Question: Network setup for two groups of users?

hw_user

Distinguished
Mar 11, 2010
I am trying to set up a network for two groups of users. Group A wants speed and just needs basic security. Group B needs high security. These users (wired or wireless) are in the same building with only one ISP connection, and the two groups need to send files to each other.
I am thinking of using 2 routers, Router A for Group A and Router B for Group B, and I have 2 options:
  1. Cable Modem --> Router A (DHCP server) - LAN to LAN Ethernet connected --> Router B (AP). This may be the simplest. I am not sure if I can use router-level VPN on Router B. If yes, Group B users will have VPN security. If not, then I will have to use option 2. The two groups will have no problem communicating because they are on the same network.
  2. Cable modem ---> Router A --WAN to LAN Ethernet connected --> Router B. This will make Group B feel more comfortable because they are on a separate network isolated from Group A. But this requires a more sophisticated setup (routing table + firewall rules) to direct traffic between the Internet and Group B users and also between Group A and Group B users. I am still studying how to do it.
I still need to use VPN on Router B for security.
Can someone comment on the 2 options, or on other options that I can use?
 
What security are you talking about? You have to always assume that traffic can be intercepted. A VPN does not solve that; the traffic must eventually leave the VPN and enter the internet, where it can be intercepted. The only difference a VPN makes is where the traffic can be intercepted. If you use things like HTTPS the traffic is encrypted, so you don't care as much if someone can intercept it.

In option 1 the VPN does not protect against users intercepting traffic. They would just intercept it before it gets to the VPN.... even though intercepting traffic between users on a LAN, even when there is no protection, is not trivial.

In option 2 you have isolated your users, but now they can not share data. Assuming you are using consumer-grade routers, you need nothing more; NAT alone will prevent any user from getting to the B network, but users in B can get to A. This is the same protection that prevents someone on the internet from getting any access to your internal machines. The problem is now, if you really need access from A to B, you must use port forwarding rules. This is very messy when you have a large number of machines.

This all comes down to the actual security requirements. Likely the simplest method is going to be to let everything be on the same LAN and then put in firewall rules on the end machine to decide what access is allowed to come into the machine.

Remember the best security of actual traffic is end-to-end encryption using things like HTTPS and encrypted DNS, which is now supported by Chrome and Firefox.
 

kanewolf

Titan
Moderator
> I am trying to set up a network for two groups of users. Group A wants speed and just needs basic security. Group B needs high security. These users (wired or wireless) are in the same building with only one ISP connection, and the two groups need to send files to each other.
> I am thinking of using 2 routers, Router A for Group A and Router B for Group B, and I have 2 options:
>   1. Cable Modem --> Router A (DHCP server) - LAN to LAN Ethernet connected --> Router B (AP). This may be the simplest. I am not sure if I can use router-level VPN on Router B. If yes, Group B users will have VPN security. If not, then I will have to use option 2. The two groups will have no problem communicating because they are on the same network.
>   2. Cable modem ---> Router A --WAN to LAN Ethernet connected --> Router B. This will make Group B feel more comfortable because they are on a separate network isolated from Group A. But this requires a more sophisticated setup (routing table + firewall rules) to direct traffic between the Internet and Group B users and also between Group A and Group B users. I am still studying how to do it.
> I still need to use VPN on Router B for security.
> Can someone comment on the 2 options, or on other options that I can use?
First, don't think in home network topology. You need a business- or enterprise-quality router and managed switches. You want VLANs rather than VPN. You may need multiple SSIDs on your WiFi hardware. You may need a NAS or server with multiple NICs and ports in separate VLANs to provide shared storage.
 

hw_user

Distinguished
Mar 11, 2010
Neither I nor the Group B users are security experts. We just heard everyone out there saying that for better security we should use VPN. There are only 2 to 3 users in each group. Group B users need VPN for their office work. Most sites are using HTTPS these days. Please help me to understand why VPN is always recommended for better security. They also plan to use security cameras. Google search results again suggested that security cameras should be on VPN.
Group A users are gamers and torrent downloaders. That's why Group B users feel more comfortable if they are on a separate network. I am just thinking that if Group B are all on VPN, they will not give me the pressure to put them on a separate network, which costs me more work.
 

kanewolf

Titan
Moderator
> Neither I nor the Group B users are security experts. We just heard everyone out there saying that for better security we should use VPN. There are only 2 to 3 users in each group. Group B users need VPN for their office work. Most sites are using HTTPS these days. Please help me to understand why VPN is always recommended for better security. They also plan to use security cameras. Google search results again suggested that security cameras should be on VPN.
> Group A users are gamers and torrent downloaders. That's why Group B users feel more comfortable if they are on a separate network. I am just thinking that if Group B are all on VPN, they will not give me the pressure to put them on a separate network, which costs me more work.
If group A includes torrent downloaders, then they should be on a separate ISP feed. You don't want group B to be cut off because group A did something stupid.
 
A lot of the "VPN for security" advice is based on very old information. A huge number of people write articles with no actual knowledge and just cut and paste stuff they find on the internet. Nobody seems to challenge an author's credentials anymore. People seem to believe almost any crap on Facebook or Reddit.

VPN used to help a lot when people were intercepting Facebook in internet cafes, before Facebook went to encrypted sessions.

VPN nowadays is primarily used to get past restrictions. Some people use it to try to hide their illegal activity..... which would mean your torrent users, not your main users, should be using it. The other primary use is to get past a restriction. Things like Netflix, or maybe game companies in Korea or Russia. There is geo-blocking by IP, so people try to get an IP via VPN to pretend they live elsewhere. There are also people who use VPN to get by firewall restrictions: the students trying to bypass school firewalls, or the guy who wants to surf porn at work and not get caught.

VPN provides very little security. At best it prevents the ISP and maybe the government from tracking your activities.

Security cameras, as well as many other so-called smart appliances, really should be on a separate network that has no internet access. Things like Ring cameras have been hacked many times. Unfortunately many of these devices are designed to only work when connected to the internet, so there is no way to really secure them. The vendors do an extremely poor job of securing devices like these. My solution is to not buy equipment that requires an internet connection to function, but I seem to be in the minority lately.
 
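The three pieces of advice above (the earlier reply's point that option 2 gives one-way isolation, B can reach A but A needs explicit rules to reach B; kanewolf's suggestion to use VLANs on a managed switch instead of a VPN; and the point just made that cameras belong on a segment with no internet access) can all be expressed as one ruleset on a single Linux router, without NAT between the groups. The script below is an added example written for this thread, not code posted by anyone in it. Everything in it is an assumption for illustration: the router runs Linux with nftables, the cable modem is on eth0, a managed switch is trunked on eth1, VLAN 10 (10.10.0.0/24) is group A, VLAN 20 (10.20.0.0/24) is group B with a file server at 10.20.0.10 sharing over SMB (tcp/445), and VLAN 30 (10.30.0.0/24) holds the cameras.

```shell
#!/bin/sh
# Added example (not from the thread): one Linux router, one ISP link, three
# VLANs on a managed switch.  All names, addresses and VLAN ids are assumed.
#   VLAN 10  10.10.0.0/24  group A (gamers, torrents)
#   VLAN 20  10.20.0.0/24  group B (high security); file server 10.20.0.10
#   VLAN 30  10.30.0.0/24  cameras and smart devices, no internet at all
# Usage:  sh two_groups.sh            -> print the ruleset for review
#         sudo sh two_groups.sh apply -> create VLAN interfaces and load it

WAN=eth0             # assumed: cable modem side
TRUNK=eth1           # assumed: 802.1Q trunk to the managed switch
FILESERVER=10.20.0.10  # assumed: group B's file server (the only A -> B path)

# Emit the nftables ruleset as text so it can be inspected before loading.
two_group_ruleset() {
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # only group B may manage the router over SSH
        iifname "vlan20" tcp dport 22 accept
        # DHCP, DNS and ping served to every LAN VLAN
        iifname { "vlan10", "vlan20", "vlan30" } udp dport { 53, 67 } accept
        iifname { "vlan10", "vlan20", "vlan30" } icmp type echo-request accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # group B may initiate to the internet, to group A and to the cameras
        iifname "vlan20" oifname { "$WAN", "vlan10", "vlan30" } accept
        # group A may reach the internet ...
        iifname "vlan10" oifname "$WAN" accept
        # ... but inside group B only the file share (SMB, tcp/445)
        iifname "vlan10" oifname "vlan20" ip daddr $FILESERVER tcp dport 445 accept
        # cameras (vlan30) get no forward rule at all: no internet, no groups
    }
}
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "$WAN" masquerade
    }
}
EOF
}

# Create the three VLAN sub-interfaces on the trunk and load the ruleset.
# Needs root; the switch ports must be configured for the same VLAN ids.
apply_two_groups() {
    sysctl -w net.ipv4.ip_forward=1
    for spec in "10 10.10.0.1" "20 10.20.0.1" "30 10.30.0.1"; do
        set -- $spec   # $1 = VLAN id, $2 = router address on that VLAN
        ip link add link "$TRUNK" name "vlan$1" type vlan id "$1"
        ip addr add "$2/24" dev "vlan$1"
        ip link set "vlan$1" up
    done
    two_group_ruleset | nft -f -
}

case "${1:-}" in
    apply) apply_two_groups ;;
    *)     two_group_ruleset ;;
esac
```

Because the forward chain's policy is drop and only return traffic is matched by `ct state established,related`, group A gets the same one-way protection the earlier reply described for NAT, but file sharing works with a single rule instead of per-machine port forwards, and a box on VLAN 30 can be reached from group B while never being able to open a connection to the internet itself.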
> My solution is to not buy equipment that requires an internet connection to function, but I seem to be in the minority lately.
You and me both. It's getting harder to find stuff that isn't magically connected to some big brother box out in cyberspace with shoddy security. :rolleyes:

OP, you have gotten some really good answers here and really need to consider all the different use cases in more detail to see what is possible. Otherwise, these two networks should simply be physically separate.
 
