Create a second network for my teenager

Discussion in 'other security issues & news' started by vincenzo, Mar 27, 2012.

Thread Status:
Not open for further replies.
  1. vincenzo

    vincenzo Registered Member

    Joined:
    Nov 28, 2005
    Posts:
    151
    I want to create a second network for a teenager whose surfing habits seem to get him lots of viruses, to provide some isolation and protection for the others in the house. I intend to plug a second router into one of the LAN ports on the existing router (taking care to be sure they are not overlapping in the IP addresses they give out).

    Would I get better protection if the careless surfer is on the outer router (the one closest to the modem)? Or does it not really matter significantly?

    Thanks
     
  2. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Hello :)

    Well, wouldn't it be better to secure the teenager's PC a little more instead?
    I mean he would continue to get lots of malware even if you improve the security for the rest.

    I assume that your teenager is like every other teenager that checks emails, plays games, and keeps logging on to member accounts here and there. And having malware on a PC while doing that is not so good. So I would improve the protection on the teenager's PC more, or change it out to something that works better with his habits.
     
  3. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    You could get him a cheapo computer and let him learn the hard way ;)
    And then if he gets in real trouble recommend him Wilders Security :D :rolleyes:
     
  4. vincenzo

    vincenzo Registered Member

    Joined:
    Nov 28, 2005
    Posts:
    151
    The teenager isn't the only issue. I also bring in virus laden computers from friends that I clean up.
     
  5. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    648
    Location:
    HKEY/SECURITY/ (value not set)
    It does not matter significantly whether the careless user/laden computers network is on the outer or inner network.
    However, for topology reasons, the main home network should be positioned as the outer network, the network closest
    to the modem.

    The goal here is to isolate both networks from each other entirely, while allowing Internet access for both networks.
    Simply connecting the two routers together, LAN port to LAN port, will not work; that only expands available ports,
    and the two networks can still see each other, even though both routers are on separate subnets. Also, if File and
    Printer Sharing is preferred only between computers behind the subnet of the router they are serviced by, then the
    Workgroup Name for all the computers behind the Home Router must be the same, but different from the Workgroup Name
    of all the computers behind the Laden Router, and the Workgroup Name for all the computers behind the Laden Router
    must be the same, but different from the Workgroup Name of all the computers behind the Home Router.

    To isolate the two networks entirely, provide Internet access for both networks, and restrict File and Printer
    Sharing to the subnet of the router, follow the topology below.


    HOME NETWORK TOPOLOGY:

    Modem/Home Router/Laden Router

    01] Modem
    The modem currently in use

    02] Home Router = Home Network
    Plug the modem into the WAN port of the home router
    IP address (subnet) of home router = 192.168.1.1
    DHCP server of home router starting IP address = 192.168.1.111
    Number of DHCP clients for home router = 5
    DHCP address range for home router = 192.168.1.111 to 192.168.1.115
    WAN settings for home router = Obtain an IP Address Automatically (from internet provider)
    Workgroup name for computers behind home router = HOME ROUTER

    03] Laden Router = Laden Network
    Plug from out of the WAN port of the laden router into the LAN port of the home router
    IP address (subnet) of laden router = 192.168.2.1
    DHCP server of laden router starting IP address = 192.168.2.111
    Number of DHCP clients for laden router = 5
    DHCP address range for laden router = 192.168.2.111 to 192.168.2.115
    WAN settings for laden router = Obtain an IP Address Automatically (from internet provider)
    Workgroup name for computers behind laden router = LADEN ROUTER


    To alleviate some of the laden you might consider using Norton DNS ConnectSafe.
    Norton DNS ConnectSafe is a free cloud-based Web filtering service by Symantec.
    There are three content filtering policies to choose from:
    https://dns.norton.com/dnsweb/faq.do#13330138920481&action=contentLoaded&formId=loginForm&height=0


    HKEY1952
     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Easy addition to earlier suggestions: check whether your router has a wireless LAN partition option, usually under advanced wireless options (sometimes under wireless intelligent stream handling options).

    see pic
     

    Attached Files:

  7. vincenzo

    vincenzo Registered Member

    Joined:
    Nov 28, 2005
    Posts:
    151
    Thanks for the responses.

    I've created the 2nd network and it seems to be working well. Kees, my router does not have a LAN partition option.

    The reason I was asking about which router to make the outer router was because it seemed to me that since most threats to a network come in through the WAN side, that therefore a router might have better security protections on the WAN side. Which would then suggest putting the virus-laden computers on the outer router, so they are on the WAN side of the computers I want to protect.

    If I do it the other way, and put the virus-laden computers on the inner router, then all the traffic from the virus-laden computers travels through the router of the network that I am trying to protect, on the same set of LAN ports as the computers I want to protect, which seems like it could be asking for trouble.

    Thanks
     
  8. BrandiCandi

    BrandiCandi Guest

    I would suggest looking at alternatives for the virus-laden computers you're bringing in from friends. IMO you shouldn't join them to your LAN at all. Instead you would run them inside a sandbox & fix them that way. Or you could run repair CDs on the infected computers & mount the hard drive into the live CD; that way the infected OS isn't actually unleashed on your LAN.

    As for the teenager, I would second SweX's suggestion of securing his computer more. Perhaps he needs a more restricted account. If he doesn't have any admin capabilities, then mom or dad would have to approve any installations of legit programs as well as malware. I sound like a sandbox fanboy, but again it's something to look at for him. Run his browser in a sandbox & you'll reduce the infections even if his behavior doesn't change much. If you run a tight firewall, that would significantly cripple malicious programs from calling home. It would also make sense to implement some mandatory access controls on the teenager's computer. You may still get the infections but they wouldn't be able to do much.
     
  9. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    648
    Location:
    HKEY/SECURITY/ (value not set)
    So, if we go by your theory, placing the laden router on the outside, and the home router on the inside, now all of
    the traffic from the home router is travelling through the laden router through the very same ports as the laden
    infected computers.....right.....wrong.

    The only way your theory would hold true is if the inner router was connected to the outer router via
    LAN port to LAN port. Connecting both routers LAN port to LAN port only expands available ports and the networks
    are not segregated.

    Connecting the inner router out of the WAN port into the LAN port of the outer router totally segregates the two
    networks from each other, including network connections. It is irrelevant which of the two networks is positioned
    at the network's edge; however, for topology reasons, the main network should be positioned at the network's edge.

    I gave you the answer/solution to your question/problem


    HKEY1952
     
  10. BrandiCandi

    BrandiCandi Guest

    Interesting- I have learned something here. So the two networks would be completely independent, right?
     
  11. vincenzo

    vincenzo Registered Member

    Joined:
    Nov 28, 2005
    Posts:
    151
    BrandiCandi,
    I guess it depends on how you define "independent". I've tried both configurations, and while I cannot see the other computers with normal methods, I can see the other router,
    which seems to leave open the possibility of some creative hacking.

    Steve Gibson has a page with lots of good info on this topic here:
    http://www.grc.com/nat/nat.htm


    If you scroll down to the bottom, he suggests the machines you want to protect should be on the inner router.

    I have also considered that perhaps the best way might be to connect a switch to the modem then the routers to the switch. But I'd rather avoid another piece of hardware if I could feel safe with just the routers.
     

    Attached Files:
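    The two-router layout from HKEY1952's topology post, and vincenzo's observation above that the other router is still visible even though the other computers are not, can both be checked with a small model. The following Python is an added example, not code from the thread or from any router vendor: it takes the subnets and DHCP ranges from the topology post, flags the configuration mistakes the posters warn about (overlapping subnets, a DHCP range outside its subnet), and then answers "who can open a connection to whom" under the usual consumer-router rule that NAT forwards outbound connections and drops unsolicited inbound ones with no port forwards configured. The inner router's WAN lease (192.168.1.111, the first of the outer router's five) and the sample PC addresses are constructed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Router:
    name: str
    lan: ipaddress.IPv4Network           # subnet served on the LAN ports
    lan_ip: ipaddress.IPv4Address        # the router's own LAN address
    dhcp_start: ipaddress.IPv4Address    # first DHCP lease handed out
    dhcp_count: int                      # "number of DHCP clients"
    upstream: Optional["Router"] = None  # router whose LAN our WAN port plugs into (None = the modem)
    wan_ip: Optional[ipaddress.IPv4Address] = None  # lease our WAN port got from upstream (None = ISP)

    def dhcp_range(self):
        return self.dhcp_start, self.dhcp_start + (self.dhcp_count - 1)


def check_config(routers):
    """Return the configuration problems found (an empty list means the layout is consistent)."""
    problems = []
    for r in routers:
        lo, hi = r.dhcp_range()
        if lo not in r.lan or hi not in r.lan:
            problems.append(f"{r.name}: DHCP range {lo}-{hi} is not inside {r.lan}")
        if lo <= r.lan_ip <= hi:
            problems.append(f"{r.name}: its own address {r.lan_ip} lies inside its DHCP range")
        if r.upstream is not None and (r.wan_ip is None or r.wan_ip not in r.upstream.lan):
            problems.append(f"{r.name}: WAN address {r.wan_ip} is not on {r.upstream.name}'s LAN {r.upstream.lan}")
    for i, a in enumerate(routers):
        for b in routers[i + 1:]:
            if a.lan.overlaps(b.lan):
                problems.append(f"{a.name} ({a.lan}) and {b.name} ({b.lan}) overlap; "
                                "a daisy-chained router cannot route between identical subnets")
    return problems


def _path_to_modem(router):
    """LANs a host behind `router` sits on or is NATed onto: its own, then each outer LAN in turn."""
    nets = []
    while router is not None:
        nets.append(router.lan)
        router = router.upstream
    return nets


def can_initiate(src, dst, routers):
    """Can a host on src's LAN open a connection to address dst (no port forwards configured)?"""
    dst = ipaddress.IPv4Address(dst)
    if any(dst in net for net in _path_to_modem(src)):
        return True        # own LAN, or an outer LAN our traffic is NATed onto
    if any(dst in r.lan for r in routers):
        return False       # behind some other router's NAT: the unsolicited inbound packet is dropped
    return True            # anything not modelled here is the Internet, reached through the NAT chain


def build(outer_name, inner_name, inner_lan="192.168.2.0/24"):
    """Two-router chain with the thread's numbers: outer LAN 192.168.1.0/24, five leases from .111.

    Which network is 'home' and which is 'laden' is the caller's choice, so both placements
    debated in the thread can be compared. The inner router's WAN lease (192.168.1.111) is constructed.
    """
    outer_net = ipaddress.ip_network("192.168.1.0/24")
    inner_net = ipaddress.ip_network(inner_lan)
    outer = Router(outer_name, outer_net, outer_net[1], outer_net[111], 5)
    inner = Router(inner_name, inner_net, inner_net[1], inner_net[111], 5,
                   upstream=outer, wan_ip=outer_net[111])
    return outer, inner


def exposure(outer, inner):
    """Who can reach whom. Hosts are constructed: one DHCP client (.112) on each LAN."""
    routers = [outer, inner]
    outer_pc, inner_pc = str(outer.lan[112]), str(inner.lan[112])
    return {
        "inner host -> outer router": can_initiate(inner, str(outer.lan_ip), routers),
        "inner host -> outer PC": can_initiate(inner, outer_pc, routers),
        "outer host -> inner router WAN side": can_initiate(outer, str(inner.wan_ip), routers),
        "outer host -> inner PC": can_initiate(outer, inner_pc, routers),
        "inner host -> Internet (198.51.100.7)": can_initiate(inner, "198.51.100.7", routers),
    }


if __name__ == "__main__":
    for outer_name, inner_name in (("home", "laden"), ("laden", "home")):
        outer, inner = build(outer_name, inner_name)
        print(f"\n{outer_name} router on the outside, {inner_name} router on the inside")
        for problem in check_config([outer, inner]) or ["config: no problems found"]:
            print(" ", problem)
        for what, ok in exposure(outer, inner).items():
            print(f"  {what}: {'reachable' if ok else 'blocked by NAT'}")
```

    Running it for both placements shows what the debate in this thread turns on: in either layout the outer network can see the inner router's WAN address but not the inner computers, while the inner network can open connections to the outer router and every outer computer. The chain isolates the inner LAN from the outer one, not the other way round, which is why the machines to be protected belong on the inner router if that asymmetry is what matters.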

  12. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    648
    Location:
    HKEY/SECURITY/ (value not set)
    The switch can not be the edge device connected to the modem. The switch can not act as a DHCP server and allocate
    IP addresses. The switch can not enforce Network Address Translation (NAT). The modem expects to see one computer
    and would see past the switch, trying to communicate with all the devices connected, yet not know which device
    it can support. Modems are designed to communicate with one device at a time, and only support a network adapter,
    a game console, or a router.


    Switches work at Layer2 of the Open Systems Interconnection (OSI) Seven-Layer Networking Reference Model,
    the Data Link Layer, using Media Access Control Addresses (MAC Addresses). The Data Link Layer is responsible for
    transmitting data from one place to another. The Data Link Layer is also responsible for putting together and
    formatting the header information into correct fields and placing the data in the right place, called the Ethernet
    Frame. Switches examine the MAC Addresses of packets, using that information to decide whether to forward a packet
    to another port. Switches are intelligent devices and remember the MAC Addresses and which ports the MAC Addresses
    used during communications. Some switches also amplify the inbound and outbound signals independently per port to
    retain the full bandwidth in all the communications passing through the switch.

    Routers work at Layer3 of the Open Systems Interconnection (OSI) Seven-Layer Networking Reference Model,
    the Network Layer, using the Internet Protocol (IP). The Network Layer manages how packets are delivered on the
    network or routed to another network using IP Addressing. IP addresses are comprised of two components:
    a Network ID and a Host ID. Packets can be delivered on the Local Area Network (LAN) using the Host ID or routed
    to another network using the Network ID. The Network Layer is also responsible for breaking large messages into
    smaller messages that fit into the Ethernet Frames created at the Data Link Layer. The size of the Ethernet Frames
    created by the Data Link Layer is called the Maximum Transmission Unit (MTU). At the receiving end the Network Layer
    reassembles the smaller messages back into the original large message before passing the data up to Layer4 of the
    Open Systems Interconnection (OSI) Seven-Layer Networking Reference Model, the Transport Layer. Routers use the
    protocol's network address to determine on which port a packet is to be forwarded, by using the Logical Address
    Space provided by Layer3. Switches use MAC Addresses to determine on which port a packet is to be forwarded, by
    using the Flat Address Space provided by Layer2 for lower-level devices that use Media Access Control Addresses.

    The Modem sees the Wide Area Network (WAN) side of the router and communicates with it, allocating the WAN port of
    the router the Internet Provider's IP Address. The modem does not need to know that there are other computers or devices
    connected on the Local Area Network (LAN) side of the router. As far as the modem is concerned there is only one
    device connected to it, the router, as the modem does not communicate past the router or to the Local Area Network.
    It is the job of the router to make the connections to the computers, printers, and devices. Routers are capable of
    speaking to multiple computers or devices, and can allocate each of them their own Local IP Address by using the
    router's built-in Dynamic Host Configuration Protocol (DHCP) Server, for example: (192.168.xxx.xxx).
    When the router receives a signal from a computer or device, the router has the capability to decide whether
    that signal either goes to the Internet, presenting the computer(s) or device(s) to the modem as if it were just the
    one device (the router) by using the router's IP Address, for example: (192.168.XXX.XXX), and performing Network
    Address Translation (NAT) as required for the modem communications, or if the signal goes to another computer or
    device on the Local Area Network.

    Although I can appreciate Steve Gibson's topology in regards to the 'Separate LAN Protecting One High-Value Machine'
    by positioning it on the inner router, being that there is only one computer making up the network segment.
    All of the networks behind their respective router are 'private' and all of the networks behind their respective
    router are not 'uncontrollable', and both networks 'face the Internet'. Daisy Chaining routers does not increase
    router security. If my goal was to protect 'One High-Value Machine', I would place it within an inner network behind
    a Proxy Server. In your case, you want to isolate the teenager's computer from the rest of the home network;
    therefore, that computer is best positioned by itself behind its own router within a separate subnet, as depicted
    by Steve Gibson's topology in Post #11.

    There are two interfaces within a router, the WAN interface and the LAN interface. By connecting out of the
    WAN port on the inner router to the LAN port of the outer router, the inner router is passing through the WAN interface
    of the outer router and the two networks are segregated. It is irrelevant which network is positioned at the network's edge.
    Both networks are behind their respective router, both routers have a WAN interface and a LAN interface, and
    the two interfaces within each router do not communicate with each other within the router. For topology reasons, the
    main network should be positioned at the network's edge. The inner routers must make two or more hops before they can
    access the Internet through the edge device, the Modem at the network's edge.


    EDIT: clarity


    HKEY1952
     
    Last edited: Apr 1, 2012
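    HKEY1952's Layer 2 / Layer 3 explanation above can be made concrete by pulling the two headers apart. The following Python is an added example written for this thread, not code from the post or from any networking product: it builds and parses a constructed Ethernet II frame carrying an IPv4 packet, shows the MAC addresses a switch would look at and the IP addresses a router would look at, splits an IP address into its Network ID and Host ID with the subnet mask to decide "deliver on the LAN" versus "route to another network", verifies the IPv4 header checksum, and counts how many fragments the Network Layer needs to fit a message into a given MTU. All MAC addresses, IP addresses and payload bytes are constructed sample values.

```python
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words, complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst_mac, src_mac, src_ip, dst_ip, payload: bytes, ttl=64, proto=17) -> bytes:
    """Layer 2 header (MACs, EtherType) followed by a 20-byte IPv4 header and the payload."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0x1234, 0x4000, ttl, proto, 0,
                         ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return _mac_bytes(dst_mac) + _mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + header + payload


def parse_frame(frame: bytes) -> dict:
    """Return the fields a switch uses (Layer 2) and the fields a router uses (Layer 3)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst_mac": _mac_str(dst_mac), "src_mac": _mac_str(src_mac), "ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return info                          # a switch forwards it anyway; a router has nothing to route
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _flags, ttl, proto, csum, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    header = ip[:ihl]
    expected = ipv4_checksum(header[:10] + b"\x00\x00" + header[12:])   # checksum computed with the field zeroed
    info.update({
        "version": ver_ihl >> 4, "ttl": ttl, "proto": proto,
        "src_ip": str(ipaddress.IPv4Address(src)), "dst_ip": str(ipaddress.IPv4Address(dst)),
        "checksum_ok": expected == csum,
        "payload": ip[ihl:total_len],
    })
    return info


def layer3_decision(dst_ip, local_lan):
    """Split dst_ip into Network ID and Host ID with the local mask; deliver locally or route."""
    net = ipaddress.ip_network(local_lan)
    dst = ipaddress.IPv4Address(dst_ip)
    mask = int(net.netmask)
    network_id = ipaddress.IPv4Address(int(dst) & mask)
    host_id = int(dst) & (~mask & 0xFFFFFFFF)
    action = "deliver" if network_id == net.network_address else "route"
    return action, str(network_id), host_id


def ipv4_fragment_count(payload_len: int, mtu: int = 1500, header_len: int = 20) -> int:
    """Fragments needed to carry payload_len bytes; fragment data sizes must be multiples of 8."""
    per_fragment = ((mtu - header_len) // 8) * 8
    return -(-payload_len // per_fragment)   # ceiling division


if __name__ == "__main__":
    # Constructed sample: a PC on the home LAN sending to a public address (TEST-NET-2).
    frame = build_frame("aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55", "192.168.1.112", "198.51.100.7", b"hello")
    info = parse_frame(frame)
    print("switch sees:", info["src_mac"], "->", info["dst_mac"])
    print("router sees:", info["src_ip"], "->", info["dst_ip"], "checksum ok:", info["checksum_ok"])
    for target in ("192.168.1.115", "198.51.100.7"):
        print(target, layer3_decision(target, "192.168.1.0/24"))
    print("4000-byte message at MTU 1500 needs", ipv4_fragment_count(4000), "fragments")
```

    The same frame yields two different forwarding questions: the switch only compares the destination MAC against its port table, while the router masks the destination IP, sees that 198.51.100.7 is not on 192.168.1.0/24, and sends it towards its WAN gateway. A flipped bit in the IPv4 header is caught by the checksum, which is one reason a corrupted packet is dropped at Layer 3 rather than being mis-routed.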
  13. vincenzo

    vincenzo Registered Member

    Joined:
    Nov 28, 2005
    Posts:
    151
    OK thanks for info. I see what you mean about the switch idea not being workable.

    I am running it now with the computers I want to protect on the outer router. I prefer it that way since it makes it easier to disconnect the inner router when it is not needed.
     
  14. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    648
    Location:
    HKEY/SECURITY/ (value not set)
    There ya go, great idea, and good job vincenzo.

    Also a good working example of one advantage to positioning the Main Network behind the Outer Router, referred to as
    The Network's Edge. The Modem is the Network's Edge Device.


    HKEY1952
     