
How Do I Protect Myself from Other Computers on My Local Network?

We’re a family where the adults use the Internet for serious reasons but we can’t take a chance on having our children screw things up – intentionally or by accident. How should we set up our home network?

Normally, we think of threats as being “out there” on the internet. The problem is that sometimes the threat is nearby, right in our own home.

This article was originally titled “How Do I Protect Myself from My Children?” On reflection, though, it’s not just the kids you need to worry about; it’s just about any device you connect to your network: the computer your friends bring over, the “internet of things” enabled device you purchase, the smart TV … and yes, sometimes the computer belonging to a precocious child.

The good news is, you can protect yourself. You just have to look at your network a tad differently.


Who do you trust?

First, we need to group the computers in your home into distinct buckets:

  • Computers you trust. These are the computers you control, and can safely assume are being used by individuals who understand the basics of keeping a computer safe on the internet.
  • Computers you don’t trust. These are the computers used by people who are less computer savvy, don’t understand safety, and are likely to do things that they shouldn’t, resulting in frequent infections of malware.
  • Devices you’re unsure of. In recent years, more and more devices are getting connected to the internet to create the so-called “internet of things”. We’re coming to realize these devices are built with security as an afterthought, if at all.

To protect one bucket from the others, we somehow need to split the network, which might be easy if your router supports it, or slightly more difficult if not. On top of that we also need to talk about how the “Internet of Things” and software firewalls affect what we do.

Split the network using guest access

One approach is to carve your local network into two: a trusted and an untrusted network.

Routers protect you from the internet: the threats that are “out there”. A simpler way to think of it is this: one side of a router is trusted — the LAN (Local Area Network) into which you plug in your computers — and the other side, the WAN (Wide Area Network), or internet side, is not.

Trusted and Untrusted Sides of the Router

The router protects the trusted side from the untrusted side by preventing incoming connections: only connections that originate from the trusted side can be made across the router.[1] In other words, only information your computer asks for comes across the connection. Malicious attempts to get into your computer from out in the wilds of the internet are blocked.

Some modern consumer routers include what is called “guest access”. This creates two local networks isolated from one another.

Guest Network

Guest access protects the trusted side from the less-trusted, as no connections can be made between the two, while protecting them both from the internet.

Unfortunately, guest access is usually restricted to wireless connections. That means if you have a wired connection, like that of your kid’s computer in their bedroom, you may not have this option.

Split the network by getting a second IP

In the previous example, we set up two local networks isolated from one another by virtue of the split that happens at the router. This works well, as the router not only splits the network but allows you to share the single IP address assigned to you by your ISP.

Of course, with your ISP’s help, you can set up two actual, distinct networks.

Using two IP addresses

All you need from your ISP is two IP addresses on your single connection. This allows you to use a switch to physically split the connection, and permits each router to get its own distinct IP address. This sets up two completely separate networks, isolated from one another.

Unfortunately, being able to get multiple IP addresses on a consumer-grade internet connection is rare, and also likely to confuse your ISP salesperson.

You can accomplish the same thing without a switch (or the confusion) by purchasing two completely separate internet connections from your ISP, or two separate internet connections from two separate ISPs.

But that seems like overkill.

Split the network by using a second router

If your router doesn’t support guest networks, your ISP doesn’t support multiple IP addresses, and you don’t want to pay for a second separate internet connection, here is a way to jury-rig a solution using two routers.

Normally, we plug the WAN side of a router into the internet, but it actually doesn’t have to be that way. You can plug your router into another router.

Two Router network isolation

In this case, the internet feeds to router #1, which feeds the less-trusted guest or kids network. The WAN (or “internet”) side of router #2 is connected to the LAN side of router #1. Trusted computers are connected to router #2.

In this diagram, connections can only be established upwards, towards the internet. All the PCs in this diagram can connect to the internet. Connections cannot be established downward, meaning that everyone is protected from connections attempting to come in from the internet. More importantly, the less-trusted network cannot establish connections into the trusted one. (In theory, trusted PCs would be able to connect to less-trusted devices, but that’s generally impractical for a variety of reasons.)
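To make the “upwards only” rule concrete, here is an added Python model of the two-router layout; it is not from the article, the segment names, subnets and hosts are constructed, and it assumes each router is a plain stateful NAT box with no port forwarding configured. It also flags the common mistake of leaving both routers on the same factory-default subnet, and shows that two machines on the same segment can still reach each other, which is the gap the Firewalls section below addresses.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network

# Constructed model of the article's two-router layout: a connection may cross a
# router only from its LAN side to its WAN side (stateful NAT, no port forwards).
@dataclass(frozen=True)
class Router:
    name: str
    lan: str              # segment name on the protected (LAN) side
    wan: str              # segment name on the upstream (WAN) side
    lan_net: IPv4Network  # subnet the router hands out on its LAN

def upstream_path(segment, routers):
    """Segments reachable from `segment` by only ever crossing routers LAN -> WAN."""
    by_lan = {r.lan: r for r in routers}
    path = [segment]
    while segment in by_lan:
        segment = by_lan[segment].wan
        path.append(segment)
    return path

def can_connect(src_seg, dst_seg, routers):
    """True if a host on src_seg can initiate a connection to a host on dst_seg."""
    return dst_seg in upstream_path(src_seg, routers)

def subnet_conflicts(routers):
    """Names of routers whose LAN subnet overlaps the subnet their WAN port sits on,
    which is what two routers left at the same factory default end up doing."""
    by_lan = {r.lan: r for r in routers}
    return [r.name for r in routers
            if r.wan in by_lan and r.lan_net.overlaps(by_lan[r.wan].lan_net)]

# Topology from the article; the subnet values are constructed examples.
ROUTERS = [
    Router("router1", lan="kids_lan", wan="internet", lan_net=IPv4Network("192.168.1.0/24")),
    Router("router2", lan="trusted_lan", wan="kids_lan", lan_net=IPv4Network("192.168.2.0/24")),
]
HOSTS = {"kid_pc": "kids_lan", "smart_tv": "kids_lan",
         "parent_pc": "trusted_lan", "web_server": "internet"}

def reachability(hosts=HOSTS, routers=ROUTERS):
    """Which host can open a connection to which, as {(src, dst): allowed}."""
    return {(a, b): can_connect(hosts[a], hosts[b], routers)
            for a in hosts for b in hosts if a != b}

if __name__ == "__main__":
    for (a, b), ok in sorted(reachability().items()):
        print(f"{a:>10} -> {b:<10} {'allowed' if ok else 'blocked'}")
    print("subnet conflicts:", subnet_conflicts(ROUTERS))
```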

Internet of things

You wouldn’t expect your fridge or television set to be a security or privacy risk, but now it’s quite possible. Internet-connected appliances are becoming more and more popular, and unfortunately, security seems to be only an afterthought.

The good news is that we’ve yet to hear about IoT devices being used to attack other devices on local networks; to date, attacks have used them to cause trouble on the public internet. However, it’s easy to imagine future scenarios in which the threat may strike closer to home.

When it comes to internet connected devices:

  • Disconnect them from the internet if the functionality provided isn’t being used, or isn’t worth it. Most “smart TVs”, for example, continue to work just fine without being connected.
  • If they are going to be connected, consider treating them as the “less trusted” devices we’ve discussed above. Connect them to your guest network, for example.
  • If you must connect them to your trusted network, make sure the other devices sharing the network are appropriately protected.

In most cases, that “appropriate protection” takes the form of a firewall.

Firewalls

The computers and devices that share a network are not protected from each other. If your computers are all safely connected to a “trusted” network, they’re still vulnerable to each other. That network relies on trust, and if that trust is violated by accidentally installing malware, or doing something else risky, other computers on that network could be exposed.

That’s why almost all PCs now come with a built-in firewall, enabled by default. This provides important protection of each machine from everything else.

Firewall

Software firewalls, such as Windows’ own firewall, are good — and, indeed, they’ve become progressively better with each release of Windows — but they’re still not the same caliber as the natural firewall provided by a router; you need both.

Software firewalls are perfect for protecting your machines from one another, however.


Footnotes & references

[1] Even connections that look like they’ve been initiated by an external source (say a software update) are actually created by software on the PC reaching out to the remote server on the internet.

12 comments on “How Do I Protect Myself from Other Computers on My Local Network?”

  1. Protection against your children is more than just having routers to stop them (or malicious software they accidentally download) from accessing your computer. There are also other legal issues. My ex’s oldest liked surfing for porn and he couldn’t understand that if he went to the wrong site (e.g. child porn) he could get me into legal trouble by using my computer to surf. Most people don’t think of this. Even with what I did to lock down his account, he was still able to surf for porn at times…

  2. The suggestion given is for if you have more than one PC. But the better solution for guys like me who have only one PC would be to recommend some parental control software. I am a bit disappointed with Leo’s reply.

    Parental control software, which I’ve discussed in earlier articles, is intended to solve a different problem. This article specifically addresses the situation where you have multiple computers in the house, some of which you trust, others which you do not.

    – Leo
    23-Sep-2008
    • An issue with that parental control software has recently surfaced: it inspects traffic by «terminate, examine and forward».
      The problem is that the last part is almost always done incorrectly, negatively impacting the HTTPS protocol, using deficient encryption and certificate validation, as well as some other failings. This can prevent your browser from detecting that a certificate has been revoked or is invalid.
      Most anti-virus products also suffer from that problem. Microsoft, Apple, Mozilla, Google and others reported the issue about a year ago to the various anti-virus and monitoring companies, but there is still no corrective action taken.

  3. If you go back to the origin of the question, it was all about network protection, NOT website and surfing protection. Hence the LAN & WAN explanations… WELL illustrated, Leo.

  4. What do you do if you need to access shared files across the Parent – Children network? All my installation files for drivers/software are stored on my Windows share on my computer (Parents), but they need to be accessed by all the other computers for installing. The same goes for my media (music + anime) that is stored on the Parent computer’s Windows share.

    Is there a simple way to allow access to the Windows share only under router B (Parents’ router)? My internal network isn’t really set up for LAN safety, though I already do have 2 routers. I just have the LAN connected to one of the switch ports (LAN) of the 2nd router instead of using the WAN port. It would be nice to do so if I knew an easy solution for file sharing.

    Not really. In a sense, either you’re protected or you’re not. Opening up for file sharing breaks a hole in that protection. There are (somewhat complex) solutions, but by the time you put them in place you’re actually better off not having the additional router and using software firewalls everywhere instead. It’s not as bulletproof, and thus there is additional risk, but it’s also not as complex to share files.

    If you feel you need protection from your kids’ computer(s), I wouldn’t set up file sharing, but rather look at other alternatives like moving USB drives around (which has risk, as infections can travel) or burning stuff to DVDs.

    – Leo
    25-Sep-2008
  5. Might be worth doing an article on the benefits of using Linux for Internet/email/Office doc usage, Leo. IMHO, Ubuntu (and probably other flavors) is ready for prime time, and by adding ClamAV, you won’t pass on infected email attachments to hapless Windows users.

  6. What if the kids’ computer gets infected with spyware? Wouldn’t malware that is sophisticated enough be able to use ARP poisoning to route all your traffic (from both routers) through the infected machine and harvest sensitive information? It probably won’t compromise stuff like banking, which is encrypted, but it certainly could steal stuff like email passwords that are sent in the clear.

  7. I use this same configuration for my business clients to allow visitors (i.e. customers or sales reps) access to the Internet, while preventing access to their internal network. Also, some wireless routers now offer a “Guest Wireless” feature that allows access to the Internet, but isolates guests from the “private” network; an option if your kids’, or guests’, computers have WiFi.

  8. I am as naive as you get with tech, and have a BIG problem. I need to make sure everything I use is protected from others that may access the router, etc. My concern is I live with advanced techies. I’ve seen an Apple webkit (I have Android) on my device. I’m the only Android user in my home. My photos, notes etc. have shown up on my husband’s phone, as well as tracking me (I had ALL GPS OFF except 911).
    1. Can they pick up my phone signal & get into my phone? I know Google has been used to do that as well, and I constantly get alerts from Google & Samsung that my account was breached! Please help! I counsel abuse survivors and their security is of the utmost importance to me!
    2. I’ve thought of a device w/ a hotspot so I can use a printer & computer. Many women are in this situation; any SIMPLE advice would be appreciated.
    3. I don’t want a router hookup as they can reprogram it.
    4. Any software you recommend? Does a VPN help with 4G?
