Network security - small business

Let's start with this:

[Image: TejRJ5F.png]


That's a rough idea of our setup.

The router is a standard issue Netgear model from BT. It's so old it doesn't have wireless.
The switch is just a cheap & cheerful hub.

We need to up the security on the wired network for the PCs, alarm system and payment machine.
We have a few older devices on the wireless network still, but these don't need to be secure.
Allowing customers access to the wireless would be a bonus.

I'm thinking I need to get a new wireless router which allows different SSIDs for the wireless connections, or perhaps incorporate a VLAN somehow, and split the network into two separate networks. I'm favouring this, but not sure what equipment I need?

Basically the red circle needs securing. Any advice please guys?
 
Thanks for your input, but that's not going to happen. I've told the boss it needs improvement, he's asked me to do it. He wants to do it as cheap as possible. I'm the most computer literate person there.

We are a very small company, we don't keep any payment details, only customer name/address/contact details.

The pic should have said hub, not switch.

I had a look at the DrayTek router and looks like it'll fit the bill OK. Their AP900 access point looks good as well - still need to have a look at UniFi.
 
If you are taking card payments I thought for compliance it has to be as separate as possible.


This is the main reason for this upgrade. Our original machine connected to the phone line, but the new one is ethernet. This is why I thought I'd try and split the network, keep one for the office PCs and payment machine, and another for the wireless side of things. That way our 'unsafe and insecure' wireless bits will be separate from the payment machine.
 
Yes, a single PDQ.

The alarm uses the internet and its own 3G connection to alert the alarm company when it sounds.

As far as I've been told, we need to make sure the PDQ is as secure as possible.

We have some old machines running on XP which are connected wirelessly to the AP. Now my thoughts are: XP is no longer updated, and Chrome has now decided to stop updates on XP machines. In my mind, these computers aren't considered secure.
 
The PDQ uses the internet via Ethernet. I completely agree with not going overkill and having it on its own dedicated line.

So I need a new wireless router which supports numerous VLANs, a switch, and a new AP which can also support multiple SSIDs.
 
Thanks for all the input.

I've got a lot of reading to do this weekend. I'll double check on Monday which standards need to be met.
 
I consider the wireless side to be insecure because of the outdated hardware/software connected to it. And like you say, this exposes the entire network.
 
While I'm here, does anyone know of a rugged AP? The AP will be in the workshop which gets cold, sometimes damp, and very dusty.
 