Originally Posted By: Ethan1
Every security measure has a countermeasure. If we put enough measures in place, it will require a somewhat sophisticated and patient attacker to overcome them, which is a lot better than leaving the shoddy default settings. Clicking a few buttons can take us from "open access point" to "astute neighbor kids figured it out" to "an experienced wardriver could get in".
Yep, it is just that some measures are far more effective than others. WPA2-AES with a complex password on a router with the most recent firmware, or even better, a solid firewall, also protected with a complex password, with UPnP and other "access" services disabled, not acting as a DNS proxy (have it set to hand out the OpenDNS, Norton or other 3rd party DNS service) is a good start. The actual benefit of adding MAC filtering and SSID hiding to this is questionable, but it definitely makes it a bigger PITA to administer.
You can make it really complex with traffic filtering via an appliance and the like, but this is generally outside the comfort zone for your typical home user. Ultimately, the above is generally sufficient when coupled with a good AV solution. Further isolation of wireless devices by putting them on a separate network can also be easily implemented and is supported by a lot of the "better" consumer devices.
For somebody even remotely savvy, picking up a used Cisco ASA or Juniper SSG is an inexpensive way to get far more robust network gear. I would say the SSG is a fair bit easier to set up for your average user. There are also other commercial firewall solutions like CheckPoint and SonicWall which are also easy to set up and worth considering.