ZyXEL North America Tel: 714.632.0882 Fax: 714.632.0858 Email: sales@zyxel.com http://www.us.zyxel.com Copyright 2008 ZyXEL Communications. ZyXEL is a trademark of ZyXEL Communications, Co. Reproduction in whole or part without permission is prohibited. All other trademarks are the property of their respective owners. Business Guest WiFi Access 0807v100BGWA
Contents: Introduction, Problem Statement, Previous Options, ZyXEL's Solution, Implementation, Summary
Introduction

Wi-Fi based networks have proliferated in recent years. Today it is next to impossible to buy a laptop that doesn't have Wi-Fi capabilities built-in; even devices like MP3 players and cellular phones have Wi-Fi built-in. With so many Wi-Fi enabled devices, Wi-Fi has become the solution of choice to provide guests visiting businesses with Internet access. In fact, many guests delivering presentations today expect Internet access to be available to provide real-time demonstrations or access to supplemental materials. One of the biggest challenges facing IT departments is how to provide guests with Internet connectivity, without giving guests access to private LAN resources.

Problem Statement

I want to provide Wi-Fi access to my guests, without exposing my internal network, and without changing my network architecture.

Previous Options

In the past, a common way to provide guest access was to install a dedicated access point for guests. This access point would be connected directly to a DMZ port on the firewall. This, however, requires a dedicated access point just for guests; in larger offices it might be difficult to provide coverage where it is needed, and if the company is already operating a wireless network for employees, the additional guest access point might cause RF interference with the corporate WLAN. Another pitfall of this method is that guests don't have access to local network resources that they might need, such as a printer, a network share for leaving their presentation behind, or IP based display devices. In addition, with larger offices, it may require a new Ethernet drop to get the access point connected to the firewall, or dedicated switches if the run is over 100m in length.

Probably the most popular method currently being used is to use access points that support multiple SSIDs, and then use VLAN tags to separate guest traffic from internal traffic. This solves many of the issues brought up by the DMZ method: by sharing one set of access points for both employees and guests, you can get total coverage more easily and need to install less hardware. The VLAN method also allows guests to access network resources approved by the IT department. The drawback to this solution is that it requires a VLAN-aware network. Many businesses have a network infrastructure that is made up of unmanaged switches which don't support VLANs. So in addition to needing to upgrade to access points that support multiple SSIDs, they will also need to upgrade their switches to layer-2 managed switches. Furthermore, the configuration and ongoing maintenance of VLANs can be difficult and time intensive, taking away IT resources or being unmanageable for businesses without a dedicated IT department.
ZyXEL's Solution

ZyXEL currently supports all of the previously mentioned solutions. However, with the introduction of our NWA3000 series of Access Points for Business (NWA3160, NWA3163, etc.), ZyXEL has introduced a new, easier way to provide guest access. This new method uses multiple SSIDs but does not require the use of VLANs. This gives you the same benefits as the previously discussed multiple-SSID solution, but removes the drawbacks. This new solution requires no new hardware other than compatible access points, and provides much simpler configuration.

Instead of VLANs, the access point itself restricts access to network resources using intra-BSS blocking and layer-2 isolation. Layer-2 isolation can be configured on a per-SSID basis, giving you freedom of configuration options. Layer-2 isolation works by blocking all traffic from wireless devices connected to the access point to network resources. You must whitelist any device on the network that you want guests to be able to access. Adding devices to the whitelist is easy: just go into the GUI on the NWA3000 series access point, select the layer-2 isolation screen for the guest SSID, and enter the MAC address of any device to which the guest should have access. The access point will then allow your guests to send packets to and receive packets from only those devices you have specified.

The intra-BSS blocking feature is used to provide further security, blocking users connected to the same SSID from being able to communicate with each other. This reduces the spread of viruses, and prevents guests from accidentally sharing files with other guests.

To make configuration even simpler, all NWA3000 series access points have a built-in Guest SSID pre-configured with layer-2 isolation and intra-BSS blocking already enabled. Just activate the guest profile, and add the MAC address of your router or other devices you want guests to have access to.

BENEFIT 1: Just add access points. Our solution works with your existing network infrastructure, so there's nothing else that needs to be replaced, added, or upgraded.

BENEFIT 2: Super simple to set up and configure. We've already configured a guest SSID on all our access points. You merely need to enable it and tell it what resources guests should have access to.

BENEFIT 3: Enhanced security. Keep your guests off your internal network while giving them Internet access.

BENEFIT 4: Save money. Use the same wireless network for your guests that you use for your employees. Only one set of access points required.

BENEFIT 5: Powerful. In addition to the Guest SSID functionality, the NWA3000 series offers a range of advanced features such as Rogue AP detection, automatic QoS for VoIP, and hybrid AP for easy management.
[Figure: two panels, "Guest Access" and "Employee Access". Each shows a Wireless Business Access Point NWA3160/NWA3163 offering SSID Guest (no encryption) and SSID Sales (WPA + 802.1x), connected through any switch and any firewall/gateway to the Internet and to the corporate network. Annotations: guests and employees are blocked from seeing or communicating with each other; the guest is denied access to the corporate network.]

Guest Access: The guest connects to the guest SSID. This SSID only allows communication to your gateway router's MAC address, blocking access to the corporate network.

Employee Access: Employees connect to the same access point, but a different SSID. This SSID is protected by WPA and/or 802.1x to keep guests off. Employees can access all network resources.
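The forwarding policy described above (per-SSID layer-2 isolation with a MAC whitelist, plus intra-BSS blocking), as an added example: a simplified model written for this page, not ZyXEL firmware or configuration syntax. The class and function names and all MAC addresses are constructed, and only unicast frames are modelled.

```python
from dataclasses import dataclass, field

@dataclass
class SsidProfile:
    name: str
    l2_isolation: bool = False        # drop wireless<->wired frames unless peer is whitelisted
    intra_bss_blocking: bool = False  # drop frames between two clients of this SSID
    allowed_macs: set = field(default_factory=set)  # layer-2 isolation whitelist

def norm(mac):
    """Normalize a MAC so '00-00-5E-..' and '00:00:5e:..' compare equal."""
    return mac.strip().lower().replace("-", ":")

def decide(profile, clients, src, dst):
    """Return (allowed, reason) for one unicast frame on this SSID.

    clients: MACs of stations associated to the SSID. Broadcast and multicast
    handling is not described on the page and is not modelled here.
    """
    src, dst = norm(src), norm(dst)
    stations = {norm(c) for c in clients}
    if src not in stations and dst not in stations:
        return False, "no station on this SSID"
    if src in stations and dst in stations:
        if profile.intra_bss_blocking:
            return False, "intra-BSS blocking"
        return True, "client to client"
    peer = dst if src in stations else src  # the non-client end of the frame
    if profile.l2_isolation and peer not in {norm(m) for m in profile.allowed_macs}:
        return False, "layer-2 isolation"
    return True, "permitted peer"

def audit(profile, clients, frames):
    """Return (src, dst, reason) for every frame the profile would drop."""
    dropped = []
    for src, dst in frames:
        allowed, reason = decide(profile, clients, src, dst)
        if not allowed:
            dropped.append((src, dst, reason))
    return dropped

# Constructed sample data: documentation-range and locally administered MACs.
GATEWAY, PRINTER, FILESRV = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03"
GUEST_A, GUEST_B, EMPLOYEE = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0e"
guest = SsidProfile("Guest", l2_isolation=True, intra_bss_blocking=True,
                    allowed_macs={GATEWAY})
sales = SsidProfile("Sales")  # employees: no isolation, per the figure caption

if __name__ == "__main__":
    frames = [(GUEST_A, GATEWAY), (GUEST_A, FILESRV), (FILESRV, GUEST_B), (GUEST_A, GUEST_B)]
    for row in audit(guest, {GUEST_A, GUEST_B}, frames):
        print(row)
```

The whitelist applies in both directions in this model, so a frame from a non-whitelisted wired host to a guest is dropped just like the guest's frame to that host.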
Implementation

Simply access the easy-to-use Web GUI on your ZyXEL access point, activate the preconfigured guest SSID, and add the MAC address of your router. Your guests can now access the Internet, but can't access the rest of your network. Want to share a printer? Just add the printer's MAC address into the access point.

Summary

ZyXEL's NWA3000 series is the affordable, easy way to provide your guests with Internet access while keeping your internal network secure. The NWA3000 series also provides a number of advanced features, making it the ideal access point to use in your business.

About ZyXEL

ZyXEL Communications, Inc., with North American headquarters in Anaheim, California, is one of the world's foremost suppliers of broadband networking and Internet connectivity/routing products. ZyXEL is focused on developing wireless and security solutions for a large target audience including ISPs, small-to-medium sized businesses, SOHO, residential, and institutional MxU (multi-tenant unit/multi-dwelling unit) markets. ZyXEL's North American distributors include Ingram Micro, Tech Data, Wynit, Jenne, and ASI.