Public and Guest WiFi networks are pervasive around the world, and their risks are, too. A single rogue user on a regular public or guest WiFi network in many cases can pivot and attack others on the same network. Xirrus is now introducing a new approach, called EasyPass, which provides an easier way to get devices onto a network and keep them secure.
"EasyPass Personal is a better way to deliver guest Wi-Fi and onboard BYOD devices by making the Wi-Fi connection secure and isolated from other users," Bruce Miller, VP of Product Marketing at Xirrus, explained to Enterprise Networking Planet. "It is not a VPN [end-to-end security], but rather focuses on making the local Wi-Fi network secure."
Miller added that EasyPass can be positioned as an alternative to a Virtual Private Network (VPN), since a VPN typically comes with the additional challenges of cost, complexity, and performance. Potential use cases for EasyPass Personal include public Wi-Fi scenarios such as cafes, restaurants, and hotel rooms, as well as university dormitories and retirement homes.
"Office spaces are not a typical use case, since they will enforce corporate-wide as opposed to individual security," Miller said.
For public WiFi in particular, many organizations choose to deploy without even the benefit of WPA2 encryption, meaning that everything is sent in the clear. Even on WiFi networks that have a password, Miller said, that password does not exactly secure users against each other.
"Public Wi-Fi networks are typically open [unsecured], but even if a WPA2 password is used, the password is shared among all users, so traffic is still not secure given the availability of tools that can decrypt it," Miller said.
Miller explained that EasyPass Personal uses WPA2-Personal security as well, but with several key differences: 1) the security (PSK password) is unique per user; 2) the user themselves specifies the network (SSID) and password (PSK); and 3) each user’s devices operate on their own separate personal network (a separate NAT’ed IP subnet), which also supports inter-device communication.
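To make the shared-password point concrete, the following added example (not from Xirrus or the article) derives the WPA2-Personal pairwise master key, which the standard defines as PBKDF2-HMAC-SHA1 over the passphrase salted with the SSID, and reports users whose networks end up with the same key. The user names, SSIDs and passphrases are constructed sample data, and `shared_pmk_groups` is a hypothetical helper.

```python
import hashlib


def wpa2_pmk(ssid: str, passphrase: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    ssid_bytes = ssid.encode("utf-8")
    pass_bytes = passphrase.encode("ascii")  # non-ASCII raises a ValueError subclass
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    if not 8 <= len(pass_bytes) <= 63:
        raise ValueError("passphrase must be 8-63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", pass_bytes, ssid_bytes, 4096, 32)


def shared_pmk_groups(networks: dict) -> list:
    """Return sorted groups of users whose (SSID, PSK) pair yields the same PMK."""
    by_pmk = {}
    for user, (ssid, psk) in networks.items():
        by_pmk.setdefault(wpa2_pmk(ssid, psk), []).append(user)
    return sorted(sorted(users) for users in by_pmk.values() if len(users) > 1)


# Constructed sample: a conventional guest network, one SSID and one password for all.
SHARED_GUEST = {
    "alice": ("CafeGuest", "coffee2024"),
    "bob": ("CafeGuest", "coffee2024"),
    "carol": ("CafeGuest", "coffee2024"),
}

# Constructed sample: per-user networks where each user picks an SSID and PSK.
# alice and bob happen to choose the same password; the SSID salt still separates them.
PERSONAL = {
    "alice": ("alice-travel", "same-password-1"),
    "bob": ("bob-travel", "same-password-1"),
    "carol": ("carol-travel", "different-pass-9"),
}

if __name__ == "__main__":
    print("shared guest:", shared_pmk_groups(SHARED_GUEST))
    print("personal:    ", shared_pmk_groups(PERSONAL))
```

On the shared guest network every user holds the same master key, while the per-user networks produce no overlapping keys.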
From an isolation perspective, Miller said that the isolation with EasyPass Personal is on the Wi-Fi side.
"Each user is on a separate SSID with separate security," Miller said. "Each secure personal network can be optionally mapped back to separate VLANs on the wired side as well."
From a use-case deployment perspective, Miller said that the first time a user connects their first device to the Wi-Fi network, they are given the option, via a captive portal, of creating their own personal network. They enter an SSID and PSK, and that Wi-Fi network is dynamically created on the spot. Their device(s) will then connect to the network automatically if they have that Wi-Fi profile (SSID/PSK combo).
"We recommend users use a travel Wi-Fi network on all their devices," Miller said. "So the captive portal only has to be configured by the first connecting device, then all others will connect. The system remembers them, so the next time they show up at the venue, they will connect with just one click."
Miller added that taking things a step further, if the travel Wi-Fi network profile information is maintained by the company providing the Wi-Fi, for example, as part of a customer loyalty program, the Wi-Fi network can be automatically and dynamically created when the user shows up on site, such as a traveler checking into their hotel room. In that case, their devices will automatically connect to the Wi-Fi network with zero configuration.
While EasyPass provides isolation for end users, there is still plenty of visibility for network administrators. Miller explained that administrators enable Personal Wi-Fi functionality on a given SSID, typically an open SSID. They can specify a duration or expiration time for the personal networks, whether the SSIDs are hidden or broadcast, and whether the system remembers them for automatic connection the next time.
"As personal networks are created, the administrator can monitor them, delete them, export them, etc.," Miller said.
EasyPass is part of Xirrus's XMX-Cloud WiFi management service, though deployment of EasyPass Personal requires a firmware update on the Xirrus AP, which can be automatically configured through the cloud service.
Sean Michael Kerner is a senior editor at Enterprise Networking Planet and InternetNews.com.