Wednesday, May 14, 2014

public wifi

Public wifi from church premises
When it comes to Safeguarding, one area of protection and care that the church should not overlook is any wifi facility it offers to the public from church premises.

There are good reasons why such provision can be positive and helpful. Increasingly the Church seeks to engage with the community around it by offering the church premises for a wider variety of uses. Premises used for things such as conferences and training are more attractive if they provide an online facility, especially if your church premises have little or no 3G mobile phone broadband signal. Offering public wifi at a church raises two particular challenges: controlling who has access and controlling the content public users might access.

Controlling who has access - Providing wifi in a public arena, such as church premises, must be understood as fundamentally different from a domestic wifi scenario. One reason for this is that offering wifi safely to occasional/infrequent unknown users requires security approaches that are not needed in the domestic situation. A fixed wifi password, which must be revealed to every wifi user, leaves the wifi facility totally open to misuse and abuse once it has been distributed widely. However, systems which give some level of control over free wifi access must not be so complex that they become unattractive to either use or administer.

Controlling the content - Public wifi access is attractive to rogue internet users who might like to either download, or upload, illegal, illicit and pornographic content. Assuming such a user makes an internet connection with their own wifi device, once they have disconnected and removed themselves from the physical location of the wifi hotspot, there is no way to trace who that person was.

Solutions
For every problem there are solutions, and there are software and hardware tools which can, and I suggest should, be deployed by churches to ensure that the abuse and misuse of their wifi facilities is minimised as much as possible. This is not least for their own protection; there are serious legal and criminal ramifications of certain types of internet traffic being passed through a church broadband connection.
Controlling access - To control who can use the wifi, a system which uses timed vouchers is a reasonable solution. Firstly, such systems require users to present themselves to someone in-house to obtain the voucher, which can be limited to work only for (e.g.) 4 hours. Each user voucher uses a code or password which is unique, not generic.
Controlling content - To ensure that inappropriate material is not passed through the Church broadband connection a content filtering system should be deployed. Although such systems require some management, they are essential to try and block and filter inappropriate internet traffic of guest users.
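The timed voucher scheme described under "Controlling access" can be sketched as follows. This is an added example, not code from pfSense or from the original post; the class and method names are hypothetical, and starting the 4-hour clock at issue and tying each voucher to the first device that uses it are assumptions made for the illustration.

```python
import hashlib
import secrets
import time

VOUCHER_LIFETIME = 4 * 60 * 60  # seconds: the 4-hour example limit from the text
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"  # no 0/O/1/I/L, easy to read out


class VoucherStore:
    """In-memory voucher register (hypothetical; a real portal persists this)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._vouchers = {}  # sha256(code) -> record; plaintext codes are not kept

    @staticmethod
    def _digest(code):
        normalised = code.strip().upper().replace("-", "")
        return hashlib.sha256(normalised.encode()).hexdigest()

    def issue(self, issued_to, issued_by):
        """Create a unique code and record who asked for it and who handed it out."""
        code = "".join(secrets.choice(ALPHABET) for _ in range(10))
        self._vouchers[self._digest(code)] = {
            "issued_to": issued_to, "issued_by": issued_by,
            "issued_at": self._clock(), "device": None,
        }
        return f"{code[:5]}-{code[5:]}"

    def redeem(self, code, device_mac):
        """Return 'ok', 'unknown', 'expired' or 'in-use' for a login attempt."""
        rec = self._vouchers.get(self._digest(code))
        if rec is None:
            return "unknown"
        if self._clock() - rec["issued_at"] >= VOUCHER_LIFETIME:
            return "expired"
        mac = device_mac.lower()
        if rec["device"] is None:
            rec["device"] = mac  # assumption: first device to log in owns the voucher
        if rec["device"] != mac:
            return "in-use"  # a passed-on code does not work on a second device
        return "ok"

    def holder_of(self, code):
        """Look up who a voucher was issued to, for follow-up after a report."""
        rec = self._vouchers.get(self._digest(code))
        return None if rec is None else rec["issued_to"]
```

Because each code maps to one named person and one device, a voucher that is passed around stops working, and the register gives the premises a record of who was online that a shared fixed password cannot.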
Deploying such a solution?
Such systems typically work by replacing the broadband router provided by the ISP with something more sophisticated. Such approaches need not be prohibitively expensive, especially if there are local people who can help with the setup and administration of the systems.
Some very worthwhile free solutions are available using open-source software-based routers. pfSense is an excellent example of an open-source solution which can provide all of the above; it provides many professional features. Although such software is free to download and use, it will need to be run on a dedicated PC. Ideally, special PC hardware which has a very low power requirement is used. Such hardware can cost less than £200; if that breaks the budget, pfSense can be run on a redundant PC which might cost next to nothing.
Other considerations?
Do you have extensive premises? If so, one wifi access point (AP) might not cover all the premises, and additional APs will be required. pfSense and solutions like it use a 'firewall' which provides robust security between different parts of the Church network, e.g. the church office. pfSense also has the ability to set up two (or more) wifi networks, one for trusted 'in house' connections and one for 'public' users. Separating these networks helps maintain network security; it does, though, add to the complexity of the setup. Carefully chosen AP hardware can broadcast both networks simultaneously, saving on hardware and power costs.

If you'd like to know more about deploying such systems, post a comment or contact me at: mark.pengelly AT methodist.org.uk
