Solved

How to configure my wired and wireless securely?

Posted on 2015-01-28
Last Modified: 2015-03-04
I currently have a network set up in my home. I have several Win7 Pro machines, two printers and a NAS where I store all my converted LPs and cassettes (about 4Tb), connected via CAT5 to my switch. On occasion I connect my wife’s and my laptops wirelessly. (I have a 2Gb connection with my ISP.)

I have been trying to secure my network and wireless connections. I have been using DHCP via my wireless router to assign IP addresses to my devices, but I have been reading articles, and a few articles in the local papers, where hackers have infiltrated (and can infiltrate) wireless networks. Thus I have started to:

1. Turn off my wireless network when not using it.
2. Allow access only via MAC addresses
3. Use WPA-2 encryption
4. Disable broadcasting of my SSID
5. *trying to determine how to disable ports that I don’t need open.

However, I am confused as to how to reset/restructure my network without the wireless router ON. In particular, using my switch with the direct connection from my ISP, it would seem that I’m exposing my network devices (should I have a filter, buffer, firewall or another type of protection device?). My intention is to protect my computers and other devices, but still enjoy a speedy internet connection.

Is there a means by which I can set up my network (using 192.168.0.0 or private addressing) and yet, once I power up my wireless router, have my wireless devices access my wired network devices and storage?
Question by:misterd
 

Expert Comment

by:John Hurst
ID: 40576163
If you need absolute security, all you can do is turn everything off.

To be reasonable, WPA-2 or greater with very strong passwords (mine is about 30 characters long with special characters) will defeat drive-by hackers. Someone would have to sit outside your dwelling for a long time to break this. And you need to be worth breaking into.

Also secure your computers with user names and strong passwords with special characters. This prevents people from logging on if they do break in.

Finally do NOT go to dodgy sites. At the 99% level, people are NOT hapless victims. You invite viruses in and that has nothing to do with the security above.

In short it is very easy to secure yourself very well. I have never been hacked and my desktop has been running connected to the internet for over 10 years.
0
 

Expert Comment

by:Rich Rumble
ID: 40577401
The way home networks get attacked is if they are easy targets. Patch the WiFi's OS when possible, there are often hardcoded backdoors or bugs/flaws that allow for an easy take over.
http://www.scmagazine.com/black-hat-researchers-take-over-linksys-router-with-simple-javascript/article/252521/
http://krebsonsecurity.com/2015/01/lizard-stresser-runs-on-hacked-home-routers
The bottom line: use WPA2, don't worry about the SSID broadcast, it's not really hidden if you look promiscuously, and using MAC address auth is a good way to shore up the defenses locally. Turn off access to the remote management if you can. I use DD-WRT on my routers, and it allows you to only have access to the GUI if you're going over the 4 wired ports if you choose. In your home, the wired part should be secure, you can always do more, but they have to get in through the cable modem and then your wifi first. Well, that's not 100% true, someone can download and execute something that gives an attacker a backdoor, so make sure you have backups, perhaps turn off your NAS unless you're using it. CryptoLocker and its ilk could cost you if you don't.
Use the GRC Shields Up test to see what ports are open to your home from an attacker's perspective, and see if there are any you can close.
-rich
0
 

Author Comment

by:misterd
ID: 40616900
I was hoping to receive something more than I have already done: changed the passphrase to 40 characters, changed the SSID, ENABLED ENCRYPTION, used MAC filtering, upgraded my router’s firmware.

Like what I found from my continued research: if "serious about wireless security", only use the wireless device as an "access point" - disable the DHCP for the router, next install/use a server for (DNS and DHCP) and a modern switch. Using static IP addresses on home networks gives somewhat better protection against network security problems than does DHCP address assignment.

My investigations have shown that it depends on how serious a person is about "security". The way I have been approaching this was: having my NAS always available; the wireless I COULD turn off (for long periods of time where I KNOW that it is not going to be used, shut it down); but I do like the server and Wireless router ONLY as an access point better.
0

Expert Comment

by:John Hurst
ID: 40616913
but I do like the server and Wireless router ONLY as an access point better.  <--- I think you can safely leave Wi-Fi on but you just need to secure it very well. I leave my Wi-Fi on all the time without issue.
0
 

Accepted Solution

by:Rich Rumble (earned 500 total points)
ID: 40617165
Static IPs add nothing, you can assign your own IP, if you get past the password/phrase.
40-character is nice and all, but you'll be fine with half that using WPA2. Some wifi OSes allow you to control who can see who as well, you can keep other clients from communicating with other wifi clients, and/or make exceptions.
http://www.dd-wrt.com/wiki/index.php/Advanced_wireless_settings#AP_Isolation
The basics are very applicable, and you do not have to be super paranoid unless your data is that valuable. If it is, use wired instead. Perhaps you have a wifi still, but the only access to your NAS is through you RDP'ing into a Windows machine, or being physically present at the machine. Some WIFI's allow you to have two SSIDs, use one for guest and the other for your more critical information.
Have proper backups of whatever data is important, and use the tried and true wifi best practices.
Here's my paranoia settings:
Wifi management can only be reached by WIRED clients.
WPA2-TKIP using PreSharedKey
802.1x Mac address restrictions on SOME hosts...
AP Isolation for SOME hosts.
SSID = Broadcast
DHCP = Enabled
The hosts that are on Wifi have their own firewall settings and security controls as well.
-rich
0
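An added illustration of the passphrase-length and SSID points raised in this thread (not part of any post above): WPA2-Personal reduces the passphrase to a 256-bit key with PBKDF2-HMAC-SHA1, 4096 iterations, salted with the SSID. The function names, the constructed SSID, the guess rate of one million per second and the assumption that every character is chosen uniformly at random are all assumptions made for this example.

```python
import hashlib
import math

PRINTABLE_ASCII = 95        # WPA2 passphrase characters: ASCII 32..126
PMK_BITS = 256              # size of the derived key; strength cannot exceed this

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal key derivation (IEEE 802.11i): PBKDF2-HMAC-SHA1,
    SSID as salt, 4096 iterations, 32-byte pairwise master key."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)

def effective_bits(length: int) -> float:
    """Strength of a passphrase of `length` characters, ASSUMING each one is
    picked uniformly at random; capped at the size of the derived key."""
    return min(length * math.log2(PRINTABLE_ASCII), PMK_BITS)

def years_to_search(bits: float, guesses_per_second: float) -> float:
    """Average exhaustive-search time (half the keyspace) at an assumed rate."""
    return 2 ** (bits - 1) / guesses_per_second / (365.25 * 24 * 3600)

def compare(lengths=(8, 20, 40), rate=1e6):
    """Rows of (length, effective bits, years) for an ASSUMED guess rate."""
    return [(n, round(effective_bits(n), 1),
             years_to_search(effective_bits(n), rate)) for n in lengths]

if __name__ == "__main__":
    # Published 802.11i test vector: passphrase "password", SSID "IEEE".
    print(wpa2_pmk("password", "IEEE").hex())
    # Same passphrase, constructed SSID: the salt changes the whole key, so
    # work precomputed for one SSID does not carry over to another.
    print(wpa2_pmk("password", "HomeNet-constructed").hex())
    for n, bits, years in compare():
        print(f"{n:2d} random chars: {bits:5.1f} bits, ~{years:.3g} years")
```

Under these assumptions a random passphrase reaches the 256-bit ceiling at 39 characters, and the figures say nothing about human-chosen phrases, which carry far less entropy per character.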
 

Author Closing Comment

by:misterd
ID: 40645253
I am very paranoid about my data (military info diggers)  very little trust.
0
