I noted in a previous article you mentioned that you set up a
private network for a machine suspected of infection. Then later I saw
that you mentioned you had enabled a separate private network for your
guests, and had enabled wireless security on your own network.
Can you explain what you did, and why you didn’t have wireless
security on the whole time? I thought it was important?
Wireless security is important. But if you know what you’re doing,
it’s not always necessary. You can choose to run without it, if you’re
fortunate enough to have other means of security in its place.
My “other means of security”? A really long driveway.
Let me show you what changes I made, and explain why.
My home network has, until recently, been a very typical setup that I often recommend to my readers: a high speed always-on internet connection connects first to a router, and then all my computers are connected to that router, via a mix of wired and wireless connections.
The fundamental assumption of this type of configuration is that all the computers on the inside or LAN (as opposed to WAN or internet side) of the router all trust each other and do not need to be protected from each other.
Clearly, bringing an infected machine into my home violates that assumption. But then again, so does having guests, whose computing habits I may not have faith in. If a well meaning guest brings with them an infected computer, that infection could easily and quickly spread to my other computers the moment they connect to my network.
A “second network”, protected from the first, is called for.
I’ve actually discussed this scenario in a previous article, How do I protect users on my network from each other? and in a nutshell it means that each network needs to be behind its own router.
Each of the networks created behind each of the routers is distinct, isolated from, and cannot “see” the other networks. This is exactly the security I was looking for. (If your ISP will give you more than one IP address, as mine does, then you may not need the “internet sharing router” shown in this diagram, but could use a simple hub or switch instead.)
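To make the reachability argument concrete, here is an added example (not the article's own code) that models the two-router layout as consumer NAT routers: a host behind a router can open connections outward through every router above it, but nothing on a WAN side can initiate a connection into a LAN. The subnets and the 203.0.113.10 "internet" address are constructed placeholders.

```python
from ipaddress import ip_address, ip_network


class Router:
    """A consumer NAT router: LAN hosts may initiate connections out through
    the WAN port; unsolicited traffic arriving on the WAN port is dropped."""

    def __init__(self, name, lan, upstream=None):
        self.name = name
        self.lan = ip_network(lan)   # subnet on this router's LAN side
        self.upstream = upstream     # router whose LAN our WAN port sits on (None = ISP)

    def ancestors(self):
        """This router and every router between it and the internet."""
        r = self
        while r is not None:
            yield r
            r = r.upstream


def reachable(src, dst, topology):
    """Can a host on src's LAN open a connection to the address dst?

    A destination inside some router's LAN is reachable only if that router is
    src itself or one of its ancestors (the packet never has to enter a LAN
    from its WAN side).  Any address outside all known LANs is treated as the
    public internet, which every LAN can reach via NAT."""
    dst = ip_address(dst)
    owner = next((r for r in topology if dst in r.lan), None)
    if owner is None:
        return True
    return owner in src.ancestors()


# Constructed subnets for the layout described above: one internet-sharing
# router, with the trusted and guest routers each hanging off its LAN.
SHARING = Router("internet-sharing router", "192.168.1.0/24")
TRUSTED = Router("trusted router", "192.168.10.0/24", upstream=SHARING)
GUEST = Router("guest router", "192.168.20.0/24", upstream=SHARING)
TOPOLOGY = [SHARING, TRUSTED, GUEST]


def isolation_report():
    """Reachability of the interesting pairs; guests get out but not across."""
    return {
        "guest -> internet": reachable(GUEST, "203.0.113.10", TOPOLOGY),
        "guest -> trusted LAN": reachable(GUEST, "192.168.10.50", TOPOLOGY),
        "trusted -> guest LAN": reachable(TRUSTED, "192.168.20.50", TOPOLOGY),
        "trusted -> sharing LAN": reachable(TRUSTED, "192.168.1.1", TOPOLOGY),
    }
```

Replace the three routers with a single one and every LAN address becomes reachable from every host, which is the flat setup the article starts from.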
So we’ve set up two networks that share my internet connection, and are protected from each other. Except for wireless networking, we’re good.
Wireless, however, adds another small layer of complexity.
My reasons for running without wireless security were simple: WiFi has an effective or useful range of maybe 300 feet (around 100 meters). I live on a 4+ acre parcel of property, and thus anyone wanting to actually sniff my network would be immediately and obviously visible to me. They’d literally have to drive up my driveway and sit in their car.
The reason that things get complicated is that I wanted to provide WiFi access for my guests – the very guests I don’t trust (no offense intended, guests). On the surface that seems simple. I should just get another WiFi access point, connect it up to the “other” network I set up for my guests, give it another name and use a different WiFi channel, and they have access.
The problem is that as long as my “trusted” network has an open access point on it, there’s nothing to prevent those guests, who are a lot closer than a car in the driveway, from accessing either network – mine or theirs.
The simple solution is to enable WPA encryption on the access point connected to the network I want to protect, and require a password.
Quickly and easily done. I had to visit each of the two laptops that we have online right now and reconnect to the now-encrypted wireless network, and all was well.
The nuances of security are sometimes easy to overlook. Keeping yourself safe from internet threats is certainly one thing we’re constantly being reminded of. But we also need to remember that sometimes the threats come from within.