July 2009 IT Business Consulting Newsletter

Securely Implement a Public Wireless Hot Spot

By Tom K

Implementing a Public Wireless Hot Spot in your office is a GREAT idea! It is very inexpensive, provides your guests with a nice value add, and can draw walk-ins who will get to experience your wonderful staff, observe your outstanding operation, and potentially leave with a brochure or property listing. It is also a good way to differentiate your business from your competitors!

To do it right, however, the Public Hot Spot has to be COMPLETELY ISOLATED from your private business network.

The simplest way to achieve this is to lease a separate Internet circuit dedicated to your Public Hot Spot, and then plug a Wireless Access Point into the router (or use a wireless router). This is somewhat inefficient as you’d be paying around $1200/yr to provide bandwidth to the public, but it does completely isolate the public traffic demands from your business Internet traffic.

If you’d like to reduce your costs, another method is to use your firewall to isolate the Public Hot Spot from your Private network, while securely sharing your company’s existing Internet bandwidth. Here’s how…

Firewalls 101

The primary function of a firewall is to rigorously regulate the traffic coming into your Private business network from the Internet (Public network), and vice versa. It is like a security checkpoint with two gates, the public gate and the private gate. The firewall rules can granularly control who can come through a gate, where they can go, and what they can do once on the other side. Typically, anyone inside the Private network is allowed to go anywhere in the Public network, but no one from the Public network is allowed inside the Private network, unless they are invited. If they ARE invited, they are only allowed access to very specific resources for very specific purposes.

Many firewalls have a third gate, referred to as the DMZ. Some firewalls require that a key be purchased to enable this feature; some (like those we recommend) include the feature in the core product. The DMZ can be configured in many ways, but for our purposes, it is just another gate with a specific set of rules that allow anyone inside the DMZ full access to the Public network, but allow NO access to the Private network. The end result is a very secure means to share your company’s Internet access with your guests, at no additional cost.
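To make the three-gate policy concrete, here is an added example (not from this newsletter, and not any vendor's firewall configuration): a small Python model of the rules just described, with a check that a guest in the DMZ cannot reach anything on the Private network, including the one "invited" resource that the Public gate opens. The zone addresses, the invited web server on port 443, and the probed ports are all constructed for illustration.

```python
# Added example: a model of the Private / DMZ / Public gate policy described
# above, so the isolation claim can be checked before a hot spot goes live.
# All addresses, zones and the "invited" resource are constructed, not real.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed zone addressing: the Private business LAN and the DMZ that holds
# the hot-spot access point and its guests. Anything else is the Public Internet.
ZONES = {
    "private": ip_network("192.168.10.0/24"),
    "dmz": ip_network("192.168.99.0/24"),
}


def zone_of(addr: str) -> str:
    """Map an IP address to the gate it sits behind."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "public"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str                      # "allow" or "deny"
    dst_host: Optional[str] = None   # "invited" traffic: one specific host ...
    dst_port: Optional[int] = None   # ... for one specific service

    def matches(self, src_zone: str, dst_zone: str, dst_ip: str, dst_port: int) -> bool:
        if (src_zone, dst_zone) != (self.src_zone, self.dst_zone):
            return False
        if self.dst_host is not None and ip_address(dst_ip) != ip_address(self.dst_host):
            return False
        if self.dst_port is not None and dst_port != self.dst_port:
            return False
        return True


# First match wins; anything not matched falls through to the default deny.
POLICY = [
    # Public gate: only an invited resource (constructed: a web server on 443).
    Rule("public", "private", "allow", dst_host="192.168.10.25", dst_port=443),
    Rule("public", "private", "deny"),
    # DMZ gate: guests get the whole Public network and nothing on the Private side.
    Rule("dmz", "public", "allow"),
    Rule("dmz", "private", "deny"),
    # Private gate: staff may go anywhere on the Public network.
    Rule("private", "public", "allow"),
]


def evaluate(src_ip: str, dst_ip: str, dst_port: int, policy=POLICY) -> str:
    """Return the action for a NEW connection; replies are assumed to be
    handled statefully by the firewall and are not modelled here."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in policy:
        if rule.matches(src_zone, dst_zone, dst_ip, dst_port):
            return rule.action
    return "deny"


def dmz_is_isolated(policy=POLICY, probe_ports=(22, 80, 443, 445, 3389)) -> bool:
    """Pre-go-live check: no DMZ guest may open a connection to any Private
    host on any probed port, the invited server included."""
    guest = str(ZONES["dmz"][50])          # a constructed guest address
    for host in ZONES["private"].hosts():
        for port in probe_ports:
            if evaluate(guest, str(host), port, policy) != "deny":
                return False
    return True


if __name__ == "__main__":
    samples = [("192.168.99.50", "198.51.100.9", 80),     # guest -> Internet
               ("192.168.99.50", "192.168.10.25", 443),   # guest -> invited server
               ("203.0.113.7", "192.168.10.25", 443),     # Internet -> invited server
               ("203.0.113.7", "192.168.10.25", 22)]      # Internet -> same host, SSH
    for src, dst, port in samples:
        print(f"{src} -> {dst}:{port}: {evaluate(src, dst, port)}")
    print("DMZ isolated from Private:", dmz_is_isolated())
```

The point the check makes is that the "invited" exception is tied to the Public gate only: a guest on the hot spot, sitting in the DMZ, is still refused the same host and port that an Internet visitor may reach. Running dmz_is_isolated against a policy that someone has loosened with an extra DMZ-to-Private allow rule returns False, which is the kind of regression worth catching every time the rules change.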

Wireless Hot Spot

So now that we have the DMZ gate configured with the proper rules to secure the Private Network, we need to provide wireless devices with hassle-free access to the Internet via the DMZ gate. We simply plug a $30 - $60 Wireless Access Point (AP) into the DMZ, and configure it for open access. Any wireless device that comes within range will automatically connect.

While true “open access” makes it very simple for anyone to use your Public Wi-Fi, you may want to set a simple password on this network to restrict its use to your guests and staff.

If you want to provide wireless coverage across a wide area, like a large office or your office and your pool, multiple APs can be teamed, and the wireless device will lock on to the strongest signal (the closest AP). And, when an AP team is configured properly, a user can walk through your facility using a smart phone, seamlessly hopping from AP to AP, with no signal degradation and no service interruption. Way Cool!

Bandwidth Considerations

So, you are now sharing your precious Internet bandwidth with the Public Hot Spot. What happens when multiple guests start gobbling up all of your bandwidth??? Fortunately, many firewalls include a mechanism that allows us to allocate the maximum bandwidth available to the DMZ, often by percent. If your company has 16 MB of Internet bandwidth and you set the DMZ throttle at 10%, your guests will have up to 1.6 MB and your staff will never have less than 14.4 MB.

And, you might consider bringing in that second Internet circuit. But instead of dedicating it to your Hot Spot, add it to your firewall as a load balanced circuit, which can double your Internet bandwidth while virtually eliminating Internet outages (see my April 2009 newsletter Improving the Reliability & Speed of Your Business Internet Connection for details). If we couple this with percentage based DMZ throttling, using the 10% example, your staff would get at least 90% of the combined bandwidth of both circuits. If one circuit goes down, your staff still gets at least 90% of the bandwidth from the circuit that remains up.

Extra Value Add

Another nice touch we’ve often added when implementing this service is setting up a kiosk for those guests who didn’t bring a laptop but still need to check email or hit the Internet. All this takes is an OK PC with a nice flat panel, and an inexpensive $30 - $60 USB wireless adaptor to connect the PC to the Public Hot Spot, completely isolating it from your private network. To be REALLY appreciated, connect a $100 - $200 color ink jet photo printer to the PC.

Wireless for Staff

Can you provide secure wireless access to your Private network for your staff, while providing open wireless access to the Public network for your guests?? Yes! (But I don't recommend this for security reasons. See my March 2013 article "Provide Wireless Access to Business Systems???" for details.)

The Public APs plug into the DMZ, and do not require security codes. Your secure Private APs plug into your Private network and do require security codes. When properly configured, the general public can’t even see or scan your Private APs. And, as discussed above, the Private APs can be teamed to provide seamless coverage over larger areas.

As you’ve seen, all the components necessary to implement this service are very inexpensive. The implementation itself is not overly complex. The few downsides are easily mitigated. Our clients have seen that the advantages in guest relations and meeting new prospective guests are huge compared to the minimal cost. We recommend you roll it out, advertise it on your web site, and prepare to become appreciated!

If you have any questions concerning securely implementing Public Wireless Hot Spots (or any other topics concerning utilizing your infrastructure to enhance your business), I’d be happy to discuss them with you at your convenience. Feel free to contact me at TomK@TomKConsulting.com, or via my cell 443.310.5110.