Hotels: How Safe is Your Guest Internet Network?
Regardless of whether your hotel's guest network is hardwired or wi-fi, it is possible that malicious users could attempt to intercept your guests' sensitive business information. The ease (or difficulty) of attacking a guest network depends in large part on that network's architecture. In a report published by the Center for Hospitality Research, a team of Cornell researchers explained why virtual local area networks (VLANs) currently form the most secure defense for guest networks.
The report, "Network Security: A Study of the Computer Networks in U.S. Hotels," by Josh Ogle,
Erica L. Wagner, and Mark P. Talbert, tested the security of 147 hotels. Ogle visited the hotels with the intent of determining whether he could, first, log onto their guest network, and, second, intercept other guests' data. Of the 147 hotels, he was able to log on to the networks of 46, often without being a guest of the hotel. Although authentication might have been a barrier, Ogle was able to find employees who would assist him. Ogle also found that only six of 39 hotels with wi-fi used encryption. It is important to note that this applies to guest networks only, and Ogle found that hotels kept their own business network separate and secure.
Network architecture
Looking at the possible network architecture, Ogle, Wagner, and Talbert found that some hotels still use relatively rudimentary hub technology, which is particularly subject to hacking. Other hotels upgraded to switches or routers. While these are better than hubs, they can still be subject to malicious attacks. Instead, the report suggests that hotels upgrade to VLANs for all users.
In a VLAN, each node on a network is isolated by being its own local area network, or intranet. That way, data transmissions bypass the other nodes on the network. In a typical attack, a person would use software to set up the attacker's computer to imitate the hotel's main server (a process known as ARP spoofing). If that attack is successful in a hub or router system, all data would then flow through the attacker's computer. However, the VLAN would isolate that attacking computer in a network of one device.
As a best-practice example, Ogle, Wagner, and Talbert cite the case of the W Dallas Victory Hotel, which established a VLAN for every node on its network. They believe that this should protect against stolen data because it gives the hotel more control over its network. Management can isolate any particular node, if need be. That way, the hotel can disable any particular port if that becomes necessary. Finally, the researchers point out that the VLAN approach is transparent to guests. Thus, they receive a higher security level without the need of any special technical ability.
The report, "Network Security: A Study of the Computer Networks in U.S. Hotels," by Josh Ogle,
Erica L. Wagner, and Mark P. Talbert, tested the security of 147 hotels. Ogle visited the hotels with the intent of determining whether he could, first, log onto their guest network, and, second, intercept other guests' data. Of the 147 hotels, he was able to log on to the networks of 46, often without being a guest of the hotel. Although authentication might have been a barrier, Ogle was able to find employees who would assist him. Ogle also found that only six of 39 hotels with wi-fi used encryption. It is important to note that this applies to guest networks only, and Ogle found that hotels kept their own business network separate and secure.Network architecture
Looking at the possible network architecture, Ogle, Wagner, and Talbert found that some hotels still use relatively rudimentary hub technology, which is particularly subject to hacking. Other hotels upgraded to switches or routers. While these are better than hubs, they can still be subject to malicious attacks. Instead, the report suggests that hotels upgrade to VLANs for all users.
In a VLAN, each node on a network is isolated by being its own local area network, or intranet. That way, data transmissions bypass the other nodes on the network. In a typical attack, a person would use software to set up the attacker's computer to imitate the hotel's main server (a process known as ARP spoofing). If that attack is successful in a hub or router system, all data would then flow through the attacker's computer. However, the VLAN would isolate that attacking computer in a network of one device.
As a best-practice example, Ogle, Wagner, and Talbert cite the case of the W Dallas Victory Hotel, which established a VLAN for every node on its network. They believe that this should protect against stolen data because it gives the hotel more control over its network. Management can isolate any particular node, if need be. That way, the hotel can disable any particular port if that becomes necessary. Finally, the researchers point out that the VLAN approach is transparent to guests. Thus, they receive a higher security level without the need of any special technical ability.
To read this and other reports, click here.
Glenn Withiam is director of publications for the Cornell Center for Hospitality Research.
Glenn Withiam is director of publications for the Cornell Center for Hospitality Research.