Thursday, 14 March 2013

Secure your home network for £10

This wireless broadband router cost less than a tenner.
If you want to share your internet connection safely, separating guests' computers from your own, here's a very simple and cheap way to do it.

Essentially it involves adding a second router to your existing network and using that to create two networks - a guest zone and a private zone. Both provide wired and wireless internet connections, but guests are unable to connect to the private PCs, tablets or whatever.

I've found it increasingly common for friends and visiting family to ask to use my wireless broadband - as if it's an essential resource such as running water or access to a toilet.

While wanting to accommodate their needs, I don't want to expose my home network to the security issues that come when allowing connections from other people's systems.

These computers could be infected with malware, which in turn could capture network traffic, attempt to spread malware to other systems on the network and so on.

One answer is to create a second, secure network that only you will use. Everyone else will be restricted to a 'guest' network that is locked away from your own systems but that provides wired and wireless internet access.

Here's how you can do this for around £10.

Essentially what we're going to do is create a classic DMZ using two firewalls (what the textbooks call a 'screened subnet'). Each firewall will also have its own wireless network. Systems connecting to the 'outer' firewall can see only each other and the internet. Systems connecting to the 'inner' firewall sit behind its NAT and firewall, so the outer network sees only the inner router's single WAN address and cannot open connections to anything behind it.

Thus we have a guest network running on the outer firewall and an extra-secure network running on the inner one. For a basic diagram that 'explains' this idea, see far below.

In addition to your existing network you will need:

1. A wireless broadband router.
2. An Ethernet cable.

I recently picked up a new Dynamode broadband cable router for less than £9 from Amazon.co.uk.

Ensure that your new router is *not* an ADSL model. You want its internet (WAN) port to be an RJ45 Ethernet socket and not the RJ11 telephone-style socket that you find on ADSL modems and routers. (Your original router can be either type; it's only the new one that needs an Ethernet WAN port, because it will plug into a LAN port of the original.)

Before you start, check the following details from your existing systems and router:

1. What is the router's (gateway) IP address? (e.g. 192.168.1.1)
2. What is the netmask? (e.g. 255.255.255.0)
3. What are the DNS settings? (e.g. 8.8.8.8 and 8.8.4.4)
4. If you use DHCP, what is the range of addresses in the pool? (e.g. 192.168.1.2 - 254)

Decide what address the new router's WAN port will use on the original network. Let's say we'll use 192.168.1.200. Remove this address from the original router's DHCP pool (e.g. shrink the pool to 192.168.1.2 - 199); otherwise the original router could one day hand the same address to a guest's laptop, and the resulting clash would knock your private network offline.

Allow your existing broadband router (cable or ADSL) to run as usual, leaving the wireless network active. However, unplug all computers, switches and other devices from the router. We'll call this router the 'original' router.

Turn on the 'new' router and connect its WAN port to any one of the available Ethernet ports on the original router. Plug a computer into the new router using an Ethernet cable and configure it, turning on and securing the wireless network. You'll want to check the following, at least:

1. Check the router's LAN IP address. It must be on a different subnet to that of your original router.

(e.g. if your original router's IP address is 192.168.1.1 you could set your new router to use 192.168.0.1. Then your secure network will use the 192.168.0.x range, while your guest network will use the 192.168.1.x range. If both sides of the new router were on the same range it would have no way of telling which side a given address belongs to, and routing between them would not work.)

2. Change the default password. Use a strong password.

3. Disable remote (WAN-side) management. The manual may call this optional, but in this set-up the 'WAN' side of the new router is your guest network: if remote management is left on, any guest can reach the router's admin page at its WAN address (e.g. http://192.168.1.200) and try the password.

4. Set the WAN IP address to be 'static' and use the value you excluded from the original router's DHCP pool earlier (e.g. 192.168.1.200), with the original network's netmask (e.g. 255.255.255.0).

5. Set the WAN gateway (some routers label this 'ISP address' or 'default gateway') to your original router's IP address (e.g. 192.168.1.1).

6. Set the DNS settings either to the IP address of the original router (e.g. 192.168.1.1) or just re-use the ones you discovered above (e.g. 8.8.8.8 and 8.8.4.4).

7. Enable the wireless network with WPA2 encryption and a strong passphrase (not WEP, and not an open network). Ensure that the SSID is different to the one you are using on the guest network, so you can tell at a glance which one a device has joined.

8. Check that the firewall is enabled. Remember that on this router the 'WAN' side is your guest network, so anything the firewall lets in from the WAN is reachable by your guests.

Additionally you'll probably want to enable DHCP on your new router, with a pool drawn from the new range (e.g. 192.168.0.2 - 254).
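Before typing these numbers into the new router it's worth checking that they fit together. Here's an added example (my own Python, not from the original post or from any router vendor) that encodes the rules above: the WAN address must sit on the original subnet but outside its DHCP pool, the inner LAN must be a different subnet, and the WAN gateway is the original router. The addresses are the ones used in this post; the function name and the trimmed guest pool (192.168.1.2 - 199) are my own assumptions.

```python
"""Sanity-check the address settings for a second ('inner') router.

Added example (not from the original post). It encodes the post's rules:
  - the inner router's WAN address sits on the original subnet, outside the
    original router's DHCP pool and not equal to the gateway itself;
  - the inner LAN is a different subnet from the guest LAN;
  - the WAN gateway is the original router.
Addresses are the post's examples; the function and field names are my own.
"""
import ipaddress


def plan_second_router(orig_gateway, orig_netmask, dhcp_pool,
                       inner_wan, inner_lan_cidr, dns=None):
    """Return the settings to enter on the new router, or raise ValueError.

    orig_gateway    original router's LAN address, e.g. "192.168.1.1"
    orig_netmask    its netmask, e.g. "255.255.255.0"
    dhcp_pool       (first, last) of the original router's DHCP pool
    inner_wan       static WAN address for the new router, e.g. "192.168.1.200"
    inner_lan_cidr  new router's LAN address and prefix, e.g. "192.168.0.1/24"
    dns             DNS servers for the private zone; defaults to the original router
    """
    guest_if = ipaddress.ip_interface(f"{orig_gateway}/{orig_netmask}")
    guest_net = guest_if.network
    wan = ipaddress.ip_address(inner_wan)
    inner_if = ipaddress.ip_interface(inner_lan_cidr)
    private_net = inner_if.network

    # Rule 1: the WAN side must live on the guest subnet, or the original
    # router will never see its traffic.
    if wan not in guest_net:
        raise ValueError(f"WAN address {wan} is not on the original subnet {guest_net}")
    if wan == guest_if.ip:
        raise ValueError("WAN address clashes with the original router itself")

    # Rule 2: stay out of the guest DHCP pool, or a guest may one day be
    # handed the same address and knock the private zone offline.
    pool_first, pool_last = (ipaddress.ip_address(a) for a in dhcp_pool)
    if pool_first <= wan <= pool_last:
        raise ValueError(f"WAN address {wan} is inside the guest DHCP pool "
                         f"{pool_first}-{pool_last}; shrink the pool first")

    # Rule 3: the two sides of the inner router must be distinct subnets,
    # otherwise it cannot tell which interface an address belongs to.
    if private_net.overlaps(guest_net):
        raise ValueError(f"inner LAN {private_net} overlaps guest subnet {guest_net}")

    # DHCP pool for the private zone: every usable host except the router
    # (assumes the router takes the lowest usable address, as in the post).
    first = private_net.network_address + 1
    last = private_net.broadcast_address - 1
    if first == inner_if.ip:
        first += 1

    return {
        "lan_ip": str(inner_if.ip),
        "lan_netmask": str(private_net.netmask),
        "lan_dhcp_pool": (str(first), str(last)),
        "wan_mode": "static",
        "wan_ip": str(wan),
        "wan_netmask": str(guest_net.netmask),
        "wan_gateway": str(guest_if.ip),
        "dns": list(dns) if dns else [str(guest_if.ip)],
        "remote_management": "off",   # guests sit on this router's WAN side
    }


if __name__ == "__main__":
    plan = plan_second_router("192.168.1.1", "255.255.255.0",
                              ("192.168.1.2", "192.168.1.199"),
                              "192.168.1.200", "192.168.0.1/24",
                              dns=["8.8.8.8", "8.8.4.4"])
    for key, value in plan.items():
        print(f"{key:18} {value}")
```

Feed it the post's untouched DHCP pool (192.168.1.2 - 254) and it refuses, because 192.168.1.200 is still inside the pool; give both sides of the new router the 192.168.1.x range and it refuses for the overlap. Those are exactly the two mistakes that produce a router that 'works' for a week and then mysteriously drops off the network.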

You should now have something that, conceptually at least, looks like this (yes, the internet looks like a small cloud with an 'i' on it):

The guest network is above the red line. Its systems cannot connect to anything in the 'private' zone beneath the red line.
What that basic diagram is trying to show is that the guest systems can access the internet freely but cannot open connections to the systems in the private network, which is below the red line. Systems on the private network can connect to anything that they like. Two caveats are worth knowing. First, the private network's traffic still crosses the guest network on its way to the internet (it appears there as coming from 192.168.1.200), so a malicious device on the guest side could attempt to capture it; that's one more reason to prefer encrypted connections (HTTPS, SSH) for anything sensitive. Second, the arrangement is only as good as the inner router's firewall and admin password, because guests can reach that router's WAN address. To check the isolation, join the guest wireless network and confirm that you cannot ping the inner router's LAN address (e.g. 192.168.0.1) or browse to its admin page on the WAN address (e.g. http://192.168.1.200).

If you really want to treat your guests you could provide a networked printer. This would have to go onto the guest network, since guest systems cannot reach the private one. Your private systems would still be able to use it, though bear in mind that the printer is then exposed to whatever your guests bring with them.

In this example we've protected an internet-connected Personal Video Recorder (PVR) on the private network. It's only a matter of time before these types of devices are targeted by attackers. And I for one could not tolerate my telly viewing being interrupted.