Beef Up Security
The only way to guarantee the security of your network is to barricade it from the outside world--no Web, no e-mail, nada. But you need not adopt NSA-appropriate tactics to keep your data reasonably safe.
Put up walls: The road to a secure home network begins with a hardware firewall. Most routers have one, but those built into some inexpensive routers rely on NAT (network address translation) alone rather than using SPI (stateful packet inspection) technology--a superior approach designed to ensure that your computers receive only data they have specifically requested. Be sure, however, to change your router's default password when you set it up, and periodically thereafter.
Establish a second line of defense at each computer by turning on automatic Windows Updates, and installing antivirus, antispyware, and personal firewall software. Either buy a security suite (Symantec and McAfee offer ones that cost about $70 each) or use individual best-of-breed utilities like Webroot Spy Sweeper ($30), BitDefender antivirus ($30), and ZoneAlarm firewall software from Check Point (in its basic form, ZoneAlarm is free).
Whichever approach you take, don't rely on Windows XP's Windows Firewall for your protection, because it can filter incoming data only. ZoneAlarm and other third-party firewalls are bidirectional, protecting both incoming and outgoing information. Windows Vista's firewall is bidirectional, too, but you have to configure outgoing filtering yourself in a screen that you reach by typing wf.msc at a command prompt (for directions on how to proceed, see "Windows Vista Includes Two Firewalls?" from the Ask Dave Taylor Tech Support Blog). Vista also comes with Windows Defender antispyware, but not antivirus software.
Keep things simple by using the same utilities on all your PCs (look for economical "family packs"). Then install them while signed in on an administrator account, or--if appropriate--work with the parental controls found in many packages (and in Windows Vista). Keep your password secret: Remember, your network is only as secure as its weakest link.
Cover the airwaves: Firewalls and security suites are futile against packet sniffers that capture wireless traffic on a given frequency. Use the strongest encryption standard your Wi-Fi equipment supports: From strongest to weakest, the options are WPA2, WPA, and WEP.
Intruders armed with readily available software can break into WEP in minutes, rendering it virtually worthless except as a method to prevent bandwidth hogging by your neighbors. We recommend that you invest in new adapters if necessary to ensure that you can make the switch to WPA. To provide both your old and your new adapters with maximum security, choose a router that offers a simultaneous WPA+WPA2 mode.
Regardless of anything you may have heard to the contrary, neither using MAC (Media Access Control, a unique hardware identifier) address filtering nor turning off SSID (service set identifier--basically your Wi-Fi network's name) broadcasting is an effective security measure. Both are easier to bypass than WEP, and they can create connection and administration hassles.
MAC address filtering, for example, requires you to enter a device's MAC address into your router's firmware to authorize it to connect to your network. But anyone listening in can spoof your authorized MAC addresses on their own equipment. Similarly, sniffers can detect even nonbroadcast SSIDs, so turning off broadcasting only makes it harder for legitimate users to connect to your network.
Safe travels: Open hotspots are notorious sources of infection. For true security on public networks, use a virtual private network to encrypt all Internet traffic between your computer and an intermediate server. Companies often run their own VPN servers for employees; or you can sign up for a VPN service such as WiTopia PersonalVPN ($40 per year) or JiWire Hotspot Helper ($25 per year). (Full disclosure: PCWorld.com relies on JiWire to power its HotSpot Finder.)
Next, in your Wi-Fi settings, turn off ad hoc (computer-to-computer) networking and prevent automatic connections to nonpreferred networks. In XP, you can change both of these settings by clicking the Wi-Fi icon in the system tray and selecting Change advanced settings. Under the Wireless Networks tab, click Advanced, followed by Access point (infrastructure) networks only. Also, uncheck Automatically connect to non-preferred networks.
In Windows Vista, turn off the Vista Network Discovery feature (which allows other computers to see you on a network) when you're at hotspots. Vista will switch it off automatically if you designate a connection as 'Public', but alternatively you can disable it manually in the 'View Network Status and Tasks' control panel.
Add a Second Network for Safety
If your kids open lots of ports on your router for games and video chats, or if you want to run a home Web server or public Wi-Fi network, consider setting up a second router to isolate these risky activities from the rest of your network. In a nutshell, you plug one router into the other, and assign each a different starting IP address (such as 192.168.1.1 and 192.168.2.1). Then you attach your servers--or the at-risk PCs--to the router that's directly connected to your broadband modem, and all your other computers to the second router. Internet traffic to and from the unsafe area will not reach your secure subnetwork at all.
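An added illustration, not part of the original article: a toy Python model of the stateful packet inspection described under "Put up walls" and of the two-router layout above. The SpiRouter class, the sample addresses, and game port 27015 are constructed for this example, and addresses are shown after NAT translation to keep the model short.

```python
from ipaddress import ip_address, ip_network

class SpiRouter:
    """Toy NAT router with stateful packet inspection (addresses shown post-NAT)."""

    def __init__(self, lan, forwards=()):
        self.lan = ip_network(lan)
        self.forwards = set(forwards)  # (lan_ip, port) pairs opened on purpose
        self.flows = set()             # state table: (lan_ip, remote_ip, port)

    def outbound(self, src, dst, port):
        """A LAN host opens a connection; record it so the reply can return."""
        self.flows.add((src, dst, port))

    def inbound(self, src, dst, port):
        """Admit a WAN-side packet only for a tracked flow or an opened port."""
        if ip_address(dst) not in self.lan:
            return False
        return (dst, src, port) in self.flows or (dst, port) in self.forwards

# Constructed sample topology (all addresses are illustrative).
INTERNET, WEB = "203.0.113.7", "198.51.100.20"
GAME_PC, INNER_WAN, OFFICE_PC = "192.168.1.50", "192.168.1.2", "192.168.2.10"

def simulate():
    outer = SpiRouter("192.168.1.0/24", forwards=[(GAME_PC, 27015)])
    inner = SpiRouter("192.168.2.0/24")  # secure router: no ports opened
    seen = {}
    # Unsolicited Internet traffic reaches the game PC only on its opened port.
    seen["internet->game:27015"] = outer.inbound(INTERNET, GAME_PC, 27015)
    seen["internet->game:445"] = outer.inbound(INTERNET, GAME_PC, 445)
    # The exposed game PC probes the office PC; the inner router drops it.
    seen["game->office:445"] = inner.inbound(GAME_PC, OFFICE_PC, 445)
    # The office PC browses: both routers record the flow on the way out...
    inner.outbound(OFFICE_PC, WEB, 443)
    outer.outbound(INNER_WAN, WEB, 443)
    # ...so the requested reply is admitted at each hop,
    seen["web reply->office"] = (outer.inbound(WEB, INNER_WAN, 443)
                                 and inner.inbound(WEB, OFFICE_PC, 443))
    # while a different Internet host using the same port is not.
    seen["stranger->office:443"] = inner.inbound(INTERNET, OFFICE_PC, 443)
    return seen

if __name__ == "__main__":
    for flow, admitted in simulate().items():
        print(f"{flow:24} {'admitted' if admitted else 'dropped'}")
```

In this model, every port opened for games lives on the outer router only, so the inner router's state table is the sole path into the secure subnetwork.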