Two wifi APs off one ADSL modem?

 
 
Peter
Guest
Posts: n/a

 
      10-04-2004, 02:53 PM

With a typical wifi AP (with an integral hub/switch), the wifi is on
the same network as the four ethernet ports so it is a security
hazard: if someone cracked the wifi they would access the internal
network.

How about doing this (need non-prop font):


                  |----- wifi nat router (a) (wifi ON)
ADSL MODEM -------X
                  |----- wifi nat router (b) (wifi OFF) ----- LAN

If router (a) is compromised, the risk is no more than somebody
hacking from the internet, which with a NAT router (assuming no holes
in it) is very small.

Am I right?

Can one simply stick an ethernet switch/hub in position X? The modem
is the popular D-Link DSL-300T which requires all devices talking to
it to have the same MAC address!

I also have a related question: how does one arrange for multiple
wifi-connected devices (e.g. multiple laptops working off (a)) to

1. see each other for browsing?

2. NOT see each other at all?

In an internet cafe, they obviously want 2. but within one's house one
is likely to want 1.

I know generally about Windows networking; i.e. on the same WORKGROUP
if one has a common login/pwd, and has set up an extra share on drive
C: etc then the machines are visible to each other. Or one can set up
accounts for everybody on everybody's machine, which is tacky.

But I have not been able to get multiple wifi devices to see each
other. Those ethernet-connected to the same router's hub/switch see
each other fine.


Peter.
--
Return address is invalid to help stop junk mail.
E-mail replies to (E-Mail Removed) but remove the X and the Y.
Please do NOT copy usenet posts to email - it is NOT necessary.
 
 
 
 
 
Martin
Guest
Posts: n/a

 
      10-04-2004, 05:40 PM
Peter wrote:
> With a typical wifi AP (with an integral hub/switch), the wifi is on
> the same network as the four ethernet ports so it is a security
> hazard: if someone cracked the wifi they would access the internal
> network.
>
> How about doing this (need non-prop font):
>
>
> |----- wifi nat router (a) (wifi ON)
> ADSL MODEM -------X
> |----- wifi nat router (b) (wifi OFF) ----- LAN


the way I would do it is to use a proper firewall.

Come to think of it, in any business use I'd use a proper firewall. How
would you explain to the local press "well we had a data leak, but
didn't think we needed a firewall to protect our clients' data"
 
 
Kráftéé
Guest
Posts: n/a

 
      10-04-2004, 05:58 PM
Martin wrote:
> Peter wrote:
>> With a typical wifi AP (with an integral hub/switch), the wifi is
>> on the same network as the four ethernet ports so it is a security
>> hazard: if someone cracked the wifi they would access the internal
>> network.
>>
>> How about doing this (need non-prop font):
>>
>>
>> |----- wifi nat router (a) (wifi ON)
>> ADSL MODEM -------X
>> |----- wifi nat router (b) (wifi OFF) ----- LAN

>
> the way I would do it is to use a proper firewall.
>
> Come to think of it, in any business use I'd use a proper firewall.
> How would you explain to the local press "well we had a data leak,
> but didn't think we needed a firewall to protect our clients' data"


Why can't he also use encryption & MAC filtering as well? That way there'd be
more security. Let's put it this way, if I can set it up it can't be that
difficult....


 
 
Peter
Guest
Posts: n/a

 
      10-04-2004, 06:10 PM

Martin <(E-Mail Removed)> wrote

>Peter wrote:
>> With a typical wifi AP (with an integral hub/switch), the wifi is on
>> the same network as the four ethernet ports so it is a security
>> hazard: if someone cracked the wifi they would access the internal
>> network.
>>
>> How about doing this (need non-prop font):
>>
>>
>> |----- wifi nat router (a) (wifi ON)
>> ADSL MODEM -------X
>> |----- wifi nat router (b) (wifi OFF) ----- LAN

>
>the way I would do it is to use a proper firewall.
>
>Come to think of it, in any business use I'd use a proper firewall. How
>would you explain to the local press "well we had a data leak, but
>didn't think we needed a firewall to protect our clients' data"


A "proper firewall" (a box from Cisco costing, would you say, £1000+
?) connected where?

But my original question still stands.


Peter.
--
Return address is invalid to help stop junk mail.
E-mail replies to (E-Mail Removed) but remove the X and the Y.
Please do NOT copy usenet posts to email - it is NOT necessary.
 
 
will kemp
Guest
Posts: n/a

 
      10-04-2004, 08:46 PM
On Mon, 04 Oct 2004 19:10:20 +0100, Peter wrote:

>
> Martin <(E-Mail Removed)> wrote
>
>>Peter wrote:
>>> With a typical wifi AP (with an integral hub/switch), the wifi is on
>>> the same network as the four ethernet ports so it is a security
>>> hazard: if someone cracked the wifi they would access the internal
>>> network.
>>>
>>> How about doing this (need non-prop font):
>>>
>>>
>>> |----- wifi nat router (a) (wifi ON)
>>> ADSL MODEM -------X
>>> |----- wifi nat router (b) (wifi OFF) ----- LAN

>>
>>the way I would do it is to use a proper firewall.
>>
>>Come to think of it, in any business use I'd use a proper firewall. How
>>would you explain to the local press "well we had a data leak, but
>>didn't think we needed a firewall to protect our clients' data"

>
> A "proper firewall" (a box from Cisco costing, would you say, £1000+
> ?) connected where?


a "proper firewall" could just as easily be a 486 running linux with
an iptables firewall. costing, um..... nothing?

> But my original question still stands.


your question isn't really very clear. what exactly do you want to achieve
by doing this?

one thing that occurred to me reading your question was that you're
concerned about securing the internal network from a possible crack on the
wifi network. a firewall is the only way you can do that.

the best way to do this is connect the modem and all the internal networks
to the firewall and make all traffic between the internet and the internal
nets, and between one internal net and another, pass through the firewall.

will
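
The layout will describes above (modem, LAN and wifi each on their own firewall interface, with all traffic between them passing through it), sketched as an added example that is not part of the original thread. The interface names and the assumption that the firewall itself serves DHCP and DNS to wifi clients are illustrative, not from any poster's setup.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables-restore ruleset for a
# three-legged firewall. Interface names are assumptions passed as arguments.
emit_ruleset() {
    [ "$#" -eq 3 ] || { echo "usage: emit_ruleset WAN LAN WLAN" >&2; return 1; }
    wan=$1 lan=$2 wlan=$3
    # Each network must sit on its own interface, or nothing is separated.
    if [ "$wan" = "$lan" ] || [ "$wan" = "$wlan" ] || [ "$lan" = "$wlan" ]; then
        echo "WAN, LAN and WLAN must be three different interfaces" >&2
        return 1
    fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Traffic addressed to the firewall itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan -j ACCEPT
# Assumption: the firewall hands out DHCP leases and DNS to wifi clients
-A INPUT -i $wlan -p udp -m multiport --dports 53,67 -j ACCEPT
# Traffic passing between networks
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -j ACCEPT
-A FORWARD -i $wlan -o $wan -j ACCEPT
# wifi to LAN is never accepted: log it, then the DROP policy applies
-A FORWARD -i $wlan -o $lan -j LOG --log-prefix "wlan-to-lan drop: "
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
EOF
}
```

The output can be checked with `emit_ruleset ppp0 eth1 wlan0 | iptables-restore --test` as root before it is loaded for real.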


 
 
Mark Scott
Guest
Posts: n/a

 
      10-04-2004, 09:11 PM
On Mon, 04 Oct 2004 15:53:48 +0100, Peter wrote:

>
> With a typical wifi AP (with an integral hub/switch), the wifi is on the
> same network as the four ethernet ports so it is a security hazard: if
> someone cracked the wifi they would access the internal network.
>
> How about doing this (need non-prop font):
>
>
> |----- wifi nat router (a) (wifi ON)
> ADSL MODEM -------X
> |----- wifi nat router (b) (wifi OFF) ----- LAN
>
> If router (a) is compromised, the risk is no more than somebody hacking
> from the internet, which with a NAT router (assuming no holes in it) is
> very small.
>
> Am I right?


Not really. Couple of problems with that setup. First, how do you
propose to hang two routers, with a different network on each, off the one
modem? Do you have a twin-tailed ADSL modem? I'm not aware such things
exist.

Second, how would devices on network (a) communicate with those on network
(b)? I assume you want your wifi devices to be able to communicate with
your wired devices. Don't see how that would work. In fact I don't see
where you imagine the security is going to come from in your setup.

The usual approach to this would be to use an ADSL wireless router with a
builtin stateful firewall, such as for example the Netgear DG834G, the
Linksys WAG54G, or any of several others - typically they are under £100
these days. And you should use 128-bit WEP encryption on the wireless, to
deter any "cracking" of the network.


 
 
Peter
Guest
Posts: n/a

 
      10-04-2004, 10:29 PM

Mark Scott <(E-Mail Removed)> wrote

>Not really. Couple of problems with that setup. First, how do you
>propose to hang two routers, with a different network on each, off the one
>modem? Do you have a twin-tailed ADSL modem? I'm not aware such things
>exist.


That's what I thought...

>Second, how would devices on network (a) communicate with those on network
>(b)? I assume you want your wifi devices to be able to communicate with
>your wired devices. Don't see how that would work. In fact I don't see
>where you imagine the security is going to come from in your setup.


True. This would not be required. All I am looking for is to provide
occasional internet access for some wifi laptops.

>The usual approach to this would be to use an ADSL wireless router with a
>builtin stateful firewall, such as for example the Netgear DG834G, the
>Linksys WAG54G, or any of several others - typically they are under £100
>these days. And you should use 128-bit WEP encryption on the wireless, to
>deter any "cracking" of the network.


I don't think the firewall in these routers works between the wifi AP
and the internal LAN. It works only on traffic to/from the internet
(WAN) port. So a compromise of the AP immediately opens up the LAN.

As regards using WEP, MAC filtering etc - good point. The problem is
that I have a collection of ancient (meaning more than a few months
old) wifi devices which support only 64bit WEP, no WPA, and the access
point has to be set to the lowest common denominator.

I realise a firewall is the proper way; I was looking for a simple
solution which would be good enough. It is supposed to be very
difficult to hack *in* through a NAT router, after all. Just about
impossible, short of discovering some exploit like the buffer overruns
that Micro$oft products are full of....

It is far easier to get someone inside the firm to receive a dodgy
attachment... but we don't use any Microsoft email software.


Peter.
--
Return address is invalid to help stop junk mail.
E-mail replies to (E-Mail Removed) but remove the X and the Y.
Please do NOT copy usenet posts to email - it is NOT necessary.
 
 
Paul Russell
Guest
Posts: n/a

 
      10-04-2004, 10:45 PM
Peter wrote:
>
> I realise a firewall is the proper way; I was looking for a simple
> solution which would be good enough. It is supposed to be very
> difficult to hack *in* through a NAT router, after all. Just about
> impossible, short of discovering some exploit like the buffer overruns
> that Micro$oft products are full of....
>


Actually the "proper way" is to get yourself a router with built-in VPN
support so that your wireless clients can only access your internal
network through a VPN connection.

Routers with built-in VPN support are getting relatively cheap these
days, e.g. the Zyxel ZyWall 10.

Paul
 
 
Martin
Guest
Posts: n/a

 
      10-05-2004, 12:25 AM
Peter wrote:

> Martin <(E-Mail Removed)> wrote
>
>
>>Peter wrote:
>>
>>>With a typical wifi AP (with an integral hub/switch), the wifi is on
>>>the same network as the four ethernet ports so it is a security
>>>hazard: if someone cracked the wifi they would access the internal
>>>network.
>>>
>>>How about doing this (need non-prop font):
>>>
>>>
>>> |----- wifi nat router (a) (wifi ON)
>>>ADSL MODEM -------X
>>> |----- wifi nat router (b) (wifi OFF) ----- LAN

>>
>>the way I would do it is to use a proper firewall.
>>
>>Come to think of it, in any business use I'd use a proper firewall. How
>>would you explain to the local press "well we had a data leak, but
>>didn't think we needed a firewall to protect our clients' data"

>
>
> A "proper firewall" (a box from Cisco costing, would you say, £1000+
> ?) connected where?


I'd probably go for a multi-homed watchguard, or small checkpoint
appliance. I don't like cisco firewalls

> But my original question still stands.


I don't see how, and don't know of any devices that would work like you
want, doesn't mean they do not exist though.

I've just done exactly what you want for one of my clients, and used a
Watchguard, YMMV of course.
 
 
Robin Grayson
Guest
Posts: n/a

 
      10-05-2004, 06:03 AM
On Mon, 04 Oct 2004 19:10:20 +0100, (E-Mail Removed) (Peter) wrote:

>>Come to think of it, in any business use I'd use a proper firewall. How
>>would you explain to the local press "well we had a data leak, but
>>didn't think we needed a firewall to protect our clients' data"

>
>A "proper firewall" (a box from Cisco costing, would you say, £1000+
>?) connected where?
>
>But my original question still stands.


I bought a watchguard firebox III 700 on ebay for around £300, was in
as new condition.
 