Advice required on securing home network

Discussion in 'Mac OS X Server, Xserve, and Networking' started by conamor, Oct 18, 2016.

  1. conamor macrumors 6502

    conamor

    Joined:
    Jun 27, 2013
    #1
    hey!

    I just started to draw my network diagram for home and will also assign manual IPs to all my devices, including video game consoles or anything that can be connected.

    The setup for the network is, modem/ISP to Time Capsule then everything wifi'd.

    WPA2 activated, no broadcasting. Next plan is to assign manual IPs to MAC addresses. I am concerned about the network security in general. I was using a D-Link DIR-655 router and replaced it with the TC.

    I was wondering if I should have a better setup than that and maybe use a machine between the ISP modem and the router to act as a firewall?

    I will be waiting for your suggestions!

    Thanks
     
  2. kiwipeso1 Suspended

    kiwipeso1

    Joined:
    Sep 17, 2001
    Location:
    Wellington, New Zealand
    #2
    A good router should have its own firewall within the router settings.
     
  3. BorderingOn macrumors 6502

    Joined:
    Jun 12, 2016
    Location:
    BaseCamp Pro
    #3
    Not broadcasting SSID adds no security. Nor does MAC filtering. These are trivial to any hacker. If you want to keep your network simple, you can maybe just change DNS to something like opendns and set it to filter a lot of the nasties. Just basic protection against sites you would not intentionally visit anyway.

    To go further, you can do a real firewall instead of the TC. Maybe one with a content filter service. This will require a fee, setup, and maintenance. You can also do a RADIUS server for authenticating wifi clients. All of this adds a lot of complexity.

    For a home network, I really think a strong wifi password that you change frequently and controlling who gets the password goes a long way to keeping things safe. The other thing I do is put all of the IoT crap on the guest SSID so it doesn't become a back door into my LAN.
     
  4. HDFan macrumors 6502

    Joined:
    Jun 30, 2007
    #4
    I added a Cisco RSV4000 firewall router between my Comcast Modem and my Airports. It has been discontinued, but I see that it is still available on Amazon for a decent price.

    Wonder if anyone has a recommendation about an affordable current Cisco replacement?

    BorderingOn's comments about SSID broadcasting and MAC filtering were informative. "IoT crap"???
     
  5. BorderingOn macrumors 6502

    Joined:
    Jun 12, 2016
    Location:
    BaseCamp Pro
    #5
    LOL. My wifi outlets, thermostats, etc. Internet of Things. Stuff known for security holes. Stuff that maintains a persistent connection to some server somewhere waiting to be compromised. I keep all of that off of my private LAN.
     
  6. conamor, Oct 19, 2016
    Last edited: Oct 19, 2016

    conamor thread starter macrumors 6502

    conamor

    Joined:
    Jun 27, 2013
    #6

    Thanks!

    The Time Capsule isn't enough, I believe. What would be a good firewall instead of using the TC for one? Should I simply buy a new Asus AC3100 router and use it between the ISP modem and the TC? I guess the TC could be bridged and there would be 2 networks. ISP-newRouter to TC would be 192.168.1.x and TC to LAN could be 192.168.2.x. Would that be good?

    I also had a look at the pfSense SG-1000 and/or Sophos UTM Home but, to be honest, is it overkill for home?

    I guess like you said a good router/firewall and a strong WPA2 password such as at least 20+ characters (numbers, caps, and special char.)

    I am troubled with the money I spent for the TC and almost no configuration is available... such as reducing antenna wifi power...

    I suppose hiding the SSID is enough to stop a neighbour from trying to connect to it. If someone wants to break in, they would use a wifi finder app, then simply masquerade the MAC address of one of the devices talking to my router...

    :)

    Thanks for all the advice!
     

    Attached Files:

    • n1.jpg
      n1.jpg
      File size:
      346.8 KB
      Views:
      64
  7. cdcastillo macrumors 6502a

    cdcastillo

    Joined:
    Dec 22, 2007
    Location:
    The cesspit of civilization
    #7
    I used to have broadcasting off on the routers at home and at work, and found that it wreaked havoc on some devices and some services, but thought the hassle was worth it for the added security it provided. Then, last month, when I first connected my new iP7, the phone gave me a "security warning" about how having SSID broadcast off was indeed more a security risk than an advantage.

    So, now I have SSID broadcast on.
     
  8. conamor thread starter macrumors 6502

    conamor

    Joined:
    Jun 27, 2013
    #8
    Oh weird... Good to know!
     
  9. conamor thread starter macrumors 6502

    conamor

    Joined:
    Jun 27, 2013
    #9
    Can't wait for your advice and replies!
    Here's another question.

    Put the Asus AC3100 between the ISP modem and the Time Capsule? Or use Sophos UTM Home or the Netgate SG-1000 (pfSense firewall)?

    my thoughts are that the AC3100 should be enough...
     
  10. boast macrumors 65816

    boast

    Joined:
    Nov 12, 2007
    Location:
    Phoenix
    #10
    Have you taken a look at the Ubiquiti Edgerouter or Mikrotik hEX?
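    The isolation BorderingOn describes in posts #3 and #5 (IoT on its own SSID so it cannot reach the private LAN), written as a firewall ruleset for the Ubiquiti EdgeRouter boast mentions. This is an added example, not something posted in the thread. It assumes the LAN is 192.168.1.0/24 on eth1, the IoT/guest SSID is tagged by the access point onto VLAN 20, and that VLAN gets 192.168.2.0/24; the interface name, VLAN id and subnets are constructed.

    ```vyatta
    set firewall name IOT_IN description "Traffic entering the router from the IoT VLAN"
    set firewall name IOT_IN default-action accept

    set firewall name IOT_IN rule 10 description "Replies to sessions the LAN opened toward IoT devices"
    set firewall name IOT_IN rule 10 action accept
    set firewall name IOT_IN rule 10 state established enable
    set firewall name IOT_IN rule 10 state related enable

    set firewall name IOT_IN rule 20 description "IoT devices may not start connections into the LAN"
    set firewall name IOT_IN rule 20 action drop
    set firewall name IOT_IN rule 20 log enable
    set firewall name IOT_IN rule 20 protocol all
    set firewall name IOT_IN rule 20 destination address 192.168.1.0/24

    set interfaces ethernet eth1 vif 20 address 192.168.2.1/24
    set interfaces ethernet eth1 vif 20 description "IoT / guest VLAN"
    set interfaces ethernet eth1 vif 20 firewall in name IOT_IN
    ```

    Because the ruleset is attached in the `in` direction it only governs traffic forwarded through the router, so IoT devices still reach DHCP and DNS on the router itself and the Internet, while rule 20 logs every attempt to cross into the LAN, which is the "back door" traffic worth watching for.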
     
  11. conamor, Oct 19, 2016
    Last edited: Oct 19, 2016

    conamor thread starter macrumors 6502

    conamor

    Joined:
    Jun 27, 2013
    #11
    First time I've heard of these! I'll search for them.
     
  12. posguy99 macrumors 6502a

    Joined:
    Nov 3, 2004
    #12
    Why do you care if your neighbor tries? Use a strong password and be done with it.
     
  13. BorderingOn macrumors 6502

    Joined:
    Jun 12, 2016
    Location:
    BaseCamp Pro
    #13
    What is the time capsule for in that case? Are you just going to use it for backup and shut off the wireless?

    Have you defined your goals? What are you trying to accomplish with this device sitting between your home and ISP? If it's just a few devices connecting to the Internet, don't overthink it. If it's something more, let's hear some specifics.
     
  14. conamor thread starter macrumors 6502

    conamor

    Joined:
    Jun 27, 2013
    #14
    Like I said, I don't feel my TC can do as much as a regular router... (D-Link, Linksys, Asus...) I don't find the TC easy to configure... No option for reducing wifi signal power, not much visual overview of open or closed ports. There is no network traffic analysis. I would like to be able to see which device is using the network and where it's going... Maybe a simple Asus AC3100 would do the job... The TC in this case would become a wireless 3 TB backup used with Time Machine. There are also the kids who will want to browse the web; with a device like this I could have a blacklist of websites and could also use it as an adblock by using an already defined list.

    Playing with a FW between the modem and TC might just be too much in this case...
     
  15. Butchie-T macrumors regular

    Joined:
    Oct 29, 2014
    Location:
    Colorado
    #15
    I run a Cisco 881W wireless integrated services router. It runs a full Cisco IOS with a zone-based firewall and Intrusion Prevention System built in. I have a SmartNet subscription on the router so I can get the updated signature files. I'm running MAC security and have profiles built for each device connected to my network. WPA2 and TKIP are also configured. I change my authentication keys on a regular basis as well.

    But then, that's just me.....
     
