Comments for How do I protect users on my network from each other?

Comment from John on 2008-06-04

2008-06-05T01:35:01Z

Thanks for everyone's comments about my previous post. After more thought, I realized that having all the computers connected to one router (without additional routers to protect each computer) is actually justified because that is no worse than everyone having their own DSL connection; whether their computers communicate across the intranet set up by the router, or whether they communicate across the internet via each having their own DSL connection, it is virtually the same thing. The only difference is when they are connected via the internet by DSL modems, they are not vulnerable to ARP poisoning intranet attacks that could happen on the router WLAN. So I don't think it is the landlord's responsibility to shield them from each other when it is the same thing if they have their own DSL connection. The tenents must be responsible for their own safety.

But I came across what may be a perfect solution for this scenario. I'm not sure which other routers have this option, but the Linksys WRT54G that I use has an advanced wireless setting called "AP isolation", that when turned on, prevents the computers on the WLAN from communicating with each other (while still allowing each of them to communicate with the router). That would isolate all the computers from each other and there would be no need to buy additional routers. What do you think, Leo? Seems like this is just the right solution for the scenario described in your article.

]]>

A comment on: How do I protect users on my network from each other?

Tech Questions? Get Answers! - Ask Leo! ... by Leo Notenboom
Leo's Answers Newsletter - Ask Leo! in your inbox every week.

Comment from Leo on 2008-05-10

2008-05-10T17:49:41Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Shreyas: please re-read my earlier response in comments to a
similar objection. This scenario is NOT your home. It's a
landlord or other situation where he has NO control over all
the computers involved. If everyone could be *guaranteed* to
install and use a software firewall, that would be a fine
approach. You simply *cannot* make that guarantee.

Thanks,

Leo

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFIJeAvCMEe9B/8oqERAqy1AJ9BRiS82LGjS7sWc2ZepQBAb4a9rgCggRm4
zgLL2Z2f37qh+3WU9DkJPbk=
=dWII
-----END PGP SIGNATURE-----

]]>

A comment on: How do I protect users on my network from each other?

Tech Questions? Get Answers! - Ask Leo! ... by Leo Notenboom
Leo's Answers Newsletter - Ask Leo! in your inbox every week.

Comment from Leo on 2008-05-10

2008-05-10T17:47:42Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Amjad: Turning off File and Printer Sharing is NOT secure.
Without a firewall you would still be at risk of malicious
attacks and vulnerabilities.

Thanks,

Leo

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFIJd+3CMEe9B/8oqERAj9FAJ0Rb0EsmiMsPMnrPtfUCzaBaFs+kwCeMzZs
V2QRknlcw3nk5e7xokzLpXE=
=uw3Y
-----END PGP SIGNATURE-----

]]>

A comment on: How do I protect users on my network from each other?

Tech Questions? Get Answers! - Ask Leo! ... by Leo Notenboom
Leo's Answers Newsletter - Ask Leo! in your inbox every week.

Comment from Shreyas on 2008-05-08

2008-05-08T14:23:20Z

Even I think this solution is an overkill, Leo. A good firewall software can keep you safe 99% of the time. Just for the rest 1%, why would you put so many more dollars in buying other routers?

And as you pointed out, this will interfere with p2p softwares, causing troubles. A good solution could be, know your tenants well!

Another thing we are forgetting here is that the second level routers need to have a 'wired' connection with the main router! In most cases, this won't be possible. I don't think any landlord should wire up his apartment just so that he can give a 100% internet security to his tenants.

The money equation just doesnt work here.

]]>

A comment on: How do I protect users on my network from each other?

Tech Questions? Get Answers! - Ask Leo! ... by Leo Notenboom
Leo's Answers Newsletter - Ask Leo! in your inbox every week.

Comment from Amjad Yusuf on 2008-05-07

2008-05-08T06:20:52Z

I don’t know why you guys are making short story too long. Simple solution for this scenario is just remove the tick mark ‘File And Printer Sharing For Microsoft Network’ under Local Area Connection Properties.And see, nobody can access your machine.

]]>

A comment on: How do I protect users on my network from each other?

Tech Questions? Get Answers! - Ask Leo! ... by Leo Notenboom
Leo's Answers Newsletter - Ask Leo! in your inbox every week.

Comment from Brent on 2008-05-07

2008-05-07T13:49:46Z

The fatal flaw in John's view is not taking into account the scope of things. As already pointed out, we are talking about a network with MANY users (ie tennant rooms) that we want to assume no level of trust among them.

The problem with software firewalls is that they can be disabled fairly easily, even accidentally by...shall we say "less than informed" computer users. So basically with a software firewall approach you can urge your tennants to use them but you can never be 100% sure they are using them and using them correctly.

So to sum up, Leo's multiple router approach is very good advice for the given situation.

]]>

A comment on: How do I protect users on my network from each other?

Tech Questions? Get Answers! - Ask Leo! ... by Leo Notenboom
Leo's Answers Newsletter - Ask Leo! in your inbox every week.

Comment from Leo on 2008-05-06

2008-05-06T21:32:37Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

As Jeffrey pointed out, I'm not suggesting this for a home
scenario, or for any scenario where you have control over
all the computers. This is specifically for distribution of
an internet connection to users/computers/whomever over
which you have little or no control.

In *some cases* it might be appropriate for the home:
particularly if you have children or house guests whose
usage you cannot trust.

But if you can trust all the computers behind your single
router, then absolutely a single router is the way to go.
It's how I run here.

But I'm no landlord :-).

Thanks,

Leo

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFIIM5uCMEe9B/8oqERAlITAKCMN52F6XhQb4WlwOOqJRBJPMku8ACdGGPB
mY9nKthb1ba9ka7D06FxUHM=
=NVC0
-----END PGP SIGNATURE-----

]]>

A comment on: How do I protect users on my network from each other?

Tech Questions? Get Answers! - Ask Leo! ... by Leo Notenboom
Leo's Answers Newsletter - Ask Leo! in your inbox every week.

Comment from jeffrey on 2008-05-06

2008-05-06T18:21:14Z

In regards to John's comment, that is correct if it were just 1 family and 1 person has control or access to all computers...but in a landlord tenant situation, where the landlord has tenants connecting and does not know, and may not be able to legally confirm if they have a firewall, the hardware solution appears to me to be the better one.

]]>

A comment on: How do I protect users on my network from each other?

Tech Questions? Get Answers! - Ask Leo! ... by Leo Notenboom
Leo's Answers Newsletter - Ask Leo! in your inbox every week.

Comment from John on 2008-05-06

2008-05-06T13:23:09Z

I really disagree with you on this one Leo. Buying an additional router for each connected computer is an extremely expensive solution when good firewall software will suffice and do exactly the same thing. Routers provide an incoming firewall by the intrinsic nature of using NAT (as you've pointed out in other articles), but you don't need to buy a router if all you need is a firewall--that can be accomplished with good firewall software, and some decent firewall programs are available even for free. Of course it could be argued that a hardware-based firewall could be considered more bullet-proof than software-based firewalls since they are virtually impervious to malware, but if you have good firewall software that hasn't been compromised by malware that all ready exists your computer, then a software-based fireall is JUST AS GOOD as being behind a router for all practical purposes.

How can you make your readers believe they need a router for every single computer on their LAN, in addition to their router that connects them to the internet? That is an extremely expensive solution that is unnecessary. Would you mind explaining why you think spending all that money on additional routers is justified over using good firewall software? I think protecting yourself with decent firewall software is adequate for 99.9% of the average computer users out there. I think you are way out-of-line on your advice this time, Leo.

]]>

A comment on: How do I protect users on my network from each other?

Tech Questions? Get Answers! - Ask Leo! ... by Leo Notenboom
Leo's Answers Newsletter - Ask Leo! in your inbox every week.

Comment from Mary on 2008-05-06

2008-05-06T11:53:10Z

Thanks for providing the diagrams. Makes it so much easier to understand the concepts behind NATting, double NATting, etc.

]]>

A comment on: How do I protect users on my network from each other?

Tech Questions? Get Answers! - Ask Leo! ... by Leo Notenboom
Leo's Answers Newsletter - Ask Leo! in your inbox every week.