Advice on how to protect a computer network

[Phoenix21]

Hello,

 

I'm working on building a small network within my new home, and I have sensive information retaining to my job that will use the network so I'm a bit worried as I don't know how to properly protect from threats as it will have multiple users who have access to the internet on it.

 

What advice on what to do/step to take will be greatly appreciated.

[Aytex]

VPN?

[SPAS-ID]

easy, never visit untrusted website and download from untrusted website

[WinNut]

Tell those using the network to never visit untrusted websites, and if you're seriously concerned about your data, just store the sensitive materials on a separate hard drive and unplug the SATA cable when you're not using it.

[Wombo]

Hello,

 

I'm working on building a small network within my new home, and I have sensive information retaining to my job that will use the network so I'm a bit worried as I don't know how to properly protect from threats as it will have multiple users who have access to the internet on it.

 

What advice on what to do/step to take will be greatly appreciated.

1. a good network firewall

2. network segmentation - users are on a separate network from the critical stuff

3. encrypt sensitive information

4. strong passwords and an additional firewall on any sensitive equipment

 

These would be my suggestions.

[BOT Edward]

Put that data on a separate drive and use bitlocker.

[.:MARK:.]

1. a good network firewall

2. network segmentation - users are on a separate network from the critical stuff

3. encrypt sensitive information

4. strong passwords and an additional firewall on any sensitive equipment

 

These would be my suggestions.

 

Let's not forget WiFi Wombo, run WPA2 with a password of length of 32 or higher, using all character sets, disable WPS.

[dalekphalm]

Let's not forget WiFi Wombo, run WPA2 with a password of length of 32 or higher, using all character sets, disable WPS.

My personal WIFI network uses full 64-character randomized password

 

It's a bitch to connect anyone new to it, but good luck brute forcing it

[.:MARK:.]

My personal WIFI network uses full 64-character randomized password

 

It's a bitch to connect anyone new to it, but good luck brute forcing it

 

I would just use EAP at that point. With active directory and a radius server.

[HapyM3al]

I would just use EAP at that point. With active directory and a radius server.

 

slightly easier way - Mac filter your wifi over WPA2.

 

a good firewall is a must. 

separate network over vlans maybe. one vlan for your connection and another for other users. 

[.:MARK:.]

slightly easier way - Mac filter your wifi over WPA2.

 

a good firewall is a must. 

separate network over vlans maybe. one vlan for your connection and another for other users. 

 

How would mac filtering help when I could just spoof the MAC of a trusted device, which is easy to get from airodump-ng?

[dalekphalm]

I would just use EAP at that point. With active directory and a radius server.

If I were a business, and not me, I would agree with you. But AD and a Radius Server is just too much of a hassle just for my personal WIFI.

 

However, for a small business? Sure, yeah that could definitely be a better option.

[.:MARK:.]

If I were a business, and not me, I would agree with you. But AD and a Radius Server is just too much of a hassle just for my personal WIFI.

 

However, for a small business? Sure, yeah that could definitely be a better option.

 

Heh, well I have the AD there for my virtualisation server with vsphere/vcenter and my VMs, so it was something I set up to familiarize myself. Though it's not operational now, I have to beta test some equipment.

[BOT Edward]

I would just use EAP at that point. With active directory and a radius server.

 

using a radius server is great if you have more than a certain amount of wifi users (like 20 or so) and want to use authentication within AD or something.

 

but for home use, the built-in AES256 encryption on modem/routers would do the trick as it would take years and years to brute force into it