Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Help me make my home network secure.

V

VooDooPope

macrumors member
Original poster
Jun 9, 2004
47
0
The Heights, Houston TX
Here is my current set up. I have a cable modem connected to my Airport Extreme Base station. I don't think I set any sort of security setting when I set it up I just plugged it in and ran with it.

Wirelessly connected to the base station is my Powerbook and my G5 iMac.

I also have an airport express hooked up in the living room to extend the range and stream music to my home theater system.

Right now I'm probably wide open so what to do I need to do to make this network secure?

Thanks in advance.
 
linksys

i use linksys router, has a great security features

can u log into the airport base and adminster the settings?

like

168.192.0.1 or whaTEVER
 
Linksys BITES.

I've yet to have a good experience with one of their POS routers.

You need to set your Airport to not broadcast it's network name. Here's a link: http://www.apple.com/support/airport/

Grab all 3 PDF's. They go over all you could ever want to know about Airport networks including how to secure them.

Just adding a router without securing your Airport network would be a huge waste. Just get the PDF's and learn how it works. As long as you remember your password, network name and/or have a paperclip handy you're cool. ;)

Don't be intimidated, just get the PDF's and you'll understand the whole shebang. It's a very friendly read as compared to most Networking manuals.
 
Although I have had tremendous success with my Linksys routers (went from wired to wireless), I agree that the need to add one is questionable, especially a wired one since it won't help at all.

The Airport has enough built-in security to cover your needs, as long as you follow the appropriate guidelines that mischief recommends, but the big ones are:

- Don't broadcast the SSID
- Use MAC address filtering
- Use a good password that others won't guess
- Change the default IP address and admin password on the router
 
I'd add, don't rely entirely upon the firewall/SPI/NAT of the router. Running a software firewall on the Macs behind the router is just a second line of a good defense. Also, make sure you use (and insist on, for others) a strong password for all accounts on all machines attached to your network. Passwords are your LAST line of defense.

Edit: And for the love of pomegranates, don't use the firewall control from the Sharing Prefpane. Learn to use it via command line or, use BrickHouse/SunShield to control it.
 
If you not planing on having others come over and use your network then turn on WPA. Everything from Apple should support it. If not you will have to use WEP which is not as good at WPA but not bad if you use 128 bits.

MAC address filtering is a royal PIA if you have others coming over and I really don't think it's needed.

If you want to broadcast the SSID that's fine just make sure that you change it from the default so hackers will not know which router your using, at least they have to work a little harder to figure it out. Even if you don't display it you still want to change it.

WPA and WEP passwords don't have to be hard to remember but just make sure you use upper and lower case with numbers. Sometimes you may want to use numbers as letters such as 5's for S's and 3's for E's. Just mix it up.

The Admin password is the one you really want to keep secure. Once set tape a copy to the bottom of your router, don't do this in an office, so you won't loose it.

Save a copy of your configurations so you don't have to put everything back in by hand.

And above all, HAVE FUN :D
 
VooDooPope said:
Here is my current set up. I have a cable modem connected to my Airport Extreme Base station. I don't think I set any sort of security setting when I set it up I just plugged it in and ran with it.

Wirelessly connected to the base station is my Powerbook and my G5 iMac.

I also have an airport express hooked up in the living room to extend the range and stream music to my home theater system.

Right now I'm probably wide open so what to do I need to do to make this network secure?

Thanks in advance.
Click to expand...

I too like the rest above, use a cheaper linksys router, but I'm sure the Extreme Base Station has the same options. Tell the Base Station to not broadcast SSID (and even change the default name), and use WEP to encrypt to keep others off your wireless network. Also change the default admin name and password. If you forget the name and password, there is a way to reset the Station back to default settings so you wont be locked out completely if you forget.

The Base Station will act as a natural firewall from the internet unless you open a port to forward to a certain computer. Such as if you wanted to run a web server to share a web site, you would need to forward port 80 to the correct machine, but you need to do that manually. So if you didn't open any ports, you are as safe as that setup will get without going out and getting more hardeware like a real firewall.
 
Password help:

If there's an obscure set of names you have totally in mind you can often just use one for the login and another, related term for the password itself, substituting numbers for letters where they're graphically appropriate.

Obscure sets of placenames work great (Hawaii, the Pacific Northwest, Pacific Islands are some good examples) along with Scientific Names, Chemistry terms, obscure novel characters/places, etc.

DO NOT use novels that are common knowledge. Realize that any hacker has memorized all of Tolkiens' works for example and will guess very efficiently if that's your theme.

You might want to get Norton Personal Firewall. Not because it's any better than the built in firewall in OS X but because it provides a convenient log of intrusion-attempting IP's. I used this feature when I was administering a network of Fixed-IP machines to smack around a number of students at the local HS (tracked their IP's) who wanted us for Quake servers. The OS X Network Utility can be quite useful in Unlimited-Pinging hackers into submission. ;)
 
mischief said:
If there's an obscure set of names you have totally in mind you can often just use one for the login and another, related term for the password itself, substituting numbers for letters where they're graphically appropriate.

Obscure sets of placenames work great (Hawaii, the Pacific Northwest, Pacific Islands are some good examples) along with Scientific Names, Chemistry terms, obscure novel characters/places, etc.
Click to expand...

I have to disagree with this. While this might foil your 10 year old sitting at your Mac, it won't stop a cracker for very long at all. Any words that appear in a dictionary are fair game. Any slang words are fair game. Pretty much, any printed word is fair game. The only SAFE passwords are those that are seemingly random letters and numbers.
 
yellow said:
I have to disagree with this. While this might foil your 10 year old sitting at your Mac, it won't stop a cracker for very long at all. Any words that appear in a dictionary are fair game. Any slang words are fair game. Pretty much, any printed word is fair game. The only SAFE passwords are those that are seemingly random letters and numbers.
Click to expand...

Law of diminishing return. Why would a hacker bother expending enough energy to crack a twelve digit password on my home network when there's a business with six digit passwords on their Wireless Access point two blocks away?

There's no such thing as a SAFE password unless it refreshes with every packet over top of a public/private style encryption scheme on a tunnelled VPN using keys larger than 512 bits.

Most people don't need anywhere near that level of paranoia however because the vast majority of folks with Wireless Access Points buy Linksys or Belkin routers that don't demand a replacement password for the one it comes with. Airport at least requires a custom one before it's setup closes. This means that just by setting your Airport up you're more secure than 99% of other wireless networks where all you need is:

Login: Admin

Password (Blank or "admin")
 
mischief said:
Law of diminishing return. Why would a hacker bother expending enough energy to crack a twelve digit password on my home network when there's a business with six digit passwords on their Wireless Access point two blocks away?
Click to expand...

Touché. While I was speaking of passwords in general, not those applied specifically to a WEP/WPA/WiFi webconfig login key.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back