Chaining Wireless Access Points for Improved Security
We've been using the Wired Equivalent Privacy (WEP) encryption standard to secure our home's wireless network since we discovered that Tivo doesn't support the more secure Wi-Fi Protected Access (WPA) encryption standard. Unfortunately, it's not possible to have some devices on a wireless network use WEP and others use WPA; it's all-or-nothing. So, we've downgraded the security of all our devices for the sake of Tivo. Our Powerbook and Mac Mini connect to the network using WEP, when they could be using WPA instead.
Recently, I heard on a podcast program called Security Now! that it's advisable to chain wireless access points (APs) in scenarios like mine. The layout would have the DSL/Cable modem connected to a low-security access point, and a high-security access point connected to the low-security AP on one of its Ethernet ports. Here's a basic diagram:
                                  [ethernet]                     [ethernet]
[Internet] ---> Modem -----------> Low-Security AP -----------> High-Security AP
                                        |                              |
                                        | low-security clients         | high-security clients
The primary difference in this architecture is the presence of an additional AP that allows the creation of secure and non-secure network segments. Both segments are completely isolated from each other. This might create problems if the high-security clients wanted to access resources on the low-security client segment, but allowing this would invalidate the whole purpose of creating these two separate network segments. The low-security segment effectively becomes a demilitarized zone (DMZ) that is distrusted by policy. Yes, this is a good thing.
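As an added illustration (not from the original post), here is a small Python model of how the high-security AP, with its uplink port plugged into the low-security AP's LAN, enforces the trust boundary through its NAT: flows opened from the secure segment go out and their replies come back, while anything unsolicited from the low-security segment is dropped. The addresses, host names and the one-key-per-peer NAT table are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

@dataclass
class NatRouter:
    """One AP acting as a NAT router: a LAN side and a WAN side (its uplink port)."""
    name: str
    wan_ip: str
    lan_prefix: str                                    # e.g. "192.168.2."
    nat: Dict[str, str] = field(default_factory=dict)  # remote peer -> inside host

    def is_lan(self, ip: str) -> bool:
        return ip.startswith(self.lan_prefix)

    def forward(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as it leaves this router, or None if it is dropped."""
        if self.is_lan(pkt.src) and not self.is_lan(pkt.dst):
            # LAN -> WAN: masquerade behind the WAN address and remember the flow.
            # (A real NAT keys on the full address/port tuple; one key per peer
            # is enough to show the policy.)
            self.nat[pkt.dst] = pkt.src
            return Packet(self.wan_ip, pkt.dst)
        if pkt.dst == self.wan_ip and not self.is_lan(pkt.src):
            # WAN -> LAN: only answers to flows opened from the inside get through;
            # unsolicited traffic from the less trusted side is dropped.
            inside = self.nat.get(pkt.src)
            return Packet(pkt.src, inside) if inside else None
        return None                                    # nothing else crosses the router

def high_security_ap() -> NatRouter:
    # Constructed addresses: the high-security AP's uplink sits on the
    # low-security AP's LAN (192.168.1.0/24); its own clients use 192.168.2.0/24.
    return NatRouter("high-security AP", wan_ip="192.168.1.2", lan_prefix="192.168.2.")

def secure_client_reaches_tivo(powerbook="192.168.2.10", tivo="192.168.1.20") -> bool:
    """Outbound from the secure segment works, and the reply finds its way back."""
    ap = high_security_ap()
    out = ap.forward(Packet(powerbook, tivo))          # leaves as 192.168.1.2 -> tivo
    reply = ap.forward(Packet(tivo, out.src))          # tivo answers the AP's WAN address
    return reply is not None and reply.dst == powerbook

def tivo_reaches_secure_segment(tivo="192.168.1.20") -> bool:
    """Unsolicited traffic from the low-security segment toward the secure AP."""
    ap = high_security_ap()
    return ap.forward(Packet(tivo, ap.wan_ip)) is not None   # expect False
```

Note the asymmetry the model makes visible: the secure segment can still initiate connections toward the low-security segment, so "isolated" here means the low-security side cannot reach in, not that no traffic crosses at all.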
So, I'm thinking about buying another Linksys WRT54G, or WRT54GS, to handle the low-security clients. Having a low-security segment also makes it easier for friends or guests visiting your home to use the broadband connection without going through the hassle of configuring their client to use the high-security AP. Seems like a good idea!