jimcho74 asked:
How to separate one internet connection into 2 separate LAN networks

I have a cable modem in my store.
I use this cable modem for a DVR (security camera), and a few file servers are running on it.
I want to set up wireless internet for the customers, so they could sit down and surf the internet, e-mail, etc. But I don't want the wireless internet to get connected to our network.
Who knows what they have on their computers (viruses, spyware, etc.), and someone will try to hack into our file servers for fun. How could I separate one internet connection into 2 different LAN network groups?
I don't want these two groups talking to each other. I could order a separate internet line for the wireless, but I don't want to spend extra money for this.
I have Comcast cable with an HP ProCurve 2312 (unmanaged 12-port switch) and 1 Linksys router.
Could anyone help me with how I would solve this problem?

and

Could anyone recommend a hardware firewall/router with virus and spyware protection for a small business with under 15 computers?


Thank you so much..
ASKER CERTIFIED SOLUTION
Member_2_49692:

Of course you can do it, but I highly recommend spending the extra few bucks for a new line. IMO, would you rather spend the $40 or so a month, or pay a nasty consulting fee if someone hacks your boxes?
SOLUTION
Member_2_49692:

If you want to get fancy, you build a Linux box (using an old PIII PC) with DansGuardian on it as a firewall to protect your internal network, or one of the Linux firewall distros:


http://www.devil-linux.org/
http://www.zelow.no/floppyfw/
http://www.smoothwall.org/
http://www.ipcop.org/
http://www.astaro.com/
http://www.fs-security.com/

Or you could reburn the firmware on the Linksys so that it becomes a $600.00 network appliance capable of advanced things such as firewalling with iptables and so forth:
http://www.dd-wrt.com
http://www.openwrt.org

More information here:
http://lifehacker.com/software/router/hack-attack-turn-your-60-router-into-a-600-router-178132.php
The only free open-source antivirus I know of is ClamWin, but it does not do real-time scanning.
http://www.clamwin.com/
I should clarify that real-time protection is what I meant to say.
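The Linux-box route described above, worked through as an added example (this is not code from the thread, nor from any of the distributions or firmware projects linked): a POSIX shell script for a three-NIC Linux firewall that NATs the store LAN and the customer wireless segment out of the single cable-modem connection while refusing every forwarded packet between the two segments, and logs blocked guest-to-store attempts so they show up in the kernel log. The interface names eth0/eth1/eth2, the two private subnets, and the assumption that the same box answers DHCP and DNS on both segments are all assumptions to adjust for the real box. The `forward_verdict` helper walks the generated FORWARD chain the way the kernel does (first terminating match wins, LOG is non-terminating) so the isolation can be checked before anything is loaded.

```shell
#!/bin/sh
# Added example: one cable-modem uplink, two isolated LANs on a Linux firewall.
# All interface names and subnets below are assumptions, not values from the thread.
WAN_IF="eth0"                # faces the cable modem
LAN_IF="eth1"                # store network: DVR, file servers, ProCurve switch
GUEST_IF="eth2"              # customer wireless (Linksys used as an access point)
LAN_NET="192.168.1.0/24"
GUEST_NET="192.168.2.0/24"

# Emit an iptables-restore ruleset. Both segments are masqueraded to the WAN;
# the FORWARD chain drops anything crossing between them and logs guest->store
# attempts (rate-limited) for the kernel log. Assumes the box serves DHCP/DNS.
build_ruleset() {
  cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
-A POSTROUTING -s $GUEST_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
-A INPUT -i $LAN_IF -p udp -m multiport --dports 53,67 -j ACCEPT
-A INPUT -i $GUEST_IF -p udp -m multiport --dports 53,67 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $GUEST_IF -d $LAN_NET -m limit --limit 5/min -j LOG --log-prefix "guest-to-lan: "
-A FORWARD -i $GUEST_IF -d $LAN_NET -j DROP
-A FORWARD -i $LAN_IF -d $GUEST_NET -j DROP
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
-A FORWARD -i $GUEST_IF -o $WAN_IF -j ACCEPT
COMMIT
EOF
}

# Load the ruleset into the running kernel (root, iptables-restore required).
apply_ruleset() {
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  build_ruleset | iptables-restore
}

# First-match walk of the generated FORWARD chain for a NEW flow:
# $1 = ingress interface, $2 = egress interface, $3 = destination (CIDR text).
# Prints the verdict; LOG is skipped as non-terminating; no match -> chain policy.
forward_verdict() {
  build_ruleset | awk -v i="$1" -v o="$2" -v d="$3" '
    $1 == "-A" && $2 == "FORWARD" && $0 !~ /conntrack/ {
      in_if = ""; out_if = ""; dst = ""; verdict = ""
      for (k = 3; k <= NF; k++) {
        if ($k == "-i") in_if = $(k + 1)
        if ($k == "-o") out_if = $(k + 1)
        if ($k == "-d") dst = $(k + 1)
        if ($k == "-j") verdict = $(k + 1)
      }
      if ((in_if == "" || in_if == i) && (out_if == "" || out_if == o) && (dst == "" || dst == d)) {
        if (verdict == "LOG") next
        print verdict; found = 1; exit
      }
    }
    END { if (!found) print "DROP" }
  '
}

case "${1:-}" in
  apply) apply_ruleset ;;
  show)  build_ruleset ;;
  check)
    echo "guest -> store : $(forward_verdict "$GUEST_IF" "$LAN_IF" "$LAN_NET")"
    echo "store -> guest : $(forward_verdict "$LAN_IF" "$GUEST_IF" "$GUEST_NET")"
    echo "guest -> WAN   : $(forward_verdict "$GUEST_IF" "$WAN_IF" 0.0.0.0/0)"
    echo "store -> WAN   : $(forward_verdict "$LAN_IF" "$WAN_IF" 0.0.0.0/0)"
    ;;
esac
```

Run it with `show` to review the ruleset, `check` to confirm both cross-segment directions resolve to DROP while both uplink directions resolve to ACCEPT, and `apply` as root to load it. The same FORWARD logic carries over to a Linksys reflashed with DD-WRT or OpenWrt; only the interface names change. Note that the isolation lives entirely in the FORWARD chain: if the two segments were ever plugged into the same unmanaged switch, traffic would bypass the firewall and no rule here would help.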
SOLUTION
I believe that building a Linux box would probably be much more work and money than what would need to be spent here. Keep in mind that your time is money; if you spent 8 hours on a Linux box, would that justify supporting a box yourself rather than going with an inexpensive, proven wireless router that may cost you $50 or less? Remember, this is just for added convenience to your customers in your shop.
Of course you can separate them using 2 pieces of hardware, but like anything, they can be broken into.
If you would like to go with an advanced wireless router, I wouldn't suggest ripping apart your Linksys' firmware to get this. Spend a few extra bucks and go with a StarOS wireless router or a DemarcTech. These are inexpensive, yet VERY powerful.
With that comment, Ryan, it is safe to say that even if you purchase a second ISP line, you are just as susceptible then.
SOLUTION
The questioner also asked this question
Could anyone recommend a hardware firewall/router with virus and spyware protection for a small business with under 15 computers?

so I would say a Linux distro with firewall and so forth on it would fit the bill for the most part.

As I had mentioned before, the networks can be separated by just adding another router and using the existing switch and router, configuring them as mentioned above. I mentioned the firmware for the router as an option and the distros as options, as building out a network is all about options.


Nothing is bulletproof security, and anyone claiming that I would be very afraid of. Your security all depends on what you need to protect, the value of it, and the collateral damage (monetary or otherwise) a security breach would cost.

True, you could spend hours configuring everything, but once it is configured just make an image of the system. Then store that image as a backup; if the system ever crashes, all you would have to do is reload the image and then update the different packages (if necessary) using yum or rpm or another Linux package manager, or the updaters built into the different software.

If you want high security at an inexpensive price, open source is the way to go; otherwise you're going to spend $500.00 or more on a router that has similar software prebuilt into it and/or is using open-source software tweaked to that company's specs.

I can tell you from experience: in a 30-person user environment we had a Juniper Networks router with firewall and user tracking / web filtering... it crashed all the time and cost $1,500.00. The engineers at Juniper got involved and still could not make the thing stay up and running. It was designed to handle 50 users. Eventually it was replaced with another, more expensive router for $2,500.00.

For the cost of an OLD PIII with 1GB of RAM and some time, we could have had a Linux-based router/firewall/content filter with the box only costing $50.00 - $75.00. We also would not have been stuck in a subscription service (extra $500.00) and maintenance contract because it was proprietary hardware.


Some other open-source security programs you may want to consider:
Tripwire, SpamAssassin, Snort on it, and then use Nessus to scan your network for vulnerabilities and set up iptables.

http://www.tripwire.com/products/enterprise/ost
http://spamassassin.apache.org
http://www.snort.org
http://www.nessus.org
http://www.untangle.com
http://www.censornet.com/ 
IMHO,
If they are going to gain access to a line it is going to be because of inadequate security.

I understand separating them out, which makes sense from the old school of thought. But even if they are separated... network security devices, software, and tools should still be in place regardless to provide security.

Even if they are separate, the risk is still the same: you still have something connected to the internet. As long as it's connected to the internet it will be port scanned and susceptible to attacks.

If you have proper security in place it should not matter if you are sharing an internet connection or not... This is why you have DMZs, firewalls, honeypots, security on accounts, strong passwords, multiple layers of security. You want to make it as difficult as possible for the would-be attacker.

To be totally technical about it, a Linksys router isn't even a REAL router, it is a NAT; for it to be a real router you're either talking about using a computer with multiple NIC cards or buying a full-blown small- to large-business enterprise router.
I'm sorry, I am going to back off of this question. I believe the purpose of EE is to provide solutions to the questioner, reasonable and feasible. If this user is not capable of building, managing and supporting a Linux box, then I would recommend against it. If you are not familiar with Linux, troubleshooting can be very time consuming. Take into consideration what you are protecting: time, money and real-life chances.

And regarding providing real routing, this can be done with inexpensive routers yet. Think about moving your Linksys router over to the customer side, and purchase a decent router with anti-virus, maybe a SonicWall or something of that nature, for your network. When secured properly with this router, your network will be well prepared for your curious customers.

Or use a Demarc RWA or a StarOS wireless router; yes, they are Linux variants. However, they provide full GUIs and tech support at an excellent cost, with real routing. You will not have anti-virus, but you will have a secured (enough, within reason) network.
chuckycharms,

I don't disagree at all with your first statement. The questioner was looking for what I understood as an inexpensive way using existing equipment.

My last comment was more or less in response to the comment ryansoto made about separating the networks completely.

I agree with you about Linux. However, if you use the special distributions I mentioned above, all you have to do is pop the CD in and go... then just learn the application's interface, which is the same thing you would be doing with a SonicWall, Check Point, Juniper, Symantec, Cisco etc... when you go into its interface to update it and configure it.

If you build a Linux-based security box by installing Fedora and then loading packages, then yeah, Linux knowledge is required, and if the person does not have that it could be a problem and a major learning curve.

My Linux knowledge is very minimal and I have set up many Linux-based things to save myself lots of money. Yes, it did cost time and was a learning curve, but I think knowing Linux in some regard is a good thing these days, IMHO... Just look at the Evergreen PCs Walmart is selling with gOS on them; they sold out... Plus I save on all the licensing fees and pick up old boxes for $50.00 used that run my firewall and web filtering perfectly fine.

But I agree, ultimately it is going to be up to the questioner and what they are comfortable with. I was just trying to address the issue to the best of my ability with what was a decent, inexpensive solution.

The easiest, but not the cheapest, is buying an off-the-shelf appliance, but this is going to cost more money and less time. However, if it blows up and you don't have a maintenance contract or warranty on the hardware, then you're out of luck and have to buy another one. Usually you also have to get subscriptions to keep them up to date with the latest software, firmware etc.

The other way is just addressing it through hardware (another Linksys router), which accomplishes separating the networks for cheap but does not protect the network in any way other than making them separate networks.

And the other way is how I mentioned above, which is minimal monetary cost but possibly a large time cost and learning curve depending on which route is chosen.

It just depends on what the priority is: Security, Cost, Time, Ease of Use.
SOLUTION
Cloz,

Cisco by all means is good, don't get me wrong, I love Cisco...
But what's wrong with using an older PC?
If you've got the parts lying around and they're good, why not use them rather than put them in a landfill?

Heck, I just bought two used HP DL380 G3 servers with Xeon 3.06GHz processors, 2GB of PC2100 RAM, 3 x 18GB 10k SCSI HDs and an HP 5i RAID array for $155.00 each. They work perfectly fine.

What do you think is inside most of your network appliances?
Most of them contain older hardware; a good example is Linksys routers, which contain Pentium 166MHz - 266MHz processors depending on the model.

Most of your network appliances contain between a PIII 800 and a P4 1.8GHz processor.
Let's not confuse older model parts with actual old parts. While the CPU used in a router might be a PIII, it's new and is designed to work in a high-temp chassis without fans and has no moving parts that would fail. Parts used in firewalls and routers are hardened. The same can't be said about PC components. Just listen to your DL380 when you turn it on. It sounds like a jet about to take off.

Not to mention the OS running on them are specialized kernels designed to run much more efficiently than a full OS like the Linux distro you're suggesting. Specialized BIOS and memory bus. Just compare the throughput on an inexpensive Linksys compared to a PC running Linux. You just can't compare the processing throughput of an old PC running Linux with a Cisco PIX or 800 series.