Update 9.8.12: It has been three years since I wrote this article, and most of the wireless networks that I can see today are protected with WPA2, probably because modern routers are now secured using WPA2 by default. I’ve updated the post a little, but good advice in 2009 remains solid in 2012.
Of the seven wireless networks that I can see from my living room, five are secured, or at least appear as such in the available networks list. That’s a good start, but most of my neighbors could be doing a better job of protecting their networks from intrusion.
In addition to slowing down your network connection, someone who connects to your WLAN may be able to:
- Send spam or perform illegal activities with your Internet connection
- Monitor the Web sites you visit, read your e-mail and instant messages as they travel across the network, and copy your usernames and passwords
- View files on your computers and spread dangerous software
IT security needs to use a layered approach. While no single layer of security is enough to withstand every attack, each additional layer serves to further harden your system and discourage would-be attackers and free-loaders. When it comes to your home wireless network, one aim is to make it obviously more difficult to hack than your neighbor’s network. Consider the old joke about the two explorers on the plain in Africa who hear the roar of a nearby lion. One explorer quickly starts putting on running shoes, to the amazement of the other. “You must be crazy if you think you can outrun a lion,” says the second explorer. “I don’t need to outrun the lion,” responds the first explorer, “I just have to run faster than you!”
To some extent, your wireless security works the same way. Unless your network is selected at random, or someone is just looking for a challenge, the amateurs and free-loaders are probably going to pick the weakest visible network to intrude upon. (And the availability of wireless hacking software makes it easy to poke around at neighboring networks.)
Here are five settings on your router which, if properly configured, will better protect your network, your computers, and your data.
- Change the default password for the administrator account on your wireless router or access point. This is absolutely essential and should have been the very first thing you did after you unboxed it. Don’t use a word in the dictionary or anything easily guessed.
- Change your SSID (network name). A router’s default SSID (Service Set Identifier) can be used to identify your hardware, which could help a hacker determine the default administrator password (see step 1). A default SSID also suggests that the network was poorly configured, making it appear to be an easier target. Change it to something you and your family would recognize (your pet’s name, for example), but that’s not publicly identifiable (don’t use your name, your address, etc.).
- Disable WiFi Protected Setup (WPS). WPS has become one of the easier ways to hack a wireless network, due to a vulnerability with the PIN function.
- Use the strongest form of encryption supported by your router and all of your other devices. The best choice is WPA2 with the “TKIP+AES” algorithm, which is the newest type of wireless encryption and provides the highest level of encryption available; WPA2 has been available on most devices manufactured in the past few years. WPA-PSK (also called WPA-Personal) is the next best, and 128-bit WEP is the weakest level of encryption, barely better than no security at all. Use a strong password, ideally a string of 20 or more random alphanumeric characters. You can find such random strings at https://www.grc.com/passwords.htm.
- Disable remote administration. The ability to remotely administer your WLAN router via the Internet should be turned off unless you absolutely need this. It is usually turned off by default, but it’s a good idea to check. The only downside to this is that you will have to physically connect a computer to the router in order to configure it, which isn’t necessarily a downside at all.
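Step 4 asks for a long random passphrase. The script below is an added example, not part of the original post, showing why that advice works: it generates a 20-character alphanumeric passphrase with the operating system's cryptographic random source, reports its entropy, and derives the 256-bit pre-shared key that WPA/WPA2 actually use from the passphrase and the SSID. The derivation is the one specified by IEEE 802.11i (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations); the SSID `ExamplePetName` used in the demo is constructed for illustration.

```python
import hashlib
import math
import secrets
import string

# Character set the article recommends: random alphanumeric characters.
ALPHANUMERIC = string.ascii_letters + string.digits


def generate_passphrase(length: int = 20, alphabet: str = ALPHANUMERIC) -> str:
    """Return `length` characters drawn uniformly from `alphabet` using the
    OS cryptographic random number generator (secrets, not random.choice)."""
    if not 8 <= length <= 63:
        # WPA/WPA2 passphrases must be 8 to 63 printable ASCII characters.
        raise ValueError("WPA2 passphrases must be 8-63 characters long")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy in a uniformly random string of the given length
    (20 alphanumeric characters give about 119 bits)."""
    return length * math.log2(alphabet_size)


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2 pre-shared key (PMK) from passphrase and SSID.

    This is the passphrase-to-PSK mapping from IEEE 802.11i: PBKDF2-HMAC-SHA1
    with the SSID as salt, 4096 iterations, 32-byte output. Router and client
    both compute it locally; the passphrase itself never goes over the air,
    and the same passphrase yields a different key under a different SSID.
    """
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32
    )


if __name__ == "__main__":
    ssid = "ExamplePetName"  # constructed SSID for the demo
    passphrase = generate_passphrase(20)
    print(f"passphrase : {passphrase}")
    print(f"entropy    : {entropy_bits(20, len(ALPHANUMERIC)):.1f} bits")
    print(f"PMK        : {derive_psk(passphrase, ssid).hex()}")
```

Because the key is derived with only 4096 PBKDF2 iterations, the passphrase's own entropy is the whole defense: a dictionary word can be tried quickly, while 119 bits of randomness cannot. Paste the generated string into both the router and each client; it only has to be typed once per device.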
There are also some myths and incorrect assumptions around securing your router. Two of the most common are MAC address filtering and not broadcasting the SSID.
- Myth: Limit access to your wireless LAN by using MAC address filtering. A MAC address (also called the physical address) is an identifier unique to each network adapter. MAC address filtering involves looking up the MAC address of each device that will connect to the WLAN and adding them to a list in the router’s control panel. MAC addresses can be spoofed, so filtering offers a false sense of security.
- Myth: Disable SSID broadcasting. Disabling SSID broadcasting will prevent casual browsers from finding your network, but your devices will periodically probe for your SSID by name, making it discoverable. Not broadcasting your SSID does nothing to secure your network; it just makes it less obvious to your neighbors.
With the router and WLAN now well-configured, hacking your home network will be much more difficult. Below are a few more suggestions to further increase your protection.
The farther the Wi-Fi signal reaches, the easier it is for others to detect and exploit it. If possible, place the router where it will have the most difficulty broadcasting the signal outside your home, such as in the basement, in a closet, or toward the center of your home. While not a feature of all wireless routers and access points, some allow you to change the transmitter power. If possible, adjust it so that you still get a decent signal inside, but it doesn’t leak too far outside your home.
If you can afford a second NAT router, you can dramatically improve your LAN’s security. Basically, you create a second LAN by connecting the wireless router to the modem, connecting a second, wired router to the wireless router and then putting one or more of your PCs behind the second, wired router. This means that anyone who accesses your WLAN still can’t get to the PCs behind the second, wired router.
Read more about using a second NAT router to create an even more secure LAN at GRC.com.
McAfee Wi-FiScan surveys your current Wi-Fi connection, your wireless equipment, and local environment to assess security risks introduced by your wireless network. Wi-FiScan uses an ActiveX control to gather information. If security or performance issues are found, McAfee will suggest ways to reduce your risk.
Netstumbler, by Marius Milner, will determine your network’s vulnerabilities and unauthorized access points, and also reveal the sources of network interference and weak signal strength.
Protect your machine from attacks from within your LAN. Use a software firewall on every device and make sure that port 113 is stealthed. If you are using Windows, run Windows Updates every month or keep Automatic Updates on. Install some anti-virus software (Microsoft Security Essentials seems quite nice) and keep that up to date, too. Turn off services like File Sharing unless you need them and understand the consequences.
For the borderline-paranoids, you can turn off DHCP (Dynamic Host Configuration Protocol) entirely and configure each device to connect using a specific IP, or at least assign all of your devices static IP addresses well away from the first address dynamically assigned by your router. For example, if your router starts assigning IP addresses at 192.168.0.100, give your devices static addresses above 192.168.0.150. This will make it slightly more of a nuisance for someone who does access your network to find the machines connected to it, as they won’t exist near the address assigned dynamically to the intruder. You can change the default IP address of the router itself, too, but that will be immediately obvious to anyone who gets in.
Test your connection for vulnerabilities with third-party software. Use the ShieldsUP! port probe from GRC.com to check whether your router (wired or not) is detectable by port scanners via the WAN.
Verify that your computer’s Wake on Wireless LAN (WoWLAN) function is disabled (check your BIOS).
A Wi-Fi network is only vulnerable when it is on, so turn off your router when you aren’t using it. Turn off your computers, or at least hibernate/sleep them, when not in use. (Don’t forget to turn off the monitors, too.) Better yet, turn off your computer and then kill the power at the surge protector, as some components can still draw power when the computer is turned off. There is some electricity to be saved here as well.
Don’t connect to unprotected wireless networks yourself, as it’s possible for someone on that network to monitor your traffic. If you must connect to an unprotected network, enter passwords only on sites that use encryption (those that display the padlock icon in the lower-right corner of your browser and with a URL in the address bar that begins with https). Never select the ‘connect to available wifi networks automatically’ setup option under your Network Connections window.
Ensure that your router’s firewall is enabled, along with related built-in security features that block anonymous requests or pings from the WAN side.
The DMZ feature of your router allows you to put a machine ‘outside’ of the protection of the NAT router. In practice, this isn’t necessary for normal use. Only use this if you understand the consequences.
For a good Ars Technica article that includes a chart of common devices (Wii, PS3, Xbox 360, etc.) and their support for the various levels of encryption, read The ABCs of securing your wireless network.
While we’re on the subject of wireless channels, you might want to consider downloading inSSIDer for help choosing the right channel to obtain the best wireless signal. For best performance, you should choose the least-used channel that is at least 5 channels from your neighbors’ networks, which will most likely be 1, 6, or 11. You want your router to be the strongest signal on its channel.
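The channel rule above (pick the least-used of 1, 6 or 11, staying at least 5 channels away from neighbors) can be applied to a scan list by hand, but the following added example, not part of the original post, shows the same selection as code. The scan data is constructed to resemble what inSSIDer or Netstumbler would report; the SSIDs and signal levels are made up for illustration.

```python
from typing import Iterable, List, Tuple

# 2.4 GHz channels are spaced 5 MHz apart but each network is about 22 MHz
# wide, so two networks interfere unless their channel numbers differ by at
# least 5. That is why 1, 6 and 11 are the only mutually non-overlapping set.
NON_OVERLAPPING = (1, 6, 11)
Network = Tuple[str, int, int]  # (ssid, channel, signal strength in dBm)

# Constructed scan of neighboring networks (not real data).
SAMPLE_SCAN: List[Network] = [
    ("NETGEAR", 1, -45),
    ("linksys", 3, -62),
    ("Smith-Home", 6, -58),
    ("default", 11, -75),
    ("dlink", 9, -80),
    ("ATT123", 1, -70),
]


def overlaps(channel_a: int, channel_b: int) -> bool:
    """True if two 2.4 GHz channels are close enough to interfere."""
    return abs(channel_a - channel_b) < 5


def score_channel(candidate: int, neighbors: Iterable[Network]) -> Tuple[int, int]:
    """Lower is better: (number of overlapping networks, strongest overlapping
    signal in dBm). A neighbor at -45 dBm is far louder than one at -80 dBm,
    so the strongest signal breaks ties between equally crowded channels."""
    overlapping = [sig for _, ch, sig in neighbors if overlaps(candidate, ch)]
    strongest = max(overlapping) if overlapping else -100  # -100: effectively silent
    return (len(overlapping), strongest)


def best_channel(neighbors: List[Network], candidates=NON_OVERLAPPING) -> int:
    """Pick the candidate channel with the fewest and weakest overlapping neighbors."""
    return min(candidates, key=lambda ch: score_channel(ch, neighbors))


if __name__ == "__main__":
    for ch in NON_OVERLAPPING:
        count, loudest = score_channel(ch, SAMPLE_SCAN)
        print(f"channel {ch:2d}: {count} overlapping network(s), loudest {loudest} dBm")
    print(f"best choice: channel {best_channel(SAMPLE_SCAN)}")
```

In the sample scan, channel 1 and channel 6 each collide with three networks, while channel 11 collides with only two weak ones, so the script picks 11. Re-run the scan after moving the router, since the neighbors you hear change with position.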