In reference to your article “
Is the WiFi connection provided by my landlord safe, and if not, how
should I protect myself?“, while I am not *that* landlord, I am *a*
landlord. I don’t know how to look at my tenant’s data, but how do I
protect myself from my tenant and for that matter someone in another
apartment or someone just driving by the apartment building? According
to my tenant, there are 8 different networks registering on his laptop
(including mine). Because my tenant shares the cost of the connection
with me, I feel I have to protect the both of us from “problems.”
I have wireless broadband router I am wired directly to the router
and my tenant uses the wireless connection. The router itself has a
password on it and you need to enter an encryption key to gain access
to the network to which my router is attached.
There are a few issues here, some of which are common and have
standard solutions, which it sounds like you’ve already
However protecting you from your tenant, your tenant from you, and
for that matter all your tenants from each other gets … well, things
Become a Patron of Ask Leo! and go ad-free!
Let’s start with what you’re already doing correctly: password
protecting the wireless connection. As long as that router is
configured to use WPA encryption and not WEP, that should prevent
random people from connecting to your network when they are in
Make sure also that you change the administrative password on the
router itself. The defaults are well known, and if you don’t change it
any of your tenants could gain administrative access to the router and
do all sorts of nasty things with it.
Finally, as to those other 8 wireless networks that appear in range:
just don’t connect to them.
Now, let’s look at protecting you and your tenants.
First, let’s diagram what you’ve described:
In fact, I’ll expand that a little to a more general case:
As you can see, the internet comes into the router, where it’s then
shared with both your computer via a hardwired connection, and with one
or more tenant computers over wireless.
This is a perfectly acceptable solution to sharing an internet
connection, and is an extremely common configuration in homes and
The problem is simply this: it assumes that everything on the local
network is trustworthy.
To put it simply, a router used in this fashion protects one side,
the local network, from the other side, the internet. It does
not provide any protection between equipment on the same side.
By that I mean that the router does not protect machines on the local
network from each other. It assumes that they can all be completely
network is trustworthy.”
In your case, that’s a bad assumption. Tenant A’s computer could,
for example, become infected with a virus that could then migrate to
Tenant B’s computer or to yours. Or, even more worrisome, they could
actually purposely attempt to perform a malicious act.
Any time you have a collection of computers that share an internet
connection but can still not be trusted, you need to take extra steps.
And by “not trusted” I mean things like being operated by tenants whose
activities or expertise you have no knowledge of, or even your own
children whose inexperience you’re all too well aware of. You need to
protect yourself in either case.
In a case like this the assumption you need to make is very simple:
assume your computer is connected directly to the internet, and take
appropriate steps. Even though you’re connected behind a router, assume
the worst and pretend you’re not.
That means either making sure that everyone has appropriate firewall
and other security software installed on all machines, or devising a
hardware based solution.
And what’s my first reaction when I hear that someone is connected
directly to the internet?
Install a router.
Or, in this case, install another router.
There are two approaches, depending on what kind of internet
connectivity you’ve been given by your ISP.
Approach One: Your ISP will give you more than
one IP address.
In this case we use a hub (or a switch) to “split” the internet in
two before attaching a router.
In this configuration you have completely isolated yourself from
your tenants. Their machines can’t see your machines, and vice versa.
You’re totally protected from anything that they might try to do.
But note that by putting all the tenants behind a single router,
they are once again unprotected from each other. A more
complete solution might be something like this:
Here we’ve installed a router for each tenant. What this does is
create a private and protected network for each tenant, completely
isolated from each other. Each wireless network would have its own
unique ID and password, shared only with the tenant that is supposed to
be using it.
Personally, that’s a little over the top (though you’d be considered
a great landlord for providing this level of connectivity). A
much more common approach is to provide a “naked” wired
connection to each tenant, and let them install their own
router as needed. The diagram is identical to the previous one, the
only difference is in where the router might be physically located, and who
actually provides it.
All of the preceding assumes that your ISP will hand out more than
one IP address. The result is that each router is granted it’s own,
unique IP address on the internet.
The following scenario is actually slightly more common.
Approach Two: Your ISP will give you only
one IP address.
In a nutshell, the approach here is to replace the hub that’s been
“splitting” the internet with another router.
The function of what I’ve labeled the “Internet Sharing Router” is
simply that: to share the internet connection and the single IP address
that your location has been given. Each of the next level routers get a
unique local IP address on the tiny local network that exists only
between the routers. Each of those second level routers then creates a
unique, and once again private and protected, local area network for
the machines connected to it.
It’s tempting to think that all these routers are not needed – that
it’s overkill – but that’s simply not true, from either a functional,
or a security perspective:
Remove the “Internet Sharing Router”, and all but one of the other
routers will likely stop working, or connectivity will become
intermittent and unpredictable. Because your ISP is handing out only
one IP address, only one device can be connected directly to the
internet. This router is required to share that single IP between
Remove any one of the second level routers, and the machines that
were behind it could be exposed to malware originating on any
of the other network segments.
Remove two or more of the second level routers, and the machines
that were behind them are now completely exposed to each other.
All this security comes at a price. What we’ve created results in
something called “double NATting” where the path from any one computer
to the internet traverses two NAT routers. That can interfere with some
communications protocols, mostly peer-to-peer services. “Port
forwarding” becomes, if not a nightmare at least a very bad dream, as
ports would now have to be forwarded at two routers: first at the
sharing router, and then again at the local second level router.
But for basic operations like the web and email, this scenario
works, and works quite well.
There are other solutions, but I focus on the two presented here as
perhaps the most inexpensive and conceptually simple of the lot.
There are higher-end routers that can actually do everything the
collection of hubs and routers above do, in a single device. They can
be extensively configured to share a single IP address (without double
NATting), and protect sub-networks connected to the router from each
other. In fact, this is what you’ll usually see in larger installations
and corporations. The downside to this approach is simply cost and
complexity. Purchasing, connecting and configuring consumer-grade hubs,
switches and routers is well within the means of most average computer
users. The same is decidedly not true for the higher-end solutions,
where you really do want a professional to install and maintain the