Visitor Based Network

A visitor-based network (VBN) is a computer network intended for mobile users who need temporary Internet access. Visitor-based networks are most commonly found in hotels, airports, convention centers, universities, and business offices, where they give a transient user a quick way to connect a device to a local network and a broadband Internet connection. A visitor-based network usually comprises hardware (VBN gateways, hubs, switches, and/or routers), telecommunications (the Internet connection), and service (subscriber support). [1]

What is a VBN Gateway?

Virtually any Ethernet LAN with an Internet uplink can be turned into a visitor-based network by adding a device generally termed a "VBN gateway". The gateway provides a layer of management between the public users and the Internet router so that visitors get a plug-and-play connection. Typical VBN gateways also provide integration points for billing and management: property management systems (PMS) in hotels, credit-card billing interfaces, and RADIUS or LDAP servers for centralised authentication.

A common criterion for a VBN gateway is that users can connect and reach the available network services with little or no configuration on their own machines, in particular without changing their IP address settings. To achieve this, a layer 2 (data link layer) path is required between the user and the VBN gateway: the gateway's DHCP and proxy-ARP handling only works inside the user's broadcast domain. Aside from that bridged-network requirement there are no other restrictions on the medium, so Ethernet, IEEE 802.11 wireless, CMTS (cable), and xDSL are all acceptable ways of distributing a network served by a VBN gateway. The flip side of a shared layer 2 segment is that visitors sit in one broadcast domain; in practice client isolation (per-client VLANs or wireless AP isolation) is needed so that one guest cannot answer ARP on the gateway's behalf or sniff another guest's traffic.

In its simplest form a VBN gateway is a hardware device with at least two network interfaces: one faces the subscriber network, the other is the uplink to the Internet. Most VBN gateways on the market today use Ethernet interfaces, but, as noted above, any layer 2 connection will do.

Types of VBNs

Generally speaking there are three models of operation for a VBN: transparent, billing (pay for use), and authentication (authenticate for use).

Transparent VBN

A transparent VBN exists to provide network services to users while reducing support and/or IT infrastructure costs. These networks are generally less concerned with security than with fast and easy access. Metro Wi-Fi networks and free-to-use hotspots are examples of this type of VBN.

Billing VBN

A billing-based VBN is one where users must pay to obtain network services. Traditionally these VBNs are found in hotel and Wi-Fi hotspot networks. Payment is collected in a variety of ways, most commonly through a credit-card merchant account in hotspot environments, or by integration with a property management system in hotel environments so that the charge is posted to the room bill.

Authentication VBN

An authenticate-for-use VBN is most commonly found in business environments. Here the VBN gateway requires users to authenticate to it before they are allowed access to network services. This authentication is commonly achieved by integration with RADIUS or LDAP servers, or by issuing access codes that a user must enter.
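The RADIUS integration mentioned above is, on the wire, one request from the gateway (acting as the RADIUS NAS) and one reply from the server. The following is an added example written for this page, not code from any gateway or RADIUS product: it encodes an Access-Request with the User-Password hiding of RFC 2865, the server reveals the password and answers Accept or Reject, and the gateway verifies the Response Authenticator before opening the session. The shared secret, the fixed request authenticator used in the test, the user database and the identifiers are all constructed; a real NAS sends this over UDP port 1812 and draws the authenticator from a CSPRNG.

```python
"""RADIUS Access-Request / Access-Accept between a VBN gateway (NAS) and an
authentication server, encoded per RFC 2865. Added example; values constructed."""
import hashlib
import hmac
import os
import socket
import struct
from typing import Dict, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
CALLING_STATION_ID, NAS_PORT_TYPE = 31, 61
WIRELESS_80211 = 19  # NAS-Port-Type value for Wireless-IEEE 802.11


def attr(t: int, value: bytes) -> bytes:
    # Type(1) Length(1) Value; Length includes the two header bytes.
    return struct.pack("!BB", t, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Zero-pad to 16n bytes; XOR block i with MD5(secret + previous cipher block),
    the first block chained to the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(pkt: bytes) -> Dict[int, bytes]:
    attrs, pos = {}, 20
    while pos < len(pkt):
        t, length = pkt[pos], pkt[pos + 1]
        if length < 2 or pos + length > len(pkt):
            raise ValueError("malformed attribute")
        attrs[t] = pkt[pos + 2:pos + length]
        pos += length
    return attrs


# --- NAS (VBN gateway) side ---------------------------------------------------
def build_access_request(ident: int, user: bytes, password: bytes, secret: bytes,
                         nas_ip: str, client_mac: bytes,
                         req_auth: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    req_auth = os.urandom(16) if req_auth is None else req_auth
    attrs = (attr(USER_NAME, user)
             + attr(USER_PASSWORD, hide_password(password, secret, req_auth))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(NAS_PORT_TYPE, struct.pack("!I", WIRELESS_80211))
             + attr(CALLING_STATION_ID, client_mac))
    return packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def response_authenticator(code: int, ident: int, req_auth: bytes,
                           attrs: bytes, secret: bytes) -> bytes:
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def nas_accepts(resp: bytes, req_auth: bytes, secret: bytes, expected_ident: int) -> bool:
    """Open the session only for an Access-Accept whose Response Authenticator
    shows it came from a holder of the shared secret and answers our request."""
    if len(resp) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", resp[:4])
    if length != len(resp) or ident != expected_ident:
        return False
    expected = response_authenticator(code, ident, req_auth, resp[20:], secret)
    return hmac.compare_digest(resp[4:20], expected) and code == ACCESS_ACCEPT


# --- server side --------------------------------------------------------------
def radius_server(req: bytes, secret: bytes, users: Dict[bytes, bytes]) -> bytes:
    code, ident, _ = struct.unpack("!BBH", req[:4])
    req_auth, a = req[4:20], parse_attrs(req)
    pw = reveal_password(a.get(USER_PASSWORD, b""), secret, req_auth)
    ok = code == ACCESS_REQUEST and users.get(a.get(USER_NAME)) == pw
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return packet(reply, ident, response_authenticator(reply, ident, req_auth, b"", secret), b"")
```

The check in `nas_accepts` is the one that matters for a gateway: without it, anyone on the path between gateway and server could inject a bare Access-Accept and get a session. The protections here are all MD5 keyed with a shared secret, so in practice the gateway should also require the Message-Authenticator attribute (RFC 2869) and carry RADIUS over a TLS or IPsec tunnel rather than plain UDP.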

How does a VBN work?

While manufacturers offer many different configurations for VBN gateways, a set of common features exists. Even the most basic VBN gateway provides DHCP and proxy ARP, so a user can join the network with no IP address configuration: a device that asks for an address is given one, and a device that still carries a static address from some other site reaches the gateway anyway, because the gateway answers ARP on behalf of whatever default gateway the device is looking for and then, typically, translates the foreign source address on the uplink. A captive portal handles billing or authentication and acceptance of terms and conditions; until the user has satisfied it, the gateway intercepts the user's web traffic and redirects it to the portal page while blocking everything else. Once the user successfully meets the criteria in the captive portal, the VBN gateway allows the user's traffic to be routed through.
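The mechanics described here and in the layer 2 discussion above (DHCP, proxy ARP, the pre-authentication walled garden and the captive-portal session) fit in one small simulation. This is an added example written for this page, not code from any vendor's gateway; the subscriber subnet 10.0.0.0/24, the gateway MAC, the access codes, the session lifetimes and the minimal packet model are all constructed for illustration, and it uses the access-code flavour of the authentication model so that it runs offline.

```python
"""Simulated VBN gateway: DHCP lease, proxy ARP and captive-portal policy.
Added example for this page; not vendor code. Subnet, MACs, access codes and
the packet model are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import ipaddress
import time

SUBNET = ipaddress.ip_network("10.0.0.0/24")             # assumed subscriber subnet
GATEWAY_IP = "10.0.0.1"
GATEWAY_MAC = "02:00:00:00:00:01"                          # constructed
ACCESS_CODES = {"ROOM-2304": 3600, "DAYPASS-7F": 86400}   # code -> session seconds (constructed)


@dataclass
class Packet:
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str            # "arp", "udp" or "tcp"
    dst_port: int = 0
    arp_target: str = ""  # address the client is asking about (ARP only)


@dataclass
class Session:
    ip: str
    expires: float


@dataclass
class VbnGateway:
    leases: Dict[str, str] = field(default_factory=dict)        # mac -> ip
    sessions: Dict[str, Session] = field(default_factory=dict)  # mac -> session
    pool: List[str] = field(
        default_factory=lambda: [str(h) for h in SUBNET.hosts() if str(h) != GATEWAY_IP])

    # DHCP: one address per MAC, handed back unchanged on renewal.
    def dhcp_offer(self, mac: str) -> str:
        if mac not in self.leases:
            self.leases[mac] = self.pool.pop(0)
        return self.leases[mac]

    # Proxy ARP: answer every subscriber-side ARP request with our own MAC,
    # whatever address is asked for. A laptop still configured for another
    # site (say 192.168.1.50 with gateway 192.168.1.1) therefore finds "its"
    # router here without being reconfigured.
    def arp_reply(self, pkt: Packet) -> Optional[str]:
        return GATEWAY_MAC if pkt.proto == "arp" else None

    # Captive portal: a valid access code grants a time-limited session bound
    # to the MAC and the IP it was granted on.
    def portal_login(self, mac: str, ip: str, code: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        ttl = ACCESS_CODES.get(code)
        if ttl is None:
            return False
        self.sessions[mac] = Session(ip=ip, expires=now + ttl)
        return True

    def _authorised(self, pkt: Packet, now: float) -> bool:
        s = self.sessions.get(pkt.src_mac)
        if s is None or s.expires <= now:
            self.sessions.pop(pkt.src_mac, None)  # expire lazily
            return False
        # A device cloning only the MAC on a different address does not
        # inherit the session; a full MAC+IP clone still would, which is
        # the known weakness of MAC-keyed captive portals.
        return s.ip == pkt.src_ip

    # Forwarding decision for one packet arriving from the subscriber side.
    def decide(self, pkt: Packet, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if pkt.proto == "arp":
            return "ARP_REPLY"
        if self._authorised(pkt, now):
            # A foreign static source address is translated, not rejected.
            foreign = ipaddress.ip_address(pkt.src_ip) not in SUBNET
            return "FORWARD_NAT" if foreign else "FORWARD"
        # Pre-authentication walled garden: DHCP, DNS and the portal itself.
        if pkt.proto == "udp" and pkt.dst_port in (53, 67):
            return "FORWARD"
        if pkt.dst_ip == GATEWAY_IP and pkt.proto == "tcp" and pkt.dst_port == 443:
            return "FORWARD"
        if pkt.proto == "tcp" and pkt.dst_port == 80:
            return "REDIRECT_TO_PORTAL"  # HTTP 302 to the login page
        return "DROP"
```

Two points a practitioner should take from the walled garden: DNS is allowed before login because the redirect only works if the client can resolve the site it tried to reach, which is also why DNS tunnelling is the classic way to bypass a captive portal unless the gateway forces pre-login DNS to its own resolver; and HTTPS to arbitrary sites is dropped rather than redirected, because a gateway cannot inject a redirect into a TLS connection without presenting a certificate it does not hold.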


References

  1. Definition partially sourced from: Visitor Based Networking Definition