Router Question: Separating a computer from a network

[doubleaxel195]

I want to separate my computer from the rest of the network in my home. I'm really scared about getting viruses through the home network because of other people in my family. I want a computer to use that I know will be safe for dealing with money online. Any ideas?

 

[fss]

I want to separate my computer from the rest of the network in my home. I'm really scared about getting viruses through the home network because of other people in my family. I want a computer to use that I know will be safe for dealing with money online. Any ideas?

What you want to do makes no sense. Malware comes from the internet, not from other machines on the same network segment. If you want your computer to be safe, don't connect it to the internet period.

 

[TylerH]

fss is right. If you don't want anything bad to happen to your computer, it's best to leave it disconnected from the internet. Even if they did get some malware, it would have to be a worm to infect your computer over a network. Worms work just as well over the internet as any other network, so you're not really gaining anything. You could always dual boot Linux. I've never heard of a worm for Linux (not to say they don't exist).

That said, sometimes this is not an option. To do what you want to do, I think what you need is to set up a VPN. They're not impervious to tampering, so there's no guarantee they'll work for what you want, but they concept behind them is exactly what you're asking for.

 

[jhae2.718]

While the source of malware is ultimately the Internet, it is possible to get infected from other computers on the same network. (Trust me, it's amazing how fast a worm propagates through a network.) Offline sources of infection include such things as autorun malware from USB sticks.

The fact is, a computer attached to a network cannot be considered secure. There are too many unknown zero-day vulnerabilities that can be exploited. However, you can reduce your risks. If you have a firewall you can block incoming connections from the other computers on your network. What you really want is defense-in-depth. A good software firewall that monitors incoming and outgoing connections, a good AV, locked down Windows, running as a limited user and using UAC to elevate to admin rights, encrypting important data, using strong passwords, minimizing threats by limiting software used, etc. Limiting the software you run reduces the "surface area" available to attack. Try to avoid Adobe software, as it is buggy and full of security holes. Keep the computer up-to-date.

Since you seem concerned with the security of your family's computers, why not offer to keep them clean, etc?

If you're really paranoid, create a known clean image and reimage the computer at each boot. You can also switch to a Unix-like OS, which are more secure than Windows in many ways.

When doing any online transactions, make sure that your connection is encrypted, preferably with AES-128 or AES-256. (This will be out of your control and will depend on the capabilities of your bank's servers.)

 

[doubleaxel195]

I know nothing will be 100% secure unless I do disconnect my computer from the internet, but I am willing to take as many safeguards as I can.

I already use a separate computer for business transactions, which is different from my personal computer. I don't download any software that I do not need on the business computer and I don't surf the internet on that computer either other than the financial websites that I visit. So my main concern is the other computers on the network. Twice this year, I have had to reformat and reinstall windows for people in my house because they got a virus that I couldn't get rid of. So keeping their computers clean would be too much of a hassle for me because they aren't very internet savvy to put it nicely.

Has anyone heard of connecting a second router to the main router to segregate a computer? Wouldn't that provide a layer of defense for any would be worms? By the way, I'm not that knowledgeable about networking.

I will look into your guys' suggestions and I'm sure I'll have questions. Thank you very much for your time. Any more responses will be greatly appreciated.

 

[TylerH]

Twice this year, I have had to reformat and reinstall windows for people in my house because they got a virus that I couldn't get rid of. So keeping their computers clean would be too much of a hassle for me because they aren't very internet savvy to put it nicely.

I don't think that's a good study case. Just because it's likely for people who know what they're doing to install trojan horses doesn't mean it's likely to get a worm. Worms are exceedingly rare; I've never had one, and I take no precautionary measures. That said, I use Ubuntu 90% of the time.

Has anyone heard of connecting a second router to the main router to segregate a computer?

That would work. It will be the equivalent of a VPN, but maybe a little harder to crack. Like I said, there's no sure fire method. For example, the network traffic on the outer network, the one with the infected computers on it, coming from your inner router, the one your "secure" computer is on, could be manipulated by an infected computer to do whatever they would have done if you were on the same network. VPN is defeated in essentially the same manner. Packet sniffing (the act of intercepting information on a network) works just as well whether the sending party is a router or a computer.

 

[DavidSnider]

What OS are you running? Windows 7 and Vista are pretty unlikely to be remotely exploited by a virus when they are kept patched and you have a personal firewall. I haven't had a remote exploit happen in at least 5 years. Also, make sure the user you do 90% of your work with is not running with admin privileges, what you think might be other people on your network could very well be you just picking stuff up off the net.