Solved

Public WiFi separation from the local private network

Posted on 2005-03-10
542 Views
Last Modified: 2010-03-17
Our restaurant has an internet connection that we need for credit card processing, ordering and such.
The boss wants to add WiFi wireless for the customers to use in the restaurant area.
I am concerned that the customers may try to hack our local network.
I probably need a good router with some way of dividing the subnets.
What is this technology called?
What is a good brand of router to buy?
Where can I read about how to lock down security of the network?

Thanks
Millard
Question by:Millardv
13 Comments
 
LVL 19

Expert Comment

by:nodisco
ID: 13515366
Millard

You can approach this a few different ways but I would recommend you use VLANs.  Essentially, your wireless APs and clients are all configured by the managed switch on one VLAN and your internal network is on a separate VLAN.  Inter-VLAN communication is only possible by using a layer 3 device, like a router or a layer 3 switch for example.  VLANs are secure and easy to manage and work on a principle that each port on the switch can be assigned to a certain VLAN.
Your internet router can then be configured - connecting to this switch - to route all outbound traffic.

                                                            Internet
                                                                 |
                                                              router
                                                                 |
                                                        Managed Switch
                                                       |                      |
                                            VLAN 10                 VLAN 20
                                          (Wireless)                (Internal)

As regards brands for both, you probably already have an internet router in place but I would go with Cisco on all equipment.  Depending on how many ports you require, a 2950 switch is a good model.  Dell have begun selling switches and their managed PowerConnect 3324 and 3348 switches are great value and their operating system is very similar to Cisco IOS.

cheers


0
 

Author Comment

by:Millardv
ID: 13516892
Thanks
This is very helpful.  I understand the managed switch. That will work.

This is a small restaurant and doesn't need 24 ports.
I was hoping to find a ROUTER with built in VLAN(s).
Do they make such a thing?

Millard
0
 
LVL 19

Expert Comment

by:nodisco
ID: 13516971
No - routers will pass VLAN traffic but VLANs are not configurable on them.  Considering port density, it would not even be practical to have them there.  You could link the 2 networks up with a router and configure access-lists to segregate traffic.

Do you currently have a router for your outbound internet traffic?  If so - what model is it?

If you do, then a managed switch with VLANs will be the ideal solution - VLANs are much easier to chop and change/manage than access-lists unless you are very comfortable with network OS's.

Post any further queries

0

 
LVL 6

Expert Comment

by:salvagbf
ID: 13517217
They do make routers with, for instance, 2 LAN ports that you can configure an ACL on to keep the networks separate. I use a Cisco 2600 at a high school I admin to accomplish this, to separate the admin and student networks.  However, that's about $2000.  Alternatively, what are you worried about customers accessing? You could just buy a wireless router and plug that straight into your network connection, and put the restaurant's computers behind another router.  That way the customers would only have access to the Internet.  Now, they'd still be able to sniff traffic coming from the router with your comps on it, but anything that gets there should be on its way to the Internet and if you're concerned about that data, it should be encrypted anyway.

          Internet
               |
     Wireless Router
        |             |||
    Router      Customers
       |
Private Comps


-Bernie
0
 
LVL 6

Expert Comment

by:salvagbf
ID: 13517242
As for brands of routers, I'm a big fan of Linksys.  Never had good experiences with D-Link.  Netgear is OK.

As for reading about network security... Any book that covers the CompTIA Security+ exam would be a good place to start.  

http://www.amazon.com/exec/obidos/tg/detail/-/0782143504/qid=1110552246/sr=8-4/ref=pd_csp_4/102-8996821-7502518?v=glance&s=books&n=507846
0
 
LVL 27

Expert Comment

by:pseudocyber
ID: 13519482
I would do it with a multiport firewall.  If you had a two ethernet port firewall, you could have the WAP on one, and your internal network on the other.  Then, in the firewall, you don't allow the two nets to communicate - no rule allowing, so denied.  Both nets can talk to the Internet connection.

      Internet
           !
      Firewall
     !          !
WAP    Internal Net
0
 

Author Comment

by:Millardv
ID: 13521480
These answers are great!
I am evaluating and learning.
I can try the 2 router Linksys option this weekend.

Question for pseudocyber:
Can you recommend a brand of firewall?
Is this something Linksys makes or Symantec or Cisco?

Thanks
Millard
0
 
LVL 27

Expert Comment

by:pseudocyber
ID: 13534088
Cisco makes excellent firewalls - the Pix is a recognized leader.  I'm more familiar with Checkpoint Firewall - ours runs on Nokia.

The Symantec stuff looks interesting, but I've never used it.

If you have Linux expertise, you could get a PC with multiple NICs and run IPTables - and have your own firewall.  Or there are Linux based appliance alternatives, depending on your budget.

HTH
0
 
LVL 19

Expert Comment

by:nodisco
ID: 13534138
To follow the above post, a Cisco PIX 515E with 3 LAN ports would do the job.  Your inside interface would be your internal network, your DMZ interface would connect to your wireless network and both of these can go out through the outside interface to the internet.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13583876
Here's a lower-cost product from D-LINK
http://www.dlink.com/products/?sec=0&pid=349

You can take a Linksys WRV54G and make it a Boingo Hotspot. This makes all the wireless a DMZ that cannot access your internal LAN..and reap recurring profit from Boingo..

0
 

Author Comment

by:Millardv
ID: 13587767
lrmoore
We weren't planning to spend $3000+ on this project unless we had to. Tell me if this would work.
What are the negatives?

          Internet
                  |
                Router
            |              |
 Local Network      Wireless router on another subnet
   |   |    |                  Wi-Fi
 local users


We are considering the Boingo idea
Thanks
Millard
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 300 total points
ID: 13587786
In this scenario, the WiFi network is protected from the local users lan, but the local network is not protected from the wireless network.

How about this:
  Internet
    Router w/DMZ interface
          |                          |dmz
     Local network            Wireless router
                                           |
                                         WiFi clients
0
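The zone-pair policy behind the firewall and DMZ designs above (pseudocyber's two-port firewall, nodisco's PIX inside/DMZ/outside layout, and lrmoore's note that the cascaded-router layout protects only one side) can be written out as a small model. The Python below is an added example, not code from any poster and not a PIX or iptables configuration; the subnets and hosts are constructed for the illustration. It applies default deny with stateful return traffic, and a second permit set reproduces the asymmetry lrmoore describes.

```python
"""Zone-pair firewall policy model for a restaurant LAN with customer Wi-Fi.

Added example with constructed addressing, not taken from the thread or any
product. Zones: "inside" = the restaurant's own machines, "dmz" = customer
Wi-Fi, "outside" = the Internet. A flow is forwarded only if an explicit rule
permits it, or if it is the reply to a connection already permitted (stateful
filtering, as a PIX or iptables with connection tracking would do).
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample subnets for the two local segments.
ZONES = {
    "inside": ip_network("192.168.10.0/24"),
    "dmz": ip_network("192.168.20.0/24"),
}

# Design 1: dedicated multi-port firewall (pseudocyber) or PIX with
# inside/DMZ/outside interfaces (nodisco). No rule mentions inside<->dmz,
# so both directions fall through to the default deny.
THREE_ZONE_FIREWALL = {("inside", "outside"), ("dmz", "outside")}

# Design 2: Millard's layout, where the wireless router NATs Wi-Fi clients
# onto the same segment as the local users. NAT lets the Wi-Fi side open
# connections to anything upstream, including the local network, while
# unsolicited traffic from local users toward Wi-Fi clients is dropped:
# the asymmetry lrmoore points out.
CASCADED_ROUTER = {("inside", "outside"), ("dmz", "outside"), ("dmz", "inside")}


def zone_of(addr: str) -> str:
    """Map an IP address to its zone; anything outside our two LANs is outside."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "outside"


@dataclass
class Firewall:
    permit: set                                    # permitted (src zone, dst zone) pairs
    established: set = field(default_factory=set)  # 5-tuples already allowed

    def check(self, src, sport, dst, dport, proto="tcp") -> bool:
        """Return True if a packet is forwarded, False if it is dropped."""
        # 1. Reply half of a connection that was permitted earlier.
        if (dst, dport, src, sport, proto) in self.established:
            return True
        # 2. New connection: only an explicit zone-pair rule can permit it.
        if (zone_of(src), zone_of(dst)) in self.permit:
            self.established.add((src, sport, dst, dport, proto))
            return True
        # 3. Default deny: no rule allowing, so denied.
        return False


def evaluate(permit: set) -> dict:
    """Run the flows a reviewer would want to see against one design."""
    fw = Firewall(permit=permit)
    wifi, local, web = "192.168.20.5", "192.168.10.7", "203.0.113.10"
    return {
        "wifi->internet": fw.check(wifi, 40000, web, 443),
        "internet->wifi reply": fw.check(web, 443, wifi, 40000),
        "local->internet": fw.check(local, 40001, web, 443),
        "wifi->local (file share)": fw.check(wifi, 40002, local, 445),
        "local->wifi": fw.check(local, 40003, wifi, 22),
        "internet->local unsolicited": fw.check(web, 3389, local, 3389),
    }


if __name__ == "__main__":
    for name, permit in [("three-zone firewall", THREE_ZONE_FIREWALL),
                         ("cascaded router", CASCADED_ROUTER)]:
        print(name)
        for flow, allowed in evaluate(permit).items():
            print(f"  {flow:30} {'ALLOW' if allowed else 'DENY'}")
```

Running it prints the verdict for each flow under both designs. The cascaded-router permit set models only the policy effect of the NAT, not NAT itself: the point it makes is that a consumer wireless router placed downstream protects its own clients from the local network, not the other way round, which is why the thread converges on a device with a separate DMZ interface.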
 
LVL 27

Accepted Solution

by:pseudocyber
pseudocyber earned 450 total points
ID: 13590280
>The boss wants to add WiFi wireless for the customers to use in the resturant area.
>We werent planning to spend $3000+ on this project unless we had to.

My recommendation is to give your boss two designs, in writing.  One is the best design for security, while accomplishing the objectives.  The other is the best design for price, while accomplishing the objectives.

Try to write some kind of "risk analysis" - search online for how to do it, or pick up a CISSP book.  You want to make sure you document what the risks are, how likely they are to occur, and what the business impact would be.  Then let your boss make the decision.  This is also known as "covering your a__".

You can have it good, cheap, or fast.  Pick two.
0