Creating a wireless hotspot on my network

Jeff Cook

Hi

I hope I have found the correct ng to ask this question ... microsoft
has 2324 newsgroups!

I have a network of three computers, all running XP and sharing some
files and drives on the network.

I have recently installed a wireless hub to allow "foreign" computers
to hook into my network and use my ADSL modem for internet access only.

So far so good. I had thought that as the "foreign" computer would
have a different workgroup, it wouldn't be able to see my
workgroup. But ...

1. This doesn't seem to be the case - I can change the workgroup on
one of my computers and it can still see the shared files and drives.

2. Even if it had worked, my workgroup is still visible in "Entire
Network", so the "foreign" computer's workgroup could be changed to
match.

I'm looking for a simple solution here - something to prevent a simple,
possibly unintentional hack. Can someone point me in the right
direction - my searches of the microsoft site and Googling haven't
helped - must be using the wrong key words.

TIA

Jeff

--
Jeff Cook
Aspect Systems Ltd
www.aspect.co.nz
+
Joan and Jeff Cook
The Cooks Oasis
www.cookislandsoasis.com
 
Lanwench [MVP - Exchange]

Jeff Cook said:
Hi

I hope I have found the correct ng to ask this question ... microsoft
has 2324 newsgroups!

Actually, microsoft.public.windows.networking.wireless might've been better
(am setting an xpost to there), or microsoft.public.windowxp.network_web.

I have a network of three computers, all running XP and sharing some
files and drives on the network.

I have recently installed a wireless hub

Meaning an access point?
to allow "foreign" computers
to hook into my network and use my ADSL modem for internet access
only.

Do you have any security on this AP at all? WPA+PSK at a minimum.....

So far so good. I had thought that as the "foreign" computer would
have a different workgroup, it wouldn't be able to see my
workgroup. But ...

Even if it had another workgroup, that doesn't prevent them from snooping in
your computers.
1. This doesn't seem to be the case - I can change the workgroup on
one of my computers and it can still see the shared files and drives.
Absolutely.

2. Even if it had worked, my workgroup is still visible in "Entire
Network", so the "foreign" computer's workgroup could be changed to
match.

Sure. Workgroups are not security barriers - they're just simple
conveniences for organization/viewing computers on a network. Even your
having a domain (which is a security barrier) wouldn't necessarily suffice
to do what you want....
I'm looking for a simple solution here - something to prevent a
simple, possibly unintentional hack.

Or intentional! Wireless extends outside your building, note.
Can someone point me in the
right direction - my searches of the microsoft site and Googling
haven't helped - must be using the wrong key words.

TIA

Jeff


If you want to provide wireless services for guests & keep them out of your
stuff, you will want to stick the access point *outside* your LAN entirely -
inside your ADSL modem but outside your own router/firewall.

If you have only one public IP and if the AP isn't also a "router", this may
be tough.

What about a small SonicWALL firewall with wireless? The wireless is on an
entirely different IP subnet. These work really well - you can even use WGS
(wireless guest services, with a logon page) such as you'd find in a hotel,
etc.
 
Jack (MVP-Networking)

Hi
Depending on the type of logon that you would like to maintain, this is a
simple solution that can isolate Open Access from Private Network.
Network Segregation - http://www.ezlan.net/shield.html
Jack (MVP-Networking).

 
Guest

Lanwench said:
Actually, microsoft.public.windows.networking.wireless might've been better
(am setting an xpost to there), or microsoft.public.windowxp.network_web.



Meaning an access point?


Do you have any security on this AP at all? WPA+PSK at a minimum.....

Even if it had another workgroup, that doesn't prevent them from snooping in
your computers.

Sure. Workgroups are not security barriers - they're just simple
conveniences for organization/viewing computers on a network. Even your
having a domain (which is a security barrier) wouldn't necessarily suffice
to do what you want....

Or intentional! Wireless extends outside your building, note.



If you want to provide wireless services for guests & keep them out of your
stuff, you will want to stick the access point *outside* your LAN entirely -
inside your ADSL modem but outside your own router/firewall.

If you have only one public IP and if the AP isn't also a "router", this may
be tough.

What about a small SonicWALL firewall with wireless? The wireless is on an
entirely different IP subnet. These work really well - you can even use WGS
(wireless guest services, with a logon page) such as you'd find in a hotel,
etc.

May this help:
Windows SteadyState at Home
http://www.microsoft.com/windows/products/winfamily/sharedaccess/seeit/athome.mspx
http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx
HTH.
nass
 
Jeff Cook

Lanwench said:
Meaning an access point?

Yes, an Access Point. You can tell I'm in unfamiliar territory here!
(Also on a small tropical island with little choice of support
providers and limited hardware "bits" that I can buy off the shelf)
Do you have any security on this AP at all? WPA+PSK at a minimum.....

I'm using 64bit WEP which requires 5 hex digit pairs as a "password" -
I'm changing these frequently.
Sure. Workgroups are not security barriers - they're just simple
conveniences for organization/viewing computers on a network. Even
your having a domain (which is a security barrier) wouldn't
necessarily suffice to do what you want....

OK I understand that now.
Or intentional! Wireless extends outside your building, note.

Luckily, this isn't likely to be a problem - mostly palm trees and sea
outside the building, so unless my AP's range is a lot better than
advertised I can take the risk.
If you want to provide wireless services for guests & keep them out
of your stuff, you will want to stick the access point outside your
LAN entirely - inside your ADSL modem but outside your own
router/firewall.

If you have only one public IP and if the AP isn't also a "router",
this may be tough.

I have an ADSL/Router from Billion, plugged into an 8 port C-Net
switch. The AP and all my network plug into that same switch.
What about a small SonicWALL firewall with wireless? The wireless is
on an entirely different IP subnet. These work really well - you can
even use WGS (wireless guest services, with a logon page) such as
you'd find in a hotel, etc.

This is more hardware? And it will still allow access to the internet
from my LAN?

Is there something I can do with subnets (another area of ignorance!) to
separate the wireless from the wired, but both accessing the
ADSL/Router?

Cheers

Jeff


--
Jeff Cook
Aspect Systems Ltd
www.aspect.co.nz
+
Joan and Jeff Cook
The Cooks Oasis
www.cookislandsoasis.com
 
Lanwench [MVP - Exchange]

Jeff Cook said:
Yes, an Access Point. You can tell I'm in unfamiliar territory here!
(Also on a small tropical island with little choice of support
providers and limited hardware "bits" that I can buy off the shelf)


I'm using 64bit WEP which requires 5 hex digit pairs as a "password"
- I'm changing these frequently.

OK - but that's not very secure - use WPA.
OK I understand that now.


Luckily, this isn't likely to be a problem - mostly palm trees and sea
outside the building, so unless my AP's range is a lot better than
advertised I can take the risk.


I have an ADSL/Router from Billion, plugged into an 8 port C-Net
switch. The AP and all my network plug into that same switch.


This is more hardware?

It's a firewall appliance, yes.
And it will still allow access to the internet
from my LAN?

Yes, easily.
Is there something I can do with subnets (another area of ignorance!)
to separate the wireless from the wired, but both accessing the
ADSL/Router?

Yes, but it will still take more hardware - and ideally, more than one
public IP address.
 
Guest

This has been covered extensively in a previous post.

The most secure approach is double-NAT - two routers daisy-chained, with your
LAN at the far end, public access in the middle. To do this you need a second
NAT router of the ethernet-in, ethernet-out type.

Approaches using an IP-based firewall may be adequate, but do take into
consideration that wireless IPs can be manually set (to be within the
privileged range) instead of using DHCP. Also, if an internal computer loses
its IP address and reverts to DHCP, will this put it into the public zone,
and therefore at risk?
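
The point raised in the post above, that a wireless client can be given a static address inside the trusted range, worked through as an added example (not part of the original thread). It compares a rule that trusts by source IP alone with one that also binds trust to the ingress interface, which is what a separate guest subnet or a double-NAT layout enforces; the subnets, interface names and packets are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumed address plan (constructed for this example, not from the thread).
TRUSTED_NET = ipaddress.ip_network("192.168.1.0/24")   # wired LAN with shares
FILE_SERVER = "192.168.1.10"                           # LAN host being protected

@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrived on: "lan" or "wlan"
    src: str       # source address as claimed by the sender
    dst: str

def ip_only_policy(pkt: Packet) -> bool:
    """Flat layout: LAN hosts are reachable by any source in the trusted range."""
    src, dst = map(ipaddress.ip_address, (pkt.src, pkt.dst))
    return dst not in TRUSTED_NET or src in TRUSTED_NET

def zone_bound_policy(pkt: Packet) -> bool:
    """Segregated layout: LAN hosts are reachable only from the LAN port."""
    src, dst = map(ipaddress.ip_address, (pkt.src, pkt.dst))
    return dst not in TRUSTED_NET or (pkt.ingress == "lan" and src in TRUSTED_NET)

def spoofed_sources(packets):
    """Detection check: a trusted-range source seen on the guest interface."""
    return [p for p in packets
            if p.ingress == "wlan" and ipaddress.ip_address(p.src) in TRUSTED_NET]

# Constructed sample traffic.
SAMPLES = [
    Packet("lan", "192.168.1.20", FILE_SERVER),     # wired PC -> share
    Packet("wlan", "192.168.50.7", FILE_SERVER),    # DHCP guest -> share
    Packet("wlan", "192.168.1.77", FILE_SERVER),    # guest with static trusted IP
    Packet("wlan", "192.168.50.7", "203.0.113.5"),  # guest -> internet
]

def compare(packets=SAMPLES):
    """Return (src, ingress, ip_only_allows, zone_bound_allows) per packet."""
    return [(p.src, p.ingress, ip_only_policy(p), zone_bound_policy(p))
            for p in packets]

if __name__ == "__main__":
    for row in compare():
        print(row)
    print("flagged:", spoofed_sources(SAMPLES))
```

Only the third packet is treated differently by the two rule sets, and it is also the one the detection check flags.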
 
Lanwench [MVP - Exchange]

Anteaus said:
This has been covered extensively in a previous post.

The most secure approach is double-NAT - two routers daisy-chained,
with your LAN at the far end, public access in the middle. To do this
you need a second NAT router of the ethernet-in, ethernet-out type.

That's one of the things I'd suggested, yes (so did Jack-the-MVP) :)
Approaches using an IP-based firewall may be adequate, but do take
into consideration that wireless IPs can be manually set (to be
within the privileged range) instead of using DHCP.

Sure -
Also, if an
internal computer loses its IP address and reverts to DHCP, will this
put it into the public zone, and therefore at risk?

In what scenario?

The Sonicwalls to which I referred have an entirely isolated subnet for
wireless. Supports WPA & if an internal user wants wireless, they can use
the Sonicwall VPN client to get in from the wireless network. They work quite
well.
 
Phillip Windell

"Lanwench [MVP - Exchange]"
What about a small SonicWALL firewall with wireless? The wireless is on an
entirely different IP subnet. These work really well - you can even use
WGS (wireless guest services, with a logon page) such as you'd find in a
hotel, etc.

Is the WGS a function of the SonicWall?

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
 
Lanwench [MVP - Exchange]

Phillip Windell said:
"Lanwench [MVP - Exchange]"
What about a small SonicWALL firewall with wireless? The wireless is
on an entirely different IP subnet. These work really well - you can
even use WGS (wireless guest services, with a logon page) such as
you'd find in a hotel, etc.

Is the WGS a function of the SonicWall?

Yes, it does that quite nicely :)
 
