If you have a wireless network and your friend brings over his
computer, how do you let them on your network as a guest without giving
out your wireless encryption key?
Time for my most popular … no, my most common, answer:
It depends on how much you trust your friend.
And since you don’t want to share your wireless encryption key, I’m
going to assume that while you probably trust your friend to a point,
there’s clearly a limit.
If you trust someone completely, then when it comes to your home network you just give them the WPA encryption key. (As an aside: good for you for using an encryption key to keep your wireless connection safe.) (As a second aside: you’re not using WEP, right? That’s no longer secure; use WPA.)
Unfortunately most wireless equipment is set up to operate at either one extreme or the other: require an encryption key to connect, or let anyone connect. You don’t want to hand out your key, so your friend can’t connect that way, and you don’t want to reconfigure your wireless access point to remove all security, so you can’t allow him to connect that way either.
It’s not a simple problem to solve.
If you trust your friend “sort of” you could allow him to connect to your network via a wired cable. No encryption key is needed, and it’s likely you already have an open port on your router available. The risk is that he’s on your network at all. If you don’t have firewalls on all your machines (common, if you’re using a router as your single firewall for all) then his machine could carry malware that might travel to your machines, or he might even be able to poke around on your network in ways that you might not want him to.
Honestly, if there’s a question of trust at all, I don’t recommend it. There are just too many things that could go wrong.
So what do you do instead?
In a nutshell, “split” your internet connection using a hub or a switch (or a router) before it reaches your router, and put all of your equipment on one side protected behind your router, and then everyone else – your guest for example – on the other side:
This example above assumes that your ISP will give you more than one IP address – one for your router, and one for your guest. If that’s not the case you’ll need to replace the hub/switch in the example with another router.
Here’s the same setup, using wireless connections:
Here you can see that the router on the left, your existing router I might add, continues to use a WPA key for wireless encryption. The router on the right is dedicated to your guests use, and can either be a completely open (no encryption, no key needed) hotspot that anyone can connect to, or you can set it up to use a different WPA key that you don’t mind sharing with your guests.
Using this setup, the two separate networks are isolated from each other. Neither can “sniff” the other’s traffic, and neither can access the other’s machines.
For the record, this is what I have in my own home: a private wireless network secured by WPA, and then a separate guest network that is open to anyone within range.
And as a fairly interesting side note, we are starting to see equipment that effectively bundles the equivalent of two routers and wireless access points into a single box, for exactly this scenario.
Now, there’s one final gotcha, that is once again a matter of trust.
Remember that your guest is using your internet connection. If they happen to do something, say, illegal … it can be traced by law enforcement, and that trace would lead to you as the owner of that connection. I’m guessing at that point you’d have some explaining to do.
Choose your friends, and your guests, wisely.