
How to Secure Your Home Network

Reader Steve Hawley is all too typical. His home network houses a mix of Macs and Windows PCs, an old 802.11b Linksys router connected to a cable modem, and a couple of Airport Expresses connected to sound systems around the house. He wrote to us, seeking some advice on how to configure that network so he could:

1. Make the network work with both Macs and Windows clients, without letting strangers access it wirelessly ("I've tried to implement WEP128 security on all my devices, but when I do we lose access to the Internet");

2. Secure his network "so outsiders can't see into" it from the Internet; and

3. Remotely access files on the network--again, with security "so no random hacker can access my files while I'm away".

His letter touched on enough common home-networking problems that we thought the solutions could help plenty of other Mac users.

Cross-platform security

Steve's network has a mix of old 802.11b and newer 802.11g hardware. He should use WPA (Wi-Fi Protected Access), a 2004 update to Wi-Fi security, to protect it. 802.11b devices can be upgraded to work with WPA, but older devices work much more slowly, and drag the network and computer down.

That's why my first suggestion is to dump any old 802.11b hardware and replace it with newer 802.11g and 802.11n devices. Such hardware is available from Apple, Linksys, Netgear, and other vendors, with prices as low as US$30. Apple's latest AirPort Extreme Base Station for example, is priced at the high end (at $179), but includes a Gigabit Ethernet switch, supports multiple hard drives and printers via USB, and can transmit on two spectrum bands at the same time.

No matter which hardware you use, if it's all 802.11g or better, you should be able to use the WPA Personal encryption system to secure your network. Introduced five years ago, WPA Personal replaced the broken WEP encryption system, which was both less secure and harder to use. If your network contains even a single 802.11b device, you must fall back to WEP or to a hybrid WEP/WPA mode, which Apple supports but which works poorly.

With WPA Personal, Windows XP (preferably Service Pack 2 or later) and Vista, Mac OS X 10.3.8 and later, iPhones, and other platforms can all use the same password to gain access to the network. That encryption key can be from eight to 63 characters long and combine letters, numbers, and punctuation marks. Nearly all Wi-Fi gear made since 1999, when used with these operating systems above, should support WPA Personal.

WPA2 Personal uses stronger encryption than WPA Personal, but requires more modern hardware (an AirPort Extreme made in 2003 or later, or much third-party gear made in the same time frame). For most home networks, the more advanced encryption of WPA2 Personal won't make that much difference.
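The "same password on every platform" behaviour described above works because WPA and WPA2 Personal both turn the SSID and passphrase into the same 256-bit Pre-Shared Key using PBKDF2-HMAC-SHA1 (IEEE 802.11i). The following is an added example, not code from the original article or from Apple; the SSID and passphrase values are constructed for illustration, and the 4096-iteration stretching is also why a longer passphrase matters: every offline guess costs an attacker 4096 HMAC computations.

```python
import hashlib

# IEEE 802.11i: PSK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096 iterations, 256 bits)
PBKDF2_ITERATIONS = 4096
PSK_BYTES = 32


def is_valid_passphrase(passphrase: str) -> bool:
    """802.11i rules: 8 to 63 characters, each printable ASCII (codes 32..126)."""
    if not 8 <= len(passphrase) <= 63:
        return False
    return all(32 <= ord(c) <= 126 for c in passphrase)


def derive_psk(ssid: str, passphrase: str) -> bytes:
    """Return the 32-byte PSK that every client (Mac, Windows, iPhone) derives
    from the same SSID and passphrase, so they all agree on the key.

    A 64-character hex string is treated as a raw PSK, as most supplicants do.
    """
    if len(passphrase) == 64:
        try:
            return bytes.fromhex(passphrase)
        except ValueError:
            pass  # not hex, fall through and treat it as a normal passphrase
    if not is_valid_passphrase(passphrase):
        raise ValueError("passphrase must be 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),   # the SSID is the salt, so renaming the network changes the PSK
        PBKDF2_ITERATIONS,
        PSK_BYTES,
    )


if __name__ == "__main__":
    # Constructed values; "IEEE"/"password" is the standard's own published test vector.
    print(derive_psk("IEEE", "password").hex())
    print(derive_psk("HawleyHome", "correct horse battery staple").hex())
```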

To enable WPA or WPA2 Personal, you open AirPort Utility, select your base station, then go to the Wireless pane, select WPA/WPA2 Personal from the Wireless Security drop-down menu, then enter and verify the password you want.

With WPA Personal implemented, no one without the network password can gain access wirelessly.

Barring outsiders

The best way to protect your network from outside intrusions over the Internet is to implement NAT (Network Address Translation). NAT hands out private IP (Internet Protocol) addresses to the computers and other devices on your network; these private addresses cannot be reached directly from outside the local network, so unsolicited inbound connections never reach your machines unless you deliberately map a port to them.

When devices inside your network try to connect with the outside--to visit a Web site or download a song from the iTunes Store, for instance--NAT opens up a temporary relay. The outbound connection is made, a server responds, and the data is passed back to the locally requesting computer. When software on your network needs an inbound mapping of its own, it requests one through what's called NAT-PMP (NAT Port Mapping Protocol).

NAT-PMP is built into all Apple Wi-Fi gear released since 2003. A similar technology, UPnP (Universal Plug and Play), is found in most routers from other makers. Services such as Back to My Mac in Leopard require NAT-PMP or UPnP to securely let you make external connections to your home net.

To turn on NAT-PMP on an Apple Wi-Fi gateway, you use AirPort Utility, connect to your base station, and click on Manual Setup. In the Internet pane's NAT tab, make sure Enable NAT-PMP is checked. If not, check the box, then click on Update. Routers other than Apple's put UPnP support in their network configuration dialogs, usually accessed through a Web browser, and grouped with port mapping, port forwarding, and similar controls.
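Turning on NAT-PMP lets any program on the LAN ask the base station to open a port, and nothing in the protocol authenticates that request, so it is worth knowing what such a request looks like and reviewing the mappings your router reports. The following is an added example, not code from the article or from Apple: it builds and decodes NAT-PMP messages in the RFC 6886 wire format without sending anything. The port 548 (AFP) and the reply bytes are constructed for illustration.

```python
import struct

NATPMP_PORT = 5351  # UDP port the gateway listens on (RFC 6886)
OPCODE_UDP, OPCODE_TCP = 1, 2
RESULT_CODES = {0: "success", 1: "unsupported version", 2: "not authorized/refused",
                3: "network failure", 4: "out of resources", 5: "unsupported opcode"}


def build_mapping_request(proto: str, internal_port: int,
                          external_port: int = 0, lifetime: int = 3600) -> bytes:
    """12-byte request: version 0, opcode, reserved, internal port,
    suggested external port (0 = let the gateway choose), lifetime in seconds.
    A lifetime of 0 asks the gateway to delete the mapping."""
    opcode = {"udp": OPCODE_UDP, "tcp": OPCODE_TCP}[proto.lower()]
    return struct.pack("!BBHHHI", 0, opcode, 0, internal_port, external_port, lifetime)


def parse_mapping_response(data: bytes) -> dict:
    """Decode the 16-byte reply: version, opcode (request opcode + 128),
    result code, gateway uptime, internal port, granted external port, lifetime."""
    if len(data) < 16:
        raise ValueError("NAT-PMP mapping response must be at least 16 bytes")
    version, opcode, result, epoch, internal, external, lifetime = struct.unpack(
        "!BBHIHHI", data[:16])
    if version != 0 or opcode not in (128 + OPCODE_UDP, 128 + OPCODE_TCP):
        raise ValueError("not a NAT-PMP mapping response")
    return {
        "proto": "udp" if opcode == 128 + OPCODE_UDP else "tcp",
        "result": RESULT_CODES.get(result, f"unknown ({result})"),
        "gateway_uptime": epoch,
        "internal_port": internal,
        "external_port": external,  # may differ from what was asked for
        "lifetime": lifetime,
    }


if __name__ == "__main__":
    req = build_mapping_request("tcp", 548, 548, 3600)   # expose AFP for an hour
    print("request :", req.hex())
    # Constructed reply: gateway grants the mapping but on external port 10548.
    reply = bytes.fromhex("00820000000003e80224293400000e10")
    print("response:", parse_mapping_response(reply))
```

Deleting a mapping is the same request with lifetime 0; mappings also expire on their own when the lifetime runs out unless the application renews them.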

If you want more protection than NAT provides, you can install firewall and network-monitoring software on each computer connected to the network. For Mac OS X, there are any number of options. For Windows, that might be something such as McAfee Security Center (which provides antivirus protection as well) or ZoneAlarm Pro.

Of course, outside intruders aren't the greatest security threat to your network. Windows systems are more likely to be attacked these days when you use Internet Explorer, Firefox, or Safari (for Windows) to browse a page embedded with malicious code. Antivirus software can help there.

Remote access

Steve's final query had to do with securely accessing his files from outside his network, using either a Mac or a Windows PC. Fortunately, there are several ways to do this.

The first option is to host the files on a computer on your network, then turn on file sharing. To do so, open the Sharing pane of System Preferences and check the File Sharing box. Choose the volumes and folders you want to make accessible, and which users will have access privileges, through the Shared Folders and Users lists.

The second alternative is to host the files on a NAS (network-attached storage) device: essentially, a hard drive with an IP address. Depending on the model, NAS devices can share via AFP, FTP, Samba, or some combination thereof. (Warning: Because FTP is not secure, I don't advise using it for remote access; SFTP is a more secure alternative.)

Whether you store the files you want on a single computer or on a NAS device, you'll also need to configure your router's port mapping to give you remote access to the device. This requires giving that hardware a fixed IP address from the range of private addresses your router sets for the local network (typically something like 192.168.1.XXX), then mapping the AFP port on the device to a public port on the router. The precise steps for doing so vary by router, so check your documentation.

If you're using a Time Capsule or an AirPort Extreme Base Station (from 2007 or later), you can share files over the Internet without any port mapping. Launch AirPort Utility, select your base station, type Command-L for Manual Setup. Then click the Disks icon, choose the File Sharing tab, check Enable File Sharing and Share Disks Over WAN (if those options are not already checked) and click Update to restart the base station if necessary.

Note that Apple also recently updated its Time Capsule and AirPort Extreme hardware to provide remote access to internal and external drives via MobileMe; that access, of course, requires that you're running Leopard (on the Macs from which you're trying to gain access) and that you have a MobileMe account.

If you'd rather not go to the trouble of configuring remote access, you can instead sync the files you want to some kind of shared storage on the Internet. The best options for doing so with a mix of Mac and Windows users are MobileMe's iDisk and Dropbox.

With iDisk, you have as much as 20GB of online storage; you can get more for an annual fee in addition to the service's basic $99 yearly subscription.

Windows users can access files on iDisk from Windows Explorer; Apple has posted instructions for doing so. The URL for public access is http://idisk.mac.com/membername-Public, where membername is your iDisk user name.

If you enable iDisk synchronization on your Mac (on the iDisk tab of the MobileMe system preference pane, click Start under iDisk Sync), files modified on the iDisk are available from any computer with access to that MobileMe account. You can also store files in a Public folder, which is password-protectable.

Dropbox might offer a simpler alternative to iDisk. The service stores copies of your files on its own systems, tracks revisions to files, and constantly updates any changed files to anyone who subscribes to a given folder. You can have your own private Dropbox folder and as much as 2GB of storage at no cost, and then share any folder within that main folder with any other user. If you need more room, Dropbox charges $9.99 per month or $99 per year for 50GB of storage.

Dropbox uses a secure process to transfer file updates, and as long as you're connected to the Internet, you'll have the latest version of any file in any shared folder on each Mac OS X or Windows system you use.

Glenn Fleishman is author of the e-book Take Control of Back to My Mac and a frequent contributor to Macworld.
