Provide public hotspot keeping private network secure

Posted on 2006-06-23
256 Views
Last Modified: 2013-12-14
Hello Experts,

A small office wants to provide internet for visitors without exposing their computers.  They have DSL internet service.  Will this work?

Use the DMZ port to put a wireless router on the internet.  Both routers use NAT.


           Internet
                 |
           DSL Modem / Router
              |DMZ               |
       Wireless             Office
       Router              Network
              |
          Public
         Hotspot

I think it should be okay to put a second router in the DMZ of the first router.  Here is the big question ... Will this keep the public hotspot visitors out of the office network?

Thanks,

Ed
Question by:testbenchdude
LVL 14

Expert Comment

by:ECNSSMT
ID: 16973378
If both networks are behind NATed routers, the only thing that either network will see would possibly be traffic with only the IP address of the other NATed router's WAN interface.  So if you were able to stick a sniffer somewhere between the two NATed routers, egressing to the internet, you would think that there are only two really chatty IP addresses; you will not even be able to guess what is behind each IP address.

Regards  

Author Comment

by:testbenchdude
ID: 16973584
Hi ECNSSMT,

I've been reading that the DMZ feature of consumer routers is only intended for routing to a single PC and does not necessarily provide isolation from other systems.  I am now thinking about a three router solution.  Also, NAT is not an option for the office because I'm told we'll need to provide VPN access.  So I'm kicking this up a notch.

               Internet
                    |
          DSL Modem / Router  
           (192.168.0.x)
            |                        |
     Wireless                   Wireless
     Router                      Router
     (192.168.16.x)          (192.168.32.x)
      DHCP                      DHCP
          |                          |
     Public                       Office
    Hotspot                     Network

This makes 3 subnets at 192.168.0.x, 192.168.16.x, 192.168.32.x

I believe this would allow for the future addition of many more subnets at:
192.168.48.x
192.168.64.x
192.168.80.x
      ....
192.168.240.x

If I did my math correctly this gives me 16 subnets with 4096 devices per subnet.  I can't imagine ever needing that many addresses.

I'm thinking a subnet mask of 255.255.240.0 would be proper for all subnets?

The wireless router for the hotspot will be NAT.  This keeps the office people out of the public network.  But the office will not be using NAT.  I'm assuming that because of the different subnets that it will not be possible for a computer on the hotspot to be able to connect to a computer in the office.  Correct?

I'll post more info about VPN routing when I have it.
LVL 14

Accepted Solution

by: ECNSSMT (earned 250 total points)
ID: 16975984
253 devices per this subnet, with 192.168.16.0 being reserved for the network, 192.168.16.255 being reserved for broadcast, and an IP address 192.168.16.X being reserved for the inside NATed address used as the default gateway.

Also, there is a big difference between the SOHO/consumer routers and the Enterprise models.  On the SOHO side, you have the theoretical limit of a class C subnet (255 IP addresses, with 252 IP addresses usable for devices).  Depending on the amount of traffic you have, you may quickly run out of usable bandwidth before you get to that 253 device limit.  So per the SOHO router with the added assistance of a switch, I can definitely say that it can easily handle 10 office users casually accessing the internet; at some point when you get to 30 users you may begin to see latency.  You may want to start to look into higher end devices like an L3 switch from Netgear that can provide the segregation on one box.  It's going to be $$$ though.

If you use a subnet mask of /20 (255.255.240) starting at 192.168.0.0, 192.168.16.0, 192.168.32.0... you can get your 4095 IP addresses (or 4092 usable; with e.g. 192.168.0.0 being the network, 192.168.15.255 being the broadcast for this subnet and an IP address as the default gateway).  But this implies that you get a router that can do better than a /24 SM (255.255.255.0).

Using 3 SOHO routers will be a bit of a pain, but it's doable.  And with the SOHO router you only have the capability of allocating a subnet with a max number of 255 IPs per subnet.  In almost all small businesses this is ample space, even though the outgoing traffic will reach the max capacity way before you hit 253 devices.

>The wireless router for the hotspot will be NAT.  This keeps the office people out of the public network.  But the office will not be using NAT.

All the SOHO routers will be using NAT to translate between the "inside" private address and the "outside" public address.  NAT was one of the methodologies used to resolve the IPv4 address shortage that was looming back in 1994; now sharing 1 public IP address between many devices with private IP addresses is a commonplace practice.

>I'm assuming that because of the different subnets that it will not be possible for a computer on the hotspot to be able to connect to a computer in the office.  Correct?

The subnets in general are just a means to segregate your layer 2 frame traffic; if it needs to go outside your subnet, layer 3 headers are provided per frame and the packet is then routed towards its correct destination; but just think of it as segregating the traffic.

If the user on the NATed wireless hotspot knows the IP address of the not-NATed office PC and there was a means enabled for logging into that PC, it could be done.  However, conversely, the non-NATed office PC will not be able to specifically see or readily access a user on the wireless hotspot because that user is behind a NATed router.  Again, a NATed device takes an IP address & port assignment on one side and associates it with an IP address on the other side; there is no way for any device to look at a router's NAT table to determine what is what.  So, not correct.  But the slight consolation is that users are usually interested in getting to the internet to do their thing and hacking is left to the hackers....

The VPN part will be interesting to say the least, and a well-planned infrastructure, especially in this case, will be needed.

Regards
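An added example (my own code, not from this thread) that works through Ed's subnet math with Python's ipaddress module and models the routing point in the accepted answer: the DSL router's route table, the hotspot router's NATed WAN address and the filter rule are constructed here, following the addressing plan posted above.

```python
import ipaddress

# Addressing plan from the thread: 192.168.0.0/16 carved into /20 subnets
BLOCK = ipaddress.ip_network("192.168.0.0/16")

def plan_subnets(prefix=20):
    """Network, broadcast and usable host count for each subnet of BLOCK.
    Usable excludes network and broadcast; the gateway takes one more."""
    return [(str(n.network_address), str(n.broadcast_address), n.num_addresses - 2)
            for n in BLOCK.subnets(new_prefix=prefix)]

def mask_for(prefix):
    """Dotted netmask for a prefix length, e.g. /20 -> 255.255.240.0."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask)

# Constructed view of the three-router design as seen by the DSL router.
# Both downstream routers' WAN ports sit on the DSL segment. The office router
# does not NAT, so the DSL router needs a static route to the office subnet;
# the hotspot router NATs, so the hotspot subnet is routed nowhere.
DSL_ROUTES = {
    ipaddress.ip_network("192.168.0.0/20"): "direct",
    ipaddress.ip_network("192.168.32.0/20"): "192.168.0.3",  # office router WAN
}
HOTSPOT_NAT_ADDR = "192.168.0.2"  # hotspot router WAN; its clients appear as this

def reachable(src, dst, deny=()):
    """Is a packet from src delivered to dst through the DSL router?
    deny: (src_net, dst_net) pairs dropped by a hypothetical filter rule."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for s_net, d_net in deny:
        if s in ipaddress.ip_network(s_net) and d in ipaddress.ip_network(d_net):
            return False
    return any(d in net for net in DSL_ROUTES)

def hotspot_client_to_office(office_ip, deny=()):
    """A hotspot client's packet leaves the hotspot router with the NATed source."""
    return reachable(HOTSPOT_NAT_ADDR, office_ip, deny)

if __name__ == "__main__":
    print(plan_subnets(20)[:3], mask_for(20))
    # Different subnets alone do not isolate: the DSL router simply routes it.
    print(hotspot_client_to_office("192.168.32.10"))
    # A filter on the path (ACL at the office router's WAN side) is what blocks it.
    block = [(HOTSPOT_NAT_ADDR + "/32", "192.168.32.0/20")]
    print(hotspot_client_to_office("192.168.32.10", deny=block))
    # The reverse direction fails without any rule: the client is hidden by NAT.
    print(reachable("192.168.32.10", "192.168.16.50"))
```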

Author Comment

by:testbenchdude
ID: 17012543
Hi ECNSSMT,

After further reflection on the public hotspot I've decided it causes too many headaches to keep a public wi-fi and a secure office network on the same DSL modem.

I've recommended my client to subscribe for a second DSL service.  In our area a basic 256K DSL package costs about $25 per month.  This second DSL circuit will be set up as a dedicated service to provide the public hot spot.  (The office next door may be willing to split the cost so we may only be looking at around $12.50 per month)

Now with the hotspot headache out of the way I can look into the VPN issue for the office network.  This office has 4 employees.  Two of these employees want the ability to map shares on the office file server (Linux) as a drive on their home PC.  This is necessary to be able to use a certain accounting software program that allows multiple accountants to share the same up-to-date client information.  

All of the desktop computers are running Windows XP Home and there is a single Linux based NAS device being used for file sharing.

For VPN I've started reading up on some popular SOHO VPN routers (Linksys BEFVP41, SnapGear Lite+, ZyWall 10).  So far the SnapGear looks attractive.  

Besides the two simultaneous home users it would be good to plan for a roaming system to connect from any client's office using IPSec software.  I've read that Microsoft's ipseccmd utility can be difficult and annoying to use, so I've got much learning to do here as well.

Ed

Author Comment

by:testbenchdude
ID: 17012620
I have closed this question.  "Provide public hotspot keeping private network secure"

For this situation my recommended solution is two DSL circuits.  One DSL circuit for a secure office network.  The other DSL circuit for a public hotspot.

Drawbacks
... monthly cost
... duplicate hardware

Advantages
... very simple implementation
... public visitors do not degrade office bandwidth
... no hacker risk from public hotspot

Once I learn more about the VPN issues I will post a new question.

Ed
LVL 14

Expert Comment

by:ECNSSMT
ID: 17031249
Thanks for the points.

Just a heads up though: with the SOHO router based VPNs, it will utilize the internet connection, and anyone expecting to use the internet during its operation may be sadly disappointed.  For SOHO class stuff, you may be looking at a server based solution, or RDP.  But if you don't mind seeing for yourself you can get a second-hand Netgear from http://www.justdeals.com/Items/FVS114NAR?. <$50

Regards,