Wireless Guest access on routers - how safe is it? Can they be hacked?

Some netgear and Linksys routers offer guest access.
How safe are these?

Is there a risk of someone with knowledge gaining access to you LAN?
feck1Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Dr. KlahnPrincipal Software EngineerCommented:
If the router does not offer open source firmware, I would not trust it.  This is a personal opinion based on the fact that US government agencies have in the past, and continue to, demand back-doors into equipment and software.  If there is an exploitable back door, someone will find it.  There are plenty of people in "eastern Europe" who have time on their hands.

If the router offers open source firmware, I still would not trust it due to the same reason above.  If there's a hole someone will find it.

Either you trust someone enough to give them access to your LAN, or you don't.  "The fact that you're not paranoid does not mean they're not out to get you."

IMO, a better solution is to put a router in front of a router creating a DMZ between.  Use two different manufacturers' products.  Give guests access to the outer router, but not the inner router.  Run your LAN on the inner router.  You then get double protection of the inner LAN, and can periodically change the password on the outer router to re-secure the "guest" network after someone has used it and no longer requires access.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
feck1Author Commented:
Good thinking. DMZ? What that?
0
Dr. KlahnPrincipal Software EngineerCommented:
DMZ is shorthand for DeMilitarized Zone.  It refers to an area located between two routers.  In this case the DMZ and the guests are in the first / outer router (the one which faces the internet), and your own LAN is in the second / inner router (the one which faces the first / outer router.)
0
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

feck1Author Commented:
Ok so www ---> guest router -----> wan port of internal router
0
Dr. KlahnPrincipal Software EngineerCommented:
Correct.  Outward facing router (any wired port) provides a wired connection to inner router's incoming WAN port.
0
feck1Author Commented:
Very well explained
0
feck1Author Commented:
So the "guest" router wireless would be configured as normal and no "guest" wireless feature required.
0
feck1Author Commented:
Like some routers have a <x> enable guest access. But in this case I don't need it - correct ?
0
Dr. KlahnPrincipal Software EngineerCommented:
That's correct.  Set up one WiFi network on the outer router for guests.  Set up another on the inner router for yourself.  If either router has guest capability, disable it.
0
feck1Author Commented:
So use diff router brands.
What are the chances of someone with vast networking experience hacking into the LAN for the guest router. Not govt / CIA or anything!
0
Dr. KlahnPrincipal Software EngineerCommented:
Given enough time and effort, I believe anything can be cracked.  The probability in this case is small if the router firmware is kept up to date.
0
Asif BacchusI.T. ConsultantCommented:
I would suggest you consider the two networks you are trying to isolate.  Is this for home use, a small business or a large enterprise?  Since you are looking at routers with 'guest networks', I would assume this is for home use.  In that case, what do you consider the likelihood of someone trying to hack your network?  Do you have very sensitive data you need to protect? Are you planning on running the guest network as an open network (no password) or will you still be using WPA2 and then just give your friends the password?

If you are looking at just providing a guest network so that your friends can connect to the internet when they visit but you don't want them on your internal network, then any of the Linksys/Netgear/ASUS/etc. guest-mode routers will more than suffice.  If you are looking at providing an open-authentication wi-fi hotspot, then I would go for at least custom firmware which will do a better job isolating the VLANs (internal vs guest).

For most home or even small business uses, the standard retail routers (custom firmware again is better) isolate traffic quite well.  If you are looking to secure an enterprise or very sensitive data then you are looking at the wrong solutions here and the whole DMZ double router idea proposed by other experts is the way to go.  In fact, I would build a custom BSD box instead of buying a retail router.

Hope that helps.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Routers

From novice to tech pro — start learning today.