Solved

How do I separate two wireless home computers that are a security risk to the rest of my home network, using two routers?

Posted on 2010-11-14
20
782 Views
Last Modified: 2012-06-21
We have a basic Linksys wireless router using a cable modem for home internet access, and want to isolate two of the hosts on our home network from dangerous traffic coming from the other three devices (two computers & a wireless iPad).  I was going to use another router to accomplish this, but most of what I am reading about this is confusing.  Do I need three routers, or two routers, to accomplish this?  I need two distinct networks using basic routers if possible.  And how do I configure them, generally speaking?  Thank you.
Question by:lextec
20 Comments
 
LVL 15

Expert Comment

by:JBond2010
ID: 34133911
You can accomplish this if you have a Router that supports DMZ. You will only need one Router for this.
0
 

Author Comment

by:lextec
ID: 34133934
Traffic must be completely separated from each other yet remain NATed behind the firewalls.  As of now there is a single IP address for the cable modem.  How, using your suggestion of DMZ, can we isolate traffic?  We are fighting an intruder who is extremely adept at penetrating.  Thank you.
0
 
LVL 6

Expert Comment

by:Kris Montgomery
ID: 34133935
I agree with JBond2010

My suggestion for a router.  Lots of features for $100. :)

http://www.google.com/products?q=netgear+wnr3500&um=1&ie=UTF-8&sa=N&hl=en&tab=wf

Thanks!
mug
0
 

Author Comment

by:lextec
ID: 34133995
Ok, I must use two routers for this reason, and I appreciate your suggestion to use a DMZ but, two computers are used by children and the attacker is gaining access through various means including emails, Facebook links, etc., but the children's computers ARE the weak spot.  If the attacker compromises these systems he/she can damage and cause great harm to the two adult computers which carry many important documents, etc.  The attacker is one of the best, so based on my research, it seems two distinctly separate networks is the way to go.  If I am mistaken, please explain and perhaps we can go the DMZ route.   The DMZ allows for connections from the hosts on the same network, right?
0
 
LVL 15

Expert Comment

by:JBond2010
ID: 34134306
With DMZ this will give you the option to create two separate networks, via subnets. As security is a concern you should look into intrusion software.
0
 
LVL 2

Expert Comment

by:handoo_shuchit
ID: 34134326
Hi Lextec,

My first suggestion (in case you are fighting an intruder) would be NOT TO ENABLE DMZ. It would allow the intruder complete access into your Network. Now, there would be two ways of getting into your network:

1). Via the Router
2). Via Internet

I would be explaining both the ways for you.

In Way 1 - The Intruder needs a direct/remote connection to the router. This can be done by simply plugging a laptop into one of the Ethernet ports of your Router (if you are fighting an intruder, I think you would have already taken care of this), or connecting wirelessly to your router and getting into your LAN. This can be taken care of by securing your Wireless network with a WEP or WPA key and constantly changing them.
Also, you can bind your laptop's / desktop's / iPad's MAC addresses with your router, and so the router will only provide access to your devices. This would be the best way to ensure that no other person/device can log into your network.

In Way 2 - Via the Internet.
Your IP can be traced once you are trying to access the web by packet sniffing. I would give you a wonderful idea! Change the DHCP configuration of the router: i.e. if the router has got the DHCP range of 192.168.1.1, change this to 10.1.2.1, and then install "IP Changer" software on your computer.

With this application, you can surf the internet and no one needs to know your original address!! IP Changer 0.2 in this way allows you to keep changing your IP settings, save them for future use and then apply them.

URL : http://download.cnet.com/IP-Changer/3000-2155_4-10065756.html

This way, you will secure your entire network, and will not spend for purchasing any other Router.

Or in case you want, you can Always buy another Router and connect it the way shown below :



   | Cable | ======== | Router 1 |========== | Router 2 | =====|==== Comp 1
                                                              | === Comp 2
                                                              |=== Comp 3 / iPad

In this case, you will get an IP Address of 244.212.43.35 (for e.g.) on the cable Modem, that it will pass on to Router 1. Router 1 would then generate an IP Address of the series 192.168.1.1 (for e.g.) which it will give as an input to Router 2, which will convert it into 10.0.25.1 (for e.g.) and give the three computers IP Addresses accordingly.

As per my suggestion. In case you have anything else in mind / an Add On, please let me know and I shall assist you further.


Till then,

Happy Surfing.
0
 
LVL 8

Expert Comment

by:dosdet2
ID: 34138409
I believe your wireless access is your greatest weakness.  
I had one system that was being hacked, I started by changing the WEP key and it only took less than 2 minutes and he was back in.  
For any hint of wireless security, you must use MAC address filtering, and even that can be overcome.

The only truly secure wireless is no wireless.  I know it is extremely convenient, but also convenient to the hackers.

To start your security:
First update your anti-virus software, then download Malwarebytes and install.  Once Malwarebytes has updated, disconnect the computer from the internet.  Run a full Malwarebytes scan, remove problems, then run your anti-virus full scan, remove problems, then run Malwarebytes again.  Repeat this process (back & forth) until both come up clean.  Each product helps uncover files / settings hidden from the other.  I have not discovered a single product that can find everything.

Put one computer (wired) back on to the network (with internet access) and log in to your modem and change all the passwords.  Do not use correctly spelled words and include capitals, numbers & symbols.  

You can use the double router system handoo_shuchit shows above but I suggest that your kids' computers be connected to router 1 as long as they are accessing pages / sites that are not secure.

A real boost for you would be to use a router (for router 1) like a Sonicwall tz200, or comparable, that has a better proactive firewall.  It's more expensive and there is a paid yearly agreement, but you won't believe the difference (if you can swing it).
Let us know.  :-)

0
 

Author Comment

by:lextec
ID: 34138692
Thanks for your comments.  Physical security is not an issue (yet!).  But all steps have been taken to secure the current wireless router from outside interference.  Again, the threat comes from our children's systems from a known stalker and expert programmer.  We must have our kids' computers up on the wireless network as well as mine and my wife's.  I am fairly well trained in this area but want to ensure that Zero network packets including ARPs get to my wired and my wife's wireless systems.  The attacker in the past has used the children's lack of judgement skills to plant rootkits etc. into their machines to compromise the adults' machines.  For reasons I won't go into here, the attacker has access to an iPad that wirelessly connects to our home network.  I want to continue to give the children their access but separate all those devices COMPLETELY from ours.  I want the parents' personal business to continue without fear of intrusion.  It seems to me the only way to accomplish this is through the use of a second router.  I am thinking: three routers, maybe.  The first would be attached to the Cable Modem, then two more attached to the LAN ports on the first router.  The kids would have access to one of the wireless routers and we adults to the other wireless router (understanding that the first router is simply there as an interface to the modem).  The IP software suggested doesn't address the internal danger we have.  It seems we must have two physical networks.  Where am I wrong, and can you suggest the best way to set this up?  Thanks so much for helping us with a very dangerous situation.
0
 

Author Comment

by:lextec
ID: 34138755
As a minor footnote I should mention we are giving up securing the kids' computers beyond the standard AV and software firewall, and MAC filtering.  We have cleaned them and he attacks them again, exposing the rest of the computers to the worms and trojans.  But we must have 4 devices wirelessly and one wired.  There is no changing this and we don't want the added expense of another internet subscription.  Many thanks again.
0
 

Author Comment

by:lextec
ID: 34138910
Thank you Handoo, but the computers in your diagram are all on the same LAN, which doesn't implement protection for the two adult computers who are participating in the unsecure LAN.  The two adult systems have been certified threat free and have NIS.  MAC filtering has been implemented and passwords to administer the router have been changed to extremely strong passwords, as has the encryption WPA2 AES scheme.
0
 
LVL 32

Expert Comment

by:aleghart
ID: 34139138
Problem #1, the attacker has access to a device which logs on to the wireless network.

--Remove this access.

Problem #2: the attacker tricks the children into doing XYZ

--Monitor the usage. Shut it down when you aren't there.

If you truly have a stalker harassing your family, you _don't_ continue to provide access to the network.  Furthermore, if the stalker is using email, chat, and social networks to harass your children, you _don't_ continue unfettered and unmonitored access for your children.

I cannot see why any sane person would continue in this manner.
0
 
LVL 8

Accepted Solution

by:
dosdet2 earned 250 total points
ID: 34139141
Actually in Handoo's diagram, If you put the kids computers as attached to Router 1's network, then they are not on the same LAN.  Router 2 sees Router 1's Network in the same way as Router 1 sees the internet (modem). You would be able to see your kid's computers but they could not see yours unless you initiated a connection, much the same way you would with a web page.


   | Cable | ======== | Router 1 |====== | Router 2 | =====| Comp 1
                           \      \                       | === Comp 2
                            \      \=====| Comp 3
                             \=====| iPad

This would give you the same protection between the networks as 3 routers.



0
 
LVL 8

Expert Comment

by:dosdet2
ID: 34139166
Another note - I agree with aleghart.  
Your kids are much more important than their access to the internet?



0
 
LVL 8

Expert Comment

by:dosdet2
ID: 34139266
re:  "as has the encryption WPA2 AES scheme."

It doesn't really matter what encryption scheme is implemented.  If the Perp is monitoring your wireless, all he has to do is capture the initial handshake packets and those have all the information he needs for him to clone the MAC address and encryption keys.  That packet is not encrypted yet because the encrypted link has not yet been established.  Every packet - even after the encryption, contains the MAC address or the level 2 devices (switch) wouldn't know where the packet is going.  

0
 
LVL 32

Assisted Solution

by:aleghart
aleghart earned 250 total points
ID: 34139475
Getting a second internet connection won't solve the problem.  It exacerbates it, because (given the current behavior) you are likely to abandon the children to their own devices and ignore the new network.

The most effective method to segregate the traffic would be to have a router with an integrated wireless access point that can handle VLANs.  You can do the same with a separate access point, but you need the ability to handle VLANs.  SonicWall is a good source for that.  Netgear can get you a router plus WAP with VLANs.

If you aren't willing to spend that kind of money, then you can accomplish a cheap solution with three routers.

R1 connects to the internet.  Turn off wireless. Admin via wired only.
R2 connects "safe" network.  Turn off wireless. Admin via wired only.
R3 connects "dangerous" network.  Turn on wireless with WPA2 encryption.  Admin via wired only.

R1 LAN -> R2 WAN.  R2 WAN IP address is 192.168.11.2
R1 LAN -> R3 WAN.  R3 WAN IP address is 192.168.11.3

This segregates "safe" from "dangerous".  At any time, you can pull the plug between R1 & R3, disconnecting internet access, but not affecting R2 "safe" network.

This can be done with cheap $40 Linksys routers.

routers-3-nets.jpg
0
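To make the difference between the layouts in this thread concrete, here is an added example that is not code from the thread or from any of the posters. It models each consumer router as a NAT box that only lets connections be initiated from its LAN side towards its WAN side, then computes which hosts can open a connection to which in handoo_shuchit's flat layout, in dosdet2's two-router layout (kids' devices on Router 1's LAN, adults behind Router 2) and in aleghart's three-router layout (R2 "safe" and R3 "dangerous" both hanging off R1). The 192.168.11.x addressing for R1's LAN follows the WAN addresses given above; every other subnet, and all host names, are assumed values chosen for the example. It also checks for overlapping LAN subnets, the usual mistake when chaining routers that all ship with the same default range.

```python
"""Connection-initiation model for the chained-router layouts in this thread.

Constructed example, not code from the thread. Each consumer router is treated
as a NAT box with no port forwards, no DMZ host and no UPnP-opened ports: a
connection can be *initiated* from its LAN side towards its WAN side, never
from WAN towards LAN. Hosts sit on named networks; host A can open a connection
to host B only if B's network lies on A's outbound path (A's own network, or a
network reached by leaving one or more routers in the LAN -> WAN direction).
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Router:
    name: str
    wan_net: str   # name of the network the WAN port plugs into
    lan_net: str   # name of the network created behind the LAN ports / radio
    lan_cidr: str  # subnet handed out on the LAN side (assumed values below)


class Topology:
    def __init__(self, routers, hosts):
        self.routers = list(routers)
        self.hosts = dict(hosts)  # host name -> network name

    def outbound_networks(self, net):
        """Networks into which a host on `net` can open connections."""
        seen, frontier = set(), [net]
        while frontier:
            n = frontier.pop()
            if n in seen:
                continue
            seen.add(n)
            # Leaving a router LAN -> WAN is allowed (NAT); entering WAN -> LAN is not.
            frontier.extend(r.wan_net for r in self.routers if r.lan_net == n)
        return seen

    def can_initiate(self, src, dst):
        return self.hosts[dst] in self.outbound_networks(self.hosts[src])

    def shares_broadcast_domain(self, a, b):
        """True when a and b see each other's ARP and other broadcasts."""
        return self.hosts[a] == self.hosts[b]

    def overlapping_subnets(self):
        """Router pairs whose LAN subnets overlap, which breaks routing between them."""
        nets = [(r.name, ipaddress.ip_network(r.lan_cidr)) for r in self.routers]
        return [(a, b) for i, (a, na) in enumerate(nets)
                for b, nb in nets[i + 1:] if na.overlaps(nb)]

    def matrix(self):
        """{(src, dst): can_initiate} over every ordered pair of distinct hosts."""
        return {(s, d): self.can_initiate(s, d)
                for s in self.hosts for d in self.hosts if s != d}


# Everything on one router: the situation the question starts from.
FLAT = Topology(
    routers=[Router("R1", "internet", "lan", "192.168.1.0/24")],
    hosts={"parent-pc": "lan", "kid-pc": "lan", "ipad": "lan", "web-server": "internet"},
)

# dosdet2's layout: kids' devices stay on Router 1's LAN, the adults' machines sit
# behind Router 2. Subnets are assumed values.
TWO_ROUTERS = Topology(
    routers=[
        Router("R1", "internet", "r1-lan", "192.168.1.0/24"),
        Router("R2", "r1-lan", "safe", "10.0.25.0/24"),
    ],
    hosts={"parent-pc": "safe", "kid-pc": "r1-lan", "ipad": "r1-lan", "web-server": "internet"},
)

# aleghart's layout: R1 faces the modem, R2 ("safe") and R3 ("dangerous") hang off
# R1's LAN. 192.168.11.0/24 for R1's LAN follows the .2/.3 WAN addresses given in
# the thread; the R2 and R3 subnets are assumed.
THREE_ROUTERS = Topology(
    routers=[
        Router("R1", "internet", "r1-lan", "192.168.11.0/24"),
        Router("R2", "r1-lan", "safe", "192.168.2.0/24"),
        Router("R3", "r1-lan", "dangerous", "192.168.3.0/24"),
    ],
    hosts={"parent-pc": "safe", "kid-pc": "dangerous", "ipad": "dangerous", "web-server": "internet"},
)

if __name__ == "__main__":
    for label, topo in [("flat", FLAT), ("two routers", TWO_ROUTERS), ("three routers", THREE_ROUTERS)]:
        print(f"== {label} ==")
        for (s, d), ok in sorted(topo.matrix().items()):
            print(f"  {s:>10} -> {d:<10} {'can initiate' if ok else 'blocked'}")
        print("  kid-pc and parent-pc share a broadcast (ARP) domain:",
              topo.shares_broadcast_domain("kid-pc", "parent-pc"))
        print("  overlapping LAN subnets:", topo.overlapping_subnets() or "none")
```

Running it shows what the two answers above describe: in the two-router layout the adults' machines can open connections to the kids' devices but not the reverse, and in the three-router layout neither side can initiate towards the other, while both still reach the internet and no longer share a broadcast domain, so ARP from the kids' network never reaches the adults' LAN. The model's guarantee rests on R2 having no port forwards, DMZ host or UPnP-opened ports, since any of those reopens the WAN-to-LAN direction; the overlap check flags a second router left on the same default subnet as the first, which must be changed for the chained routers to route at all.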
 

Author Comment

by:lextec
ID: 34140005
Thank you Aleghart and Dosdet2.  Very helpful information.  I think Aleghart that you have confirmed what I had believed to be the only "sure" solution.   I will wait for additional comments before awarding points.  Any further information on how to tweak the two inside routers will be appreciated. Otherwise, we will move to set this baby up and call it a victory for the good guys.

I am curious that the encrypted keys are at level 2 decipherable as WPA2 AES.  If it was that easy why have encryption at all.  Capturing packets is one thing, decryption is much more difficult if not impossible using AES and WPA2.  I am sure he monitors and sniffs but the real danger is the perp's physical access to the iPad.  This will not be a problem under aleghart's scenario.

Excellent input, thank you everyone!!
0
 
LVL 32

Expert Comment

by:aleghart
ID: 34140378
Suffice it to say that it's not sane to operate a network in this fashion.  But...that doesn't mean that there isn't a way to keep your personal network safe.

It's similar to an apartment situation where there are multiple units sharing one internet connection.  In addition to R2 & R3, you'd have R4, R5...one for each private network.  At some point the bandwidth sharing falls apart, but you get the idea.  Keeps your network safe from direct access.
0
 
LVL 8

Expert Comment

by:dosdet2
ID: 34140936
I'm sorry.  I really didn't intend my comments to sound harsh, I'm not so good with words sometimes.

But to answer encryption question:

It's not that it is easy, but it's very doable for someone who is motivated enough.  Encryption is very good once it is established. There is a handshake that happens when the connection is established.  This handshake initiates the connection and encryption. A person monitoring this handshake can extrapolate the information needed to clone the handshake.   The MAC address (layer 2 - sorry - I mistyped this as `level') always has to be correct (cannot be encrypted) for the packets to know where to go.  The MAC address CAN be easily cloned once you know what it is.  Also you can't use it if the original MAC address is already online.  That's where its main security comes from.

The handshake only takes place at the point where the computer first initiates the connection to the AP.  The person must be capturing at the time of the handshake and be able to identify the correct packets. If they live outside your broadcast range, then they have to somehow "camp out" within your broadcast range until a connection is made or reset.  Otherwise the encryption must be broken, and that is very hard.  I.e.: the motivation factor.
The real problem is that instructions for doing this can be found on-line.
 
0
 

Author Closing Comment

by:lextec
ID: 34143035
Two ways to skin a cat; both solutions helped.  I will go with multiple routers (3) just because I feel safer under that model.  Thanks for all of your help.

-LEXTEC
0
