How do I protect users on my network from each other?

Home » Networking » Small Business and Home Networking

Summary: Be it tenants or children, it's common to have machines on your network that you can't trust. A secure solution involves setting up another network.

There are a few issues here, some of which are common and have standard solutions, which it sounds like you've already implemented.

However protecting you from your tenant, your tenant from you, and for that matter all your tenants from each other gets ... well, things get interesting.

•

Let's start with what you're already doing correctly: password protecting the wireless connection. As long as that router is configured to use WPA encryption and not WEP, that should prevent random people from connecting to your network when they are in range.

Make sure also that you change the administrative password on the router itself. The defaults are well known, and if you don't change it any of your tenants could gain administrative access to the router and do all sorts of nasty things with it.

Finally, as to those other 8 wireless networks that appear in range: just don't connect to them.

Now, let's look at protecting you and your tenants.

•

First, let's diagram what you've described:

In fact, I'll expand that a little to a more general case:

As you can see, the internet comes into the router, where it's then shared with both your computer via a hardwired connection, and with one or more tenant computers over wireless.

This is a perfectly acceptable solution to sharing an internet connection, and is an extremely common configuration in homes and offices.

The problem is simply this: it assumes that everything on the local network is trustworthy.

To put it simply, a router used in this fashion protects one side, the local network, from the other side, the internet. It does not provide any protection between equipment on the same side. By that I mean that the router does not protect machines on the local network from each other. It assumes that they can all be completely trusted.

In your case, that's a bad assumption. Tenant A's computer could, for example, become infected with a virus that could then migrate to Tenant B's computer or to yours. Or, even more worrisome, they could actually purposely attempt to perform a malicious act.

Any time you have a collection of computers that share an internet connection but can still not be trusted, you need to take extra steps. And by "not trusted" I mean things like being operated by tenants whose activities or expertise you have no knowledge of, or even your own children whose inexperience you're all too well aware of. You need to protect yourself in either case.

In a case like this the assumption you need to make is very simple: assume your computer is connected directly to the internet, and take appropriate steps. Even though you're connected behind a router, assume the worst and pretend you're not.

That means either making sure that everyone has appropriate firewall and other security software installed on all machines, or devising a hardware based solution.

And what's my first reaction when I hear that someone is connected directly to the internet?

Install a router.

Or, in this case, install another router.

There are two approaches, depending on what kind of internet connectivity you've been given by your ISP.

•

Approach One: Your ISP will give you more than one IP address.

In this case we use a hub (or a switch) to "split" the internet in two before attaching a router.

In this configuration you have completely isolated yourself from your tenants. Their machines can't see your machines, and vice versa. You're totally protected from anything that they might try to do.

But note that by putting all the tenants behind a single router, they are once again unprotected from each other. A more complete solution might be something like this:

Here we've installed a router for each tenant. What this does is create a private and protected network for each tenant, completely isolated from each other. Each wireless network would have its own unique ID and password, shared only with the tenant that is supposed to be using it.

Personally, that's a little over the top (though you'd be considered a great landlord for providing this level of connectivity). A much more common approach is to provide a "naked" wired connection to each tenant, and let them install their own router as needed. The diagram is identical to the previous one, the only difference is in where the router might be physically located, and who actually provides it.

All of the preceding assumes that your ISP will hand out more than one IP address. The result is that each router is granted it's own, unique IP address on the internet.

The following scenario is actually slightly more common.

Approach Two: Your ISP will give you only one IP address.

In a nutshell, the approach here is to replace the hub that's been "splitting" the internet with another router.

The function of what I've labeled the "Internet Sharing Router" is simply that: to share the internet connection and the single IP address that your location has been given. Each of the next level routers get a unique local IP address on the tiny local network that exists only between the routers. Each of those second level routers then creates a unique, and once again private and protected, local area network for the machines connected to it.

It's tempting to think that all these routers are not needed - that it's overkill - but that's simply not true, from either a functional, or a security perspective:

• Remove the "Internet Sharing Router", and all but one of the other routers will likely stop working, or connectivity will become intermittent and unpredictable. Because your ISP is handing out only one IP address, only one device can be connected directly to the internet. This router is required to share that single IP between multiple devices.

• Remove any one of the second level routers, and the machines that were behind it could be exposed to malware originating on any of the other network segments.

• Remove two or more of the second level routers, and the machines that were behind them are now completely exposed to each other.

All this security comes at a price. What we've created results in something called "double NATting" where the path from any one computer to the internet traverses two NAT routers. That can interfere with some communications protocols, mostly peer-to-peer services. "Port forwarding" becomes, if not a nightmare at least a very bad dream, as ports would now have to be forwarded at two routers: first at the sharing router, and then again at the local second level router.

But for basic operations like the web and email, this scenario works, and works quite well.

•

Other Solutions

There are other solutions, but I focus on the two presented here as perhaps the most inexpensive and conceptually simple of the lot.

There are higher-end routers that can actually do everything the collection of hubs and routers above do, in a single device. They can be extensively configured to share a single IP address (without double NATting), and protect sub-networks connected to the router from each other. In fact, this is what you'll usually see in larger installations and corporations. The downside to this approach is simply cost and complexity. Purchasing, connecting and configuring consumer-grade hubs, switches and routers is well within the means of most average computer users. The same is decidedly not true for the higher-end solutions, where you really do want a professional to install and maintain the networking equipment.

Related:

• Ask Leo! - How should I set up my home network?

• Ask Leo! - What's the difference between a Hub, a Switch and a Router?

• Ask Leo! - How should I protect myself from other computers sharing my internet connection?