
It's common to have computers that are used for sensitive things sharing a network with less trustworthy users. Understanding how to isolate the sensitive machines from the rest is important.

We're a family where the adults use the Internet for serious reasons but we can't take a chance on having our children screw things up - intentionally or by accident. How should we set up our home network?

Normally, we think of threats as being "out there" on the internet. The problem is that not all of them are. As much as we might know and do to protect ourselves, sometimes the threat is nearby, right in our own home.

In the children's bedroom.

The good news is that you can protect yourself from the kids. You just have to look at your network a tad differently.

First we need to group the computers in your home into two distinct buckets:

  • Computers you trust. These are the computers you control and can safely assume are being used by individuals who understand the basics of keeping a computer safe on the internet.

  • Computers you don't trust. These are the computers used by people who are less computer savvy, don't understand safety, and are likely to do things they shouldn't, resulting in frequent malware infections.


In a nutshell, each of these groups needs their own network.

I've talked a lot about routers and how they protect you from the internet; the threats "out there". A simpler way to think of it is this: one side of a router is trusted - the local LAN side where you plug in your computers - and the other side, the WAN or internet side, is not. Normally, we plug that other side into the internet, but it doesn't have to be that way. You can use the same concept to protect yourself from another network in your own home.

Now, since we're going to assume that there's a group of computers we can actually trust (I'll call it the "parents" side) and a group we cannot (the "kids"), the risk we're looking at is one-sided. We need to protect the parents from the kids, but not the other way around.

That actually makes life a tiny bit easier.

I'm also going to assume that your ISP is only going to give you one IP address, as is typical.

You'll need two routers. Here's the configuration:

[Figure: Router Setup for Parents Protecting Themselves from the Kids]

"Router A" protects everyone from the internet. The local (LAN) side of Router A connects to the kids' computers and gives them internet connectivity and, if appropriate, connectivity to each other.

But from the parents' computers, Router A's LAN is not trustworthy. It may not have direct internet threats on it, but it does have threats - namely the kids. So we treat it as unsafe and use a second router to protect ourselves from it.

"Router B" protects the parents' computers from Router A's LAN. Router B's WAN port plugs into one of Router A's LAN ports, so as far as Router A is concerned, Router B is just another device on the kids' network. The kids' computers on Router A have no way to independently connect to the computers hidden behind Router B. That is the protection of a NAT router, and that's what's protecting the parents from the kids.

About the only configuration change the routers need is to hand out IP addresses from different ranges: Router A might assign from 192.168.0.x and Router B from 192.168.1.x. If both are left at the same factory default range, Router B can't tell its LAN side from its WAN side and traffic won't route properly. Two more things are worth checking on Router B. First, make sure administration from its WAN side (often called "remote management") is disabled, because that side now faces the kids' network rather than the internet. Second, remember that Router B's WAN port shares a network segment with the kids' machines, so a compromised machine there can still tamper with traffic crossing that segment (by ARP spoofing Router A's address, for example). The NAT boundary stops the kids from reaching in; it does not make the wire Router B's outside shares with them trustworthy, so the parents' sensitive traffic should be encrypted end to end regardless.

In this scenario, the kids are not necessarily protected from the parents. In fact, with proper configuration, the parents' computers might well be able to connect to the kids' computers. (This can get complicated and can be fragile, so I'm not going to get into details here.) The important point to realize is that the protection in this configuration is one-way: parents are protected from kids, kids are not protected from parents.

For absolute bi-directional safety, protecting both parents and kids from each other, you'll need three routers. You can see that scenario play out in How do I protect users on my network from each other?.

Also note that computers that share a network are not necessarily protected from each other. The parents' computers, for example, are within a trusted network, and are not protected from each other.

Finally, a comment I expect is that this is overkill, and why not just use a good software firewall on the parents' computers?

In my opinion, the protection of a NAT router is absolute. By definition, it prevents network based threats from traveling from the untrusted side to the trusted side, simply by virtue of the fact that no computer on the untrusted side can connect to a computer on the trusted side. (Unless you explicitly configure the router to allow it, of course.) Software firewalls offer no significant additional protection for incoming connections, take up resources, and can themselves be compromised by malware.

A NAT router based solution is inexpensive, and effective.
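To make concrete why the kids' machines "have no way to independently connect" through Router B, and why the port-forwarding exception mentioned above punches a hole in that guarantee, here is a small Python model of a stateful NAT router. This is an added example, not code from the article or from any router vendor: it models Router B with its WAN port on Router A's 192.168.0.x network and its own LAN on 192.168.1.x, as suggested above. The specific addresses (Router B's WAN address 192.168.0.2, a kids' machine at 192.168.0.50, a parents' machine at 192.168.1.10) and all port numbers are assumptions made up for the illustration.

```python
"""Toy stateful NAT router, modelling Router B from the article.

Added example; not the article's or any vendor's code. Addresses and
ports below are assumptions chosen to fit the article's two ranges.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Only flows started from the LAN side get a translation-table entry;
    a WAN-side packet is delivered only if it matches one (or an explicit
    port forward). Everything else from the WAN side is dropped."""

    def __init__(self, wan_ip: str, lan_prefix: str, first_port: int = 1024):
        self.wan_ip = wan_ip
        self.lan_prefix = lan_prefix  # e.g. "192.168.1."
        self._next_port = first_port
        # external port -> (lan_ip, lan_port, remote_ip, remote_port)
        self.table: dict[int, tuple[str, int, str, int]] = {}
        # explicit exceptions: external port -> (lan_ip, lan_port)
        self.forwards: dict[int, tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: allocate an external port, remember the flow, rewrite the source."""
        if not pkt.src_ip.startswith(self.lan_prefix):
            raise ValueError("outbound() only accepts packets from the LAN side")
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for ext, known in self.table.items():
            if known == flow:  # existing flow reuses its external port
                return Packet(self.wan_ip, ext, pkt.dst_ip, pkt.dst_port)
        ext = self._next_port
        self._next_port += 1
        self.table[ext] = flow
        return Packet(self.wan_ip, ext, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: deliver replies to known flows or explicit forwards; drop the rest."""
        if pkt.dst_ip != self.wan_ip:
            return None  # LAN addresses behind the router are simply unreachable from outside
        entry = self.table.get(pkt.dst_port)
        if entry is not None:
            lan_ip, lan_port, remote_ip, remote_port = entry
            if (pkt.src_ip, pkt.src_port) == (remote_ip, remote_port):
                return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
            return None  # right port, wrong peer: not the reply this flow is waiting for
        fwd = self.forwards.get(pkt.dst_port)
        if fwd is not None:
            return Packet(pkt.src_ip, pkt.src_port, fwd[0], fwd[1])
        return None  # unsolicited connection attempt: dropped

    def port_forward(self, ext_port: int, lan_ip: str, lan_port: int) -> None:
        """The explicit exception: expose a LAN service on the WAN side."""
        self.forwards[ext_port] = (lan_ip, lan_port)


def run_scenario() -> dict:
    # Router B's WAN port is a host on Router A's LAN (192.168.0.x, the kids'
    # side); Router B's own LAN is 192.168.1.x (the parents' side).
    router_b = NatRouter(wan_ip="192.168.0.2", lan_prefix="192.168.1.")
    parent, kid, other_kid = "192.168.1.10", "192.168.0.50", "192.168.0.51"
    results = {}

    # 1. Parent connects out to a kid's machine: allowed, and the reply comes back.
    out = router_b.outbound(Packet(parent, 40000, kid, 80))
    reply = router_b.inbound(Packet(kid, 80, out.src_ip, out.src_port))
    results["parent_to_kid_reply_delivered"] = reply is not None and reply.dst_ip == parent

    # 2. Kid addresses the parent's machine directly: no route, dropped.
    results["kid_direct_to_parent"] = router_b.inbound(Packet(kid, 5555, parent, 445))

    # 3. Kid scans Router B's WAN address: no table entry, dropped.
    results["kid_scan_router_b"] = router_b.inbound(Packet(kid, 5556, router_b.wan_ip, 445))

    # 4. Another kids' host forges a "reply" into the parent's open flow: wrong peer, dropped.
    results["forged_reply"] = router_b.inbound(Packet(other_kid, 80, out.src_ip, out.src_port))

    # 5. After an explicit port forward, the same unsolicited traffic gets through.
    router_b.port_forward(3389, parent, 3389)
    fwd = router_b.inbound(Packet(kid, 5557, router_b.wan_ip, 3389))
    results["after_port_forward"] = fwd is not None and fwd.dst_ip == parent
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {'delivered' if outcome else 'dropped'}")
```

Real consumer routers differ in how strictly they match the peer on an inbound packet (case 4), and none of this covers traffic the parents' machines initiate themselves or traffic tampered with on the segment Router B's WAN port shares with the kids; the model shows only the inbound barrier the article relies on.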

Article C3505 - September 18, 2008

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18-year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


12 Comments
beecee
September 27, 2008 1:05 AM

Might be worth doing an article on the benefits of using Linux for Internet/email/Office doc usage, Leo. IMHO, Ubuntu (and probably other flavors) are ready for prime time, and by adding ClamAV, you won't pass on infected email attachments to hapless Windows users.

Norm
October 11, 2008 9:13 PM

Couldn't you accomplish the same thing by assigning static local IP addresses and using two different subnets?

jgoto
October 24, 2008 6:20 AM

What if the kids' computer gets infected with spyware? Wouldn't malware that is sophisticated enough be able to use ARP poisoning to route all your traffic (from both routers) through the infected machine and harvest sensitive information? It probably won't compromise stuff like banking, which is encrypted, but it certainly could steal stuff like email passwords that are sent in the clear.

Len Schaffner
September 27, 2011 11:08 AM

Use the software that public libraries use, i.e. DeepFreeze. Kids can do anything on the one and only computer. After the computer is rebooted, the computer returns to the original configuration. Nothing is saved from the previous session. There are several versions of DeepFreeze by Faronics.com. Choose the one that is best for your needs.

Bubba
September 27, 2011 5:59 PM

I use this same configuration for my business clients to allow visitors (i.e. customers or sales reps) access to the Internet while preventing access to their internal network. Also, some wireless routers now offer a "Guest Wireless" feature that allows access to the Internet but isolates guests from the "private" network; an option if your kids', or guests', computers have WiFi.