Broadband Tech > Security > Wireless Security > Segregate WiFi from LAN

Segregate WiFi from LAN

First of all the only way for someone to access your wpa2 wifi with a strong password. is if a traitor (as you appear to be conspiratorial in nature), in your very own midsts gave away the password. No one hacked into it.

Solutions.
If you do not need wifi then simply disable wifi on the router and just use wired connetivity.

If someone in the house needs wifi, then a guest network with a password or no password should ensure that all connected traffic only reaches the WAN but not the LAN. This assumes that people using wifi at your location are not about sharing printers, hard drives, media servers or files etc....
--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"

LlamaWorks Equipment

reply to anonymous483
Depends on what you're after anonymous483.

Second Anav and want to know why if your wireless got "broken into" you're now after a guest network?
If you don't need it and people have broken into it already, disable it.

The concept of "guest network" varies with manufacturer -- some implementations is just a seperate SSID,
while others is locked down such that there is no physical way for traffic to move between the "secure"
and the "guest" LAN. YMMV.

If you're really paranoid, I'd go the two seperate routers, and ensure your own LAN is behind the router
with the guest wireless.

My 00000010bits.

Regards

reply to anonymous483

reply to anonymous483

Providing free wifi is foolhardy. If abused in certain ways, one could get visitors and it will not be pleasant.

reply to anonymous483
...I agree with you both, but let me tell you the real world works a little differently...

When you have a close proximity of people, lets say an apartment complex, full of low life's who continually attack, disrupt, or break into your wireless network, including doing everything from large downloads, to ping floods, to sending 100 page print jobs of random or threatening text to your printer, thereby also wasting paper - and you complain to local law enforcement but they are either not equipped, overworked, or simply not interested in doing anything about it - sometimes the alternative of giving the jerks what they want (free Internet) is enough to keep them from bothering you. Of course this could be solved by telling the customer (owner of the ISP connection and WiFi hardware) that they just shouldn't use wireless at all, and have everything hard-wired, but that doesn't go over so well.

Recommended, no. Works, yes.

reply to anonymous483
I don't think WPA2 is easy to break in to even with the geeks out there. Im using a network scanner so I can see whose connected on my network wired/wireless and even the bandwidth that they're eating.
--
Hala Madrid!

reply to supergeeky

Hmm, Im always open to facts. Can you provide a link please.

reply to supergeeky

Ahh bbchris 2nd, please provide facts your opinion is a waste of the threads time.

reply to anonymous483
I'm sure you won't like this, but there are articles since 2008...

»www.google.com/search?q=WPA2+cracked

the newest versions seems to revolve around using a GPU to assist with the cracking part

...although I myself don't count what some tech blogger or even conventional journalism writes as fact (it's just nice stories dumbed down for everyday people, in order to have something to put between the advertisements)

I however, am basing my statement on fact from real world results...

Example 1: Setup wireless with WPA2 63 character completely random ASCII key (key copy/pasted only into wireless AP config and the IP cam while plugged into LAN, nobody else ever got a hold of the key, I never left it on my laptop or saved it, my laptop is clean) left only this one wireless IP cam associated to the wireless AP, obviously camera is passing data continually which helps those sniffing it out. Never associated my laptop or anything else to this wireless. Fast forward about a month, customer says camera not working, plug in hard-wire to the same network, find new things associated to this wireless with recent DHCP leases. Camera stops working because hackers DoS it or it simply can't handle more than 10 simultaneous viewers of the stream :-( Proof enough for me, it can be hacked.

Example 2: Setup printer with WPA2 12 character random letter/number key (printer's requirement it can't be longer/more complex) I input same key to customers iPAD. After doing this for 3rd time this year I explicitly did not give customer the key, cause I didn't trust that she wasn't giving it to someone. Customer's main computer is hard-wired to router, but print jobs go wireless to the printer in another room. Takes 2 weeks before printer "magically decides" to print out 100's of pages of [lets just say what it printed was no accident] or, printer stops working (hackers change it's IP, flood it, turn off the wireless interface, or their new favorite is to change the routers IP and DHCP to something different, so end-user desktop can no longer communicate to the printer, which is still associated, but on a different subnet) Find they changed the router's management password, use reset button, get back into router, put back the same WPA2 key, wait awhile and find 2 more things associated (other than the printer's MAC and the iPAD's MAC). Ping those things and you can tell their a little further away (not within customers appt) :-( Proof enough for me, it can be hacked.

I am not a tin-foil hat kinda guy, nor do I want to encourage hysteria, but I firmly believe...

If someone is bored enough, or perhaps cheap enough, they can accomplish anything. Everything can eventually be hacked regardless of mfg. claim or how publicly it gets discussed. Some people are actually smart enough to exploit something, and then not go telling everyone how they did it. Security measures only keep out most people most of the time. If your setting this stuff up, you should do everything within your ability/budget and have the responsibility to make it as secure as possible - but you should never be so overly confident or ignorant to pretend that anything you do is impenetrable - there will always be someone else. Get over it.

reply to anonymous483
WPA2 Enterprise Radius Auth w/ Mac Addy filtering and static (or reserved) IP Addys. Problem solved!

reply to anonymous483
mac address filtering is not security as addresses are easily spoofed.

SGeeky, read through enough of those articles they speak to weak keys, a problem with any security system given the plethora of hash tables and tools out there.

I am talking about randomly generated strong key and WPA keys of 64 characters in length as per this site........

»www.grc.com/passwords.htm
--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"

LlamaWorks Equipment

A cool tool to compare your password methods........
»www.grc.com/haystack.htm

That was interesting.

reply to supergeeky