Help with Cascading Two Routers for Security

Archived from groups: comp.os.ms-windows.networking.misc,alt.internet.wireless,comp.security.firewalls (More info?)

I have a very simple setup like this below using a WiFi/4-port Speedstream 2624 DSL/Cable
Router w/built-in PrintServer:

************************************************************************
Internet
    |
Cable Modem
    |
WiFi Router/Print Server - - - - WiFi - - - My Laptop
    |          |          |                 (used rarely on WiFi, mostly
    |          |          |                  connected by cabling)
My Laptop   Desktop    Printer

*************************************************************************
So far so good, and everything works as it should .... but, I can't turn off the wireless
transmitter function of my SpeedStream 2624 router during the 99% of the time I don't need
WiFi capability (so I remove its antenna to help reduce the signal range when not using
WiFi). I just don't want a hacker to be able to get to my wired network through the WiFi
connection (even though I've enabled WEP 128-bit encryption). I don't do any secure
transactions from the laptop and don't keep any sensitive data on the laptop. The desktop
is where all my secure transactions and sensitive info are located. And when I need to file
share between my laptop and desktop, I always connect the laptop to the router via cable.

Would I gain any security by cascading an inexpensive 4-Port Wired DSL/Cable Router (B) with
my current WiFi Router (A) as below?

**************************************************************************
Internet
    |
Cable Modem
    |
(A) --> WiFi Router/Print Server - - - - WiFi - - - My Laptop
              |               |                     (used rarely as
              |               |                      wireless, mostly connected by wire)
(B) --> Wired Router        Printer
          |         |
     My Laptop    Desktop

***************************************************************************

Would this keep my wired and wireless networks separate by putting the wireless network on
one router and the wired network on the other router? Although the WiFi router has some
security, not a whole lot, the most that could happen is someone could hack some of my
ISP bandwidth occasionally (or maybe even hack my laptop past its software firewall). But
wouldn't the new Wired Router now keep the Desktop more secure regardless of whether someone
hacks into my wireless signal?

Are there any special cable connection considerations that I need to deal with here when
cascading two routers? Do I simply run cat5 or 6 patch cables from the Desktop and Laptop
to the LAN Ports on the Wired Router and then run another patch cable from the WAN port of
the Wired Router to one of the WiFi Router's LAN Ports? I've read some stuff about using
cross-over vs. patch cables and uplink connections under certain circumstances, but I'm not
sure if I need to do that here.

I would be most grateful for any help here on the type of cabling needed, plus any
opinions of my proposed setup above.

Thanks, BC
 
Archived from groups: comp.os.ms-windows.networking.misc,alt.internet.wireless,comp.security.firewalls (More info?)

Hi,

> Would I gain any security by cascading an inexpensive 4-Port Wired DSL/Cable Router (B) with
> my current WiFi Router (A) as below?
>
> **************************************************************************
> Internet
>     |
> Cable Modem
>     |
> (A) --> WiFi Router/Print Server - - - - WiFi - - - My Laptop
>               |               |                     (used rarely as
>               |               |                      wireless, mostly connected by wire)
> (B) --> Wired Router        Printer
>           |         |
>      My Laptop    Desktop
>
> ***************************************************************************

Ok, basically this setup should provide extra security as it is separating the
networks from each other.

If somebody would break into the wireless connection, it might be possible to
get to know the other machines, too. But to do so, the attacker must know about
the WiFi router and how to read out its routing table.
So he would know that there are other boxes (and would have the IP range of
that net.....), because you have some routing entries telling the router
about the fixed connections.
Ok, this also kind of applies to your current setup.
You could improve security by assigning different subnets
for the fixed and wireless ports (e.g. 192.168.1.0/24 and 192.168.8.0/24).
But again, if the attacker gets to know the routing table, he might connect
to the fixed boxes, too.
You could also set up your WiFi-Router not to route between the 2 subnets.
But it greatly depends on the capabilities of your device
if you can do any of this.....

This is all independent from a 2nd fixed router.
You said your WiFi-router does not have many security functions.
Ok, the 2nd router would only really help if it has some additional
firewall functionality, which enables you to block incoming
connections. This means that only data from your fixed computers
is routed to the internet, but connection attempts from the outside
(possibly from the WiFi net or internet) are refused.

In this case there would be some extra security.
But I'm sure it'll be not really easy to set up. Cheap devices
sometimes lack advanced routing and firewalling functions.
So take care if the two routers like each other ;-)

But to summarize: I think the extra router is not really necessary.
If possible, separate the networks (wired and wireless) by means of subnets.
Installing an extra firewall on your desktop with the vulnerable data
and keeping it up to date would do it, too.

HTH

Ralf
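The "block incoming connections" behaviour Ralf describes for the second router, shown as an added example that is not from the thread: a toy stateful filter standing in for router B, whose WAN side sits on the WiFi router's 192.168.1.0/24 and whose own LAN is the 192.168.8.0/24 he mentions. The Packet and StatefulFilter names, the addresses and the packet sequence are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address

# Router B's own LAN, the subnet the protected desktop lives on (thread's example).
# Router B's WAN side is router A's LAN, 192.168.1.0/24, where the WiFi laptop lands.
WIRED_LAN = IPv4Network("192.168.8.0/24")


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on at router B: "lan" or "wan"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool    # True for a TCP connection-opening SYN


class StatefulFilter:
    """Allows only connections opened from the wired LAN, plus their replies."""

    def __init__(self) -> None:
        # (src, sport, dst, dport) of every connection the wired side opened
        self.conntrack: set[tuple[str, int, str, int]] = set()

    def decide(self, p: Packet) -> str:
        src = ip_address(p.src)
        if p.iface == "wan" and src in WIRED_LAN:
            return "DROP"      # anti-spoofing: our own LAN range cannot arrive on the WAN side
        if p.iface == "lan" and src in WIRED_LAN:
            self.conntrack.add((p.src, p.sport, p.dst, p.dport))
            return "ACCEPT"    # outbound from the protected desktop: remember it
        reverse = (p.dst, p.dport, p.src, p.sport)
        if p.iface == "wan" and not p.syn and reverse in self.conntrack:
            return "ACCEPT"    # reply to a connection the wired side opened
        return "DROP"          # unsolicited attempt from the WiFi net or the Internet


def run_sample() -> list[str]:
    """Pushes a constructed packet sequence through the filter (sample data)."""
    f = StatefulFilter()
    packets = [
        Packet("lan", "192.168.8.10", 50000, "203.0.113.5", 80, syn=True),      # desktop -> web server
        Packet("wan", "203.0.113.5", 80, "192.168.8.10", 50000, syn=False),     # web server's reply
        Packet("wan", "192.168.1.50", 40000, "192.168.8.10", 445, syn=True),    # WiFi client -> desktop share
        Packet("wan", "192.168.1.50", 40000, "192.168.8.10", 50000, syn=False), # "reply" with no tracked state
        Packet("wan", "192.168.8.99", 40000, "192.168.8.10", 445, syn=True),    # wired-range source seen on WAN
    ]
    return [f.decide(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

A consumer NAT router of the kind discussed gets this effect implicitly: without a port forward, nothing arriving on its WAN port matches a translation entry, so only the wired side can open connections.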
 
Archived from groups: comp.os.ms-windows.networking.misc,alt.internet.wireless,comp.security.firewalls (More info?)

With inexpensive home wireless routers, you aren't going to be able to set
up separate subnets for your wired and wireless clients. With a second
router you will. That said, you can accomplish better security without the
second router, if you run a personal firewall on each client, and configure
file sharing with care. Don't share your whole disk, use a strong, 14
character password, and make the shares read-only.

BTW, I wouldn't run the router with the antenna disconnected. It's not good
for transmitters to run without a load.

Ron Bandes, CCNP, CTTT+, etc.

"Ralf Herrmann" <Ralf.Herrmann@iin.stud.tu-ilmenau.de> wrote in message
news:c9fcgi$7h6$00$1@news.t-online.com...
> Hi,
>
> > Would I gain any security by cascading an inexpensive 4-Port Wired DSL/Cable Router (B) with
> > my current WiFi Router (A) as below?
> >
> > **************************************************************************
> > Internet
> >     |
> > Cable Modem
> >     |
> > (A) --> WiFi Router/Print Server - - - - WiFi - - - My Laptop
> >               |               |                     (used rarely as
> >               |               |                      wireless, mostly connected by wire)
> > (B) --> Wired Router        Printer
> >           |         |
> >      My Laptop    Desktop
> >
> > ***************************************************************************
>
> Ok, basically this setup should provide extra security as it is separating the
> networks from each other.
>
> If somebody would break into the wireless connection, it might be possible to
> get to know the other machines, too. But to do so, the attacker must know about
> the WiFi router and how to read out its routing table.
> So he would know that there are other boxes (and would have the IP range of
> that net.....), because you have some routing entries telling the router
> about the fixed connections.
> Ok, this also kind of applies to your current setup.
> You could improve security by assigning different subnets
> for the fixed and wireless ports (e.g. 192.168.1.0/24 and 192.168.8.0/24).
> But again, if the attacker gets to know the routing table, he might connect
> to the fixed boxes, too.
> You could also set up your WiFi-Router not to route between the 2 subnets.
> But it greatly depends on the capabilities of your device
> if you can do any of this.....
>
> This is all independent from a 2nd fixed router.
> You said your WiFi-router does not have many security functions.
> Ok, the 2nd router would only really help if it has some additional
> firewall functionality, which enables you to block incoming
> connections. This means that only data from your fixed computers
> is routed to the internet, but connection attempts from the outside
> (possibly from the WiFi net or internet) are refused.
>
> In this case there would be some extra security.
> But I'm sure it'll be not really easy to set up. Cheap devices
> sometimes lack advanced routing and firewalling functions.
> So take care if the two routers like each other ;-)
>
> But to summarize: I think the extra router is not really necessary.
> If possible, separate the networks (wired and wireless) by means of subnets.
> Installing an extra firewall on your desktop with the vulnerable data
> and keeping it up to date would do it, too.
>
> HTH
>
> Ralf
 
Archived from groups: comp.os.ms-windows.networking.misc,alt.internet.wireless,comp.security.firewalls (More info?)

In article <%YHuc.32524$DC1.5703682@news4.srv.hcvlny.cv.net>, "Ron
Bandes" <RunderscoreBandes @yah00.com> says...
> With inexpensive home wireless routers, you aren't going to be able to set
> up separate subnets for your wired and wireless clients. With a second
> router you will. That said, you can accomplish better security without the
> second router, if you run a personal firewall on each client, and configure
> file sharing with care. Don't share your whole disk, use a strong, 14
> character password, and make the shares read-only.
>
> BTW, I wouldn't run the router with the antenna disconnected. It's not good
> for transmitters to run without a load.
>
> Ron Bandes, CCNP, CTTT+, etc.

Ron, the hardware idea is actually more secure than personal firewall
apps on the individual machines. Many people install personal firewalls
on computers and then make mistakes when granting permissions to apps.
It's hard to misconfigure a router when you don't have to make any
changes to get it running right out of the box (in most cases).

A good example of a multi-router network (NAT units - Linksys) is a
small office complex with multiple clients and one T1. With a single
bank of 32 IPs and a 48-port switch, you can connect 48 Linksys BEFSX41
routers and provide isolation to each office from the other offices.

Another example is a development group in a company - the development
group is isolated from the others by means of the DMZ, and inside the DMZ
they have multiple routers/NAT to protect them from the publicly
accessible DMZ systems.

I'm not saying that personal firewall apps are not good, I use them on
my laptops when I travel, but I don't use them on clients' office
computers, not when we already have true firewalls in place.

For the home user wanting wireless or a web server, a dual NAT router
with the public side being connected to the first router and the secure
systems being connected to the second router (WAN port connected to the
first router's LAN) is a great idea. Heck, the wireless people can even
VPN into the second router to gain access to the secure LAN router -
makes it even more secure. I would never trust my wireless network on my
LAN, not even with personal firewall software on it. I have my wireless
connected to my DMZ (I have a real firewall) and then VPN from the
wireless in the DMZ into the LAN to access the systems.


--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 
Archived from groups: comp.os.ms-windows.networking.misc,alt.internet.wireless,comp.security.firewalls (More info?)

> but, I can't turn off the wireless
> transmitter function of my SpeedStream 2624 router during the 99% of the time I don't need
> WiFi capability (so I remove its antenna to help reduce the signal range when not using
> WiFi)......

If you check the box "only allow 11Mb connections" when you're not using
the WiFi, it's virtually the same as turning it off. Provided the
setup page has good options like that. This works since many people
can't even get an 11Mb connection one room away from their AP.
 
Archived from groups: comp.os.ms-windows.networking.misc,alt.internet.wireless,comp.security.firewalls (More info?)

"Leythos" <void@nowhere.com> wrote in message
news:MPG.1b2521445c8e38c98a5aa@news-server.columbus.rr.com...

<snip>
> For the home user, wanting wireless or a web server, a dual NAT router
> with the public side being connected to the first router and the secure
> systems being connected to the second router (wan port connected to the
> first router LAN) is a great idea.

Okay, thanks to everyone for the help .... I'm going to try it with the two routers even
though I do use the latest Zone Alarm Pro on all the clients.

But one last important question from this rookie:

Is it okay to use a standard patch cable (rather than a cross-over cable) to connect from
the Wired Router #2 WAN port to the WiFi Router #1 LAN port as below??

Internet
    |
Cable Modem
    |
WiFi Router #1 w/Print Server - - - - WiFi - - - Laptop
            |              |                     (w/software FW)
**std patch--> |         Printer
**cable??      |
               |
        Wired Router #2
           |         |
        Desktop   Other Client(s)
           (w/Software Firewalls)


Thanks again everyone! BC
 
Archived from groups: comp.os.ms-windows.networking.misc,alt.internet.wireless,comp.security.firewalls (More info?)

In article <IdJuc.21657$pt3.7956@attbi_s03>, Bob_Cosby95841
_nospam@yahoo.com says...
> Is it okay to use a standard patch cable (rather than a cross-over cable) to connect from
> the Wired Router #2 WAN port to the WiFi Router #1 LAN port as below??

We can't really tell you - the hardware MAY support auto-xover or it may
require a xover cable.

The cable only makes the connection, it doesn't have anything to do with
security.



--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 
Archived from groups: comp.os.ms-windows.networking.misc,alt.internet.wireless,comp.security.firewalls (More info?)

Okay ... The Wireless Router #1 is a Siemens SpeedStream 2624 and the Wired Router #2 is an
inexpensive Airlink+ ASOHO4P. I do have both kinds of cables so I'll try them both
starting with a standard straight through cable. Thanks, BC


"Leythos" <void@nowhere.com> wrote in message
news:MPG.1b253d6dcd544bc298a5ab@news-server.columbus.rr.com...
> In article <IdJuc.21657$pt3.7956@attbi_s03>, Bob_Cosby95841
> _nospam@yahoo.com says...
> > Is it okay to use a standard patch cable (rather than a cross-over cable) to connect from
> > the Wired Router #2 WAN port to the WiFi Router #1 LAN port as below??
>
> We can't really tell you - the hardware MAY support auto-xover or it may
> require a xover cable.
>
> The cable only makes the connection, it doesn't have anything to do with
> security.
>
>
>
> --
> spamfree999@rrohio.com
> (Remove 999 to reply to me)
 
Archived from groups: comp.os.ms-windows.networking.misc,alt.internet.wireless,comp.security.firewalls (More info?)

Hmmm .... interesting, thanks for the heads up.

I wonder why SpeedStream Tech Support has told me twice on separate occasions over the last
year that it's okay to remove the single antenna on their 2624 if I don't want any signal
broadcast beyond my home office?

"Ron Bandes" <RunderscoreBandes @yah00.com> wrote in message
news:%YHuc.32524$DC1.5703682@news4.srv.hcvlny.cv.net...

> BTW, I wouldn't run the router with the antenna disconnected. It's not good
> for transmitters to run without a load.
>
> Ron Bandes, CCNP, CTTT+, etc.
>
 
Archived from groups: comp.os.ms-windows.networking.misc,alt.internet.wireless,comp.security.firewalls (More info?)

Actually, a straight-through cable is what's called for here. There are two
kinds of wiring in Ethernet jacks: MDI (Medium Dependent Interface) and
MDI-X (MDI Crossed). Remember that your 4-port router is really a router
and an Ethernet switch in one enclosure. The router has two interfaces:
the WAN port which is exposed with a jack, and a LAN port which is connected
internally to the Ethernet switch. The Ethernet switch has an additional 4
ports that are exposed with jacks, and if your router is wireless then the
switch has an additional port which is connected internally to the built-in
Access Point.

Routers are computer hosts. All hosts (routers, servers, desktops, laptops)
have MDI jacks. Switches and hubs have MDI-X ports (except for the uplink
port on stand-alone switches and hubs). You connect dissimilar jacks (i.e.,
MDI to MDI-X) with a straight-through cable. You connect similar jacks
(i.e., MDI to MDI, or MDI-X to MDI-X) with a crossover cable.

So when making a "normal" connection, like a host (MDI) to a switch (MDI-X)
you use a straight-through cable. When making less common connections like
laptop (MDI) to laptop (MDI) you use a crossover cable. Access Points are
usually intended to be connected to an Ethernet switch, so Access-Points
usually have an MDI jack.

Back to your question: connecting a router's WAN port (a true router
interface, MDI) to another router's LAN port (really an Ethernet switch
port, MDI-X) requires a straight-through cable as they are dissimilar types
of jacks.

Leythos's point is that some Ethernet switches, and perhaps some NICs, have
a feature called auto-crossover. This doesn't change the rules. It just
allows you to be sloppy in your choice of cables.

Ron Bandes, CCNP, CTT+, etc.

"Leythos" <void@nowhere.com> wrote in message
news:MPG.1b253d6dcd544bc298a5ab@news-server.columbus.rr.com...
> In article <IdJuc.21657$pt3.7956@attbi_s03>, Bob_Cosby95841
> _nospam@yahoo.com says...
> > Is it okay to use a standard patch cable (rather than a cross-over cable) to connect from
> > the Wired Router #2 WAN port to the WiFi Router #1 LAN port as below??
>
> We can't really tell you - the hardware MAY support auto-xover or it may
> require a xover cable.
>
> The cable only makes the connection, it doesn't have anything to do with
> security.
>
>
>
> --
> spamfree999@rrohio.com
> (Remove 999 to reply to me)