Is Cisco Linksys Guest mode secure enough?
The question I am trying to ask is: does the guest mode really work and keep guests out of the main network? In short, yes, it does keep people out of internal networks. The problem is far from over, though. Here is my research:
1. Connecting to the guest SSID says it is unsecured. I am not too worried, as Cisco has its own password to allow people onto the internet... but wait, this is a problem. Since this is an open network with no encryption, everything is sent in clear text. This is a potential disaster. In theory, after connecting to this network and opening the web browser, the browser window will ask for Cisco's password. If you send this password, isn't it in clear text? Someone simply on the network with a packet sniffer can grab the password when someone logs on. Is this an issue? Well, sort of. I wanted to use this for select people, not everyone. These select people would be employees on break or a 3rd-party company in the store doing a demo and wanting internet access. So someone wanting to get into the guest account would only need to do some sniffing around to get the guest password. Biggie? Well, I don't want people on my network that I don't know, which is why I am so picky.
2. This wireless should only allow internet access, with no file sharing between clients connected to the network. In other words, HTTP or HTTPS and that is it. This will have to be tested at a later time.
3. If you have your main page open in HTTPS, the login screen from Cisco to type in the password doesn't pop up; it times out, making you think something isn't connecting right. This is a potential problem since most home pages used are in HTTPS.
4. I cannot specify how long to release an IP to a guest. You can select from 1 to 10 guests on your guest wireless. So if I wanted only 5 people on my guest access at a time, DHCP would only release 5 addresses and then the pool would be full until DHCP releases the oldest. The problem is that I cannot say how long it takes for DHCP to delete entries that are not being used. This is only handled in the main settings, affecting all connections and not just the guests on the guest wireless. This also means that with lots of people logging on, even though someone may be gone, it still doesn't allow anyone on until the oldest entry expires. I wish there was a DHCP release time for guest access.
5. There is no way to filter what guest access actually entails. I cannot filter traffic to only allow HTTP traffic, for example. If I do any type of whitelist, it has to be applied to all wireless devices, and not just those on the guest list. This is a bummer. I would have liked a rule saying "I want my guests to have access only to these websites and nothing else". I would have also liked to not allow traffic between guests, making it more secure per guest.
6. I would have also liked to see some QoS on guest vs. internal networks. I want to make sure my internal networks don't suffer because someone decides to watch Hulu and download the next big game on BitTorrent on our guest SSID.
7. Some other things: I cannot change the Guest access SSID, so I am stuck with "name-guest" with "name" being my internal SSID. I cannot change the IP address scheme. I don't know what would happen if I decided I wanted my internal network to be 192.168.33.0....
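The concerns in items 1 and 3 can be checked from a laptop on the guest SSID. The following is an added example, not part of the original post and not Cisco's code: it classifies the reply to a plain-HTTP connectivity probe (plain HTTP because, as item 3 notes, the login screen does not appear for an HTTPS page) and reports whether the portal's password form submits over cleartext HTTP. The function names, the assumption that the chosen probe endpoint normally answers 204, and the sample URL and HTML are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _PasswordForms(HTMLParser):
    """Record the action attribute of each <form> that holds a password input."""

    def __init__(self):
        super().__init__()
        self._action = None          # action of the form currently open, else None
        self.actions = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._action = attrs.get("action") or ""
        elif (tag == "input" and self._action is not None
              and (attrs.get("type") or "").lower() == "password"):
            self.actions.append(self._action)

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None


def classify_probe(status, location=None):
    """Classify the reply to a plain-HTTP probe that normally answers 204 (assumed)."""
    if status == 204:
        return "open"                # the reply came from the real endpoint
    if status in (301, 302, 303, 307, 308) and location:
        return "portal-redirect"     # gateway sent the browser to its login page
    return "portal-inline"           # gateway answered the request itself


def login_targets(page_url, html):
    """Return (absolute_url, sent_in_cleartext) for each password form on the page."""
    parser = _PasswordForms()
    parser.feed(html)
    targets = []
    for action in parser.actions:
        url = urljoin(page_url, action)      # an empty action posts back to page_url
        targets.append((url, urlsplit(url).scheme != "https"))
    return targets


# Constructed sample: a login page as a guest portal might serve it.
SAMPLE_URL = "http://portal.example/guest/login.html"
SAMPLE_HTML = '<form method="post" action="/guest/auth"><input type="password" name="pw"></form>'
```

A `True` in the second field means the guest password crosses the open, unencrypted SSID readable by anyone in radio range, which is the exposure item 1 worries about.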
Now for some good news.
Trying to access the internal network while logged on to the guest network doesn't work. In all practicality they have made it separate from the internal network. This is great.
So to summarize: yes, guest mode keeps guests just guests on your network. The problems with guests on the network, however, are very troubling. With no QoS, no filtering, and no encryption, I don't see this working for very many.
If you want these types of controls over guest access, I would like to send you to DD-WRT or Tomato firmware for your router. The router must be "open-source" and be on the lists on their websites for it to work. It is a little tedious, but newer routers actually make the process really simple. As to how to set up DD-WRT with guest access... that is a whole other animal and should probably go into another post sometime.
This is a great leap in the right direction, Cisco; I was just expecting a little more.
Wow, what a nice blog. I am really so inspired here. Could you share more here? I will be back to you as soon as possible.
Thanks
Linksys Cisco WAP4410N