Saturday 8 March 2014

Enhancing Visitor Security


Beware of the dangers of allowing access to Wi-Fi
If you have visitors to your premises, they will sometimes ask if they can use your Wi-Fi. Usually you will agree, as you want to help someone out and don't want to appear rude.

There is a potentially dangerous security flaw with this though. In effect, it’s like giving someone the keys to your house and trusting them not to steal or damage anything.

The source of the risk is what might be on their computer. If their laptop or tablet carries viruses or other malware, you have allowed that malware access to your server. This is particularly risky if the visitor can send emails using your mail server. It is possible that the malware on their device will send itself to everyone on the contact list saved on the server, meaning you have helped spread a dangerous piece of software and have probably got yourself blacklisted as a result.

Removing yourselves from blacklists is technically complex, expensive and time-consuming, but the most immediate impact is that, until you resolve it, emails you send will go into spam filters and so may never get through.

But in the worst-case scenario you may have allowed malware with criminal intent on to your server and therefore into your systems.

Prevention is much better than cure in this case, and there are two potential solutions if you want to continue to allow visitor access to your Wi-Fi. If you don’t, then there isn’t an issue so long as you don’t give them your password.

Firstly, if you have a mail server, configure access so that visitors cannot send email from it. They can still use the server to download messages but not send or reply, which prevents your mail server from transmitting any malware which might be contained on their computer. This doesn’t mean they can’t send email when they are at your premises; it means they will have to use their own ISP's webmail facility instead.

The second solution is to have a router that supports what’s known as a VLAN (virtual LAN). This creates an isolated area that visitors can use, which is separated from your systems. So even if their device is infected with something, it cannot gain access to your systems because it is fenced off.

The VLAN approach works whether you have a mail server or not. But if you do have a mail server we would suggest also using the first approach, i.e. configuring the mail server to refuse access to visitors so that they have to use webmail.
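
To check that a router's rule set really delivers both protections described above, the following added example (not the author's code) audits a first-match firewall policy. The subnets, mail server address, port lists and both rule sets are constructed assumptions, and the mail restriction is modelled as firewall rules rather than as mail server configuration.

```python
import ipaddress

# Constructed addressing plan and ports (assumptions, not from the article).
GUEST = ipaddress.ip_network("192.168.50.0/24")     # visitor VLAN
INTERNAL = ipaddress.ip_network("192.168.1.0/24")   # office systems
MAIL = ipaddress.ip_address("192.168.1.10")         # mail server
SEND_PORTS = (25, 465, 587)         # SMTP relay and submission
FETCH_PORTS = (110, 143, 993, 995)  # POP3 and IMAP download
PROBE_PORTS = (22, 80, 445, 3389)   # sample services on other internal hosts

# Constructed first-match rule sets: (action, source, destination, ports); None = any port.
SEGMENTED = [
    ("allow", "192.168.50.0/24", "192.168.1.10/32", FETCH_PORTS),
    ("deny", "192.168.50.0/24", "192.168.1.0/24", None),
    ("allow", "192.168.50.0/24", "0.0.0.0/0", None),
]
FLAT = [("allow", "192.168.50.0/24", "0.0.0.0/0", None)]  # guests share the office LAN


def decide(rules, src, dst, port):
    """Return the action of the first rule matching the flow; default is deny."""
    for action, s, d, ports in rules:
        if (src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d)
                and (ports is None or port in ports)):
            return action
    return "deny"


def audit(rules):
    """Return findings where a visitor device can send mail or reach internal hosts."""
    findings = set()
    for src in (GUEST[1], GUEST[-2]):  # first and last usable guest address
        for port in SEND_PORTS:
            if decide(rules, src, MAIL, port) == "allow":
                findings.add(f"guest can send through mail server on port {port}")
        for port in FETCH_PORTS:
            if decide(rules, src, MAIL, port) != "allow":
                findings.add(f"guest cannot download mail on port {port}")
        for dst in INTERNAL.hosts():
            if dst != MAIL and any(decide(rules, src, dst, p) == "allow" for p in PROBE_PORTS):
                findings.add("guest can reach internal hosts other than the mail server")
    return sorted(findings)


if __name__ == "__main__":
    for name, rules in (("segmented", SEGMENTED), ("flat", FLAT)):
        print(name, audit(rules) or "no findings")
```

The audit samples only the first and last guest address and a handful of ports, so an empty result is a sanity check on the policy, not proof of isolation.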