Sharing a link with kids.

    Paul Hooper wrote (#1):

    Ok, here's the situation. One ADSL link into my home. Four computers. Three of them run my home office and are as secure as I can make them. The last one is used by my kids to play games and surf the web - and the kids are just beginning to get more adventurous. They have great security habits for young kids but I would be foolish to rely on that. We have already done everything I can think of on a software level to insulate the office computers from the kids' computer but I want to COMPLETELY quarantine the kids' computer from the office network - to the point that I am considering bringing in a second ADSL link on the second line into my house. I figure that others must have experienced this need previously and maybe there is a way of sharing the existing ADSL link while keeping the kids' computer and the office network separate on a HARDWARE level. Maybe an ADSL router that supports two separate networks. Anyone heard of such a thing?

    Paul Hooper
    If you spend your whole life looking over your shoulder, they will get you from the front instead.


      code frog 0 wrote (#2):

      You have tons of choices. Buying a separate DSL line is extremely over-done and there are better ways of achieving the same protection. The easiest I can think of is to put one additional firewall between you and the network they share. So you would run in the main DSL feed to whatever hardware firewall you already have. Then put the kids in port #1 on that device and make sure it has DHCP enabled {DHCP is just easier. You can statically address too but it requires more work and knowledge.} On port #2 run Cat 5 from it into the WAN port on router #2, making sure the WAN interface of ROUTER #2 is a DHCP configurable interface. NOTE: On almost all routers you can change the WAN/LAN settings through a web browser. The manuals are very good at telling you how to do this. Running from Router->Router puts you in a double NAT situation but I doubt that will cause any problems. To test it make sure you can still reach http://windowsupdate.microsoft.com. Double NAT isn't a big deal but it can be. This should give you decent protection. If you really want top security check out the devices at http://www.sonicguard.com. I think the TZ-170 with the Security Suite is one of the best products around bar none. I'd put it up against a PIX any day of the week. Does that make sense? - Rex

      My name is Inigo Montoya, you killed my process, prepare to die. Slightly modified quote from Princess Bride. Code-frog System Architects, Inc.

      -- modified at 20:47 Monday 29th August, 2005


        KevinMac wrote (#3):

        I have mine working on a Virtual PC so I can roll them back after they get trashed. I know it sounds like a lot but it has saved hours of work.


          code frog 0 wrote (#4):

          I think they are more interested in isolating the "kids" network from the "office" network so that the kids don't get into something and cross-contaminate the office... At least that is what I'm thinking they meant...


            Lost User wrote (#5):

            Configure the router to have static DHCP assignments based on MAC address for the kid's computer (it doesn't matter for the office computers) and set up a firewall rule that doesn't allow traffic from that IP address to any other destination in the LAN (depending on how you configure it, you may need static addresses for the office machines and disallow any traffic from the kid's machine to the office machines, and/or you'll need a rule that allows traffic from the kid's machine to the router). If your current router doesn't provide that kind of configuration, go to Best Buy or some place and get a Linksys or Netgear or something for $40 and then set it up (I recommend the Linksys WRT54G or WRT54GS; you can get alternate firmwares since they run Linux and do some fun stuff).
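
            An added example, not part of the original post: one way to express the static lease and firewall rules described above on a Linux-based router running dnsmasq and iptables. It assumes the kids' computer sits on its own router interface and subnet, because traffic between two hosts on the same switched LAN segment never reaches the router's FORWARD chain; all addresses and interface names are constructed.

```shell
#!/bin/sh
# Added example: every address and interface name below is constructed.
KIDS_MAC="00:11:22:33:44:55"    # MAC of the kids' computer (constructed)
KIDS_IP="192.168.20.10"         # address reserved for that MAC
KIDS_IF="br-kids"               # hypothetical router interface for the kids' subnet
OFFICE_NET="192.168.10.0/24"    # office subnet (constructed)
WAN_IF="wan0"                   # hypothetical interface facing the ADSL modem

# Static DHCP lease, in dnsmasq's dhcp-host syntax.
dhcp_reservation() {
    printf 'dhcp-host=%s,%s\n' "$KIDS_MAC" "$KIDS_IP"
}

# Rules in evaluation order (iptables stops at the first match). They are
# appended with -A, so this assumes no earlier rule already accepts the traffic.
#  1. Replies to connections that were already allowed.
#  2. Anti-spoofing: a MAC can be changed, so the interface is the real
#     boundary; only the reserved address may forward from it.
#  3. Nothing from the kids' interface reaches the office subnet.
#  4. The kids' computer may still reach the Internet.
#  5-7. It may ask the router for DHCP and DNS ...
#  8. ... but cannot reach anything else on it, including the admin page.
isolation_rules() {
    cat <<EOF
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $KIDS_IF ! -s $KIDS_IP -j DROP
iptables -A FORWARD -i $KIDS_IF -d $OFFICE_NET -j DROP
iptables -A FORWARD -i $KIDS_IF -o $WAN_IF -j ACCEPT
iptables -A INPUT -i $KIDS_IF -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i $KIDS_IF -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $KIDS_IF -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i $KIDS_IF -j DROP
EOF
}

# Print everything for review by default; APPLY=1 (as root on the router)
# executes the rules instead.
if [ "${APPLY:-0}" = 1 ]; then
    isolation_rules | sh -e
else
    dhcp_reservation
    isolation_rules
fi
```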


              Vivek Rajan wrote (#6):

              What do you mean by "separate on a hardware level"? If you mean that there are no common hardware elements between the two networks - you obviously cannot achieve it. This is because from the ISP point of view - you represent one end point. You can also install various firewalls as suggested by code-frog, but they do not achieve hardware isolation. Your kids can easily log in to the firewall and play around with the configuration. Granted there are password and access control list protection - but still no hardware isolation. The easiest way is to go for two separate lines.


                S Douglas wrote (#7):

                Why not have him get a switch and set the kids up on a VLAN (Virtual LAN) on a completely different subnet? This would be about the best solution I could think of.

                -------------------------------
                DEBUGGING : Removing the needles from the haystack.


                  code frog 0 wrote (#8):

                  Ummm... even on a WAN with two separate lines there's no hardware isolation. The hardware at any point can be traversed. They also cannot log into the office network from the WAN unless mom and dad allow remote management and I don't see them doing that. The only way they could get on the routers is from the LAN and at some point users have to take *some* responsibility. We can protect them from most things but nobody can protect them from their own stupidity. There's no reason to pay two monthly rates for an ISP. Essentially the ISP (if they used two of them) is doing the exact same thing they would be doing using another firewall in the home. You are just traversing up the WAN on both lines to two separate hardware devices on the exact same LAN/WAN at the ISP. They will use different gateways but aside from that the bandwidth is coming from the same place. The only difference is the ISP is also forcing the network by running the subnet mask way up to a 248 or a 252. But now we are so far out of the scope of what they were asking that I'm sure they have glass eyes at this point. We aren't protecting banks from the strip club. ;P They can/should save the monthly rate and achieve the same thing in their home. I highly doubt we need to involve managed switches and layer 2 networking to handle this. Sounds to me like some basic security concerns and they just want a level of protection higher than what they have got already.


                    code frog 0 wrote (#9):

                    Indeed. Get the common user to understand managed switches and VLANs and you are one heck of an explainer and you've got a lot of time on your hands. ;)


                      Lost User wrote (#10):

                      How about a managed switch? I know management tends to be in top end equipment but that would let you control the routing.

                      Elaine :rose:
                      The tigress is here :-D


                        S Douglas wrote (#11):

                        code-frog wrote: "Indeed. Get the common user to understand managed switches and VLAN's and you are one heck of an explainer and you've got a lot of time on your hands"

                        Oh, okay, I didn’t think using a managed switch was all that difficult. I could see it being a little difficult if you bought one of those nice Cisco switches. The 3Com switch I have isn’t so bad for setting up VLANs (not that I used them, just poked around). My Bay Stacks switch is much nicer but I don’t have the software to manage it :(. But the average user doesn’t need either of those. I’m sure Linksys or the switches you're so fond of have nice easy to use user interfaces.

                        -------------------------------
                        DEBUGGING : Removing the needles from the haystack.
