Solved

How to secure your LAN if giving wireless access to random people?

Posted on 2012-09-22
Last Modified: 2012-10-24
If a coffee shop wants to give access to wireless but wants to protect itself from hackers on its own work PCs (x2), how is this done?

Are there reasonably priced routers for the job? Something like a guest access? Not permitting access to any other client?
0
Question by:fcek
19 Comments
 
LVL 17

Expert Comment

by:lruiz52
ID: 38424213
Depending on your network hardware, you can set up VLANs, ACLs, or just physically separate your LAN from the wireless network by directly connecting the wifi router to your firewall on an available port.
0
 
LVL 17

Expert Comment

by:pergr
ID: 38424253
Go for the FortiWifi-20C and use the guest access feature. It is about $300.

Effectively, it uses a different SSID for guests.
0
 
LVL 17

Expert Comment

by:pergr
ID: 38424257
Note that this will replace whatever router you have now. PCs can connect to the Ethernet ports, or via any switch you may have now.
0
 
LVL 78

Accepted Solution

by:
Rob Williams earned 2000 total points
ID: 38424461
Ideally you want a totally separate network for guests. Most business class routers have this capability, but some less expensive ones like some of the D-Links have a Guest wireless network. Alternatively you can do it as outlined in the following article with a pair of basic home routers. Option #3 is the simplest:
http://blog.lan-tech.ca/2011/05/23/create-an-isolated-network-using-one-isp-connection-and-modem/
Even though business and guest are sharing the same internet connection, guests cannot access the business network.
0
 
LVL 17

Expert Comment

by:pergr
ID: 38424532
By the way, the Apple Airport Extreme can also do the guest WiFi, but it does not have the UTM features.
0
 

Author Comment

by:fcek
ID: 38427121
Hi,

I like this option 3.....

" Alternatively you can do it as outlined in the following article with a pair of basic home routers.  Options #3 is the simplest:
http://blog.lan-tech.ca/2011/05/23/create-an-isolated-network-using-one-isp-connection-and-modem/ 
"

But please see pic attached ....

On the second router (has its WAN port fed from router 1)
I select "DHCP" from the list and it works fine.
 
But should I be choosing a different option?
choice-.jpg
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 38427128
DHCP will work but I recommend static.
0
 
LVL 17

Expert Comment

by:pergr
ID: 38427563
Note that with this solution your own users will have NAT twice, or double NAT, and depending on what routers you have (and their ALG) the double NAT may break some applications - meaning, typically some two-way-applications, like instant messaging, etc.

If that happens, I recommend getting the Apple Airport Extreme, unless you also want UTM features, in which case the FortiWiFi.
0
 

Author Comment

by:fcek
ID: 38429335
NAT twice, or double NAT - doesn't sound good :-(
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 38429370
A router is a NAT device, Network Address Translation.  When you have two routers in series you have double NAT. Safe, secure, and works fine for internet access but as pergr pointed out some services, primarily incoming services that you might use to access your site from the internet require special configuration or will not work.

Do you host your own mail server or web server?  Do you access your office by VPN?  Those are the types of services that can be affected.  There is no security risk, as a matter of fact double NAT can be more secure.
0
 

Author Comment

by:fcek
ID: 38429472
Do you host your own mail server or web server?  - No  
Do you access your office by VPN?  - No

I was thinking it would affect Skype and MS Messenger etc. and people would be annoyed.

It's a simple setup. 1 PC. 1 more max going in.
The rest are randomers. Any VPN will be outbound by coffee shop punters contacting their offices.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 38429495
Firstly, it won't affect the guest network as it is not in a dual NAT position. It is the business that is behind 2 routers. I have not seen it affect any outgoing services other than some VPN connections, but pergr may be right with Messenger and/or Skype; I use either very seldom. Other than some VPNs it usually only affects services that require manually configuring incoming port forwarding such as hosted mail servers and such.
0
 

Author Comment

by:fcek
ID: 38429645
RobWill - Just to make sure I understand this.

Router 1 and 2. The start of the daisy chain is the business = Router1 . The end of daisy chain is the randomers / customers Router 2.  Is this how you see it?

Thanks.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 38429775
Not sure I follow your description.

Assuming you are using option #3
Internet=>modem=>wireless router (guests connect)=>business router=>business users connect

The reason this is protected is the guest users are on the internet side of the business router, thus have no more access to the business than your neighbors do.

Fairly familiar with the configuration, I wrote the article :-)
0
 

Author Comment

by:fcek
ID: 38429900
Hi RobWill.

I was thinking it the other way around!
I've looked at your diagram again and see what you are thinking.

I'm using 2 routers.

Theirs - The first has a built-in modem and is installed there.
Mine - I was thinking of daisy chaining on and using for randomers only.

My router has better range but no modem. From theirs I see two other cat5 cables that are going somewhere .... for what I will have to see. On site tomorrow to see what's what.

This may turn out a lot more complicated than I thought.
Wish I could just add an access point that would do wireless and block any hackers.
Anyway will see what happens
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 38429933
If you configure:
Internet=>modem=>business router=>wireless router (guests connect)

Guests have full access to your network and you cannot access them. Definite no-no.

Think of a router as a one way valve as far as the security goes.

If you have a combined modem router you need to either put it in bridge mode (makes it a simple modem) and add two routers, or grant guests access to the combined modem/router unit and add another router for the business.

Or... as another suggested, buy a router with guest support, but that requires also putting the modem in bridge mode.
0
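Added example, not part of any poster's comment: a small Python model of the two router orderings discussed above, showing which side can open connections to the other and how many NAT layers each sits behind. It assumes consumer NAT routers with no port forwarding (LAN side may connect toward the WAN side, unsolicited WAN-to-LAN traffic is dropped) and a modem in bridge mode; the names `guest` and `business` are illustrative.

```python
# Added illustration (not from the thread): simplified model of consumer
# NAT routers with no port forwarding. Each router lets its LAN side open
# connections toward its WAN side and drops unsolicited WAN-to-LAN traffic.

def build(chain):
    """chain: router names ordered from the modem inward.
    Returns {router: upstream router, or None for the first one}."""
    return {name: (chain[i - 1] if i else None) for i, name in enumerate(chain)}

def upstream_path(topology, router):
    """LAN segments a host behind `router` can reach: its own LAN,
    then the LAN of every router between it and the modem."""
    path = []
    while router is not None:
        path.append(router)
        router = topology[router]
    return path

def can_initiate(topology, src_lan, dst_lan):
    """True if a host on src_lan can open a connection to a host on dst_lan."""
    return dst_lan in upstream_path(topology, src_lan)

def nat_layers(topology, lan):
    """Number of NAT routers between a host on `lan` and the modem."""
    return len(upstream_path(topology, lan))

def report(chain):
    topo = build(chain)
    return {
        "guest_reaches_business": can_initiate(topo, "guest", "business"),
        "business_reaches_guest": can_initiate(topo, "business", "guest"),
        "guest_nat_layers": nat_layers(topo, "guest"),
        "business_nat_layers": nat_layers(topo, "business"),
    }

OPTION_3 = ["guest", "business"]   # modem => guest router => business router
REVERSED = ["business", "guest"]   # modem => business router => guest router

if __name__ == "__main__":
    for label, chain in (("option #3", OPTION_3), ("reversed", REVERSED)):
        print(label, report(chain))
```

A combined modem/router that is not in bridge mode counts as the first router in the chain, so plugging a guest router into it while the business PCs stay on the combined unit is the `REVERSED` case.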
 
LVL 17

Expert Comment

by:pergr
ID: 38429958
If you do get something like the Apple Extreme, or the FortiWifi, that has a guest feature, it is good if you put the modem in bridge mode, but not strictly necessary.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 38429987
The combined router/modem is a router or a NAT device.  Adding anything else, without enabling bridge mode, creates double NAT.  That is not a security risk but can conceivably block some client access to their services such as connecting to their offices by VPN.  

More importantly, if you are connected to the modem/router and you connect another router to it for guests, you are not protected from the guests; their connection flows through yours.

This is probably not the place to ask this, and not questioning your doing so at all, but does it pay to offer wireless in a coffee shop?  I have always wondered that as I see 2/3 of the chairs occupied by folk buying 1 coffee and sitting there all morning on their laptop.  I suppose in this age it is almost a requirement to offer wireless.  Just thought it would be interesting to hear your point of view.
0
 

Author Comment

by:fcek
ID: 38477097
Will report back soon.
0

Question has a verified solution.