In-store wireless security question

So my father-in-law owns a restaurant franchise and wanted to offer free wireless internet to his customers. Right now he has a router and his store PC attached to it via CAT-5. I was thinking of attaching a WAP to the router for the customers to use.

But here's my dilemma: his store PC is also used for processing credit-card transactions, and transmits info over the internet to the processing center. Right now it is the only PC on the LAN and it is hardwired to the router. Is it safe to allow users wireless access to the LAN in this situation, or am I playing with fire here?
 
You are playing with fire, and a lot of it. Any wireless access should be on a separate network and some form of security device should restrict any access from the wireless network to the network you are using to send the sensitive data. The last thing you want is for some nutball playing with ettercap to decide he is going to play man in the middle with your router and everyone else and start capturing that traffic.
 
Definitely a bad idea. Take a look into PCI compliance standards if you haven't already, since one of the main criteria is to have a secure network. Doing what you're proposing would definitely violate that secure network criterion!

I would definitely suggest a separate internet connection if he wants to offer free wireless.
 
I'll have to check for the specific brand, but I believe it's one of those modem/routers that Comcast hooks up for business-class accounts.

OK... May or may not support advanced stuff like ACLs or VLANs... If not and you can flash a custom firmware to it, you could put Tomato or DD-WRT on it or something.
 
OK, I spent the day reading up on VLANs. I was toying with the idea of getting a different router (the Comcast one doesn't really have a lot of features), but after I told him about the potential problems, he's not so hot on the idea any more (he's still pretty shaken up from having his identity stolen last year).

Thanks for pointing me in the right direction though, at least I knew the original idea didn't sound safe. I learned a lot today that I can probably use in the future. :)

Thanks again!
 
You just need to let him know it's possible, you just need to restrict access down. And getting another router might be the route you need to take, no idea what model router that is or anything, but DD-WRT or Tomato firmware adds tons more functionality.

You'd basically be sticking the WAP in a DMZ of sorts.
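
The separation the replies describe (guest wireless on its own network, with the router refusing anything from it toward the card-processing LAN) can be sketched as firewall rules. This is an added example, not part of the original thread: it assumes a Linux-based router firmware with iptables, a guest access point on its own bridge, existing NAT on the uplink, and the interface names `br0`, `br1` and `vlan2`, all of which are placeholders to adjust.

```shell
#!/bin/sh
# Added example: guest Wi-Fi isolation rules for a Linux-based router.
# Interface names are assumptions; override them via the environment.
LAN_IF="${LAN_IF:-br0}"       # wired LAN with the card-processing PC (assumed name)
GUEST_IF="${GUEST_IF:-br1}"   # bridge/VLAN the guest access point sits on (assumed name)
WAN_IF="${WAN_IF:-vlan2}"     # uplink to the ISP (assumed name)

# Print the rules rather than applying them, so they can be reviewed first.
guest_isolation_rules() {
    cat <<EOF
iptables -N GUEST_FWD
iptables -I FORWARD -i $GUEST_IF -j GUEST_FWD
iptables -A GUEST_FWD -o $WAN_IF -j ACCEPT
iptables -A GUEST_FWD -j DROP
iptables -I FORWARD -i $LAN_IF -o $GUEST_IF -j DROP
iptables -I FORWARD -i $WAN_IF -o $GUEST_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -N GUEST_IN
iptables -I INPUT -i $GUEST_IF -j GUEST_IN
iptables -A GUEST_IN -p udp --dport 67 -j ACCEPT
iptables -A GUEST_IN -p udp --dport 53 -j ACCEPT
iptables -A GUEST_IN -p tcp --dport 53 -j ACCEPT
iptables -A GUEST_IN -j DROP
EOF
}
# What each group does:
#   GUEST_FWD: guests may be forwarded only to the internet uplink;
#              anything else, including the wired LAN, is dropped.
#   LAN->GUEST drop: the store PC cannot open connections to guest devices.
#   conntrack rule: reply traffic from the internet back to guests is allowed.
#   GUEST_IN:  guests may ask the router for DHCP and DNS only, so the
#              router's admin interface is unreachable from the guest side.

case "${1:-}" in
    --apply) guest_isolation_rules | sh ;;   # run on the router as root
    *)       guest_isolation_rules ;;        # default: show the rules only
esac
```

Guest-to-guest traffic on the same access point never reaches these rules, so client isolation on the access point itself is a separate setting.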
 