Wireless and wired on separate subnets for incr. security?

hellerbrewing

Distinguished
Apr 3, 2006
I am trying to add wireless connectivity to my network. My current setup is Toshiba Cable Modem -> Wired Router (Linksys BEFSX41) -> Gigabit switch (SMC something) -> PC, XBOX, NAS (soon). I bought a Netgear MP101 to play my mp3s while working in the garage and I came across a D-Link wireless router DI-524 that was free after rebate. My thinking was that I would add another level of security to my network by putting the wireless on a different subnet than my wired devices and controlling access to the wired network through the firewall in the D-Link. So basically I would be connecting the D-Link router to the output from the Linksys router. The problem is that the PC that will be serving the mp3s will be on a different subnet from the wireless device. After hours of trying to get the setup configured yesterday, I am still unable to access the configuration page of the D-Link while my PC is connected to the Linksys.

I read through the FAQs on wireless networking on this site and I read in one of them that Windows cannot share files across subnets. So is this whole attempt at adding a layer of security a futile one? Am I better off making my life easier and using an access point? Does anyone have suggestions on how to configure my setup? Does anyone have any experience setting up this router to be used as an access point?
 

blue68f100

Distinguished
Dec 25, 2005
My AP gives me the option of running wireless in a different range if I want to. I don't, I let my router control the IP assignment.

Most of the time when you start tying router to router you have problems. Going up the chain works, but trying to go down is where the problems occur. Here are a few suggestions that may help.

Disable the firewall in the second router.
Assign static IP addresses. This allows you to search by IP address instead of by finder.
Try setting the wireless IP in a different range.
 

cmccane

Distinguished
Feb 28, 2011
It's certainly true to say that a security issue exists in any situation where you take the risk of running wireless and wired networks in the same subnet with no firewall in between. In that type of insecure network, anyone who gets access to your wireless access point would immediately gain access to your home PCs where financial and other sensitive info is likely to exist.

In my situation, I have not only financial info on home PCs, but also proprietary company information for my job. There is absolutely no way that I would risk all of that in the same subnet as wireless access point(s).

There's also an obvious risk with using cheap consumer firewalls, such as Actiontec, Netgear, Linksys, Dlink, etc. which I would never trust. I have Verizon FiOS 50M FTTH service using a Cisco ASA5505 with the outside firewall port connected directly to Verizon FiOS. No "Actiontec" (whatever that is) or Dlink will ever be in-line in my network. The ASA5505 must be on the outside in order for me to VPN into the network from elsewhere.

As far as access points go, I have to have more than one to get full premises coverage. Right now I'm using all Cisco Aironet AP's on a separate subnet which is routed by a Cisco 3560 layer 3 switch. My i7 / Windows 7 PC has regularly exceeded 90 megabits per second with Internet downloads. Not sure exactly how that happens since I'm supposed to be on FiOS 50Mbit service but FTP doesn't lie about transfer rates. I often see similar speeds from virtual machines running under VMWare ESXi (the free version).

I agree with blue that "trying router to router" has many issues. I'd suggest only one non-consumer router/firewall. Everything Verizon offers including FiOS TV works flawlessly on my network - no issues with online TV services such as On Demand or Guide.

Most recently Verizon has started to implement services on the Set Top Box that will not work in a multi-subnet environment. I've been working on getting Mobile Remote and Mobile DVR control going on my iPad. The issue lies within the STB. Apparently Verizon decided that all consumers are idiots who couldn't possibly comprehend "subnets", much less the inherent security risk of running one subnet for both wireless and wired networks. The STB is completely stupid when it comes to routing. It demands that everything on the premises including wireless devices must be in the same subnet with the STB.

Verizon shows a very short-sighted view about IP networks by forcing its customers to take unnecessary security risks.

C. McCane CCIE#5163
 
I assume the following represents your current configuration.

[linksys](lan)<-- wire -->(wan)[d-link]<-- wireless -->[mp101]

Let’s assume the Linksys is using the 192.168.1.x subnet, and the D-Link is using the 192.168.2.x subnet. From a security point of view, this configuration is basically worthless. It’s not subnetting that provides protection, it’s the firewall. The subnets are different only out of necessity, since you have two adjoining networks across a WAN port (it prevents ambiguity). In this case, the D-Link firewall is protecting the wireless subnet from the wired subnet, when in fact you probably want just the opposite. Anyone on the wireless subnet has access to ANYTHING upstream, both the 192.168.1.x subnet and the Internet. However, anyone on the wired subnet is prevented access to the wireless subnet, which doesn’t amount to much since it’s only protecting a little ol’ network radio.

Despite what I just said, you report the MP101 can NOT access shares on the Linksys subnet (not sure about that, it wasn't clear from your description, but let's assume that's the case). The only way that could be true is if you did NOT use the WAN port of the D-Link, but used a LAN port.

[linksys](lan)<-- wire -->(lan)[d-link]<-- wireless -->[mp101]

In this case, the firewall is not even relevant since the firewall only applies to the WAN port of the D-Link. The reason the MP101 would NOT find the shares on the Linksys subnet in this case is because there’s no routing by the D-Link. When using the WAN port of the D-Link, the router knows where the 192.168.1.x subnet is located, and takes responsibility for routing users of its own subnet over the WAN port and to the promised land (the 192.168.1.x subnet). But when you connect them LAN to LAN, that doesn’t happen and the two subnets can’t see each other, at least not without some help.

If the Linksys and D-Link are connected LAN to LAN, it only requires someone on either subnet to manually reconfigure their computer for the other subnet to gain access (child’s play). So the fact you’re using two subnets provides no security at all. Even worse, if both DHCP servers are active (Linksys and D-Link), it’s pure luck which DHCP server responds first. And if the wrong one does, your clients will be misconfigured.

That’s a rather lengthy and tedious way of saying, it doesn’t really matter how the Linksys is connected to the D-Link. The real problem here is the weak security of the MP101 (WEP).

In general, as long as you use a modern wireless router w/ strong protocols and encryption (e.g., WPA/WPA2), and long, random passwords from a large character set ( e.g., http://grc.com/pass ), you’re not going to have problems w/ wireless security. NOBODY is going to crack into your wireless system when you use the right equipment, configure it properly, and use some common sense.

The D-Link only supports WPA (at least according to the manual). The OP should check w/ the manufacturer and see if there’s a firmware update that *might* have added WPA2 support. But no real harm if they didn’t. While I’d prefer WPA2, it’s not the end of the world, WPA is just fine too. So the D-Link is up to the task. However, the MP101 is another story. It only supports WEP (as far as I can tell from its manual), which is easily cracked. NOW you have a right to be concerned. It’s the weakest link in the chain. Here too, the OP should check w/ the manufacturer to see if WPA or WPA2 was added in a later firmware update. In all likelihood, it wasn’t given how old this device is, but it’s still worth checking.

So let’s assume things remain as they are, WPA for the D-Link, WEP for the MP101. What are the alternatives? Since the MP101 has an ethernet port, it’s possible to use a wireless ethernet bridge that supports WPA (all modern bridges do) and completely bypass the wireless of the MP101.

[linksys](lan)<-- wire -->(lan)[d-link]<-- wireless -->[wireless ethernet bridge]<-- wire -->[mp101]

Of course, this adds some expense. The bridge could run $20-30 depending on whether you can find a good deal. But it solves the problem. You’d connect the D-Link to your switch LAN to LAN (not the WAN), disable its DHCP server, and give it a static IP in the same subnet as your primary router (e.g., if the primary router is 192.168.1.1, perhaps make the D-Link 192.168.1.2). Now everything is on the same subnet, no additional firewalls, etc. The D-Link is just a simple WAP (wireless access point). And your wireless ethernet bridge connects to it over WPA in support of the MP101.

Another option is to run powerline adapters between the MP101 and the Linksys, eliminating the D-Link completely.

[linksys]<-- wire -->[powerline adapter #1]<-- power lines -->[powerline adapter #2]<-- wire -->[mp101]

In this case, your power lines become your bridging mechanism, not wireless. The only issue w/ powerline is that it doesn’t work in all situations due to variances in home wiring. And bandwidth isn’t always that great (might be as little as 2-3mbps in the worst case, more likely 10-12mbps for the average home, occasionally a little better for a lucky few). But since you’re only streaming audio, even 2-3mbps is plenty. And it’s simple to install and configure (no configuration at all if you don’t enable security). It’s possible (if improbable) your powerline signals might travel beyond your home, perhaps to a neighbor. So they usually come w/ an encryption option. Secured or not, it’s a lot safer than either open or WEP secured wireless.

Note that you’ll need a PAIR of powerline adapters.

Here again, you have to consider the cost. A pair of 85mbps powerline adapters is probably going to run $40-50, although you might find some refurbished ones from Newegg or Amazon for say, $30-35. But it’s still going to be an expense. That raises the question, is it worth pursuing these bridging solutions, or just putting the money towards a better radio than the MP101?

That’s the problem w/ old technologies like the MP101; they end up costing too much to maintain as the years pass than if you simply updated to a radio w/ newer technologies. You not only simplify your network, but you get a better radio as well.

So it’s up to you. Using the D-Link with a different subnet doesn’t solve anything, no matter how you hook it up. As long as someone can get on your wireless network over WEP, they have access to your network. The only solution is to either use a bridge, or live w/ the insecure WEP protocol.
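The following is an added example, not something posted by anyone in this thread: a small Python model of the three hook-ups the post above describes (the D-Link's WAN port into the Linksys, LAN-to-LAN with two subnets, and the D-Link as a plain access point). It encodes the post's reasoning rather than sending packets: hosts on one broadcast domain and one subnet talk directly with no firewall in the way, and a consumer router's firewall only guards what arrives on its WAN port. Segment names, the addresses (203.0.113.0/24 is the documentation range standing in for the ISP side), and the "intruder" host are assumptions made for the illustration.

```python
"""Toy reachability model for the D-Link/Linksys hook-ups discussed above.

Constructed illustration: it encodes the reasoning in the post (on-link traffic
needs no router, a consumer router's firewall only guards its WAN port); it
does not send packets. Segment names, addresses and host names are assumed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Interface, ip_interface
from typing import Optional


@dataclass
class Host:
    name: str
    segment: str        # L2 broadcast domain: a switch fabric or a radio
    ip: IPv4Interface   # address plus mask, e.g. 192.168.2.10/24


@dataclass
class Router:
    """Consumer NAT router: stateful firewall passes LAN->WAN, drops new WAN->LAN."""
    name: str
    lan_segment: str
    lan_ip: IPv4Interface
    wan_segment: Optional[str] = None        # None when the WAN port is unplugged
    wan_ip: Optional[IPv4Interface] = None
    dhcp: bool = True                        # DHCP server enabled on the LAN side


def on_link(seg_a: str, ip_a: IPv4Interface, seg_b: str, ip_b: IPv4Interface) -> bool:
    """Same broadcast domain and same subnet: delivered directly, no router, no firewall."""
    return seg_a == seg_b and ip_a.network == ip_b.network


def reach(src: Host, dst: Host, routers: list, _seg=None, _ip=None, _hops=0) -> str:
    """Classify src->dst as 'direct', 'allowed' (via NAT), 'blocked by ...' or 'unreachable'."""
    seg = src.segment if _seg is None else _seg
    ip = src.ip if _ip is None else _ip
    if _hops > 4:
        return "unreachable"
    if on_link(seg, ip, dst.segment, dst.ip):
        return "direct" if _hops == 0 else "allowed"
    # Destination sits behind a router whose WAN port faces us: new inbound flows are dropped.
    for r in routers:
        if r.wan_segment and on_link(seg, ip, r.wan_segment, r.wan_ip) \
                and dst.ip.ip in r.lan_ip.network:
            return f"blocked by {r.name} firewall (WAN->LAN)"
    # Otherwise hand the packet to a gateway on our link and continue from its WAN side.
    for r in routers:
        if r.wan_segment and on_link(seg, ip, r.lan_segment, r.lan_ip):
            return reach(src, dst, routers, r.wan_segment, r.wan_ip, _hops + 1)
    return "unreachable"


def dhcp_conflicts(routers: list) -> set:
    """Segments with more than one DHCP server: whichever offer arrives first wins."""
    segs = [r.lan_segment for r in routers if r.dhcp]
    return {s for s in segs if segs.count(s) > 1}


# Assumed addresses: Linksys LAN 192.168.1.1/24, ISP side in the documentation range.
LINKSYS = Router("Linksys", "wired", ip_interface("192.168.1.1/24"),
                 "isp", ip_interface("203.0.113.5/24"))
PC = Host("pc", "wired", ip_interface("192.168.1.100/24"))
INTERNET = Host("internet", "isp", ip_interface("203.0.113.1/24"))


def wan_port_topology():
    """[linksys](lan) -- wire -- (wan)[d-link] -- wireless -- [mp101]"""
    dlink = Router("D-Link", "wifi", ip_interface("192.168.2.1/24"),
                   "wired", ip_interface("192.168.1.2/24"))
    mp101 = Host("mp101", "wifi", ip_interface("192.168.2.10/24"))
    return {"pc": PC, "internet": INTERNET, "mp101": mp101}, [LINKSYS, dlink]


def lan_port_topology():
    """[linksys](lan) -- wire -- (lan)[d-link] -- wireless -- [mp101]: one L2 domain, two subnets."""
    dlink = Router("D-Link", "wired", ip_interface("192.168.2.1/24"))   # WAN port unplugged
    mp101 = Host("mp101", "wired", ip_interface("192.168.2.10/24"))
    # A wireless client that simply re-addresses itself into the wired subnet (assumed host).
    intruder = Host("intruder", "wired", ip_interface("192.168.1.200/24"))
    return {"pc": PC, "internet": INTERNET, "mp101": mp101, "intruder": intruder}, [LINKSYS, dlink]


def ap_topology():
    """D-Link as a plain access point: LAN-to-LAN, DHCP off, static IP in the Linksys subnet."""
    dlink = Router("D-Link", "wired", ip_interface("192.168.1.2/24"), dhcp=False)
    mp101 = Host("mp101", "wired", ip_interface("192.168.1.50/24"))
    return {"pc": PC, "internet": INTERNET, "mp101": mp101}, [LINKSYS, dlink]


if __name__ == "__main__":
    for build in (wan_port_topology, lan_port_topology, ap_topology):
        hosts, routers = build()
        print(f"== {build.__name__} (DHCP conflicts: {dhcp_conflicts(routers) or 'none'})")
        for a, b in (("mp101", "pc"), ("pc", "mp101"), ("mp101", "internet"), ("intruder", "pc")):
            if a in hosts:
                print(f"  {a:>8} -> {b:<8}: {reach(hosts[a], hosts[b], routers)}")
```

Running it reproduces the post's conclusions: with the D-Link's WAN port used, the MP101 reaches the PC and the Internet while the PC is blocked from the wireless side (the firewall faces the wrong way for what the OP wanted); LAN-to-LAN, the MP101 cannot reach the PC at all, but a client that re-addresses itself into 192.168.1.0/24 talks to the PC directly, and both DHCP servers now answer on the same segment; as a plain access point everything is on-link and the second firewall plays no part.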