June 02, 2003
Security | Wireless
Mark Haley
MHaley@ThePrismPartnership.com
© 2003 Hospitality Upgrade. No reproduction without written permission.
Wireless is clearly crossing the chasm from a novelty to mainstream hotel amenity, but the security risks of wireless networking are real and tangible, not just perceived. Wireless data communications are not private and people should not expect them to be.
Early movers in the marketplace have been trying to sell wireless data concepts to hotels and airports since at least 1997. Remember MobileStar Network? They were just a little too far in front of the curve.
Since then, wireless data networks have become commonplace. In addition to countless homes, thousands of wireless access points were installed in hotels from sea to shining sea. Look for 118,000 public access “hotspots” installed worldwide by 2005, according to IDC, but even that number could be low.
The actual security issues generally fall into two categories: packet interception and inappropriate use. Readily available software enables any laptop with a WiFi card to intercept and record the data transmitted over any open wireless network. Inappropriate use problems involve an intruder using an open network to send spam, serve up pornography, launch cyber-attacks on other networks or download copyright-protected materials, typically music. Inappropriate use risks come with any open network, although wireless makes it easier.
For example, someone trying to sell you a wireless access point will tell you, “WiFi is secure! You just have to turn it on.” The salesman is referring to WEP, Wired Equivalent Privacy, which does in fact provide a measure of security for wireless communications. WEP is known to be “hackable,” but it does put up a useful roadblock, and it is exactly what you should use at home if you have a residential wireless network.
WEP relies on inputting the same alphanumeric code into the access points and the laptops. Transmissions are encrypted using the code. Because every user must know the code and be able and willing to enter it, WEP is an inappropriate security solution for a visitor-facing network, as in your hotel. Given today’s standards, the only really effective means of preventing packet-sniffing is a virtual private network (VPN).
David Bankers, CTO of LodgeNet Entertainment, sees VPN support as crucial for wired and wireless networks in hotels. Bankers said, “LodgeNet’s HSIA platform provides the guest with a choice at sign on between a public routable IP address that supports 100 percent of VPNs, or a private IP address that is hidden behind NAT (network address translation), which offers some level of protection from uninitiated inbound connections to the guest’s laptop.”
Inappropriate use problems can arise if your network becomes identified as a source of spam or pornography. Most Internet service providers (ISPs) try to avoid supporting either class of content, and could cut off service to your location. E-mail black
commercial, newspaper or magazine article touting the wonders of wireless data networking and extolling the virtues of WiFi. Enticed by millions of co-marketing dollars from Intel, most of the major hotel chains have obediently lined up to install wireless hotspots to service the Centrino¹-armed road warrior.
The many virtues and benefits of WiFi come with a downside, however. The negative aspects of wireless networking include spotty coverage and connections, particularly if the property’s network of access points is “value-engineered” to minimize costs. Performance is sometimes slower, though the difference is rarely noticeable for Internet browsing. And WiFi has significant perceived security risks. The security risks of wireless networking are real and tangible, not just perceived. Start off with the understanding that Internet-based communications are not secure in the first place, and wireless ones are less so.
Wireless data communications are not private and people should not expect them to be. The privacy issue creates an interesting dilemma for the hotelier. Guests expect and deserve privacy in their guestrooms. Wireless communications are not private. One approach to this dilemma is to not offer wireless services in guestroom areas, but only in public spaces. Mandarin Oriental Hotels employs this tactic. CIO Nick Price said, “We support 802.11 in general and anticipate the day when wireless access can be securely and easily provided. In the meantime, we will cover public areas only as we believe that guests have an expectation of privacy in their guestrooms, a private place. We cannot provide a service that weakens our absolute commitment to the guest’s right to privacy and security in the guestroom.”
In April of this year, a guest checked into a Boston hotel that offers an open wired and wireless network as a complimentary guest amenity. He then started downloading music from a file-sharing service using multiple computers. The download traffic consumed the vast majority of the bandwidth available on the guest network, making performance erratic at best for all of the other guests in the hotel. Needless to say, this led to a fire drill for the hotel’s IT department.
What can the hotelier do to remedy or minimize some of these risks?
• Don’t let the security concerns keep you out of the wireless space. Go on in, just know what to do about it.
• First, ensure that all users logging onto your network (whether a free amenity or a fee-based service) accept a strong Terms of Use statement that clearly states it is an unsecured environment and no expectation of privacy should hold. Stephen Barth, professor of hospitality law at the Conrad Hilton School of Hotel Management and founder of HospitalityLaw.com, said, “The law in this area is still evolving. Liability potential revolves around an expectation of privacy, and a clear Terms of Use statement that eliminates that expectation is essential.”
• Use a third-party service provider to source and support the service. This can perhaps insulate the hotel from liability as well. Barth recommended that the hotel’s agreement with the service provider include an indemnification and hold harmless clause.
• Ensure that your service provider’s platform supports most of the major VPNs in the market as well as the built-in firewall in current versions of Windows. Most VPNs require public routable IP addresses, so you need a connection to the public Internet that includes a range of addresses.
• Does the service provider have an active network monitoring program in place? This type of program proactively detects sources of spam, network attacks, virus distribution and other inappropriate uses. LodgeNet’s Bankers said, “Our Network Intrusion Detection System (NIDS) identifies and traps network abuse before it gets out on the public Internet, not when it is too late.”
• Use a VPN client for all administrative wireless applications, or at a minimum WEP.
This is great for the hotelier, but what about advice for the traveler? When you are traveling, turn on the personal firewall feature for your wireless data connection. Travelers should also use some form of VPN, either on their corporate network or one provided by a subscription-based network. (See sidebar below.) And no one should venture onto another network without maintaining a self-updating virus protection subscription.
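The kind of check an active monitoring program could run against the Boston incident and the spam scenario described above is sketched here as an added example; it is not code from the article or from any vendor named in it. The flow-record layout, the per-guest account labels, the sample data and both thresholds are assumptions made for illustration. Usage is summed per account rather than per device because the guest in the incident used multiple computers.

```python
from collections import defaultdict

# Constructed sample flow records for one monitoring window (not real data):
# (guest account, device MAC, destination IP, destination port, bytes)
FLOWS = [
    ("room-412", "02:00:00:00:04:01", "198.51.100.10", 6346, 410_000_000),
    ("room-412", "02:00:00:00:04:02", "198.51.100.11", 6346, 380_000_000),
    ("room-412", "02:00:00:00:04:03", "198.51.100.12", 6346, 350_000_000),
    ("room-207", "02:00:00:00:02:01", "203.0.113.5", 443, 40_000_000),
    ("room-118", "02:00:00:00:01:01", "203.0.113.9", 80, 25_000_000),
    ("room-305", "02:00:00:00:03:01", "203.0.113.20", 443, 15_000_000),
] + [
    # room-630 opens SMTP sessions to 12 different mail servers
    ("room-630", "02:00:00:00:06:01", f"192.0.2.{i}", 25, 60_000)
    for i in range(1, 13)
]


def bandwidth_hogs(flows, share_limit=0.5):
    """Accounts whose devices together exceed share_limit of all bytes."""
    usage, devices = defaultdict(int), defaultdict(set)
    for account, mac, _dst, _port, nbytes in flows:
        usage[account] += nbytes
        devices[account].add(mac)
    total = sum(usage.values())
    if total == 0:  # idle window: nothing to flag
        return []
    return [
        {"account": a, "share": round(b / total, 2), "devices": len(devices[a])}
        for a, b in sorted(usage.items(), key=lambda kv: -kv[1])
        if b / total > share_limit
    ]


def smtp_fanout(flows, max_servers=5):
    """Accounts talking SMTP (port 25) to more than max_servers distinct hosts."""
    servers = defaultdict(set)
    for account, _mac, dst, port, _nbytes in flows:
        if port == 25:
            servers[account].add(dst)
    return {a: len(s) for a, s in servers.items() if len(s) > max_servers}


if __name__ == "__main__":
    print("bandwidth:", bandwidth_hogs(FLOWS))
    print("smtp fan-out:", smtp_fanout(FLOWS))
```

An account flagged by either check is a candidate for rate limiting or a call from the front desk; the limits would need tuning to the property's actual uplink and guest mix.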
What Is a Hotel To Do?
How does the hotelier make sense of all of this? Here are our recommendations:
• First, don’t allow the standards churn to delay your adoption of this amazingly useful technology. Go ahead and invest now.
• Today, go with 802.11b access points that support future field upgrades (better downloadable) to 802.11g support.
• Don’t spend on 802.11a. Remember Betamax?
• When 802.11g becomes a proven standard, with true cross-vendor interoperability (i.e., my Orinoco card works on your Cisco access point), then upgrade your radios to g if you intend to use local administrative applications. If the only point of the wireless network is to give guests access to the Internet, there is little reason to upgrade to g because b already goes faster than your Internet connection.
• Hope that your field-upgradable radios will be field-upgradable to support 1x.
• Don’t hold your breath for Wi-Max. It is still way out there…at least next week.
Mark Haley is a member of The Prism Partnership, a consulting practice servicing the global hospitality and travel industries based in Boston, Mass. You can reach Mark at (978) 521-3600 or MHaley@ThePrismPartnership.com.
EVOLVING WIRELESS STANDARDS
Standards or Temporary Band-Aids?
Wireless data technology today looks a lot like a bowl of alphabet soup stirred up by an angry 3-year-old. First we saw the vicious conflict between frequency hopping and direct sequence spread-spectrum play out (DSSS won, by the way), and we thought we were in a good place with 802.11b. Investment in infrastructure took off, purchases accelerated and deployment proliferated. It was WiFi and it was good.
Then a funny thing happened. Before 802.11b became universally deployed we got 802.11a, promising much higher data throughput. Sometime this summer, expect to see 802.11g ratified as a standard, promising more throughput and backwards compatibility with b. Some vendors are promising multi-mode access points, supporting both a and g in the same unit. Then there is discussion of 802.1x, compatible with g, but adding new, enhanced security features.
Now we are seeing early announcements of a future Wi-Max service, promising much broader penetration and no backwards compatibility with anything that exists today.
I don’t even want to know what happened to c, d, e, f and all the rest. What if they are still coming?
Notes
1 Centrino – Intel’s product brand name for a mobile processor, paired chipsets and 802.11b equipment specifically engineered and optimized to work together, especially for wireless networking in a mobile environment. Most major laptop manufacturers now offer Centrino-based products.
SUBSCRIPTION-BASED NETWORKS
This May Be in Your Hotel, But Not Be Your Customer
Cendant and Choice have earned highly profitable positions in the pantheon of hotel companies by owning and marketing brands and the services supporting them, rather than owning and operating hotel properties. Likewise, firms like Boingo, T-Mobile, iPass and Surf & Sip are building out businesses based on marketing other people’s public hotspot assets and establishing their own brands as subscription-based WiFi network operators.
These network operators seek out relationships with hotspot owners, such as hotels, airports or HSIA providers selling into hotels on the supply side. On the demand side, they sell subscriptions that allow access to the hotspot network established above. When a Boingo or iPass subscriber is in your hotel, they have a choice of paying you $9.95 a day or using their subscription service, which pays the hotspot operator (probably not the hotelier) somewhere between $1 and $2. Don’t hold your breath waiting for a split of that revenue from your HSIA provider.
The primary benefit of the subscription-based networks is that they allow the mobile user to enjoy WiFi access in many and diverse venues while maintaining a single vendor account. Alison Richards is the director of wireless co-marketing for Intel. Richards said, “Wireless networking today is somewhat like the early days of cell phones. Roaming was difficult and expensive with erratic coverage. We want to see it become simple, transparent and inexpensive.” Another useful attribute comes into play regarding wireless data security: Boingo offers virtual private network (VPN) clients with their subscriptions. The downloadable VPN client software buries your packets in a secure tunnel, protecting your data from packet-sniffing. While it is probably “VPN-lite” by Department of Defense standards, a real road warrior would do well to use this kind of service and buy some peace of mind. VPN clients generally impose some overhead on the perceived performance, but that is probably a small price to pay for practicing safe computing.