
How to secure your LAN if giving wireless access to random people?

If a coffee shop wants to give access to wireless but wants to protect itself from hackers on its own work PCs (x2), how is this done?

Are there reasonably priced routers for the job? Something like a guest access? Not permitting access to any other client?
fcek
Asked:
1 Solution
 
lruiz52 Commented:
Depending on your network hardware, you can set up VLANs, ACLs, or just physically separate your LAN from the wireless network by directly connecting the WiFi router to your firewall, on an available port.
 
pergr Commented:
Go for the FortiWifi-20C and use the guest access feature. It is about $300.

Effectively, it uses a different SSID for guests.
 
pergr Commented:
Note that this will replace whatever router you have now. PCs can connect to the Ethernet ports, or via any switch you may have now.
 
Rob Williams Commented:
Ideally you want a totally separate network for guests. Most business class routers have this capability, but some less expensive ones like some of the D-Links have a Guest wireless network. Alternatively you can do it as outlined in the following article with a pair of basic home routers. Option #3 is the simplest:
http://blog.lan-tech.ca/2011/05/23/create-an-isolated-network-using-one-isp-connection-and-modem/
Even though business and guest are sharing the same internet connection, guests cannot access the business network.
 
pergr Commented:
By the way, the Apple Airport Extreme can also do the guest WiFi, but it does not have the UTM features.
 
fcek (Author) Commented:
Hi,

I like this option 3.....

" Alternatively you can do it as outlined in the following article with a pair of basic home routers.  Options #3 is the simplest:
http://blog.lan-tech.ca/2011/05/23/create-an-isolated-network-using-one-isp-connection-and-modem/ 
"

But please see pic attached ....

On the second router (which has its WAN port fed from router 1)
I select "DHCP" from the list and it works fine.
 
But should I be choosing a different option?
choice-.jpg
 
Rob Williams Commented:
DHCP will work but I recommend static
 
pergr Commented:
Note that with this solution your own users will have NAT twice, or double NAT, and depending on what routers you have (and their ALG) the double NAT may break some applications - meaning, typically some two-way-applications, like instant messaging, etc.

If that happens, I recommend to get the Apple Airport Extreme, unless you also want UTM features in which case the FortiWiFi.
 
fcek (Author) Commented:
NAT twice, or double NAT - doesn't sound good :-(
 
Rob Williams Commented:
A router is a NAT device, Network Address Translation.  When you have two routers in series you have double NAT. Safe, secure, and works fine for internet access but as pergr pointed out some services, primarily incoming services that you might use to access your site from the internet require special configuration or will not work.

Do you host your own mail server or web server?  Do you access your office by VPN?  Those are the types of services that can be affected.  There is no security risk, as a matter of fact double NAT can be more secure.
 
fcek (Author) Commented:
Do you host your own mail server or web server?  - No  
Do you access your office by VPN?  - No

I was thinking it would affect Skype and MS Messenger etc. and people would be annoyed.

It's a simple setup.  1 PC.  1 more max going in.
The rest are randomers.  Any VPN will be outbound by coffee shop punters contacting their offices.
 
Rob Williams Commented:
Firstly it won't affect the guest network as it is not in a dual NAT position.  It is the business that is behind 2 routers.  I have not seen it affect any outgoing services other than some VPN connections, but pergr may be right with Messenger and/or Skype, I use either very seldom.  Other than some VPNs it usually only affects services that require manually configuring incoming port forwarding such as hosted mail servers and such.
 
fcek (Author) Commented:
RobWill - Just to make sure I understand this.

Router 1 and 2. The start of the daisy chain is the business = Router1 . The end of daisy chain is the randomers / customers Router 2.  Is this how you see it?

Thanks.
 
Rob Williams Commented:
Not sure I follow your description.

Assuming you are using option #3
Internet=>modem=>wireless router (guests connect)=>business router=>business users connect

The reason this is protected is the guest users are on the internet side of the business router, thus have no more access to the business than your neighbors do.

Fairly familiar with the configuration, I wrote the article :-)
 
fcek (Author) Commented:
Hi RobWill.

I was thinking it the other way around!
I've looked at your diagram again and see what you are thinking.

I'm using 2 routers.

Theirs - The first has a built in modem and is installed there.
Mine - I was thinking of daisy chaining on and using for randomers only.

My router has better range but no modem.  From theirs I see two other cat5 cables that are going somewhere .... for what I will have to see.  On site tomorrow to see what's what.

This may turn out a lot more complicated than I thought.
Wish I could just add an access point that would do wireless and block any hackers.
Anyway will see what happens
 
Rob Williams Commented:
If you configure:
Internet=>modem=>business router=>wireless router (guests connect)

Guests have full access to your network and you cannot access them.  Definite no-no.

Think of a router as a one way valve as far as the security goes.

If you have a combined modem router you need to either put it in bridge mode (makes it a simple modem) and add two routers, or grant guests access to the combined modem/router unit and add another router for the business.

Or... as another suggested, buy a router with guest support, but that requires also putting the modem in bridge mode.
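The two router orderings compared in the comment above, as an added model that is not part of the original thread: each router is treated as the "one way valve" described, assuming default NAT behaviour with no port forwarding or DMZ configured. The segment names and the `audit` helper are hypothetical, chosen for this illustration.

```python
# Added illustration, not from the thread. Each NAT router is modelled as a
# one-way valve: hosts on its LAN side may open connections outward through
# the WAN port; unsolicited traffic arriving on the WAN side is dropped
# (assumption: no port forwarding or DMZ is configured).

# A topology maps each LAN segment to the segment its router's WAN port is in.
OPTION_3 = {  # Internet => modem => guest wireless router => business router
    "guest_lan": "internet",
    "business_lan": "guest_lan",
}
REVERSED = {  # Internet => modem => business router => guest wireless router
    "business_lan": "internet",
    "guest_lan": "business_lan",
}

def upstream_chain(topology, segment):
    """Segments reached by leaving through successive WAN ports."""
    chain = []
    while segment in topology:
        segment = topology[segment]
        chain.append(segment)
    return chain

def can_initiate(topology, src, dst):
    """True if a host on src can open a connection to a host on dst."""
    return src == dst or dst in upstream_chain(topology, src)

def nat_layers(topology, segment):
    """Number of NAT routers between a segment and the internet."""
    return len(upstream_chain(topology, segment))

def audit(topology):
    """Summarise exposure and NAT depth for the two LANs in the thread."""
    return {
        "guest_reaches_business": can_initiate(topology, "guest_lan", "business_lan"),
        "business_reaches_guest": can_initiate(topology, "business_lan", "guest_lan"),
        "business_nat_layers": nat_layers(topology, "business_lan"),
        "guest_nat_layers": nat_layers(topology, "guest_lan"),
    }

if __name__ == "__main__":
    for name, topo in (("option 3", OPTION_3), ("reversed", REVERSED)):
        print(name, audit(topo))
```

In the option #3 ordering only the business LAN sits behind two NAT layers and guests cannot initiate connections to it; reversing the order flips both results.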
 
pergr Commented:
If you do get something like the Apple Extreme, or the FortiWifi, that has a guest feature, it is good if you put the modem in bridge mode, but not strictly necessary.
 
Rob Williams Commented:
The combined router/modem is a router or a NAT device.  Adding anything else, without enabling bridge mode, creates double NAT.  That is not a security risk but can conceivably block some client access to their services such as connecting to their offices by VPN.  

More importantly, if you are connected to the modem/router and you connect another router to it for guests, you are not protected from the guests; their connection flows through yours.

This is probably not the place to ask this, and not questioning your doing so at all, but does it pay to offer wireless in a coffee shop?  I have always wondered that as I see 2/3 of the chairs occupied by folk buying 1 coffee and sitting there all morning on their laptop.  I suppose in this age it is almost a requirement to offer wireless.  Just thought it would be interesting to hear your point of view.
 
fcek (Author) Commented:
Will report back soon.