Introduction
You might be considering setting up that complimentary hotspot for your guests to use but there are certain risks to be aware of concerning the security of your business and your guests’ data and identity.
Risks that have been highlighted include confidential-data and identity theft performed against customers as they work this data from their portable devices; as well as clandestine computer activity like the downloading or serving of illegal content; or the distribution of spam email, performed using computers connected to public Internet networks like wireless hotspots.
As well, there may be other imperatives required of people who provide Internet access to the public. These imperatives, asked for by various local, state / regional or national governments may include requirement like keeping a log of whom you provide Internet access to or requirement for session tracking. Therefore I am not therefore in a position to explain how to satisfy these needs and it is best to seek local advice on this topic.
Therefore, your business should know who is using the hotspot service and be able to make sure that the people who benefit are the business’s customers or guests. This means that the customers or guests are actually going to be operating the network device that they use when connecting to the service and also operate it on your premises. As well, your customers know that they are going to actually benefit from your hotspot service when they log in to this service.
The cafe or bar as a “second office”
This is more important for the cafe as an increasing number of businesspeople use these places as “second offices” where they can work without unnecessary office-borne distraction or as places where they meet their colleagues or business partners. Here, these people will be working on workplace-confidential data and most of these workplaces place high value on the security of this data as it travels between the laptop and the workplace’s main computer systems.
In fact, the reason I have decided to publish this article was because a cafe that I regularly visit in Camberwell (Melbourne, Australia) had just started to offer free public Wi-Fi access but I had wanted them to provide a free Wi-Fi service that is safe for their customers. Here, they had an ordinary wireless router as the Internet service but they needed help in getting this service working properly and safely. They also wanted to make sure that this resource was available just to their customers as part of their customer service.
Your equipment
When you start out with your complimentary-use hotspot service, you may use a wireless router hooked up to a separate Internet service or use one with a “guest-access” or hotspot function and is connected to your common Internet service.
This should be set up to cover your public area such as the bar areas in your bar or the dining room in your cafe. In some situations, you may need to use an additional access point to cover larger areas or get your signal past thick walls. This is something I have covered in this site as a separate article.
As well, if your equipment works on 802.11n technology, it should be set to work in compatibility mode where it can work with 802.11g and 802.11n devices. This is to cater for the fact that most devices that are in circulation, especially smartphones, are likely to work with 802.11g technology and people may operate battery-operated 802,11n-capable devices in 802.11g mode in order to conserve battery runtime.
Dual-band setups
It may be an asset to consider a dual-band setup for your wireless hotspot. This will use a radio presence on the 2.4GHz band as well as the newer 5GHz band and is supported by an increasing number of newer laptops, tablets and smartphones. The new waveband comes in to its own for multimedia applications like video conferencing or photo and video uploads to social media as well as taking some pressure off the 2.4GHz band for legacy equipment to use.
This can be achieved with a router / gateway or access point that implements simultaneous dual-band operation or you can add a 5GHz access point or a dual-band access point set up for 5GHz operation to your existing network.
Here, you need to make sure you still have your network set up for 802.11b/g/n operation for the 2.4GHz band and 802.11n operation for the 5GHz band. If your equipment supports 802.11ac Wi-Fi, you may have to make sure that the 5GHz aspect works in a compatibility mode for both 802.11n and 802.11ac equipment. As for the SSID (Network Name) which is talked about below, you can use the same SSID for both bands and the clients’ computer equipment switches between the bands automatically.
Your SSID or Network Name
The SSID or network name is very important to your hotspot’s identity. Here, it should reflect your business’s name and have a reference to public or guest Wi-Fi service. An example that I used for a basic complimentary-use Wi-Fi hotspot that I set up at a coffee lounge just recently was MORAVIA-PUBLIC-WIFI. Here this reflected the coffee lounge’s name (MORAVIA) as well as stating that the service was a public Wi-Fi hotspot service hosted by this business. Therefore, you can then identify any “evil-twin” or “fake-hotspot” devices left on or near the premises that exist to capture customers’ sensitive data.
This SSID must be used in all signage advertising your hotspot and the signage must reflect your company’s identity. This means that it either has your company logo and name or be in your company’s styling. In this case, the signage about the hotspot should at least exist beside the cash-register and the door, preferably at eye-level or near the main handle or pull.
Hotspot security
Basic security
Your hotspot network should be secured with a WPA-PSK passcode which your staff should give out to customers who want to use hotspot service. As well, the network should have wireless-client isolation enabled, so that customers who are using the hotspot cannot browse on to each others’ computers.
Previously, there wasn’t any wisdom in implementing link security on a public-use wireless network but now that most computers and handheld devices support WPA-based link security for wireless networks, adding this function to WPA-level is still worth it for achieving some control and security in a public-use wireless network.
It is still important to change the WPA-PSK passphrase regularly such as at least twice a month. Some environments may require the passphrase to the changed every week. This is so that it becomes hard to set up a “fake hotspot” using your service’s credentials or keep a computer logged in to the hotspot service without you knowing.
People who use “open-frame” computing devices based on recent versions of Android or Windows may find that this job may be simplified. One method, which works with both the operating systems, is to use WPS push-button setup on consumer routers that are suitably equipped and are serving as dedicated hotspot devices. But another method is to make a QR code representing the SSID and WPA passcode as a machine-readable form and print this out on to a card that you hand to your customer. Then they scan this code with their Android or Windows 10 device with the appropriate reader software.
As well, your hotspot should properly support VPN pass-through for all protocols so that business users can log in to their workplace VPNs without any headache.
Special hotspot-gateway devices
It may be worth knowing that if you want greater control over your public Internet service, it may be worth implementing a “docket-printer-based” wireless hotspot gateway like the Netcomm HS-1100, Solwise WAS-105R or Zyxel N4100.
Here, these devices direct users to a login page where they have to key in a session login and password that they transcribe from a paper docket that is printed from a docket printer attached to the hotspot gateway. If you intend to offer a paid service, these devices put you in a position to use the payment methods and paths that you use to accept payment for your goods and services.
This is unlike some other hotspot gateway setups that require the potential user to pay another company directly using their credit card or an account maintained by that other company using a payment form hosted by that hotspot. Typically, a lot of these setups are managed in a manner where you don’t have much control over how the service in provided and the service may be provided in a manner not dissimilar to how most vending and amusement machines are provided where you don’t own the equipment, representatives visit the premises to maintain the equipment and you get a small “cut” from the takings.
As well, the session login parameters that your users type in from these dockets exist only for a particular time limit. This is also important for people who run a paid service, but can be useful for managing complimentary service so you can be sure that the people who are using your service are your customers or guests who are in your public areas.
If you do run one of these dedicated hotspot gateway devices, such as a “docket-printer-based” device, the wireless network that these devices operate should still have WPA-PSK security with the passphrase changed regularly. The “docket-based” devices will list the WPA-PSK passphrase on that same docket so your customers can still log in to your hotspot from their device.
Hotspot 2.0 / Wi-Fi Passpoint functionality
Hotspot-gateway devices that supports Hotspot 2.0 or Wi-Fi Passpoint operation, including firmware updates that bring this functionality to existing equipment, is also worth its salt. This provides for improved login experiences including the ability to have your venue described in the list of available Wi-Fi networks when your customers use compatible along with a simplified signup or login procedure. It also supports link-level security between the user’s computer or phone and the access point.
When you enable Hotspot 2.0 or Passpoint functionality on your hotspot gateway device, make sure that your establishment’s details are properly entered when you fill out the setup form for this function. Here, if your users have equipment that supports this technology to the letter, they can identify your establishment in a more qualified manner so they are sure that the Wi-Fi service they are connecting to is the one you are providing at your business.
Of course those of us who use devices that don’t support this functionality can still benefit from Wi-Fi hotspot service on these services as long as “universal” authentication is enabled on the gateway device.
Branding options
If you do implement these devices, make sure that you know how to brand the customer-facing user interfaces.
Most of these devices can allow you to upload a graphic and integrate it in to the login interface or they can allow you to upload customised login screens or point to a Web server for the login interface graphics. The latter option may appeal to you if you have a good hand with creating basic HTML Web pages.
Here, make sure that you have your business name and logo and, if you can do it, set the colour scheme to your business’s colour scheme. As well, make sure that your business name appears on the access dockets that your hotspot gateway prints out.
Power outlets
With a hotspot, always expect that some of your customers will use the power outlets on your premises to power their laptops or smartphones from AC power to avoid compromising battery runtime. This is more so with customers are operating older equipment that has batteries that are “on their last legs” or are working VPN sessions in order to “pick up” files from work and want to be sure this is done properly.
Here, a few double outlets near the tables can work wonders here and if an outlet is used for powering a device like a lamp, the device could be connected to the outlet via a multi-socket power-board with extra outlet space for a few appliances.
Conclusion
Once you know how to choose and set up your public-use wireless network properly, you can make sure that this is a service that your customers and guests will benefit from fully. This may even put your business “on the map” as far as customer-service extras are concerned.
UPDATES
I have done some revisions to this article which was originally published in August 2011 to reflect the arrival of newer technologies like 802.11ac dual-band Wi-Fi wireless technology, Wi-Fi network credentials via QR codes, and Wi-Fi Passpoint technology.
