Foo - Adding wireless to "part" of a network...

I am considering adding a wireless router to our small network at work. It would be nice to have some portability with the laptops. My concern is that owners are old and paranoid and they will likely throw a fit thinking that somebody will "breach" our network.
We are a small office which is a satellite office of our larger office. Our network is a small LAN that is not connected in any way to the main office. We have no highly sensitive info on our network other than maybe a client list.
We really don't need file sharing on the wireless laptops; it would mainly just be for internet connection. If they did need file transfers then we could plug them into the ethernet cable. So my question is...how can i hook the wireless router up so it will provide wireless to the laptops but not allow access to the rest of the LAN?
norsehabanero
11-06-07, 08:39 PM
through the settings it can be done so that you only share what you want
through the settings it can be done so that you only share what you want
Settings on what? Are you just talking about file sharing permissions?
RadioFlyer
11-06-07, 08:41 PM
MAC addressing and disable Broadcasting SSID.
norsehabanero
11-06-07, 08:46 PM
i am not an expert but i think that is where. you should be able to choose what files and what you want to share, whether it be files or just internet, either through network options or firewall options,
double check with someone who is more familiar with that
MAC addressing and disable Broadcasting SSID.
Maybe i wasn't clear enough....I know how to secure a wireless network. I want to be able to set it up so the wireless part is exclusive of the rest of the LAN. The reason is that i know this is the ONLY way the owners will trust that it is secure.
RadioFlyer
11-06-07, 08:54 PM
Maybe i wasn't clear enough....I know how to secure a wireless network. I want to be able to set it up so the wireless part is exclusive of the rest of the LAN. The reason is that i know this is the ONLY way the owners will trust that it is secure.
So you know what I said? But you don't know how to limit privileges and set up groups?
If your bosses/owners are that paranoid, outsource it. Even if it's simple, they'll feel more comfortable having some so-called "expert" come in and do it.
Maelstrom
11-06-07, 10:33 PM
Maybe i wasn't clear enough....I know how to secure a wireless network. I want to be able to set it up so the wireless part is exclusive of the rest of the LAN. The reason is that i know this is the ONLY way the owners will trust that it is secure.
Does your AP support Vlans? That would be the easiest route.
BlastRadius
11-06-07, 11:20 PM
Use WPA-PSK with AES (or TKIP) and make sure the passphrase is at least (more is better) 20 random characters long.
You might want to use an obscure SSID as well, e.g. "BLUE", not "COMPANY XYZ".
Disable SSID broadcasting but MAC address filtering is nearly useless as MAC addresses are easily forged.
Do that and you can use the Wi-Fi router as your main Internet router without worry (as long as the "firewall" part of it is enabled).
Anything else will require LAN segmentation and more complexity and maintenance overhead.
Also, if the Windows built-in firewall isn't enabled on all your laptops, you should enable them too. Just make sure you enable permissions to your servers.
DannoXYZ
11-07-07, 12:08 AM
MAC addressing and disable Broadcasting SSID.
Maybe i wasn't clear enough....I know how to secure a wireless network. I want to be able to set it up so the wireless part is exclusive of the rest of the LAN. The reason is that i know this is the ONLY way the owners will trust that it is secure.
Well, you really do want multiple layers of security. First step is physical layer-1 security with access only allowed to pre-programmed list of laptops. Add WPA+PSK encryption for security. Then you can have layer-2 security on the router by having the wireless network be on a different subnet. So if your existing network is on 192.168.0.x, put the wireless on 192.168.1.x. Then set up routing rules in the router on how you want traffic to flow between the two subnets.
Question is... why have a wireless network be part of your existing network if it's completely isolated???
bmclaughlin807
11-07-07, 01:09 AM
MAC addressing and disable Broadcasting SSID.
:roflmao:
Yeah. That'll secure it.
Hint: Neither of those provides any security AT ALL. ;)
bmclaughlin807
11-07-07, 01:12 AM
I am considering adding a wireless router to our small network at work. It would be nice to have some portability with the laptops. My concern is that owners are old and paranoid and they will likely throw a fit thinking that somebody will "breach" our network.
We are a small office which is a satellite office of our larger office. Our network is a small LAN that is not connected in any way to the main office. We have no highly sensitive info on our network other than maybe a client list.
We really don't need file sharing on the wireless laptops; it would mainly just be for internet connection. If they did need file transfers then we could plug them into the ethernet cable. So my question is...how can i hook the wireless router up so it will provide wireless to the laptops but not allow access to the rest of the LAN?
Portis:
There are some routers out there that allow you to do this... some that require third party firmware. My Linksys routers will allow me to do this exact thing, but I had to install custom firmware on them to do it.
It's a pretty advanced feature that you're NOT going to find in a low-end off the shelf router. You need a router that has VLAN capabilities to isolate sections... with the proper router, you can do it in a single router/Wireless access point.
I'm not sure if there are any home or small office routers out there that have the ability to set up VLANs in the default firmware.
Maelstrom
11-07-07, 11:40 AM
:roflmao:
Yeah. That'll secure it.
Hint: Neither of those provides any security AT ALL. ;)
I was waiting for someone to point that out. Those "security" features will simply stop the most rudimentary hacks. You should use these alongside a good encryption. As pointed out by bmz and danno (I hinted at it) you also want to create a distinct network (using vlan or router etc) and the most important part, use encryption. Those 4 parts will create a super secret secure network :D Considering most home routers do not support vlan, it might have the ability to route. That might be the only option to keep it "separate"
banerjek
11-07-07, 11:57 AM
I am considering adding a wireless router to our small network at work. It would be nice to have some portability with the laptops. My concern is that owners are old and paranoid and they will likely throw a fit thinking that somebody will "breach" our network.
Just to make sure I understand, what is the idea -- you want laptops on the wireless network to have access to the internet, but not to your LAN, correct?
If this is the case, the wireless router needs to be located outside your firewall and subject to the same rules as the rest of the internet. If there is no firewall, the owners shouldn't sweat this since they are already open to the internet.
There are special wireless routers designed for the exact application you're asking about. There are multiple manufacturers, but my former employer used stuff from Sonicwall http://www.sonicwall.com/us/products/TZ_Series.html The units worked fine and are specifically designed to give people on a wireless network access to the internet, but not the local LAN.
This encryption stuff people are referring to only prevents packet sniffers from intercepting radio signals. This threat tends to be an overexaggerated threat in most environments as packet sniffers can't see what's inside communications that are already encrypted. In any case, if the laptop itself is regarded to be the threat, encrypting communications between it and the router has nothing to do with protecting your LAN.
banerjek
11-07-07, 02:14 PM
I was waiting for someone to point that out. Those "security" features will simply stop the most rudimentary hacks. You should use these alongside a good encryption. As pointed out by bmz and danno (I hinted at it) you also want to create a distinct network (using vlan or router etc) and the most important part, use encryption. Those 4 parts will create a super secret secure network :D Considering most home routers do not support vlan, it might have the ability to route. That might be the only option to keep it "separate"
'Course locks and windows and doors don't even keep out the most rudimentary attempts to keep burglars out. Very few homes or businesses couldn't easily be entered by total morons using simple tools such as crowbars, sawzalls, and sledge hammers in minutes if not seconds.
The emphasis on robust encryption is misplaced -- it only prevents eavesdropping on insecure communications. Most applications that deal with sensitive information already use encryption, and you don't get any real benefit from encrypting an already encrypted channel. Has anyone here actually tried to reverse engineer proprietary bitstreams or read anything other than pretty straightforward protocols? It's actually somewhere between a PITA and impossible as a practical matter.
Yes, you can spoof MAC addresses and do a bunch of other things. However, it's important not to get needlessly scared by the black helicopter types. The reality is that CIA spooks can eavesdrop on your conversations almost wherever you are and that mining data out of a communications stream takes more time, effort, knowledge, and systems resources than most people will admit.
Just to make sure I understand, what is the idea -- you want laptops on the wireless network to have access to the internet, but not to your LAN, correct?
I guess the basic idea was to be able to say, "well there is no way that anyone could access any files on our network because the wireless side isn't even connected to it." With that said, we went ahead and just put in a wireless router and enabled WAP encryption. I also put a password on the router itself.
Probably not the most secure, but like i still think it would be easier to gain access to our computers by smashing the front door glass. Even if someone could gain access to our network via radio, they aren't going to get much.
DannoXYZ
11-07-07, 02:39 PM
If this is the case, the wireless router needs to be located outside your firewall and subject to the same rules as the rest of the internet. If there is no firewall, the owners shouldn't sweat this since they are already open to the internet.
There are special wireless routers designed for the exact application you're asking about. There are multiple manufacturers, but my former employer used stuff from Sonicwall http://www.sonicwall.com/us/products/TZ_Series.html The units worked fine and are specifically designed to give people on a wireless network access to the internet, but not the local LAN.
Most wireless routers nowadays have a DMZ-demilitarized zone, where you can place machines outside of the firewall to access the internet, yet they can't see into the LAN ports of the other computers. You can set up routing rules on how the two network segments can or can't access each other.
As for encryption, yeah, the real people you have to worry about can already get at you no matter what you do. The ones you're really locking out are just neighborhood teenage punks trying to steal bandwidth for their p0rn downloads.
banerjek
11-07-07, 02:47 PM
As for encryption, yeah, the real people you have to worry about can already get at you no matter what you do. The ones you're really locking out are just neighborhood teenage punks trying to steal bandwidth for their p0rn downloads.
This is the main reason I run encryption on my own wireless network. That and I don't want to be helping anyone distribute warez, music, etc. Damn punks.
UmneyDurak
11-07-07, 03:21 PM
Just don't use WEP. ;)
I think linksys router with custom firmware will allow you to do it. Just place wireless connections on a separate subnet. Haven't played too much with it. I have Linksys WRT54GL, came highly recommended. Will be installing dd-wrt on to it. Improves capabilities 10 fold!
Link to all the features it has: http://en.wikipedia.org/wiki/DD-WRT#Features
UmneyDurak
11-07-07, 03:23 PM
Most wireless routers nowadays have a DMZ-demilitarized zone, where you can place machines outside of the firewall to access the internet, yet they can't see into the LAN ports of the other computers. You can set up routing rules on how the two network segments can or can't access each other.
As for encryption, yeah, the real people you have to worry about can already get at you no matter what you do. The ones you're really locking out are just neighborhood teenage punks trying to steal bandwidth for their p0rn downloads.
Wait you mean you can do other stuff on this Internet thing other than downloading Porn? That's just crazy talk!
BlastRadius
11-07-07, 05:00 PM
I guess the basic idea was to be able to say, "well there is no way that anyone could access any files on our network because the wireless side isn't even connected to it." With that said, we went ahead and just put in a wireless router and enabled WAP encryption. I also put a password on the router itself.
Probably not the most secure, but like i still think it would be easier to gain access to our computers by smashing the front door glass. Even if someone could gain access to our network via radio, they aren't going to get much.
What's WAP encryption? Use WPA-PSK (WPA-Radius would be ideal but I'm guessing you don't have a RADIUS server) and use a very long random character passphrase and you're good to go.
BlastRadius
11-07-07, 05:03 PM
Wait you mean you can do other stuff on this Internet thing other than downloading Porn? That's just crazy talk!
:lol::roflmao::lol:
What's WAP encryption? Use WPA-PSK (WPA-Radius would be ideal but I'm guessing you don't have a RADIUS server) and use a very long random character passphrase and you're good to go.
That's what i meant.
RadioFlyer
11-07-07, 06:41 PM
:roflmao:
Yeah. That'll secure it.
hint: Neither of those provides any security AT ALL. ;)
If someone needs more 'security' than the basics for their COMPANY, they shouldn't screw around and they should hire someone that knows what they're doing.
bmclaughlin807
11-07-07, 09:19 PM
It takes 30 seconds to download and install an app to monitor wireless access points... this app will show ALL access points, even those that have SSID broadcast disabled. There are many apps out there that will also show MAC addresses of client computers.
Once you have a MAC address that works and the SSID, it takes 30 seconds to connect to that AP.
My router has all the tools onboard to be able to connect to any access point that is 'protected' in such a way... would take 5 minutes, max (And that's only because I have to wait for the client computer to broadcast to see its MAC address)
WEP encryption is weak... takes 30 minutes max for someone who wants in to figure out the keys and have access.
WPA is more secure... IF you have a good key... it's vulnerable to dictionary attacks. With a long, complex key you can be sure that it will remain secure against intruders.
'Course locks and windows and doors don't even keep out the most rudimentary attempts to keep burglars out. Very few homes or businesses couldn't easily be entered by total morons using simple tools such as crowbars, sawzalls, and sledge hammers in minutes if not seconds.
The emphasis on robust encryption is misplaced -- it only prevents eavesdropping on insecure communications. Most applications that deal with sensitive information already use encryption, and you don't get any real benefit from encrypting an already encrypted channel. Has anyone here actually tried to reverse engineer proprietary bitstreams or read anything other than pretty straightforward protocols? It's actually somewhere between a PITA and impossible as a practical matter.
Yes, you can spoof MAC addresses and do a bunch of other things. However, it's important not to get needlessly scared by the black helicopter types. The reality is that CIA spooks can eavesdrop on your conversations almost wherever you are and that mining data out of a communications stream takes more time, effort, knowledge, and systems resources than most people will admit.
I particularly like the bolded portion... Sure... don't worry, someone ELSE will protect your data. Just leave your wireless connection wide open.
Oh, the FBI is looking for someone that downloaded kiddy porn off of YOUR internet connection? That's no problem... it will only take them a year or so to go through all your computer hardware with a fine tooth comb... and I'm sure they'll return everything to you in one piece when they're done with it. ;)
Oh... the RIAA is knocking your door wanting how many thousands of dollars because SOMEONE was using your connection to illegally share music? That's no problem... $50,000 for lawyers and I'm SURE you can prove your innocence and not have to pay them. ;)
bmclaughlin807
11-07-07, 09:27 PM
There are several third party firmwares out there that can do what you want, Portis...
For linksys hardware there is: Openwrt, DD-wrt, and Sveasoft. It's been a while since I tried openwrt... it was NOT very friendly back then.
Sveasoft firmware is what I'm using on my routers... They have firmware for other companies' routers, as well.. Buffalo, Linksys, and some dlink and netgear as well. Fairly easy to use and has the features you need.
Otherwise go with one of the more advanced (and expensive) versions out there... you're looking at around $500 for a router with the capabilities you're looking for.
I personally like a dual layer approach that DannoXYZ suggests.
First is WPA-PSK (or using a RADIUS server), then have the laptop VPN into a machine/router. Of course, have the wireless segment configured to not allow anything past the router except 1723 for the VPN.
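Added example, not part of the thread or any poster's configuration: a dry-run shell script that prints iptables FORWARD rules for the separate-subnet layout DannoXYZ describes and the VPN-only exception in the post above. The use of iptables (as on Linux-based router firmware), the WAN interface name and the VPN host address are assumptions; the GRE rule is included because PPTP carries its tunnel data over IP protocol 47 alongside the TCP 1723 control channel.

```shell
#!/bin/sh
# Dry-run generator: prints iptables commands for review instead of applying
# them. Every value below is an assumption made for illustration.
WLAN_NET="192.168.1.0/24"  # wireless subnet, as in the thread's example
LAN_NET="192.168.0.0/24"   # wired LAN subnet, as in the thread's example
VPN_HOST="192.168.0.10"    # hypothetical PPTP endpoint on the wired LAN
WAN_IF="eth0"              # hypothetical WAN-facing interface name

# isolation_rules MODE
#   internet-only : wireless clients reach the internet, never the LAN
#   vpn           : same, plus PPTP from wireless clients to VPN_HOST
isolation_rules() {
    mode="$1"
    case "$mode" in
        internet-only|vpn) ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    # Let replies to already-permitted connections back through.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    if [ "$mode" = "vpn" ]; then
        # PPTP control channel (TCP 1723) and its GRE data channel (proto 47).
        echo "iptables -A FORWARD -s $WLAN_NET -d $VPN_HOST -p tcp --dport 1723 -j ACCEPT"
        echo "iptables -A FORWARD -s $WLAN_NET -d $VPN_HOST -p 47 -j ACCEPT"
    fi
    # iptables stops at the first matching rule, so the LAN drop has to come
    # after the VPN exception and before the general internet allow.
    echo "iptables -A FORWARD -s $WLAN_NET -d $LAN_NET -j DROP"
    echo "iptables -A FORWARD -s $WLAN_NET -o $WAN_IF -j ACCEPT"
    # Anything else originating on the wireless subnet is dropped.
    echo "iptables -A FORWARD -s $WLAN_NET -j DROP"
}

# rule_line RULES PATTERN
#   Prints the line number of the first rule containing PATTERN (empty if
#   none), which makes ordering mistakes easy to check before applying.
rule_line() {
    printf '%s\n' "$1" | grep -n -F -e "$2" | head -n 1 | cut -d: -f1
}

isolation_rules vpn
```

These rules only cover traffic forwarded between segments; access from wireless clients to the router's own admin interface is governed by the INPUT chain and needs its own rule.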