Useful tips for secure hotspot operation
Whether you run a café, restaurant or hotel, a secure hotspot offers a useful service to your customers and guests. However, hotspot operators need to consider a number of issues in order to give guests secure access to the Internet. The following steps give hotspot operators expert tips on how to set up a secure and reliable hotspot while providing maximum convenience for users.


Technical tips:
  • Do not use an open Wi-Fi network:
    • Always protect your network by means of access control, e.g. by using a professional hotspot solution. If you go without, you risk unauthorized access to your network and losing control over it.
  • Professional hotspot solution:
    • Use a professional hotspot solution that offers various possibilities to authenticate with proper access credentials. For example, the LANCOM Public Spot option provides web-based user authentication, so you can be sure that only your guests are able to login to your Wi-Fi with the access credentials that you issue to them.
  • Use reliable equipment:
    • When operating a hotspot, you should expect the radio field to be under heavy load especially at peak times. Your hardware should be able to withstand this load. 
    • Avoid purchasing low-priced equipment and instead rely on quality products that can deliver high bandwidths, handle high client densities, and offer a great user experience thanks to optimized Wi-Fi.
  • Issuing access credentials:
    • Make sure that issuing access credentials to your employees and guests is as easy and flexible as possible, for example by printing out vouchers, by requiring users to accept the terms and conditions of use, or by letting them register themselves via e-mail or SMS.
  • Separate subnets (guests, administration and service):
    • The different subnets each need their own SSID (e.g. for the guest network, the administration network, the restaurant network, etc.).
    • Current standards require all of the SSIDs to be encrypted with WPA2, with the exception of the guest network. This is generally unencrypted, since guest authentication is performed via a web-based interface; consequently, only guests with access credentials are able to log in. To maximize security, the SSID of the guest network can additionally be encrypted with WPA2.
    • It is important that you also separate the subnets at the network level. There are a number of options for doing this. Your IT system vendor can advise you on this matter and implement network separation accordingly.
    • For information about configuring separate subnets, see this Knowledge Base document.
  • Block access to the configuration from the Public Spot:
    • Make sure that the Public Spot network does not allow access to the configuration of the LANCOM router or access point.
    • For information about preventing access to the configuration from the Public Spot, see this Knowledge Base document.
    • How to prevent access to the configuration of access points managed by a LANCOM WLC is described in this Knowledge Base article.
  • No communication between clients on the guest SSID:
    • On the guest SSID, you should prevent the clients (tablets, smartphones, laptops) from communicating with one another. There is no need for clients to communicate directly in a guest network that is solely intended to provide Internet access. On the contrary, this represents a security risk if guests have inadvertently set up shared directories on their devices. LANCOM access points provide this feature.
  • Dedicated Internet connection for Wi-Fi guest access:
    • Your Wi-Fi guest access should have its own Internet connection, or it should be assigned its own public IP address.
  • Securing against the direct connection of a client to the Ethernet socket intended for the access point:
    • If an access point is installed in a publicly accessible area, we recommend that you use RADIUS authentication of the access point to ensure that a client (e.g. a notebook PC) is unable to gain access to a company network even if it is connected by cable to the Ethernet socket that is intended for use by the access point.
    • Information about this configuration is available in this Knowledge Base article.
  • Limiting web access:
    • Using firewall rules to block ports:
      • Some ports should be blocked, such as those used by the peer-to-peer connections that illegal file-sharing networks often rely on. The best option is to block the ports by means of the firewall integrated into the central network component (e.g. the router).
      • In practice, a “Deny All” strategy is advisable: block all ports and open only those required for the services you want to allow, for example port 80 for web browsing, port 53 for DNS, port 443 for HTTPS (secure web sites), and ports 500 and 4500 for VPN applications.
      • For information about firewall rules, see this Knowledge Base document.
    • Content Filter:
      • We also recommend using a web Content Filter to ensure that inappropriate Internet content is blocked. This software allows you to block access to certain categories of web pages, such as “Violence” and “Pornography”.
    • For information about the Content Filter, see this Knowledge Base document.
    • Please note that you should inform your guests about restricted access to Internet content in your Terms and Conditions.
  • Use your own HTTPS certificate:
    • LANCOM Systems is not a recognized certification authority, so using HTTPS in the Public Spot will result in a browser error message reporting an insecure certificate. To fix this, the application must either be switched to HTTP, or an SSL certificate must be purchased from a recognized authority (e.g. VeriSign) and uploaded to the Public Spot gateway; most web browsers already ship with the corresponding root certificate.
    • LANCOM Systems recommends purchasing an SSL certificate from a well-known certification authority so that HTTPS can be used to login to the Public Spot.
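Issuing access credentials (see "Issuing access credentials" above): the Python script below is an added example and not LANCOM's Public Spot code. It models a hypothetical voucher back end: cryptographically random codes printed in a legible alphabet, storage of a hash rather than the plaintext code, an online-time allowance whose clock starts at the guest's first login, and a deadline by which an unused voucher must be activated. All names, timestamps and the 2-hour / 7-day values are constructed.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from hashlib import sha256
from typing import Dict, Optional

# Alphabet without 0/O and 1/I so a printed voucher is easy to type in.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
CODE_LENGTH = 10  # 32^10 is about 2^50 codes: not guessable at a captive portal


def generate_code(length: int = CODE_LENGTH) -> str:
    """Cryptographically random voucher code, formatted as XXXXX-XXXXX for printing."""
    raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
    return "-".join(raw[i:i + 5] for i in range(0, length, 5))


def normalize(code: str) -> str:
    """Accept what guests actually type: lower case, spaces, missing hyphens."""
    return "".join(ch for ch in code.upper() if ch in ALPHABET)


def fingerprint(code: str) -> str:
    """Only this hash is stored, so a leaked voucher table cannot be redeemed."""
    return sha256(normalize(code).encode("ascii")).hexdigest()


@dataclass
class Voucher:
    online_time: timedelta           # usable time, counted from the first login
    activate_by: datetime            # an unused voucher dies after this point
    first_login: Optional[datetime] = None

    def is_valid(self, now: datetime) -> bool:
        if self.first_login is None:
            return now <= self.activate_by
        return now <= self.first_login + self.online_time


class VoucherStore:
    """Hypothetical voucher back end (constructed for this example)."""

    def __init__(self) -> None:
        self._by_hash: Dict[str, Voucher] = {}

    def issue(self, online_time: timedelta, now: datetime,
              activation_window: timedelta = timedelta(days=7)) -> str:
        code = generate_code()
        self._by_hash[fingerprint(code)] = Voucher(online_time, now + activation_window)
        return code  # goes on the printed voucher; the plaintext is never stored

    def redeem(self, code: str, now: datetime) -> bool:
        voucher = self._by_hash.get(fingerprint(code))
        if voucher is None or not voucher.is_valid(now):
            return False
        if voucher.first_login is None:
            voucher.first_login = now   # the online-time clock starts here
        return True


def demo() -> tuple:
    """Walk vouchers through their life cycle using constructed timestamps."""
    t0 = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
    store = VoucherStore()
    code = store.issue(timedelta(hours=2), now=t0)
    results = (
        store.redeem(code.lower().replace("-", " "), t0 + timedelta(hours=1)),  # first login
        store.redeem(code, t0 + timedelta(hours=2, minutes=30)),  # still inside the 2 h window
        store.redeem(code, t0 + timedelta(hours=4)),              # online time used up
    )
    stale = store.issue(timedelta(hours=2), now=t0)
    results += (
        store.redeem(stale, t0 + timedelta(days=8)),              # never activated in time
        store.redeem("NOTAV-OUCHR", t0),                          # unknown code
    )
    return results


if __name__ == "__main__":
    print(demo())  # (True, True, False, False, False)
```

Because the code is drawn from a high-entropy random source, a plain SHA-256 of it is enough for storage; the hashing protects against a leaked voucher table, not against guessing. Normalizing the guest's input before hashing is what makes hyphenated, lower-case vouchers work at the portal.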
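Separating the guest subnet from the administration subnet (see "Separate subnets" and "Block access to the configuration from the Public Spot" above) and the "Deny All" strategy (see "Using firewall rules to block ports") can both be checked against a rule model. The Python script below is an added example, not LANCOM firewall configuration: it models a first-match packet filter with constructed sample addresses (10.10.0.0/24 for guests, 192.168.1.0/24 for administration, RFC 5737 documentation addresses on the Internet side) and the ports named in the text. It assumes that the router's configuration interface lives on an address in the administration subnet and that the VPN ports 500 and 4500 are UDP (as they are for IPsec IKE and NAT traversal).

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Tuple

# Constructed sample addressing. Assumption: the router's configuration
# interface is reachable only on an address inside ADMIN_NET.
GUEST_NET = ip_network("10.10.0.0/24")     # guest / Public Spot subnet
ADMIN_NET = ip_network("192.168.1.0/24")   # administration subnet
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str      # "tcp" or "udp"
    dport: int


def packet(src: str, dst: str, proto: str, dport: int) -> Packet:
    return Packet(ip_address(src), ip_address(dst), proto, dport)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str] = None          # None: any protocol
    dports: Optional[frozenset] = None   # None: any destination port

    def matches(self, pkt: Packet) -> bool:
        return (pkt.src in self.src and pkt.dst in self.dst
                and (self.proto is None or pkt.proto == self.proto)
                and (self.dports is None or pkt.dport in self.dports))


# First match wins: the deny for the administration subnet must come before
# the broad "allow to anywhere" rules, and deny-all closes the list.
RULES = [
    Rule("guest-to-admin", "deny", GUEST_NET, ADMIN_NET),
    Rule("dns", "allow", GUEST_NET, ANY, None, frozenset({53})),   # UDP, plus TCP for large answers
    Rule("web", "allow", GUEST_NET, ANY, "tcp", frozenset({80, 443})),
    Rule("ipsec-vpn", "allow", GUEST_NET, ANY, "udp", frozenset({500, 4500})),
    Rule("deny-all", "deny", ANY, ANY),
]


def decide(pkt: Packet, rules=RULES) -> Tuple[str, str]:
    """Return (action, rule name) of the first rule that matches the packet."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "implicit"   # only reached if deny-all is removed from the list


SAMPLE_TRAFFIC = [  # constructed: guest client 10.10.0.23
    packet("10.10.0.23", "203.0.113.10", "tcp", 443),   # HTTPS to a web site
    packet("10.10.0.23", "203.0.113.10", "tcp", 6881),  # a typical peer-to-peer port
    packet("10.10.0.23", "192.168.1.1", "tcp", 443),    # router configuration over HTTPS
    packet("10.10.0.23", "203.0.113.53", "udp", 53),    # DNS
]

if __name__ == "__main__":
    for pkt in SAMPLE_TRAFFIC:
        action, name = decide(pkt)
        print(f"{pkt.src} -> {pkt.dst} {pkt.proto}/{pkt.dport}: {action} ({name})")
```

The third sample packet is the check that matters most: HTTPS is allowed to the Internet, but the same port towards the router's administration address is denied, and only because the "guest-to-admin" rule precedes the "web" rule. Swapping those two rules would silently expose the configuration interface, which is why the order of a first-match rule set deserves a test of its own.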