Why WISE WiFi is Secure
If you’re building a hotspot, it’s important to consider the security of your internal broadband network, and your end-users’ privacy and security. Your internal network is most likely connected to the WAN (Wide Area Network), or “Internet” port of your Wi-Fi router; end-users connect on the WLAN (Wireless Local Area Network) or LAN (Local Area Network) side of your Wi-Fi router.
WISE WiFi is committed to providing secure solutions. The WISE WiFi Agent, which resides on the Wi-Fi router or an equivalent type of 2-NIC gateway, can protect the internal network from guests while allowing trusted users access. It can also block end-users from seeing each other’s traffic. Since each end-user must be authenticated and once authenticated becomes a “known” entity, various network policies can be applied to all users, groups of users, or individual users.
Here is a brief overview of how WISE WiFi security works. (For simplicity, we will refer to the Wi-Fi router or 2-NIC gateway as an access point, or AP.)
Built in Support for Security Standards
WISE WiFi advocates network security standards. That is why our products support ratified standards for wired and wireless security. For example, we fully support:
WEP™, WPA™ and WPA2™. WEP (Wireless Equivalency Protection) requires that the end-user know a password in order to even connect to the AP. Based on the ratified IEEE 802.11i standard, WPA (Wireless Protected Access) is a far more secure successor to WEP. It provides government-grade Wi-Fi security, also requiring end-users to supply a password before obtaining connectivity to the AP. While WEP and WPA are supported, most of our customers choose not to enable it. That is because when providing hotspot service, they want to be sure that end-users don’t have to hassle too much during the first step, which is to get connected to the AP. Instead, they use WISE WiFi technology to limit Internet access to only those end-users who pass a more straightforward means of authentication via their web browser.
VPN pass-through. VPNs (virtual private networks) secure private communications over public networks. Once authenticated, end-users utilizing corporate VPNs can seamlessly establish secure connections between their client device (usually a laptop) and their company network across a WISE WiFi Powered AP.
Secure web (https). End-users who make purchases over the web or who enter secure information into web pages protect their privacy by using https, which is the normal http (web) protocol carried over SSL (secure socket layer). Once an end-user establishes an https session using their browser, everything sent between their client device and the web server they’re using is encrypted, while traversing both wireless and/or wired networks. Today, all authentic ecommerce sites automatically support https.
Secure email. End-users can and should enable SSL in their email client so that they can securely send and receive email. As with secure web communications, this level of security works end-to-end, across all wireless or wired networks.
Authentication: Knowing Who is on Your Network
End-users who connect through a WISE WiFi-Powered AP and attempt to surf the Internet are presented with a captive portal (login page).
Before they can get onto the Internet, they must provide credentials – prepaid username and password – that meet whatever type of authentication systems we have applied to your AP location. Username and password information are encrypted and sent securly via SSL, and are stored in the WISE WiFi Control Center database in an encrypted format.
Because all end-users who connect through a WISE WiFi-Powered AP must authenticate themselves with the WISE WiFi Control Center server, we always know who is on our Wi-Fi network. We can identify which end-users access which APs, and when. We track how much bandwidth they consume. We can see how many end-users are on-line at any given moment. In general, we will know how many total people access your AP location. All end-user sessions are tracked and recorded in a database for further analysis.
Client isolation: Protecting Wi-Fi Users
For the LAN, WLAN, or Wi-Fi side of your network, WISE WiFi enables client isolation. This means wireless clients are unable to “see” each other. Each wireless connection is private, preventing wireless hackers from attacking other wireless users’ computers. Client isolation is supported on all WISE WiFi-Powered APs.
Block Private Networks: Protecting Private Network Resources
For the WAN or “Internet” side of your network, WISE WiFi-Powered APs act as per-user dynamic firewalls. That means we can set network policies to prevent specific users or groups of users from obtaining access to your internal network.
For example, an end-user who has had the Block Private Networks policy applied to their session would be able to get Internet access but would be prevented from accessing any part of your company network. An employee or unrestricted end-user could connect and authenticate through the same AP, yet access the internal corporate network. Block Private Nets is easily applied as an existing policy – all we have to do is check a box. Additional network policies, including destination NAT and port forwarding are also available to be applied to end-user groups. This enables you to use content filtering, for example to protect underage users from viewing inappropriate online sites. It is easy to link network policies to end-user accounts, not just APs.
WISE WiFi Software Security: Protecting Your Investment
WISE WiFi software is built utilizing best-of-breed open-source software such as Linux, Apache, PostgreSQL, and Perl. We integrate these components using best-practices security methodologies to provide a highly secure and robust platform for network management and user authentication.