October 21, 2004
Canadian startup Sesame Networks takes the muss and fuss out of supplying secure Wi-Fi Internet access to corporate visitors. The system is simple and easy to use, but folks without cell phones won't be able to play.
One problem, though, is how to control access to the network. Some companies with guest Wi-Fi services hand out scratch cards with user IDs and passwords, à la commercial hotspot services. Some keep a relatively small pool of reusable IDs and passwords at the reception desk. Neither is entirely satisfactory: both require staff to administer and monitor the process, and neither tells the host organization who is using its network, or what they might be doing on it.
Enter Sesame Networks. Sesame, a one-year-old Wi-Fi start-up, recently introduced a product/service that lets guest users "self-authenticate" by typing their cell phone number into a log-in page. The system then sends a Short Message Service (SMS) text message containing a password to that phone.
"They get the SMS in about five seconds," explains Sesame vice president of product marketing Cliff Grosner. "They take the password they receive, put it in the password field and click Log-on. They're redirected to the company's welcome screen and from there they can get access to the Web."
The system also asks users to re-authenticate periodically. Most customers opt for a one-hour re-authentication interval, some four hours. "It all depends on the type of users and how long they expect them to be there," Grosner says. The system doesn't cut users off in mid-download, though, he's quick to point out: it waits for the next new request from the user's browser and prompts for re-authentication then.
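The flow Grosner describes (phone number in, SMS code out, a session that expires after an hour, enforcement only at the browser's next new request) is simple to state but has a few details that matter for the accountability the product promises: the code has to be unpredictable, short-lived and single-use, the comparison should not leak timing, and every session has to stay tied to the phone number that requested it. The following is an added example written for this page, not Sesame's code and not a description of the Sesame Access Manager's internals. The six-digit code, five-minute code lifetime, three-attempt limit, and the injected `send_sms` and `now` callbacks are all assumptions made here.

```python
"""Added example: a minimal SMS one-time-password captive-portal session manager.
This is illustrative code written for this page, not Sesame Networks' software."""
import hmac
import secrets
from dataclasses import dataclass

OTP_DIGITS = 6             # assumption: six-digit numeric code
OTP_TTL = 5 * 60           # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 3           # assumption: three wrong guesses burn the code
REAUTH_INTERVAL = 60 * 60  # the one-hour interval most customers choose


@dataclass
class Challenge:
    phone: str
    code: str
    expires_at: float
    attempts: int = 0
    used: bool = False


@dataclass
class Session:
    phone: str        # the accountability anchor: who this session belongs to
    reauth_due: float


class Portal:
    def __init__(self, send_sms, now):
        self.send_sms = send_sms  # (phone, text) -> None; a real deployment hands this to an SMS gateway
        self.now = now            # () -> float; injected so behaviour is testable without a wall clock
        self.challenges = {}      # phone -> Challenge
        self.sessions = {}        # opaque session token -> Session
        self.audit = []           # (time, phone, event): the per-user trail the host keeps

    def request_code(self, phone):
        """Step 1: guest types a phone number; we text a fresh random code to it."""
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self.challenges[phone] = Challenge(phone, code, self.now() + OTP_TTL)
        self.send_sms(phone, f"Your guest Wi-Fi password is {code}")
        self.audit.append((self.now(), phone, "code-sent"))  # the code itself is never logged

    def login(self, phone, code):
        """Step 2: guest submits the code; on success return a session token."""
        ch = self.challenges.get(phone)
        if ch is None or ch.used or self.now() > ch.expires_at:
            self.audit.append((self.now(), phone, "login-failed-no-valid-code"))
            return None
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS or not hmac.compare_digest(ch.code, code):
            if ch.attempts >= MAX_ATTEMPTS:
                ch.used = True  # burn the code; the guest must request a new one
            self.audit.append((self.now(), phone, "login-failed-bad-code"))
            return None
        ch.used = True  # single use: replaying the same SMS code later must fail
        token = secrets.token_urlsafe(16)
        self.sessions[token] = Session(phone, self.now() + REAUTH_INTERVAL)
        self.audit.append((self.now(), phone, "login"))
        return token

    def check_request(self, token):
        """Called by the portal's HTTP hook for each *new* browser request.
        Existing TCP flows are not touched here, so a download that began before
        the deadline completes; the guest is only bounced to the login page when
        the browser next opens a new request after the re-auth time has passed."""
        s = self.sessions.get(token)
        if s is None:
            return "login-required"
        if self.now() >= s.reauth_due:
            del self.sessions[token]
            self.audit.append((self.now(), s.phone, "reauth-required"))
            return "reauth-required"
        return "allow"

    def who_is(self, token):
        """Map a live session back to the phone number that authenticated it."""
        s = self.sessions.get(token)
        return s.phone if s else None
```

The phone number is the only identity the system ever sees, so the audit trail is exactly as trustworthy as the assumption that the person holding the phone is the person who typed the number; the example keeps that binding explicit by storing the phone on the session and refusing to reuse or extend a code.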
Costs in most implementations work out to about $1,500 a year over five years and $1,000 a year thereafter. Customers pay for the authentication service, plus lease-purchase of access points and the Sesame Access Manager (SAM), a Linux server running proprietary (and patent pending) Sesame software, which manages the authentication process.
"Now you're traceable," Grosner says. "There's implied accountability in the fact that you're using your personal identification when you log in. I don't think anyone expects to be anonymous if they're logged in under their own ID and password."
The concern is not so much that guests might try to hack into the host's office LAN through the guest Wi-Fi LAN. Most companies implementing this kind of system know enough to use Wi-Fi equipment that supports Virtual LANs (VLANs): logically separate networks that share the same physical infrastructure but are isolated from one another by a firewall, each with its own security policy and log-on procedure.
In the majority of Sesame's 25-plus deployments to date the company has implemented a complete solution, meaning it installs a new Wi-Fi LAN in public areas of the facility, in some cases even when a Wi-Fi office LAN is already present. It can also use existing Wi-Fi infrastructure. Either way, Sesame-engineered systems always put guest access on a separate VLAN to provide a base level of security.
The greater concern is what unsupervised guests might do out on the public Internet. "It's partially a liability issue, but it's as much or more an embarrassment issue," Grosner says. Consider the implications of a guest using your courtesy Wi-Fi service to, say, mount a denial-of-service or spam attack or distribute child pornography, and of the victim of the attack or the police tracing the activity back to your network.
"We have talked to lawyers about what it would take to be sued for damages under such circumstances, but they say that's still unclear," Grosner says.
With a Sesame system, the host organization can track exactly who was responsible for what activity on its network and where individual users went on the Internet during a session. Big Sesame is watching, which may be no bad thing. If CALEA (Communications Assistance for Law Enforcement Act) rules about traceability of phone calls are extended to Internet access, the Sesame system will be compliant, Grosner points out.