Open Sesame!

By Gerry Blackwell

October 21, 2004

Canadian startup Sesame Networks takes the muss and fuss out of supplying secure Wi-Fi Internet access to corporate visitors. The system is simple and easy to use, but folks without cell phones won't be able to play.

Offering free Wi-Fi Internet access to guests is no longer just a phenomenon of the hotel and restaurant industries. The notion of offering visitors to your office courtesy Wi-Fi access while they're on the premises is beginning to catch on. Earlier this year we wrote about a law firm in Toronto that set up a wireless LAN throughout its offices expressly for the use of visiting clients, suppliers, and opposing counsel. Others have followed this lead.

One problem, though, is how to control access to the network. Some companies with guest Wi-Fi services hand out scratch cards with user IDs and passwords, à la commercial hotspot services. Others keep a relatively small pool of reusable IDs and passwords at the reception desk. Neither is entirely satisfactory: both require staff to administer and monitor the process, and neither tells the host organization who is using its network or what they might be doing on it.

Enter Sesame Networks. Sesame, a one-year-old Wi-Fi start-up, recently introduced a product/service that lets guest users "self-authenticate" by typing their cell phone number into a log-in page. The system then sends a Short Message Service (SMS) text message containing a one-time password to that phone.

"They get the SMS in about five seconds," explains Sesame vice president of product marketing Cliff Grosner. "They take the password they receive, put it in the password field and click Log-on. They're redirected to the company's welcome screen and from there they can get access to the Web."

The system assigns the user's device an IP address as part of the authentication process and binds that IP address to the device's MAC address for the duration of the session. Only one IP address at a time is issued per account, so a second device logging in under the same phone number displaces the first. When the device passes out of range of the local Wi-Fi network, the session ends.

The system also asks users to re-authenticate periodically. Most customers opt for a one-hour re-authentication interval, some four hours. "It all depends on the type of users and how long they expect them to be there," Grosner says. The system doesn't cut users off in mid-download, though, he's quick to point out. It waits until their next new request from the browser and asks them then.
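The mechanism described above (phone number in, SMS password out, IP bound to MAC, one session per account, re-authentication deferred to the next browser request) is easy to model. The following is an added example written for this article, not Sesame's software: the SMS gateway is a stand-in that records outbound messages, the IP pool, code length, code lifetime and attempt limit are this example's own assumptions, and the clock is injectable so the timeouts can be exercised.

```python
import hmac
import secrets
import string
import time
from dataclasses import dataclass

# Constructed policy values. The article only gives the one-hour/four-hour
# re-authentication interval; everything else here is an assumption.
OTP_LENGTH = 6
OTP_TTL = 300            # seconds an unused code stays valid
MAX_ATTEMPTS = 5         # wrong guesses before the code is voided
OTP_ALPHABET = string.ascii_uppercase + string.digits


@dataclass
class Pending:
    code: str
    issued_at: float
    attempts: int = 0


@dataclass
class Session:
    phone: str
    mac: str
    ip: str
    last_auth: float


class SmsGateway:
    """Stand-in for a carrier SMS API: records what would have been sent."""

    def __init__(self):
        self.outbox = []

    def send(self, phone, text):
        self.outbox.append((phone, text))


class CaptivePortal:
    def __init__(self, sms, ip_pool, reauth_interval=3600, clock=time.time):
        self.sms = sms
        self.free_ips = list(ip_pool)
        self.reauth_interval = reauth_interval
        self.clock = clock
        self.pending = {}     # phone -> Pending one-time password
        self.by_mac = {}      # mac -> Session (the IP/MAC binding)
        self.by_phone = {}    # phone -> mac (one session per account)
        self.audit = []       # (time, phone, mac, ip, event) for traceability

    def request_code(self, phone):
        """Step 1: guest types a phone number; a random code goes out by SMS."""
        code = "".join(secrets.choice(OTP_ALPHABET) for _ in range(OTP_LENGTH))
        self.pending[phone] = Pending(code, self.clock())
        self.sms.send(phone, f"Your guest Wi-Fi password is {code}")

    def login(self, phone, code, mac):
        """Step 2: verify the code and bind the device's MAC to a leased IP.
        Returns the leased IP on success, None on failure."""
        now = self.clock()
        p = self.pending.get(phone)
        if p is None:
            return None
        p.attempts += 1
        if now - p.issued_at > OTP_TTL or p.attempts > MAX_ATTEMPTS:
            del self.pending[phone]        # void it rather than let it be guessed
            return None
        if not hmac.compare_digest(p.code, code.strip().upper()):
            return None
        del self.pending[phone]            # a code is usable exactly once
        prev_mac = self.by_phone.get(phone)
        if prev_mac is not None and prev_mac != mac:
            self.disconnect(prev_mac)      # one IP at a time per account
        existing = self.by_mac.get(mac)
        if existing is not None and existing.phone != phone:
            self.by_phone.pop(existing.phone, None)   # device re-registered
        ip = existing.ip if existing else self.free_ips.pop(0)
        self.by_mac[mac] = Session(phone, mac, ip, now)
        self.by_phone[phone] = mac
        self.audit.append((now, phone, mac, ip, "login"))
        return ip

    def check_request(self, mac, ip):
        """Step 3: the gateway calls this on each new browser request.
        Re-authentication is decided here, at the next request, instead of
        by a timer that would cut off an in-progress download."""
        s = self.by_mac.get(mac)
        if s is None or s.ip != ip:
            return "portal"                # unknown device, or IP not leased to this MAC
        if self.clock() - s.last_auth > self.reauth_interval:
            return "reauth"
        return "allow"

    def disconnect(self, mac):
        """Device left the WLAN (or was evicted): end session, release the IP."""
        s = self.by_mac.pop(mac, None)
        if s is None:
            return
        self.by_phone.pop(s.phone, None)
        self.free_ips.append(s.ip)
        self.audit.append((self.clock(), s.phone, mac, s.ip, "logout"))

    def who_had(self, ip, at):
        """Accountability lookup: which phone number held this IP at time `at`?"""
        holder = None
        for t, phone, _mac, addr, event in self.audit:   # audit is time-ordered
            if addr == ip and t <= at:
                holder = phone if event == "login" else None
        return holder
```

Two details matter for a real deployment and are easy to get wrong: the code must come from a CSPRNG (`secrets`, not `random`) and be single-use with an expiry and an attempt limit, or an attacker on the guest VLAN can simply guess six characters; and the gateway must check the IP/MAC pair on every request, because a device that adopts an authenticated neighbour's IP address alone would otherwise inherit its session.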

Setup factors
Costs in most implementations work out to about $1,500 a year over five years and $1,000 a year thereafter. Customers pay for the authentication service, plus lease-purchase of access points and the Sesame Access Manager (SAM), a Linux server running proprietary (and patent pending) Sesame software, which manages the authentication process.

The main selling points of the Sesame "Wi-Fi mobility solution" are that it's very simple for users, requires no administration or monitoring by the host organization and effectively makes guests responsible for what they do on the network. Their cell phone number, which is associated in the carrier's records with their name and other personal information (at least for a postpaid account; a prepaid number need not be registered to anyone), becomes their log-on user ID.

"Now you're traceable," Grosner says. "There's implied accountability in the fact that you're using your personal identification when you log in. I don't think anyone expects to be anonymous if they're logged in under their own ID and password."

Security factors
The concern is not so much that guests might try to hack into the host's office LAN through the guest Wi-Fi LAN. Most companies implementing this kind of system know enough to use Wi-Fi equipment that supports Virtual LANs (VLANs): logically separate networks that share the same switches and access points, with traffic between them blocked or filtered by a firewall and each carrying its own security policies and log-on procedures.

In the majority of Sesame's 25-plus deployments to date the company has implemented a complete solution, meaning it installs a new Wi-Fi LAN in the public areas of the facility, in some cases even when a Wi-Fi office LAN is already present. It can also use existing Wi-Fi infrastructure. Either way, Sesame-engineered systems always put guest access on a separate VLAN so that guest traffic never shares a broadcast domain with the office network.

The greater concern is what unsupervised guests might do out on the public Internet. "It's partially a liability issue, but it's as much or more an embarrassment issue," Grosner says. Consider the implications of a guest using your courtesy Wi-Fi service to, say, mount a denial of service or spam attack or distribute child pornography—and the victim of the attack or the police tracing the activity back to your network.

"We have talked to lawyers about what it would take to be sued for damages under such circumstances, but they say that's still unclear," Grosner says.

With a Sesame system, the host organization can track exactly who was responsible for what activity on its network and where individual users have gone on the Internet during a session. Big Sesame is watching—which may be no bad thing. If CALEA (Communications Assistance for Law Enforcement Act) rules about traceability of phone calls are extended to Internet access, the Sesame system will be compliant, Grosner points out.
