I noted in a previous article you mentioned that you set up a
private network for a machine suspected of infection. Then later I saw
that you mentioned you had enabled a separate private network for your
guests, and had enabled wireless security on your own network.
Can you explain what you did, and why you didn’t have wireless
security on the whole time? I thought it was important?
Wireless security is important. But if you know what you’re doing,
it’s not always necessary. You can choose to run without it, if you’re
fortunate enough to have other means of security in it’s place.
My “other means of security”? A really long driveway.
Let me show you what changes I made, and explain why.
My home network has, until recently, been a very typical setup that I often recommend to my readers: a high speed always-on internet connection connects first to a router, and then all my computers are connected to that router, via a mix of wired and wireless connections.
The fundamental assumption of this type of configuration is that all the computers on the inside or LAN (as opposed to WAN or internet side) of the router all trust each other and do not need to be protected from each other.
Clearly, bringing an infected machine into my home violates that assumption. But then again, so does having guests, whose computing habits I may not have faith in. If a well meaning guest brings with them an infected computer, that infection could easily and quickly spread to my other computers the moment they connect to my network.
A “second network”, protected from the first, is called for.
I’ve actually discussed this scenario in a previous article, How do I protect users on my network from each other? and in a nutshell it means that each network needs to be behind its own router.
local networks from each other” title= “Securing local networks from each other” />
Each of the networks created behind each of the routers is distinct, isolated from, and cannot “see” the other networks. This is exactly the security I was looking for. (If your ISP will give you more than one IP address, as mine does, then you may not need the “internet sharing router” shown in this diagram, but could use a simple hub or switch instead.)
So we’ve set up two networks that share my internet connection, and are protected from each other. Except for wireless networking, we’re good.
Wireless, however, adds another small layer of complexity.
First, a word about the lack of encryption on my WiFi here at home.
My reasons are simple: WiFi has an effective or useful range of maybe 300 feet (around 100 meters). I live on a 4+ acre parcel of property, and thus anyone wanting to actually sniff my network would be immediately and obviously visible to me. They’d literally have to drive up my driveway and sit in their car.
The reason that things get complicated, is that I wanted to provide WiFi access for my guests – the very guests I don’t trust (no offense intended, guests ). On the surface that seems simple. I should just get another WiFi access point, connect it up to the “other” network I set up for my guests, give it another name and use a different WiFi channel, and they have access.
The problem is that as long as my “trusted” network has an open access point on it, there’s nothing to prevent those guests, who are a lot closer than a car in the driveway, from access either network – mine or theirs.
The simple solution is to enable WPA encryption on the access point connected to the network I want to protect, and require a password.
Quickly, and easily done. I had to visit each of the two laptops that we have online right now and reconnect to the now encrypted wireless, and all was well.
The nuances of security are sometimes easy to overlook. Keeping yourself safe from internet threats is certainly one thing we’re constantly being reminded of. But we also need to remember that sometimes the threats come from within.
4 comments on “How should I protect my network and computers from my guests?”
So you think you are OK because your property is 4 acres? Have I got news for you!
Maybe with 400 acres, you’d have a chance. Bottom line? Use all the security that’s within your financial capabilities and don’t do anything risky online.
I am with Leo in two network approach.
My suggestion is: Add a router with no wifi security to your main network (with wifi security enabled) for your guests and keep it out of your main network (in DMZ). When the guests are not around, you can even switch off this second router to prevent someone else using your connection resources, consuming bandwidth etc.
Alternatively keep your main router at the front end without security and keep your main network behind a second security enabled router. guests get connected through this main router straight out to the Internet and the second router will protect your main network. You won’t be able to switch this front end router off this this case.
The explanation that seems to be missing here is that with WPA on my BELKIN router, you are allowed to specify two passwords: one that allows full access to the protected network and another that allows guests to access only the internet connection (and not the protected network).
That way, I make the main password very difficult but can keep it static. The guest password I made simple, but can change anytime I suspect an intrusion onto my internet connection.
I got a strange call from my internet provider (the local phone company) accusing me of hooking up to a neighbor’s wireless connection. I don’t have a laptop and don’t subscribe to WiFi. The phone company said that doesn’t matter, a person could still get a wireless connnection. It made absolutely no sense to me; I was completely flabbergasted. Other neighors are on the wireless connection, but not me; I subscribe to high speed DSL through my phone’s modem. Can someone piggy back off my computer on a wireless connection even though I don’t subscribe to it? I am really paranoid now!