Odd timing. I just emailed BOL about this. The link you provided to GRC doesn't work.
The proper way to allow both WEP and WPA encryption on your network without exposing your personal equipment to hackers requires three routers in a Y configuration. I'll try to explain this succinctly and without too much technogarble.
The reasons for the Y configuration are subnetting and firewalling. Consumer routers each have an outside address and an inside address. The outside address is your public IP - the address visible to everyone on the internet. The inside address is a private address, and only you have access to it. Data cannot pass from the outside into the inside unless it's explicitly allowed or requested by a computer on the inside.
The way to set this up is to connect the first router (with no wireless or wireless disabled) to the DSL or cable modem. It will act as the last gateway. Your WPA router and WEP router then plug into this first router. All the equipment that you want protected gets connected to the WPA router, and the stuff you don't care about (Nintendo DS, etc.) connects through the WEP router.
Each router must give out different private IP addresses. That way, data cannot pass from the WEP router to the WPA router. The equipment inside the WPA router is essentially invisible to the WEP router. So if someone does decide to hack your WEP encryption, all they'll be getting is access to the internet, and not access to your equipment.
Jerad from Indiana
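The Y layout described in the post above can be checked on paper before any cabling. This is an added example, not part of the original post: the subnets, addresses and function names are assumptions chosen for illustration, and the reachability rule is a simplified model of the "nothing passes inward unless requested" behaviour the post describes.

```python
import ipaddress

# Constructed addressing plan (assumed values, not from the post).
PLAN = {
    "edge": {"lan": "192.168.0.0/24", "wan": None},             # wireless off, faces the modem
    "wpa":  {"lan": "192.168.10.0/24", "wan": "192.168.0.10"},  # protected equipment
    "wep":  {"lan": "192.168.20.0/24", "wan": "192.168.0.20"},  # Nintendo DS, etc.
}

def check_plan(plan):
    """Return a list of problems with the Y layout; empty means the plan is sound."""
    problems = []
    nets = {name: ipaddress.ip_network(r["lan"]) for name, r in plan.items()}
    names = sorted(nets)
    for i, a in enumerate(names):
        if not nets[a].is_private:
            problems.append(f"{a}: LAN {nets[a]} is not a private range")
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b}: LANs overlap")
    for leg in ("wpa", "wep"):
        wan = ipaddress.ip_address(plan[leg]["wan"])
        if wan not in nets["edge"]:
            problems.append(f"{leg}: WAN {wan} is not on the edge router's LAN")
    if plan["wpa"]["wan"] == plan["wep"]["wan"]:
        problems.append("wpa and wep: same WAN address")
    return problems

def owner(plan, host):
    """Name of the router whose LAN contains host, or None for anything else."""
    ip = ipaddress.ip_address(host)
    for name, r in plan.items():
        if ip in ipaddress.ip_network(r["lan"]):
            return name
    return None

def can_initiate(plan, src, dst):
    """Can src open a new connection to dst? Models the post's rule that a
    router passes nothing inward unless an inside computer asked for it."""
    s, d = owner(plan, src), owner(plan, dst)
    if s == d:
        return True   # same LAN, no router boundary is crossed inward
    if d in ("wpa", "wep"):
        return False  # unsolicited traffic stops at that leg's outside port
    # dst is on the edge LAN or the internet: any inside host may go outward,
    # but an internet host (s is None) cannot reach into the edge LAN.
    return s is not None
```

In this model a device on the WEP leg can still reach the WPA router's outside address on the shared edge LAN, so remote administration should stay disabled on that router.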
Just a few thoughts on Veronica's wireless bunny problems...
On #495 there was a caller that suggested a second, less secure router. It can actually be set up to be completely separate from your main network. You could even leave it wide open, and your WPA network would still be secure. Steve Gibson sums it up nicely on this page, and on his Security Now podcast.
As for the work network, that "I agree" page is known as a Captive Portal. If you can, talk to your IT guys and they should be able to switch it off for your Nabaztag's MAC address. That may be the only way, and a lot easier than spoofing it every time you want to connect.