Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[Aglar]

At work they want to install a wireless router in one of the conference rooms. For security reasons, I do not want those who are connected to the router to be able to access network shares on the LAN that the router will be connected to. I'm thinking that because of NAT they won't be able to and nothing special will need to be done, but wanted to make sure before I put in the order for the hardware.

Thanks.

[blafrisch]

If you just use a wireless router they won't be able to unless they are really smart.  I doubt that is the case.

[damaged]

You can play with the routing tables and stuff, you should be able to make it where the wifi router has net access, but the comps connected to it (different set of IPs) can't connect to the ones beyond that firewall. I can't give any specific details, because I really don't know WTF I'm talking about. I get paid to be cute, thats all.

[Aglar]

You can play with the routing tables and stuff, you should be able to make it where the wifi router has net access, but the comps connected to it (different set of IPs) can't connect to the ones beyond that firewall.

Yeah, that's exactly what I want.

As long as it isn't pathetically easy to get access, I don't really care. The company hadn't even thought of security issues, I'm just making sure I cover my ass by at least doing something.

Thanks.

[damaged]

You could always try to block all access to port 445, which is the SMB port.

[Aglar]

That's good to know, thanks.

[ClearCaseMan]

Might I recommend a high end firewall to separate the networks, anyone who knows how to use the trace route command can go back wards on the network. of if your network firewall that is already in place has a DMZ port you can connect e router to it that has wireless built in and that would effectively separate the two.

[Aglar]

Is there an official name for "seperating networks" so I can google it?

I'll check into the possibility of connecting the router to DMZ on Monday when I go back in. If I were going to go the "high end firewall" route, what exactly would I be looking for, and how much would the company be paying roughly?

[bliq]

Is there an official name for "seperating networks" so I can google it?

I'll check into the possibility of connecting the router to DMZ on Monday when I go back in. If I were going to go the "high end firewall" route, what exactly would I be looking for, and how much would the company be paying roughly?

Technically I guess you could call it "bridged networks" but that's such an esoteric term nowadays.  You'd probably be better off looking for DMZ set up or something like that.

My company provides a public hotspot in the immediate vicinity of our building.  I believe they do this via attaching the wireless network (we have about 30 access points throughout the building) logically upstream of the corporate firewall so users can reach the internet but cannot access anything within our corporate network without VPN access.

Alternatively, if it's just one conference room, which I assume has a CAT5 run to a telecom room, you could go the cheap route and have the phone company put in a $40/month DSL line in there and connect the router to that- which basically guarantees wireless users will be unable to reach your corporate network but definitely have net access.  But if you have the proper setup, I think what my company does is more cost effective.