WLAN internet security settings

I realize one can implement more secure wireless systems (VPN etc.), but for
normal home use where VPN are not feasible, does the following seem adequate
for home broadband internet access in a wireless lan using a router?

1. change the SSID to a personal one (broadcast to avoid lan problems)
2. Use WPA with pre-Shared Passphrase
3. enable MAC filtering
4. UPnP turned off
5. DMZ turned off

Does reducing the range of ip addresses the router's DNS server can use (to
4-5) make it more secure or does it have no security benefit?

[Of course I also have virus protection and regular Spyware checks].

Jeff

In my opinion restricting the number of DHCP assigned IP addresses offers no
additional level of security at all. Once someone accesses your network the
damage is done. Use WPA-PSK (AES) or (TKIP) or WPA2 if your hardware
supports it. Closely guard who has access to the encryption key. If you do
give it to a family member or friend for temporary use, change the key once
they leave...

In my opinion MAC address authentication as a security measue is also of
doubtful value...

I would also...

* Disable administration of the access point/router via the wireless
interface if your device supports it. Only perform admin tasks on the device
via a wired interface.
* Change the default admin password to somethng else and use a *STRONG*
password. Closely guard the password.

Personally I have UPnP enabled on my router and never use the DMZ
functionality. I only allow one port incoming to be open on my router and
that is for Secure Shell (SSH) use only. All remote access to my home LAN is
done through the SSH tunnel which is totally encrypted from start-to-finish.

--

Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the
mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no
rights...

"Jeff" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
>I realize one can implement more secure wireless systems (VPN etc.), but
>for
> normal home use where VPN are not feasible, does the following seem
> adequate for home broadband internet access in a wireless lan using a
> router?
>
> 1. change the SSID to a personal one (broadcast to avoid lan problems)
> 2. Use WPA with pre-Shared Passphrase
> 3. enable MAC filtering
> 4. UPnP turned off
> 5. DMZ turned off
>
> Does reducing the range of ip addresses the router's DNS server can use
> (to
> 4-5) make it more secure or does it have no security benefit?
>
> [Of course I also have virus protection and regular Spyware checks].
>
> Jeff
>
>
>

Thank you. That is very helpful and I appreciate your taking the time to
write.

I have a SMC "barricade" G router that has all sorts of security features,
and I have successfully implemented the other suggestions you made, but I am
not sure how to do the following.

> . I only allow one port incoming to be open on my router
> and that is for Secure Shell (SSH) use only. All remote access to my
> home LAN is done through the SSH tunnel which is totally encrypted
> from start-to-finish.

What should I look for in the router interface? Would doing this disable
the ability to download files from the web or use FTP?

Thank you again.

Jeff


Sooner Al [MVP] wrote:
> In my opinion restricting the number of DHCP assigned IP addresses
> offers no additional level of security at all. Once someone accesses
> your network the damage is done. Use WPA-PSK (AES) or (TKIP) or WPA2
> if your hardware supports it. Closely guard who has access to the
> encryption key. If you do give it to a family member or friend for
> temporary use, change the key once they leave...
>
> In my opinion MAC address authentication as a security measue is also
> of doubtful value...
>
> I would also...
>
> * Disable administration of the access point/router via the wireless
> interface if your device supports it. Only perform admin tasks on the
> device via a wired interface.
> * Change the default admin password to somethng else and use a
> *STRONG* password. Closely guard the password.
>
> Personally I have UPnP enabled on my router and never use the DMZ
> functionality. I only allow one port incoming to be open on my router
> and that is for Secure Shell (SSH) use only. All remote access to my
> home LAN is done through the SSH tunnel which is totally encrypted
> from start-to-finish.
>
> "Jeff" <(E-Mail Removed)> wrote in message
> news:%(E-Mail Removed)...
>> I realize one can implement more secure wireless systems (VPN etc.),
>> but for
>> normal home use where VPN are not feasible, does the following seem
>> adequate for home broadband internet access in a wireless lan using a
>> router?
>>
>> 1. change the SSID to a personal one (broadcast to avoid lan
>> problems) 2. Use WPA with pre-Shared Passphrase
>> 3. enable MAC filtering
>> 4. UPnP turned off
>> 5. DMZ turned off
>>
>> Does reducing the range of ip addresses the router's DNS server can
>> use (to
>> 4-5) make it more secure or does it have no security benefit?
>>
>> [Of course I also have virus protection and regular Spyware checks].
>>
>> Jeff

That is usually not a router function although some Linksys routers can be
configured as a SSH server if you use third-party firmware. You would need
to run a SSH server on a PC. This would allow for remote secure file
transfer functionality and remote access/control of your home desktop PCs.
If you have no need for that functionality then don't worry about it.

--

Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the
mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no
rights...

"Jeff" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> Thank you. That is very helpful and I appreciate your taking the time to
> write.
>
> I have a SMC "barricade" G router that has all sorts of security features,
> and I have successfully implemented the other suggestions you made, but I
> am not sure how to do the following.
>
>> . I only allow one port incoming to be open on my router
>> and that is for Secure Shell (SSH) use only. All remote access to my
>> home LAN is done through the SSH tunnel which is totally encrypted
>> from start-to-finish.
>
> What should I look for in the router interface? Would doing this disable
> the ability to download files from the web or use FTP?
>
> Thank you again.
>
> Jeff
>

Thanks.

I don't think I need that level of security <grin>

Jeff

"Sooner Al [MVP]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> That is usually not a router function although some Linksys routers can be
> configured as a SSH server if you use third-party firmware. You would need
> to run a SSH server on a PC. This would allow for remote secure file
> transfer functionality and remote access/control of your home desktop PCs.
> If you have no need for that functionality then don't worry about it.
>
> --
>
> Al Jarvi (MS-MVP Windows Networking)
>
> Please post *ALL* questions and replies to the news group for the
> mutual benefit of all of us...
> The MS-MVP Program - http://mvp.support.microsoft.com
> This posting is provided "AS IS" with no warranties, and confers no
> rights...
>
> "Jeff" <(E-Mail Removed)> wrote in message
> news:%(E-Mail Removed)...
>> Thank you. That is very helpful and I appreciate your taking the time to
>> write.
>>
>> I have a SMC "barricade" G router that has all sorts of security
>> features, and I have successfully implemented the other suggestions you
>> made, but I am not sure how to do the following.
>>
>>> . I only allow one port incoming to be open on my router
>>> and that is for Secure Shell (SSH) use only. All remote access to my
>>> home LAN is done through the SSH tunnel which is totally encrypted
>>> from start-to-finish.
>>
>> What should I look for in the router interface? Would doing this disable
>> the ability to download files from the web or use FTP?
>>
>> Thank you again.
>>
>> Jeff
>>
>