How to configure my wired and wireless securely?

Posted on 2015-01-28
Medium Priority
Last Modified: 2015-03-04
I currently have a network setup in my home.  I have several Win7 pro machines,  two printers and a NAS where I store all my converted LP’s and cassette  (about 4Tb’s) connective CAT5 to my switch.  On occasion I connect my wife’s and my laptops wirelessly.  (I have a 2Gb connection with my ISP).

I have been trying to secure my network and wireless connections:   I have been using DHCP via my wireless router to assign IP address to my devices,  but I have been reading articles and a few articles in the local papers where Hackers (have and can infiltrate wireless networks).  Thus I have started to:

1.      Turn off my wireless network when not using it.
2.       Allow access only via MAC addresses
3.      Use WPA-2 encryption
4.      Disable broadcasting of my SSID
5.      *trying to determine how to disable ports that I don’t need open.

However,  I am confused as to how to reset/restructure my network  --  without the wireless router ON.  In particular  --  using my switch with the direct connection from my ISP  --  it would seem that I’m exposing my network devices  (should I have a filter, buffer, firewall  or another type of protection device)?  My intention to protect my computers and other devices  --  however have enjoy a speedy internet connections.  

Is there a means by which  --  I can setup my network  (using  or private addressing and yet once I power up my wireless router that my wireless devices can access my wired network devices and storage?
Question by:misterd
  • 2
  • 2
  • 2
LVL 101

Expert Comment

by:John Hurst
ID: 40576163
If you need absolute security, all you can do is turn everything off.

To be reasonable, WPA-2 or greater with very strong passwords (mine is about 30 characters long with special characters) will defeat drive by hackers. Someone would have to sit outside your dwelling for a long time to break this. And you need to be worth breaking into.

Also secure your computers with user names and strong passwords with special characters. This prevents people from logging on if they do break in.

Finally do NOT go to dodgy sites. At the 99% level, people are NOT hapless victims. You invite viruses in and that has nothing to do with the security above.

In short it is very easy to secure yourself very well. I have never been hacked and my desktop has been running connected to the internet for over 10 years.
LVL 38

Expert Comment

by:Rich Rumble
ID: 40577401
The way home networks get attacked is if they are easy targets. Patch the WiFi's OS when possible, there are often hardcoded backdoors or bugs/flaws that allow for an easy take over.
The bottom line, use WPA2, don't worry about the SSID broadcast, it's not really hidden if you look promiscuously, and using MAC address auth is a good way to shore up the defenses locally. Turn off access to the remote management if you can, I use DD-WRT on my routers, and it allows you to only have access to the GUI if your going over the 4 wired ports if you choose. In your home, the wired part should be secure, you can always do more, but they have to get in through the cable modem and then your wifi first. Well that's not 100% true, someone can download and execute something that gives an attacker a backdoor, so make sure you have backups, perhaps turn off your NAS unless your using it. CryptoLocker and it's ilk could cost you if you don't.
Use the GRC Shields up test to see what port are open to your home from an attackers perspective, and see if there are any you can close.

Author Comment

ID: 40616900
I was hoping to receive something more than I have already done: changed the paraphrase 40 characters, changed the SSID, ENABLED ENCRYPTION, use mac filtering, upgraded my router’s firmware.

like what I found from my continued research:  If "serious about wireless security" only use the wireless device as an "access point"  -  disable the DHCP for the router, next install/use a server for (DNS and DCHP) and a modern switch.   Using static IP addresses on home networks gives somewhat better protection against network security problems than does DHCP address assignment.

My investigations have shown that it "depends on how serious a person is about "security".   The way I have been approaching this was:  having my NAS always available,  the wireless --  I COULD turn off,  (however for long period of time where I KNOW that is not going to be used  (shut it down);  but I do like the server and Wireless router ONLY as an access point better.
We Need Your Input!

WatchGuard is currently running a beta program for our new macOS Host Sensor for our Threat Detection and Response service. We're looking for more macOS users to help provide insight and feedback to help us make the product even better. Please sign up for our beta program today!

LVL 101

Expert Comment

by:John Hurst
ID: 40616913
but I do like the server and Wireless router ONLY as an access point better.  <--- I think you can safely leave Wi-Fi on but you just need to secure it very well. I leave my Wi-Fi on all the time without issue.
LVL 38

Accepted Solution

Rich Rumble earned 1500 total points
ID: 40617165
Static IP's add nothing, you can assign your own IP, if you get past the password/phrase.
40-Character is nice and all, but you'll be fine with half that using wpa2. Some wifi OS's allow you to control who can see who as well, you can keep other clients from communicating with other wifi clients, and or make exceptions.
The basics are very applicable, and you do not have to be super paranoid unless you data is that valuable. If it is, use wired instead. Perhaps you have a wifi still, but the only access to your NAS is through you RDP'ing into a windows machine, or being physically present at the machine. Some WIFI's allow you to have two SSID's, use one for guest and the other for your more critical information.
Have proper backups of whatever data is important, and use the tried and true wifi best practices.
Here's my paranoia settings:
Wifi management can only be reached by WIRED clients.
WPA2-TKIP using PreSharedKey
802.1x Mac address restrictions on SOME hosts...
AP Isolation for SOME hosts.
SSID = Broadcast
DHCP = Enabled
The host's that are on Wifi have their own firewall settings and security controls as well.

Author Closing Comment

ID: 40645253
I am very paranoid about my data (military info diggers)  very little trust.

Featured Post

SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Anti-virus software today is fairly sophisticated, but virus writers are often a step ahead of the software, and new viruses are constantly being released that current anti-virus software cannot recognize. The key to anti-virus software is detect…
No security measures warrant 100% as a "silver bullet". The truth is we also cannot assume anything but a defensive and vigilance posture. Adopt no trust by default and reveal in assumption. Only assume anonymity or invisibility in the reverse. Safe…
When you have multiple client accounts to manage, it often feels like there aren’t enough hours in the day. With too many applications to juggle, you can’t focus on your clients, much less your growing to-do list. But that doesn’t have to be the cas…
To export Lotus Notes to Outlook PST or Exchange and Domino Server files to Exchange Server or PST files with ease, go for Kernel for Lotus Notes to Outlook conversion tool. Through the video, you can watch the conversion process. A common user with…

600 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question