How to secure your home network

Reader Steve Hawley is all too typical. His home network houses a mix of Macs and Windows PCs, an old 802.11b Linksys router connected to a cable modem, and a couple of Airport Expresses connected to sound systems around the house. He wrote to us, seeking some advice on how to configure that network so he could:

1. Make the network work with both Macs and Windows clients, without letting strangers access it wirelessly (“I’ve tried to implement WEP128 security on all my devices, but when I do we lose access to the Internet”);
2. Secure his network “so outsiders can’t see into” it from the Internet; and
3. Remotely access files on the network—again, with security “so no random hacker can access my files while I’m away”.

His letter touched on enough common home-networking problems that we thought the solutions could help plenty of other Mac users.

Cross-platform security

Because Steve’s network has a mix of old 802.11b and newer 802.11g hardware, he should use WPA (Wi-Fi Protected Access) to protect it. An 802.11b device can be upgraded to work with WPA, but an older device will work much more slowly and could impair overall network performance.

WPA Personal is particularly useful in a mixed-platform network, because Windows (XP and Vista), Mac OS X 10.3.8 and later, iPhones, and other platforms can then all use the same passphrase to access the network. Nearly all Wi-Fi adapters made since 1999 have WPA Personal built in or can be upgraded to support it.

If Steve really wants to modernize his network’s security, he could make sure that all his networked gear is compatible with the WPA2 Personal protocol (which, among other things, uses stronger encryption than WPA Personal). AirPort Extreme hardware made since 2003 supports WPA2 Personal, as does much third-party gear made in the same time frame. But for most home networks, plain old WPA Personal will be fine.

To enable WPA or WPA2 Personal, Steve should open AirPort Utility, select the base station, go to the Wireless pane, select WPA/WPA2 Personal from the Wireless Security drop-down menu, and then enter and verify the password.

Barring outsiders

The best way to protect your network from outside intrusions over the Internet is to implement NAT (Network Address Translation). NAT shares out private IP (Internet Protocol) addresses to the computers and other devices on your network; these private addresses cannot be reached directly from outside the local network. When devices inside your network try to connect with the outside—to visit a Web site or download a song from the iTunes Store, for instance—NAT opens up a temporary relay. The outbound connection is made, a server responds, and the data is passed back to the locally requesting computer.

NAT-PMP is an Apple-designed protocol built into all of the Wi-Fi gear the company has released since 2003. NAT-PMP and a similar technology, UPnP (Universal Plug and Play), found in routers from other vendors, both enhance NAT by letting computers or other devices open direct inbound paths from the Internet on demand. Services such as Back to My Mac in Leopard require NAT-PMP or UPnP to let you make secure connections over the Internet to your home net.

Steve can turn on NAT-PMP in an Apple gateway by launching AIrPort Utility, selecting his base station, and clicking Manual Setup. In the Internet pane’s NAT tab, Enable NAT Port Mapping Protocol should be checked. If not, Steve could select the box, then click on Update. Routers other than Apple’s put UPnP support (together with port mapping, port forwarding, and similar controls) in their network configuration screens, which are usually accessed through a Web browser.

If you want more protection than NAT provides, you can install firewall and network-monitoring software on each computer connected to the network. For Mac OS X, there are any number of options. For Windows, that might be something such as McAfee Security Center (which provides antivirus protection as well) or ZoneAlarm Pro.

Of course, outside intruders aren’t the greatest security threat to your network. Windows systems are more likely to be attacked these days when you use Internet Explorer, Firefox, or Safari (for Windows) to browse a page embedded with malicious code. Antivirus software can help there.

Remote access

Steve’s final query had to do with securely accessing his files from outside his network, using either a Mac or a Windows PC. Fortunately, there are several ways to do this.

The first option is to host the files on a computer on your network, then turn on file sharing. To do so, open System Preferences and check the File Sharing box. Choose the volumes and folders you want to make accessible and which users will have access privileges through the Shared Folders and Users list.

The second alternative is to host the files on an NAS (network-attached storage) device: essentially, a hard drive with an IP address. Depending on the model, NAS devices can share via AFP, FTP, Samba, or some combination thereof. (Warning: Because FTP is not secure, I don’t advise using it for remote access; SFTP is a more secure alternative.)

Whether you store the files you want on a single computer or on an NAS device, you’ll also need to configure your router’s port mapping to give you remote access to the device. This requires giving that hardware a fixed IP address, from the range of private addresses your router sets for the local network (typically something like 192.168.1.XXX), then mapping the AFP port on the device to the router’s public port. The precise steps for doing so vary by router, so check your documentation.

If you’re using a Time Capsule or an AirPort Extreme Base Station (from 2007 or later), you can share files over the Internet without any port mapping. Launch AirPort Utility, select your base station, type Command-L for Manual Setup. Then click the Disks icon, choose the File Sharing tab, check Enable File Sharing and Share Disks Over WAN (if those options are not already checked) and click Update to restart the base station if necessary.

Note that Apple also recently updated its Time Capsule and AirPort Extreme hardware to provide remote access to internal and external drives via MobileMe; that access, of course, requires that you’re running Leopard (on the Macs from which you’re trying to gain access) and that you have a MobileMe account.

If you’d rather not go to the trouble of configuring remote access, you can instead sync the files you want to some kind of shared storage on the Internet. The best options for doing so with a mix of Mac and Windows users are MobileMe’s iDisk and DropBox.

With iDisk, you have as much as 20GB of online storage; you can get more for an annual fee in addition the service’s basic $99 yearly subscription.

Windows users can access files on iDisk from Windows Explorer; Apple has posted instructions for doing so. The URL for public access is http://idisk.mac.com/membername-Public, where membername is your iDisk user name.

If you enable iDisk synchronization on your Mac (on the iDisk tab of the MobileMe system preference pane, click Start under iDisk Sync), files modified on the iDisk are available from any computer with access to that MobileMe account. You can also store files in a Public folder, which is password-protectable.

DropBox might offer a simpler alternative to iDisk. The service stores copies of your files on its own systems, tracks revisions to files, and constantly updates any changed files to anyone who subscribes to a given folder. You can have your own private DropBox folder and as much as 2GB of storage at no cost, and then share any folder within that main folder with any other user. If you need more room, DropBox charges $9.99 per month or $99 per year for 50GB of storage.

DropBox uses a secure process to transfer file updates, and as long as you’re connected to the Internet, you’ll have the latest version of any file in any common folders on each Mac OS X or Windows system you use.

Glenn Fleishman is author of the e-book Take Control of Back to My Mac and a frequent contributor to Macworld.