How secure is this?

Schoolies

Senior member
Oct 9, 1999
I have one internet connection, two routers.

I want only people on router A to access the internet and their LAN
I want only people on router B to access the internet and their LAN.

I know I can just assign router A and B different subnets like 192.168.1.x and 192.168.2.x and daisy chain them (Modem - Router A - Router B). However, how secure is that? Can someone who knows what they are doing be able to access both subnets? The subnet mask on both routers will be 255.255.255.0.

Sorry for the lame question. The ultimate goal here is to make router B wireless and provide free wireless but not have the wireless clients be able to get into router A's subnet.
 

Schoolies

Thanks. The shop wants to provide free wireless access to its customers but they only have one internet connection which is connected to their office network. I wouldn't be able to get MAC addresses from all of the wireless users unfortunately.
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
It is secured as one LAN is secured from the Internet.

I.e., the first LAN is as the Internet to the second LAN.

No matter what, I always use a software firewall on each computer as well.

Put the subnet of each LAN in the firewall trusted zone of the computer according to their LAN membership, and it will be as secure as it can be by using regular means.

My current favorite is the free PCtools, http://www.pctools.com/firewall/

Network Segregation - http://www.ezlan.net/shield.html
 

Schoolies

Thanks Jack. That's what I figured but I kept going over this in my head until I finally managed to convince myself that it was not secure. :)

Thanks!
 

QuixoticOne

Golden Member
Nov 4, 2005
It is as secure as anything else. Each router presumably has a firewall. Each PC presumably has its own firewall.

Any random person on the internet can send traffic to your existing router and try to compromise the firewall(s) and attack the machines.

So what difference does it make if that person is in china on the internet or 300 feet away coming in over wireless? If they penetrate the firewall(s) involved, you've had it. If they can't then it doesn't matter.

Either way your security against traffic passing from "outside the network" into the network is only as good as your firewall(s).

Granted local users MAY have a little higher available bandwidth to try to attack your firewall(s) but really that is even not so much so... 802.11b is only a few megabits a second maximum, and several people have Cable Modem or DSL service that is that fast.

I don't see the particular problem here. If you don't trust your PC security / firewalls, you shouldn't be connected to ANY network whether internal LAN, internet, wireless hotspot, or other.
 

seepy83

Platinum Member
Nov 12, 2003
Originally posted by: Schoolies
The shop wants to provide free wireless access to its customers but they only have one internet connection which is connected to their office network.

Personally, I would set it up with a single router. Behind the router you will need a firewall that has 2 LAN interfaces (1 for LAN, and 1 for your DMZ). Place your office network on the LAN, and your WAPs on the DMZ, and configure the Firewall so there is no routing between the two.
 

NickOlsen8390

Senior member
Jun 19, 2007
I would do VLANs and break them back out on the router.
That's what I do here.
You have to have a router that can do VLANs though, and a switch also that can do VLANs.
 

Jeff7181

Lifer
Aug 21, 2002
Never mind... I'm assuming higher end stuff. Looks like you're working with business class DSL or cable so my solution wouldn't have worked well.

Why not go with the router on a stick method? Just need a switch that supports VLANs.
 

Schoolies

Doing the VLANs would effectively do the same thing as connecting 2 routers, correct? They have regular SOHO routers and a switch right now. If he can get away with using what he has, then that's what he would prefer. Cheaper the better of course.
 

skyking

Lifer
Nov 21, 2001
Cheapest, easiest.
Modem-----> wireless router with customers-----------> second router as client to the first router--------------> office.
Upside: as secure as any connection to the WAN is.
Downside: double NAT. Port forwarding, if necessary, is a two part operation involving both routers. UPnP may not help you out.
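
Added example, not part of any poster's reply: a small Python model of the two daisy-chain orders discussed in this thread, showing which segment can open connections to which, and why an inbound port forward under double NAT needs an entry on both routers. It assumes default SOHO NAT behaviour (LAN to WAN forwarded, unsolicited WAN to LAN dropped); the `Router` class, helper names and all addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Router:
    name: str
    lan: str                    # subnet handed to clients behind this router
    wan_ip: str = ""            # upstream-side address ("" for the modem-facing router)
    forwards: dict = field(default_factory=dict)   # port -> inside IP

def depth_of(chain, ip):
    """Index of the router whose LAN contains ip (0 = nearest the modem)."""
    addr = ipaddress.ip_address(ip)
    for i, r in enumerate(chain):
        if addr in ipaddress.ip_network(r.lan):
            return i
    raise ValueError(f"{ip} is not on any LAN in the chain")

def can_initiate(chain, src_ip, dst_ip):
    """A host can open connections to its own LAN and to every LAN upstream
    of it (that is just 'outbound' traffic), but not to a LAN behind a router
    further down the chain. Assumes no port forwards on that inner router."""
    return depth_of(chain, dst_ip) <= depth_of(chain, src_ip)

def trace_inbound(chain, port):
    """Follow an unsolicited Internet connection to `port` through each
    router's forwards; return the receiving host, or None if it is dropped."""
    for i, r in enumerate(chain):
        target = r.forwards.get(port)
        if target is None:
            return None                      # this router has no forward: dropped
        nxt = chain[i + 1] if i + 1 < len(chain) else None
        if nxt is None or target != nxt.wan_ip:
            return target                    # delivered to a host on this LAN
    return None

# Constructed addresses. Original poster's order: modem - Router A (office) - Router B (guest Wi-Fi).
OP_ORDER = [Router("A-office", "192.168.1.0/24"),
            Router("B-guest", "192.168.2.0/24", wan_ip="192.168.1.2")]
# skyking's order: modem - guest Wi-Fi router - office router as its client.
SKYKING_ORDER = [Router("guest", "192.168.2.0/24", forwards={443: "192.168.2.2"}),
                 Router("office", "192.168.1.0/24", wan_ip="192.168.2.2",
                        forwards={443: "192.168.1.10"})]
GUEST, OFFICE_PC = "192.168.2.50", "192.168.1.10"

if __name__ == "__main__":
    print("OP order, guest -> office:     ", can_initiate(OP_ORDER, GUEST, OFFICE_PC))
    print("skyking order, guest -> office:", can_initiate(SKYKING_ORDER, GUEST, OFFICE_PC))
    print("Internet :443 lands on:        ", trace_inbound(SKYKING_ORDER, 443))
```

With the guest router placed behind the office router, the office LAN is simply "upstream" for guests and is reachable; with the office router placed behind the guest router, it is not.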
 

Tbirdkid

Diamond Member
Apr 16, 2002
It really depends on the application. If you are going to use it on a business that has some pretty heavy private info, use VLANs with a switch. If it isn't really a big deal, like a coffee shop or something like that, then I would run the one router method, and lock it down. That is a subjective question, and it has to be handled correctly...

One solution is with an ASA, then into a switch. The ASA will VLAN it with a bit of configuration, then run the patch cables to the switch, and then out to the jacks. That is if it's seriously confidential info.

If not, like was said before, I would just use the router and set access by MAC address.