DMZ & Secure zones in home LAN?

  1. #1
    Odysseus (Newbie)

    I have the following groups of devices on my LAN:

    1) WiFi router, TIVO, Aluratek Internet Radio

    2) 1 Linux and 2 Windows XP computers

    3) Apple Mac Mini (used solely for photos and online banking)

    I want Group 1 to be in a DMZ, isolated from Groups 2 & 3, and want to be able to use the Apple as the only device online when doing banking.

    I am thinking of this setup:

    Switch #1 to the WAN and connected to:

    - Router #1 for Group 1 (this is the wireless router)
    - Router #2 for Groups 2 & 3 (this router wired only)

    Behind Router #2:

    - using one port for Switch #2 for all of the Group 2 devices
    - using one port for the Apple Mac Mini

    The plan is that Group 1 should not have access to Groups 2 & 3 at any time, AND any time banking is to be done:

    - Router #1 is unplugged from Switch #1 AND
    - Switch #2 is unplugged from Router #2

    leaving only the Apple online and only requiring unplugging of two ethernet cables.

    This may seem like equipment overkill, but I have all the switches and routers that are needed, most of which are unused at the moment.

    I don't understand enough about switches and routers to know whether one port of either device is effectively isolated from the other ports of the same device. So my question is how to improve/simplify the setup without compromising the objectives, or is this perhaps the minimum configuration to meet the objectives?

  2. #2
    Digerati (Super Moderator)
    Routers are used to divide (or isolate) two networks so your use of routers will work. But understand a router has only one input and one output. The 4 ports found on typical routers are actually 4-port Ethernet switches built into the same chassis as the router.

    Think of switches as straight wires - they cannot block anything.

  3. #3
    Odysseus (Newbie)
    That is very helpful.

    As to switches, if a typical router with 4 ports is in effect 4 straight wires, can a sniffer on one of those wires pick up traffic (encrypted or unencrypted) on the other wires?

    In other words does Switch 1 isolate Router 1 from Router 2?

    Thanks.

  4. #4
    Digerati (Super Moderator)
    > As to switches, if a typical router with 4 ports is in effect 4 straight wires, can a sniffer on one of those wires pick up traffic (encrypted or unencrypted) on the other wires?

    Everything depends on how you set the devices up, and the capabilities of your network equipment. A sniffer connected to the cloud side will see everything on the "cloud" side of the router. And all the devices hanging off the router's integrated 4-port switch will be able to see each other. This is why each computer on the network must also have a client-based firewall (and real-time anti-malware) running too. So you are going to have to be careful about how you physically set your networks up, how you assign IPs, and also how each computer is set up.

    I really don't see the need for multiple routers unless you will be bringing in and connecting strange computers regularly to your network. For example, if you do PC repairs, you may want an isolated "business" network to connect client (and potentially infected) computers so they have Internet access, but not access to your personal or "home" network and computers.

    Now everything connected via wireless is subject to monitoring by bad guys. No way around that. Radio waves go everywhere. This is why wireless networks will never be as secure as wired. So even though I know my wireless N network is secured, I never do banking over it. Some may call that paranoia from supporting secured networks (wireless and radio) for the DoD for 30+ years; I call it due diligence based on 30+ years of experience supporting secure networks.

    Understand too, there is no such thing as a Wifi router. Routers have one input and one output, and they are wired connections only. "Wireless router" is a marketing term, a "technically" inaccurate marketing term. A wireless router is really 3 discrete, independent "network appliances" consolidated and integrated into one chassis. These are the (1) router, (2) 4-port Ethernet switch and (3) wireless access point (WAP). They are so popular because they save space and costs by putting the three devices on one circuit board inside one case and powered by one power supply. There are some versions that are 4-in-1 and also include in the same case the "gateway device", which is the cable/DSL modem. One physical piece of hardware, but electrically isolated and separate network devices.
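    An added example, not part of the thread: a small Python model of the topology proposed in post #1 that applies the two rules Digerati states above (a switch joins everything cabled to it into one segment and blocks nothing; a router separates its WAN and LAN sides and, like a consumer NAT router, only forwards connections that start on its LAN side). The device, switch and router names are hypothetical labels for the poster's groups. Each segment is treated as a shared medium in which any host can sniff any other, which is the conservative assumption for a security review (a switch's MAC table can be flooded or ARP-spoofed). It shows which hosts can reach which, and who can see the Mac Mini's traffic, both in normal use and after pulling the two cables the poster proposes.

```python
"""Reachability model for the segmented home LAN described in the thread.

Model rules (simplified, as stated in the thread):
  * A switch joins everything cabled to it into one Layer-2 segment; it
    blocks nothing, so any host on the segment can talk to, and sniff,
    any other host on it.
  * A router has two sides, "<name>.wan" and "<name>.lan", which are
    separate segments.  Like a consumer NAT router it forwards connections
    that start on its lan side out to its wan side, but not the reverse.
Names (Switch1, Router1, TiVo, ...) are hypothetical labels for the
poster's groups; "ISP" stands for the upstream Internet connection.
"""

def build_segments(links):
    """Union cabled nodes into L2 segments. Returns {node: segment_id}."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    for a, b in links:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb
    return {n: find(n) for n in list(parent)}


def upstream_chain(host, seg_of, routers):
    """Segments a connection started by `host` can traverse: its own, then
    the wan-side segment of every router whose lan port sits in a segment
    already reached (lan -> wan only, never back in through a router)."""
    chain, frontier = [], [seg_of[host]]
    while frontier:
        cur = frontier.pop(0)
        if cur in chain:
            continue
        chain.append(cur)
        for r in routers:
            # An unplugged wan port is absent from seg_of and ends the chain.
            if seg_of.get(f"{r}.lan") == cur and f"{r}.wan" in seg_of:
                frontier.append(seg_of[f"{r}.wan"])
    return chain


def can_initiate(src, dst, seg_of, routers):
    """True if `src` can open a connection to `dst` under the model rules."""
    return seg_of[dst] in upstream_chain(src, seg_of, routers)


def has_internet(host, seg_of, routers):
    return "ISP" in seg_of and can_initiate(host, "ISP", seg_of, routers)


def sniffable_by(sniffer, hosts, seg_of):
    """Hosts whose traffic a sniffer on `sniffer`'s segment could capture."""
    return sorted(h for h in hosts if h != sniffer and seg_of[h] == seg_of[sniffer])


ROUTERS = ["Router1", "Router2"]
GROUP1 = ["TiVo", "InternetRadio"]          # behind the wireless router
GROUP2 = ["Linux", "WinXP-1", "WinXP-2"]    # on Switch2 behind Router2
GROUP3 = ["MacMini"]                        # directly on Router2
HOSTS = GROUP1 + GROUP2 + GROUP3

# Constructed cabling for the layout in post #1 (wifi clients drawn as links).
NORMAL = [
    ("ISP", "Switch1"),
    ("Switch1", "Router1.wan"), ("Switch1", "Router2.wan"),
    ("Router1.lan", "TiVo"), ("Router1.lan", "InternetRadio"),
    ("Router2.lan", "Switch2"), ("Router2.lan", "MacMini"),
    ("Switch2", "Linux"), ("Switch2", "WinXP-1"), ("Switch2", "WinXP-2"),
]
# Banking mode: the two cables the poster proposes to pull.
PULLED = {("Switch1", "Router1.wan"), ("Router2.lan", "Switch2")}
BANKING = [l for l in NORMAL if l not in PULLED]


def report(links):
    """Summarise isolation properties of a cabling layout."""
    seg_of = build_segments(links)
    hosts = [h for h in HOSTS if h in seg_of]
    return {
        "internet": {h: has_internet(h, seg_of, ROUTERS) for h in hosts},
        "g1_to_g23": any(can_initiate(a, b, seg_of, ROUTERS)
                         for a in GROUP1 for b in GROUP2 + GROUP3),
        "g23_to_g1": any(can_initiate(a, b, seg_of, ROUTERS)
                         for a in GROUP2 + GROUP3 for b in GROUP1),
        "g2_to_mac": any(can_initiate(a, "MacMini", seg_of, ROUTERS) for a in GROUP2),
        "mac_seen_by": sniffable_by("MacMini", hosts, seg_of),
    }


if __name__ == "__main__":
    for name, links in (("normal", NORMAL), ("banking", BANKING)):
        print(name, report(links))
```

    In normal use the model confirms Digerati's point that the two routers keep Group 1 and Groups 2/3 apart in both directions, but it also shows that the Group 2 machines share Router #2's LAN segment with the Mac, so they can both reach it and see its traffic; that is exactly what pulling the Switch #2 cable fixes, after which only the Mac has Internet access.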
