Securing your Home Wireless Network
The use of some type of high speed Internet connection at home such as DSL or cable modem is now almost as common as a phone line. The next step is usually installing a wireless router so you can roam around on your laptop and other Internet-connected devices. Such an installation at home can be a relatively quick task, especially if you are inclined to do only the bare minimum and move on to using your computer, surfing the internet, etc.
Most people don’t think twice about “security and privacy issues” at home. However, just think about the tasks you are going to do and the type of information you may be accessing on your home wireless network. More than likely, you may be accessing banking information. You may be shopping online and submitting your credit card information. You may be accessing health information from your doctor and/or insurer. You may be doing your taxes. You might access social networking sites. You may even be using your employer issued credentials to work remotely. Are you comfortable exposing that type of information on an insecure network?
Take the time to configure your network properly (it won’t take long) and you’ll greatly reduce the risks to your sensitive information and maybe even improve the performance of your Internet connection. Improperly secured wireless networks (home and otherwise) are a goldmine of personally identifiable information. They are also a backdoor into corporate networks for seasoned hackers, the neighborhood “tech geek” who may or may not be malicious, and others simply looking for free Internet access. If you wonder why your Internet connection is slow, it may be your neighbors.
“But my router already has a firewall. Why do I need these added security measures?” Your router may include basic firewall functionality, which can slow down or prevent hackers on the Internet from accessing your computer remotely.
But the firewall only protects against traffic coming from the Internet to your network. It doesn’t stop people in range of your wireless signal from joining your network and bypassing that firewall. A wireless network typically broadcasts its name and availability to anyone within range. This range is increasing and can be up to 300 feet for an “N” network. Your wireless router manufacturer wants to make it as easy as possible to set up, to minimize customer service calls – not necessarily to secure your information.
As information security has increased in importance, some manufacturers have improved the default settings, but it is up to you to ensure that your wireless network and information are as secure as possible. This guide will instruct you how to thwart your neighbors and that suspicious-looking van down the street from piggybacking on your network, and you’ll learn the basics of configuring your router to protect against attackers from the Internet.
This guide is divided into three sections. First, the mandatory, must-do, “why doesn’t it come this way?” configuration. Even a novice should be able to make all these changes within five minutes, and they won’t take any afterthought or need any maintenance. The second section is for more advanced users who want to take extra precautions. The tips in this section might require a little more time. The final section is more technical and debunks some common security methods that may increase the work for any potential attacker, but should not be relied on to protect your connection or sensitive data.
You’ll need to know how to access your router’s configuration. You should be able to quickly find this in the router’s documentation, but you can also follow these steps. Most routers have a web-based management system, accessible by typing your router’s IP address in your web browser’s address bar (Apple users, please see the end of this document). To find that address, click your Start button and find Command Prompt or run cmd. Type ipconfig and press Enter. You need the Default Gateway, which should appear as a list of four numbers separated by dots, e.g., 192.168.0.1.
Then, all you need is your router’s username and password. If you don’t know it, look up your model on http://www.routerpasswords.com.
First, change your router’s administrative password. As mentioned above, all routers come with a standard username and password, and any hacker can look them up just as easily as you can if you don’t change them. All routers let you change the password, but some will also let you change the username. Change both, if you can. Don’t be cute and use a password such as “password”, “1234”, “asdfgh” etc. Ideally use a combination of letters, numbers, and special characters.
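The Default Gateway lookup described above, as an added example in Python that is not part of the original guide. It reads a constructed sample of ipconfig output, skips adapters with no gateway, and handles the case where the IPv4 address sits on a continuation line under an IPv6 gateway; the function name and the sample text are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample of Windows ipconfig output (not captured from a real host).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected

Wireless LAN adapter Wireless Network Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.0.104
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::1%12
                                       192.168.0.1
"""

_ADAPTER = re.compile(r"^(\S.*adapter .*):\s*$")
_GATEWAY = re.compile(r"^\s*Default Gateway[ .]*:\s*(.*)$")


def default_gateways(ipconfig_text):
    """Return {adapter name: [IPv4 gateway, ...]} for adapters that have one."""
    result, adapter, in_gateway = {}, None, False
    for line in ipconfig_text.splitlines():
        header, label = _ADAPTER.match(line), _GATEWAY.match(line)
        if header:
            adapter, in_gateway = header.group(1), False
            continue
        if label:
            token, in_gateway = label.group(1).strip(), True
        elif in_gateway:
            token = line.strip()  # address on a continuation line
        else:
            continue
        try:
            addr = ipaddress.ip_address(token.split("%")[0])
        except ValueError:
            in_gateway = False  # blank value or the next field: list has ended
            continue
        if addr.version == 4:
            result.setdefault(adapter, []).append(str(addr))
    return result


if __name__ == "__main__":
    for name, gateways in default_gateways(SAMPLE_IPCONFIG).items():
        print(name, "->", ", ".join("http://%s/" % g for g in gateways))
```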
Change your router’s SSID or network name to something other than the default that does not identify you or your home. The first sign to an attacker that you have a poorly configured network is the use of the default network name such as Linksys, Netgear, D-Link, etc. Although many attacks on home networks are made only to commandeer a connection to the Internet, protect yourself and your sensitive information from directed attacks by using a generic word or phrase to name your network, instead of something like your name or address.
Use the strongest encryption scheme available, usually WPA2. As technology improves, new methods of encryption become available. The best encryption available today is WPA2 (also known as 802.11i), with an AES algorithm. Almost all devices sold in the last couple years should support that combination. Remember that both your router and the wireless device you want to connect must support and use the same encryption methods. If WPA2 + AES is not available, follow the list below until you find one supported by your devices. Note: WPA is also known as WPA-PSK; likewise, WPA2 may be listed as WPA2-PSK.
- WPA2 + AES
- WPA + AES
- WPA2 + AES + TKIP
- WPA2 + TKIP
- WPA + TKIP
Note: Your router may present an additional choice: WEP. This is the oldest wireless encryption protocol, far outdated, and can be broken with relative ease. It may raise your network above any nearby low-hanging fruit, but should not be relied on for protecting sensitive information.
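An added example, not part of the original guide: a Python sketch that walks the preference list above and picks the first mode your router offers that every device can join, and names the devices that keep you off the top choice. The label strings and device inventory are constructed, and the code assumes a mixed AES + TKIP mode admits a device that supports either cipher.

```python
import re

# Preference order exactly as listed in the guide, strongest first.
PREFERENCE = [
    ("WPA2", ("AES",)),
    ("WPA", ("AES",)),
    ("WPA2", ("AES", "TKIP")),
    ("WPA2", ("TKIP",)),
    ("WPA", ("TKIP",)),
]


def capabilities(labels):
    """Turn labels such as 'WPA2-PSK [AES]' into a set of (protocol, cipher) pairs."""
    caps = set()
    for label in labels:
        text = label.upper()
        proto = re.match(r"\s*(WPA2|WPA)\b", text)  # WEP is never a candidate
        if proto:
            caps.update((proto.group(1), c) for c in re.findall(r"AES|TKIP", text))
    return caps


def choose_mode(router_labels, devices):
    """Return (mode to set on the router or None, devices blocking the top mode).

    Assumption: a mixed AES + TKIP mode admits a device that supports either cipher.
    """
    router = capabilities(router_labels)
    device_caps = {name: capabilities(labels) for name, labels in devices.items()}
    offered = [m for m in PREFERENCE if all((m[0], c) in router for c in m[1])]

    def left_out(mode):
        return sorted(name for name, caps in device_caps.items()
                      if not any((mode[0], c) in caps for c in mode[1]))

    holdouts = left_out(offered[0]) if offered else []
    for mode in offered:
        if not left_out(mode):
            return " + ".join((mode[0],) + mode[1]), holdouts
    return None, holdouts


# Constructed inventory: label strings vary by vendor, so these are illustrative.
ROUTER = ["WPA2-PSK [AES]", "WPA2-PSK [TKIP]", "WPA-PSK [AES]", "WPA-PSK [TKIP]", "WEP"]
DEVICES = {
    "laptop": ["WPA2-PSK (AES)", "WPA-PSK (TKIP)"],
    "phone": ["WPA2 AES"],
    "old printer": ["WPA2-PSK TKIP", "WPA-PSK TKIP", "WEP"],
}

if __name__ == "__main__":
    print(choose_mode(ROUTER, DEVICES))
```

A result of None means at least one device supports only WEP or nothing at all; per the note above, that device is better replaced than accommodated.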
Set a strong password to access the wireless network. Remember that your network is always on, always allowing access, even when you’re not home or asleep. When setting up any of the encryption schemes you must enter a passphrase, essentially a password for your network. A phrase (multiple words) is going to be stronger than a single word. Use upper and lower case and include numbers or special characters for better protection.
Ensure that access to your router’s administration from the Internet is disabled. There’s little sense in having a firewall if it can be disabled remotely. Likewise, disable access to your router’s administration via SNMP and Telnet, if those options are available.
Control antenna power as needed. Some routers allow the administrator to control how much power is sent through the antennas to boost the signal’s range. It may be tempting to set this at the maximum, but keep in mind both security and etiquette.
Just as you wouldn’t let your dog run unsupervised around your neighbors’ lawns, you should treat your wireless network the same way. You want full use of your wireless signal inside your own home (and possibly in your front- or back-yard), but there’s no need for the signal to be available down the street. The smaller the range, the fewer places an unscrupulous person can try to hijack your signal. Plus, for most users, there are only a few channels that can be used without interfering with neighboring signals. Keeping your signal confined to your own home can prevent interference and keep your wireless network more reliable.
Keep your router’s software up-to-date. Your router, just like your computer, may have software vulnerabilities that require updates. You should check for firmware updates on a regular basis. Through its administration tool, your router should be able to check on command or have a link to the manufacturer’s website where you can look for the latest update.
The options explained below add only minimal protection and should not be expected to thwart experienced hackers. These are explained slightly more technically so you can understand why these do little to protect your network.
Address filtering. Each network adapter (whether wireless or not) should have a unique MAC address (Media Access Control, not related to Apple’s Mac computer), a series of twelve letters and numbers that functions at the most basic level so your router can communicate with your device. With MAC address filtering, each device that attempts to connect to the network must match its MAC address to a list you define in the router’s administration tool.
MAC address filtering shouldn’t be relied upon, however, because the addresses can be forged as easily as typing a new address into a program.
To find the MAC address for your computer, please see http://www.wikihow.com/Find-the-MAC-Address-of-Your-Computer. For Windows Vista and 7 follow the same directions as Windows XP. And remember, each time you want to connect a new device to your network, if you use MAC address filtering, you’ll have to add the new address to your router’s list of allowed devices.
Network name hiding. One option just about all routers support is hiding your SSID (Service Set Identifier), the friendly name you give your wireless network. Some routers call this option invisible. This will prevent the name from appearing in lists of available networks. To connect a device to your wireless network, you will have to manually enter the SSID.
Like filtering MAC addresses, this will create extra work for a would-be attacker, but is not a solution by itself. Although your router will not broadcast the SSID, devices that are already set up and attempting to connect to it will show the SSID to any hacker monitoring your wireless traffic.
Disabling dynamic IP addresses.
If you deactivate DHCP, each device connecting to your network would have to manually be given a valid IP address. The idea behind using this to protect your network is that the user of any unauthorized device would not know which addresses are valid in your network. Unfortunately, it takes little expertise to ascertain which IP addresses can be used to access a network.
Owners of Apple routers will need the AirPort Utility program, which can be downloaded at http://support.apple.com/kb/index?page=search&product=&q=%22airport%20utility%205.5%22.
Users of Apple computers without Apple routers can find their router’s IP address by following these steps:
- Open System Preferences
- Choose Network
- Select the device type: Ethernet, AirPort, etc.
- Click the Advanced… button
- View the TCP/IP tab
- Find the address to the right of Router:
For more information
- 10 Tips for Wireless Home Network Security
- How to Secure Your Wireless Network
- DSLReports.com Wireless Networking Forum FAQ 40.0 Security
Posted: October 5, 2010