How to configure my wired and wireless securely?

I currently have a network setup in my home.  I have several Win7 pro machines,  two printers and a NAS where I store all my converted LP’s and cassette  (about 4Tb’s) connective CAT5 to my switch.  On occasion I connect my wife’s and my laptops wirelessly.  (I have a 2Gb connection with my ISP).

I have been trying to secure my network and wireless connections:   I have been using DHCP via my wireless router to assign IP address to my devices,  but I have been reading articles and a few articles in the local papers where Hackers (have and can infiltrate wireless networks).  Thus I have started to:

1.      Turn off my wireless network when not using it.
2.       Allow access only via MAC addresses
3.      Use WPA-2 encryption
4.      Disable broadcasting of my SSID
5.      *trying to determine how to disable ports that I don’t need open.

However,  I am confused as to how to reset/restructure my network  --  without the wireless router ON.  In particular  --  using my switch with the direct connection from my ISP  --  it would seem that I’m exposing my network devices  (should I have a filter, buffer, firewall  or another type of protection device)?  My intention to protect my computers and other devices  --  however have enjoy a speedy internet connections.  

Is there a means by which  --  I can setup my network  (using  or private addressing and yet once I power up my wireless router that my wireless devices can access my wired network devices and storage?
Who is Participating?
Rich RumbleSecurity SamuraiCommented:
Static IP's add nothing, you can assign your own IP, if you get past the password/phrase.
40-Character is nice and all, but you'll be fine with half that using wpa2. Some wifi OS's allow you to control who can see who as well, you can keep other clients from communicating with other wifi clients, and or make exceptions.
The basics are very applicable, and you do not have to be super paranoid unless you data is that valuable. If it is, use wired instead. Perhaps you have a wifi still, but the only access to your NAS is through you RDP'ing into a windows machine, or being physically present at the machine. Some WIFI's allow you to have two SSID's, use one for guest and the other for your more critical information.
Have proper backups of whatever data is important, and use the tried and true wifi best practices.
Here's my paranoia settings:
Wifi management can only be reached by WIRED clients.
WPA2-TKIP using PreSharedKey
802.1x Mac address restrictions on SOME hosts...
AP Isolation for SOME hosts.
SSID = Broadcast
DHCP = Enabled
The host's that are on Wifi have their own firewall settings and security controls as well.
JohnBusiness Consultant (Owner)Commented:
If you need absolute security, all you can do is turn everything off.

To be reasonable, WPA-2 or greater with very strong passwords (mine is about 30 characters long with special characters) will defeat drive by hackers. Someone would have to sit outside your dwelling for a long time to break this. And you need to be worth breaking into.

Also secure your computers with user names and strong passwords with special characters. This prevents people from logging on if they do break in.

Finally do NOT go to dodgy sites. At the 99% level, people are NOT hapless victims. You invite viruses in and that has nothing to do with the security above.

In short it is very easy to secure yourself very well. I have never been hacked and my desktop has been running connected to the internet for over 10 years.
Rich RumbleSecurity SamuraiCommented:
The way home networks get attacked is if they are easy targets. Patch the WiFi's OS when possible, there are often hardcoded backdoors or bugs/flaws that allow for an easy take over.
The bottom line, use WPA2, don't worry about the SSID broadcast, it's not really hidden if you look promiscuously, and using MAC address auth is a good way to shore up the defenses locally. Turn off access to the remote management if you can, I use DD-WRT on my routers, and it allows you to only have access to the GUI if your going over the 4 wired ports if you choose. In your home, the wired part should be secure, you can always do more, but they have to get in through the cable modem and then your wifi first. Well that's not 100% true, someone can download and execute something that gives an attacker a backdoor, so make sure you have backups, perhaps turn off your NAS unless your using it. CryptoLocker and it's ilk could cost you if you don't.
Use the GRC Shields up test to see what port are open to your home from an attackers perspective, and see if there are any you can close.
WEBINAR: 10 Easy Ways to Lose a Password

Join us on June 27th at 8 am PDT to learn about the methods that hackers use to lift real, working credentials from even the most security-savvy employees. We'll cover the importance of multi-factor authentication and how these solutions can better protect your business!

misterdAuthor Commented:
I was hoping to receive something more than I have already done: changed the paraphrase 40 characters, changed the SSID, ENABLED ENCRYPTION, use mac filtering, upgraded my router’s firmware.

like what I found from my continued research:  If "serious about wireless security" only use the wireless device as an "access point"  -  disable the DHCP for the router, next install/use a server for (DNS and DCHP) and a modern switch.   Using static IP addresses on home networks gives somewhat better protection against network security problems than does DHCP address assignment.

My investigations have shown that it "depends on how serious a person is about "security".   The way I have been approaching this was:  having my NAS always available,  the wireless --  I COULD turn off,  (however for long period of time where I KNOW that is not going to be used  (shut it down);  but I do like the server and Wireless router ONLY as an access point better.
JohnBusiness Consultant (Owner)Commented:
but I do like the server and Wireless router ONLY as an access point better.  <--- I think you can safely leave Wi-Fi on but you just need to secure it very well. I leave my Wi-Fi on all the time without issue.
misterdAuthor Commented:
I am very paranoid about my data (military info diggers)  very little trust.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.