Advice required on securing home network

conamor

macrumors 6502
Original poster
Jun 27, 2013
335
19
hey!

I just started to draw my network diagram for home and will also assign manual IPs to all my devices, including video game consoles or anything that can be connected.

The setup for the network is, modem/ISP to Time Capsule then everything wifi'd.

WPA2 activated, no broadcasting. Next plan is to assign manual IPs to MAC addresses. I am concerned about the network security in general. I was using a D-Link DIR-655 router and replaced it with the TC.

I was wondering if I should have a better setup than that and maybe use a machine between the ISP modem and the router to act as a firewall?

I will be waiting for your suggestions!

Thanks
 

BorderingOn

macrumors 6502
Jun 12, 2016
453
436
BaseCamp Pro
Not broadcasting SSID adds no security. Nor does MAC filtering. These are trivial to any hacker. If you want to keep your network simple, you can maybe just change DNS to something like opendns and set it to filter a lot of the nasties. Just basic protection against sites you would not intentionally visit anyway.

To go further, you can do a real firewall instead of the TC. Maybe one with a content filter service. This will require a fee, setup, and maintenance. You can also do a RADIUS server for authenticating wifi clients. All of this adds a lot of complexity.

For a home network, I really think a strong wifi password that you change frequently and controlling who gets the password goes a long way to keeping things safe. The other thing I do is put all of the IoT crap on the guest SSID so it doesn't become a back door into my LAN.
 

HDFan

macrumors 68020
Jun 30, 2007
2,322
631
I added a Cisco RSV4000 firewall router between my Comcast Modem and my Airports. It has been discontinued, but I see that it is still available on Amazon for a decent price.

Wonder if anyone has a recommendation about an affordable current Cisco replacement?

BorderingOn's comments about SSID broadcasting and MAC filtering were informative. "IoT crap"???
 

BorderingOn

macrumors 6502
Jun 12, 2016
453
436
BaseCamp Pro
I added a Cisco RSV4000 firewall router between my Comcast Modem and my Airports. It has been discontinued, but I see that it is still available on Amazon for a decent price.

Wonder if anyone has a recommendation about an affordable current Cisco replacement?

BorderingOn's comments about SSID broadcasting and MAC filtering were informative. "IoT crap"???
LOL. My wifi outlets, thermostats, etc. Internet of Things. Stuff known for security holes. Stuff that maintains a persistent connection to some server somewhere waiting to be compromised. I keep all of that off of my private LAN.
 

conamor

macrumors 6502
Original poster
Jun 27, 2013
335
19
Not broadcasting SSID adds no security. Nor does MAC filtering. These are trivial to any hacker. If you want to keep your network simple, you can maybe just change DNS to something like opendns and set it to filter a lot of the nasties. Just basic protection against sites you would not intentionally visit anyway.

To go further, you can do a real firewall instead of the TC. Maybe one with a content filter service. This will require a fee, setup, and maintenance. You can also do a RADIUS server for authenticating wifi clients. All of this adds a lot of complexity.

For a home network, I really think a strong wifi password that you change frequently and controlling who gets the password goes a long way to keeping things safe. The other thing I do is put all of the IoT crap on the guest SSID so it doesn't become a back door into my LAN.

Thanks!

The Time Capsule isn't enough, I believe. What would be a good firewall instead of using the TC for one? Should I simply buy a new Asus AC3100 router and use it between the ISP modem and the TC? I guess the TC could be bridged and there would be 2 networks. ISP-newRouter to TC would be 192.168.1.x and TC to LAN could be 192.168.2.x. Would that be good?

I also had a look at the pfSense SG-1000 and/or Sophos UTM Home but, to be honest, is it overkill for home?

I guess, like you said, a good router/firewall and a strong WPA2 password, such as at least 20+ characters (numbers, caps, and special chars).

I am troubled with the money I spent for the TC and almost no configuration is available... such as reducing antenna wifi power...

I suppose hiding the SSID is enough to stop a neighbor from trying to connect to it. If someone wants to break in, they would use a wifi finder app and then simply masquerade as the MAC address of one of the devices talking to my router...

:)

Thanks for all the advice!
 

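Worked example, added here by the editor and not posted by anyone in the thread: a small script that generates a WPA2 passphrase meeting the "20+ characters, numbers, caps and specials" rule suggested above, and estimates how much keyspace such a passphrase actually gives you compared with a short lowercase one. The guessing rate in `years_to_exhaust` is an assumed illustrative figure, not a measured one.

```python
"""Generate a WPA2 passphrase and estimate its keyspace.
Added example, not from the thread; the policy numbers (20+ characters,
mixed classes) are the ones suggested in the post above."""
import math
import secrets
import string

CLASSES = {
    "lower": string.ascii_lowercase,   # 26 characters
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32
}
ALPHABET = "".join(CLASSES.values())   # 94 printable ASCII characters


def meets_policy(passphrase: str, min_len: int = 20) -> bool:
    """The thread's rule: at least min_len chars with every class present."""
    return len(passphrase) >= min_len and all(
        any(c in chars for c in passphrase) for chars in CLASSES.values()
    )


def generate_passphrase(length: int = 24) -> str:
    """Passphrase drawn uniformly from all 94 classes using the CSPRNG-backed
    secrets module (never random). WPA2 passphrases must be 8..63 ASCII chars."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):  # retry until every class is represented
            return candidate


def entropy_bits(passphrase: str) -> float:
    """Upper-bound entropy: each character assumed chosen uniformly from the
    union of the classes actually present. A human-chosen phrase has far less
    real entropy than this number suggests, which is why random generation
    matters more than the character-class rule itself."""
    pool = sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in passphrase))
    return len(passphrase) * math.log2(pool) if pool else 0.0


def years_to_exhaust(bits: float, guesses_per_second: float = 1e6) -> float:
    """Time to try the whole keyspace at an assumed offline guessing rate.
    The rate is an illustrative assumption; WPA2 derives the key with PBKDF2,
    so per-guess cost is high and real rates are well below raw hash speeds."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for sample in ("hunter2go", "a" * 20, generate_passphrase(24)):
        bits = entropy_bits(sample)
        print(f"{sample!r}: policy={meets_policy(sample)} "
              f"~{bits:.0f} bits, {years_to_exhaust(bits):.3g} years to exhaust")
```

The point the numbers make: a 20-character lowercase-only string and a 20-character mixed string differ by roughly 37 bits, but either one drawn at random is far beyond what an offline guess at the captured handshake can cover; the thing that actually weakens a home WPA2 network is a passphrase that is short or built from dictionary words, not a missing symbol.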

cdcastillo

macrumors 65816
Dec 22, 2007
1,141
491
The cesspit of civilization
... no broadcasting...
Not broadcasting SSID adds no security...
I used to have broadcasting off on the routers at home and at work, and found that it wreaked havoc on some devices and some services, but thought the hassle was worth it for the added security it provided. Then, last month, when I first connected my new iP7, the phone gave me a "security warning" about how having SSID broadcast off was indeed more a security risk than an advantage.

So, now I have SSID broadcast on.
 

conamor

macrumors 6502
Original poster
Jun 27, 2013
335
19
I used to have broadcasting off on the routers at home and at work, and found that it wreaked havoc on some devices and some services, but thought the hassle was worth it for the added security it provided. Then, last month, when I first connected my new iP7, the phone gave me a "security warning" about how having SSID broadcast off was indeed more a security risk than an advantage.

So, now I have SSID broadcast on.
Oh weird... Good to know!
 

conamor

macrumors 6502
Original poster
Jun 27, 2013
335
19
Can't wait for your advice and replies!
Here's another question.

Put the Asus AC3100 between the ISP modem and the Time Capsule? Or use Sophos UTM Home or the Netgate SG-1000 (pfSense firewall)?

My thoughts are that the AC3100 should be enough...
 

posguy99

macrumors 65816
Nov 3, 2004
1,209
692
I suppose hiding the SSID is enough to stop a neighbor from trying to connect to it. If someone wants to break in, they would use a wifi finder app and then simply masquerade as the MAC address of one of the devices talking to my router...
Why do you care if your neighbor tries? Use a strong password and be done with it.
 

BorderingOn

macrumors 6502
Jun 12, 2016
453
436
BaseCamp Pro
Can't wait for your advice and replies!
Here's another question.

Put the Asus AC3100 between the ISP modem and the Time Capsule? Or use Sophos UTM Home or the Netgate SG-1000 (pfSense firewall)?

My thoughts are that the AC3100 should be enough...
What is the time capsule for in that case? Are you just going to use it for backup and shut off the wireless?

Have you defined your goals? What are you trying to accomplish with this device sitting between your home and ISP? If it's just a few devices connecting to the Internet, don't overthink it. If it's something more, let's hear some specifics.
 

conamor

macrumors 6502
Original poster
Jun 27, 2013
335
19
What is the time capsule for in that case? Are you just going to use it for backup and shut off the wireless?

Have you defined your goals? What are you trying to accomplish with this device sitting between your home and ISP? If it's just a few devices connecting to the Internet, don't overthink it. If it's something more, let's hear some specifics.
Like I said, I don't feel my TC can do as much as a regular router... (D-Link, Linksys, Asus...) I don't find the TC easy to configure... No option for reducing wifi signal power, not much visual overview of open or closed ports. There is no network traffic analysis. I would like to be able to see which device is using the network and where it's going... Maybe a simple Asus AC3100 would do the job... The TC in this case would become a wireless 3TB backup used with Time Machine. There are also the kids who will want to browse the web; with a device like this I could have a blacklist of websites and could also use it as an adblock by using already defined lists.

Playing with a FW between the modem and TC might just be too much in this case...
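Worked example, added by the editor and not part of anyone's post: the "which device is using the network" visibility asked for above can be approximated from any Mac on the LAN by parsing `arp -a` and comparing what is seen against the manual MAC-to-IP plan the original poster is drawing up. The ARP lines and MAC addresses below are constructed (the `02:` prefix is the locally administered range, so they belong to no real vendor), and the reservation plan is hypothetical. As the thread already notes, a MAC is not an identity, so treat this as a housekeeping check for forgotten or misconfigured devices, not as access control.

```python
"""Inventory the devices on a home LAN from ARP output and compare them
with a planned MAC -> IP reservation list. Added example, not from the thread."""
import re

# Constructed sample of macOS `arp -a` output. MACs are made up.
# macOS prints single-digit octets without a leading zero (0:11:32:...),
# and an '(incomplete)' row is an IP that never answered with a MAC.
SAMPLE_ARP = """\
? (192.168.2.1) at 0:11:32:aa:bb:cc on en0 ifscope [ethernet]
? (192.168.2.20) at 2:1a:4b:10:20:30 on en0 ifscope [ethernet]
? (192.168.2.21) at 02:1a:4b:10:20:31 on en0 ifscope [ethernet]
? (192.168.2.77) at 02:de:ad:be:ef:01 on en0 ifscope [ethernet]
? (192.168.2.99) at (incomplete) on en0 ifscope [ethernet]
? (192.168.2.255) at ff:ff:ff:ff:ff:ff on en0 ifscope [ethernet]
"""

# Hypothetical reservation plan: MAC -> (intended static IP, friendly name).
PLAN = {
    "00:11:32:aa:bb:cc": ("192.168.2.1", "time-capsule"),
    "02:1a:4b:10:20:30": ("192.168.2.20", "macbook"),
    "02:1a:4b:10:20:31": ("192.168.2.30", "ps4"),
}

# IPv4 in parentheses, then 'at', then a colon-separated hex MAC (11..17 chars).
_ENTRY = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\) at ([0-9a-fA-F:]{11,17})")
BROADCAST = "ff:ff:ff:ff:ff:ff"


def normalize_mac(mac: str) -> str:
    """Lower-case and zero-pad each octet so '0:11:32:aa:bb:cc' matches
    the '00:11:32:aa:bb:cc' form used in the plan."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


def parse_arp(text: str) -> dict:
    """Map IP -> normalized MAC. Incomplete and broadcast rows are skipped."""
    seen = {}
    for line in text.splitlines():
        m = _ENTRY.search(line)
        if not m:
            continue  # '(incomplete)' never matches the hex MAC pattern
        ip, mac = m.group(1), normalize_mac(m.group(2))
        if mac == BROADCAST:
            continue
        seen[ip] = mac
    return seen


def audit(observed: dict, plan: dict) -> dict:
    """Classify each observed device: on its planned IP, on the wrong IP,
    or a MAC that is not in the plan at all."""
    report = {"ok": [], "mismatched": [], "unknown": []}
    for ip, mac in observed.items():
        if mac not in plan:
            report["unknown"].append((ip, mac))
            continue
        planned_ip, name = plan[mac]
        if ip == planned_ip:
            report["ok"].append(name)
        else:
            report["mismatched"].append((name, mac, planned_ip, ip))
    return report


if __name__ == "__main__":
    result = audit(parse_arp(SAMPLE_ARP), PLAN)
    for category, entries in result.items():
        print(f"{category}: {entries}")
```

Two caveats when running this for real: `arp -a` only lists hosts the Mac has recently exchanged packets with, so the router's DHCP lease table is the authoritative list, and a device that shows up as "unknown" is just as likely to be a forgotten smart plug as anything else, which is exactly the case for putting that class of device on the guest SSID as suggested earlier in the thread.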
 

Butchie-T

macrumors regular
Oct 29, 2014
145
34
Colorado
I run a Cisco 881W wireless integrated services router. It runs a full Cisco IOS with a zone-based firewall and Intrusion Prevention System built in. I have a SMARTnet subscription on the router so I can get the updated signature files. I'm running MAC security and have profiles built for each device connected to my network. WPA2 and TKIP are also configured. I change my authentication keys on a regular basis as well.

But then, that's just me.....
 