Solved

How to configure my wired and wireless securely?

Posted on 2015-01-28
Last Modified: 2015-03-04
I currently have a network set up in my home. I have several Win7 Pro machines, two printers and a NAS where I store all my converted LPs and cassettes (about 4Tb’s), connected by CAT5 to my switch. On occasion I connect my wife’s and my laptops wirelessly. (I have a 2Gb connection with my ISP.)

I have been trying to secure my network and wireless connections. I have been using DHCP via my wireless router to assign IP addresses to my devices, but I have been reading articles, including a few in the local papers, saying that hackers have infiltrated and can infiltrate wireless networks. Thus I have started to:

1. Turn off my wireless network when not using it.
2. Allow access only via MAC addresses
3. Use WPA-2 encryption
4. Disable broadcasting of my SSID
5. *trying to determine how to disable ports that I don’t need open.

However, I am confused as to how to reset/restructure my network without the wireless router ON. In particular, using my switch with the direct connection from my ISP, it would seem that I’m exposing my network devices (should I have a filter, buffer, firewall or another type of protection device?). My intention is to protect my computers and other devices, yet still enjoy a speedy internet connection.

Is there a means by which I can set up my network (using 192.168.0.0 or private addressing) so that once I power up my wireless router, my wireless devices can access my wired network devices and storage?
0
Question by:misterd
6 Comments
 
LVL 90

Expert Comment

by:John Hurst
ID: 40576163
If you need absolute security, all you can do is turn everything off.

To be reasonable, WPA-2 or greater with very strong passwords (mine is about 30 characters long with special characters) will defeat drive-by hackers. Someone would have to sit outside your dwelling for a long time to break this. And you need to be worth breaking into.

Also secure your computers with user names and strong passwords with special characters. This prevents people from logging on if they do break in.

Finally do NOT go to dodgy sites. At the 99% level, people are NOT hapless victims. You invite viruses in and that has nothing to do with the security above.

In short it is very easy to secure yourself very well. I have never been hacked and my desktop has been running connected to the internet for over 10 years.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 40577401
The way home networks get attacked is if they are easy targets. Patch the WiFi's OS when possible; there are often hardcoded backdoors or bugs/flaws that allow for an easy takeover.
http://www.scmagazine.com/black-hat-researchers-take-over-linksys-router-with-simple-javascript/article/252521/
http://krebsonsecurity.com/2015/01/lizard-stresser-runs-on-hacked-home-routers
The bottom line: use WPA2, don't worry about the SSID broadcast, it's not really hidden if you look promiscuously, and using MAC address auth is a good way to shore up the defenses locally. Turn off access to the remote management if you can. I use DD-WRT on my routers, and it allows you to only have access to the GUI if you're going over the 4 wired ports if you choose. In your home, the wired part should be secure; you can always do more, but they have to get in through the cable modem and then your wifi first. Well, that's not 100% true: someone can download and execute something that gives an attacker a backdoor, so make sure you have backups, and perhaps turn off your NAS unless you're using it. CryptoLocker and its ilk could cost you if you don't.
Use the GRC ShieldsUP test to see what ports are open to your home from an attacker's perspective, and see if there are any you can close.
-rich
0
 

Author Comment

by:misterd
ID: 40616900
I was hoping to receive something more than what I have already done: changed the passphrase to 40 characters, changed the SSID, ENABLED ENCRYPTION, used MAC filtering, upgraded my router’s firmware.

Like what I found from my continued research: if "serious about wireless security", only use the wireless device as an "access point": disable DHCP on the router, then install/use a server for DNS and DHCP, and a modern switch. Using static IP addresses on home networks gives somewhat better protection against network security problems than does DHCP address assignment.

My investigations have shown that it depends on how serious a person is about "security". The way I have been approaching this was: having my NAS always available; the wireless I COULD turn off (for long periods of time where I KNOW that it is not going to be used, shut it down); but I do like the server and wireless router ONLY as an access point better.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 40616913
but I do like the server and Wireless router ONLY as an access point better.  <--- I think you can safely leave Wi-Fi on but you just need to secure it very well. I leave my Wi-Fi on all the time without issue.
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 40617165
Static IPs add nothing; you can assign your own IP if you get past the password/phrase.
40 characters is nice and all, but you'll be fine with half that using WPA2. Some wifi OSes allow you to control who can see who as well: you can keep clients from communicating with other wifi clients, and/or make exceptions.
http://www.dd-wrt.com/wiki/index.php/Advanced_wireless_settings#AP_Isolation
The basics are very applicable, and you do not have to be super paranoid unless your data is that valuable. If it is, use wired instead. Perhaps you have wifi still, but the only access to your NAS is through you RDP'ing into a Windows machine, or being physically present at the machine. Some wifi routers allow you to have two SSIDs; use one for guests and the other for your more critical information.
Have proper backups of whatever data is important, and use the tried and true wifi best practices.
Here's my paranoia settings:
Wifi management can only be reached by WIRED clients.
WPA2-TKIP using PreSharedKey
802.1x Mac address restrictions on SOME hosts...
AP Isolation for SOME hosts.
SSID = Broadcast
DHCP = Enabled
The hosts that are on wifi have their own firewall settings and security controls as well.
-rich
0
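The passphrase-length and SSID points raised in this thread, as an added example that is not part of any post: WPA2-PSK turns the passphrase into a 256-bit key with PBKDF2-HMAC-SHA1, salted with the SSID, so the same passphrase yields a different key once the SSID is changed, and each extra random character multiplies the offline search space by the alphabet size. The guessing rate and the sample SSIDs and passphrase are constructed assumptions, and the entropy figures hold only for characters chosen at random.

```python
import hashlib
import math

PRINTABLE = 95          # printable ASCII characters allowed in a WPA2 passphrase
ASSUMED_RATE = 1e6      # assumption: key derivations per second for an offline guesser


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA2-PSK pairwise master key.

    PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32-byte output.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters")
    salt = ssid.encode()
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def entropy_bits(length: int, alphabet_size: int = PRINTABLE) -> float:
    """Entropy of a passphrase whose characters are picked uniformly at random.

    A human-chosen phrase of the same length has less entropy than this.
    """
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = ASSUMED_RATE) -> float:
    """Years needed to try every candidate at the given guessing rate."""
    return 2.0 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def compare_lengths(lengths=(8, 20, 40)) -> dict:
    """Exhaustive-search time in years for each random passphrase length."""
    return {n: years_to_exhaust(entropy_bits(n)) for n in lengths}


if __name__ == "__main__":
    phrase = "constructed-sample-phrase"   # constructed sample value
    # Same passphrase, two SSIDs (both constructed): the derived keys differ,
    # so a table precomputed for one SSID is useless against the other.
    for ssid in ("linksys", "home-7f3a"):
        print(f"{ssid:10s} {wpa2_pmk(phrase, ssid).hex()}")
    for n, years in compare_lengths().items():
        print(f"{n:2d} random chars: {entropy_bits(n):6.1f} bits, ~{years:.1e} years")
```
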
 

Author Closing Comment

by:misterd
ID: 40645253
I am very paranoid about my data (military info diggers)  very little trust.
0
