how do I set up free wifi while keeping my network secure?

ThePiston

Senior member
Nov 14, 2004
861
0
76
I have a small medical office and most of my patients have iPhones or Blackberries. It'd be nice to offer some free wifi for them while they wait. I have a secure network plus a WPA2 wireless router. I want to somehow add another router that uses my modem but I don't want it to be able to reach my network at all - completely separate. Is that possible?
 

ThePiston

Senior member
Nov 14, 2004
861
0
76
explain by behind? this is my setup now:
DSL Modem
    |
  Router
   /   \
Wireless Switch   Wired Switch
 

netsysadmin

Senior member
Feb 17, 2002
458
0
0
Well, when someone says free wifi and medical office in the same post you have to be worried! I am guessing you are most likely storing some form of medical records on that office network, correct? Since most Blackberries and PDA/Phones already have data services I would just forget the free wifi idea. If you are set on doing the free wifi I would suggest getting a second internet connection from your ISP and make that free. That will keep your internal network protected. I just feel there are too many potential security holes to make this worthwhile.

John
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: netsysadmin
Well, when someone says free wifi and medical office in the same post you have to be worried! I am guessing you are most likely storing some form of medical records on that office network, correct? Since most Blackberries and PDA/Phones already have data services I would just forget the free wifi idea. If you are set on doing the free wifi I would suggest getting a second internet connection from your ISP and make that free. That will keep your internal network protected. I just feel there are too many potential security holes to make this worthwhile.

John

My thoughts exactly.
 

xSauronx

Lifer
Jul 14, 2000
19,582
4
81
Originally posted by: n0cmonkey
Originally posted by: netsysadmin
Well, when someone says free wifi and medical office in the same post you have to be worried! I am guessing you are most likely storing some form of medical records on that office network, correct? Since most Blackberries and PDA/Phones already have data services I would just forget the free wifi idea. If you are set on doing the free wifi I would suggest getting a second internet connection from your ISP and make that free. That will keep your internal network protected. I just feel there are too many potential security holes to make this worthwhile.

John

My thoughts exactly.

Bingo, and while I'm not clear on HIPAA rules, I wouldn't be surprised if setting up even a segregated network connected to your protected network was illegal anyways.
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
29,552
429
126
Assuming that the office network is HIPAA compliant, what is the difference if the WAN side of the router is directly on the Internet or on another LAN?

In most hospitals, departments' HIPAA compliant networks are segregated networks of the general hospital network.
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
If he had the appropriate enterprise-grade equipment that would allow him to segregate the networks properly, then he could do it with a single internet connection. However, said equipment is fairly expensive, and it would probably be simpler to just get a second internet connection and leave that one open.
 

Jeff7181

Lifer
Aug 21, 2002
18,368
11
81
What if he had a single Internet connection and used a typical SOHO router for his own LAN, but plugged a second router into it as well, configured the port the second router is plugged into as the DMZ (so as to give open access to the Internet) and put that router in a different subnet where his free Wifi clients would sit?
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
Originally posted by: Jeff7181
What if he had a single Internet connection and used a typical SOHO router for his own LAN, but plugged a second router into it as well, configured the port the second router is plugged into as the DMZ (so as to give open access to the Internet) and put that router in a different subnet where his free Wifi clients would sit?

Every router that is plugged in to a LAN side port has access to all devices in that LAN.

Internet
|
router A <---> router B <-> open
|
Doctor's stuff

In this case "open" has complete access to everything.
 

Engineer

Elite Member
Oct 9, 1999
39,230
701
126
ISP------ (WAN) Router #1 (open for all) (LAN)-------(WAN) Router #2 (LAN)-------Office stuff.

Firewall WAN of router #2 to not allow incoming stuff (other than the routed internet traffic coming back). With that said, packets could still be sniffed from router #2 through router #1's LAN port.

To isolate wireless customers from each other, AP Isolation could be turned on in the router (doesn't help with blocking wireless from wired though).

Oh, and I'm not familiar with HIPAA (spell?) stuff so I have no idea how compliance works.

I know that there are dual VLAN routers and I would imagine that you could isolate one from the other but don't know the details.
 

RadiclDreamer

Diamond Member
Aug 8, 2004
8,622
40
91
Originally posted by: JackMDS
Assuming that the office network is HIPAA compliant, what is the difference if the WAN side of the router is directly on the Internet or on another LAN?

In most hospitals, departments' HIPAA compliant networks are segregated networks of the general hospital network.

I work in a hospital and can tell you that no, most are not segregated.

HIPAA doesn't really spell out what you need to do to secure access, only that it needs to be secure. Hell, Philips EKG carts supported only WEP until the most recent model. So a separate AP VLAN'd off, or an AP that supports multiple SSIDs (Cisco etc.) with another VLAN, should work fine.
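Following the VLAN/multi-SSID suggestion above, here is an added example that is not from any poster in this thread: an OpenWrt (UCI) configuration for an open guest SSID placed in its own firewall zone, with client isolation on and forwarding permitted only toward the WAN, never toward the office LAN. OpenWrt is assumed as the router firmware (the thread mentions the related DD-WRT); `radio0`, the SSID and the 192.168.50.0/24 range are placeholders.

```ini
# /etc/config/wireless -- open guest SSID; 'isolate' = AP client isolation
config wifi-iface 'guest_ap'
    option device     'radio0'
    option mode       'ap'
    option network    'guest'
    option ssid       'Clinic-Guest'
    option encryption 'none'
    option isolate    '1'

# /etc/config/network -- guests get their own L3 segment, not the office 'lan'
# 192.168.50.0/24 is a constructed range; it must not overlap the office subnet
config interface 'guest'
    option proto   'static'
    option ipaddr  '192.168.50.1'
    option netmask '255.255.255.0'

# /etc/config/dhcp -- hand out guest addresses only on the guest interface
config dhcp 'guest'
    option interface 'guest'
    option start     '100'
    option limit     '100'

# /etc/config/firewall -- a zone that rejects router login and all forwarding
config zone
    option name    'guest'
    list   network 'guest'
    option input   'REJECT'
    option output  'ACCEPT'
    option forward 'REJECT'

# The only forwarding the zone gets is guest -> wan. There is deliberately no
# guest -> lan entry, so office hosts stay unreachable from the waiting room.
config forwarding
    option src  'guest'
    option dest 'wan'

# Open exactly the two router services guests need: DHCP and DNS
config rule
    option name      'guest-dhcp'
    option src       'guest'
    option proto     'udp'
    option dest_port '67-68'
    option target    'ACCEPT'

config rule
    option name      'guest-dns'
    option src       'guest'
    option proto     'tcp udp'
    option dest_port '53'
    option target    'ACCEPT'
```

Apply with `/etc/init.d/network restart` followed by `/etc/init.d/firewall restart`, then confirm from a guest client that nothing in the office subnet answers.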
 

dawks

Diamond Member
Oct 9, 1999
5,071
2
81
Originally posted by: xSauronx
Originally posted by: n0cmonkey
Originally posted by: netsysadmin
Well, when someone says free wifi and medical office in the same post you have to be worried! I am guessing you are most likely storing some form of medical records on that office network, correct? Since most Blackberries and PDA/Phones already have data services I would just forget the free wifi idea. If you are set on doing the free wifi I would suggest getting a second internet connection from your ISP and make that free. That will keep your internal network protected. I just feel there are too many potential security holes to make this worthwhile.

John

My thoughts exactly.

Bingo, and while I'm not clear on HIPAA rules, I wouldn't be surprised if setting up even a segregated network connected to your protected network was illegal anyways.

If you did

DSL Modem
|
Switch -- Private Router/WiFi
|
Public Router/Wifi

Where you have a switch connected to the modem, splitting out a public router and a private router. The private router is protected through NAT (and SPI or some other firewall tech), just like if you were connected to the internet normally.

As stated before, this would work fine, and be no different than how the general internet would have access to the private network. If this doesn't qualify as a legit setup, then the problem is the 'private router' in question is not compliant, in which case, he's not compliant anyway.
 

VirtualLarry

No Lifer
Aug 25, 2001
56,587
10,225
126
I do this with my internet connection, share it over unprotected wireless, as well as have a protected LAN/WiFi.

All it takes is two routers, and for your purposes, preferably one with AP client isolation. (Does DD-WRT have that?)

You put the "public" WiFi router attached to your internet WAN, and then connect the "private" router's WAN port to a LAN port on the public router. Configure both routers to have separate subnets, and voila.
 

Jeff7181

Lifer
Aug 21, 2002
18,368
11
81
Originally posted by: imagoon
Originally posted by: Jeff7181
What if he had a single Internet connection and used a typical SOHO router for his own LAN, but plugged a second router into it as well, configured the port the second router is plugged into as the DMZ (so as to give open access to the Internet) and put that router in a different subnet where his free Wifi clients would sit?

Every router that is plugged in to a LAN side port has access to all devices in that LAN.

Internet
|
router A <---> router B <-> open
|
Doctor's stuff

In this case "open" has complete access to everything.

Hmm... I guess you're right. Even if you did configure the second router on a different subnet anyone could assign a static IP address on the doctor's stuff subnet and have access to all of it.
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
Originally posted by: dawks
Originally posted by: xSauronx
Originally posted by: n0cmonkey
Originally posted by: netsysadmin
Well, when someone says free wifi and medical office in the same post you have to be worried! I am guessing you are most likely storing some form of medical records on that office network, correct? Since most Blackberries and PDA/Phones already have data services I would just forget the free wifi idea. If you are set on doing the free wifi I would suggest getting a second internet connection from your ISP and make that free. That will keep your internal network protected. I just feel there are too many potential security holes to make this worthwhile.

John

My thoughts exactly.

Bingo, and while I'm not clear on HIPAA rules, I wouldn't be surprised if setting up even a segregated network connected to your protected network was illegal anyways.

If you did

DSL Modem
|
Switch -- Private Router/WiFi
|
Public Router/Wifi

Where you have a switch connected to the modem, splitting out a public router and a private router. The private router is protected through NAT (and SPI or some other firewall tech), just like if you were connected to the internet normally.

As stated before, this would work fine, and be no different than how the general internet would have access to the private network. If this doesn't qualify as a legit setup, then the problem is the 'private router' in question is not compliant, in which case, he's not compliant anyway.

This setup would require a DSL modem/router combo configured as a bridge with multiple static IP addresses. AT&T DSL has this and they'll supply the correct DSL modem/router (a Netopia). If they do this, then, yes, your solution will work. If he doesn't have multiple public IP addresses, then this solution will not work.

Or, it'll introduce a double NAT, which is all kinds of bad for lots of applications (hosted PBX, etc).
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
Originally posted by: VirtualLarry
I do this with my internet connection, share it over unprotected wireless, as well as have a protected LAN/WiFi.

All it takes is two routers, and for your purposes, preferably one with AP client isolation. (Does DD-WRT have that?)

You put the "public" WiFi router attached to your internet WAN, and then connect the "private" router's WAN port to a LAN port on the public router. Configure both routers to have separate subnets, and voila.

Once again, this introduces a double NAT, which should be avoided.
 

Emulex

Diamond Member
Jan 28, 2001
9,759
1
71
Comcast gave me a 4 port router/modem. It provides 5 IPs or DHCP on some ports, so you get both a private LAN port and a DHCP NAT port.

A lot of commercial services do this, so if you have no clue how to set up your network you can just plug in; with 5 IPs that works out quite well to have the pass-thru go to your router/firewall and your guest system go through DHCP.

Just keep in mind the abuse that will occur and the issues you may face when Joe Blow pulls up outside to download some illegal pr0n.

They will come get you first. Have a seat over here.
 

VirtualLarry

No Lifer
Aug 25, 2001
56,587
10,225
126
Originally posted by: drebo
Originally posted by: VirtualLarry
I do this with my internet connection, share it over unprotected wireless, as well as have a protected LAN/WiFi.

All it takes is two routers, and for your purposes, preferably one with AP client isolation. (Does DD-WRT have that?)

You put the "public" WiFi router attached to your internet WAN, and then connect the "private" router's WAN port to a LAN port on the public router. Configure both routers to have separate subnets, and voila.

Once again, this introduces a double NAT, which should be avoided.

Why? Unless you're running servers, it doesn't matter. You can still map ports, you just need to set up "Static NAT" (that's what my router calls it), and basically send all unsolicited inbound traffic from the public router to the private router and let it deal with it, then you can port-map for inbound services on that router.
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
Originally posted by: VirtualLarry
Originally posted by: drebo
Originally posted by: VirtualLarry
I do this with my internet connection, share it over unprotected wireless, as well as have a protected LAN/WiFi.

All it takes is two routers, and for your purposes, preferably one with AP client isolation. (Does DD-WRT have that?)

You put the "public" WiFi router attached to your internet WAN, and then connect the "private" router's WAN port to a LAN port on the public router. Configure both routers to have separate subnets, and voila.

Once again, this introduces a double NAT, which should be avoided.

Why? Unless you're running servers, it doesn't matter. You can still map ports, you just need to set up "Static NAT" (that's what my router calls it), and basically send all unsolicited inbound traffic from the public router to the private router and let it deal with it, then you can port-map for inbound services on that router.

There are many services that do not work inside of a double NAT, even though you've set your second router in the DMZ of the first. Anything that uses RTP, for instance. This includes VoIP, IPTV, and any number of other protocols.

Double NATs are bad practice and should be avoided. There is absolutely no reason you should ever need to set one up, either.
 

VirtualLarry

No Lifer
Aug 25, 2001
56,587
10,225
126
Originally posted by: drebo
There are many services that do not work inside of a double NAT, even though you've set your second router in the DMZ of the first. Anything that uses RTP, for instance. This includes VoIP, IPTV, and any number of other protocols.
I haven't seen any problems from my end. And yes, I do run VoIP, I have a MagicJack, which uses a variant of SIP as I understand it.

 

Emulex

Diamond Member
Jan 28, 2001
9,759
1
71
Are you sure they cannot compromise your primary router by double-NAT'ing? Say by creating too many connections (torrent)?

 

Red Squirrel

No Lifer
May 24, 2003
70,592
13,807
126
www.anyf.ca
Here's what you do:

Get a switch, or even a hub. No need for high quality, and get a second router for the wifi. Hook the switch to your modem, then hook your existing router to the DSL modem and lock it down good, then plug the wifi modem into the switch too and configure it for free wifi. These will essentially be two networks that are isolated completely from each other.