
Public WiFi separation from the local private network

Posted on 2005-03-10
Last Modified: 2010-03-17
Our restaurant has an internet connection that we need for credit card processing, ordering and such.
The boss wants to add WiFi wireless for the customers to use in the restaurant area.
I am concerned that the customers may try to hack our local network.
I probably need a good router with some way of dividing the subnets.
What is this technology called?
What is a good brand of router to buy?
Where can I read about how to lock down security of the network?

thanks
Millard
Question by:Millardv
LVL 19

Expert Comment

by:nodisco
ID: 13515366
Millard

You can approach this a few different ways but I would recommend you use vlans.  Essentially, your wireless APs and clients are all configured by the managed switch on one VLAN and your internal network is on a separate VLAN.  Inter-vlan communication is only possible by using a layer 3 device, like a router or a layer 3 switch for example.  Vlans are secure and easy to manage and work on a principle that each port on the switch can be assigned to a certain VLAN.  
Your internet router can then be configured - connecting to this switch and route all outbound traffic.

              Internet
                 |
               router
                 |
           Managed Switch
            |          |
        VLAN 10     VLAN 20
       (Wireless)  (Internal)

As regards brands for both, you probably already have an internet router in place but I would go with Cisco on all equipment.  Depending on how many ports you require, a 2950 switch is a good model.  Dell have begun selling switches and their managed PowerConnect 3324 and 3348 switches are great value and their operating system is very similar to Cisco IOS.

cheers


0
 

Author Comment

by:Millardv
ID: 13516892
Thanks
This is very helpful.  I understand the managed switch. That will work.

This is a small restaurant and doesn't need 24 ports.
I was hoping to find a ROUTER with built in VLAN(s).
Do they make such a thing?

Millard
0
 
LVL 19

Expert Comment

by:nodisco
ID: 13516971
No - routers will pass VLAN traffic but vlans are not configurable on them.  Considering port density, it would not even be practical to have them there.  You could link the 2 networks up with a router and configure access-lists to segregate traffic.  

Do you currently have a router for your outbound internet traffic?  If so - what model is it?

If you do, then a managed switch with vlans will be the ideal solution - VLANS are much easier to chop and change/manage than access-lists unless you are v comfortable with network OS's.

Post any further queries

0
 
LVL 6

Expert Comment

by:salvagbf
ID: 13517217
They do make routers with, for instance, 2 LAN ports that you can configure an ACL on to keep the networks separate. I use a Cisco 2600 at a high school I admin to accomplish this to separate the admin and student networks.  However, that's about $2000.  Alternatively, what are you worried about customers accessing? You could just buy a wireless router and plug that straight into your network connection, and put the restaurant's computers behind another router.  That way the customers would only have access to the Internet.  Now, they'd still be able to sniff traffic coming from the router with your comps on it, but anything that gets there should be on its way to the Internet and if you're concerned about that data, it should be encrypted anyway.

          Internet
               |
     Wireless Router
        |             |||
    Router      Customers
       |
Private Comps


-Bernie
0
 
LVL 6

Expert Comment

by:salvagbf
ID: 13517242
As for brands of routers, I'm a big fan of Linksys.  Never had good experiences with D-Link.  Netgear is OK.

As for reading about network security... Any book that covers the CompTIA Security+ exam would be a good place to start.  

http://www.amazon.com/exec/obidos/tg/detail/-/0782143504/qid=1110552246/sr=8-4/ref=pd_csp_4/102-8996821-7502518?v=glance&s=books&n=507846
0
 
LVL 27

Expert Comment

by:pseudocyber
ID: 13519482
I would do it with a multiport firewall.  If you had a two ethernet port firewall, you could have the WAP on one, and your internal network on the other.  Then, in the firewall, you don't allow the two nets to communicate - no rule allowing, so denied.  Both nets can talk to the Internet connection.

      Internet
           !
      Firewall
     !          !
WAP    Internal Net
0
 

Author Comment

by:Millardv
ID: 13521480
These answers are great!
I am evaluating and learning.
I can try the 2 router Linksys option this weekend.

Question for pseudocyber:
Can you recommend a brand of firewall?
Is this something Linksys makes or Symantec or Cisco?

Thanks
Millard
0
 
LVL 27

Expert Comment

by:pseudocyber
ID: 13534088
Cisco makes excellent firewalls - the PIX is a recognized leader.  I'm more familiar with Checkpoint Firewall - ours runs on Nokia.

The Symantec stuff looks interesting, but I've never used it.

If you have Linux expertise, you could get a PC with multiple NICs and run IPTables - and have your own firewall.  Or there are Linux based appliance alternatives, depending on your budget.

HTH
0
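Added example, not part of the thread: the multiport firewall design from the posts above ("no rule allowing, so denied") written as an iptables ruleset for the Linux option. The interface names, and the assumption that the firewall box also serves DHCP and DNS to both networks, are assumptions of this example.

```shell
#!/bin/sh
# Added example: emits an iptables-restore ruleset for a Linux firewall with
# three NICs. Interface names are assumptions (defaults: eth0 = Internet,
# eth1 = internal network, eth2 = guest WAP); pass your own as arguments.
# Syntax check without loading:  sh thisfile.sh | iptables-restore --test

guest_fw_rules() {
    wan=${1:-eth0}; lan=${2:-eth1}; wifi=${3:-eth2}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# To the firewall itself: loopback, replies, SSH admin from internal only,
# DHCP and DNS for both networks (assumes this box provides them)
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan -p tcp --dport 22 -j ACCEPT
-A INPUT -i $lan -p udp -m multiport --dports 53,67 -j ACCEPT
-A INPUT -i $lan -p tcp --dport 53 -j ACCEPT
-A INPUT -i $wifi -p udp -m multiport --dports 53,67 -j ACCEPT
-A INPUT -i $wifi -p tcp --dport 53 -j ACCEPT
# Guest to internal is already denied by the DROP policy; log it
# (rate limited) and drop it explicitly so attempts show up in the logs
-A FORWARD -i $wifi -o $lan -m limit --limit 5/min -j LOG --log-prefix "guest-to-lan: "
-A FORWARD -i $wifi -o $lan -j DROP
# Both networks may reach the Internet; only replies come back in
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -j ACCEPT
-A FORWARD -i $wifi -o $wan -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Hide both private networks behind the Internet-facing address
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
EOF
}

guest_fw_rules "$@"
```

There is no rule in either direction between the guest and internal interfaces, so the internal network cannot be reached from the WAP and nothing on the internal side can open connections to guest devices either.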
 
LVL 19

Expert Comment

by:nodisco
ID: 13534138
To follow the above post, a Cisco PIX 515E with 3 LAN ports would do the job.  Your inside interface would be your internal network, your DMZ interface would connect to your wireless network and both of these can go out through the outside interface to the internet.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13583876
Here's a lower-cost product from D-LINK
http://www.dlink.com/products/?sec=0&pid=349

You can take a Linksys WRV54G and make it a Boingo Hotspot. This makes all the wireless a DMZ that cannot access your internal LAN..and reap recurring profit from Boingo..

0
 

Author Comment

by:Millardv
ID: 13587767
lrmoore
We weren't planning to spend $3000+ on this project unless we had to. Tell me if this would work?
What are the negatives?

          Internet
                  |
                Router
            |              |
 Local Network      Wireless router on another subnet
   |   |    |                  Wi-Fi
 local users


We are considering the Boingo idea.
Thanks
Millard
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 300 total points
ID: 13587786
In this scenario, the WiFi network is protected from the local users' LAN, but the local network is not protected from the wireless network.

How about this:
  Internet
    Router w/DMZ interface
          |                          |dmz
     Local network            Wireless router
                                           |
                                         WiFi clients
0
 
LVL 27

Accepted Solution

by:
pseudocyber earned 450 total points
ID: 13590280
>The boss wants to add WiFi wireless for the customers to use in the restaurant area.
>We weren't planning to spend $3000+ on this project unless we had to.

My recommendation is to give your boss two designs, in writing.  One is the best design for security, while accomplishing the objectives.  The other is the best design for price, while accomplishing the objectives.

Try to write some kind of "risk analysis" - search online for how to do it, or pick up a CISSP book.  You want to make sure you document what the risks are, how likely they are to occur, and what the business impact would be.  Then let your boss make the decision.  This is also known as "covering your a__".

You can have it good, cheap, or fast.  Pick two.
0
