wi fi - security

Started by pathazel, Jan 26, 2009, 14:50:39

pathazel

Hi
I have a LAN with a BT Voyager wi-fi. The problem is that guests who stay with us are given the wi-fi encryption key which means they can access our LAN. I've been told that BT Hub 2700HGV has 2 encryption keys - does this mean that I can allow guests to use one key while I use the other without them "seeing" my LAN?
thanks for any suggestions
pat

Rik

Hi Pat and welcome to the forum

Unfortunately, the feature you may have been told about is the dual SSID model of the 2700. The second SSID is used for BT Fusion, not for the general internet WAN access.
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Lance

Hi Pat and welcome!

As Rik has said, the second SSID is for BT Fusion - BT's VOIP solution. You might want to consider a different router or maybe this will help?
Lance

kinmel

You can give them access only to the internet (WAN). If you do not allow them to join your domain, or workgroup, they will not have access to your LAN.
Alan  ‹(•¿•)›

What is the date of the referendum for England to become an independent country ?

pathazel

Hi all
Thanks for your prompt replies.

BT claim in their router info page that it (BT Business Hub 2700HGV) can be used for a hotspot http://www.btbroadbandoffice.com/broadband-and-internet/internet-access/broadband/more-about-routers
or have I missed the point

Can I simply stop someone from seeing my workgroup? as that would be a fix, as I don't use the wi fi?

pat

kinmel

Yes
Quote from: pathazel on Jan 26, 2009, 17:46:17

Can I simply stop someone from seeing my workgroup? as that would be a fix, as I don't use the wi fi?

pat

Yes, many of us spend happy hours trying to let PCs have full LAN access, so it is easy to lock people out.

My neighbour and I have an agreement allowing encrypted wireless access to each other's internet connection, but neither of us can get into the other's LAN.
Alan  ‹(•¿•)›

pathazel

Can you point me to a site where that info (locking a LAN or Workgroup) can be found?
pat

kinmel

Quote from: pathazel on Jan 26, 2009, 18:19:53
Can you point me to a site where that info (locking a LAN or Workgroup) can be found?
pat

Pat, you are coming at this from the wrong direction, by default Windows networking options are turned off.

To enable a LAN to exist you must first create a common workgroup, or else domain and then specifically enrol any PCs that want to be part of that LAN.  Once that has been done, then you must enable file-sharing for each drive, or even folder, on each PC that you want to permit other PCs to be able to see.  The final security layer is permissions, if you do not allow Simple File Sharing, then being able to see that a shared drive exists elsewhere on a LAN does not mean you can access it, you need to be known to that PC by a username and password.

A trusted ad-hoc visitor to whom you grant router access for broadband use, will not readily be able to gain access to your PCs without knowing the workgroup name and also being given permissions.

Windows built-in Help system tells you what it all entails;  open Start > Help and Support > Networking and the Web and read through the help topics and you will be able to confirm that all this security is set up correctly on your LAN.

Also have a look at Microsoft's Website about networking
Alan  ‹(•¿•)›

Sebby

Most routers have MAC filtering, whereby you have to allow a particular MAC address. When the person leaves who you don't want to have access anymore, just delete their MAC.

somanyholes

Hi All

Sorry to say this but I think this should be done in a different fashion from reading what I have seen.

Pat has advised that she doesn't use the wireless herself. It's only for guests. Pat can you please confirm this?

So the wireless interface on the router has no need to access anything on the wired lan infrastructure. So it would be easier and safer all round if the following was possible. Can a two wire bod advise if on the 2wire you can block access via acls from the wireless interface to the wired one. This would not only stop file and printer sharing *(smb) working, it would also mean that the majority of viruses that may exist on the guest's machine would not be able to infect the machines on her lan. It would also have the security benefit of the fact that wireless as we know is insecure and if it was compromised they would only be able to gain wan access and not see the rest of her lan.

So any 2wire users able to advise if you can block internet interface to lan interface traffic?

Another possible way would be for Pat to statically address her lan machines. Create a dhcp pool on the 2wire that would serve the wireless clients and then create a rule blocking the dhcp ip pool access to the lan.....

Thoughts please.


kinmel

Quote from: somanyholes on Jan 27, 2009, 07:41:54

So any 2wire users able to advise if you can block internet interface to lan interface traffic?

The feature is not documented in the 2700 manual and I have not seen any setup option for it.

Quote: Another possible way would be for Pat to statically address her lan machines. Create a dhcp pool on the 2wire that would serve the wireless clients and then create a rule blocking the dhcp ip pool access to the lan.....

The static/DHCP solution is easy enough and is used by some with the 2700.

I imagine you are thinking of using the IP Security Policy Management Snap-in on each of Pat's machines, or is there an easier way to create the rule?

Now you have suggested this as an option, I will probably change my network to IP blocking, it will be more secure.   Thanks.
Alan  ‹(•¿•)›

somanyholes

instead of this
Quote: So any 2wire users able to advise if you can block internet interface to lan interface traffic?

I meant this

So any 2wire users able to advise if you can block wireless interface to lan interface traffic?

kinmel

Quote from: somanyholes on Jan 27, 2009, 08:17:05
instead of this
I meant this

So any 2wire users able to advise if you can block wireless interface to lan interface traffic?

I answered the question you didn't ask, but the answer is the same to both !

The 2700 firmwares we have seen don't seem to allow you to differentiate between the two.
Alan  ‹(•¿•)›

Steve

No idea but if you get more static IP addresses from your ISP would then a 2wire not be able to isolate both networks?
Steve

pathazel

Hi
Thanks for your replies - which I'm afraid seem far too technical for my understanding.
Kinmel - When I set up the LAN using WORKGROUP I set the C drive on each machine to share, so that the 3 computers can "see" files on each other's computers. Things were fine as we had broadband without wi fi. We then had a wi-fi router (so our guests could connect to the internet) and that's when I was told our LAN is now insecure.

Somanyholes - The wi fi is just for guests, as I have internet access by the LAN ie there's a network cable from the router (BT voyager 2091) to a switch box.

pat

Rik

Hi Pat

So are the guests on a different IP address range, ie one supplied by the router while your LAN has a second range supplied by the switch?
Rik

Glenn

Add permissions for the workgroup to each of the 3 computers and deny guest access http://technet.microsoft.com/en-us/library/cc875837.aspx
Glenn

pathazel

Hi Rik
"So are the guests on a different IP address range, ie one supplied by the router while your LAN has a second range supplied by the switch?"

I'm not sure about this - How could I tell?

Hi Glenn - thanks for the link

pat

Rik

Hi Pat

On one of your machines, hit Start > Run and then type ipconfig /all

You'll get something like this:

ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : BEANMAIN
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Broadcast
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : gateway.2wire.net

Ethernet adapter Local Area Connection 4:

        Connection-specific DNS Suffix  . : gateway.2wire.net
        Description . . . . . . . . . . . : Marvell Yukon 88E8052 PCI-E ASF Giga bit Ethernet Controller
        Physical Address. . . . . . . . . : 00-0E-A6-F1-D8-95
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.64
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.254
        DHCP Server . . . . . . . . . . . : 192.168.1.254
        DNS Servers . . . . . . . . . . . : 192.168.1.254
        Lease Obtained. . . . . . . . . . : 27 January 2009 13:54:15
        Lease Expires . . . . . . . . . . : 28 January 2009 13:54:15

Note the IP address I've highlighted. Now connect wirelessly, either with one of your own machines or borrow a guest's. Repeat the process. If the IP address is in a different range, then the two parts of the network are separate.
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.
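
The wired-versus-wireless comparison described in the post above, as an added example that is not part of the original thread: it reads the IP address and subnet mask from two `ipconfig /all` outputs and uses the mask, rather than a visual comparison of the numbers, to decide whether both adapters sit on one subnet. The wired values are those quoted in the thread; the wireless output and all function names are constructed for illustration.

```python
import ipaddress
import re

# Wired values are taken from the ipconfig output quoted in the thread.
WIRED_OUTPUT = """\
Ethernet adapter Local Area Connection 4:
        IP Address. . . . . . . . . . . . : 192.168.1.64
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
"""
# Constructed sample: what a guest laptop on the wi-fi might report.
WIRELESS_OUTPUT = """\
Ethernet adapter Wireless Network Connection:
        IP Address. . . . . . . . . . . . : 192.168.1.70
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
"""

# "IP Address" (Windows XP) or "IPv4 Address" (later versions), and "Subnet Mask".
FIELD = re.compile(r"^\s*(IP(?:v4)? Address|Subnet Mask)[ .]*:\s*([\d.]+)", re.M)


def parse_interfaces(text):
    """Return one IPv4Interface per 'IP Address' / 'Subnet Mask' pair."""
    interfaces, pending_ip = [], None
    for label, value in FIELD.findall(text):
        if label.endswith("Address"):
            pending_ip = value
        elif pending_ip is not None:
            interfaces.append(ipaddress.IPv4Interface(f"{pending_ip}/{value}"))
            pending_ip = None
    return interfaces


def same_subnet(a, b):
    """True when both addresses fall inside one IP network."""
    return a.network.overlaps(b.network)


def compare(wired_text, wireless_text):
    """Return (wired, wireless, shared) for every pair of parsed adapters."""
    return [(w, g, same_subnet(w, g))
            for w in parse_interfaces(wired_text)
            for g in parse_interfaces(wireless_text)]


if __name__ == "__main__":
    for wired, guest, shared in compare(WIRED_OUTPUT, WIRELESS_OUTPUT):
        verdict = ("same subnet: guest and LAN hosts share one network" if shared
                   else "different subnets: traffic between them must be routed")
        print(f"{wired} vs {guest} -> {verdict}")
```

A static address and a DHCP-pool address that share the same mask and network prefix still report as one subnet here, so separating the two address ranges only helps once a blocking rule is applied between them.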