSG and other external DNS servers.
      • DNS cache poisoning alert. This logs attempts by users to poison the DNS cache of other users.
      • DNS request throttling. The SSG will slow down its response to a user who has exceeded the configured threshold rate.
  • Bandwidth rate limit. By throttling the speed at which a user is allowed to send or receive traffic from the SSG, the SSG prevents itself from being overwhelmed.
  • ARP request rate limit. Similar to the DNS request rate limit, but applicable to ARP requests.
  • Duplicate IP.
  • Same MAC blocking.
  • Anti-SPAM features. Another common problem faced by visitor-based networks is SPAM from their users, both intentional and unintentional. The SSG addresses this problem in a few innovative ways:
      • Total recipient limit. Limiting the total number of recipients for each mail makes spamming more inconvenient for intentional spammers and effectively blocks virus-initiated SPAM.
      • Invalid sender domain blocking. Another common practice of spammers is to fake an invalid sender domain so that any bounced mail does not impact their mail server. This check again makes it that much harder for spammers to generate SPAM.
      • Concurrent SMTP connection limit. This limit can be set on a per-user and global basis. This prevents a spammer from making multiple connections to the SG to send out SPAM.
      • Size & Recipient limit for each outgoing mail. This configuration limits the size of each outgoing mail that can be sent out by a user. This prevents hogging of the WAN bandwidth as a result of trying to deliver a very large email attachment. It also prevents a user from sending mails to too many recipients.
      • Rate limiting of email sending. A “number of email” threshold is set on the SG. For each delivery of the same mail above this limit, the SG will add a “threshold delay” before accepting a delivery request to a new target email address. This effectively slows down the rate of delivery and prevents choking up the WAN link with email traffic.
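
The DNS protections in the list above (dropping malformed packets, dropping duplicate requests, and slowing responses to a user over the threshold rate) can be sketched as one per-packet decision. This is an added example, not the SSG's own code: the `DnsGuard` class, the helper names and all threshold values are assumptions, and the query bytes are constructed rather than captured.

```python
import struct
from collections import defaultdict, deque

DUP_WINDOW, RATE_WINDOW, RATE_LIMIT, DELAY = 2.0, 1.0, 5, 0.5  # hypothetical: s, s, queries, s

def parse_query(pkt: bytes):
    """Return (txid, qname, qtype) for a well-formed one-question query, else None."""
    if len(pkt) < 12:
        return None                             # shorter than the fixed DNS header
    txid, flags, qd, an, ns, _ar = struct.unpack("!6H", pkt[:12])
    if flags & 0x8000 or qd != 1 or an or ns:   # responses and odd counts are rejected
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(pkt):
            return None                         # name runs past the end of the packet
        n, pos = pkt[pos], pos + 1
        if n == 0:
            break
        if n > 63 or pos + n > len(pkt):        # oversized label or compression pointer
            return None
        labels.append(pkt[pos:pos + n].decode("ascii", "replace").lower())
        pos += n
    if pos + 4 > len(pkt):
        return None                             # QTYPE/QCLASS missing
    return txid, ".".join(labels), struct.unpack("!H", pkt[pos:pos + 2])[0]

class DnsGuard:
    def __init__(self):
        self.seen = {}                      # (client, txid, qname, qtype) -> last time seen
        self.recent = defaultdict(deque)    # client -> timestamps inside RATE_WINDOW
    def handle(self, client: str, now: float, pkt: bytes):
        """Return (action, delay_seconds) for one packet from one client."""
        query = parse_query(pkt)
        if query is None:
            return "drop-malformed", 0.0
        key = (client, *query)
        last, self.seen[key] = self.seen.get(key), now
        if last is not None and now - last < DUP_WINDOW:
            return "drop-duplicate", 0.0
        times = self.recent[client]
        times.append(now)
        while now - times[0] > RATE_WINDOW:  # forget requests older than the window
            times.popleft()
        return "forward", (DELAY if len(times) > RATE_LIMIT else 0.0)

def make_query(txid: int, name: str, qtype: int = 1) -> bytes:  # constructed sample query
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", qtype, 1)
```

A long-running gateway would also expire old entries from `seen`; the sketch keeps them to stay short.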