2

I am considering renting out a room in my house (I'm the owner). One issue is about providing WiFi. I have Comcast Wifi.

I have asked another person who told me they give the renter a guest password (not sure who the provider is).

My concern is if they (or maybe one of their friends) do something in my network. Also, I don't want to be the go-to person every time something goes wrong -- my Wifi has been fine so far -- don't know if higher usage might change this. If I did this, I'd be specific in the lease that nobody else (friends) can use the WiFi.

I called Comcast twice, and basically they don't have an answer. The guest password seemed iffy -- I wasn't clear on it, and it sounds like it's temporary.

What would be a safe way to provide WiFi to a room renter? Or is it better just to have them get their own mobile hotspot and not deal with this issue?

SilverlightFox
N.M.
  • Watch out as with Comcast you have data caps which means your guest may make your bill explode. If you do indeed have those data caps either invest in a plan without them or just let the guest provide their own Internet. – André Borie Sep 12 '16 at 23:12
  • As far as providing internet access I would suggest avoiding the ISP's router (they are notorious for being insecure) and investing in a proper secure router. OpenWRT or a basic Linux box would do it, or Cisco/Ubiquiti hardware but that's quite expensive. – André Borie Sep 12 '16 at 23:13

4 Answers

2

In order to properly secure yourself from guests, you'd want the guest AP on a separate network (e.g. a VLAN) and you would block access to/from the rest of your home network to the guest network. You'd want a dedicated router or firewall that can implement some form of usage caps and enforce network access controls. Unfortunately these things all carry a price tag - which can be minimized at the expense of time and effort.

I think you just have to trust your house guests. Depending on where you live you may also be able to protect yourself with some form of a written agreement with the guests.

  • What about potential malicious software on their computer though? I would advise against trust unless you are confident the person is experienced enough to keep their devices clean. – André Borie Sep 13 '16 at 07:59
1

You can get home wifi routers that offer 2 separate wifi networks (one for main use, one for guests). The networks cannot talk to each other, (and the guest has no access to the admin console) so this offers the separation you want, without a lot of hassle.

This sounds like what Comcast is offering, but you need more details from them. Apple makes one, as well as D-Link.

schroeder
  • I wouldn't recommend [trusting consumer-grade network gear](http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/), let alone ISP-provided garbage (which is often the former but with a different name and even worse firmware). – André Borie Sep 15 '16 at 17:19
  • @AndréBorie Yes, there are crappy vendors, but high quality ones, too. – schroeder Sep 15 '16 at 19:23
  • Any examples? So far all the consumer-grade network equipment I've seen have disappointed me... – André Borie Sep 16 '16 at 21:14
0

I'll argue for the same argument as Cameron Miller: Trust is probably your best bet. It stems from one of my favourite quotes:

In a networked world, trust is the most important currency. -- Eric Schmidt

(not extremely relevant to computer networking, but hey)

Theory

Basically, the perfect option for network security is to have both:

  • a network that is as secure as you can make it (it will never be 100% secure of course);
  • and also have high trust in all members of the network.

This is often a possible scenario in an organization: you have network security people that actively ensure that the network is running well, and you have competent employees (which you treat well to reduce risks of a rogue employee). In simple words: in this environment, network security appliances do not reduce the trust people in the network have of the network administrator.

Applied to the household

In a household I'd argue that adding network security appliances will reduce the trust of your flatmate in you (which in turn reduces your trust in him). We just had a question about such a situation.

This may not be a bad thing, if the network security appliances perform better than trust then it is a good investment. Yet, if I had a flatmate whom I'd trust so little to go to the extent of buying expensive equipment to protect the network, I would move. The threat model most appealing is malware on your flatmate's computer, yet if you guys trust each other you could talk about network security yourselves. This is analogous to network security training in an organization.

All this and following is under the following assumption:

Your flatmate is not a teenager that would go to random porn websites and then be ashamed to admit he did.

Finally let's count the costs of giving up trust and going with a hardware+software solution:

  1. Trying to implement a VLAN on three NICs is a hopeless situation, there is absolutely no way of performing this. You will need extra equipment.
  2. An industry grade router that has more than two NICs (one for LAN one for WAN) is pretty expensive, and I really mean expensive. Even most (non-security related) organizations do not use such routers. For example: my university (the main network of it) connects all 10k students and staff into the same network through several APs, then monitors the network, no VLANs.
  3. It is likely to be cheaper to buy three customer grade routers and connect them together.

Note that under the threat model of malware on your flatmate's computer, the above is not very secure either. Assuming that the malware has full control of his machine he becomes an insider attacker. An insider can brute-force router admin interfaces for example.

Conclusion

It is a lot easier to chat to your flatmate in the morning and ask:

Dude, your machine is trying to send packets to mine. You got infected with something, want me to have a look later?

Adding all the network security on top of your current network will reduce the chance that your flatmate will answer:

Yeah, let's do it

In terms of risk management that reduction is a reduction in the security of your network.

Therefore the costs of adding extra hardware (and software) into the network to secure it better far outweigh the added benefits, since the benefits are vastly reduced by the reduction in trust.

Extra notes

  • Kill Comcast, seriously, kill that with fire.
  • This answer does not apply at all for a professional environment
grochmal
  • There are simple, cheap, non-invasive technologies to provide separation. You appear to assume that it's impossible, too expensive, and ineffective. I challenge your assumptions. – schroeder Sep 14 '16 at 06:52
  • @schroeder - I'm more-or-less talking from experience. I'm talking right now through a router which has a possibility to create two SSIDs but those are not two networks in my book since they share the same subnet and NIC. Since the router has just a single LAN NIC you can still talk between the two SSIDs (and it will be pretty difficult to configure a firewall inside the same subnet, moreover with DHCP). – grochmal Sep 14 '16 at 10:01
0

To be safe from un/intentional harm from providing Internet to your guest you need:

  1. Physical security of the network equipment: This is obvious as any security setup is pointless if the guest can directly connect his/her computer to your router

  2. Isolation of the guest's devices from yours: So any virus/attack cannot affect your machines

  3. Ability to monitor bandwidth usage and throttle: In case you have a usage cap and/or have your connection saturated by your guest.

  4. (Optional) Ability to limit the devices connected by your guest

  5. (Optional) Isolate your guest's traffic: So any illegal stuff your guest does is clearly distinguishable from yours

For requirement 1 you can lock your router in a cabinet and the guest network solves requirement 2. Most routers support MAC address access control, which is probably the only way a consumer can achieve 4.

Some routers can do 3, but rarely ISP-provided ones. You'll need another router or a PC running a Linux router distro. For 5, you'll need the above plus a VPN or a separate IP. You may need professional help for these.

billc.cn
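
Requirements 2, 3 and 4 from the answer above, together with the separate guest segment the first answer describes, written as an nftables ruleset for a Linux box acting as the router. This is an added example, not code from any of the posters; the interface names, MAC addresses and rate limit are assumptions.

```nftables
#!/usr/sbin/nft -f
# Constructed example. Assumed interfaces: wan (uplink), br-lan (owner),
# br-guest (renter SSID/VLAN). MAC addresses and the rate are placeholders.
# IPv4-only setup assumed; add ICMPv6 rules before enabling IPv6.
flush ruleset

table inet homegw {
    # Requirement 4: devices the renter registered (placeholder MACs).
    # MAC addresses can be cloned, so this only stops casual extra devices.
    set guest_macs {
        type ether_addr
        elements = { 02:00:00:00:00:01, 02:00:00:00:00:02 }
    }
    # Requirement 3 (monitoring): read with "nft list counters".
    counter guest_up { packets 0 bytes 0 }
    counter guest_down { packets 0 bytes 0 }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        iifname "br-lan" accept
        # Guests get DHCP and DNS from the router and nothing else:
        # the admin interface and SSH fall through to policy drop.
        iifname "br-guest" udp dport { 53, 67 } accept
        iifname "br-guest" tcp dport 53 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        iifname "br-guest" ether saddr != @guest_macs drop
        # Requirement 3 (throttle): crude policer, packets over the rate are dropped.
        iifname "br-guest" limit rate over 2 mbytes/second drop
        oifname "br-guest" limit rate over 2 mbytes/second drop
        iifname "br-guest" oifname "wan" counter name "guest_up"
        iifname "wan" oifname "br-guest" counter name "guest_down"
        ct state established,related accept
        iifname "br-lan" oifname "wan" accept
        iifname "br-guest" oifname "wan" accept
        # Requirement 2: no rule forwards br-guest <-> br-lan, so policy drop
        # isolates the two segments in both directions.
    }
}
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "wan" masquerade
    }
}
```

The guest SSID has to be bridged to its own interface with its own subnet for these rules to apply; two SSIDs that share one bridge and subnet never pass through the forward chain.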