Wireless Guest access on routers - how safe is it? Can they be hacked?

Some netgear and Linksys routers offer guest access.
How safe are these?

Is there a risk of someone with knowledge gaining access to you LAN?
feck1Asked:
Who is Participating?
 
Dr. KlahnPrincipal Software EngineerCommented:
If the router does not offer open source firmware, I would not trust it.  This is a personal opinion based on the fact that US government agencies have in the past, and continue to, demand back-doors into equipment and software.  If there is an exploitable back door, someone will find it.  There are plenty of people in "eastern Europe" who have time on their hands.

If the router offers open source firmware, I still would not trust it due to the same reason above.  If there's a hole someone will find it.

Either you trust someone enough to give them access to your LAN, or you don't.  "The fact that you're not paranoid does not mean they're not out to get you."

IMO, a better solution is to put a router in front of a router creating a DMZ between.  Use two different manufacturers' products.  Give guests access to the outer router, but not the inner router.  Run your LAN on the inner router.  You then get double protection of the inner LAN, and can periodically change the password on the outer router to re-secure the "guest" network after someone has used it and no longer requires access.
0
 
feck1Author Commented:
Good thinking. DMZ? What that?
0
 
Dr. KlahnPrincipal Software EngineerCommented:
DMZ is shorthand for DeMilitarized Zone.  It refers to an area located between two routers.  In this case the DMZ and the guests are in the first / outer router (the one which faces the internet), and your own LAN is in the second / inner router (the one which faces the first / outer router.)
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

 
feck1Author Commented:
Ok so www ---> guest router -----> wan port of internal router
0
 
Dr. KlahnPrincipal Software EngineerCommented:
Correct.  Outward facing router (any wired port) provides a wired connection to inner router's incoming WAN port.
0
 
feck1Author Commented:
Very well explained
0
 
feck1Author Commented:
So the "guest" router wireless would be configured as normal and no "guest" wireless feature required.
0
 
feck1Author Commented:
Like some routers have a <x> enable guest access. But in this case I don't need it - correct ?
0
 
Dr. KlahnPrincipal Software EngineerCommented:
That's correct.  Set up one WiFi network on the outer router for guests.  Set up another on the inner router for yourself.  If either router has guest capability, disable it.
0
 
feck1Author Commented:
So use diff router brands.
What are the chances of someone with vast networking experience hacking into the LAN for the guest router. Not govt / CIA or anything!
0
 
Dr. KlahnPrincipal Software EngineerCommented:
Given enough time and effort, I believe anything can be cracked.  The probability in this case is small if the router firmware is kept up to date.
0
 
Asif BacchusCommented:
I would suggest you consider the two networks you are trying to isolate.  Is this for home use, a small business or a large enterprise?  Since you are looking at routers with 'guest networks', I would assume this is for home use.  In that case, what do you consider the likelihood of someone trying to hack your network?  Do you have very sensitive data you need to protect? Are you planning on running the guest network as an open network (no password) or will you still be using WPA2 and then just give your friends the password?

If you are looking at just providing a guest network so that your friends can connect to the internet when they visit but you don't want them on your internal network, then any of the Linksys/Netgear/ASUS/etc. guest-mode routers will more than suffice.  If you are looking at providing an open-authentication wi-fi hotspot, then I would go for at least custom firmware which will do a better job isolating the VLANs (internal vs guest).

For most home or even small business uses, the standard retail routers (custom firmware again is better) isolate traffic quite well.  If you are looking to secure an enterprise or very sensitive data then you are looking at the wrong solutions here and the whole DMZ double router idea proposed by other experts is the way to go.  In fact, I would build a custom BSD box instead of buying a retail router.

Hope that helps.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.