Wife being sent home to work. Requires Cisco router first in chain.

TechBoyJK

Lifer
Oct 17, 2002
Wife has a healthcare job that must be HIPAA compliant, and is being sent home to work, which we want. However, we're running into some network access requirements that are making things difficult.

1) Uses a Cisco VPN device/router. We haven't been given model # yet. And they said it has to be the first device connected to our internet modem as it requires a public IP address.

2) Must be installed 'right next to' the modem, both of which must be contained in her office. Her office is on the 2nd floor and there are no lines run up there. She's been using wifi. Currently, our cable modem (and my router, SAN, server, and gig switch) are all downstairs mounted on the wall.

3) Her employer is saying we'd have to move the cable modem from the basement (which is 3ft from the conduit that leads outside to the pole) up to her office. There's not enough slack in the cable line (coax) for that, so we'd have to get more coax, couple them together, and somehow fish the coax from the basement up to the 2nd floor. Using the existing coax, even if it was long enough as is, would equate to about 100ft of line once it goes from the basement to her office.

4) Even if we get the modem up to her office and plug the Cisco VPN device into that, we still then either have to move all of my networking equipment/server, switch, etc. up there or I'm going to again have to fish a cat5 cable back down to the basement to all of my stuff.

5) I log in to my home machine remotely all of the time. I have my own VPN setup. I have NAT set up and I also have dynamic DNS. Her employer doesn't allow us to access the Cisco device to configure anything for pass-thru, and they said 'it's fine, it will give your subsequent devices a "useable" IP via DHCP'.

This would be a huge hassle, not to mention we would then have a 3rd party device controlling our network that if it fails or has problems I can't troubleshoot and their tech support is M-F 8-5.

Thoughts? My only real thought here is that we need a 2nd line that we can run up to her office that doesn't touch our existing network. Her own cable modem, etc.
 

razel

Platinum Member
May 14, 2002
Keep work separate from home. It sounds like work wants her to do the same thing with her connection which is great for you. In these cases she/you will want work to pay for a separate Internet line which is for her work only.
 

AnonymouseUser

Diamond Member
May 14, 2003
Use a second ISP, possibly DSL for easier modem placement (using existing phone outlet in office). This keeps the Cisco device out of your network, and prevents having to move the modem.
 
Feb 25, 2011
Thirding the "Get DSL for the Cisco dooboxdadthing" sentiment. Nobody's taking over my home network.
 

nitsuj3580

Platinum Member
Jun 13, 2001
Are you sure "first device connected to the router" has to mean all of your devices then connect into the Cisco router?

I have the same situation where I have a Cisco 891FW SOHO router that was given to me by my employer since I work from home. I have it plugged directly into one of the ports in my FIOS Quantum Gateway router and then my work computer plugs into the Cisco router.

However, I still have 3 other ports on the FIOS router that I use to branch off to my home network devices. Is that not allowed by your wife's employer?
 

Mark R

Diamond Member
Oct 9, 1999
It depends a lot on the precise type of VPN router, and the configuration of the VPN concentrator at the employer's end.

While 10 years ago, many VPN devices had to have a public IP address to work, these days many VPN devices can traverse NAT, so should work fine if just plugged into a regular home router as a client side device.

I do this just fine for access to hospital and healthcare provider networks from home.
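
Added example (not part of the original post): assuming the employer's tunnel is IPsec negotiated with IKEv2, which the thread does not state, this sketch shows the NAT detection step from RFC 7296 section 2.23 that lets a VPN client work behind a home router instead of needing the public IP itself. The SPIs and addresses are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import ipaddress
import struct

IKE_PORT, NATT_PORT = 500, 4500


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """NAT_DETECTION_*_IP payload data: SHA-1(SPIi | SPIr | IP | port)."""
    packed_ip = ipaddress.ip_address(ip).packed  # 4 bytes for IPv4, 16 for IPv6
    return hashlib.sha1(spi_i + spi_r + packed_ip + struct.pack("!H", port)).digest()


def nat_in_path(spi_i: bytes, spi_r: bytes, claimed_src, observed_src) -> bool:
    """Receiver's check: the sender hashed the address/port it believes it has;
    the receiver hashes the source address/port on the packet it actually got.
    A mismatch means a device in between rewrote the packet (NAT)."""
    in_payload = nat_detection_hash(spi_i, spi_r, *claimed_src)
    from_header = nat_detection_hash(spi_i, spi_r, *observed_src)
    return in_payload != from_header


def transport_after_detection(nat_found: bool) -> dict:
    """With NAT detected, IKE moves to UDP 4500 and ESP is wrapped in UDP so the
    home router can translate it; without NAT, ESP runs as IP protocol 50."""
    if nat_found:
        return {"ike_port": NATT_PORT, "esp": "UDP-encapsulated on 4500"}
    return {"ike_port": IKE_PORT, "esp": "native ESP (IP protocol 50)"}


# Constructed sample values (documentation address ranges, made-up SPI).
SPI_I = bytes.fromhex("0123456789abcdef")
SPI_R = bytes(8)  # responder SPI is zero in the first IKE_SA_INIT request
BEHIND_ROUTER = (("192.168.1.50", 500), ("203.0.113.7", 31842))
ON_MODEM = (("198.51.100.20", 500), ("198.51.100.20", 500))

if __name__ == "__main__":
    for label, (claimed, observed) in (("behind home router", BEHIND_ROUTER),
                                       ("directly on modem", ON_MODEM)):
        found = nat_in_path(SPI_I, SPI_R, claimed, observed)
        print(f"{label}: NAT detected={found} -> {transport_after_detection(found)}")
```

Whether a given deployment accepts this depends on the concentrator's configuration at the employer's end, as the post says: NAT traversal has to be enabled on both sides.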
 

TechBoyJK

Lifer
Oct 17, 2002
> Are you sure "first device connected to the router" has to mean all of your devices then connect into the Cisco router?
>
> I have the same situation where I have a Cisco 891FW SOHO router that was given to me by my employer since I work from home. I have it plugged directly into one of the ports in my FIOS Quantum Gateway router and then my work computer plugs into the Cisco router.
>
> However, I still have 3 other ports on the FIOS router that I use to branch off to my home network devices. Is that not allowed by your wife's employer?

That's a great question.

The way she has explained it is that there can't be any 3rd party devices between the ISP and the Cisco device.

We currently use Charter, which simply provides a modem that the homeowner is required to get a router for if they want wifi or multi-users.

When I had AT&T uVerse, they provided a modem/router hybrid, which included a 4 port switch and had built in wifi. I haven't posed to them how they would handle it. All I know is that we were told that we couldn't plug the device into a 3rd party router because it needs a public IP. I'm assuming the AT&T uverse hybrid modem would pose a problem.
 

TechBoyJK

Lifer
Oct 17, 2002
> It depends a lot on the precise type of VPN router, and the configuration of the VPN concentrator at the employer's end.
>
> While 10 years ago, many VPN devices had to have a public IP address to work, these days many VPN devices can traverse NAT, so should work fine if just plugged into a regular home router as a client side device.
>
> I do this just fine for access to hospital and healthcare provider networks from home.

She was told no 3rd party routers in front of the Cisco, and that the modem had to be in the same room as her Cisco client device, which still presents the problem of having to move the modem AND then run lines from it down to the basement.
 

mxnerd

Diamond Member
Jul 6, 2007
If the employer insists that there be no other device between ISP & Cisco, then like others have said, you get DSL for your wife, put the DSL modem in her room, which can use existing phone line wiring, if you already have one in place.

Your wife can still use Wi-Fi to access your home network. You don't have to touch any of your equipment.
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
> Wife has a healthcare job that must be HIPAA compliant, and is being sent home to work, which we want. However, we're running into some network access requirements that are making things difficult.

This matter is far more complicated than Enthusiasts' "Mumbo Jumbo".

It is not a matter of "right or wrong" technology; it is a matter of doing things according to legal issues and protection from malpractice and lawsuits.

If you are doing it your way and something goes wrong the Job can be lost and One can be exposed to legal actions against him/her.



:cool:
 

TechBoyJK

Lifer
Oct 17, 2002
> This matter is far more complicated than Enthusiasts' "Mumbo Jumbo".
>
> It is not a matter of "right or wrong" technology; it is a matter of doing things according to legal issues and protection from malpractice and lawsuits.
>
> If you are doing it your way and something goes wrong the Job can be lost and One can be exposed to legal actions against him/her.
>
> :cool:

I get that. I work in a datacenter and most of our clients are there for HIPAA compliance.

My concern is that the requirements seem aimed at 50yo non-tech savvy nurses that can only be trusted to 'plug this into that'. I don't want to do anything unnecessary that can more easily be dealt with using our existing infrastructure.
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
> My concern is that the requirements seem aimed at 50yo non-tech savvy nurses that can only be trusted to 'plug this into that'. I don't want to do anything unnecessary that can more easily be dealt with using our existing infrastructure.

It is probably so, and I am sure that you know better than them.

That said, your wife is going to work with/for them and she is Under the umbrella of their legal arrangements.

At least talk to them to coordinate the situation.

Making One technically right does not make them automatically legally right.



:cool:
 

bigboxes

Lifer
Apr 6, 2002
If her work is demanding all of that shouldn't they be paying for a dedicated line instead of telling you what to do with yours? I get why they want their devices configured that way. They just need to send someone out to install a dedicated line.
 

Mike64

Platinum Member
Apr 22, 2011
> My concern is that the requirements seem aimed at 50yo non-tech savvy nurses that can only be trusted to 'plug this into that'. I don't want to do anything unnecessary that can more easily be dealt with using our existing infrastructure.

You're most likely right, but from their perspective, what conceivable incentive do they have to trust you to meet their requirements with some other set-up (let alone to spend the time and money to vet whatever alternative you might propose?) Answer: none.

(On a tangential note: if you go with a dedicated line, don't forget to look into, or ask your tax accountant to look into, deducting its cost as a work-related expense. I don't know how that works for something like this when it's not for one's personally-owned business, but it might be deductible, whereas it's virtually certain that no part of your home/recreational service would be deductible even if partially used for work-related activity.)

> If her work is demanding all of that shouldn't they be paying for a dedicated line instead of telling you what to do with yours? I get why they want their devices configured that way. They just need to send someone out to install a dedicated line.

It sounds very much like they're "allowing" the OP's wife to work from home, not "requiring" her to do so, so I can't imagine them paying for her ISP services even if they do have specific security-related requirements for accessing their network via the Internet "if she chooses" to work from home...
 

Elixer

Lifer
May 7, 2002
The problem with doing it "their way" is the actual auditing.
That means that whatever you do, or anyone else connected to the network would be subject to being audited.
That is NOT a good thing to have if you care about your privacy, and in fact can get her into trouble if you visit something that you shouldn't be visiting.
Look up Accounting Rule 164.528 for HIPAA. http://www.hipaasurvivalguide.com/hipaa-regulations/164-528.php For home users, it sucks.

Best thing to do is just get another ISP since they won't let you separate her stuff and everything else via a VLAN.
 

bigboxes

Lifer
Apr 6, 2002
> It sounds very much like they're "allowing" the OP's wife to work from home, not "requiring" her to do so, so I can't imagine them paying for her ISP services even if they do have specific security-related requirements for accessing their network via the Internet "if she chooses" to work from home...

If that's the case then the OP should just set up a second line himself. I just can't see the sharing of such a line.
 

Ketchup

Elite Member
Sep 1, 2002
> ... It sounds very much like they're "allowing" the OP's wife to work from home, not "requiring" her to do so, so I can't imagine them paying for her ISP services even if they do have specific security-related requirements for accessing their network via the Internet "if she chooses" to work from home...

I have seen this go both ways. One job of mine paid about half my internet bill for my work from home on weekends once a month (this was for everyone on my team). We were allowed to work in the office or home on these weekends, but of course, most of us worked from the house (we got the reimbursement either way). A couple years down the road, another company bought out that company and the reimbursements came to an end. It wasn't huge money, but we were all sad to see it go.
 

Mike64

Platinum Member
Apr 22, 2011
> If that's the case then the OP should just set up a second line himself. I just can't see the sharing of such a line.

For the several reasons mentioned in the thread, I think that's really the best idea all around. Even though it would mean some amount of out-of-pocket expense, it seems to me worth it to avoid the various potential hassles involved in using their personal ISP connection. And it's not like she'll need more than basic-plan speed (I assume), so the cost shouldn't be too high. Presumably quite a bit less than commuting expenses, for example, and possibly reduced somewhat if it can indeed be deducted as a work-related expense at tax time...
 

Carson Dyle

Diamond Member
Jul 2, 2012
The physical requirements seem a bit bizarre. The modem must be located in her home office and the VPN router must also be in the same room. Do they also prohibit using the VPN wirelessly? Otherwise, what difference does it make where in the house the modem and router are located? Is she not permitted to do work outside of that room?

If that's the case, it doesn't sound like they want you using the connection for your home internet browsing. And if all outside traffic is routed over the VPN, you may find that a lot of sites are blocked by the company's firewall. You need to get some clarification on what exactly they're proposing before worrying about how it could be hooked up to the rest of the house.

It sounds like you're going to need a second ISP connection. If the modem has to be placed in a particular room, then the easiest way to do that may be to bring the cable to the office on the outside of the house and through an outside wall of the room.
 

Aarondeep

Golden Member
Jan 26, 2000
Have you considered asking your ISP for static IPs? Try to get 2 IPs (I think you will have to buy a block of 3) and then just set up the Cisco on a separate public IP from your personal network. Might be cost prohibitive, but it's a solution to your problem.
 
Feb 25, 2011
> The physical requirements seem a bit bizarre. The modem must be located in her home office and the VPN router must also be in the same room. Do they also prohibit using the VPN wirelessly? Otherwise, what difference does it make where in the house the modem and router are located? Is she not permitted to do work outside of that room?

"B-b-b-but security!" probably.

These are the kinds of guys who stay up at night worrying about this stuff, when 99%+ of security breaches are social engineering attacks.

Don't even mention the wifi. "But if you're not wired in directly, somebody might be MITMing your wifi connection!" is true, theoretically. They'd prohibit it if they think of it and thought they could get away with it. (Doctors seem to like iPads.)
 

RadiclDreamer

Diamond Member
Aug 8, 2004
> The physical requirements seem a bit bizarre. The modem must be located in her home office and the VPN router must also be in the same room. Do they also prohibit using the VPN wirelessly? Otherwise, what difference does it make where in the house the modem and router are located? Is she not permitted to do work outside of that room?
>
> If that's the case, it doesn't sound like they want you using the connection for your home internet browsing. And if all outside traffic is routed over the VPN, you may find that a lot of sites are blocked by the company's firewall. You need to get some clarification on what exactly they're proposing before worrying about how it could be hooked up to the rest of the house.
>
> It sounds like you're going to need a second ISP connection. If the modem has to be placed in a particular room, then the easiest way to do that may be to bring the cable to the office on the outside of the house and through an outside wall of the room.

Healthcare IT guy here. It's most likely because we have a common problem with home users having their stuff all over their house, and it makes helping them take far longer than it should. We finally just made a rule that if it doesn't work you come in, period. There is nothing more frustrating than having to troubleshoot someone's home internet connection that's put together with duct tape and chicken wire.
 

JimmiG

Platinum Member
Feb 24, 2005
> "B-b-b-but security!" probably.
>
> These are the kinds of guys who stay up at night worrying about this stuff, when 99%+ of security breaches are social engineering attacks.
>
> Don't even mention the wifi. "But if you're not wired in directly, somebody might be MITMing your wifi connection!" is true, theoretically. They'd prohibit it if they think of it and thought they could get away with it. (Doctors seem to like iPads.)

It seems they're just throwing every security measure they can think of into the mix and hoping *something* will prevent an attack. I understand the need for security in the healthcare industry, but most of those measures are just massively inconvenient and don't really do anything to improve security.

That said, they get to make up the rules, so you just have to make sure it causes as few headaches as possible for you. A separate connection seems like the best idea, as mentioned previously.