Tips for improving the security of your home wireless network

Of the seven wireless networks that I can see from my living room, five are secured, or at least appear as such in the available networks list. That’s a good start, but most of my neighbors could be doing a better job of protecting their networks from intrusion. Among other things, someone who connects to your WLAN may be able to:

  • Slow down your Internet performance
  • View files on your computers and spread dangerous software
  • Monitor the Web sites you visit, read your e-mail and instant messages as they travel across the network, and copy your usernames and passwords
  • Send spam or perform illegal activities with your Internet connection

IT security needs to use a layered approach. While no single layer of security is enough to withstand every attack, each additional layer serves to further harden your system and discourage would-be attackers and free-loaders. Here are six settings on your router which, if properly configured, will better protect your network, your computers, and your data.

  1. Change the default password for the administrator account on your wireless router or access point. This is absolutely essential and should have been the very first thing you did after you unboxed it. Don’t use a word in the dictionary or anything easily guessed.
  2. Limit access to your wireless LAN by using MAC address filtering. A MAC address (also called the physical address) is an identifier unique to each network adapter. MAC address filtering involves looking up the MAC address of each device that will connect to the WLAN and adding them to a list in the router’s control panel. MAC addresses can be spoofed, so filtering shouldn’t be the only security method used.
  3. Change your SSID (network name). A router’s default SSID (Service Set Identifier) can be used to identify your hardware, which could help a hacker determine the default administrator password (see step 1). A default SSID also suggests that the network was poorly configured, making it appear to be an easier target. Change it to something you and your family would recognize (your pet’s name, for example), but that’s not publicly identifiable (don’t use your name, your address, etc.).
  4. Disable SSID broadcasting (if you’re using an AirPort, close your network). This will prevent casual browsers from finding your network, but it also means you will have to manually enter the name of your network on each device. Unless you’re a Starbucks, you shouldn’t advertise that you have complimentary Wi-Fi. Not broadcasting your SSID does nothing to secure your network; it just makes it less obvious to your neighbors.
  5. Use the strongest encryption form supported by your router and all of your other devices. The best choice is WPA2 with the “TKIP+AES” algorithm, which is the newest type of wireless encryption and provides the highest level of encryption available. WPA2 has been available on most devices manufactured in the past few years. WPA-PSK, also called WPA-Personal, encryption is the next best, and 128-bit WEP is the weakest level of encryption and not very good, but better than nothing. Use a strong password, ideally a string of 20+ random alphanumeric characters. You can find such random strings at https://www.grc.com/passwords.htm. If you must use WEP, change your key often.
  6. Disable remote administration. The ability to remotely administer your WLAN router via the Internet should be turned off unless you absolutely need this. It is usually turned off by default, but it’s a good idea to check. The only downside to this is that you will have to physically connect a computer to the router in order to configure it, which isn’t necessarily a downside at all.
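If you would rather generate the long random key from step 5 locally than copy one from a website, the following Python script is an added example (not code from the original article or from GRC). It draws the characters from the operating system's cryptographic random number generator via the `secrets` module, enforces the 8–63 character limit that WPA2-PSK passphrases must satisfy, and reports how many bits of entropy a key of a given length carries; the 20-character minimum in `is_acceptable` is the article's recommendation, and the default length of 24 is my own choice.

```python
import math
import secrets
import string

# The article recommends random alphanumeric characters: 62 possible symbols.
ALPHABET = string.ascii_letters + string.digits


def generate_passphrase(length: int = 24) -> str:
    """Return a random alphanumeric WPA2 pre-shared key of the given length.

    secrets.choice uses the OS cryptographic RNG; random.choice would not be
    suitable for a key. WPA2-PSK passphrases must be 8 to 63 ASCII characters.
    """
    if not 8 <= length <= 63:
        raise ValueError("WPA2-PSK passphrases must be 8-63 characters long")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy, in bits, of a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def is_acceptable(passphrase: str, min_length: int = 20) -> bool:
    """Check a candidate key against the article's advice.

    It must be at least min_length characters (20 by default), no longer than
    the 63-character WPA2 maximum, and made only of alphanumeric characters.
    """
    if not min_length <= len(passphrase) <= 63:
        return False
    return all(c in ALPHABET for c in passphrase)


if __name__ == "__main__":
    key = generate_passphrase()
    print(f"key: {key}")
    print(f"length {len(key)}, about {entropy_bits(len(key)):.1f} bits of entropy")
    print("acceptable:", is_acceptable(key))
```

A 24-character key from a 62-symbol alphabet carries roughly 143 bits of entropy, far beyond what a brute-force attack on a captured WPA2 handshake can exhaust; a short dictionary word, by contrast, fails `is_acceptable` on length alone.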

With the router and WLAN now well-configured, hacking your home network will be much more difficult. Below are a few more suggestions to further increase your protection.

If you can afford a second NAT router, you can dramatically improve your LAN’s security. Basically, you create a second LAN by connecting the wireless router to the modem, connecting a second, wired router to the wireless router, and then putting one or more of your PCs behind the second, wired router. This means that anyone who accesses your WLAN still can’t get to the PCs behind the second, wired router.

Read more about using a second NAT router to create an even more secure LAN at GRC.com.

Test your connection for vulnerabilities with third-party software. Use the ShieldsUP! port probe from GRC.com to check whether your router is detectable by port scanners.
https://www.grc.com/x/ne.dll?bh0bkyd2

McAfee Wi-FiScan surveys your current Wi-Fi connection, your wireless equipment, and local environment to assess security risks introduced by your wireless network. Wi-FiScan uses an ActiveX control to gather information. If security or performance issues are found, McAfee will suggest ways to reduce your risk.
http://us.mcafee.com/root/wsc/default.asp

Netstumbler, by Marius Milner, will determine your network’s vulnerabilities and unauthorized access points, and also reveal the sources of network interference and weak signal strength.
http://www.netstumbler.com/downloads/

Protect your machine from attacks from within your LAN. Use a software firewall on every device and make sure that port 113 is stealthed. If you are using Windows, run Windows Updates every month or keep Automatic Updates on. Install some anti-virus software (Microsoft Security Essentials seems quite nice) and keep that up to date, too. Turn off services like File Sharing unless you need them and understand the consequences.

For the borderline-paranoids, you can turn off DHCP (Dynamic Host Configuration Protocol) entirely and configure each device to connect using a specific IP, or at least assign all of your devices static IP addresses well away from the first address dynamically assigned by your router. For example, if your router starts assigning IP addresses at 192.168.0.100, give your devices static addresses above 192.168.0.150. This will make it more of a nuisance for someone who does access your network to find the machines connected to it, as they won’t exist near the address assigned dynamically to the intruder. You can change the default IP address of the router itself, too, but that will be immediately obvious to anyone who gets in.
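Both the MAC address filtering of step 2 and the static-address layout above can be audited from any computer on the LAN by comparing the router's or your own machine's ARP table against the list of devices you know. The script below is an added example, not code from the original article. It parses the kind of output that `arp -a` prints on Windows (hyphen-separated MACs) and on Linux or macOS (colon-separated MACs), skips broadcast and multicast entries, and reports two things: devices whose MAC is not on your allowlist, and known devices that hold an address inside the DHCP pool, which means their static configuration did not take effect. The sample ARP output, the allowlist, and the pool boundaries (.100 through .149, statics above .150, following the article's example) are all constructed for the demonstration.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample mixing the Windows and Linux/macOS `arp -a` formats.
# All addresses are made up for the example.
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.0.160 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           00-11-22-33-44-55     dynamic
  192.168.0.151         AA-BB-CC-DD-EE-01     dynamic
  192.168.0.102         AA-BB-CC-DD-EE-02     dynamic
  192.168.0.100         DE-AD-BE-EF-00-01     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
? (192.168.0.152) at aa:bb:cc:dd:ee:03 [ether] on wlan0
"""

# Constructed allowlist: the MACs looked up on your own devices (step 2).
KNOWN_DEVICES = {
    "00:11:22:33:44:55": "router",
    "aa:bb:cc:dd:ee:01": "desktop",
    "aa:bb:cc:dd:ee:02": "laptop",
    "aa:bb:cc:dd:ee:03": "printer",
}

# Assumed DHCP pool: the router hands out .100 upward; statics live above .150.
DHCP_POOL = (ipaddress.IPv4Address("192.168.0.100"),
             ipaddress.IPv4Address("192.168.0.149"))

# An IPv4 address followed, somewhere on the same line, by a 6-octet MAC
# written with either ':' or '-' separators.
ENTRY_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3}).*?([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})"
)


@dataclass
class Finding:
    ip: str
    mac: str
    name: str           # allowlist name, or "UNKNOWN"
    in_dhcp_pool: bool  # True if the address lies inside the dynamic pool


def normalize_mac(mac: str) -> str:
    """Canonical lowercase, colon-separated form so both formats compare equal."""
    return mac.replace("-", ":").lower()


def is_broadcast_or_multicast(mac: str) -> bool:
    """The low bit of the first octet is the group bit (multicast/broadcast)."""
    return int(mac.split(":")[0], 16) & 1 == 1


def parse_arp(text: str) -> list:
    """Extract (ip, mac) pairs from arp -a output, skipping group addresses."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.search(line)
        if not match:
            continue
        ip, mac = match.group(1), normalize_mac(match.group(2))
        if is_broadcast_or_multicast(mac):
            continue
        entries.append((ip, mac))
    return entries


def audit(text: str, known=KNOWN_DEVICES, pool=DHCP_POOL) -> list:
    """Classify every ARP entry against the allowlist and the DHCP pool."""
    findings = []
    for ip, mac in parse_arp(text):
        addr = ipaddress.IPv4Address(ip)
        in_pool = pool[0] <= addr <= pool[1]
        findings.append(Finding(ip, mac, known.get(mac, "UNKNOWN"), in_pool))
    return findings


def unknown_devices(findings: list) -> list:
    """Devices that are on the LAN but not on your allowlist."""
    return [f for f in findings if f.name == "UNKNOWN"]


def known_in_pool(findings: list) -> list:
    """Known devices holding a dynamic lease: their static address did not stick."""
    return [f for f in findings if f.name != "UNKNOWN" and f.in_dhcp_pool]


if __name__ == "__main__":
    results = audit(SAMPLE_ARP_OUTPUT)
    for f in results:
        if f.name == "UNKNOWN":
            note = "UNKNOWN DEVICE"
        elif f.in_dhcp_pool:
            note = "static address not applied"
        else:
            note = "ok"
        print(f"{f.ip:<16} {f.mac}  {f.name:<8} {note}")
```

Run against real output, pipe `arp -a` into the script or read it from a file; the ARP table only lists hosts your machine has recently exchanged packets with, so the router's own DHCP client list (or this script run on the router, if it offers a shell) gives a more complete picture. An unknown MAC is worth investigating, but remember the article's caveat that a MAC can be spoofed, so a familiar MAC is not proof of a familiar device.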

Verify that your computer’s Wake on Wireless LAN (WoWLAN) function is disabled (check your BIOS).

A Wi-Fi network is only vulnerable when it is on, so turn off your router when you aren’t using it. Turn off your computers, or at least hibernate/sleep them, when not in use. (Don’t forget to turn off the monitors, too.) Better yet, just kill the power at the surge protector, as all of these components still draw power when turned off. You’ll be surprised at how much energy you can save.

The farther the Wi-Fi signal reaches, the easier it is for others to detect and exploit it. If possible, place the router where it will have the most difficulty broadcasting the signal outside your home, such as in the basement, in a closet, or toward the center of your home. While not a feature of all wireless routers and access points, some allow you to reduce the transmitter power. If possible, adjust it so that you still get a decent signal inside, but it doesn’t leak too far outside your home.

Don’t connect to unprotected wireless networks yourself, as it’s possible for someone on that network to monitor your traffic. If you must connect to an unprotected network, enter passwords only on sites that use encryption (those that display the padlock icon in the lower-right corner of your browser and with a URL in the address bar that begins with https). Never select the ‘connect to available wifi networks automatically’ setup option under your Network Connections window.

Ensure that your router’s firewall is enabled, along with related built-in security features that block anonymous requests or pings from the WAN side.

The DMZ feature of your router allows you to put a machine ‘outside’ of the protection of the NAT router. Only use this if you understand the consequences.

For a good Ars Technica article that includes a chart of common devices (Wii, PS3, Xbox 360, etc.) and their support for the various levels of encryption, read The ABCs of securing your wireless network.

While we’re on the subject, you might want to consider choosing the right channel to obtain the best wireless signal.