isolating a hardwired computer from wireless network

[jj90]

Gents and ladies,
I am making the switch to wireless and would like to know how to properly isolate a hardwired computer (the trading one) plugged into the ethernet port on a wireless router from every other device I am using which will be wireless. I have done some research and generally they are as follows:

1)daisychain 2 routers, router 1 for wireless, router 2 wired
2)MAC filtering and assorted tasks (ssid hiding etc)
3)router that is able to seperate network segments that can't be bridged from wireless to wired
4)some or all of the above
5)none of the above, stay wired

Thoughts/Comments/Criticisms?

 

[JohnathanIII]

None of those will make your computer safe from hacks. You need a advanced firewall that will detect incoming networks that 99% of other firewalls won't detect.

I am talking about a network specifically designed not to be detected. You might think you are safe if you have dedicated machine accepting only your broker IP connection. But you are not safe.
If you want more PM me.

 

[WinstonTJ]

daisychain two routers together and put your trading subnet on the FIRST wired-only router with your wireless subnet second.

I just set up something similar for a venture I'm working on - I have a cheap Linksys wrt54g as a second router (with wifi turned off) and use that as my dedicated subnet for the venture/project purposes.

I have a main wired router (I run PfSense but consider it similar to a Linksys RV082 or RV016). Plugged into my main router I have a gigabit switch (for my trading network), a Linksys WRT310N_v2 (running dd-wrt) for my home wired/wireless networks, a WRT54GS_v1 also running dd-wrt and a NAS for work/tick data shared by both the 192.168.1.1 and 192.168.3.1

I use a Class A (10.xxx.xxx.xxx) but am using 192.168.xxx.xxx for easy examples.

Primary/Main Router: 192.168.1.1
WRT310N_v2 (home network computers + wireless): 192.168.2.1
WRT54GS_v1 (work-related wired-only project subnet): 192.168.3.1
FreeNAS Network Storage (12TB for Tick Database): 192.168.4.1

You can write rules to port forward or file share across subnets or keep them 100% isolated.

When I want to remote into a 192.168.3.xxx computer I simply write a rule in my main 192.168.1.1 router to forward port 1234 to port 1234 at the 192.168.3.1 router then a second rule at 192.168.3.1 router to forward port 1234 through to remote desktop port 3389 at IP address 192.168.3.10 (IP of computer you want to access). Same applies for FTP/Remote Desktop/VNC/file sharing, etc.

Just remember that your wireless router will exchange packets with any device within range which will slow down the CPU in the router. It isn't so much of a security risk as it just clutters up the router - think of 50 people trying to talk to your router but the router only has permission to talk with 3 or 4 people - the router still needs to process all 50 and filter out the others. This is why you should put your wireless subnet as a second/third/fourth subnet and not your primary.

 

[Steven.Davis]

Quote from WinstonTJ:

daisychain two routers together and put your trading subnet on the FIRST wired-only router with your wireless subnet second.

I used WinstonTJ's setup for a while, but I always considered it a bit security compromised. (I had the family router on the outside. Higher latency on the trading network, but better security.)

The RV082/RV016 is a reasonable choice for non-paranoid people. I have had good reliability from them. The WRT is crap, but it is only for the home network.

From WinstonTJ's setup, my assumption of highest risk are children's computers on the home network. Second highest risk is your web server. You may not have one yet, but you will.

The children's computers have access to the WRT. The WRT has access to the trading physical network. Once hacked the WRT has several attack vectors to the trading network. By obfuscation, the WRT may be isolated from the trading network. Hackers are looking for lowest hanging fruit too so they may not find your trading subnet on the same physical network. (Since WRT has single outbound IP, the hacker would risk locking himself out, but the WRT can be flashed with an open-source OS. From there, he just has to listen.) He might even be able to skip that step by turning-on NETBIOS forwarding.

If the WRT is not compromised, then the children's computer still has access to the RV082. From there, a hacker can open everything up.

The problem with the subnet solution is that it is in software/configuration, and configurations can be changed. The approach that I followed the second time was to have two external IPs, isolate the network hardware down to the two computers that needed dual access. On these two computers, add an extra NIC card and subnetting. No Windows routing enabled. Keep Windows locked down. Use those two computer for work. Use a wireless laptop on the family network for play.

The separate external IP solution won't satisfy the paranoid. The external side of each router can still see each other at 100 Mbps speed. Hacking one could certainly allow a DOS attach on the other. A hacker entering a childs computer is going to go looking for an adult's computer if he wants financial information. If I were really concerned, I would take the two work physically off the home network, but it comes in handy.

The second highest threat is your web server within the trading environment. Maybe you don't have one yet (IIS is a standard Windows feature/role), and you may not have port 80 forwarded.

Once you do, however, modern web servers are too sophisticated in their responsiveness to be sure that it is locked down. For example, I wrote the code behind the web page CorrSearch.aspx with appropriate care for SQL Injection, resource hogging, buffer overflows, ... , but the ASP.NET framework added call backs for

WebResource.axd?d=ESUgtw21gu19XRI39iU6GTmI5bPD2meO8BfUTS_Akbj6BCvbOuHQ7yGOeohPAV2vnVxRBU8WqNekIQN5riHJUnTGau6VSesczEAVxGSSv2s1&t=634268709827848763

I didn't right it. I can't easily verify the version. I can't know if a hacker editing the return URL can do something harmful. I know what it is about, how do I know that everything is really patched-up tight?

That is why one usually uses a N-tier solution where the web servers face the outside router. The Web Services machines which support the Web Servers are separated by a firewall. compromising a Web Server, thus only gets you access to the outside router and one port which only accepts structure requests from an internal subnet. The Web Service infrastructure is designed to handle the normal means attack. The only thing that it can't protect is properly structured bad requests, but that is in your control. Don't include a function "ExecuteThisStringAsAnSQLCommand". (I surprisingly often missed step when going from prototype to production.)

The outside router is then configured to treat the Web Server network just as suspiciously as the outside.

Anyways, network security is a big subject with many people intelligent people working full-time on it. Some kinds of unconventional attacks require solutions beyond the scope of a forum. At some point, however, its just a calculated, business risk.

 

[Scataphagos]

If using a wireless router as a hub rather than having all networked, would the wired computers be isolated from the wireless ones?

 

[Steven.Davis]

Quote from Scataphagos:

If using a wireless router as a hub rather than having all networked, would the wired computers be isolated from the wireless ones?

Unless you isolate by subnet or something, your wired and wireless computers should see each other. Depending upon your Windows security, this may not be obvious, but the basic wired/wireless distinction doesn't add security.

 

[WinstonTJ]

Quote from Steven.Davis:

I used WinstonTJ's setup for a while, but I always considered it a bit security compromised. (I had the family router on the outside. Higher latency on the trading network, but better security.)

I'm assuming that few people have experience with PfSense or any free BSD routing software and therefore using the Linksys RV082/016 was an easier visual. PfSense allows me to configure each interface and subnet as I wish. PfSense in combination with a decent managed switch allows me to experience any level of security I choose to impliment - all rules based.

I distribute and share bandwidth across my two non-trading connections via PfSense and use multiple interfaces on each trading machine that executes and needs internet.

Getting back to OP's wireless vs. wired issues - Look at flashing something like dd-wrt onto your wireless router. Check out the dd-wrt website and seek out a gigabit/wireless-N router that allows for the latest dd-wrt full build version so that you can configure just about anything into the router. My comments aobut putting the wired first and wireless second was simply from a performance standpoint vs. security - I don't have kids, etc. so I don't worry about children's computers or other devices that I could consider to be not-secure. That said, I live in an apartment building within wireless/wifi range of a NYU dorm building as well as hundreds of others - my SSID list is usually well over 50 long. For me, having that many iPhones, Blackberrys, laptops, netbooks, wireless printers, computers, etc. all within range bogs down my wireless router as it needs to negotiate between all the packets flying around and what devices it is supposed to be talking to or not.

Depending on where OP lives this may or may not be an issue. For me, there are simple solutions but they are not acceptable with my wife (such as turning on/off wireless as needed or using MAC address blocking (only allowing MAC addresses listed) as well as turning off SSID broadcast). The wife wants guests to be able to just come over and use the wifi even though we have pretty decent (free) building wifi.

 

[Steven.Davis]

Wives !?!

Carefully configuring and maintaining a managed switch makes a big difference to security, but also a significant complexity level.

Good point about wireless speed being degraded due to wireless dense location.

 

[panzerman]

If your router supports it, what you want to do is create a separate VLAN for your wired connection ports, and then firewall off the two subnets with appropriate rules. As mentioned, if you can flash your router with the DD-WRT firmware, they have excellent documentation on how to do this.

 

[LeeD]

Quote from panzerman:

If your router supports it, what you want to do is create a separate VLAN for your wired connection ports, and then firewall off the two subnets with appropriate rules. As mentioned, if you can flash your router with the DD-WRT firmware, they have excellent documentation on how to do this.

DD-WRT is not an option for people whose broadband provider uses an (older) PPPoA connection type. DD-WRT doesn't support PPPoA as it is supposed to be handled by a modem. Now, how many of you people have a separate modem and a separate router?

I came to a large shop that sells computer hardware. They had 5 (five) wireless routers which are not ADSL modems but they didn't have a single ADSL modem which is not a router. WTF?