Summary: It's common to have computers that are used for sensitive things sharing a network with less trustworthy users. Understanding protection is important.
We're a family where the adults use the Internet for serious reasons but we can't take a chance on having our children screw things up - intentionally or by accident. How should we set up our home network?
Normally, we think of threats as being "out there" on the internet. The problem is that not all of them are. As much as we might know and do to protect ourselves, sometimes the threat is nearby, right in our own home.
In the children's bedroom.
The good news is that you can protect yourself from the kids. You just have to look at your network a tad differently.
First we need to group the computers in your home into two distinct buckets:
Computers you trust. These are the computers you control and can safely assume are being used by individuals who understand the basics of keeping a computer safe on the internet.
Computers you don't trust. These are the computers that are being used by people who are less computer savvy, don't understand safety, and are likely to do things that they shouldn't, resulting in frequent infections of malware.
In a nutshell, each of these groups needs its own network.
I've talked a lot about routers and how they protect you from the internet; the threats "out there". A simpler way to think of it is this: one side of a router is trusted - the LAN side where you plug in your computers - and the other side, the WAN or internet side, is not. Normally, we plug that other side into the internet, but it doesn't have to be that way. You can use this concept to protect yourself from that other network in your own home as well.
Now, since we're going to assume that there's a group of computers we can actually trust (I'll call it the "parents" side) and a group we cannot (the "kids"), the risk we're looking at is one-sided. We need to protect the parents from the kids, but not the other way around.
That actually makes life a tiny bit easier.
I'm also going to assume that your ISP is only going to give you one IP address, as is typical.
You'll need two routers. Here's the configuration:

"Router A" protects everyone from the internet. The local side of router A, or the local network or LAN, connects to the kids' computers, and gives them internet connectivity, and if appropriate, connectivity to each other.
But from the parents' computer, Router A's LAN is not trustworthy. It may not have direct internet threats on it, but it does have threats - namely the kids. So we treat that as unsafe and use a second router to protect ourselves from that.
"Router B" protects the parents' computers from Router A's LAN. The kids' computers on router A have no way to independently connect to the computers hidden behind router B. That is the protection of a NAT router, and that's what's protecting the parents from the kids.
About the only recommended configuration change to the routers would be to have them assign IP addresses from different ranges. Perhaps one might assign from 192.168.0.X and the other 192.168.1.X.
In this scenario, the kids are not necessarily protected from the parents. In fact, with proper configuration, the parents' computers might well be able to connect to the kids' computers. (This can get complicated and can be fragile, so I'm not going to get into details here.) The important point to realize is that ultimately the protection is one-way in this configuration. Parents are protected from kids, kids are not protected from parents.
For absolute bi-directional safety, protecting both parents and kids from each other, you'll need three routers. You can see that scenario play out in "How do I protect users on my network from each other?"
Also note that computers that share a network are not necessarily protected from each other. The parents' computers, for example, are within a trusted network, and are not protected from each other.
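As an added illustration (not code from the original article), this Python sketch models the two-router layout described above and checks which side can open connections to the other. The router names, addresses and helper functions are assumptions made for the example; it also covers the case where the second router is cabled LAN-to-LAN, which leaves no NAT boundary between the two groups.

```python
import ipaddress

def net(cidr):
    return ipaddress.ip_network(cidr)

# Constructed topology (addresses are assumptions): Router A faces the internet,
# Router B's WAN port is plugged into Router A's LAN.
CASCADED = {
    "A": {"lan": net("192.168.0.0/24"), "uplink": None},  # kids; None = internet
    "B": {"lan": net("192.168.1.0/24"), "uplink": "A"},   # parents, behind A
}
# Contrast case: Router B cabled LAN-to-LAN acts as a switch, so every
# computer ends up on Router A's LAN and there is no NAT boundary between them.
FLAT = {"A": {"lan": net("192.168.0.0/24"), "uplink": None}}

def lan_of(ip, routers):
    """Name of the router whose LAN holds ip, or None for an internet host."""
    addr = ipaddress.ip_address(ip)
    for name, router in routers.items():
        if addr in router["lan"]:
            return name
    return None

def can_initiate(src, dst, routers):
    """True if src can open an unsolicited connection to dst.

    Model: traffic always passes LAN -> WAN (outbound NAT) and never passes
    WAN -> LAN unless it is a reply. No port forwarding is configured.
    """
    segment, target = lan_of(src, routers), lan_of(dst, routers)
    while segment != target:
        if segment is None:        # climbed to the internet without reaching dst
            return False
        segment = routers[segment]["uplink"]
    return True

def ranges_overlap(routers):
    """The article's one recommended change: the LANs must use different ranges."""
    nets = [r["lan"] for r in routers.values()]
    return any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])

if __name__ == "__main__":
    kid, parent, outside = "192.168.0.20", "192.168.1.10", "203.0.113.5"
    for s, d in [(kid, parent), (parent, kid), (outside, kid), (parent, outside)]:
        print(f"{s:>13} -> {d:<13} {can_initiate(s, d, CASCADED)}")
    print("flat kid -> parent:", can_initiate(kid, "192.168.0.50", FLAT))
```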
Finally, a comment I expect is that this is overkill, and why not just use a good software firewall on the parents' computers?
In my opinion, the protection of a NAT router is absolute. By definition, it prevents network-based threats from traveling from the untrusted side to the trusted side, simply by virtue of the fact that no computer on the untrusted side can connect to a computer on the trusted side. (Unless you explicitly configure the router to allow it, of course.) Software firewalls offer no significant additional protection for incoming connections, take up resources, and can themselves be compromised by malware.
A NAT router-based solution is inexpensive and effective.
Related:
How do I protect users on my network from each other? Be it tenants or children, it's common to have machines on your network that you can't trust. A secure solution involves setting up another network.
Is the WiFi connection provided by my landlord safe, and if not, how should I protect myself? Connectivity is becoming an added "perk" in some housing situations. Make sure you know the risks when someone else provides your internet connection.
Is an outbound firewall needed?
Article C3505 - September 18, 2008
Protection against your children is more than just having routers to stop them (or malicious software they accidentally download) from accessing your computer. There are also other legal issues. My ex's oldest liked surfing for porn and he couldn't understand that if he went to the wrong site (e.g. child porn) that he could get me into legal trouble using my computer to surf. Most people don't think of this. Even with what I did to lock down his account, he was still able to surf for porn at times...
Posted by: Pierre at September 23, 2008 8:23 AM
The suggestion given if you have more than one PC. But the better solution for guys like me who have only one PC will be to recommend some parental control software. I am a bit disappointed with Leo's reply.
23-Sep-2008
If you go back to the origin of the question, it was all about network protection, NOT website and surfing protection. Hence the LAN & WAN explanations... WELL illustrated, Leo.
Posted by: Painless at September 24, 2008 5:12 AM
I agree with Leo that this is a good thing to do and expanded on it a bit on my blog.
Posted by: Michael Horowitz at September 24, 2008 9:23 AM
A second router protects adults from kids
http://news.cnet.com/8301-13554_3-10049768-33.html
What do you do if you need to access shared files across the Parent - Children network? All my installation files for drivers/software are stored on my Windows share on my computer (Parents), but they need to be accessed by all the other computers for installing. The same goes for my media (music + anime) that is stored on the Parent computer's Windows share.
Is there a simple way to allow access to the Windows share only under router B (Parents router)? My internal network isn't really set up for LAN safety, though I already do have 2 routers. I just have the LAN connected to one of the switch ports (LAN) of the 2nd router instead of using the WAN port. It would be nice to do so if I knew an easy solution for file sharing.
If you feel you need protection from your kids' computer(s), I wouldn't set up file sharing, but rather look at other alternatives like moving USB drives around (which has risk, as infections can travel) or burning stuff to DVDs.
25-Sep-2008
Might be worth doing an article on the benefits of using Linux for Internet/email/Office doc usage, Leo. IMHO, Ubuntu (and probably other flavors) are ready for prime-time, and by adding ClamAV, you won't pass on infected email attachments to hapless Windows users.
Posted by: beecee at September 27, 2008 1:05 AM
Couldn't you accomplish the same thing by assigning static local IP addresses and using two different subnets?
Posted by: Norm at October 11, 2008 9:13 PM
What if the kids' computer gets infected with spyware? Wouldn't malware that is sophisticated enough be able to use ARP poisoning to route all your traffic (from both routers) through the infected machine and harvest sensitive information? Probably won't compromise stuff like banking which is encrypted, but certainly it could steal stuff like email passwords that are sent in the clear.
Posted by: jgoto at October 24, 2008 6:20 AM
Software is only part of the solution; education and involvement by the parent are the best parental controls.
Posted by: Gord at July 7, 2009 3:20 PM
I really benefited from very clear direction and tips at the new Save Your Daughters Program.

Posted by: David Schroeder at November 3, 2009 10:58 PM
I found it here: