
Business Phone Systems

#264505 10/09/09 03:15 AM
Joined: Oct 2007
Posts: 289
sph Offline
Member
I should also add, if this is a business setup people should get the appropriate hardware. Risking your reputation and potential customers because you have $$$$$$$ worth of business info pass through a $60 router just doesn't make sense.


#264506 10/09/09 08:07 AM
Joined: Mar 2005
Posts: 588
Moderator-Mobil Phones, Computers
Offline
Oooops.

SPH, I don’t see how you figure that the renter can be held responsible? By renting internet access the customer is acting as an ISP of sorts. So you think that it is the ISP's responsibility to protect the renter's network from attack? This logic would make Cox, ATT, Verizon, and every other ISP in the world responsible for keeping viruses and other malicious sorts out of the customer's computers. With most public internet access there is some sort of disclaimer making the user aware that this is an unsecure public network and the owner is not responsible for any damages. Technically, the routers are using dynamic routes and not static routes. If he were to add a route entry in the route tables then that would be a static route. Lastly you criticize this setup for security reasons but then you add that he should open the wired router up for administration from the WAN side? This is definitely a bad idea here. Because this is a business they require an expensive router? I'm not following the logic here. Not every business needs a full-featured expensive router to conduct their business. There are tons of different ways to configure this and tons of money that can be spent doing it. The two router solution is quick, simple, and easy. The customer would have a standard Terms of Usage disclaimer and away we go.

#264507 10/09/09 09:21 AM
Joined: Oct 2005
Posts: 4,685
Likes: 4
Member
OP Offline
sph, your logic is unsound.

When I walk into a WiFi zone like Starbucks, I have no idea who else is on the subnet. It is up to me to secure my connection, not the other way around. A disclaimer posted on the wall would suffice since the WiFi in the board room is not restricted to the room and could be accessed by anyone near enough to the transceiver. I doubt your logic would not hold water in a court of law. It would be like saying if I accessed my neighbor's wireless connection because he was too stupid to secure it, I could sue him if I downloaded a virus.

Also the need for an expensive sophisticated router for a 4 person office is bull-hockey. Many businesses run on "consumer grade" routers and switches without any issue of reliability. The weakest link I have ever seen is the public connection.


Marv CCNA, CTUB
TeleMarv Services (Retired)
Providing telecommunication solutions in Ottawa Canada since 1990
#264508 10/10/09 02:50 AM
Joined: Sep 2006
Posts: 149
Member
Offline
Quote
Also the need for an expensive sophisticated router for a 4 person office is bull-hockey. Many businesses run on "consumer grade" routers and switches without any issue of reliability.
The el-cheapo router couldn't do what you wanted it to do. Wonder why?

By the way, a used Cisco is hardly expensive, but it is sophisticated. Worse yet, it has no web interface.

#264509 10/10/09 02:52 AM
Joined: Sep 2006
Posts: 149
Member
Offline
A dual-router is a kludge, by the way. It works, but it's a kludge, and every CG that sees it will know that a TG set it up.

#264510 10/10/09 04:43 AM
Joined: Oct 2007
Posts: 289
sph Offline
Member
I just think that the hardware should suit the task.
Low end home routers were not designed to provide public access, period. It's not the right tool for the job.
Secondly, the size of the business is secondary. The quality of the hardware should be proportional to the value you attach to the information handled by the device. Are you accepting/making payments to customers electronically? Do you do online banking for your business? Do you send/receive sensitive or important emails? Is public access a sales tool for your product? Imo, in these and other cases a "home" setup won't do. Just because you have law enforcement in your town doesn't mean it's wise to leave the front door unlocked.
We're not talking of spending $1000+ on a Cisco router. For $200-$300 you CAN get a router that can do these 2 things:

1. Keep the wired and wireless segments separate. Usually by having a pre-configured firewall between the two. Wireless devices with the proper credentials can bypass the firewall through a VPN connection to the wired segment.
2. Disallow station-to-station access. That is, different wireless devices on the same WLAN cannot talk to each other unless you expressly allow it.

In all public access setups I was involved with, the above 2 rules are no-brainers. I would be very surprised if ANY public access scheme (including your favorite Starbucks) does things differently. In addition, you have the usual disclaimers that warn about the inherent increased relative insecurity of any wireless access.
But it is important to know what can stand up to these disclaimers and what the customer expects.

This is the proposed setup:

1. Wireless router is connected to the outside world. It gets a WAN (external) IP from the ISP. This connection is by definition insecure, and the usual disclaimers apply.

2. Wireless router has a LAN (internal) IP of say, 192.168.1.1. With DHCP on, it hands out 192.168.1.x addresses to all connected devices. This connection is considered secure relative to the WAN. For this reason communications inside the LAN are not scrutinized the way WAN (especially INCOMING WAN) communications are - nor are they normally expected to. For the wireless part, the usual disclaimers relating to the inherent general shortcomings of WIRELESS COMMUNICATIONS apply. Keep this in mind.

3. There is also a wired router that gets its WAN (external) IP address from the wireless router. Let's say it ends up with WAN IP 192.168.1.100. The wired router may or may not consider the connection insecure depending on the setup. For low end devices the usual default is: consider all INCOMING WAN communications insecure, but place no restrictions to all OUTGOING WAN communications. This router is NOT part of the wireless segment, but it IS part of the overall internal LAN of the wireless router (192.168.1.x, which includes the wireless segment). Disclaimers relating to internet access or wireless communications DO NOT APPLY to this device. Or maybe you want to go to court and find out the hard way.

4. The wired router has a LAN (internal) IP of say, 192.168.2.1. The devices connected to it, have addresses in that range. Don't forget there's no restrictions to outgoing communications originating from this LAN. For these devices the internet IS the wired router's WAN IP address: 192.168.1.100. That's where the world starts for them, smack in the middle of the wireless router's LAN. What a nice back door to that LAN, which normally does not expect attacks from the inside.

tito, I think you mix up dynamic ADDRESSES with dynamic ROUTES. The route between these 2 routers is not dynamic. There's no discovery, no changes in the MAC address table, and the wireless just hands out a known (to it) IP address to the port. Actually, being a port-to-port route with zero hops it is as static as a static route can get.
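
The flows implied by the four-step setup in the post above, as an added example that is not part of the original post or of any poster's configuration: a small Python reachability model using the thread's addresses, assuming each router drops unsolicited inbound WAN traffic and allows all outbound. The host addresses, the function names and the two flags (a wired-router rule blocking the office LAN from 192.168.1.0/24, and station-to-station isolation on the wireless LAN) are illustrative assumptions.

```python
from ipaddress import ip_address, ip_network

# Networks and router addresses are the ones used in the post; host addresses are constructed.
GUEST_NET = ip_network("192.168.1.0/24")   # wireless router LAN (public access)
OFFICE_NET = ip_network("192.168.2.0/24")  # wired router LAN (business)
WIRED_WAN = ip_address("192.168.1.100")    # wired router's WAN port, inside GUEST_NET
GUEST_GW = ip_address("192.168.1.1")       # wireless router's LAN address

def zone(addr):
    """Classify an address as office, guest or internet."""
    if addr in OFFICE_NET:
        return "office"
    if addr in GUEST_NET:
        return "guest"
    return "internet"

def can_initiate(src, dst, block_office_to_guest=False, station_isolation=False):
    """Return (allowed, reason) for a NEW connection from src to dst.

    Assumed defaults (as in the post): each router drops unsolicited inbound
    WAN traffic and places no restriction on outbound traffic.
    """
    s, d = ip_address(src), ip_address(dst)
    sz, dz = zone(s), zone(d)
    if sz == "office":
        if dz == "office":
            return True, "same wired LAN"
        if dz == "guest" and block_office_to_guest:
            return False, "wired router rule: drop LAN -> 192.168.1.0/24"
        return True, f"outbound allowed, source NATed to {WIRED_WAN}"
    if dz == "office" or d == WIRED_WAN:
        return False, "wired router drops unsolicited inbound on its WAN side"
    if sz == "guest" and dz == "guest":
        if station_isolation and d != GUEST_GW:
            return False, "station-to-station traffic disallowed"
        return True, "same subnet, nothing filters between stations"
    if sz == "guest":
        return True, "outbound to the internet via the wireless router"
    return False, "unsolicited inbound from the internet is dropped"

if __name__ == "__main__":
    flows = [("192.168.2.10", "192.168.1.50"), ("192.168.1.50", "192.168.2.10"),
             ("192.168.1.50", "192.168.1.51"), ("192.168.2.10", "203.0.113.7")]
    for hardened in (False, True):
        print("hardened" if hardened else "defaults")
        for src, dst in flows:
            ok, why = can_initiate(src, dst, hardened, hardened)
            print(f"  {src:>13} -> {dst:<13} {'ALLOW' if ok else 'DROP '} {why}")
```

With the defaults, only the office-to-guest and guest-to-guest flows are open inside the building; the two flags close exactly those two while leaving internet access from both segments intact.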

#264511 10/10/09 04:52 AM
Joined: Nov 2004
Posts: 290
TDS Offline
Member
this should work
https://www.guestgate.com/us/en/

add an access point off of this in meeting area
can be configed to allow those connected to see each others computers but not the host net
or by default dhcp give each computer its own separate ip
also page of terms of use & password access

for about 250.00

#264512 10/10/09 09:17 AM
Joined: Sep 2006
Posts: 149
Member
Offline
Cisco 871W should do what is needed here. Not terribly expensive either--about $350.

#264513 10/10/09 04:24 PM
Joined: Apr 2001
Posts: 1,390
Member
Offline
Netgear DIR655 has exactly what you are looking for; a wireless guest zone which is completely segmented from the host zone, both wired and wireless.

#264514 10/11/09 12:18 AM
Joined: Aug 2002
Posts: 2,608
Moderator-ESI, Shoretel
***
Offline
Quote
Originally posted by brianl703:
A dual-router is a kludge, by the way. It works, but it's a kludge, and every CG that sees it will know that a TG set it up.
About time we got them back!!

Sundance Communications is not affiliated with any of the above manufacturers. Sundance Phone System Forums - VOIP & Cloud Phone Help
©Copyright Sundance Communications 1998-2024