Is Airport Extreme's Guest Network Really Secure?

Hi,

How secure is Airport Extreme's guest network & how exactly is it configured?

I am trying to set up two separate networks. Presently I am running the following:


-ISP modem hardwired to wireless Mac Airport router
-2 older XP desktops hardwired to Mac Airport router & 1 MacBook connected to Airport router wireless

Like so- modem --> Airport --> 2 pc's & 1 wireless Mac

I need to add a work laptop to the mix & do not want it in my existing network. So, I was planning on doing the following but was having problems with double-NATing:

-ISP modem wired to new internet router
-new internet router wired to Airport Extreme (i.e.: my existing network setup) & to new router (i.e.: new network)

Like so- modem --> new internet router --> Airport(existing network) & new router(new network)

BUT... after struggling to get this working, I removed the new internet router & went back to my original setup & reset the Airport Extreme. During this simple resetting process on the Airport, I was prompted to set up a separate guest network! I didn't know this was an option & it seems to do what I need & was trying to do with the extra routers.

Which brings me back to my question...How secure is Airport Extreme's guest network & how exactly is it configured? Will this simple Guest Network truly give me two completely separate networks? In other words, if I connect my work machine to the guest network & the work machine is infected, for example, is my existing network protected?

Thank you!

Mac OS X (10.6.5)

Posted on Dec 20, 2010 2:58 PM


Dec 20, 2010 3:10 PM in response to Orange991

Hello Orange991. Welcome to the Apple Discussions!

How secure is Airport Extreme's guest network & how exactly is it configured?


As you found out, the AirPort's Guest network is only available when the AirPort is configured as a router and not a bridge ... like when you attempted to have it downstream of another router in your network configuration.

The AirPort's Guest network feature creates a VLAN which performs as a separate wireless network from the "main" or private network. It is enabled via the AirPort Utility via the Guest Network tab.

It can be configured with a separate Network Name or SSID ... as it should, and you can enable WPA or WPA2 wireless encryption that has a different password than the private network.

By default, network clients connected to the Guest network cannot access resources on the private network ... but they do have access to the Internet. They can also be allowed to access other devices on the Guest network.

Dec 20, 2010 3:35 PM in response to Tesserax

Thank you for the prompt reply!

A couple of things...

I did not use the guest network until after I experienced double-NATing, while not in bridge mode. I discovered the guest networking capabilities only after resetting the Airport router, as I had lost all internet connection.

So, I am aware of everything you said but was hoping for some more details as to just how the guest network functions behind the scenes. Mac makes setup easy, but doesn't always allow for much user interaction.

I wonder if I would be more secure using the following configuration, as I initially mentioned:

modem --> new internet router --> Airport(existing network) & new router(new network)

This is the config that I had trouble setting up, but I know if I could get it to work I would be running two completely separate networks, which is what I want. I would be good with just using the Airport, & not buying two new routers, if I knew it was truly just as secure, but I am not sure what's actually occurring within the airport guest feature. Apple states that a portion of my internet service will be used for the guest network. Again, how exactly is this happening?

Again, if I connect my work machine to the guest network & the work machine is infected, for example, is my existing network protected? Still not sure of this.

Any more details would be appreciated! Thanks!

Dec 20, 2010 8:02 PM in response to Orange991

So, I am aware of everything you said but was hoping for some more details as to just how the guest network functions behind the scenes.


The Guest network feature is a form of a Virtual Local Area Network (VLAN). Please check out the following if you are not familiar with the concept of VLANs: Wikipedia - Virtual LAN. However, it is a "special-use" VLAN implementation and not a full-featured 802.1Q VLAN-capable router. Essentially, when you enable Guest Networking, the AirPort "splits" the wireless network into two VLANs. Both VLANs share the same overall bandwidth, and the Guest Network must use both radio bands with the same Network Name on each. There are no options to fine-tune the Guest Network ... and "guests" who are performing bandwidth-intensive activities will affect the performance of the "main" network.

Dec 22, 2010 8:09 AM in response to Tesserax

Hi & thanks.

Still can't seem to determine how secure this Airport VLAN will actually be, which is bringing me back to my original idea of connecting my modem to a WAN port on a router, & then connecting 2 more routers(one being the Airport) to the LAN ports on the internet router.

This should produce 2 completely separate networks. Yet when I initially attempted this, the Airport warned me of double-NATing & wouldn't connect. Any chance you could offer some suggestions that may help me to avoid further complications with such a set-up?

Thanks!

Dec 22, 2010 10:11 AM in response to Orange991

Tesserax

Well, after further research, I have learned that I seem to have the right person involved here!

I have also learned some more...here are two quotes from you from other similar threads...

"If your networking requirements necessitate two completely isolated networks, you will have to look at vendors that provide commercial-grade router solutions that include things like full VLAN implementation. Cisco would be an example of one of those vendors.

If you really need to isolate network clients, you would need a VLAN ... which the AirPorts only provide in a very rudimentary form via a Guest network."

I have also read that the AEBS's guest feature may in fact be secure enough as it runs on a different subnet. Here is my situation...

Simply put, I need to connect my biz laptop to my/a wireless network in my home & I don't want it connected to my existing network. I do not know where that thing has been nor do I subscribe to many of the security practices that are used, or not used! So, I just need to be sure that I can connect wirelessly, at least, w/o risking the security of my existing network, within reason. Obviously if someone really wants in, they'll get in.

Your help with all of this is appreciated!!

Dec 22, 2010 10:50 AM in response to Orange991

PS- Sorry for the multiple posts prior to one reply from you!

Correction: I checked my AEBS & it seems as though the guest network I set up (& am not using for my biz pc yet) does in fact have the same subnet mask but different IP's.

FYI, I have been at this for weeks to no avail so again, any help you can offer would be greatly appreciated. If you need more info, please ask. Here is a link to my original posting in another forum to which I received no reply, in case you're interested:

http://www.bleepingcomputer.com/forums/topic364080.html

Thanks again....now I will wait patiently 😉

Dec 22, 2010 11:14 AM in response to Orange991

Correction: I checked my AEBS & it seems as though the guest network I set up (& am not using for my biz pc yet) does in fact have the same subnet mask but different IP's.


VLANs are different than the traditional use of subnetting ... but have similarity in operation in that you can create multiple logical subnet networks regardless of the physical router configurations.

From Wikipedia: Virtual LANs are essentially Layer 2 constructs, compared with IP subnets which are Layer 3 constructs. In an environment employing VLANs, a one-to-one relationship often exists between VLANs and IP subnets, although it is possible to have multiple subnets on one VLAN or have one subnet spread across multiple VLANs. Virtual LANs and IP subnets provide independent Layer 2 and Layer 3 constructs that map to one another and this correspondence is useful during the network design process.

Again, the AirPort's Guest Network feature is a form of a VLAN. Unfortunately, Apple has not provided any details on how this is implemented and it would be impossible for me to tell you how exactly it performs security or otherwise. Sorry!

Dec 22, 2010 1:29 PM in response to Tesserax

Please, no need to apologize. I appreciate your help!

Using the Guest Network certainly seems to be the easier, softer way but it seems as though running the other setup I mentioned might prove more secure, no?

Can you help with that sort of setup & config? Like I said, I ran into problems. First I bought a standard switch but after taking it out of the box, I realized there were no WAN & LAN ports & that the switch would only allow one network to run at a time. At least that's what cs told me.

I also bought a new Linksys 2000 to use for my work network which I was planning on connecting to the switch or internet router/switch, as it now seems that I need.

So, I tried using my 4 yr old Linksys BEFSR41 w/o wireless support, to run between the modem & my 2 wireless routers, & that's when the Airport reported double-NATing. At this point I was stuck, disconnected the Linksys, & needed to reset my Airport from square one to get back online. I am sure there is a simple way to get this all to work, it just seems to be over my head w/o guidance. You game? 🙂


Dec 22, 2010 4:55 PM in response to Orange991

Tesserax

Ahh hah! I wanted to catch you before you replied. I attempted to again set up the 3 router config & am having initial success. I started over, did things a little differently & got my main/existing network set up! This time I set up the internet router directly to my old hard wired Ubuntu machine first & after I got that working I connected it & my other machines to the Airport & the Airport to the internet router & voila.

Now all I need to do is add the new Linksys wireless router to the internet router to create my biz network & cross my fingers.

The Airport did warn me of double NATing but I chose the "ignore" option & it's working fine. I wouldn't mind a double NATing explanation & what exactly is happening, if you have the time. I get it, somewhat! Double NATing doesn't in any way compromise security, does it? I was told if anything, it would make the network more secure.

I will post back later after connecting the other wireless router...Thanks!

Dec 23, 2010 12:11 PM in response to Orange991

Using the Guest Network certainly seems to be the easier, softer way but it seems as though running the other setup I mentioned might prove more secure, no?


When adding network "complexity" you don't always achieve greater security. Based on what I understand your requirements are, the Guest Network feature should be sufficient.

However, I can understand your concerns about security. With three routers, all with NAT enabled, you could create three networks behind the modem.

Can you help with that sort of setup & config?


I will certainly be happy to help, but you understand since I don't have the same equipment available to me, I may be running a bit in the "blind" attempting to do so.

If I understand correctly, your current desired network configuration would have the Linksys BEFSR41 router connected directly to the Internet modem. In turn, you would have both the AEBSn & new Linksys 2000 routers connected directly to the BEFSR41 by Ethernet ... correct?

If so, I would suggest that you provide both the AEBSn and 2000 routers with their own static WAN-side IP addresses just outside of the DHCP range of the BEFSR41. Also be sure that both of these routers use the same Router & DNS IP addys in order for each to reach the Internet through the BEFSR41. (Note: The AEBSn, at least, will "complain" about being in a Double-NAT configuration, but as you already know, you can disable that warning via the AirPort Utility. Double-NAT is not an error in itself, but a configuration in which a client will have to negotiate through two NAT-enabled routers to access the Internet ... which is normally not a problem. A Double-NAT configuration only adds more complexity in getting traffic in from the Internet to, let's say, a Mail or Web Server that you may be hosting.)

On the LAN-side of the AEBSn & 2000, use different DHCP ranges to create their respective networks. Clients on either of these routers should now be able to access the Internet. They should not be able to access clients/resources that are connected to the other router.

Dec 23, 2010 2:46 PM in response to Tesserax

Tesserax wrote:


If I understand correctly, your current desired network configuration would have the Linksys BEFSR41 router connected directly to the Internet modem. In turn, you would have both the AEBSn & new Linksys 2000 routers connected directly to the BEFSR41 by Ethernet ... correct?


Correct!

And I am happy to report that I have achieved success...at least for now! Let's see if I run into any frequency &/or IP conflicts down the road. So far so good!

I set one of the routers to a manual wireless channel & had conflicting issues with the router that was set to auto channel config. I suppose I could have manually set them both but chose to 1st try them both on auto channel config. We'll see...so far it's working fine this way. It seems as though each wireless router stays away from what would be a conflicting signal from the other.

Prior to reading your reply, I did choose to allow for auto DHCP instead of manually configuring static IP's as you suggested. Again, so far so good. Don't get me wrong...I had to fiddle & fail for a couple of hours before I got this working.

Since my internet & work routers are both Linksys, I needed to change the IP on the work router to avoid duplicate IP's.

So, thanks you very much for your help! I appreciate it!! If you see that I did something very wrong, please let me know.

In regards to double NATting...if I chose to disable the NAT feature on my work router, that would in no way reduce the security of my Airport network, correct? And, the router w/ NAT disabled would basically be acting as a bridge, using the internet router's firewall, so it too would be protected, correct? Granted, maybe not as secure as w/ two firewalls.

I have been reading up on double NAT & have somewhat of an understanding of it but am still not 100%. Any thoughts are welcomed 🙂


Dec 23, 2010 3:12 PM in response to Orange991

I set one of the routers to a manual wireless channel & had conflicting issues with the router that was set to auto channel config. I suppose I could have manually set them both but chose to 1st try them both on auto channel config. We'll see...so far it's working fine this way. It seems as though each wireless router stays away from what would be a conflicting signal from the other.


In the long run, for best bandwidth performance, you will want the radio channels to be as far apart as possible to prevent Wi-Fi interference between networks. You can use utilities like iStumbler and AirRadar for this.

Prior to reading your reply, I did choose to allow for auto DHCP instead of manually configuring static IP's as you suggested.


This should work, but best practice would be to use static IP addresses for routers and wireless access points. Remember the upstream router with DHCP will update these IPs periodically ... and you always stand a chance of "breaking" the network.

In regards to double NATting...if I chose to disable the NAT feature on my work router, that would in no way reduce the security of my Airport network, correct?


Not really as both routers would still be going through the BEFSR41 for Internet access. However, any clients connected to the work router would now be getting the IP addys from the BEFSR41 and be able to "see" any clients connected directly to it.

I have been reading up on double NAT & have somewhat of an understanding of it but am still not 100%.


Nothing really to be excited about as, again, it is nothing more than two NAT-enabled routers in series. In commercial networking, we typically use VLANs to provide multiple networks. The beauty of using them is that they are not restricted to the network's physical layout.
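The following is an added example; it is not from the thread, Apple or Linksys. It models the three-router layout described in the Dec 23 12:11 PM reply (each downstream router with a static WAN-side address on the BEFSR41's LAN, its own DHCP range and NAT) together with the bridged variant of the work router from the Dec 23 3:12 PM reply, and follows a brand-new connection hop by hop using only default routes, which is all consumer routers in series have. Every address, host name and the "printer" on the BEFSR41 are assumptions chosen for illustration. It does not model reply traffic (a stateful NAT lets replies to outbound connections back in), port forwarding or UPnP, and it says nothing about how Apple implements the Guest Network, which the thread notes is undocumented.

```python
"""Reachability model for the three-router, double-NAT layout in this thread:
modem -> BEFSR41 -> {AirPort Extreme, Linksys 2000}, each downstream router
with a static WAN address on the BEFSR41's LAN and its own private LAN.
It follows a *new* connection hop by hop using only default routes, which is
all consumer routers in series have.  Addresses are constructed for
illustration; they are not values from the thread."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Segment:
    """One broadcast domain: a router's LAN side, or the Internet."""
    name: str
    net: IPv4Network
    hosts: dict = field(default_factory=dict)   # hostname -> IPv4Address
    gateway: "Router | None" = None             # router supplying the default route


@dataclass
class Router:
    """NAT router: forwards everything not on its LAN out the WAN side, and
    drops unsolicited traffic to its WAN address because no NAT state exists."""
    name: str
    wan: Segment
    wan_ip: IPv4Address
    lan: Segment
    lan_ip: IPv4Address

    def __post_init__(self):
        self.lan.gateway = self
        self.lan.hosts[self.name] = self.lan_ip  # the router itself answers on the LAN


def trace(routers, src: Segment, dst) -> tuple[bool, str]:
    """Where does a new connection from a host on `src` to `dst` end up?"""
    dst, seg = ip_address(dst), src
    for _ in range(8):                          # more hops than any home layout needs
        if seg.gateway is None:                 # ISP side: private space is not routed
            if any(dst in n for n in RFC1918):
                return False, f"{seg.name}: private destination {dst} is not routable"
            return True, f"{seg.name}: routed toward {dst}"
        if dst in seg.net:
            for r in routers:                   # a downstream router's WAN address?
                if r.wan is seg and r.wan_ip == dst:
                    return False, f"{r.name} WAN side: no NAT state for this flow, dropped"
            if dst in seg.hosts.values():
                return True, f"delivered on {seg.name}"
            return False, f"{seg.name}: no host has {dst}"
        seg = seg.gateway.wan                   # default route: out through the gateway
    return False, "hop limit exceeded"


def thread_layout(work_router_bridged: bool):
    """The thread's topology.  A bridged work router has no LAN of its own:
    its clients are plain hosts on the BEFSR41's LAN."""
    internet = Segment("internet", ip_network("0.0.0.0/0"))
    befsr_lan = Segment("BEFSR41-LAN", ip_network("192.168.1.0/24"),
                        {"printer": ip_address("192.168.1.50")})   # assumed device on the BEFSR41
    befsr41 = Router("BEFSR41", internet, ip_address("203.0.113.10"),
                     befsr_lan, ip_address("192.168.1.1"))
    ap_lan = Segment("AirPort-LAN", ip_network("10.0.1.0/24"),
                     {"macbook": ip_address("10.0.1.10"), "xp-desktop": ip_address("10.0.1.11")})
    airport = Router("AirPort", befsr_lan, ip_address("192.168.1.2"),   # static WAN address
                     ap_lan, ip_address("10.0.1.1"))
    routers = [befsr41, airport]
    if work_router_bridged:
        befsr_lan.hosts["work-laptop"] = ip_address("192.168.1.100")  # DHCP from the BEFSR41
        work_seg = befsr_lan
    else:
        work_seg = Segment("Linksys2000-LAN", ip_network("192.168.2.0/24"),
                           {"work-laptop": ip_address("192.168.2.10")})
        routers.append(Router("Linksys2000", befsr_lan, ip_address("192.168.1.3"),
                              work_seg, ip_address("192.168.2.1")))
    return routers, {"befsr_lan": befsr_lan, "ap_lan": ap_lan, "work": work_seg}


def can_reach(work_router_bridged: bool, src_key: str, dst: str) -> bool:
    routers, segs = thread_layout(work_router_bridged)
    return trace(routers, segs[src_key], dst)[0]


if __name__ == "__main__":
    probes = [("work", "10.0.1.10"),        # infected work laptop -> MacBook
              ("work", "192.168.1.2"),      # -> AirPort's WAN address
              ("work", "192.168.1.50"),     # -> printer on the BEFSR41
              ("ap_lan", "192.168.2.10"),   # MacBook -> work laptop behind NAT
              ("ap_lan", "192.168.1.100"),  # MacBook -> work laptop when bridged
              ("work", "198.51.100.7")]     # -> the Internet
    for bridged in (False, True):
        routers, segs = thread_layout(bridged)
        print(f"\nwork router {'bridged' if bridged else 'running NAT'}:")
        for src, dst in probes:
            ok, why = trace(routers, segs[src], dst)
            print(f"  {segs[src].name:>15} -> {dst:<13} {'yes' if ok else 'NO '}  {why}")
```

Two things the trace makes visible that the thread only states in passing. First, the work laptop cannot open a connection to the MacBook in either variant: the BEFSR41 has no route for 10.0.1.0/24 and sends it toward the ISP, and a connection aimed at the AirPort's WAN address dies at its NAT. Second, anything plugged directly into the BEFSR41 (the assumed printer here) is reachable from both downstream networks, and bridging the work router turns the work laptop into exactly such a host, so the main network's machines can then reach it even though it still cannot reach them.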

Dec 24, 2010 7:25 PM in response to Tesserax

This should work, but best practice would be to use static IP addresses for routers and wireless access points. Remember the upstream router with DHCP will update these IPs periodically ... and you always stand a chance of "breaking" the network.


Which is one of the reasons I went w/ auto config w/ DHCP on all routers. This should keep things flowing w/o my input, no?

In the long run, for best bandwidth performance, you will want the radio channels to be as far apart as possible to prevent Wi-Fi interference between networks. You can use utilities like iStumbler and AirRadar for this.

So then, to avoid extra utilities, might it be better to manually set both routers channels & if so, how far apart? I was thinking that because I don't really know what channels operate best, that the Airport would choose the next best available channels as the Linksys seems to always use channel 1.

Thanks & Merry Christmas!

Dec 24, 2010 11:51 PM in response to Orange991

Which is one of the reasons I went w/ auto config w/ DHCP on all routers. This should keep things flowing w/o my input, no?


Remember routers can be both DHCP clients and DHCP servers. In this case I was referring to using static IPs on all of the downstream routers' WAN sides, regardless of whether they are configured as bridges or not. For those not configured as bridges, configuring them to act as DHCP servers will make configuring the network simpler.

So the main Internet router would be both a DHCP client and server; the AEBSn would just be a DHCP server, and the Linksys 2000 would be neither as it would be bridged. Make sense?

So then, to avoid extra utilities, might it be better to manually set both routers channels & if so, how far apart?


For the 2.4 GHz band, you want at least 3-5 channel separation. Even more the better. So, if one is operating on channel 1, use 6 or 11 for the other.

For the 5 GHz band, if one is operating on channel 149, the next available (153) would be fine. Note: The higher channels on this band operate at a higher power.

I was thinking that because I don't really know what channels operate best, that the Airport would choose the next best available channels as the Linksys seems to always use channel 1.


... and this may be perfectly acceptable performance-wise. To be more accurate, you would want to use a utility like iStumbler or AirRadar to determine if there are other Wi-Fis operating nearby. You would then note the ones with the strongest signal and what channel they are operating on. Then set your channels to be different. Most of the time, the "Automatic" mode does a decent job of figuring this out for you ... but it's not 100% perfect.

You're very welcome & Merry Christmas to you too!
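As an added example (not from the thread), the channel-spacing advice above turned into a small chooser: given what a scanner such as iStumbler or AirRadar shows (SSID, channel, signal in dBm), it scores each candidate channel by how much of its 22 MHz band overlaps the neighbours, weighted by their received power, and picks the quietest of 1, 6 and 11. The 22 MHz 802.11b/g signal width and the mW weighting are assumptions of the example, and the scan list in demo_scan() is constructed.

```python
"""Choose a 2.4 GHz channel for a second access point that overlaps least with
the networks a scan can see.  2.4 GHz channel centres are 5 MHz apart but an
802.11b/g transmission is about 22 MHz wide, so two channels interfere unless
they are at least five apart; 1, 6 and 11 are the usual non-overlapping set.
The scan results in demo_scan() are constructed for illustration."""

CHANNEL_SPACING_MHZ = 5
CHANNEL_WIDTH_MHZ = 22          # assumption: 802.11b/g spectral mask width
CLEAR_CHANNELS = (1, 6, 11)


def overlap(ch_a: int, ch_b: int) -> float:
    """Fraction of one channel's band that the other covers: 1.0 on the same
    channel, 0.0 once the centres are 22 MHz (five channels) apart."""
    separation = abs(ch_a - ch_b) * CHANNEL_SPACING_MHZ
    return max(0.0, (CHANNEL_WIDTH_MHZ - separation) / CHANNEL_WIDTH_MHZ)


def interference(channel: int, scan) -> float:
    """Sum of overlap weighted by received power in milliwatts, so a -40 dBm
    neighbour counts a thousand times more than one at -70 dBm.
    scan: iterable of (ssid, channel, rssi_dbm)."""
    return sum(10 ** (rssi / 10) * overlap(channel, ch) for _ssid, ch, rssi in scan)


def pick_channel(scan, candidates=CLEAR_CHANNELS) -> int:
    """Return the candidate channel with the least weighted overlap."""
    return min(candidates, key=lambda ch: interference(ch, scan))


def demo_scan():
    # Constructed: the Linksys from the thread sitting on channel 1, plus two
    # neighbours' networks on 6 and 9 with weaker signals.
    return [("Linksys-work", 1, -35), ("NeighbourA", 6, -70), ("NeighbourB", 9, -75)]


if __name__ == "__main__":
    scan = demo_scan()
    for ch in CLEAR_CHANNELS:
        print(f"channel {ch:2d}: weighted interference {interference(ch, scan):.2e}")
    print("use channel", pick_channel(scan))
```

With the constructed scan the strong Linksys on channel 1 rules out 1, and the neighbour on 9 leaks into 6 and 11 alike, but 11 wins because the weak network on 6 sits exactly on that channel. Feed the function your own scanner's list to get the same answer for your house.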
