Help with Cascading Two Routers for Security

Archived from groups: comp.os.ms-windows.networking.misc,alt.internet.wireless,comp.security.firewalls (More info?)

I have a very simple setup like this below using a WiFi/4-port Speedstream 2624 DSL/Cable
Router w/built-in PrintServer:

************************************************************************
                Internet
                   |
              Cable Modem
                   |
     WiFi Router/Print Server - - - - WiFi - - - My Laptop
        |          |         |                   (used rarely on WiFi, mostly
        |          |         |                    connected by cabling)
    My Laptop   Desktop   Printer

*************************************************************************
So far so good, and everything works as it should .... but, I can't turn off the wireless
transmitter function of my SpeedStream 2624 router during the 99% of the time I don't need
WiFi capability (so I remove its antenna to help reduce the signal range when not using
WiFi). I just don't want a hacker to be able to get to my wired network through the WiFi
connection (even though I've enabled WEP 128bit encryption). I don't do any secure
transactions from the laptop and don't keep any sensitive data on the laptop. The desktop
is where all my secure transactions and sensitive info is located. And when I need to file
share between my laptop and desktop, I always connect the Laptop to the router via cable.

Would I gain any security by cascading an inexpensive 4-Port Wired DSL/Cable Router (B) with
my current WiFi Router (A) as below?

**************************************************************************
                     Internet
                        |
                   Cable Modem
                        |
(A) --> WiFi Router/Print Server - - - - WiFi - - - My Laptop
             |              |                       (used rarely as wireless,
             |              |                        mostly connected by wire)
(B) --> Wired Router     Printer
          |       |
     My Laptop  Desktop

***************************************************************************

Would this keep my wired and wireless networks separate by putting the wireless network on
one router and the wired network on the other router? Although the WiFi router has some
security, but not a whole lot, the most that could happen is someone could hack some of my
ISP bandwidth occasionally (or maybe even hack my laptop past its software firewall). But
wouldn't the new Wired Router now keep the Desktop more secure regardless if someone hacks
into my wireless signal?

Are there any special cable connection considerations that I need to deal with here when
cascading two routers? Do I simply run cat5 or 6 patch cables from the Desktop and Laptop
to the LAN Ports on the Wired Router and then run another patch cable from the WAN port of
the Wired Router to one of the WiFi Router's LAN Ports? I've read some stuff about using
cross-over vs. patch cables and uplink connections under certain circumstances, but I'm not
sure if I need to do that here.

I would be most grateful for any help here on the type of cabling needed and plus any
opinions of my proposed setup above.

Thanks, BC
  1.

    Hi,

    > Would I gain any security by cascading an inexpensive 4-Port Wired DSL/Cable Router (B) with
    > my current WiFi Router (A) as below?
    >
    > **************************************************************************
    >                      Internet
    >                         |
    >                    Cable Modem
    >                         |
    > (A) --> WiFi Router/Print Server - - - - WiFi - - - My Laptop
    >              |              |                       (used rarely as wireless,
    >              |              |                        mostly connected by wire)
    > (B) --> Wired Router     Printer
    >           |       |
    >      My Laptop  Desktop
    >
    > ***************************************************************************

    Ok, basically this setup should provide extra security as it is separating the
    networks from each other.

    If somebody would break into the wireless connection, it might be possible to
    get to know the other machines, too. But to do so, the attacker must know about
    the WiFi router and how to read out its routing table.
    So he would know that there are other boxes (and would have the IP range of
    that net.....), because you have some routing entries telling the router
    about the fixed connections.
    Ok, this also kind of applies to your current setup.
    You could improve security by assigning different subnets
    for the fixed and wireless ports (e.g. 192.168.1.0/24 and 192.168.8.0/24).
    But again, if the attacker gets to know the routing table, he might connect
    to the fixed boxes, too.
    You could also set up your WiFi router not to route between the 2 subnets.
    But it greatly depends on the capabilities of your device,
    if you can do anything of this.....

    This is all independent from a 2nd fixed router.
    You said your WiFi router does not have many security functions.
    Ok, the 2nd router would only really help if it has some additional
    firewall functionality, which enables you to block incoming
    connections. This means that only data from your fixed computers
    is routed to the internet, but connection attempts from the outside
    (possibly from the WiFi net or internet) are refused.

    In this case there would be some extra security.
    But I'm sure it'll be not really easy to set up. Cheap devices
    sometimes lack advanced routing and firewalling functions.
    So take care if the two routers like each other;-)

    But to summarize: I think the extra router is not really necessary.
    If possible, separate the networks (wired and wireless) by means of subnets.
    Installing an extra firewall on your desktop with the vulnerable data
    and keeping it up to date would do it, too.

    HTH

    Ralf
  2.

    With inexpensive home wireless routers, you aren't going to be able to set
    up separate subnets for your wired and wireless clients. With a second
    router you will. That said, you can accomplish better security without the
    second router, if you run a personal firewall on each client, and configure
    file sharing with care. Don't share your whole disk, use a strong, 14
    character password, and make the shares read-only.

    BTW, I wouldn't run the router with the antenna disconnected. It's not good
    for transmitters to run without a load.

    Ron Bandes, CCNP, CTTT+, etc.

  3.

    In article <%YHuc.32524$DC1.5703682@news4.srv.hcvlny.cv.net>, "Ron
    Bandes" <RunderscoreBandes @yah00.com> says...
    > With inexpensive home wireless routers, you aren't going to be able to set
    > up separate subnets for your wired and wireless clients. With a second
    > router you will. That said, you can accomplish better security without the
    > second router, if you run a personal firewall on each client, and configure
    > file sharing with care. Don't share your whole disk, use a strong, 14
    > character password, and make the shares read-only.
    >
    > BTW, I wouldn't run the router with the antenna disconnected. It's not good
    > for transmitters to run without a load.
    >
    > Ron Bandes, CCNP, CTTT+, etc.

    Ron, the hardware idea is actually more secure than personal firewall
    apps on the individual machines. Many people install personal firewalls
    on computers and then make mistakes when granting permissions to apps.
    It's hard to misconfigure a router when you don't have to make any
    changes to get it running right out of the box (in most cases).

    A good example of a multi-router network (NAT Units - Linksys) is a
    small office complex with multiple clients and one T1. With a single
    bank of 32 IP and a 48 port switch, you can connect 48 Linksys BEFSX41
    routers and provide isolation to each office from the other offices.

    Another example is a development group in a company - the development
    group is isolated from the others by means of the DMZ and inside the DMZ
    they have multiple routers/nat to protect them from the publicly
    accessible DMZ systems.

    I'm not saying that personal firewall apps are not good, I use them on
    my laptops when I travel, but I don't use them on clients' office
    computers, not when we already have true firewalls in place.

    For the home user, wanting wireless or a web server, a dual NAT router
    with the public side being connected to the first router and the secure
    systems being connected to the second router (wan port connected to the
    first router LAN) is a great idea. Heck, the wireless people can even
    VPN into the second routers to gain access to the secure lan router -
    makes it even more secure. I would never trust my wireless network on my
    LAN, not even with personal firewall software on it. I have my wireless
    connected to my DMZ (I have a real firewall) and then VPN from the
    wireless in the DMZ into the LAN to access the systems.


    --
    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
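
Added example, not part of any post in this thread: a small Python model of the cascade discussed in answers 1 and 3 (secure machines behind a second NAT router whose WAN port sits on the first router's LAN). It checks the addressing plan and shows which side can open connections to the other; all addresses and the names `NatRouter` and `check_cascade` are assumptions made for illustration, and the model assumes router B has no port forwards or DMZ host configured.

```python
import ipaddress


class NatRouter:
    """Model of a consumer NAT router with no port forwards configured."""

    def __init__(self, lan, wan_ip):
        self.lan = ipaddress.ip_network(lan)
        self.wan_ip = ipaddress.ip_address(wan_ip)
        self.flows = set()  # (inside host, outside host) pairs opened from the LAN

    def may_connect(self, src, dst):
        """Return True if src can open a NEW connection to dst via this router."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src in self.lan and dst in self.lan:
            return True                 # switched locally, NAT not involved
        if src in self.lan:
            self.flows.add((src, dst))  # outbound flow creates NAT state
            return True
        return False                    # unsolicited WAN-side packet is dropped

    def reply_passes(self, src, inside_dst):
        """Return True if a WAN-side packet from src answers a flow that
        inside_dst (the host the NAT entry maps back to) opened earlier."""
        key = (ipaddress.ip_address(inside_dst), ipaddress.ip_address(src))
        return key in self.flows


def check_cascade(outer_lan, inner):
    """Return addressing problems for router B cascaded behind router A."""
    outer = ipaddress.ip_network(outer_lan)
    problems = []
    if inner.wan_ip not in outer:
        problems.append("router B WAN address is not on router A's LAN")
    if inner.lan.overlaps(outer):
        problems.append("router B LAN overlaps router A LAN")
    return problems


# Constructed addresses (assumptions, not values from the thread's devices).
OUTER_LAN = "192.168.1.0/24"            # router A: WiFi clients and printer
WIFI_LAPTOP, PRINTER = "192.168.1.50", "192.168.1.20"
DESKTOP = "192.168.8.10"                # wired host behind router B
router_b = NatRouter("192.168.8.0/24", "192.168.1.2")

if __name__ == "__main__":
    print("addressing problems:    ", check_cascade(OUTER_LAN, router_b))
    print("WiFi laptop -> desktop: ", router_b.may_connect(WIFI_LAPTOP, DESKTOP))
    print("desktop -> printer:     ", router_b.may_connect(DESKTOP, PRINTER))
    print("printer reply passes:   ", router_b.reply_passes(PRINTER, DESKTOP))
    same_default = NatRouter("192.168.1.0/24", "192.168.1.2")
    print("both on same subnet:    ", check_cascade(OUTER_LAN, same_default))
```

The last check covers the case where both routers are left on the same LAN subnet, in which the inner router cannot tell its WAN side from its LAN side.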
  4.

    > but, I can't turn off the wireless
    >transmitter function of my SpeedStream 2624 router during the 99% of the time I don't need
    >WiFi capability (so I remove it's antenna to help reduce the signal range when not using
    >WiFi)......................................................

    If you check the box "only allow 11Mb connections" when you're not using
    the WiFi, it's virtually the same as turning it off. Provided the
    setup page has good options like that. This works since many people
    can't even get an 11Mb connection one room away from their AP.
  5.

    "Leythos" <void@nowhere.com> wrote in message
    news:MPG.1b2521445c8e38c98a5aa@news-server.columbus.rr.com...

    <snip>
    > For the home user, wanting wireless or a web server, a dual NAT router
    > with the public side being connected to the first router and the secure
    > systems being connected to the second router (wan port connected to the
    > first router LAN) is a great idea.

    Okay, thanks to everyone for the help .... I'm going to try it with the two routers even
    though I do use the latest Zone Alarm Pro on all the clients.

    But one last important question from this rookie:

    Is it okay to use a standard patch cable (rather than a cross-over cable) to connect from
    the Wired Router #2 WAN port to the WiFi Router #1 LAN port as below??

                      Internet
                         |
                    Cable Modem
                         |
           WiFi Router #1 w/Print Server - - - - WiFi - - - Laptop
                    |              |                        (w/software FW)
    **std patch-->  |           Printer
    **cable??       |
                    |
             Wired Router #2
                |         |
                |         |
             Desktop   Other Client(s)
             (w/Software Firewalls)


    Thanks again everyone! BC
  6.

    In article <IdJuc.21657$pt3.7956@attbi_s03>, Bob_Cosby95841
    _nospam@yahoo.com says...
    > Is it okay to use a standard patch cable (rather than a cross-over cable) to connect from
    > the Wired Router #2 WAN port to the WiFi Router #1 LAN port as below??

    We can't really tell you - the hardware MAY support auto-xover or it may
    require a xover cable.

    The cable only makes the connection, it doesn't have anything to do with
    security.


    --
    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
  7.

    Okay ... The Wireless Router #1 is a Siemens SpeedStream 2624 and the Wired Router #2 is an
    inexpensive Airlink+ ASOHO4P. I do have both kinds of cables so I'll try them both
    starting with a standard straight through cable. Thanks, BC


    "Leythos" <void@nowhere.com> wrote in message
    news:MPG.1b253d6dcd544bc298a5ab@news-server.columbus.rr.com...
    > In article <IdJuc.21657$pt3.7956@attbi_s03>, Bob_Cosby95841
    > _nospam@yahoo.com says...
    > > Is it okay to use a standard patch cable (rather than a cross-over cable) to connect from
    > > the Wired Router #2 WAN port to the WiFi Router #1 LAN port as below??
    >
    > We can't really tell you - the hardware MAY support auto-xover or it may
    > require a xover cable.
    >
    > The cable only makes the connection, it doesn't have anything to do with
    > security.
    >
    >
    >
    > --
    > --
    > spamfree999@rrohio.com
    > (Remove 999 to reply to me)
  8.

    Hmmm .... interesting, thanks for the heads up.

    I wonder why SpeedStream Tech Support has told me twice on separate occasions over the last
    year that it's okay to remove the single antenna on their 2624 if I don't want any signal
    broadcast beyond my home office?

    "Ron Bandes" <RunderscoreBandes @yah00.com> wrote in message
    news:%YHuc.32524$DC1.5703682@news4.srv.hcvlny.cv.net...

    > BTW, I wouldn't run the router with the antenna disconnected. It's not good
    > for transmitters to run without a load.
    >
    > Ron Bandes, CCNP, CTTT+, etc.
    >
  9.

    Actually, a straight-through cable is what's called for here. There are two
    kinds of wiring in Ethernet jacks: MDI (Medium Dependent Interface) and
    MDI-X (MDI Crossed). Remember that your 4-port router is really a router
    and an Ethernet switch in one enclosure. The router has two interfaces:
    the WAN port which is exposed with a jack, and a LAN port which is connected
    internally to the Ethernet switch. The Ethernet switch has an additional 4
    ports that are exposed with jacks, and if your router is wireless then the
    switch has an additional port which is connected internally to the built-in
    Access Point.

    Routers are computer hosts. All hosts (routers, servers, desktops, laptops)
    have MDI jacks. Switches and hubs have MDI-X ports (except for the uplink
    port on stand-alone switches and hubs). You connect dissimilar jacks (i.e.,
    MDI to MDI-X) with a straight-through cable. You connect similar jacks
    (i.e., MDI to MDI, or MDI-X to MDI-X) with a crossover cable.

    So when making a "normal" connection, like a host (MDI) to a switch (MDI-X)
    you use a straight-through cable. When making less common connections like
    laptop (MDI) to laptop (MDI) you use a crossover cable. Access Points are
    usually intended to be connected to an Ethernet switch, so Access-Points
    usually have an MDI jack.

    Back to your question: connecting a router's WAN port (a true router
    interface, MDI) to another router's LAN port (really an Ethernet switch
    port, MDI-X) requires a straight-through cable as they are dissimilar types
    of jacks.

    Leythos's point is that some Ethernet switches, and perhaps some NICs, have
    a feature called auto-crossover. This doesn't change the rules. It just
    allows you to be sloppy in your choice of cables.

    Ron Bandes, CCNP, CTT+, etc.

    "Leythos" <void@nowhere.com> wrote in message
    news:MPG.1b253d6dcd544bc298a5ab@news-server.columbus.rr.com...
    > In article <IdJuc.21657$pt3.7956@attbi_s03>, Bob_Cosby95841
    > _nospam@yahoo.com says...
    > > Is it okay to use a standard patch cable (rather than a cross-over cable) to connect from
    > > the Wired Router #2 WAN port to the WiFi Router #1 LAN port as below??
    >
    > We can't really tell you - the hardware MAY support auto-xover or it may
    > require a xover cable.
    >
    > The cable only makes the connection, it doesn't have anything to do with
    > security.
    >
    >
    >
    > --
    > --
    > spamfree999@rrohio.com
    > (Remove 999 to reply to me)