Question on Guest SSIDs & confidentiality

April 17, 2012 at 09:29:44
Specs: Windows 7 SP1
This might be a bit basic but:

Our lodgers have asked for access to broadband. Dongles don't work well in our area, so I'm considering getting a router (e.g. D-Link DIR-645) which has the facility to set up encrypted guest SSIDs.

However, I have to keep confidential work files on my network. If I set them up with such an SSID, would they be able to access files from my home network PCs?

Thanks.




#1
April 17, 2012 at 09:44:45
Potentially they could, yes.

You could prevent it by having separate subnets. You would probably want to set the wireless router as the one directly attached to the internet and the other downstream from it. Once correctly configured, the downstream router's network would be separated from the upstream (guest wireless) and it would still have internet access.

For a guide to setting this up, just click on my name above in this response and read my “how-to” guide titled “Add a second Router to your LAN”.

You would want to use the scenario where you interconnect the two routers LAN port to WAN port and have separate subnets.

It matters not how straight the gate,
How charged with punishments the scroll,
I am the master of my fate;
I am the captain of my soul.

***William Henley***



#2
April 17, 2012 at 09:48:33
So many ways.... Well, let's assume everyone, including your lodgers, shares the router with no security but default Windows. First, a lodger would have to be in your workgroup (which may/will happen with defaults); in Win 7 the default workgroup is "Workgroup", same on Vista and XP Professional, but XP Home is "MSHOME". So assuming some lodgers end up in your workgroup by default, this would still only give them access to your shared files/folders. This also assumes everyone has network discovery and sharing turned on etc. Win XP PRO and up have security. So one of the easiest ways to protect your network would be to use your own workgroup name, not the default; it does not matter what you change "workgroup" to as long as all the computers in your office network all use the same one. This would automatically keep the other users from gaining access, but maybe not a hacker. You could password protect sharing of folders that are sensitive for added security. You could use 2 routers and put the lodgers on a different network. Lots of ways, but to start I suggest putting your office in its own workgroup. Others will have ideas too.


#3
April 17, 2012 at 10:39:52
The SSID guest zone is in essence putting the lodgers on a separate wireless network. I would even change their frequency to be different than yours. It appears to be a neat system, but I would still incorporate some other security measures so you don't have a single point of security failure (the router). Making a few simple changes as mentioned will enhance the security provided by the router.


#4
April 17, 2012 at 10:59:46
"but to start I suggest putting your office in its own workgroup."

It takes nothing to change a computer from one workgroup to another.

While I applaud your enthusiasm, your posts weren't worth adding here as my solution is the securest way to segregate the "guest" network from the private network. Your "solution" wouldn't provide any real segregation or security I'm sorry to say.

As for two separate WLANs, if that's what you want and both SOHO routers are wireless capable, again, my solution is the simplest and the most secure. You would simply create two separate WLANs. The "guest" would be unsecured and unencrypted (at least, that's how we set up our 'guest' WLAN here at work). The private one would be encrypted (WPA2) with a strong password. You could even make that SSID hidden.

All in all, the point I'm trying to make is simply this: to keep the two networks segregated, the best way, bar none, is to have them on different (separate) subnets and arrange it so the guest network cannot access the private network. It doesn't matter (in this particular case) if the private can access the guest network.

It matters not how straight the gate,
How charged with punishments the scroll,
I am the master of my fate;
I am the captain of my soul.

***William Henley***
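
The two-router layout recommended in replies #1 and #4, as an added example that is not part of the original thread: a small Python check of an addressing plan for the LAN-port-to-WAN-port cascade. All addresses are constructed samples, and the function names and the assumption that R2's firewall drops unsolicited inbound traffic on its WAN side are this example's, not the posters'.

```python
import ipaddress

def check_cascade(r1_lan, r2_wan_ip, r2_lan, r2_port_forwards=()):
    """Return a list of problems with a LAN-to-WAN two-router plan.

    r1_lan: subnet served by the upstream router R1 (guest side).
    r2_wan_ip: address R2 takes on its WAN port (plugged into R1's LAN).
    r2_lan: subnet served by the downstream router R2 (private side).
    """
    guest = ipaddress.ip_network(r1_lan)
    private = ipaddress.ip_network(r2_lan)
    wan = ipaddress.ip_address(r2_wan_ip)
    problems = []
    # Both routers left on the same default subnet is the usual mistake.
    if guest.overlaps(private):
        problems.append("guest and private subnets overlap")
    if wan not in guest or wan in (guest.network_address, guest.broadcast_address):
        problems.append("R2 WAN address is not a usable host address on R1's LAN")
    # Any forward or DMZ entry on R2 opens a path from the guest side inward.
    for port in r2_port_forwards:
        problems.append(f"R2 forwards port {port} from the guest side to a private host")
    return problems

def can_initiate(src_ip, dst_ip, r1_lan, r2_lan):
    """Can src open a new connection to dst? Assumes no forwards on R2."""
    guest = ipaddress.ip_network(r1_lan)
    private = ipaddress.ip_network(r2_lan)
    if guest.overlaps(private):
        raise ValueError("subnets overlap; fix the plan first")
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for addr in (src, dst):
        if addr not in guest and addr not in private:
            raise ValueError(f"{addr} is in neither subnet")
    # Guest hosts sit on R2's WAN side: private addresses are hidden behind
    # R2's NAT and unsolicited inbound traffic is dropped (assumed default).
    if src in guest and dst in private:
        return False
    # Same subnet, or private -> guest (outbound through R2's NAT).
    return True

if __name__ == "__main__":
    plan = ("192.168.0.0/24", "192.168.0.2", "192.168.1.0/24")  # constructed
    print("plan problems:", check_cascade(*plan) or "none")
    print("lodger -> office PC:",
          can_initiate("192.168.0.50", "192.168.1.10", plan[0], plan[2]))
    print("office PC -> lodger:",
          can_initiate("192.168.1.10", "192.168.0.50", plan[0], plan[2]))
```
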



#5
April 17, 2012 at 11:26:01
Thanks for the help, it's much appreciated. I'll go away, have a good read of it and see what I can do.

Steve



#6
April 17, 2012 at 11:52:34
...but one final(ish) question: the separate subnet option seems to fit the bill neatly but I was wondering if the downstream router might suffer any performance degradation with respect to download and upload speeds???

Thanks again.



#7
April 17, 2012 at 11:57:40
I suggested 2 routers and I figure he is keeping lodgers out and not the Pentagon, but appreciate your critique ;)


#8
April 17, 2012 at 12:06:02
"Out-of-the-box Guest Interface features allow you to configure the D-Link for controlled guest access to an isolated network. You can configure the same access point to broadcast and function as two different wireless networks: a secure "Internal" LAN and a public "Guest" network". That is what D-Link says, which makes adding a second router somewhat redundant, but admit, always better security with 2 separate routers.


#9
April 17, 2012 at 12:11:59
octafish

If all clients connected to your upstream router are hogging bandwidth then yes, there will likely be some degradation to people connected to the downstream router. You could invest in a router capable of limiting bandwidth and set restrictions in place and use it as R1 to avoid this potential issue.

HopperRox

Yes, you did eventually suggest 2 routers. One little sentence at the end of that lengthy, run-on paragraph. My point was that the rest of that run-on paragraph was a waste of time and energy as it is not secure in any way, shape or form.

The wireless aspect is self-explanatory once you understand that changing channels does nothing to secure a WLAN. One can have the same WLAN on multiple different channels as easily as different WLANs all on the same channel. It's just that when you have many wireless devices all sharing the same channel you get significant interference and a performance degradation for all devices sharing that channel. If you want segregation between WLANs you do that by giving them different SSIDs and putting them on separate subnets.

From what you wrote, I have the feeling that your knowledge of networking in general, and with regard to wireless specifically, is somewhat lacking so I was trying to be informative for you as well as the OP while correcting your errors.

You're most welcome. ;)

It matters not how straight the gate,
How charged with punishments the scroll,
I am the master of my fate;
I am the captain of my soul.

***William Henley***



#10
April 17, 2012 at 13:39:20
Thanks to everyone, even disagreements are informative!

Steve

