Is my network protected in using an anti-virus on all computers but what if a guest accesses my wifi?

[ymc226]

A recent thread recommended ESSET as a good antivirus program for the Mac. We only have Macs and would get a subscription for most of my Macs so they are protected. I do also have 3 NAS devices attached to our network (1 old Drobo FS and 2 new Synology units). If I let a guest sign on to our wireless network, if their computer is compromised, would that put the data on my NAS at risk or am I worrying about nothing?

My home system is Ubiquiti using a Dream Machine Pro as the router, a Switch PRO PoE 24 to distribute the signal and with 6 wireless access points (one in each bedroom + living room and family room). Each access point also has 2 ethernet ports where the guest could plug into. I did create several different wifi networks for the house and only give the guest access to one of them.

We have guests quite often who of course need wifi access. My issue is I don't want to pay for all the subscriptions for the anti-virus if any guests who bring their own computers and inadvertently compromise my network with its attached devices.

 

[atikovi]

My issue is I don't want to pay for all the subscriptions for the anti-virus if any guests who bring their own computers and inadvertently compromise my network with its attached devices.

Is it even possible that if your guest's computer has a virus it would automatically transfer to your computer? Wouldn't they have to send you an attachment that you would have to open?

 

[Hall]

Don't allow access to your NAS. Set up a "guest" WiFi if you have to with no visibility to the NAS devices.

 

[Owen Lucas]

Your network isn't using an anti-virus, just your computers. So if a guest user connects to your network, causing havoc depends on their skill level if they want to be malicious. If their computer is infected with something, I don't see how they would infect your computers unless they share files or links. Anything is possible with computers but I think this scenario is unlikely.

I guess one way to isolate yourself is adding a second router for guests instead of using guest access on your regular modem to completely separate users from that entry point? This might be a good way of separating IOT devices (that don't get updated) from interacting with your regular network as well.

 

[javacontour]

My guest WiFi is a separate network. Guests never see my computers when they use the guest WiFi.

 

[javacontour]

I don't think your network per-se is using an anti-virus, just your computers. So if a guest user connects to your network, causing havoc depends on their skill level if they want to be malicious. If their computer is infected with something, I don't see how they would infect your computers unless you share files or links. Anything is possible with computers but I think this scenario is unlikely.

I guess one way to isolate yourself is adding a second router for guests instead of using guest access on your regular modem to completely separate users from that entry point?

Or it's just built into the router. It puts the Guest WiFi on a different network.

So you home might be 192.168.1.0/24 while your guests get 10.1.1.0/24

The router never lets the guests on your network.

 

[Hall]

I don't see how they would infect your computers unless you share files or links. Anything is possible with computers but I think this scenario is unlikely.

Not unlikely at all. Virii, malware, etc can traverse networks and potentially infect any devices on that network.

 

[mez]

for a side note, What Ubiquiti AP are you using? I just hooked up 2 Ubiquiti UniFi AP AC Pro (UAP-AC-PRO-E-US). Not much vendor support. Thanks

​

​

 

[Dave9]

Not unlikely at all. Virii, malware, etc can traverse networks and potentially infect any devices on that network.

Still unlikely regardless of being possible. Separate network on guest wifi is enough for practical purposes, EXCEPT, if the data on the NAS is valuable, the more prudent thing to do is have an offline copy of it, not just relying on online redundancy, especially on the same NAS.

 

[Hall]

Still unlikely regardless of being possible. Separate network on guest wifi is enough for practical purposes, EXCEPT, if the data on the NAS is valuable, the more prudent thing to do is have an offline copy of it, not just relying on online redundancy, especially on the same NAS.

Comment I was responding to didn't refer to a separate guest network. It was phrased as if a guest comes over and asks "what's your WiFi password?" and they get on the same network as all of the other devices.

 

[Silver]

If they don't need access to your clients, definitely don't give it to them for a multitude of reasons including virus spreading. As mentioned, a guest account with no access to your data is the thing to do.

 

[Owen Lucas]

Or it's just built into the router. It puts the Guest WiFi on a different network.

So you home might be 192.168.1.0/24 while your guests get 10.1.1.0/24

The router never lets the guests on your network.

Is there a risk of still being on the same router, are the networks sandboxed from each other on the same machine? I'm sure anything is possible but in a "likely" scenario, lets say if the router firmware is not updated or someone being skilled enough to bypass safeguards. I'm not a network specialist by any means and I have been wondering about this for a while.

I personally would prefer to have all secure computer based traffic on router 1 and then IOT and guest on Router 2 if that makes sense?

The setup I'm thinking of is modem -> switch -> router 1 & 2, or is this a waste of time.

 

[uc50ic4more]

Is it even possible that if your guest's computer has a virus it would automatically transfer to your computer? Wouldn't they have to send you an attachment that you would have to open?

Not at all. Any virus worth its salt will scan for open ports on networks and wreak havoc with no user interaction required.

With that said, antivirus on a Mac or Linux system seems a bit... Unnecessary.

 

[simple_gifts]

Not unlikely at all. Virii, malware, etc can traverse networks and potentially infect any devices on that network.

On a home network scenario with a guest network, there is "zero chance" a virus can propagate to another network segment through normal network routing. The virus would have to exploit a vulnerability of the firmware of the switch/firewall/router. 192.168.1.0/24 10.1.1.0/24 et al are non routable network segments Normal networking tables will not route it and if those networks need to talk to each other explicit routes have to be set up. It appears my comments have already been made by O.L.

 

[Hall]

On a home network scenario with a guest network

There's no indication that the OP has an actual WiFi guest network set up currently. He/she said they have guests come over and use their WiFi but that could be "what's the WiFi password?" and using the primary WiFi network.

My 1st response to them said "Set up a "guest" WiFi".

 

[atikovi]

Tell them to use data. I'd have no idea how to even set up a guest wifi.

 

[ymc226]

Thanks for all the responses. I just googled and found how to set up a guest network on the Ubiquiti site. By definition, does a guest network just provide WiFi access but no possibility to get on the home network and see any of the devices connected? If so, this may be the answer. Just have to tell my wife and kids not to give out our present passwords and log into whatever guest network I set up.

 

[ymc226]

for a side note, What Ubiquiti AP are you using? I just hooked up 2 Ubiquiti UniFi AP AC Pro (UAP-AC-PRO-E-US). Not much vendor support. Thanks

​

​

I’m using the UAP AC IW which are the older in wall models.

 

[Hall]

By definition, does a guest network just provide WiFi access but no possibility to get on the home network and see any of the devices connected?

Yes. You have a LAN (Local Area Network) and WAN (Wide Area Network). You and your family want access to both (each other's computers, NAS, etc) and "the internet" (WAN) while guests only need WAN access. That's in simple, layman's terms.

 

[OVERKILL]

Thanks for all the responses. I just googled and found how to set up a guest network on the Ubiquiti site. By definition, does a guest network just provide WiFi access but no possibility to get on the home network and see any of the devices connected? If so, this may be the answer. Just have to tell my wife and kids not to give out our present passwords and log into whatever guest network I set up.

Yes, the idea is that the guest network is on its own subnet with L3 routing between the two blocked by the main firewall/router. Typically you'd employ client isolation as well so that guests can't communicate with each other on that segment as well (for the same concerns you articulated in the OP).