Security Basics mailing list archives

Re: Home wireless free hotspot


From: Todd Haverkos <infosec () haverkos com>
Date: Tue, 16 Mar 2010 08:56:58 -0500

"John Lightfoot" <jlightfoot () gmail com> writes:
> Hello,
>
> I have a home wireless network that I'd like to make available to
> neighbors who need to borrow a connection from time to time.
> Consider it karmic repayment for the times I've had to borrow
> someone else's open connection.  Of course, I'd like to do it
> securely, so I'm looking for some advice.
>
> My main network has a wireless router connected to the Internet,
> with a few wired connections to my home computers.  The main
> router's wireless network is protected by WPA, access control via
> MAC address, etc.
>
> My thought is I would attach a second wireless router (Netgear) to
> a port off the main router and leave it unsecured, using a second
> subnet, and block any routing between the two subnets, other than
> straight out to the Internet, but I'm not sure the best way to do
> that.

Hi John, 

You may be interested in the third party firmware dd-wrt.  Assuming
supported hardware (which can be quite inexpensive), it seems to do
everything you want, allowing multiple SSIDs and configs on the same
radio.  You could give your neighbor one SSID and passphrase, yourself
another, and you can create separate bridges for both networks and
keep them from talking to each other if you want.  You could even
separate the wired LAN from the wireless LAN with restrictions if you
wanted.

http://www.dd-wrt.com/wiki/index.php/Multiple_WLANs

WPA2 AES with a long complex passphrase and a non-default SSID is
plenty good these days, though.  If your SSID is default and your PSK
relatively short or guessable, freely available cracking tools and
precomputed hashes can make things awfully crackable these days with
offline attacks once the attacker has captured a handshake.  The MAC
filtering you're doing isn't a bad idea, but it is quite trivial to work
around, since the MAC addresses on the traffic on your network are
plainly seen by sniffing, and for an attacker to spoof a sniffed MAC
is just a command line away.  No harm though.

> So, a few questions:
>
> If I set up a second router with a subnet subservient to my main router,
> presumably it has to get an IP address within the address space of the main
> network, but how can I limit access to that network to only my Internet
> interface?

Probably not in the firmware that comes with your router.  Give
dd-wrt a look though.  Your current router may even support it.
You'll have to be choosier than usual with router selection; as noted
in the article above, the router has to have some hardware features to
support multiple WLANs.

You can of course do what you want with multiple access points, and
that device you mention may be able to separate those devices if it
has the ability to implement VLANs or enforce ACLs to isolate various
ports from one another.  Perhaps others more familiar with your
specific equipment can give more focused advice.

Best Regards, 
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
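As an added illustration of the guest/private separation Todd describes (not code from the thread or from the dd-wrt project), here is a dd-wrt style firewall script that isolates a guest bridge from the private LAN bridge while still letting it out to the Internet. The bridge and WAN interface names (br0, br1, vlan2) and the guest subnet are assumptions to be replaced with the router's own.

```shell
#!/bin/sh
# Added example (not from the thread): a dd-wrt style firewall script that
# keeps a guest bridge (the open/neighbour SSID) away from the private LAN
# bridge while still letting it reach the Internet through the WAN interface.
# Interface names and subnets are assumptions; take yours from the router's
# bridge/VLAN setup. Assumes the router's default FORWARD policy accepts
# traffic between bridges, which is why the DROP rules are inserted at the top.

IPT="${IPT:-iptables}"   # set IPT=echo to dry-run and review the rules

# guest_isolation LAN_IF GUEST_IF WAN_IF GUEST_NET
guest_isolation() {
    lan_if="$1"; guest_if="$2"; wan_if="$3"; guest_net="$4"

    # 1. No forwarding between the guest bridge and the private bridge,
    #    in either direction.
    "$IPT" -I FORWARD 1 -i "$guest_if" -o "$lan_if" -j DROP
    "$IPT" -I FORWARD 1 -i "$lan_if" -o "$guest_if" -j DROP

    # 2. Guests may not reach the router itself (web UI, ssh, telnet).
    #    Insert the DROP first, then each exception above it so DHCP and
    #    DNS keep working for guest clients.
    "$IPT" -I INPUT 1 -i "$guest_if" -j DROP
    "$IPT" -I INPUT 1 -i "$guest_if" -p udp --dport 67 -j ACCEPT
    "$IPT" -I INPUT 1 -i "$guest_if" -p udp --dport 53 -j ACCEPT
    "$IPT" -I INPUT 1 -i "$guest_if" -p tcp --dport 53 -j ACCEPT

    # 3. Internet only: guest -> WAN is allowed, replies come back
    #    statefully, and the guest subnet is NATed on the WAN side.
    "$IPT" -A FORWARD -i "$guest_if" -o "$wan_if" -j ACCEPT
    "$IPT" -A FORWARD -i "$wan_if" -o "$guest_if" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -t nat -A POSTROUTING -s "$guest_net" -o "$wan_if" -j MASQUERADE
}

# On the router, source this file from the firewall script and call, e.g.:
#   guest_isolation br0 br1 vlan2 192.168.2.0/24
# Check afterwards with "iptables -L FORWARD -v -n": the br1 -> br0 DROP
# counter is what a guest probing the private LAN would increment.
```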
