Guest Wifi Isolated Well? (guest Vs Reg On Router)

[anode]

After seeing how insecure WiFi is, I'm thinking of going all wired.

But have a few items that are only WiFi, but really don't need access on local LAN, just internet. So I was pondering just turning off LAN WiFi and just leaving guest for the appliances.

So my Q is how isolated is the guest WiFi from the LAN on most consumer routers? (this is a netgear WNDR7300 ) Is it crackable?

[iamk3]

Any WiFi is theoretically crackable. WEP will definitely be cracked. Just don't use it. WPA(2) is a lot less likely to be cracked, just make sure to use a long and "randomized" password with letters, numbers and special characters.

If you really are that paranoid, you could get a "non-consumer" switch and put the wired and wireless sides of your network on separate VLANs.

I would however suggest that you don't freak out and spend a lot of money/time running Cat5 throughout your house. Just use best practices and secure both SSIDs with separate but secure (as mentioned above) passwords and NEVER give your main password to anyone you don't EXPLICITLY trust.

[Infiltrator]

Even thought wireless is not 100% secure, there are steps you can take to make it secure.

1) Use long and complex pass-phrases

2) DO NOT use WEP, use WPA2 Enterprise instead, it uses a radius server for authentication. (once a client has entered the pass-phrase, it will prompt the user for an username/password)

3) Mac address filtering won't stop an attacker from getting access to your system, what you could do in this circumstance is to limit the number of IP addresses from your DHCP server, to the number of devices you have on your network.

4) Keep an eye on what devices are connected to your wireless network.

5) Some wireless access points employs a security feature called (AP isolation) which isolate clients from one another, this help stop arp poisoning or related MITM attacks from taking place in your network.

6) If you want to completely isolate your wired clients from your wireless clients, you could use a Vlan capable switch to achieve that.

7) Change the default router username and password

8) Disable remote administration via wireless and use wired connection instead.

9) If the wireless router has support for HTTPS, make use of it.

Edited March 2, 2012 by Infiltrator

[anode]

I'm not worried about breaking the WiFi WPA or WEP. My router has a 'guest network' that's supposed to sandbox it from the real LAN.

(or that's my understanding of it)

The idea is to have a public WiFi that's isolated from the internal LAN (#5&6 from Infiltrator gonna look into the Vlan thingy)

Wifi just used by xbox, Wii, tablets, etc. Nothing that *needs* to be secure.

(and just for a smile I named my public wifi FBI Surveillance Van #3 :) )

Maybe a tiny Linux box as a router/firewall (and DNS if its not too taxing). I'm *trying* to get a raspberry Pi.

Thanks guys.

[Infiltrator]

My router has a 'guest network' that's supposed to sandbox it from the real LAN.

(or that's my understanding of it)

A guest network only gives access to the internet and nothing else.

This is a good security option, if you plan on sharing your internet connection with someone else.

[anode]

Its gonna have encryption. Only using it for the xbox, tablets, et all. (and only for me)

My main Q was who secure is that isolation? Any reports of breaking it?

[Infiltrator]

My main Q was who secure is that isolation? Any reports of breaking it?

I've never seen or heard of any reports of people who actually managed to bypass or break AP isolation in access points.

To a degree it's safe to use it, and it does protect wireless users from MITM attacks. If you need for your wireless to be totally isolated from your main network, use a switch that has Vlan capabilities.