Isolating the work computer

Tags: networking, router, subnet, wireless-networking

My employer has supplied me with a work computer, a MacBook, which contains classified/proprietary information. I would like to connect it to my home network, but am worried that a) My employer could record or monitor traffic from other connected devices or b) Users who connect to my home network could access data/traffic from my work computer.

How could I go about isolating my work computer without sacrificing internet speeds and stability? I’m imagining some kind of isolated subnet or inter-subnet firewall, or perhaps just putting it on a guest network? If it matters, I have a Netgear Nighthawk router and Verizon FIOS.

Best Answer

There are a handful of approaches, from the most overkill to least overkill:

  1. Completely separate ISPs and network hardware. E.g., purchase a business internet line, connect its modem to a separate router, connect your MacBook to that router. Conceptually the simplest, but also the most expensive.
  2. Same ISP, separate hardware. E.g., there is at least one shared piece of hardware (typically a router) that handles partitioning the home and work networks, and this is its only purpose. This router would route to home and work routers which then handle their respective devices. Requires more hardware, and configuring that hardware.
  3. Same ISP, same hardware, with VLANs. E.g., you can use your existing router, and configure it to use a separate "work" VLAN for specific ports. With this configuration, both networks are meant to appear physically isolated; that is, they could both utilize the same subnets. Requires hardware that supports VLANs. Oftentimes this is a commercial feature not available on consumer hardware.
  4. Same ISP, same hardware, separate subnets. E.g., work is on 192.168.1.0/24, home is on 192.168.2.0/24. Configure firewall to not permit traffic between these subnets. There may be configuration involved in setting up DHCP servers and WAN IPs for each individual network, and consumer routers may or may not expose this ability.

I'd start with option 4. If your router supports defining multiple wireless networks with different SSIDs, then this is typically how they implement it (separate subnets, firewalled off from each other) and will likely be sufficient.

If nothing else, setting up a "guest" wireless network with a password that has no other limitations on bandwidth that your work machine connects to will likely suffice.
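Worked example for option 4, added here as an illustration and not part of the answer above (and not a Nighthawk configuration): an nftables ruleset for a Linux-based router (OpenWrt or similar) with the home LAN and the work LAN on separate interfaces and separate subnets. The interface names br-home, br-work and eth0, the use of nftables, and the subnets from the answer are assumptions. The forward chain's default policy is drop, so each LAN can reach the WAN but neither can open a connection to the other, which covers both worries in the question: the work machine cannot see home traffic, and home devices cannot reach the work machine. The same rules apply unchanged to option 3 if the two LAN interfaces are VLAN sub-interfaces.

```shell
#!/bin/sh
# Added example (not from the original post): generate an nftables ruleset that
# isolates a "work" subnet from a "home" subnet on one Linux router, plus two
# checks. Interface names, subnets and the 1.1.1.1 reachability probe are
# assumptions; adjust them to the router in use.
WAN_IF=${WAN_IF:-eth0}
HOME_IF=${HOME_IF:-br-home}
WORK_IF=${WORK_IF:-br-work}
HOME_NET=${HOME_NET:-192.168.2.0/24}
WORK_NET=${WORK_NET:-192.168.1.0/24}

gen_isolation_ruleset() {
cat <<EOF
# home LAN: $HOME_NET on $HOME_IF   work LAN: $WORK_NET on $WORK_IF   WAN: $WAN_IF
flush ruleset
table inet isolate {
    chain forward {
        type filter hook forward priority 0; policy drop;
        # Replies to flows that were allowed to start; new LAN-to-LAN flows
        # never get past the drop rules below, so no such state ever exists.
        ct state established,related accept
        ct state invalid drop
        # Both LANs may reach the internet...
        iifname "$HOME_IF" oifname "$WAN_IF" accept
        iifname "$WORK_IF" oifname "$WAN_IF" accept
        # ...but never each other (explicit; the drop policy would cover it too).
        iifname "$WORK_IF" oifname "$HOME_IF" drop
        iifname "$HOME_IF" oifname "$WORK_IF" drop
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # Router services every LAN needs: DHCP, DNS, ping.
        iifname { "$HOME_IF", "$WORK_IF" } udp dport { 53, 67 } accept
        iifname { "$HOME_IF", "$WORK_IF" } tcp dport 53 accept
        iifname { "$HOME_IF", "$WORK_IF" } icmp type echo-request accept
        # Router admin UI is reachable from the home LAN only, not from work.
        iifname "$HOME_IF" tcp dport { 80, 443 } accept
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "$WAN_IF" masquerade
    }
}
EOF
}

lan_to_lan_accept_count() {
    # Static lint on the generated text: any rule accepting traffic between the
    # two LAN interfaces, in either direction, would defeat the isolation.
    gen_isolation_ruleset | grep -c -E \
        "iifname \"($HOME_IF|$WORK_IF)\" oifname \"($HOME_IF|$WORK_IF)\" accept" \
        || true
}

check_isolation_from_work_host() {
    # Run this on the work laptop once it sits on the work subnet. A home host
    # (default: a web UI at 192.168.2.1) must be unreachable while the internet
    # (probe: TCP 443 to 1.1.1.1, an assumed reachable host) still works.
    home_host=${1:-192.168.2.1}
    if nc -z -w 2 "$home_host" 80 2>/dev/null; then
        echo "FAIL: $home_host:80 reachable from the work subnet"
        return 1
    fi
    if ! nc -z -w 2 1.1.1.1 443 2>/dev/null; then
        echo "FAIL: internet not reachable from the work subnet"
        return 1
    fi
    echo "OK: home LAN blocked, internet reachable"
}
```

Write the ruleset out with `gen_isolation_ruleset > /etc/nftables.conf` and load it with `nft -f /etc/nftables.conf`; `lan_to_lan_accept_count` should print 0 before anything is loaded, and `check_isolation_from_work_host` is the end-to-end check from the MacBook itself. The drop rules are listed explicitly even though the chain policy already drops, so that a later "accept" added above them by mistake is easy to spot in a review.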
