  1. #1
    Banned.

    Adding wireless to "part" of a network...

    I am considering adding a wireless router to our small network at work. It would be nice to have some portability with the laptops. My concern is that owners are old and paranoid and they will likely throw a fit thinking that somebody will "breach" our network.

    We are a small office which is a satellite office of our larger office. Our network is a small LAN that is not connected in any way to the main office. We have no highly sensitive info on our network other than maybe a client list.

    We really don't need file sharing on the wireless laptops it would mainly just be for internet connection. If they did need file transfers then we could plug them into the ethernet cable. So my question is...how can i hook the wireless router up so it will provide wireless to the laptops but not allow access to the rest of the LAN?

  2. #2
    Just a student norsehabanero's Avatar
    through the settings it can be done so that you only share what you want
    http://www.thebicyclingguitarist.net.../bios/bike.gif about to start winter quarter , enjoying school so far

  3. #3
    Banned.
    Quote Originally Posted by norsehabanero View Post
    through the settings it can be done so that you only share what you want
    Settings on what? Are you just talking about file sharing permissions?

  4. #4
    Senior Member
    MAC addressing and disable Broadcasting SSID.

  5. #5
    Just a student norsehabanero's Avatar
    i am not an expert but i think that is where. you should be able to choose what files and what you want to share whether it be files or just internet, either through network options or firewall options,
    double check with someone who is more familiar with that
    http://www.thebicyclingguitarist.net.../bios/bike.gif about to start winter quarter , enjoying school so far

  6. #6
    Banned.
    Quote Originally Posted by RadioFlyer View Post
    MAC addressing and disable Broadcasting SSID.
    Maybe i wasn't clear enough....I know how to secure a wireless network. I want to be able to set it up so the wireless part is exclusive of the rest of the LAN. The reason is that i know this is the ONLY way the owners will trust that it is secure.

  7. #7
    Senior Member
    Quote Originally Posted by Portis View Post
    Maybe i wasn't clear enough....I know how to secure a wireless network. I want to be able to set it up so the wireless part is exclusive of the rest of the LAN. The reason is that i know this is the ONLY way the owners will trust that it is secure.
    So you know what I said? But you don't know how to limit privileges and set up groups?

    If your bosses/owners are that paranoid, outsource it. Even if it's simple, they'll feel more comfortable having some so-called "expert" come in and do it.

  8. #8
    Wood Licker Maelstrom's Avatar
    Quote Originally Posted by Portis View Post
    Maybe i wasn't clear enough....I know how to secure a wireless network. I want to be able to set it up so the wireless part is exclusive of the rest of the LAN. The reason is that i know this is the ONLY way the owners will trust that it is secure.
    Does your AP support Vlans? That would be the easiest route.

  9. #9
    Direct Hit Not Required BlastRadius's Avatar
    Use WPA-PSK with AES (or TKIP) and make sure the passphrase is at least (more is better) 20 random characters long.
    You might want to use an obscure SSID as well, e.g. "BLUE", not "COMPANY XYZ".

    Disable SSID broadcasting but MAC address filtering is nearly useless as MAC addresses are easily forged.

    Do that and you can use the Wi-Fi router as your main Internet router without worry (as long as the "firewall" part of it is enabled).

    Anything else will require LAN segmentation and more complexity and maintenance overhead.

    Also, if the Windows built-in firewall isn't enabled on all your laptops, you should enable them too. Just make sure you enable permissions to your servers.

  10. #10
    Senior Member DannoXYZ's Avatar
    Quote Originally Posted by Portis View Post
    Quote Originally Posted by RadioFlyer
    MAC addressing and disable Broadcasting SSID.
    Maybe i wasn't clear enough....I know how to secure a wireless network. I want to be able to set it up so the wireless part is exclusive of the rest of the LAN. The reason is that i know this is the ONLY way the owners will trust that it is secure.
    Well, you really do want multiple layers of security. First step is physical layer-1 security with access only allowed to pre-programmed list of laptops. Add WPA+PSK encryption for security. Then you can have layer-2 security on the router by having the wireless network be on a different subnet. So if your existing network is on 192.168.0.x, put the wireless on 192.168.1.x. Then set up routing rules in the router on how you want traffic to flow between the two subnets.

    Question is... why have a wireless network be part of your existing network if it's completely isolated???
    Last edited by DannoXYZ; 11-07-07 at 03:34 PM.
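
The two-subnet layout from the post above (wired LAN on 192.168.0.x, wireless on 192.168.1.x), written out as an added example that is not part of any poster's message. It assumes a Linux-based router that uses iptables; the interface names eth0 (internet), br0 (wired LAN) and wlan0 (wireless) are assumptions. The first function prints a ruleset that gives wireless clients internet access only, and the second audits any ruleset for the property the owners care about: no forwarding path from wireless into the LAN.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a Linux-based router using
# iptables; interface names eth0/br0/wlan0 are assumptions. The subnets are
# the ones named in the post: wired 192.168.0.x, wireless 192.168.1.x.

# wifi_isolation_rules LAN_NET WLAN_NET WAN_IF LAN_IF WLAN_IF
# Prints an iptables-restore ruleset: wireless gets internet, never the LAN.
wifi_isolation_rules() {
    lan_net=$1; wlan_net=$2; wan_if=$3; lan_if=$4; wlan_if=$5
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Router itself: wired side may manage it; wireless gets DHCP and DNS only.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan_if -s $lan_net -j ACCEPT
-A INPUT -i $wlan_if -p udp --dport 67 -j ACCEPT
-A INPUT -i $wlan_if -s $wlan_net -p udp --dport 53 -j ACCEPT
-A INPUT -i $wlan_if -s $wlan_net -p tcp --dport 53 -j ACCEPT
# Forwarding: drop spoofed sources and wireless->LAN before any ACCEPT.
-A FORWARD -i $wlan_if ! -s $wlan_net -j DROP
-A FORWARD -i $wlan_if -d $lan_net -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan_if -s $lan_net -o $wan_if -j ACCEPT
-A FORWARD -i $wlan_if -s $wlan_net -o $wan_if -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $wan_if -j MASQUERADE
COMMIT
EOF
}

# audit_isolation WLAN_IF LAN_NET  (ruleset on stdin)
# Succeeds only if FORWARD defaults to DROP and an explicit wireless->LAN
# DROP comes before the first FORWARD ACCEPT (iptables is first-match-wins).
audit_isolation() {
    awk -v wif="$1" -v lan="$2" '
        $1 == ":FORWARD" { policy = $2 }
        $1 == "-A" && $2 == "FORWARD" {
            n++
            if ($0 ~ / -j ACCEPT$/ && !accept) accept = n
            if ($0 ~ / -j DROP$/ && !drop &&
                index($0, " -i " wif " ") && index($0, " -d " lan " "))
                drop = n
        }
        END { exit !(policy == "DROP" && drop && (!accept || drop < accept)) }
    '
}

# Print the ruleset for the thread's two subnets, then audit it.
rules=$(wifi_isolation_rules 192.168.0.0/24 192.168.1.0/24 eth0 br0 wlan0)
printf '%s\n' "$rules"
printf '%s\n' "$rules" | audit_isolation wlan0 192.168.0.0/24 &&
    echo "audit: no forwarding path from wlan0 into 192.168.0.0/24" >&2
```

Piping the output through `iptables-restore --test` parses the ruleset without loading it, which is a safe check before applying it on a router you administer remotely.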

  11. #11
    Crankenstein bmclaughlin807's Avatar
    Quote Originally Posted by RadioFlyer View Post
    MAC addressing and disable Broadcasting SSID.


    Yeah. That'll secure it.

    Hint: Neither of those provides any security AT ALL.
    "There is no greater wonder than the way the face and character of a woman fit so perfectly in a man's mind, and stay there, and he could never tell you why. It just seems it was the thing he most wanted." Robert Louis Stevenson

  12. #12
    Crankenstein bmclaughlin807's Avatar
    Quote Originally Posted by Portis View Post
    I am considering adding a wireless router to our small network at work. It would be nice to have some portability with the laptops. My concern is that owners are old and paranoid and they will likely throw a fit thinking that somebody will "breach" our network.

    We are a small office which is a satellite office of our larger office. Our network is a small LAN that is not connected in any way to the main office. We have no highly sensitive info on our network other than maybe a client list.

    We really don't need file sharing on the wireless laptops it would mainly just be for internet connection. If they did need file transfers then we could plug them into the ethernet cable. So my question is...how can i hook the wireless router up so it will provide wireless to the laptops but not allow access to the rest of the LAN?
    Portis:
    There are some routers out there that allow you to do this... some that require third party firmware. My Linksys routers will allow me to do this exact thing, but I had to install custom firmware on them to do it.

    It's a pretty advanced feature that you're NOT going to find in a low-end off the shelf router. You need a router that has VLAN capabilities to isolate sections... with the proper router, you can do it in a single router/Wireless access point.

    I'm not sure if there are any home or small office routers out there that have the ability to set up VLANs in the default firmware.
    Last edited by bmclaughlin807; 11-07-07 at 02:25 AM.
    "There is no greater wonder than the way the face and character of a woman fit so perfectly in a man's mind, and stay there, and he could never tell you why. It just seems it was the thing he most wanted." Robert Louis Stevenson

  13. #13
    Wood Licker Maelstrom's Avatar
    Quote Originally Posted by bmclaughlin807 View Post


    Yeah. That'll secure it.

    Hint: Neither of those provides any security AT ALL.
    I was waiting for someone to point that out. Those "security" features will simply stop the most rudimentary hacks. You should use these alongside a good encryption. As pointed out by bmz and danno (I hinted at it) you also want to create a distinct network (using vlan or router etc) and the most important part, use encryption. Those 4 parts will create a super secret secure network. Considering most home routers do not support vlan, it might have the ability to route. That might be the only option to keep it "separate"

  14. #14
    Portland Fred banerjek's Avatar
    Quote Originally Posted by Portis View Post
    I am considering adding a wireless router to our small network at work. It would be nice to have some portability with the laptops. My concern is that owners are old and paranoid and they will likely throw a fit thinking that somebody will "breach" our network.
    Just to make sure I understand, what is the idea -- you want laptops on the wireless network to have access to the internet, but not to your LAN, correct?

    If this is the case, the wireless router needs to be located outside your firewall and subject to the same rules as the rest of the internet. If there is no firewall, the owners shouldn't sweat this since they are already open to the internet.

    There are special wireless routers designed for the exact application you're asking about. There are multiple manufacturers, but my former employer used stuff from Sonicwall http://www.sonicwall.com/us/products/TZ_Series.html The units worked fine and are specifically designed to give people on a wireless network access to the internet, but not the local LAN.

    This encryption stuff people are referring to only prevents packet sniffers from intercepting radio signals. This threat tends to be overexaggerated in most environments as packet sniffers can't see what's inside communications that are already encrypted. In any case, if the laptop itself is regarded to be the threat, encrypting communications between it and the router has nothing to do with protecting your LAN.

  15. #15
    Portland Fred banerjek's Avatar
    Quote Originally Posted by Maelstrom View Post
    I was waiting for someone to point that out. Those "security" features will simply stop the most rudimentary hacks. You should use these alongside a good encryption. As pointed out by bmz and danno (I hinted at it) you also want to create a distinct network (using vlan or router etc) and the most important part, use encryption. Those 4 parts will create a super secret secure network. Considering most home routers do not support vlan, it might have the ability to route. That might be the only option to keep it "separate"
    'Course locks and windows and doors don't even keep out the most rudimentary attempts to keep burglars out. Very few homes or businesses couldn't easily be entered by total morons using simple tools such as crowbars, sawzalls, and sledge hammers in minutes if not seconds.

    The emphasis on robust encryption is misplaced -- it only prevents eavesdropping on insecure communications. Most applications that deal with sensitive information already use encryption, and you don't get any real benefit from encrypting an already encrypted channel. Has anyone here actually tried to reverse engineer proprietary bitstreams or read anything other than pretty straightforward protocols? It's actually somewhere between a PITA and impossible as a practical matter.

    Yes, you can spoof MAC addresses and do a bunch of other things. However, it's important not to get needlessly scared by the black helicopter types. The reality is that CIA spooks can eavesdrop on your conversations almost wherever you are and that mining data out of a communications stream takes more time, effort, knowledge, and systems resources than most people will admit.

  16. #16
    Banned.
    Quote Originally Posted by banerjek View Post
    Just to make sure I understand, what is the idea -- you want laptops on the wireless network to have access to the internet, but not to your LAN, correct?


    I guess the basic idea was to be able to say, "well there is no way that anyone could access any files on our network because the wireless side isn't even connected to it." With that said, we went ahead and just put in a wireless router and enabled WAP encryption. I also put a password on the router itself.

    Probably not the most secure, but like i still think it would be easier to gain access to our computers by smashing the front door glass. Even if someone could gain access to our network via radio, they aren't going to get much.

  17. #17
    Senior Member DannoXYZ's Avatar
    Quote Originally Posted by banerjek View Post
    If this is the case, the wireless router needs to be located outside your firewall and subject to the same rules as the rest of the internet. If there is no firewall, the owners shouldn't sweat this since they are already open to the internet.

    There are special wireless routers designed for the exact application you're asking about. There are multiple manufacturers, but my former employer used stuff from Sonicwall http://www.sonicwall.com/us/products/TZ_Series.html The units worked fine and are specifically designed to give people on a wireless network access to the internet, but not the local LAN.
    Most wireless routers nowadays have a DMZ-demilitarized zone, where you can place machines outside of the firewall to access the internet, yet they can't see into the LAN ports of the other computers. You can set up routing rules on how the two network segments can or can't access each other.

    As for encryption, yeah, the real people you have to worry about can already get at you no matter what you do. The ones you're really locking out are just neighborhood teenage punks trying to steal bandwidth for their p0rn downloads.

  18. #18
    Portland Fred banerjek's Avatar
    Quote Originally Posted by DannoXYZ View Post
    As for encryption, yeah, the real people you have to worry about can already get at you no matter what you do. The ones you're really locking out are just neighborhood teenage punks trying to steal bandwidth for their p0rn downloads.
    This is the main reason I run encryption on my own wireless network. That and I don't want to be helping anyone distribute warez, music, etc. Damn punks.

  19. #19
    RacingBear UmneyDurak's Avatar
    Just don't use WEP.
    I think linksys router with custom firmware will allow you to do it. Just place wireless connections on a separate subnet. Haven't played too much with it. I have Linksys WRT54GL, came highly recommended. Will be installing dd-wrt on to it. Improves capabilities 10 fold!
    Link to all the features it has: http://en.wikipedia.org/wiki/DD-WRT#Features
    I see hills.... Bring them on!!!
    Stay calm and bring a towel.

  20. #20
    RacingBear UmneyDurak's Avatar
    Quote Originally Posted by DannoXYZ View Post
    Most wireless routers nowadays have a DMZ-demilitarized zone, where you can place machines outside of the firewall to access the internet, yet they can't see into the LAN ports of the other computers. You can set up routing rules on how the two network segments can or can't access each other.

    As for encryption, yeah, the real people you have to worry about can already get at you no matter what you do. The ones you're really locking out are just neighborhood teenage punks trying to steal bandwidth for their p0rn downloads.
    Wait you mean you can do other stuff on this Internet thing other than downloading Porn? That's just crazy talk!
    I see hills.... Bring them on!!!
    Stay calm and bring a towel.

  21. #21
    Direct Hit Not Required BlastRadius's Avatar
    Quote Originally Posted by Portis View Post
    I guess the basic idea was to be able to say, "well there is no way that anyone could access any files on our network because the wireless side isn't even connected to it." With that said, we went ahead and just put in a wireless router and enabled WAP encryption. I also put a password on the router itself.

    Probably not the most secure, but like i still think it would be easier to gain access to our computers by smashing the front door glass. Even if someone could gain access to our network via radio, they aren't going to get much.
    What's WAP encryption? Use WPA-PSK (WPA-Radius would be ideal but I'm guessing you don't have a RADIUS server) and use a very long random character passphrase and you're good to go.

  22. #22
    Direct Hit Not Required BlastRadius's Avatar
    Quote Originally Posted by UmneyDurak View Post
    Wait you mean you can do other stuff on this Internet thing other than downloading Porn? That's just crazy talk!

  23. #23
    Banned.
    Quote Originally Posted by BlastRadius View Post
    What's WAP encryption? Use WPA-PSK (WPA-Radius would be ideal but I'm guessing you don't have a RADIUS server) and use a very long random character passphrase and you're good to go.
    That's what i meant.

  24. #24
    Senior Member
    Quote Originally Posted by bmclaughlin807 View Post


    Yeah. That'll secure it.

    hint: Neither of those provides any security AT ALL.
    If someone needs more 'security' than the basics for their COMPANY, they shouldn't screw around and they should hire someone that knows what they're doing.

  25. #25
    Crankenstein bmclaughlin807's Avatar
    It takes 30 seconds to download and install an app to monitor wireless access points... this app will show ALL access points, even those that have SSID broadcast disabled. There are many apps out there that will also show MAC addresses of client computers.

    Once you have a MAC address that works and the SSID, it takes 30 seconds to connect to that AP.

    My router has all the tools onboard to be able to connect to any access point that is 'protected' in such a way... would take 5 minutes, max (And that's only because I have to wait for the client computer to broadcast to see its MAC address).

    WEP encryption is weak... takes 30 minutes max for someone who wants in to figure out the keys and have access.

    WPA is more secure... IF you have a good key... it's vulnerable to dictionary attacks. With a long, complex key you can be sure that it will remain secure against intruders.

    Quote Originally Posted by banerjek View Post
    'Course locks and windows and doors don't even keep out the most rudimentary attempts to keep burglars out. Very few homes or businesses couldn't easily be entered by total morons using simple tools such as crowbars, sawzalls, and sledge hammers in minutes if not seconds.

    The emphasis on robust encryption is misplaced -- it only prevents eavesdropping on insecure communications. Most applications that deal with sensitive information already use encryption, and you don't get any real benefit from encrypting an already encrypted channel. Has anyone here actually tried to reverse engineer proprietary bitstreams or read anything other than pretty straightforward protocols? It's actually somewhere between a PITA and impossible as a practical matter.

    Yes, you can spoof MAC addresses and do a bunch of other things. However, it's important not to get needlessly scared by the black helicopter types. The reality is that CIA spooks can eavesdrop on your conversations almost wherever you are and that mining data out of a communications stream takes more time, effort, knowledge, and systems resources than most people will admit.
    I particularly like the bolded portion... Sure... don't worry, someone ELSE will protect your data. Just leave your wireless connection wide open.

    Oh, the FBI is looking for someone that downloaded kiddy porn off of YOUR internet connection? That's no problem... it will only take them a year or so to go through all your computer hardware with a fine tooth comb... and I'm sure they'll return everything to you in one piece when they're done with it.

    Oh... the RIAA is knocking your door wanting how many thousands of dollars because SOMEONE was using your connection to illegally share music? That's no problem... $50,000 for lawyers and I'm SURE you can prove your innocence and not have to pay them.
    "There is no greater wonder than the way the face and character of a woman fit so perfectly in a man's mind, and stay there, and he could never tell you why. It just seems it was the thing he most wanted." Robert Louis Stevenson
