Security concerns for main network when adding a "guest" or "lab" network

tankman1989

The network has two ISPs (load balanced & failover) running on pfSense 2.1. The router has one port dedicated to the main network & one for a guest network.

I have always been a little concerned about having unknown machines having direct access to the same network/router that runs the main network and wanted to know how much of a security concern this is. The main concern is of machines with viruses/malware operating on the guest network more so than a hacker using the guest network to try to access the main network (although I guess the latter is a possibility if the guest machine were being remotely controlled by someone).

Is this a major concern or is it fairly difficult to cross over to the main network when proper/strict (MAC filtering is enabled) security measures are in place on the primary network?
 

I'm sure there are safe ways to do it, but the way I have mine set up is two separate firewalls/routers that handle each side of the network. They are physically segregated and for all intents and purposes are two unique networks.
 
I can tell you that many, if not most, locations with a public WAP are set up with that being totally separate from the private LAN. Meaning it starts at the ISP. Even separate switches if needed.

A lot depends what they are doing on the private LAN. HIPAA, PCI, etc, etc requirements imply that you should have physical separation. Given the relative low cost of this stuff that is what I recommend if someone is asking.
 

Just a side note, not properly segregating networks is part of what led to the recent Target fiasco.
 
Thanks for the suggestions. I can do VLANs with the router, but VLANs are exactly my concern as they don't give physical separation between the networks.

If I had a dual-WAN router that split to the main network and then to another router which hosted the guest network, I think that would be more secure - at least from what I understand.

I have always felt a little apprehensive about VLANs and virtual machines for the same reason: there is no physical separation in the event of a malicious attack. I've read some reports about major security holes in hypervisors that allow one VM to basically access all other hosted machines with root access (this issue was promptly fixed, but it raised a red flag when I read it - no pun intended :D)
 
So this is why I like using MikroTik routers. They aren't wallet stealing, and they will do this perfectly. This is for our 1 line in folks.

From the ISP (or modem) we connect to a MikroTik router. The guest network will operate on network 192.168.0.0/16 with 72-hour DHCP lease times. No device will be able to connect to the MikroTik admin (Web/Winbox/etc.) through physical ports assigned to the guest network. The main/operating network will be assigned a 172.16.0.0/30 address, static IP, which connects to a SonicWall or other UTM. The UTM is usually assigned a 10.0.0.0/8-24 address on its LAN side.

The MikroTik utilizes the firewall policy I posted a while back, with some additional rules specific to the guest network access. The WAP for the MikroTik will operate on the same bridge as the guest network, or will be disabled (usually disabled, as they are positioned in places that are, well....not guest network friendly). Now, another step we take is preventing the guest bridge from talking to the main net bridge. This is all rules and whatnot. So even if you know the main net's IP, you'll never see it or be able to talk to it, as the firewall prevents one bridge from talking to the other. This makes eavesdropping hard as well.

As for connection speeds, we choke the hell out of the guest network when we only have one ISP connection. We can lower a port's available bandwidth (both TX and RX), depending on the client's needs, etc. Our average client is running somewhere around 12M/128k DSL, and 20M/5M cable. With DSL, the upswing doesn't get throttled, because they usually don't have VoIP and DSL at the same time. But with 12M down, we will choke the guest to 2-5M down depending on client size, and for our cable folks, we choke the guest network to 5M/1M. Guests won't have blazing speeds, but at least your client won't be bogged down because of 30 people in the waiting room.

This way, the MikroTik separates the networks, but you still have another firewall to penetrate before you get to the main net. The MikroTiks rule based firewall makes for a great place to set up your DMZ as well. I've done this for a couple of clients already, but the real workhorse is the SonicWall.
 
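The layout Frederick describes above (guest bridge on 192.168.0.0/16 with 3-day leases, a 172.16.0.0/30 link to the UTM, no router admin from guest ports, the two bridges forbidden from talking to each other, and a bandwidth cap on the guest side) as a RouterOS v6 configuration script. This is an added example, not the firewall policy he refers to having posted elsewhere (that policy is not on this page), and the interface names (ether1 as the ISP uplink, ether2 to the UTM, ether3/ether4 as guest ports), bridge names, pool range and the 5M/1M figure for a cable site are assumptions chosen to match the post:

```routeros
# Added example: MikroTik RouterOS v6 script for the guest/main split described above.
# Assumed ports: ether1 = ISP/modem, ether2 = link to the UTM (main net), ether3-4 = guest.
/interface bridge
add name=bridge-guest comment="guest LAN (and the guest WAP, if it is enabled)"
add name=bridge-main comment="/30 transit link to the SonicWall/UTM"
/interface bridge port
add bridge=bridge-guest interface=ether3
add bridge=bridge-guest interface=ether4
add bridge=bridge-main interface=ether2

/ip address
add address=192.168.0.1/16 interface=bridge-guest
add address=172.16.0.1/30 interface=bridge-main comment="UTM WAN side takes 172.16.0.2"

# 72-hour leases for guests; the router answers their DNS itself.
/ip pool
add name=pool-guest ranges=192.168.1.2-192.168.255.254
/ip dhcp-server
add name=dhcp-guest interface=bridge-guest address-pool=pool-guest lease-time=3d disabled=no
/ip dhcp-server network
add address=192.168.0.0/16 gateway=192.168.0.1 dns-server=192.168.0.1
/ip dns
set allow-remote-requests=yes

/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add chain=input connection-state=established,related action=accept
add chain=input in-interface=bridge-guest protocol=udp dst-port=67 action=accept \
    comment="guest: DHCP"
add chain=input in-interface=bridge-guest protocol=udp dst-port=53 action=accept \
    comment="guest: DNS"
add chain=input in-interface=bridge-guest protocol=tcp dst-port=53 action=accept
add chain=input in-interface=bridge-guest action=drop \
    comment="guest ports never reach Winbox/WebFig/SSH/API on the router"

# --- forward chain: traffic routed between interfaces ---
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=bridge-guest out-interface=bridge-main action=drop \
    comment="guest bridge -> main bridge: never"
add chain=forward in-interface=bridge-main out-interface=bridge-guest action=drop \
    comment="main bridge -> guest bridge: never"
add chain=forward in-interface=bridge-guest dst-address=10.0.0.0/8 action=drop \
    comment="belt and braces: UTM LAN range is unreachable even if routing changes"
add chain=forward in-interface=bridge-guest dst-address=172.16.0.0/12 action=drop
add chain=forward in-interface=bridge-guest out-interface=ether1 action=accept \
    comment="guest -> Internet only"
add chain=forward in-interface=bridge-main out-interface=ether1 action=accept \
    comment="main (via UTM) -> Internet"
add chain=forward action=drop comment="default deny for anything not listed above"

/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade

# Cap the whole guest bridge (cable-site figures from the post): max-limit is upload/download.
/queue simple
add name=guest-cap target=bridge-guest max-limit=1M/5M comment="guest: 5M down / 1M up"
```

Two checks worth doing after pasting this in. First, the isolation only holds because guest and main ports sit in different bridges: `/ip firewall filter` sees routed traffic, so two ports in the same bridge could still talk at layer 2 regardless of these rules (that is also why MAC filtering on the main segment, as asked about in the opening post, is not what keeps a guest box out; the forward-chain drops are). Second, from a laptop on a guest port, confirm that `ping 172.16.0.1`, `ping 172.16.0.2` and a TCP connection to 192.168.0.1 port 8291 (Winbox) all fail while Internet access works, then watch the drop rules count up with `/ip firewall filter print stats`. Rule order matters: RouterOS evaluates the chain top down, so keep the bridge-to-bridge drops above any accept that matches guest traffic.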
We often do a similar thing to what Frederick mentioned....while I don't use a MikroTik (granted..they are awesome)...I will use a feature we're given with most of the business-class "gateways" from cable and phone ISPs. Most of them are combo modem/routers....and they have a built-in 4x port switch.

I'll set up the primary router we use behind the ISP-supplied gateway...and our router will pull the public IP addresses of their static range. And their network will be behind that router. However...if I need a separate guest network, I'll either physically cable it and uplink it to a port of the ISP-supplied gateway..so it goes out that IP address and is physically separated from the main network. Or...such as we often do with guest wireless, using managed switches...tagged VLANs, and have the switch's final port in that VLAN uplink to one of the LAN ports of the ISP's gateway. This gives that guest network a totally different IP range, as well as being walled off via VLANs...so it's double security.
 