Guest networks are a great Wi-Fi security feature for many reasons.
Just having a second (or third) wireless network creates a number of security options.
The most obvious is using a different password. Visitors can be given a simple Wi-Fi password (something like "iamaGUEST") while the private Wi-Fi network uses a much longer one.
An additional network can also be turned on when you have visitors and off when you don't. No one can hack into a network that doesn't exist. It can also be used to support older Wi-Fi devices, those that can't do WPA2-AES encryption, without lowering the security on the main network.
Windows 10 includes a feature called WiFi Sense that makes it all too easy to accidentally share a Wi-Fi password with a horde of people. To defend against this, you may want to isolate Windows 10 devices on their own Wi-Fi network, leave it off as much as possible and frequently change the password.
That's the obvious stuff. Guest networks however, can offer a couple forms of isolation that other Wi-Fi networks do not.
ISOLATION FROM LAN
The first type of isolation keeps guest users away from the private LAN. That is, a guest user can not see any Ethernet connected devices, nor can they see any Wi-Fi devices that are logged on to a private Wi-Fi network (many routers can create a private network on both the 2.4GHz and 5GHz frequency bands).
This prevents guests from being able to access files on a NAS (Network Attached Storage) device or print to a network printer. Isolated guests can get to the Internet, they just can't get to any device on the private LAN.
An example of this, from the TP-LINK Archer C8 is shown below (see larger) The relevant checkbox is "Allow Guests To Access My Local Network".
Explaining is not something Asus does (see below). Their RT-N66U refers to this feature as "Access Intranet" expecting average consumers to understand the terminology. Asus owners that don't know that "intranet" is synonymous with LAN (Local Area Network), are left to their own devices. There is no explanation in either the router interface or the 70 page User Guide.
On the other hand, the RT-N66U can create three Guest networks on each frequency band.
The D-LINK DIR-890L calls this "Internet Access Only" and it is in the Home Network Access section (see below).
The older D-Link DIR-860L, which I wrote about recently, has an option called "Routing Between Zones" which D-Link says controls whether "Guest clients" can access "Host clients' data". To confuse things, they use the term "Zone" rather than network or LAN and throw in "host" too, a term with a specific meaning to techies, but that may sound like we are arranging a dinner party to some.
Playing with the online emulator for the DIR-890L, I found no option for encryption on its guest network, which contrasts with the DIR-860L that does offer WPA2 encryption on both of its Guest networks.
Sadly, the DIR-890L is not the only router that fails to offer Guest network encryption. Back in June, I wrote about the Linksys EA6200 which not only fails to offer encryption, but forces you to use a captive portal for the guest network; the worst of all worlds.
According to Jason Fitzpatrick of How-To Geek, older Netgear routers have an option to "allow guests to access my local network". Newer Netgear routers offer it too, more on this below.
ISOLATION FROM EACH OTHER
For extra credit, some routers let you ratchet up the isolation of devices connected to a Guest network.
These routers can isolate guest users from each other. This prevents something malicious on a Guest computer from seeing, let alone infecting, any other device on the same Guest network. Every guest device will think it is the only one on the network.
TP-LINK calls this "Allow Guests to See Each Other" and you can see it in the first screen shot above.
TRENDNET calls it "Wireless Client Isolation" (screen shot above) and they explain that it "isolates guests from each other".
From the earlier screen shot we that Asus does not offer this option, at least not on the RT-N66U. The same goes for the D-LINK DIR-890L.
Interestingly, Netgear used to offer this, but no more. Jason Fitzpatrick writes that
One complaint we’ll make about the guest network feature on the Nighthawk X6 that we also made about the original Nighthawk is that the guest network option for network isolation and local network access is the same toggle labeled “allow guests to see each other and access the local network.” Yet in older Netgear routers we’ve owned/tested the option was split into “allow guests to access my local network” and “enable wireless isolation.” ... there’s no good reason why the settings aren’t more granular on such a high-end router.
NOT JUST FOR GUESTS
Guest networks, by the way, don't have to be limited to visitors.
You may want to use the isolation they offer for children. If your router can schedule Wi-Fi networks, then having one exclusively used by children, allows it to be automatically turned off at bedtime.
Another option is to isolate Internet of Things (IoT) devices such as a thermostat, security camera or a smart TV. IoT devices are infamous for their poor security and how often does a ROKU box really need access to a network printer?
My stereo receiver plays Internet radio stations but also has Telnet port 23 open on the LAN side with no way to close it. And port 443, used for HTTPS, uses the old vulnerable SSL version 3 rather than the newer, more secure, TLS. The safest thing I can do for the receiver is to isolate it from other devices on my LAN.
Anyone who works from home probably uses a VPN for an encrypted connection to the home office. But, the operating system on this income-producing computer can still be impacted by malware on another device on the home network. Home workers are safer the more isolated they are.
If you do chose to use a Guest network for one of these alternate purposes, then, like any other Wi-Fi network, it should use WPA2-AES with a long password.
By the way, if you employ an isolated guest network, congratulations - you are ahead of the technical backwater that is Wi-Fi on an airplane. When I fly, I like to use a LAN scanning app, just for fun. If the airplane's network was securely configured, the scanner would not be able to see anyone else on the network. It should only see itself and the router. But, as of this past summer at least, GoGo and their Cisco Access Points are not that advanced.
If you are considering a new router be sure to look for guest networks that offer WPA2 encryption, isolation from the main network and isolation of guest users from each other. You will have to check the manual, this is not the sort of thing manufacturers put on the outside of the box.
For more security features that every router should offer see my Router Security Checklist.