Making my AirPort network as strong as possible


Mac Enthusiast
I've recently purchased an AirPort Extreme and set up a wireless network with 128-bit WEP protection and a password. However, I read that 128-bit WEP is insecure nowadays.

I've heard about some people in my local area driving around with a laptop and connecting to people's Internet connections and downloading stuff, etc., even accessing some of their files through shared drives.

There are so many options in the AirPort Admin Utility just for security (128-bit WEP, WPA Enterprise, etc).

I've read up on some tactics, heard that I should change default passwords, default IP addresses, etc.

Would it be safer if I could somehow specify only TWO IP addresses for two computers could only ever use it? If so, how?
If you want it very secure then use an ethernet cable instead of wifi. If that's out of question, setup a MAC filter in addition to your WEP protected wifi and turn off filesharing on your network systems. I am not sure how to tell the dhcp that only two IPs may be given out and never more. That would definitely be a good idea if you will never have more than 2 computers connected.
Logically it makes sense that you would only need 2 addresses for 2 computers, however this isn't always the way that it works.

DHCP gives out the next available address when it receives a request, unless the client specifies the address that it previously had. In which case the DHCP server checks if the address is available. If the address is available (or is leased to the requesting machine) the address remains the same. If not a new address is issued.

In practice this results in your computer getting the same address about 99% of the time. But there are cases where your computer will have requested an address and not release the address prior to asking for a new one (i.e. system crash, power outage, etc) and your computer will get a new address.

If this were to happen and your DHCP server only had a pool of 2 addresses, you would not be able to receive one, thus you've prevented yourself from joining your own network (the only way I know how to resolve this issue for hardware DHCP servers is to restart the device).

So, I would advise against setting up your DHCP server this way. MAC address filtering accomplishes the same task and is harder to break.
What you want to do for security is two things:

1) MAC Filtering
2) WPA Personal

#1 has one drawback, and that is nobody coming over can 'just connect'... you have to add their machine to the filter list before they can connect, although since you only have to do it once, it might be worth it.

I am surprised that #2 hasn't been mentioned yet... the base station and wireless cards from Apple support it (and many stations from other brands support it... just look for WPA on the box). WPA is leaps and bounds better than WEP, especially if you set it up to use AES for encryption.

The end result is that they have to defeat two layers of protection. They have to defeat WPA, which right now is enough to get someone to give up and go after a better target... and in the off chance they do that (weak password that falls to a wordlist attack), they have to fake their MAC address and have special equipment. This drops the number of people who would WANT in your network low enough that break-in is very unlikely.
Thank you all for your help.

MAC Filtering

So I assume this is where I add my MAC filters? I only ever want two computers to connect to my AirPort network (my iMac and the downstairs family PC). My understanding (and I'm a novice at this so I could very well be wrong) is that wireless cards have their own MAC address, and by adding them into this access control pane that only the computers with access to these actual wireless cards can access my network. For another computer to access my network I'd have to either add their MAC address to the list, or take out the AirPort card from my iMac and place it in theirs with the current configuration. Right or wrong? :p

WPA Personal

And with WPA Personal, do I change it here? How much more secure is this? And how do I make WPA Personal most secure when I activate it?

As for file security, I have totally revised my shares. All of the shared data is on the PC, so I've set it up so only our music folders are shared but cannot be written to or modified by anyone on the network and an empty transfer folder which can have its contents modified (always empty).

Thank you all for you help. My main concern is not having anyone use my Internet connection.
Definitely go with WPA. WEP is pretty much useless as you can crack it in under an hour.

WPA + MAC filtering and your wireless network will be as secure as you can get.
I know this is common but also hiding your SSID so that scans with apps such as KisMac dont pick it up means you are less likely to be found unless someone knows the name of your network.

I out of curiosity had a look around my area in my car with KisMac (for those of you that don't know, this is the single best wireless app) and found ALL people had SSID on, they lit up like a Christmas tree.....

...rather shameful most had no security. I almost wanted to write a letter offering them advice on how to be a little more secure.
Okay, while my AirPort Extreme supports WPA, unfortunately my iMac only supports the crumby 802.11b AirPort cards, therefore WEP is my only option. :(
Hide your SSID. That makes it harder for people to hack your network, especially if they don't know it is there.