Saturday | 22 November, 2008
Cisco server eases firm's network administrative burden
Cisco NAC Guest Server is based on Perfigo admission-control software
Tim Greene (Network World) 30/11/2007 05:39:08

When London-based investment bank Numis Securities moved to more posh quarters in the city's financial district, it also upgraded its wireless network and streamlined its guest logon process to project a more professional image.

Until the move this past March, the company had to call out its IT architect, Andrew Stephenson, and visitors had to wait around for him to set up guest access to the company's SMC-based wireless network.

"Our receptionist handles that now," Stephenson says. "Before it was me, and quite frankly I have bigger fish to fry than creating guest accounts. We have lots of guests."

Numis's wireless upgrade included switching the SMC gear for Cisco access points. The company also swapped out its Perfigo admission-control software running on a server for a new Cisco NAC Guest Server appliance, which is based on the same software from Perfigo. Numis's corporate Ethernet network supports 160 workers in London plus an office in New York City that is connected to London via two 2Mbps E-1 lines.

When guests at the London office turn on their wireless devices, they get a portal screen on their Web browser advertising the wireless network. For security reasons, the page has no identifying logos to indicate it is affiliated with Numis, he says. "We're in a prestigious section of the financial district and a lot of sniffing goes on," Stephenson says. "We try to maintain as low a profile as possible."

Guests enter their assigned user name and password and the Cisco NAC Guest Server appliance authenticates them, granting them access to the guest virtual LAN (VLAN). If the name and password are invalid, denial of access is enforced by the access point.

The guest VLAN allows access only to the Internet, and guest protocols are restricted to HTTP, Secure-HTTP and IPSec VPN, he says. That gives guests browsing capabilities, access to their e-mail and, if that's not enough, secure access to their corporate Internet connection. "We try to compromise between functionality and security," he says.
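The guest-VLAN policy described above, written as a flow audit; this is an added example, not Numis's or Cisco's configuration. The internal address ranges and the sample flows are assumptions, and the IPSec entry uses the standard IKE, NAT-T and ESP protocol numbers.

```python
import ipaddress

# Assumed internal ranges (RFC 1918); the article does not give Numis's addressing.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Guest protocols named in the article, mapped to standard protocol/port pairs.
ALLOWED = {
    ("tcp", 80): "HTTP",
    ("tcp", 443): "HTTPS",
    ("udp", 500): "IPsec IKE",
    ("udp", 4500): "IPsec NAT-T",
    ("esp", None): "IPsec ESP",  # IP protocol 50 carries no port numbers
}

def check_flow(proto, dst_ip, dst_port=None):
    """Return (allowed, reason) for one flow leaving the guest VLAN."""
    proto = proto.lower()
    dst = ipaddress.ip_address(dst_ip)
    # Internet-only: anything addressed to an internal range is refused first.
    if any(dst in net for net in INTERNAL_NETS):
        return False, "destination is internal; guest VLAN is Internet-only"
    key = (proto, None if proto == "esp" else dst_port)
    if key not in ALLOWED:
        return False, f"{proto}/{dst_port} is not a permitted guest protocol"
    return True, ALLOWED[key]

def audit(flows):
    """Return (flow, reason) for every flow that violates the guest policy."""
    return [(f, reason) for f in flows
            for ok, reason in [check_flow(*f)] if not ok]

# Constructed sample flows: (protocol, destination IP, destination port).
SAMPLE_FLOWS = [
    ("tcp", "198.51.100.10", 443),
    ("tcp", "198.51.100.10", 80),
    ("udp", "198.51.100.20", 500),
    ("esp", "198.51.100.20", None),
    ("tcp", "198.51.100.30", 22),   # SSH is outside the permitted set
    ("tcp", "10.1.2.3", 443),       # permitted protocol, internal destination
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(flow, "->", reason)
```

Run against exported flow records from the guest segment, any returned entry points to a gap between the intended policy and what the access layer actually enforces.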

Numis has a separate set of access points with unadvertised Service Set Identifiers that are used by company employees to gain wireless access to the general corporate network, he says.

Guest accounts are set up by the company receptionist, who has been granted rights to create them via a secure Web page, Stephenson says. The DHCP server for the guest network assigns IP addresses with 28-bit subnet masks that prevent guests from snooping on each other's devices, he says.

The company has similar guest-access needs in its New York office and, with the help of WAN optimization gear from Riverbed, plans to use the same NAC Guest Server to control access of those guests as well. Guest wireless devices in New York will submit a user name and password that is sent across the Atlantic to the guest server, which will accept or reject access, Stephenson says. The Riverbed boxes at both ends of the trans-Atlantic E-1s will speed up the authentication time so guests don't have to wait so long, he says.

The guest server provides logs of who creates accounts and when. That becomes part of an audit trail that he says could be valuable if it becomes necessary to figure out who admitted a particular guest.

Stephenson says security is his primary concern for the wireless network, hence the separate VLAN and access points for guests as well as the guest server. The ability for the receptionist to quickly grant guests access to the wireless network is a double plus, he says. First it reflects the firm's professionalism, but it also gets him out of the loop for creating guest accounts. "It gets rid of an administrative burden," he says. "It wasn't a priority but it was welcome."
