In this article we will show you how to secure your home network using IP addressing. By making some simple changes to the way you address the home or small business network, you can easily provide visitors with Internet access without exposing your own computers, appliances and servers to them. By logically separating visitors from your own devices you greatly reduce the chances of virus infection and loss of personal information.
Section 1: Setting Up WEP – DON’T – WEP IS NOT SECURE – USE WPA2 [or WPA3 when available]
[When this article was originally written, WEP had not been hacked. We have left the instructions for those of you who have older wireless routers without WPA, as well as for historical interest. The process of using addressing is still valid in Section 2 below.]
Nonetheless, this section provides instruction on setting your WEP (Wired Equivalent Privacy) keys to lock down your wireless router. This should be mandatory for everyone who owns a wireless router.
You will want visitors to be able to use your network from time to time, so you must provide that key or password. So further protection is discussed in Section 2.
Your wireless router will connect to any Wi-Fi device when it comes out of the box. This is great to get started, but you don't want anyone just pulling up to your home or small business and using the Internet you pay for. Also, you definitely don't want anyone attacking your computers or Internet appliances such as gaming systems, iPods, and other devices. The solution is to create an encrypted environment where messages between your wireless router and anything using the wireless are encoded with secret keys.
Because encryption is so important to network security, manufacturers build it into many wireless routers and APs (access points). Two popular encryption standards are WEP (Wired Equivalent Privacy) and WPA (Wi-Fi Protected Access); your AP may support one or the other, or both. We’ll show you how to set up the older (but still serviceable) WEP encryption. It’s worth noting that wireless adapters that don’t support your AP’s encryption standard (WEP or WPA) can’t connect to your network. If you buy a new AP for an old network, you may need to upgrade some components to take advantage of the AP’s best encryption.
WEP uses a key (a string of characters) to encrypt your vulnerable data. For example, your AP uses the key to encrypt the data before it’s released into the air. When your adapter receives the data, it uses that same key to decrypt the data. Only your devices know the key, which means that a hacker can’t break into the network until he determines the key. Of course, hackers have programs that attempt to crack the key, which is why you’ll want to change your key on a regular basis. If you set a key when you first install your AP and then ignore it, you’re ensuring that any hacker who manages to crack the key has access for an unlimited amount of time.
When you enable WEP for your network, you can most likely choose between 64-bit and 128-bit encryption. The key makes up 40 and 104 bits, respectively, and each key has a 24-bit code (hence 64-bit and 128-bit encryption). Choose the latter to provide the strongest defense. That said, you can’t expect 128-bit strength to completely protect you, as some cracking techniques can crack either standard over the course of a few hours. Think of WEP as latches on your home’s windows: they prevent average snoops from climbing into your home, but a skilled criminal is going to find a way to enter your house.
Keep in mind that WEP encryption may slow your network a little. If you find that 128-bit encryption has a large impact on network performance you may need to back down to 64-bit encryption.
To determine whether you are attempting to connect to a WEP-protected network, check your PC wireless adapter’s network utility or open Windows’ Wireless Network Connection feature (you’ll find the icon in your System Tray when your wireless adapter is active). The Windows Wireless Network Connection lists available networks and uses a lock symbol to indicate protected networks, but it doesn’t indicate whether the encryption standard you are facing is WEP or WPA.
You can set up your network’s encryption when you first install an AP or router, as well as any time after you’ve completed the network. Keep in mind that as soon as you enable WEP encryption, your PCs and notebooks no longer communicate with your network; you’ll need to supply the key for each device so it can re-enter the network.
The AP’s (or router’s) configuration menu houses your wireless encryption options. Browse your manual to find the device’s IP address (such as 192.168.1.245) and then enter the address in your Internet browser. The configuration menu varies by device and manufacturer, but you probably won’t have much trouble finding the section that handles wireless security; the configuration menus generally aren’t very complicated.
You may need to create your own key. To do this, simply enter random numbers and letters into the appropriate field: letters between A and F, and numbers between 0 and 9. If you use 64-bit encryption, enter 10 characters; if you choose 128-bit encryption, enter 26 characters.
Many of the configuration menus let you enter a passphrase that you can more easily remember. The menu then generates a key based on your password. You can use the password in lieu of the key on other devices from the same manufacturer, but devices from other manufacturers may not support passphrases, so be sure to write down the key, even if you use the passphrase feature. In our experience, you can use your passphrase to generate an identical key (to your AP’s key) even with adapters from other manufacturers.
The configuration menu may offer up to four key fields, but you’ll only need to enter one key. If you enter a different key into each field, you’ll find that three of the keys are inactive. Some vendors add those extra fields so you can save time when you come back later to enter a new key: You can simply select one of the other three keys, rather than enter a new key.
Once you enable WEP via your router or AP, you can reconnect the network’s computers to the network. If you want to use Windows’ Wireless Network Connection feature, right-click its icon in your System Tray and then click View Available Wireless Networks. The feature displays any networks that your adapter can reach—you may find many nearby networks if you live in a crowded area. Select your network from the list and then click Connect. Next, you’ll need to supply the WEP key. The feature then lets your computer connect to the WEP-encrypted network.
Many adapters include their own wireless networking utilities. If you open your adapter’s utility, you may see a message that asks permission to disable Windows’ Wireless Network Connection. Disable the feature and then use the adapter’s utility to select your network. Enter the wireless key (or passphrase, if the utility supports it). Finally, open your browser (or your Network Connections folder) to make certain you can access the network.
Section 2: Segregating Your Network into Two Subnetworks
This section discusses how you can create two subnetworks in your home or business: one for your personal use and one for visitors. This is a great way to prevent access to your personal information and block harmful virus infection from visiting computers and appliances that you cannot control.
The way to separate your home or small business into two logical networks is to use IP addressing. One logical subnetwork will support your personal computers and internet appliances, while the other can be used for visitors.
Subnetting is essentially the modification of a single IP network to create two or more logically visible sub-networks or sub-sections. This is accomplished by changing the network mask (sometimes called the subnet mask) in IP addressing. It entails changing the subnet mask of the local network number to produce an even number of smaller network numbers, each with a corresponding range of IP addresses.
While we don't fully explain subnet masks here, you can still do this by following these simple instructions.
Before you continue: one downside is that once you do this, the equipment in one logical subnetwork cannot communicate directly with the other subnetwork (but isn't that the whole point?) unless routing allows it. Of course, that does not mean that they cannot send email to each other or use any other Internet application.
The home router/gateway is probably set for IP address 192.168.1.1 with a mask of 255.255.255.0. Each connected device gets its IP (Internet Protocol) address from the gateway via DHCP (Dynamic Host Configuration Protocol), whether it is wired or wireless.
To separate the users into two logical networks that cannot see each other, you first need to change the default network mask in the gateway/router to 255.255.255.128. This breaks your network into two groups: 192.168.1.1 through 192.168.1.127 and 192.168.1.129 through 192.168.1.255.
All the DHCP users will continue to work in the first of the two groups.
Each PC you want to separate must be manually configured (Network Settings, select the interface, click Properties, select IPv4 and change from automatic) to be in the upper IP address range with the .128 mask and a default gateway of 192.168.1.1.
The result is that the gaming systems will use DHCP, whereas your sensitive computers will be manually configured by you.
You can certainly do this the other way, but my experience is that the gaming systems are a pain to configure. Also, if you have laptops that then move to the office, you will probably have to change the IP settings to get their addresses automatically.
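An added example (not part of the original article) that uses Python's standard ipaddress module to check the addressing plan from Section 2 before you touch the router: it lists each half's network, usable host and broadcast addresses, and tests whether a host's default gateway falls inside its own subnet. The helper names and the two sample host addresses are constructed for illustration.

```python
import ipaddress

# Values from the article; the helper names are made up for this example.
LAN = ipaddress.ip_network("192.168.1.0/24")
NEW_MASK = "255.255.255.128"
GATEWAY = ipaddress.ip_address("192.168.1.1")


def split_lan(lan=LAN, mask=NEW_MASK):
    """Return the subnets produced by applying the longer mask to the LAN."""
    new_prefix = ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen
    return list(lan.subnets(new_prefix=new_prefix))


def describe(subnet):
    """Network, first/last usable host and broadcast address of a subnet."""
    hosts = list(subnet.hosts())
    return {
        "network": str(subnet.network_address),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "broadcast": str(subnet.broadcast_address),
    }


def subnet_of(address, mask=NEW_MASK):
    """Subnet a host believes it is on, given its address and mask."""
    return ipaddress.ip_interface(f"{address}/{mask}").network


def same_segment(addr_a, addr_b, mask=NEW_MASK):
    """True if two hosts using this mask see each other as directly reachable."""
    return subnet_of(addr_a, mask) == subnet_of(addr_b, mask)


def gateway_on_link(address, mask=NEW_MASK, gateway=GATEWAY):
    """True if the default gateway lies inside the host's own subnet."""
    return gateway in subnet_of(address, mask)


if __name__ == "__main__":
    for net in split_lan():
        print(net, describe(net))
    # Constructed sample hosts: a DHCP visitor and a manually configured PC.
    visitor, private_pc = "192.168.1.50", "192.168.1.200"
    print("same segment:", same_segment(visitor, private_pc))
    for host in (visitor, private_pc):
        print(host, "gateway on-link:", gateway_on_link(host))
```

A host for which the gateway check returns False has no directly connected route to 192.168.1.1, so run the check on every manual address you plan to assign.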