Re: Public/Private network split.
From: BLH (blh_9_at_hotmail.com)
Date: 01/29/04
- Next message: BLH: "Re: Encryption Software for PDAs"
- Previous message: Thomas Hertel: "Re: Public/Private network split."
- In reply to: J. M. L.: "Public/Private network split."
- Next in thread: Leythos: "Re: Public/Private network split."
Date: 29 Jan 2004 01:33:09 -0800
freaknightproductions@yahoo.com (J. M. L.) wrote in message news:<1624fd18.0401281629.4e2d6450@posting.google.com>...
> I have a question concerning trying to set up a public/private
> network... I have a retail establishment with DSL service. I
> currently use a DSL router to share that connection amongst my various
> staff computers. I want to add a wireless access point to the network
> so that my customers can use my DSL connection to get to the net...
> however... I don't want them to be able to see/touch/talk to any of
> the computers on the private part of my network.
>
> I'm looking for the simplest way to implement a separation of this
> network -- minimal software set up -- just a dedicated black box that
> I can stick between the networks. Here's what I thought would work.
>
> Plug in a new wireless broadband router's uplink port to one of the
> network ports on my private network. Lock down this router so ONLY
> TCP/IP traffic goes through, and lock down which ports are open.
> Theoretically, this would create a private network inside my private
> network... No one connected to my wireless router would be able to
> sniff packets on the private part of my network, because Ethernet
> packets won't be routed past the wireless broadband router, and no one
> on this wireless network would be able to do anything that I didn't
> want them to do -- I could close up specific ports by configuring the
> wireless router.
>
> My questions are -- Is this possible? Can broadband routers be chained
> together like this to create segmented networks? Does the address
> forwarding that goes on between the ISP's network, and the first
> router get properly forwarded to the second router, and the equipment
> hanging off the second router?
It's possible except that you can't daisy chain broadband (ADSL)
routers but there are a number of wireless routers available which
would work. If your existing router is NAT-ing the staff computers it
should NAT the other network as well. You would need to ensure that
not only do you lock down ports carefully but also set up filters so
that there is no way that one network can talk to the other. But see
further on.....
>
> Second, Does this actually provide me with the security that I believe
> it does?
Absolutely not. It's not just a question of what goes on between the
networks. What controls will you have in place for the customers? For
example what if someone browses child porn sites or uses the WLAN to
send loads of spam - it's all traceable back to your IP address/ISP
account. Also how will you control what bandwidth is being used -
suppose you get some P2P users hogging it all. Are you going to put in
any access control - WLAN users don't necessarily have to be in your
shop - it's possible they could access from the car park or street
depending on your location. Are you going to charge for access or is
it some kind of free public service?
>
> If the answer to my first question is no, is there some kind of black
> box firewall that I can put between my private network, and a wireless
> access point that will provide me the kind of network
> segmentation/security that I want? Since I do not own a wireless
> access point, I figured my first solution would be cheaper than two
> dedicated pieces of equipment, but I wanted to verify if this would
> work or not.
I wouldn't even consider this without some sort of firewall between
the WLAN and the rest of the network or internet. Also investigate
web/mail sweeping software.
Just my 2pence worth
>
> Any suggestions appreciated.
>
> -JL
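
Added example (not part of the original thread): a small first-match filter evaluator showing why locking down ports on the wireless router alone still lets guest traffic reach the private LAN it is plugged into, and how a deny rule for the private subnet placed first closes that path. All addresses, rule sets and flows are constructed assumptions.

```python
import ipaddress

# Constructed addressing for illustration (assumptions, not from the thread).
PRIVATE_LAN = ipaddress.ip_network("192.168.1.0/24")  # staff PCs and DSL router
ANY = ipaddress.ip_network("0.0.0.0/0")

# First-match forward rules on the wireless router: (action, dst_net, proto, port).
# port None matches any port; proto None matches any protocol.
PORTS_ONLY = [
    ("allow", ANY, "tcp", 80),
    ("allow", ANY, "tcp", 443),
    ("allow", ANY, "udp", 53),
]
# Same port list, but traffic addressed to the private LAN is dropped first.
SEGMENTED = [("deny", PRIVATE_LAN, None, None)] + PORTS_ONLY

def decide(rules, dst, proto, port):
    """Return the action of the first matching rule; default deny."""
    addr = ipaddress.ip_address(dst)
    for action, net, r_proto, r_port in rules:
        if addr in net and r_proto in (None, proto) and r_port in (None, port):
            return action
    return "deny"

# Constructed guest-originated flows: (description, dst, proto, port).
FLOWS = [
    ("public web site", "203.0.113.10", "tcp", 443),
    ("DSL router admin page", "192.168.1.1", "tcp", 80),
    ("staff PC web service", "192.168.1.20", "tcp", 443),
    ("staff PC file sharing", "192.168.1.20", "tcp", 445),
    ("public DNS resolver", "198.51.100.53", "udp", 53),
]

def guest_to_private_leaks(rules):
    """List flows from the guest side that reach the private LAN."""
    return [name for name, dst, proto, port in FLOWS
            if ipaddress.ip_address(dst) in PRIVATE_LAN
            and decide(rules, dst, proto, port) == "allow"]

def internet_still_works(rules):
    """True if every flow to a non-private destination is allowed."""
    return all(decide(rules, dst, proto, port) == "allow"
               for _, dst, proto, port in FLOWS
               if ipaddress.ip_address(dst) not in PRIVATE_LAN)

if __name__ == "__main__":
    for label, rules in (("ports only", PORTS_ONLY), ("segmented", SEGMENTED)):
        print(label, guest_to_private_leaks(rules), internet_still_works(rules))
```

Internet-bound packets carry the remote host's address as destination and only use the DSL router as next hop, so the deny rule for the private subnet does not break guest browsing.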