Helping people with computers... one answer at a time.

Whenever you connect a computer you don't control to your home network you could be putting your computers at risk. I'll describe how I deal with it.

I noted in a previous article you mentioned that you set up a private network for a machine suspected of infection. Then later I saw that you mentioned you had enabled a separate private network for your guests, and had enabled wireless security on your own network.

Can you explain what you did, and why you didn't have wireless security on the whole time? I thought it was important?

Wireless security is important. But if you know what you're doing, it's not always necessary. You can choose to run without it, if you're fortunate enough to have other means of security in it's place.

My "other means of security"? A really long driveway.

Let me show you what changes I made, and explain why.

My home network has, until recently, been a very typical setup that I often recommend to my readers: a high speed always-on internet connection connects first to a router, and then all my computers are connected to that router, via a mix of wired and wireless connections.

Basic single-router home network

The fundamental assumption of this type of configuration is that all the computers on the inside or LAN (as opposed to WAN or internet side) of the router all trust each other and do not need to be protected from each other.

Clearly, bringing an infected machine into my home violates that assumption. But then again, so does having guests, whose computing habits I may not have faith in. If a well meaning guest brings with them an infected computer, that infection could easily and quickly spread to my other computers the moment they connect to my network.

A "second network", protected from the first, is called for.

I've actually discussed this scenario in a previous article, How do I protect users on my network from each other? and in a nutshell it means that each network needs to be behind its own router.

Securing local networks from each other

Each of the networks created behind each of the routers is distinct, isolated from, and cannot "see" the other networks. This is exactly the security I was looking for. (If your ISP will give you more than one IP address, as mine does, then you may not need the "internet sharing router" shown in this diagram, but could use a simple hub or switch instead.)

So we've set up two networks that share my internet connection, and are protected from each other. Except for wireless networking, we're good.

Wireless, however, adds another small layer of complexity.

First, a word about the lack of encryption on my WiFi here at home.

My reasons are simple: WiFi has an effective or useful range of maybe 300 feet (around 100 meters). I live on a 4+ acre parcel of property, and thus anyone wanting to actually sniff my network would be immediately and obviously visible to me. They'd literally have to drive up my driveway and sit in their car.

I'd notice.

The reason that things get complicated, is that I wanted to provide WiFi access for my guests - the very guests I don't trust (no offense intended, guests Smile). On the surface that seems simple. I should just get another WiFi access point, connect it up to the "other" network I set up for my guests, give it another name and use a different WiFi channel, and they have access.

The problem is that as long as my "trusted" network has an open access point on it, there's nothing to prevent those guests, who are a lot closer than a car in the driveway, from access either network - mine or theirs.

The simple solution is to enable WPA encryption on the access point connected to the network I want to protect, and require a password.

Quickly, and easily done. I had to visit each of the two laptops that we have online right now and reconnect to the now encrypted wireless, and all was well.

The nuances of security are sometimes easy to overlook. Keeping yourself safe from internet threats is certainly one thing we're constantly being reminded of. But we also need to remember that sometimes the threats come from within.

Article C3628 - January 20, 2009 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

4 Comments
arvin meyer
January 27, 2009 10:20 AM

So you think you are OK because your property is 4 acres? Have I got news for you!

http://www.turnpoint.net/wireless/cantennahowto.html

Maybe with 400 acres, you'd have a chance. Bottom line? Use all the security that's within your financial capabilities and don't do anything risky online.

Rahul Mehta
January 27, 2009 6:53 PM

I am with Leo in two network approach.

My suggestion is: Add a router with no wifi security to your main network (with wifi security enabled) for your guests and keep it out of your main network (in DMZ). When the guests are not around, you can even switch off this second router to prevent someone else using your connection resources, consuming bandwidth etc.

Alternatively keep your main router at the front end without security and keep your main network behind a second security enabled router. guests get connected through this main router straight out to the Internet and the second router will protect your main network. You won't be able to switch this front end router off this this case.

T Johnson
January 28, 2009 12:48 PM

The explanation that seems to be missing here is that with WPA on my BELKIN router, you are allowed to specify two passwords: one that allows full access to the protected network and another that allows guests to access only the internet connection (and not the protected network).

That way, I make the main password very difficult but can keep it static. The guest password I made simple, but can change anytime I suspect an intrusion onto my internet connection.

some goil
June 30, 2009 7:41 AM

I got a strange call from my internet provider (the local phone company) accusing me of hooking up to a neighbor's wireless connection. I don't have a laptop and don't subscribe to WiFi. The phone company said that doesn't matter, a person could still get a wireless connnection. It made absolutely no sense to me; I was completely flabbergasted. Other neighors are on the wireless connection, but not me; I subscribe to high speed DSL through my phone's modem. Can someone piggy back off my computer on a wireless connection even though I don't subscribe to it? I am really paranoid now!

Wireless isn't something you "subscribe" to. It's the WiFi connection used by your laptop and typically provided by your own wireless router or access point. If you don't have any wireless adapters or laptops and no wireless access point or router, then I have no idea what your ISP is talking about either.
- Leo
01-Jul-2009

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to http://askleo.com/ask to ask your question.