NoPorts Secures & Simplifies Guest WiFi for Bus Stop Cafe

Author/Solution Architect: Larry Karantzios - Cyber Security Professional

Business Driver: Bus Stop Cafe, an NYC restaurant, needed a self-service guest wireless captive portal to give customers, especially tourists, Internet access.

Solution: NoPorts for secure, Zero Trust remote management (configuration and monitoring) for a Raspberry Pi-based guest WiFi hotspot, and Cloudi-Fi for forwarding web traffic securely to a cloud-based captive portal for account registration, authentication, and content filtering.

Overview: The Bus Stop Cafe, established in 1995, is a family-owned cafe that has been serving fresh dishes and friendly service in the historic New York West Village for over 30 years. The Bus Stop Cafe uses a Raspberry Pi as a WiFi access point to provide guest WiFi network access for customers through the Cloudi-Fi cloud-based captive portal solution. Customers connect to the Internet after viewing promotional content and agreeing to the restaurant captive portal’s terms of service. 

Secure remote access management is required to monitor the network’s performance, modify configuration, upgrade Raspberry Pi software, manage user access, perform reboots, and ensure network security. Before NoPorts, this sometimes required inconvenient on-site intervention. Here’s an overview of how the NoPorts remote management solution has added both security and simplicity to the guest WiFi setup. 

Roles:

  1. Restaurant Manager/IT Administrator: The individual responsible for maintaining the guest WiFi network and ensuring a smooth experience for customers.
  2. Raspberry Pi Captive Portal: A Raspberry Pi device configured to serve as a guest WiFi access point. It securely redirects traffic to Cloudi-Fi’s cloud-based captive portal and provides self-service Internet access with web content filtering after user authentication or agreement.
  3. Restaurant Guests: Customers who use the restaurant's guest WiFi network for Internet access.

Preconditions:

  1. The Raspberry Pi is configured with software (such as hostapd and dnsmasq) to operate as a WiFi access point. 
  2. Once a WiFi connection is established, the Raspberry Pi forwards guest WiFi traffic via an IPsec VPN tunnel to the Cloudi-Fi cloud-based captive portal, where guests authenticate, accept the terms, and view promotional content.
  3. The restaurant manager/IT administrator has the necessary credentials and tools for remote access with NoPorts, and that access does not require any open inbound connection ports on the Raspberry Pi. 

Result: The Raspberry Pi has no network attack surface. 
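
A check an administrator could run on the Pi to confirm the precondition above, that remote management needs no inbound listener on the uplink (an added example, not code from the original page, NoPorts, or Cloudi-Fi). The interface name wlan0, the address 192.168.4.1, and the sample `ss -H -tuln` output are constructed assumptions; the sample deliberately includes a wildcard-bound port 22 so the check has something to flag.

```python
import ipaddress

# Constructed sample of `ss -H -tuln` output; on the Pi, feed in the real output.
SAMPLE_SS = """\
udp   UNCONN 0      0        192.168.4.1:53        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0%wlan0:67        0.0.0.0:*
tcp   LISTEN 0      32       192.168.4.1:53        0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:6010      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
"""

GUEST_IFACE = "wlan0"        # assumed name of the access-point interface
GUEST_ADDR = "192.168.4.1"   # assumed address of the Pi on the guest network


def classify(line):
    """Return (protocol, port, scope) for one line of `ss -H -tuln` output."""
    fields = line.split()
    proto, local = fields[0], fields[4]
    host, port = local.rsplit(":", 1)      # port follows the last colon
    host, _, iface = host.partition("%")   # "%wlan0" marks a device-bound socket
    host = host.strip("[]")                # IPv6 addresses are shown in brackets
    if host == "*":                        # some ss versions print "*" for any address
        host = "0.0.0.0"
    if ipaddress.ip_address(host).is_loopback:
        scope = "loopback"                 # reachable only from the Pi itself
    elif iface == GUEST_IFACE or host == GUEST_ADDR:
        scope = "guest"                    # DHCP/DNS that the hotspot must offer
    else:
        scope = "exposed"                  # wildcard or uplink-bound listener
    return proto, int(port), scope


def exposed_listeners(ss_output):
    """List (protocol, port) pairs reachable from outside the guest network."""
    found = set()
    for line in ss_output.splitlines():
        if line.strip():
            proto, port, scope = classify(line)
            if scope == "exposed":
                found.add((proto, port))
    return sorted(found)


if __name__ == "__main__":
    for proto, port in exposed_listeners(SAMPLE_SS):
        print(f"exposed listener: {proto}/{port}")
```

An empty result means every listener is either loopback-only or one of the guest-side services the hotspot has to offer.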

Main Flow:

  1. Network Monitoring:
    • The restaurant manager remotely accesses the Raspberry Pi using the NoPorts client software.
    • They monitor the number of connected people, bandwidth usage, and network performance to ensure that the guest WiFi network is operating smoothly.
    • IPsec tunnel configuration and monitoring capabilities are available via NoPorts.
  2. Captive Portal Content Management:
    • The manager can remotely update the Cloudi-Fi cloud captive portal page to display new promotional content, such as special offers, menus, or events.
    • They can change the terms and conditions on the captive portal or update the privacy policy as needed.
    • The appearance and functionality of the portal can be adjusted to enhance people’s experience based on feedback or promotional needs.
  3. Access Control Management:
    • The manager sets up and modifies access control policies remotely, such as setting usage limits (e.g., time limits or bandwidth caps) for users.
    • Unauthorized devices, or those flagged for inappropriate use, can be remotely disconnected or quarantined.
    • New user authentication methods (like social media login integration) can be tested and implemented without needing to be on-site.
  4. Performance Optimization:
    • The manager analyzes network performance metrics remotely to identify congestion or interference.
    • Adjustments to the WiFi settings (e.g., changing channels or power levels) are made to optimize coverage and performance within the restaurant.
    • The manager can remotely reboot the Raspberry Pi to resolve minor connectivity issues or apply new settings.
  5. Security Management:
    • The manager regularly checks for security updates or patches for the Raspberry Pi and applies them remotely to ensure the network is secure.
    • Firewall rules and network security protocols are managed to prevent unauthorized access or attacks.
    • Regular audits of connection logs and access attempts are performed to identify any suspicious activity.
  6. Troubleshooting and Diagnostics:
    • If guests report issues with the WiFi, the manager can remotely access diagnostic tools on the Raspberry Pi via NoPorts to check for connectivity problems, device status, or configuration errors.
    • Logs are reviewed to identify patterns or recurring issues, allowing for proactive problem resolution.
    • The manager can reset individual user sessions or restart services to resolve specific issues without needing to visit the location.

Alternative Flows:

  • Network Outage: If the guest WiFi network goes down, the manager receives an alert and attempts remote troubleshooting. If the issue cannot be resolved remotely using NoPorts, a technician is dispatched to the site.
  • Security Breach Detected: Upon detecting a potential security breach, the manager remotely updates all access credentials, applies additional security measures, and temporarily restricts access until the issue is resolved.

Postconditions:

  • The guest WiFi network remains functional, providing reliable and secure Internet access to restaurant guests.
  • The Cloudi-Fi captive portal content is kept current, offering relevant promotions and information to customers.
  • The restaurant manager can efficiently manage the network and respond to issues without the need for on-site visits.

NoPorts Benefits:

  • Improved Guest Experience: Ensures a smooth and seamless guest WiFi experience for customers, enhancing their overall experience at the restaurant.
  • Operational Efficiency: Reduces the need for physical interventions, saving time and reducing costs associated with on-site network management.
  • Enhanced Security: Allows for timely updates and monitoring to protect against unauthorized access and maintain a secure network environment.
  • Flexibility: Provides the ability to quickly update promotional content and adapt to changing business needs or customer feedback.

Cloudi-Fi Description:

  • 100% Cloud-Based Captive Portal solution for optimal scalability
  • Infrastructure agnostic for a frictionless deployment 
  • Compliant with data privacy regulations in over 100 countries 
  • One admin for all your sites 
  • Easy to customize to your brand's assets


“The Cloudi-Fi platform offers a unique 100% cloud-based captive portal solution for managing secure internet access to onboard all untrusted devices (guests, BYOD (Bring Your Own Device), and IoT). The platform offers Zero Trust security, compliance, and scalability, integrating easily with existing infrastructure vendors and offering customization options for branding, digital advertising, and retargeting requirements for a frictionless integration and deployment on multiple sites.”

The above solution highlights how remote access management of a Raspberry Pi used as a guest WiFi access point, seamlessly integrated with the Cloudi-Fi cloud-based captive portal, can improve operational efficiency, enhance customer experience, and maintain a secure, reliable, Zero Trust self-service guest WiFi network in a restaurant setting.