Hotspot Security?

Hi everyone. Here's my first question. Any help would be appreciated.

I have had to implement a wireless hotspot in my friend's hotel a month or two before I planned. Obviously, this hasn't allowed me the time to study up on the security of the hotspot.

The equipment we are using is:

  - APs: Colubris CN3200, with CN320 units as repeaters
  - Switches: Dell PowerConnect 2724 (managed)
  - Router: DrayTek 2950 (their latest enterprise class)

Access required is:

  1. Secure, encrypted access for the hotel LAN and staff. Easily implemented with MAC filtering and WPA. This goes to VLAN 1, which allows access to the hotel's private LAN and the internet.

  2. Guest access to just the internet. Again, easily implemented using DHCP and an HTTPS logon, with no MAC filtering or WEP/WPA encryption. This goes to VLAN 2, which only allows access to the internet.

None of the above clients can talk to each other; they can only talk to the access point itself. All APs are firewalled.

The question, then: am I as secure as I can be?


Reply to
louis-m

Good hardware. Unfortunately, I'm only familiar with the switches.

Quite good or rather good enough. A few suggestions. Please note that security cannot be assumed and needs to be tested.

  1. You don't appear to have a RADIUS server. Therefore the hotel staff machines are using a shared WPA-PSK key. The problem with shared keys is that they are easily leaked and/or recovered from the client machines. See:

for how it's done. If you don't have physical security, or suspect the staff may be leaking the key, I suggest you implement a RADIUS server. This will deliver a unique, one-time, per-session encryption key instead of the common shared key.

  2. MAC address filtering is a waste of time. MAC addresses are NOT encrypted and can therefore be sniffed. It doesn't take much work to extract a valid MAC address and use it.
  3. VLANs are a great way to isolate separate networks on shared media. Isolation is guaranteed, but needs to be tested. Run a sniffer, such as Ethereal or Wireshark, on each network and see if any wrong MAC addresses are appearing on the wrong side of the VLAN. I had a misconfigured Ethernet switch do something weird. It would correctly not pass normal traffic between VLANs, but would pass broadcasts for some odd reason. I never could figure out why, so I just threw in a better switch.
  4. Access point isolation is mandatory for such a system. You apparently have that running. Again, you should verify that it's working. Simply not "seeing" other clients is not sufficient. Sniff the traffic and look for MAC addresses that don't belong on the VLAN segment.
  5. I suggest you install some manner of SNMP traffic monitoring, probably at the router and the switches. Using MRTG or RRDtool, you'll get graphs that will give you some clue as to what "normal" traffic looks like. When something goes wrong, you can usually tell where and when something changed. You need this because nothing you mentioned is suitable for abuse detection or mitigation. I'll spare you my horror stories, but you do need to do something about detecting and isolating abuse and abusers.
  6. The last time someone asked me about wireless security, I retorted that they really should be concerned about wired and physical security. They had bought the best wireless hardware but had left live Ethernet ports all over the place, with no NAC (network access control) or MS NAP (network access protection). I left the ports live, but implemented NAC. Does the hotel have any customer-accessible open Ethernet ports? Most do.
  7. My guess(tm) is that you haven't enabled any QoS or bandwidth management features. Without QoS or bandwidth management, one user can monopolize the entire system. At the least, you should reserve some dedicated bandwidth for the office to prevent the visitors from hogging it all.
Reply to
Jeff Liebermann
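The VLAN-isolation and AP-isolation checks in Jeff's reply both come down to the same test: capture on a segment and look for MAC addresses that have no business being there. The script below is an added example written for this thread, not code from either poster or from Colubris, Dell or DrayTek. It parses `tcpdump -e -n` style lines (the format it expects is shown in a comment), and its inventory of staff, guest and infrastructure MACs, its VLAN numbers and the capture lines are all constructed for the example. It reports three things: a client MAC showing up on a VLAN other than its own (the broadcast-leak case Jeff describes), a MAC nobody has registered, and a frame passing directly between two clients on the same VLAN, which AP isolation should have blocked.

```python
"""Audit a `tcpdump -e -n` capture for MACs on the wrong VLAN and for
client-to-client frames that AP isolation should have blocked.
Added example for this thread; inventory, VLAN numbers and capture lines
are constructed, not taken from the hotel network described above."""
import re

# One MAC address, e.g. 00:11:22:aa:bb:01
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# Start of a `tcpdump -e -n` line: "<timestamp> <src mac> > <dst mac>, ..."
FRAME_RE = re.compile(rf"^\S+\s+(?P<src>{MAC})\s+>\s+(?P<dst>{MAC}),", re.I)
# 802.1Q tag as tcpdump prints it: "... vlan 2, p 0, ethertype ..."
VLAN_RE = re.compile(r"\bvlan (\d+)\b")


def is_group_address(mac):
    """Broadcast or multicast destination: low bit of the first octet is set."""
    return int(mac[:2], 16) & 1 == 1


def parse_frame(line):
    """Return (src, dst, vlan or None) for one capture line, or None if the
    line is not a frame (tcpdump status output, truncated lines, etc.)."""
    m = FRAME_RE.match(line)
    if not m:
        return None
    tag = VLAN_RE.search(line)
    return m["src"].lower(), m["dst"].lower(), (int(tag.group(1)) if tag else None)


def audit(lines, inventory, infra, untagged_vlan=None):
    """inventory: {vlan_id: set of client MACs that belong on that VLAN}
    infra: MACs allowed on every VLAN (router, AP wireless interfaces)
    untagged_vlan: VLAN to assume for frames without an 802.1Q tag
    (set it when capturing on an access port; leave None on a trunk).
    Returns a list of (problem, vlan, src, dst), one entry per bad frame."""
    home = {mac: vid for vid, macs in inventory.items() for mac in macs}
    findings = []
    for line in lines:
        parsed = parse_frame(line)
        if parsed is None:
            continue
        src, dst, vlan = parsed
        if vlan is None:
            vlan = untagged_vlan
        if vlan is None:
            continue  # cannot judge a frame whose VLAN is unknown
        problem = None
        for mac in (src, dst):
            if mac in infra or is_group_address(mac):
                continue
            if mac not in home:
                problem = "unknown-mac"
                break
            if home[mac] != vlan:
                problem = "vlan-leak"      # client seen on a VLAN not its own
                break
        # Two registered clients of this VLAN talking directly: AP isolation
        # is not doing its job.
        if problem is None and home.get(src) == vlan and home.get(dst) == vlan:
            problem = "client-to-client"
        if problem:
            findings.append((problem, vlan, src, dst))
    return findings


# --- Constructed sample data ------------------------------------------------
STAFF_1, STAFF_2 = "00:11:22:aa:bb:01", "00:11:22:aa:bb:02"   # VLAN 1
GUEST_1, GUEST_2 = "00:11:22:cc:dd:01", "00:11:22:cc:dd:02"   # VLAN 2
ROUTER, AP = "00:11:22:00:00:01", "00:11:22:00:00:02"         # allowed anywhere
BCAST = "ff:ff:ff:ff:ff:ff"
INVENTORY = {1: {STAFF_1, STAFF_2}, 2: {GUEST_1, GUEST_2}}
INFRA = {ROUTER, AP}

# Constructed capture mimicking `tcpdump -e -n -i eth0` on the switch trunk.
SAMPLE_CAPTURE = [
    f"12:00:01.000001 {GUEST_1} > {BCAST}, ethertype 802.1Q (0x8100), length 46: vlan 2, p 0, ethertype ARP, Request who-has 10.0.2.1 tell 10.0.2.50, length 28",
    f"12:00:02.000002 {GUEST_1} > {ROUTER}, ethertype 802.1Q (0x8100), length 78: vlan 2, p 0, ethertype IPv4, 10.0.2.50.50000 > 93.184.216.34.443: Flags [S]",
    f"12:00:03.000003 {GUEST_2} > {BCAST}, ethertype 802.1Q (0x8100), length 46: vlan 1, p 0, ethertype ARP, Request who-has 10.0.2.1 tell 10.0.2.51, length 28",
    f"12:00:04.000004 {GUEST_1} > {GUEST_2}, ethertype 802.1Q (0x8100), length 78: vlan 2, p 0, ethertype IPv4, 10.0.2.50.445 > 10.0.2.51.1029: Flags [S]",
    f"12:00:05.000005 {STAFF_1} > {ROUTER}, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 10.0.1.10.40000 > 10.0.1.1.80: Flags [S]",
    f"12:00:06.000006 02:de:ad:be:ef:01 > {BCAST}, ethertype 802.1Q (0x8100), length 46: vlan 2, p 0, ethertype ARP, Request who-has 10.0.2.1 tell 10.0.2.99, length 28",
    "tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes",
]


def audit_sample():
    return audit(SAMPLE_CAPTURE, INVENTORY, INFRA)


if __name__ == "__main__":
    for kind, vlan, src, dst in audit_sample():
        print(f"{kind:16s} vlan {vlan}: {src} -> {dst}")
```

On the sample capture the third line (a guest broadcast tagged VLAN 1) is reported as `vlan-leak`, the fourth (guest to guest on VLAN 2) as `client-to-client`, and the sixth as `unknown-mac`; a clean network produces an empty list. To run it against a live segment, feed it the output of `tcpdump -e -n` on a mirror port of the switch, or on an access port with `untagged_vlan` set, and keep the inventory in step with the staff machines you actually issued.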

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.