The Basics of Setting Up a Secure, Successful Wireless Network at Your Laundry Business
[This is the fourth in a series of articles written to offer helpful suggestions about where to begin and how to better manage an existing or planned Wi-Fi network. Among the topics to be covered are service providers, network options, security and the implementation of Wi-Fi to better serve you and your customers. The first, second and third parts appeared in the September 2017, November 2017 and January 2018 issues, respectively.]
Welcome once again to “Making Connections.” This will be the final voyage of this four-part Wi-Fi series, and it shall bring this wonderful journey into wireless and security bliss to a close.
We have certainly covered a great deal of information. The following is a list of the topics we went over in the past three installments. Please reference your past PlanetLaundry magazines or visit www.planetlaundry.com to review these articles. Of course, feel free to play classical music or an adventure movie score in the background while going through some of these previous topic bullet points below:
• Internet Connections
• Quality Cabling
• Wireless Access Point Types
• Wireless Access Point Placement
• 2.4 GHz vs. 5 GHz
• Installation Consideration
• RF/Signal Limitations
• WAP Power Options
• Service Providers
• Service Types
• Wireless Access Points (APs)
• Importance of Good Cabling
• Controller/Controllerless APs
• RF Noise Discovery
• Wireless Signal/Channel Testing
• Securing Your Network
• Technical Requirements/Options
We concluded Part Three with four possible configuration options, each with its own degree of technical difficulty, covering the most popular scenarios for vended laundries. This final installment will cover the topics below, including a deeper look at previous information and a few other critical bits of information.
Managing devices is much simpler using web-based interfaces. Therefore, everything here will be based on devices that are configured via a web browser. Keep in mind though – just because a device has a fancy interface does not mean that everything is straightforward and done automatically for you. The standard disclaimer from the last article must also be inserted here: always seek a technical professional to ensure your settings and configurations are secure, especially with security devices such as firewalls. Please note that we are only focusing on the “Technical Requirements” of Options Two, Three, and Four.
Managing Multiple Applications
ISP > Access Point
ISP > Firewall > Switch > PCs/Laptops/AP
A firewall is the device or software that protects you from the outside world. Security is always of the utmost importance; therefore, a firewall should always be in place. The firewall can be a dedicated security appliance, such as a Sonicwall, or built into other devices, such as your ISP hardware, router, or wireless access point.
Software firewalls can be very good; however, they usually run on the computer itself, on the inside of your hardware firewall. In other words, traffic comes through and then you rely on software such as the Windows Firewall to protect you. The downside is that you are allowing the traffic in and then relying on your computer to protect you.
On the other hand, dedicated hardware stops traffic before it can even see that your computer is there. People always ask, “Well, if that is the case, and hardware is so much better, then why do I still get viruses or get hacked?” This is simply because you use applications on your computer that allow traffic in – a web browser, a downloader, a movie player, etc. Any of these applications can have holes that open you up to infections. This is one of the reasons we always push for additional protection on your computer.
Since your device is only as secure as the software it uses, having the most up-to-date firmware is extremely important. One of the downsides of using discontinued old hardware or out-of-date (end-of-life) legacy hardware is that the protection is not as strong as up-to-date devices. Always keep this in mind when shopping. Saving a buck can cost you a lot more in the future. Now onto the fun part – configuring!
Backing up your settings is as important as backing up your computer data. You would hate having to reconfigure your devices if anything were to happen. Back those up so that you always have a copy of your hard work.
The first step in configuring your hardware-based firewall is to plug in your internet line to the WAN/internet port. Now, plug your switch into the LAN port, and then your laptop or PC into the switch. Ignore the Wireless Access Point and additional PCs and laptops for now. We first need to configure the firewall. Follow your manufacturer’s quick setup guide to find the default IP address of the firewall. You will connect to your hardware using that IP address via a browser. Since many devices give you an address and access to the network right when you plug into them (via what is called DHCP), you will be able to proceed to Step Two easily.
The second step is to open your internet browser and enter the IP address given in the manual directly into the address bar of your browser, such as http://192.168.1.1. Now enter the default username and password that were provided.
Once logged in, go through the wizard and choose your setup. Depending on the manufacturer, you will be asked what type of connection your laundry has. Cable? DSL? Dialup? Your answer tells the firewall how to give you internet access. At this point, you may also be asked what subnet you want your LAN to be on. Think of a subnet as the street your house is on, and your home address as the IP address. No two houses on your street can have the same address, and different computers should never have the same IP address. The subnet 192.168.1.0 is different from 192.168.2.0. Feel free to leave the LAN settings as they are; depending on the device, that is not uncommon.
The third step is to change the default password of the device to a secure password of your choice. Remember that the more difficult and longer the better. Also document this information in an inconspicuous area – if you lose your password, then you will have no choice but to reset the firewall to factory settings and start all over again.
The fourth step is to register your device and then download and install the latest firmware. Your firewall will most likely warn you that it will need to reboot and then take up to five minutes to come back online. Once it has finished installing the new software, connect back to your firewall and enter the username and your new password that you previously entered.
The fifth step is to ensure everything is secure and working properly. Test the internet and also go to www.grc.com and look for “ShieldsUP!” which has a few wonderful web-based tools to test your security. Again, having an IT professional is always suggested to make certain you are truly secure.
Once you know everything is in order, you can connect your additional devices, which may include multiple PCs, laptops, etc. Are they able to all get online? If so, nice work! We can now begin the configuration of your Wireless Access Point(s).
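To make the "street and house address" idea from the wizard step concrete, here is a small added example (it is not from the article or from any manufacturer's software) that audits a planned list of fixed addresses against the LAN subnet and the DHCP pool the firewall hands out. The subnet, DHCP range and device names are assumptions constructed for the demo; Python's standard ipaddress module does the arithmetic.

```python
import ipaddress

# Constructed sample plan for the LAN set up in the firewall wizard.
# All addresses here are examples, not settings from the article.
LAN = ipaddress.ip_network("192.168.1.0/24")           # the "street"
DHCP_RANGE = (ipaddress.ip_address("192.168.1.100"),
              ipaddress.ip_address("192.168.1.199"))    # pool the firewall hands out

# Devices that get a fixed ("static") address, keyed by a hypothetical name.
# Two deliberate mistakes are included so the audit has something to find.
STATIC_HOSTS = {
    "firewall": "192.168.1.1",
    "ap-front": "192.168.1.10",
    "ap-back": "192.168.1.11",
    "office-pc": "192.168.1.10",    # duplicate of ap-front: two houses, one address
    "stray-device": "192.168.2.5",  # on a different "street" (192.168.2.0/24)
}


def same_subnet(ip: str, network: ipaddress.IPv4Network = LAN) -> bool:
    """True when ip is a house on this street (belongs to the subnet)."""
    return ipaddress.ip_address(ip) in network


def in_dhcp_range(ip: str, dhcp=DHCP_RANGE) -> bool:
    """True when ip falls inside the pool the firewall assigns automatically."""
    lo, hi = dhcp
    return lo <= ipaddress.ip_address(ip) <= hi


def free_for_static(network: ipaddress.IPv4Network = LAN, dhcp=DHCP_RANGE) -> int:
    """Usable addresses left for fixed assignments once the network address,
    the broadcast address and the DHCP pool are excluded."""
    lo, hi = dhcp
    pool_size = int(hi) - int(lo) + 1
    return network.num_addresses - 2 - pool_size


def audit_hosts(hosts: dict) -> dict:
    """Report the planning mistakes the firewall wizard will not catch for you:
    an address off the subnet, a static address inside the DHCP pool (the
    firewall may hand it to another device as well), and the same address
    given to two devices."""
    problems = {"off_subnet": [], "in_dhcp_pool": [], "duplicates": []}
    seen = {}
    for name, ip in hosts.items():
        if not same_subnet(ip):
            problems["off_subnet"].append(name)
            continue
        if in_dhcp_range(ip):
            problems["in_dhcp_pool"].append(name)
        if ip in seen:
            problems["duplicates"].append((seen[ip], name, ip))
        seen.setdefault(ip, name)
    return problems


if __name__ == "__main__":
    print(f"{free_for_static()} addresses free for static devices on {LAN}")
    for kind, found in audit_hosts(STATIC_HOSTS).items():
        print(f"{kind}: {found or 'none'}")
```

Run it as-is and it reports the duplicate and the stray device; swap in your own subnet and address list to check a plan before typing it into the firewall.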
Wireless Access Point (WAP)
How you log into your WAP will depend on what kind of access point you purchased. Did you buy a “controller-based” AP or a “controllerless” AP? As an example, the firewall you just configured can be seen as “controllerless” since you logged right into the device and did not need a “man in the middle” to configure. Controller-based access points require you to log into a controller, which is “software” separate from the access point. The controller can still be web-based but you don’t log directly into a controller-based access point. Although they can be more involved than controllerless – as previously mentioned – they often offer far more control over one or many access points from one single interface.
Your access point may also have a power injector. The power injector plugs into your LAN (your switch) and the other port on the injector, which is generally labeled as PoE, plugs into your access point. If you purchased a PoE WAP and did not receive a power injector, you must use a PoE switch. PoE stands for Power Over Ethernet, which means exactly what it says. The device receives its power over the ethernet cord, which is plugged into an injector or a PoE switch. All we need at this point is for you to power it up and plug it into your new switch.
Access points can be configured in one of three ways. One, using software that came with the device. The software will scan the network for your new AP and allow you to configure everything from the software. Two, plug directly into the AP with your computer and give yourself a static IP address so you can connect to the default IP address of the unit. Or, three – the WAP will receive an address from the firewall's DHCP server, and you connect to the given IP address. We have to assume that you have the IP address and are connecting to the device using one of the methods above. All devices are different and, therefore, the steps shown may not be in the same sequence as the device you have.
1. Open your browser and enter the IP address of the wireless device, as well as the given username and password. Following similar steps as the firewall, go through the default settings.
2. Again, similar to the firewall, if you were presented with a wizard – run through the choices/options and change the default password of the device to a secure password of your choice. Keep to the rule of the more difficult and longer the better.
3. Register your device and then download and install the latest firmware. Your AP will most likely warn you that it will need to reboot and take some time to come back online. Once it has finished installing the new firmware, connect back to your WAP to complete the steps.
4. Create your wireless network. Give your private wireless network a name (SSID) that makes sense to you. Set a difficult password using at least WPA2 encryption. Same rule applies – passwords – do not make them easy!
Important Note: a serious flaw in WPA2 security (known as KRACK) was disclosed in 2017 and has put an extremely unfortunate number of devices and personal/private information at risk. Installing the latest firmware and security updates is even more important than ever. Many manufacturers have already patched or are working on patches for WPA2 security. Sadly though, companies often disregard older devices no matter what you paid for them. As an example, I purchased a new smartphone less than a year ago and they just now patched the security flaw despite the many months that have gone by. This brings to mind the importance of keeping up to date with both software and hardware. Research your devices and check with the manufacturers to see if they have patches available. Google “WPA2 Security,” “KRACK,” “WPA2 Patch,” etc.
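As an added illustration of the "longer and more difficult" rule for the Wi-Fi password (this is not code from the article or from any vendor), the following Python checks a candidate passphrase against what an access point will accept for WPA2 (8 to 63 printable ASCII characters), estimates its guessing strength, and generates a fresh one from the operating system's secure random source. The list of common defaults and the 12-character minimum are assumptions chosen for the demo.

```python
import math
import secrets
import string

# WPA2-PSK passphrases must be 8 to 63 printable ASCII characters; this is a
# property of the standard, not a setting from the article.
WPA2_MIN_LEN, WPA2_MAX_LEN = 8, 63
PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " ")

# Character classes used to estimate how hard a passphrase is to guess.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}

# Constructed list of values that should never be a Wi-Fi or admin password.
COMMON_DEFAULTS = {"password", "admin", "12345678", "laundromat", "guest"}


def valid_wpa2_passphrase(p: str) -> bool:
    """Will the access point even accept this as a WPA2 passphrase?"""
    return WPA2_MIN_LEN <= len(p) <= WPA2_MAX_LEN and all(c in PRINTABLE for c in p)


def classes_present(p: str) -> int:
    """How many of the four character classes appear in the passphrase."""
    return sum(1 for chars in CLASSES.values() if any(c in chars for c in p))


def entropy_bits(p: str) -> float:
    """Rough guessing strength: length x log2(size of the alphabet actually used).
    Shows why 'longer' beats 'clever': each extra character multiplies the work."""
    alphabet = sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in p))
    return len(p) * math.log2(alphabet) if alphabet else 0.0


def weaknesses(p: str) -> list:
    """Plain-language reasons a passphrase fails the 'longer and harder' rule."""
    issues = []
    if len(p) < 12:
        issues.append("shorter than 12 characters")
    if classes_present(p) < 2:
        issues.append("single character class")
    if p.lower() in COMMON_DEFAULTS:
        issues.append("well-known default")
    return issues


def generate_passphrase(length: int = 20) -> str:
    """Random passphrase from letters and digits using the OS's secure source
    (the secrets module), regenerated until it passes the checks above."""
    alphabet = string.ascii_letters + string.digits
    while True:
        p = "".join(secrets.choice(alphabet) for _ in range(length))
        if valid_wpa2_passphrase(p) and not weaknesses(p):
            return p


if __name__ == "__main__":
    for candidate in ("12345678", "correct horse battery", generate_passphrase()):
        print(f"{candidate!r}: {entropy_bits(candidate):.1f} bits, "
              f"issues={weaknesses(candidate) or 'none'}")
```

The entropy figure is only a ceiling (a dictionary word scores as high as random letters), so treat the weaknesses list as the real gate and the bit count as a way to see how much each added character buys you.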
You may have purchased a single access point, which requires a controller (such as a Unifi). Or you may have purchased many. Controllers help manage multiple APs by allowing you to manage and configure them all from one location – the controller.
1. Connect your access point or all of your access points to the network and allow them to power on.
2. Install and run the controller software, which may then open a browser for you to login to.
3. Configure the network settings as well as your wireless network settings similar to the controllerless steps. The joy here is – when done properly – the configurations you make will flow automatically to your access point(s). Future changes and updates will work the same – the controller allows you to control everything from one single point. Yes, this includes firmware upgrades.
4. Once your settings are complete, including your wireless network settings and security, follow your particular product's manual and allow your settings to propagate down to your single or multiple WAPs.
5. Once you are sure your Access Points are up to date and configured properly (again – always advised to consult an IT professional), begin connecting devices and testing your wireless network.
Configure your guest Access Points using similar steps as your private network. The main difference here is the guest network should not have (nor ever have) access to your private network. Guest networks are not secure, and you have no control over the devices that connect to them. In other words, there is no way for you to know whether or not John Doe’s laptop is full of viruses or if Jane Doe is a hacker looking to steal everyone’s data. Always make absolutely certain that public networks can’t access the private network.
With Option Two, the guest network is plugged directly into the ISP modem and your firewall is blocking the guest network. This option is more secure than Option Three.
Option Three is relying on a device that offers both private and public networks from a single box, which is not a dedicated security appliance. Although this may be business hardware, this is similar to your home setup. Be extremely mindful with Option Three configurations.
Option Four, in which you are using your ISP hardware for your basic private network, is more secure than Option Three. The reason is that this option takes advantage of the ISP's public hotspot feature. Unfortunately, however, with Option Four you have no way of keeping track of usage, configuring capture pages, advertising, etc. This option offers convenience for your customers but no possible wireless revenue for you – aside, of course, from the fact that they may choose your location over another due to the available hotspot.
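To show what "the guest network must never reach the private network" means in firewall terms, the following added example (not the article's, and not any product's rule syntax) models a first-match rule list and checks it. It uses two constructed subnets and a documentation-range address standing in for a website; the rule notes and sample hosts are assumptions. The same three rules appear twice, once in the right order and once with the broad allow entered first, which is the mistake that quietly defeats isolation on a first-match firewall.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example subnets; the article fixes no particular addresses.
PRIVATE_LAN = ipaddress.ip_network("192.168.1.0/24")   # firewall, office PCs, APs
GUEST_LAN = ipaddress.ip_network("192.168.2.0/24")     # customers' devices
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str          # "allow" or "deny"
    note: str = ""


def evaluate(rules, src_ip: str, dst_ip: str) -> str:
    """First matching rule wins, as on most firewalls; unmatched traffic is denied."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if s in rule.src and d in rule.dst:
            return rule.action
    return "deny"


# Correct ordering: the specific deny sits ABOVE the broad allow.
ISOLATED_POLICY = [
    Rule(GUEST_LAN, PRIVATE_LAN, "deny", "guests may never reach the office LAN"),
    Rule(GUEST_LAN, ANY, "allow", "guests get the internet and nothing else"),
    Rule(PRIVATE_LAN, ANY, "allow", "office devices may go anywhere"),
]

# Same three rules, but the broad allow was entered first. On a first-match
# firewall the deny below it is never consulted, so guests can reach the office.
LEAKY_POLICY = [ISOLATED_POLICY[1], ISOLATED_POLICY[0], ISOLATED_POLICY[2]]

# Representative hosts to probe (constructed): first, middle and last addresses.
GUEST_SAMPLES = ["192.168.2.1", "192.168.2.50", "192.168.2.254"]
PRIVATE_SAMPLES = ["192.168.1.1", "192.168.1.10", "192.168.1.254"]
INTERNET_SAMPLE = "203.0.113.10"   # documentation address standing in for a website


def isolation_holds(rules) -> bool:
    """Every sampled guest host is blocked from every sampled private host."""
    return all(evaluate(rules, g, p) == "deny"
               for g in GUEST_SAMPLES for p in PRIVATE_SAMPLES)


def guests_have_internet(rules) -> bool:
    """Isolation must not come at the cost of the service customers came for."""
    return all(evaluate(rules, g, INTERNET_SAMPLE) == "allow" for g in GUEST_SAMPLES)


if __name__ == "__main__":
    for name, policy in (("isolated", ISOLATED_POLICY), ("leaky", LEAKY_POLICY)):
        print(f"{name}: isolation={isolation_holds(policy)} "
              f"internet={guests_have_internet(policy)}")
```

Both policies give guests internet access, which is why the leaky one is easy to miss: the only visible symptom is that a laptop on the guest Wi-Fi can also open the office PCs. Checking from a guest device that the firewall's LAN address and an office PC are unreachable is the practical version of the isolation_holds test.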
Making changes to your devices, as well as viewing access logs and usage, goes with the territory of managing your own equipment. How do you do this if you are not always in the office or if you want to keep manual tabs on how many people connected to your network after you ran a special or event? Simple. There are multiple ways of going about this. Depending on your hardware, a few choices are:
1. Use remote control software, such as LogMeIn, on a computer at your office. Log into that machine directly and access your devices.
2. Configure the remote administration feature on your devices that allow access from the internet. (Be very careful with this one.)
3. Use a network-based controller, which is always securely available.
4. Use a third-party service from your manufacturer that allows remote access, logging, and reporting of usage, etc.
This concludes our travels, and please consider re-reading all of the articles from one to four. You will then have a fuller understanding of the information and a better flow of knowledge. This has been a wonderful conversation, and I greatly appreciate the time you have spent with me these past few months. My hope is that I provided a wealth of information that you found useful and engaging, and were able to learn from these pages.
With great respect to you – I wish you success and security!