Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

How should I protect my network and computers from my guests?

Question:

I noted in a previous article you mentioned that you set up a
private network for a machine suspected of infection. Then later I saw
that you mentioned you had enabled a separate private network for your
guests, and had enabled wireless security on your own network.

Can you explain what you did, and why you didn't have wireless
security on the whole time? I thought it was important?

Wireless security is important. But if you know what you're doing,
it's not always necessary. You can choose to run without it, if you're
fortunate enough to have other means of security in it's place.

My "other means of security"? A really long driveway.

Let me show you what changes I made, and explain why.

]]>

My home network has, until recently, been a very typical setup that I often recommend to my readers: a high speed always-on internet connection connects first to a router, and then all my computers are connected to that router, via a mix of wired and wireless connections.

Basic single-router home network

The fundamental assumption of this type of configuration is that all the computers on the inside or LAN (as opposed to WAN or internet side) of the router all trust each other and do not need to be protected from each other.

Clearly, bringing an infected machine into my home violates that assumption. But then again, so does having guests, whose computing habits I may not have faith in. If a well meaning guest brings with them an infected computer, that infection could easily and quickly spread to my other computers the moment they connect to my network.

A "second network", protected from the first, is called for.

I've actually discussed this scenario in a previous article, How do I protect users on my network from each other? and in a nutshell it means that each network needs to be behind its own router.

Securing <a href=local networks from each other" title= "Securing local networks from each other" />

Each of the networks created behind each of the routers is distinct, isolated from, and cannot "see" the other networks. This is exactly the security I was looking for. (If your ISP will give you more than one IP address, as mine does, then you may not need the "internet sharing router" shown in this diagram, but could use a simple hub or switch instead.)

So we've set up two networks that share my internet connection, and are protected from each other. Except for wireless networking, we're good.

Wireless, however, adds another small layer of complexity.

First, a word about the lack of encryption on my WiFi here at home.

My reasons are simple: WiFi has an effective or useful range of maybe 300 feet (around 100 meters). I live on a 4+ acre parcel of property, and thus anyone wanting to actually sniff my network would be immediately and obviously visible to me. They'd literally have to drive up my driveway and sit in their car.

I'd notice.

The reason that things get complicated, is that I wanted to provide WiFi access for my guests - the very guests I don't trust (no offense intended, guests Smile). On the surface that seems simple. I should just get another WiFi access point, connect it up to the "other" network I set up for my guests, give it another name and use a different WiFi channel, and they have access.

The problem is that as long as my "trusted" network has an open access point on it, there's nothing to prevent those guests, who are a lot closer than a car in the driveway, from access either network - mine or theirs.

The simple solution is to enable WPA encryption on the access point connected to the network I want to protect, and require a password.

Quickly, and easily done. I had to visit each of the two laptops that we have online right now and reconnect to the now encrypted wireless, and all was well.

The nuances of security are sometimes easy to overlook. Keeping yourself safe from internet threats is certainly one thing we're constantly being reminded of. But we also need to remember that sometimes the threats come from within.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

4 comments on “How should I protect my network and computers from my guests?”

  1. I am with Leo in two network approach.

    My suggestion is: Add a router with no wifi security to your main network (with wifi security enabled) for your guests and keep it out of your main network (in DMZ). When the guests are not around, you can even switch off this second router to prevent someone else using your connection resources, consuming bandwidth etc.

    Alternatively keep your main router at the front end without security and keep your main network behind a second security enabled router. guests get connected through this main router straight out to the Internet and the second router will protect your main network. You won’t be able to switch this front end router off this this case.

    Reply
  2. The explanation that seems to be missing here is that with WPA on my BELKIN router, you are allowed to specify two passwords: one that allows full access to the protected network and another that allows guests to access only the internet connection (and not the protected network).

    That way, I make the main password very difficult but can keep it static. The guest password I made simple, but can change anytime I suspect an intrusion onto my internet connection.

    Reply
  3. I got a strange call from my internet provider (the local phone company) accusing me of hooking up to a neighbor’s wireless connection. I don’t have a laptop and don’t subscribe to WiFi. The phone company said that doesn’t matter, a person could still get a wireless connnection. It made absolutely no sense to me; I was completely flabbergasted. Other neighors are on the wireless connection, but not me; I subscribe to high speed DSL through my phone’s modem. Can someone piggy back off my computer on a wireless connection even though I don’t subscribe to it? I am really paranoid now!

    Wireless isn’t something you “subscribe” to. It’s the WiFi connection used by your laptop and typically provided by your own wireless router or access point. If you don’t have any wireless adapters or laptops and no wireless access point or router, then I have no idea what your ISP is talking about either.

    – Leo
    01-Jul-2009

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.