Can I isolate a wireless router with a switch

Posted on 2010-08-13
Last Modified: 2013-11-05
At present my computer is wired to a DSL modem which is wired into the phone jack to connect to my Internet provider. I have always avoided wireless connections because there are inherent insecurities.

However, for various reasons, I would now like to provide a wireless connection to the internet. I assume this involves a wi-fi router. However, I would like to arrange things in such a way that none of the internet traffic from my wired desktop ever reaches the wireless router. I wondered whether a switch between the modem and my desktop, with the wireless router connected to the switch would do the trick. Something like this:

Phonejack
      |
      |
DSL Modem
      |
      |
  Switch  ---------------------- Wi-fi router
      |
      |
Desktop

Now I'm not clear on exactly how an (unmanaged?) switch works. On the face of it the task of a switch is to only send traffic where it needs to go, so as to not needlessly burden parts of the network (unlike a hub, which broadcasts everything everywhere, which chews up bandwidth).

So that would seem to mean that traffic between my desktop and the internet would never go by the wireless router. Is that right?
How does the switch know where to send the traffic from my desktop? Could it send traffic to the wireless router if I wanted it to? How would the switch know to do that?
Question by: imladris
 
Expert Comment by: deepdraw (LVL 15), ID: 33433691
If you use a Cisco wireless router you could put the wireless on a separate VLAN.

This page should give you some idea of price as they are more expensive than the average router.
http://www.hardware.com/routers/cisco-routers/cisco-800/
Greg
Expert Comment by: rfc1180 (LVL 24), ID: 33433697
> I would like to arrange things in such a way that none of the internet traffic from my wired desktop ever reaches the wireless router.

Not possible without creating a VLAN, which is typically created on a switch that has VLAN capabilities, but then you would need a router that has the capability of 2 layer 3 interfaces, or one router port that has the capability of 802.1Q tagging (the switch will need to support tagging as well). You could also connect the AP directly to a router that has an available layer 3 interface; this negates the need for the switch to have any of the other capabilities that have been mentioned so far.

Anything that is broadcast on a layer 2 network, the access point will see; you also have the ability of ARP poisoning, MITM attacks, etc. and really any other layer 2 attacks, some of which are really interesting.
Author Comment by: imladris (LVL 16), ID: 33434034
OK. I am certainly willing to buy a VLAN capable router.

Purely for the sake of understanding, though, if a switch winds up passing traffic to the router as well as the modem, how is it different from a hub?
Expert Comment by: gelgin (LVL 2), ID: 33434151
With a VLAN capable switch you can define which ports will participate in which broadcast domains (VLANs).

Also a switch limits the collision domain to the wire from each connected device to the switch port and no further.

In a hub all ports are part of the collision domain.

Switches are sometimes described as providing micro-segmentation.

In your case the router and modem would be in one broadcast domain (which also typically includes a subnet).

The router would have a separate interface in another broadcast domain with the AP.

The switch then associates the MAC addresses to ports and VLANs and only allows flows to occur within the defined VLANs.

Expert Comment by: rfc1180 (LVL 24), ID: 33434235
You could get a low-end router like a Cisco 2621, or you can get a Juniper NS5GT firewall; the NS5GT has the capability of tagging VLANs by utilizing sub-interfaces, as does the Cisco 2621.

Concept is this:

Router capable of VLANs and trunking, switch capable of VLANs and trunking:

http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a00800949fd.shtml

Or you can use the NS5GT and create 3 security zones: Untrust (WAN), WLAN zone (wireless) and LAN (hardwired). The AP would connect directly to the NS5GT and you would create a new layer 3 subnet. You would not have to worry about VLANs and trunking in this configuration. You can use any firewall/router, just ensure that the device is capable of at least 2 layer 3 interfaces (essentially creating 2 separate broadcast domains).

> if a switch winds up passing traffic to the router as well as the modem, how is it different from a hub?

Yeah; no offense, but there is much more to learn than just this. I can go on for hours. Just know that a hub is a layer 1 device and essentially every port hears everything from every other port, whereas a switch (most switches) is at layer 2; a switch will forward a frame based on the destination MAC address, typically one to one from switchport to switchport (typically, unicast traffic between two ports is only seen by those 2 ports and no other ports). Just know that all ports are in a single broadcast domain (unless of course some switchports are members of other VLANs). Broadcasts, unknown unicasts, etc. are flooded out all ports except the port that it was sent out on, so some traffic is seen on other ports. Also a hub shares bandwidth, whereas with a switch the bandwidth is dedicated between 2 ports. There is of course much, much more that a switch is and what it can do over a hub.

Billy
Expert Comment by: Steve (LVL 27), ID: 33434246
@imladris

The setup you have described above works in exactly the way you suggested and your understanding of how a switch works compared to a HUB is spot on.
The switch will only route the data to the wireless router if the data is intended for the router or an item on it. Any traffic between your desktop and internet will only be presented to the necessary ports.

The only extra traffic that vlans and routers will filter out is broadcasts. I doubt your PC/internet are making many broadcasts but if they are they are usually quite safe.

Although your switch layout should be fine, you can completely separate the wireless box if you want to by adding a cheapo router between the wireless router and the switch. This would separate traffic at a lower level than the switch and would not pass ANY traffic not specifically intended for the wireless router (including broadcasts).

Completely ignore the VLAN suggestions as that is greatly overcomplicating your request.
Expert Comment by: deepdraw (LVL 15), ID: 33435536
Won't the above make the configuration almost impossible?
How do you route the traffic from the wireless clients and then through NAT (ADSL modem), and can you give an example of a cheapo router that could do this?
 
Greg
Expert Comment by: asanchgo, ID: 33435693
Hi,

I have a similar configuration at home. Since a wireless router is already a router, you don't need another router. I think there are no VLAN concerns here, but 2 different subnetworks. For example, we could have network 192.168.0.0/24 for the desktop LAN and ADSL modem Ethernet port, and network 192.168.1.0/24 for wireless clients.

Let's assume that your ADSL modem has no router capability. In this case, you should have configured on your desktop a gateway IP address that is the ADSL modem Ethernet port IP, for example 192.168.0.1. The wireless router Ethernet port on this LAN side could be 192.168.0.2 for example, and your desktop 192.168.0.3.
- What happens if the desktop wants to send data to any network different from 192.168.0.x? It will send it to the gateway, that is, 192.168.0.1, the ADSL modem. Then, if there is no router capability, it will send it to the ISP router over ADSL. So you can never go to your wireless network from your desktop.
If your ADSL modem has router capabilities, like mine, once the packet has got into the ADSL modem router, it will know how to go to the 192.168.1.x network, so it will send the packet to 192.168.0.2 and then the wireless router would send the packet to the right host.
- What happens if a wireless host wants to go to any network different from 192.168.1.x? It will send the packet to its configured gateway, which in this case would be 192.168.1.1, because wireless hosts are on a different subnet than the desktop. Then, the wireless router will know the 192.168.0.x network as well as the internet gateway (192.168.0.1), so the wireless host will be able to send data to the desktop.
- The switch decision is based on MAC addresses; every NIC has a MAC address associated, so 192.168.0.1 will have MAC A and 192.168.0.2 will have MAC B, and your desktop will have MAC C. If your desktop decides to go to the gateway, it will know that it has to send the data to MAC A (by using ARP) and then the switch reads the MAC A destination and knows that it is on the port connected to the ADSL modem. The desktop packets will always go to the ADSL modem unless I want to go to the 192.168.0.2 IP address, which is improbable because it's just the IP of the wireless router (only if you want to enter the management web page of the wireless router).
- To avoid communication between the desktop and the wireless network, you need a kind of firewall feature at the wireless router, or a kind of ACL at the switch that says "every destination 192.168.1.x from 192.168.0.3 source is not permitted and every destination 192.168.0.3 from a 192.168.1.x source is not permitted either". I don't know if there is a commercial switch that has an access list feature or this kind of behaviour.

If you detect anything wrong on my comments, please let me know.

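As an added illustration (not code from the thread or from any poster): a Python model of the two-subnet layout described in the comment above, showing how each host picks its next hop and how the wireless router forwards with and without the ACL the comment describes. The wireless client address 192.168.1.10, the TEST-NET address standing in for a web site, and the rule format are assumptions made for the example.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import List, Optional


@dataclass
class Host:
    name: str
    iface: IPv4Interface      # address plus mask, e.g. 192.168.0.3/24
    gateway: IPv4Address

    def next_hop(self, dst: IPv4Address) -> IPv4Address:
        """Same subnet: ARP for the destination itself; otherwise hand it to the gateway."""
        return dst if dst in self.iface.network else self.gateway


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    permit: bool


@dataclass
class Router:
    """One interface per subnet, an optional access list, and a default route."""
    interfaces: List[IPv4Interface]
    acl: List[Rule] = field(default_factory=list)      # first matching rule wins
    default_gateway: Optional[IPv4Address] = None

    def forward(self, src: IPv4Address, dst: IPv4Address) -> str:
        for rule in self.acl:
            if src in rule.src and dst in rule.dst:
                if not rule.permit:
                    return "drop (acl)"
                break
        for iface in self.interfaces:            # directly connected subnet?
            if dst in iface.network:
                return f"out {iface.ip}"
        if self.default_gateway is not None:     # everything else goes upstream
            return f"to {self.default_gateway}"
        return "drop (no route)"


# Constructed sample hosts following the addressing used in the comment above.
DESKTOP = Host("desktop", IPv4Interface("192.168.0.3/24"), IPv4Address("192.168.0.1"))
LAPTOP = Host("wifi client", IPv4Interface("192.168.1.10/24"), IPv4Address("192.168.1.1"))
INTERNET = IPv4Address("203.0.113.7")   # TEST-NET-3 address standing in for a web site


def wifi_router(isolate: bool) -> Router:
    """The wireless router: 192.168.1.1 on the wireless side, 192.168.0.2 on the wired side."""
    acl = []
    if isolate:   # the two-direction ACL the comment describes (assumed syntax)
        acl = [Rule(IPv4Network("192.168.1.0/24"), IPv4Network("192.168.0.3/32"), permit=False),
               Rule(IPv4Network("192.168.0.3/32"), IPv4Network("192.168.1.0/24"), permit=False)]
    return Router([IPv4Interface("192.168.1.1/24"), IPv4Interface("192.168.0.2/24")],
                  acl, default_gateway=IPv4Address("192.168.0.1"))


def scenario() -> dict:
    open_router, locked_router = wifi_router(False), wifi_router(True)
    return {
        # The desktop hands internet traffic to the modem; the Wi-Fi router is never its next hop.
        "desktop_to_internet": str(DESKTOP.next_hop(INTERNET)),
        # Only management traffic addressed to 192.168.0.2 itself goes to the Wi-Fi router directly.
        "desktop_to_wifi_mgmt": str(DESKTOP.next_hop(IPv4Address("192.168.0.2"))),
        # A wireless client reaches the desktop via its gateway, the Wi-Fi router...
        "laptop_to_desktop_hop": str(LAPTOP.next_hop(DESKTOP.iface.ip)),
        # ...which, without a filter, routes it straight onto the wired subnet.
        "laptop_to_desktop_open": open_router.forward(LAPTOP.iface.ip, DESKTOP.iface.ip),
        # The ACL is what stops it; routing alone does not.
        "laptop_to_desktop_acl": locked_router.forward(LAPTOP.iface.ip, DESKTOP.iface.ip),
        # Internet-bound wireless traffic still goes upstream to the modem.
        "laptop_to_internet_acl": locked_router.forward(LAPTOP.iface.ip, INTERNET),
    }
```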
 
Expert Comment by: deepdraw (LVL 15), ID: 33435832
hehehe
Expert Comment by: Genestet (LVL 2), ID: 33439117
I know this doesn't answer your question directly and forgive me if my assumption of what you are wanting to achieve is wrong. If you are wanting to provide wireless internet access but keep your wired computer secure, you could buy a wireless router with built-in "guest zone" access such as the D-Link DIR-655.
Author Comment by: imladris (LVL 16), ID: 33446879
Well, this is disturbing. Lots of answers, but little commonality to them. I could, of course, simply select the answer that I like and understand and go with that. On the other hand, if I just take what I like, why ask the question?

So I would like to refocus the question. How does a switch work? Does my proposal work? And, more importantly, if not, exactly *why* not?

Let's also take a new starting point. Suppose I arrange my little network as follows:

Phonejack
      |
      |
DSL Modem
      |
      |
  Switch  ---------------------- Wi-fi router
      |
      |
 Router
      |
      |
Desktop


This is the same as before except for the router between the desktop and the switch. The purpose of the router is to block any (possibly unsanctioned) traffic from the Wi-fi router getting to the desktop.

So, with this setup, the desktop is clearly as secure as it was before. It is no more or less vulnerable to "outside" traffic. Stuff can come in from the wireless router the same as it can come in from the internet. The "desktop" router provides equivalent hardware based protection against both. The threats from the internet are no more or less serious than threats through the wireless router. Right?

The remaining issue is possible eavesdropping on desktop internet traffic by the wireless router. An ethernet, by nature, has all traffic everywhere on the wire. Hence the switch. My understanding remains that, in general, a (simple unmanaged) switch will "switch" traffic to the intended destination. This is the key difference between a switch and a hub. A hub broadcasts all the traffic it gets to all the lines it has, thus chewing up bandwidth. A switch will, conceptually, switch the traffic between the two ports that need it, and not send traffic onto any other ports.

So, on to the switch. How does it work? To what degree is my proposal wrong and why?

Now I gather that the answer to one of my questions ("How does the switch know where to send the traffic from my desktop?") is that it "discovers" this by broadcasting something or some initial part of it, observing where it gets a response from, and then subsequently only sends it to the target port.

If that is correct then there is *some* traffic that will "leak" from the switch to the wireless router. But I would expect it to be very minimal.

Is that right? Why or why not? How does a switch figure out where to send stuff?
Expert Comment by: asanchgo, ID: 33449830
Well... I will try to summarize the response... although it's not easy.

Try to read:

http://www.cisco.com/warp/public/473/lan-switch-cisco.pdf
http://www.cisco.com/en/US/docs/internetworking/technology/handbook/Routing-Basics.html

And now with my words:
- Switches are used to connect devices within the same subnet (broadcast domain), that is, the subnet part of their IP address is the same. Every Ethernet device has a physical address called a MAC, which comes from the manufacturer; it is something you cannot configure (unlike an IP address). What a switch does is "listen" on its ports, so when a packet comes in, it reads its source MAC address (for example MAC A), and then the switch gets to know that if it wants to send a packet with MAC A as destination, it has to send it to that port. A switch doesn't read IP addresses; it doesn't care about them.
- A host, for example a PC, has an IP address, gateway and mask (something you have to configure unless you use DHCP). If I want to send something, the first thing that happens is that the host reads the IP destination and checks whether that IP belongs to the same network that the host belongs to. If that is the case, the host sends the packet by using the MAC address of the destination host, and that is the only thing the switch needs to know to resend the packet to the appropriate port. What if I know the IP destination address but not the MAC destination address? Then the host has to use the ARP protocol, which consists of asking, by using a broadcast MAC address, "who has this IP address? Please send me your MAC address".
If the destination host is not on the same subnet, it has to send the packet to the GATEWAY IP that I configured, and that is normally the IP of the router that subnet is connected to. So:
- What a router does is connect subnetworks to "route" the packets between them. Every port of a router is within a subnetwork. The router needs to know the IP address to forward the packet, not the MAC address. Why? Because the MAC address only has sense within the subnet domain. When I send a packet to the gateway, I send the packet to a MAC destination that belongs to the router port configured with that gateway IP. Using MACs comes from the time when Ethernet consisted of a shared physical bus and there had to be a way to distinguish the different hosts on that bus.

So a normal topology is connecting hosts or servers to a switch, and then maybe switches to other switches, but at some point I have to connect them to a router to be able to go to another subnet or the internet. Your suggested topology is a bit complicated; you are trying to avoid one subnet getting to the other, but if the router works, your last configuration doesn't avoid that. The only thing that happens is routing between the wifi router and the desktop router. You need a firewall feature or access list feature in any of the routers or the switch (Cisco professional switches have this feature; I don't know about normal-price switches). So it's not a matter of using a switch or a router, or where to place them.

Maybe you can use a firewall configuration on your desktop to drop packets coming from the wireless subnet (I think McAfee can do that); it would be a software firewall, but it could work.

Remember: a switch "switches" packets of devices belonging to the same subnet, a router "routes" packets that belong to different subnets, and a firewall can be configured to drop packets that match a rule that I configure (for example, not letting a packet from the wireless subnet get to the desktop).
Author Comment by: imladris (LVL 16), ID: 33459554
OK, I have read through both documents. It appears to again confirm that, apart from initial, or special, activity, a switch will only send information to the intended destination. Quoting from the document (there's a diagram that goes with this):

Since the switch does not know where Node B is, the switch sends the packet to all the segments. But
the switch does not send the packet to the segment on which the packet arrived, Segment A. When a
switch sends a packet out to all segments to find a specific node, this is flooding.
· Node B gets the packet and sends a packet back to Node A in acknowledgement.
The packet from Node B arrives at the switch. Now the switch can add the MAC address of Node B
to the lookup table for Segment C. Since the switch already knows the address of Node A, the switch
sends the packet directly to the node. Because Node A is on a different segment than Node B, the
switch must connect the two segments to send the packet. You call this action forwarding.
· The next packet from Node A to Node B arrives at the switch. The switch now has the address of
Node B, too, so the switch forwards the packet directly to Node B.

So, in my configuration, the switch would send the *first* packet it receives from the desktop to both the wireless router and the DSL modem; but thereafter the traffic would go straight to the DSL modem, right? Also, I gather, if the desktop were to do a broadcast it would get passed to all destinations.

So, speaking short term, the wireless router would see the initial URL request of a website access, but none of the subsequent traffic. Right?

Remaining question would be how often, or under what conditions, the switch would lose its address tables, or feel the need to refresh them. The address tables would presumably not survive the switch being powered down (so when it powered back up, it would have to flood the initial packets again). What about amount of time passed (there are only three segments here, it certainly won't run out of room in its address tables)? What about rebooting the desktop? What about power cycling the wireless router?

So, again, I understand that there will be *some* traffic that will "leak" from the switch to the wireless router, because the switch needs to send some stuff onto that segment in order to discover what MAC addresses are there. But it still seems to me that it is pretty minimal, and that the associated security risk is commensurately small. I'm not looking for perfect security. This is a household, not the Pentagon. I'm not concerned with someone driving by and being able to find out what websites I visit. I am concerned about them being able "eavesdrop" on traffic to do with banking details or other such internet traffic needing security.

So it still sounds like the setup has enough security for my needs. To what extent am I wrong and why?

Expert Comment by: asanchgo, ID: 33459939
Well, what usually happens is that the host sends an ARP request to learn the MAC address of the IP destination. It's not that the switch necessarily floods the first packet of every sending host; maybe an ARP dialog has happened before and the switch listened to those packets and knows that MAC A is on port x and MAC B is on port y. If the MAC table of the switch is full and the switch doesn't know where to send a packet, then it will do flooding, but not always with the first packet. When a packet arrives at a host and the IP destination address is not for that host, the host drops the packet. So every packet from the desktop that doesn't go to the wireless network but arrives at the wireless router will be dropped by the router and won't get into the wireless network (as in the case that flooding existed).

The entries of the MAC table of a switch have a duration, but new packets arriving from the same MAC refresh that entry.

Routers also forward packets to the intended destination. Security concern is not that a packet from desktop to internet won´t go to the wireless network. That´s how it has to be and how switches and routers have to work, they have to try to switch or forward the packet to the port where the best path to the destination is.

Security is about protecting your network and letting get into it just what you want, so the question is: Can a host from wireless network send a packet to my desktop and that packet arrives to the desktop NIC? If the answer is YES, then there is no security or protection against wireless users. You need again a firewall feature.
Accepted Solution by: Steve (LVL 27, earned 250 total points), ID: 33459999
Woah, this is getting complicated!

@deepdraw

>>>"Wont the above make the configuration almost impossible?"

No reason it should. It's a very simple layout.

>>>"How do you route the traffic from the wireless clients and then through nat (adsl modem) and can you give an example of a cheapo router that could do this."

I'd be hard pressed to find a router that COULDN'T do this. The wireless box is on one side dishing DHCP addresses out to the clients on a particular subnet and pointing their gateway to a router. The router sits between the wireless box and the rest of the network and acts as a gateway. It points any internet traffic to the main router, which happily communicates back with it and provides the wireless clients with internet access but can easily limit access to the rest of the network. It's basically a DMZ in reverse.

@imladris
I agree a new starting point is a reasonable idea.

I know this will result in a long post but have included your post below to respond to your points in order:

>>>So I would like to refocus the question. How does a switch work? Does my proposal work? And, more importantly, if not, exactly *why* not?

Your original proposal would work, with the exception of the point below (*1) about broadcasts.
The switch simply looks at who a message is for and only sends it out of the corresponding port. The other ports do not even know the packet was sent.

>>>This is the same as before except for the router between the desktop and the switch. The purpose of the router is to block any (possibly unsanctioned) traffic from the Wi-fi router getting to the desktop.

Understood. The router protects the desktop from any internet based threats and also any wireless based threats. The wireless box has a router built in which protects the wireless clients from the internet and any threats from the desktop.
The dual firewall/routers effectively separate this into two networks that do not communicate with each other.

>>>So, with this setup, the desktop is clearly as secure as it was before. It is no more or less vulnerable to "outside" traffic. Stuff can come in from the wireless router the same as it can come in from the internet. The "desktop" router provides equivalent hardware based protection against both. The threats from the internet are no more or less serious than threats through the wireless router. Right?

Right.

>>>The remaining issue is possible eavesdropping on desktop internet traffic by the wireless router. An ethernet, by nature, has all traffic everywhere on the wire. Hence the switch. My understanding remains that, in general, a (simple unmanaged) switch will "switch" traffic to the intended destination. This is the key difference between a switch and a hub. A hub broadcasts all the traffic it gets to all the lines it has, thus chewing up bandwidth. A switch will, conceptually, switch the traffic between the two ports that need it, and not send traffic onto any other ports.

Spot on, except for broadcast traffic (*1)

>>>So, on to the switch. How does it work? To what degree is my proposal wrong and why?

Stop doubting yourself. You're right! :-)


>>>Now I gather that the answer to one of my questions ("How does the switch know where to send the traffic from my desktop?") is that it "discovers" this by broadcasting something or some initial part of it, observing where it gets a response from, and then subsequently only sends it to the target port.
If that is correct then there is *some* traffic that will "leak" from the switch to the wireless router. But I would expect it to be very minimal.
Is that right? Why or why not? How does a switch figure out where to send stuff?

Again, you're right. At regular intervals (and when first powered up) the switch has no clue where everyone is. When it receives a message for a client it doesn't know about, it sends the packet out of ALL ports (except the one it came in on) to see which one responds. When the client responds it saves its port in its memory so it knows which port to send to next time.

*1 Also, as mentioned above, some traffic is sent as a broadcast which goes to all ports. Broadcasts don't happen that much on small home networks but can include DHCP and auto discovery systems (like Windows' new home network discovery and iTunes Home Sharing). Generally, information in broadcast traffic is very simple and almost never contains anything you would like to keep secure. The data in broadcast traffic is usually of a discovery nature.

Both of these issues mean that at regular intervals a small amount of traffic will be passed to all ports on a switch. This is for efficiency, as switches were designed for speed not security.

Routers were designed for security & routing, so do not suffer the same issues.
Routers will specifically only pass traffic across that is destined for the other network. All other traffic, including broadcasts, are ignored.

Both of your network diagrams would work fine.
The first one would let some small, regular leaks of packets through to the wireless network, but it would be very minimal and could easily be solved if the wireless box is also a router. Set the wireless box to give out DHCP addresses to the wireless clients on a different subnet to the desktop's network. Broadcast traffic would be ignored by each other's network and traffic would be separated. The wireless box would route traffic to the gateway set in its internal config (the main router/DSL modem) and would allow the wireless clients to access the internet without revealing any IPs/MACs etc. from the desktop.

The second one would also work fine. It is basically very similar to a DMZ setup, but instead of having the DMZ between the internet and your network, your DMZ would be between your two networks.

My apologies if this makes as much sense as a Microsoft error message, but it's getting late and this thread has got very complicated ;-)
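As an added illustration (not code from the thread or from any poster): a small Python model of the unmanaged learning switch described in the accepted solution, wired as in the question (port 1 desktop, port 2 DSL modem, port 3 Wi-Fi router). It shows which ports see each frame as the desktop talks to its gateway, including the flooding after table aging and after a power cycle. The MAC addresses, the 300-second aging time and the frame sequence are constructed for the example.

```python
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample MACs and port numbers for the three devices on the switch.
MAC = {"desktop": "02:00:00:00:00:c3", "modem": "02:00:00:00:00:a1", "wifi": "02:00:00:00:00:b2"}
PORT = {"desktop": 1, "modem": 2, "wifi": 3}


@dataclass(frozen=True)
class Frame:
    src: str   # source MAC
    dst: str   # destination MAC


class LearningSwitch:
    """Unmanaged switch: learn the source MAC per port, forward known unicast to one
    port, flood broadcast and unknown unicast to every other port, age out entries."""

    def __init__(self, ports, age_seconds=300.0):
        self.ports = list(ports)
        self.age_seconds = age_seconds
        self.table = {}  # MAC -> (port, last_seen_seconds)

    def _expire(self, now):
        stale = [m for m, (_, seen) in self.table.items() if now - seen > self.age_seconds]
        for m in stale:
            del self.table[m]

    def receive(self, in_port, frame, now):
        """Return the list of ports the frame is sent out of."""
        self._expire(now)
        self.table[frame.src] = (in_port, now)          # learning (refreshes the timestamp)
        entry = self.table.get(frame.dst)
        if frame.dst != BROADCAST and entry is not None:
            out_port, _ = entry
            return [] if out_port == in_port else [out_port]   # same segment: filtered
        return [p for p in self.ports if p != in_port]          # flood everywhere else

    def power_cycle(self):
        self.table.clear()   # the table lives in RAM only


def scenario():
    """Which ports see each frame as the desktop talks to the modem (its gateway)."""
    sw = LearningSwitch(PORT.values(), age_seconds=300)
    d, m, w = MAC["desktop"], MAC["modem"], MAC["wifi"]
    seen = {}
    # Desktop ARPs for the gateway: a broadcast, so every other port (Wi-Fi included) sees it.
    seen["arp_request"] = sw.receive(PORT["desktop"], Frame(d, BROADCAST), now=0)
    # Modem answers unicast; the switch already learned the desktop, so only port 1 sees it.
    seen["arp_reply"] = sw.receive(PORT["modem"], Frame(m, d), now=1)
    # Desktop web traffic to the gateway: known MAC, delivered to port 2 only.
    seen["http_request"] = sw.receive(PORT["desktop"], Frame(d, m), now=2)
    # The Wi-Fi router's own frame to the modem never reaches the desktop port either.
    seen["wifi_to_modem"] = sw.receive(PORT["wifi"], Frame(w, m), now=3)
    # After every entry has aged out (nothing heard for > 300 s) the next desktop
    # frame to the modem is flooded again, so the Wi-Fi port sees one frame.
    seen["after_aging"] = sw.receive(PORT["desktop"], Frame(d, m), now=400)
    # The modem's reply re-learns its port and traffic is confined again.
    sw.receive(PORT["modem"], Frame(m, d), now=401)
    seen["relearned"] = sw.receive(PORT["desktop"], Frame(d, m), now=402)
    # Power-cycling the switch empties the table: the first frame floods again.
    sw.power_cycle()
    seen["after_power_cycle"] = sw.receive(PORT["desktop"], Frame(d, m), now=500)
    return seen
```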
 
Expert Comment by: Genestet (LVL 2), ID: 33460156
I understand your concern for security but sometimes you have to place trust in those that build our network security devices so as not to spend time "reinventing the wheel". Also you have to look at cost versus benefit when choosing an enterprise product over a perfectly capable SOHO device. As a security consultant, I have to reiterate that you take a look at the D-Link DIR-655. With the available "Guest Zone" feature, you can have two separate wireless networks with independent network names (SSID), independent security modes and networks (subnets). And with the check of a check box you can turn routing on or off between the untrusted "Guest Zone" and the other wired and wireless trust zones. There are many security features with most of them defaulted "on". I configure routers that cost 20 to 30 times more than this one that don't have much more built-in security.
Here is an emulator to familiarize yourself with the DIR-655 interface. The DIR-655 can be purchased for around $100.00:
http://support.dlink.com/emulators/dir655/121/Guest_Zone.html
Author Closing Comment by: imladris (LVL 16), ID: 33460467
Much, much clearer than a Microsoft error message :)
Expert Comment by: asanchgo, ID: 33461520
I agree, that guest zone feature is what I was calling a firewall feature; I didn't know the DIR-655 could do that, I have another brand of router at home.
Expert Comment by: Steve (LVL 27), ID: 33462240
@imladris

Glad to be of help :-)
Expert Comment by: deepdraw (LVL 15), ID: 33494396
Is it possible to forward a port to the PC?
How will NAT work?
To configure the NAT on the DSL router you would need policy NAT, as the IP of the device (your PC) is now on a different subnet.
I still don't think the above is a working solution as described.
The idea of having a guest wireless looks to be a good secure option. And you only need one device, which makes sense.
I would suggest Cisco ONLY if you wish to learn about networking.
 
Greg
 