Wi-Fi is convenient, can provide adequate throughput, and adds flexibility to your coworking space. Wi-Fi is not, however, as secure as a hardwired connection due to the way Wi-Fi communicates to devices, and vice versa.
For Wi-Fi to work in a shared environment inexpensively, multiple devices must connect to shared Access Points distributed throughout the workspace. Depending on the features the Wi-Fi device has enabled, it may broadcast its MAC address, IP Address, and client IP and MAC addresses to others on the Wi-Fi network.
Wi-Fi security and shared functionality are a balancing act in a shared-space (coworking) environment. The more you open the Wi-Fi network, the more flexible it is and the less secure it becomes. The more secure you make the network, the less usable and accessible it becomes (see illustration below).
Yardi’s Wi-Fi implementation has additional security options, beyond the out-of-the-box configuration, that can be implemented to improve Wi-Fi security for you and your clients. Upon request, we can implement all, some, or none of these options as desired.
Ultimately, the level of security you want to implement at your location is up to you. Yardi can provide options and recommendations, but the final decision between security and accessibility is a decision you must make for your location.
Security Options
Yardi Out of the Box (OOTB) Configuration:
Private Member VLANs: Provides each member with a dedicated private VLAN and gives members the option to connect their own (BYOD) wireless devices to this VLAN.
Login Security: Members are required to log in via an assigned username and password combination.
Segregate Member and Guest Networks via IP Addressing: Keeps guests on a different network segment so that infected computers or nosy guests cannot directly access your Member network.
RADIUS Server Installation: Yardi implemented this security function in 2020 to allow for higher levels of Wi-Fi security for our Yardi KUBE coworking customers who have Ruckus Access Points. Effectively, the user requests to log into the Access Point, which results in an access request packet (which contains the username and password of the user) being sent to the RADIUS server, where it is validated using an encrypted shared key. Once validated, specific security levels and access are provided back to the Wi-Fi user. After being authorized, the device is also automatically assigned, directly at the Access Point, to the company-specific VLAN associated with the user, further isolating the user and their wireless traffic to the private VLAN. There is a setup and administration overhead to this method, and it is only configurable with Ruckus Access Points in our environment.
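The exchange described above, sketched as an added example (not Yardi's or Ruckus's code): it assumes standard RADIUS as defined in RFC 2865, with the password hidden under the shared secret, and the RFC 3580 tunnel attributes for VLAN assignment. The function names, secret and VLAN number are constructed for illustration; the page does not describe the actual server configuration.

```python
import hashlib, hmac

ACCESS_ACCEPT, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PGID = 2, 64, 65, 81
VLAN, IEEE_802 = b"\x00\x00\x00\x0d", b"\x00\x00\x00\x06"  # tag 0 + 3-byte value (13, 6)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous hidden block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def recover_password(hidden, secret, req_auth):  # server side, same shared secret
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_accept(ident, req_auth, secret, vlan_id):
    """Access-Accept with untagged VLAN attributes and a Response Authenticator."""
    attrs = b"".join(bytes([t, len(v) + 2]) + v for t, v in (
        (TUNNEL_TYPE, VLAN), (TUNNEL_MEDIUM_TYPE, IEEE_802), (TUNNEL_PGID, str(vlan_id).encode())))
    head = bytes([ACCESS_ACCEPT, ident]) + (20 + len(attrs)).to_bytes(2, "big")
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs

def vlan_from_accept(packet, req_auth, secret):
    """AP side: return the VLAN ID only if the reply is authentic and well formed."""
    if len(packet) < 20 or packet[0] != ACCESS_ACCEPT or int.from_bytes(packet[2:4], "big") != len(packet):
        return None
    attrs = packet[20:]
    want = hashlib.md5(packet[:4] + req_auth + attrs + secret).digest()
    if not hmac.compare_digest(want, packet[4:20]):
        return None  # altered reply or wrong secret: do not place the client on any VLAN
    found, i = {}, 0
    while i + 2 <= len(attrs):
        length = attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            return None
        found[attrs[i]] = attrs[i + 2:i + length]
        i += length
    ok = found.get(TUNNEL_TYPE) == VLAN and found.get(TUNNEL_MEDIUM_TYPE) == IEEE_802
    group = found.get(TUNNEL_PGID, b"")
    return int(group) if ok and group.isdigit() else None
```

The password hiding and the reply check both rest entirely on the secret shared between the Access Point and the RADIUS server, so that secret should be long, random and unique to each deployment.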
No Cost Options:
Implement Separate Wi-Fi SSIDs for Members and Guests: Adds another layer of separation between the Member and Guest networks. This action prevents guests from being able to connect to the same wireless network as members.
Implement WPA2 Encryption on One or Both of the Member and Guest Wi-Fi Networks: Prevents people who are not connected to your network environment from being able to capture and decipher any information from your customers (no “drive-by” Wi-Fi).
NOTE: Unless otherwise instructed by the Operator, Yardi now implements WPA2 encryption by default when installing Wi-Fi equipment.
Wi-Fi Isolation: For shared spaces, you usually would only want to initiate isolation on the Guest network. This limits guests from seeing other devices that may be talking to the same Access Point they are connected to. You can isolate the Member network as well, but this will affect the ability of members to connect to other Wi-Fi devices, such as printers, Airtame, Chromecast, Sonos, security cameras, etc.
Public IP Address: Members can set up their own encrypted VLAN, hardware, firewall, etc.
Isolation and Security Upgrade Options Available for Purchase:
Individual Access Points (APs) for Each Company: Isolates all company traffic to a company-designated Access Point. This can increase cost as you need to purchase a company-specific AP, and it also does not allow for roaming.
Individual SSIDs and WPA2 Encryption for Select Companies: This will isolate the individual company to a WPA2 (password encrypted) SSID that is for their use only. This is not recommended to be used as an across-the-board solution as too many individual SSIDs can cause radio congestion in the Wi-Fi network.
Enable Wi-Fi Isolation for Each Company: This allows for internet connectivity and prevents wireless devices from communicating directly with each other. Enabling Wi-Fi isolation does not allow direct communication with any other Wi-Fi devices, such as Sonos, Airtame, printers, etc.
Best Practices
Even with installed security features, there are actions and restrictions you as the operator need to enforce at your properties. Some examples of what you need to be aware of are:
Do Not Let Members Install Their Own Access Points (APs): When multiple Wi-Fi networks are installed in the same area, this can quickly lead to slow internet speeds and unreliable connectivity.
Use Wired Connections: As previously mentioned, wired connectivity is inherently more secure than Wi-Fi. With our Out-of-the-Box implementation, a wired jack is assigned to a space, and a space must be assigned to a company for the port to be live. Also, offering wired connections to your customers minimizes congestion on the wireless network and provides better connectivity for your members.
Limit Available Bandwidth for Your Members: Open bandwidth plans or many members with high bandwidth plans can cause significant slowdowns for the rest of your members.
Some examples of best practices for your members are:
Do not use accounts with shared passwords – keep passwords private, complex, and change them frequently.
Remind members to keep devices secure by including up-to-date security software and antivirus protection.
Remind members to lock their screens when leaving their assigned offices or seats.
Do not share portable devices, such as USB drives, hard drives, tablets, etc.
Do not trust company data to non-company individuals.
Keep sensitive materials protected.
Do not print confidential or PII documents to an un-monitored “shared” printer. Someone may intentionally or inadvertently pick up a document that is not theirs.
Set up auto logoff or screen locking on computers and handheld devices.
Do not visit sites that are questionable.
Disclaimer:
The information in this document is subject to change without obligation of notification that a change has occurred. Yardi Systems Inc. cannot be held liable for any damages caused by the implementation or usage of the network, whether or not that implementation or usage is defined in this document.
Please be aware that information sent over the wireless network, regardless of security implementation, MAY in some form be visible to others.
By connecting to the network, wired or wireless, users acknowledge all associated risks that occur in a shared network environment. If you do not understand and agree to this Disclaimer and Terms of Use you are not permitted to use this service.
