Re: Require password for network access
From: "J. Theriault" <administrator () maginetworks com>
Date: Fri, 07 Jul 2006 17:11:51 +0200

rolando_ruiz () jetaviation com wrote:
Hello Security world.
I would like to know if anyone can provide best solutions for password
protecting access to network (internet) from unauthorized users,
particularly from visitors. We would like to have a solution in place
like most hotels have where you connect and are prompted to pay for
internet access. In our case, we don't want to charge but we would like
to restrict access unless we provide a password to obtain an IP address
and internet access. This solution will be for wired network, and
preferably, each user will need to contact IT for temporary username and
password. Right now anyone can come in and connect to any live jack and
get network access. Although we can unplug all unused network jacks, we
would rather have a more centralized management solution.

Hello Rolando,

Since you used a very generic terminology and this is a "basics" list, I'm going to give a fairly nontechnical reply, but one that should tell you everything you need to know.

I'm going to assume that you are representing a small hotel of ~50 rooms and not part of a larger chain, but the suggestions scale fine if you are larger.

Well, personally, you have two viable options that I can think of off the top of my head, and one sucks, so that makes it easier. ;-)

You could install a captive portal or install switches that support authentication.

The switching solution is more for big enterprise, schools, secure computer labs and the like - it is more secure and offers more control and management of each and every end user - but that doesn't do anything for what you want, and they cost more money. A *lot* more money. They also mean that your backbone is far less expandable, so you might get crunched up in the future - not too smart an idea. Of course, they offer the better security and segregation between end nodes, and can totally prevent users snooping on each other and so on - but that's not what you're looking for.

What you want is to segregate the users from *your* network, to authenticate them before they can access the *Internet* (who cares if they can snoop on *each other*? If they break several computer laws and do so, it's not your issue if it's in your terms of service, it's not likely, and it's their own known risk. The rest of the 'net is open, why wouldn't the last link be...), and to provide a nice, cheap, easily expandable system that works for everyone. If you tell a user he's going to have to create a virtual dialup connection, he's going to give you a nasty look. Mention that he needs to configure RADIUS and he's going to decline paying for your service as it's wasting his time and too complicated for the Average Joe.

I think a captive portal better fits your situation as a hotel - it's basically a small embedded computer you stick somewhere on your network - where your users are and you aren't - between your net and your connection to your ISP, that denies everyone (the users, not you) access to the Internet until they log in (when someone opens up a web browser and tries to go to any website, the captive portal will redirect them to a login page). The usernames and passwords are either specified by someone or generated as a batch. Good captive portals will let you, say, generate 50 "cards" with usernames and passwords (and your logo, for example) that will expire after a certain time of usage - so you could click "50 cards that last for 24 hours" and print them out. When someone wanted one, you just hand them the card with their room number as the username, for example, and a randomly generated password. Good captive portals also let you do content filtering (either against unwanted surfing or by file type, such as preventing users from downloading mp3s, which, if not in your Terms of Service, could lead to litigation - of course, getting each user to sign a "Terms of Use" form stating that they are responsible for anything they do means this isn't required in most cases) if you need it...

Captive Portals aren't expensive and you can easily buy one or build your own with little experience or effort.

http://www.publicip.net/ - An example of a complete free, and good, captive portal that I suggest you look at to "get a feel" for the technology

About expandability with a captive portal:

For a small hotel network that doesn't currently have network cabling and only wants to pay for one connection (such as a DSL2 connection, which offers the ability for 16 concurrent users to get full high-speed DSL speeds simultaneously for only 40$ a month or so), I'd recommend a network like so:

        |                              |
  Captive Portal                       |
        |                Firewall/router for hotel systems
     Switch--                          |
     |      |                    Hotel Systems
    AP*    PL*

(Looks more complicated and expensive than it is... The point of this is that it's easy to manage, troubleshoot, monitor, anything - while keeping everything simple and cheap)

With such a configuration, you can upgrade any main part without bothering the others. If you want to get two DSL2 lines, all you need to do is buy good router that supports two WAN ports simultaneously or if you want to install fiber lines later on, you just add them to the switch behind your captive portal...

The AP (a wireless Access Point) connected to this switch can be used as a wireless "base station" with several "slave" (repeater) access points on the other floors (I've seen 2 APs per floor work fine for >10 rooms with concrete walls - get someone who can test the signal to stick an AP in the hall and test it for you with various wifi cards and angles in EACH ROOM). That would mean that you would then have good, high-speed, reliable WiFi access, secured with your captive portal, and at speeds up to 16x normal DSL (depending on usage), for the cost of a normal DSL2 line (40$/month here), a captive portal (200-300$ bought, less if self-made), and a few (say, perhaps 9 for a 4-floor 50-room hotel?) 40$ Linksys access points. Also, if you have a conference room, you can simply stick in an encrypted access point just for conferences that would still have Internet connectivity, but not be accessible by hotel patrons or people trying to snoop from the outside - and generating a new key for each conference takes only a second or two. Also, I would recommend buying perhaps 4-5 old ORINOCO wireless PCMCIA cards off of eBay in case someone does not have wireless connectivity or is too stupid to know how to operate his machine - old ORINOCO gold/silver cards are very powerful cards with good transmit rates and very good receive rates, but, most importantly, they're PCMCIA cards (normal laptop cards) that are hot-swappable (you can just plug it in and out when the machine's running) and they are NATIVELY supported in Windows XP (I believe Windows 2k as well) and most *NIX distributions. That means you plug the card in and it works. No configuration, no drivers, no nothing. You can get them off eBay for perhaps 20$ each. Then you have wireless covered for unlimited normal users, with a few spare cards for idiots who either don't have one but thought they did or who are trying desperately to log on to their AOL dialup ;-)...
Now you should have something for the few devices that don't have wireless capability.

PL stands for PowerLine; it would probably be too much work, and cost too much, to bore holes through to each room and run a load of network cable - even if you used just one cable and connected each room to it - but there is a good wired solution as well. PowerLine Networking. "PowerLAN". Basically, you get a phase coupler (perhaps it's a different word in English, I'm not sure, ask whatever company you're looking at the power line products of...) installed on your power lines for 100-200$, then you buy one "master" adapter (70$?), like your "master" AP, and plug it into your captive portal's switch with network cable, then plug it into the normal electrical socket. Then buy a few more "slave" adapters (40$ for 14mbps, 70$ for 85mbps or so - normal "high speed Internet" is ~1mbps in comparison) for the few people that have older laptops without wireless cards, or the few people with newer laptops without PCMCIA slots, or any other non-wireless devices. When they ask for Internet access, just give them the small adapter (imagine a normal AC-DC power adapter with a LAN cable sticking out), which they plug into the power socket in their room, and plug the network cable into their computer, which sees a normal LAN. Again, works with ALL programs and operating systems and every device with a normal network jack - fast, cheap, expandable, upgradeable, and easily managed. Users would plug it in, turn on their laptop, open their browser, get the normal captive portal login page, log in, and then access the Internet at high speeds without worrying about drivers, installation issues, or incompatibility. Now you have wired and wireless access, all of which require a user and password and are segregated from your company's network, and all components are easily upgradeable, scalable, and replaceable.


So, that should be all that you need.


Joe Theriault
administrator () maginetworks com
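The captive-portal behaviour described in the reply above (batch-generated "cards" with the room number as username and a random password, expiry after a fixed time of usage, and every client redirected to the login page until it has logged in) is modelled below as an added example. This is not code from the post, from publicip.net or from any real portal product; the portal address `portal.example`, the 50,000-iteration PBKDF2 hashing of the card password, the card alphabet, and the MAC-address-keyed session table are all assumptions made for the illustration.

```python
"""Captive-portal access logic (constructed example, not a real product)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import quote

LOGIN_PAGE = "http://portal.example/login"   # assumed address of the portal's login page
CARD_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"   # no 0/o, 1/l/i: readable on a printed card


@dataclass
class Card:
    salt: bytes
    pw_hash: bytes
    ttl_seconds: int
    first_login: Optional[float] = None   # usage clock starts at the first successful login

    def expired(self, now: float) -> bool:
        return self.first_login is not None and now - self.first_login > self.ttl_seconds


def _hash_password(password: str, salt: bytes) -> bytes:
    # Assumed parameters; the portal keeps only this hash, never the printed password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Portal:
    cards: dict = field(default_factory=dict)     # username -> Card
    sessions: dict = field(default_factory=dict)  # client MAC -> username

    def generate_cards(self, rooms, ttl_seconds):
        """Batch-generate one card per room ("50 cards that last for 24 hours").
        Returns (username, password) pairs for printing."""
        printed = []
        for room in rooms:
            username = f"room{room}"
            password = "".join(secrets.choice(CARD_ALPHABET) for _ in range(8))
            salt = secrets.token_bytes(16)
            self.cards[username] = Card(salt, _hash_password(password, salt), ttl_seconds)
            printed.append((username, password))
        return printed

    def login(self, mac, username, password, now):
        """Check the card, start its usage clock on first use, bind the client."""
        card = self.cards.get(username)
        if card is None or card.expired(now):
            return False
        if not hmac.compare_digest(card.pw_hash, _hash_password(password, card.salt)):
            return False
        if card.first_login is None:
            card.first_login = now
        self.sessions[mac] = username
        return True

    def is_authorized(self, mac, now):
        username = self.sessions.get(mac)
        if username is None:
            return False
        if self.cards[username].expired(now):
            del self.sessions[mac]      # usage time is up: back to the login page
            return False
        return True

    def handle_http(self, mac, url, now):
        """Pass the request through for a logged-in client; otherwise redirect it
        to the login page (which is always reachable, so the user can log in)."""
        if url.startswith(LOGIN_PAGE) or self.is_authorized(mac, now):
            return ("200", url)
        return ("302", f"{LOGIN_PAGE}?url={quote(url, safe='')}")
```

One caveat worth knowing before deploying anything like this: the session is keyed on the client's MAC address, which is what most portals do, and on an open guest network that binding can be copied by anyone who sees the traffic of a logged-in guest. That is the "users snooping on each other" trade-off the reply consciously accepts in exchange for cost and simplicity; the isolation that closes it is the per-port authenticating switch solution the reply sets aside.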

