Securing Home Network - attached devices

[K G G]

Hi All,

I want to tightly control the devices that attach wired and wireless to my home network.

So far I have restricted the IP address range in the router and assigned fixed IP addresses on certain machines (AP, Laptop, Desktop etc).

I am wondering if this is the best solution as it could lead to conflicts when another device (e.g. laptop) snaggs up the same IP as the (turned off) intended machine.

Should I register the actual MAC addresses in the router configuration options to only allow specific devices to connect?

Or what other best practice options are there for me?

[SuperSparks]

I do use MAC filtering for wireless, but be under no illusions, anyone who is prepared to make a bit of effort can easily discover and spoof a MAC.

Whether you use static or DHCP addresses makes no difference at all from a security standpoint. I prefer to have all physical hardware on my LAN to have a static IP. I generally allow virtual machines to use DHCP, because if they clash it isn't that big a deal. To avoid any possible conflicts with real hardware, I keep my static IP range in a different subnet to the DHCP assigned range, which I found works very nicely.

[K G G]

Sounds like assigning MAC is not worth the effort.
I did the IP assignements so that I could 'easier' identify which devices are connected to my network (knowing which machine should be what number exactly). Not sure if I could truly spot any intruders though.

What do you recommend to do to restrict outsiders jumping on my network? Other than strong WPA2 and passphrase of course ?

[SuperSparks]

All you really need is a strong WPA2 passphrase. I recommend a completely random set of characters including upper and lower case letters, numerals and symbols. Make it a minimum of 13 characters in length. That will give it a bit entropy of more than 80 bits, which at the current state of computing hardware is estimated to take more than 133 years to brute-force. And with truly random characters, no amount of rainbow tables, or other trickery, will do the bad guys much good.

You may as well use MAC filtering as well, which will at least discourage casual hackers from even bothering to try and get in.

[K G G]

Sounds good. I think I will set up everything available, at least for the learning experience alone.
And I use random password generators (via KeePass) for my stuff... I don't actually KNOW most of my PW's that way... talk about ultimate security

Thanks.