Many folks setting up wireless home networks rush through the job to get their Internet connectivity working as quickly as possible. That's totally understandable. It's also quite risky as numerous security problems can result.
Today's Wi-Fi networking products don't always help the situation as configuring their security features can be time-consuming and non-intuitive. The recommendations below summarize the steps you should take to improve the security of your home wireless network.
1. Change Default Administrator Passwords and Usernames.
The exact steps will vary depending on the specific model of router in use, but the process is similar in any case.
Step 1. Log In to the Network Router
Example - Router Administrative Console Home Page - Linksys WRK54G.
Log in to the router's administrative console through a Web browser using the current password and username. The address can be found on the back of the router or in the manufacturer's documentation (or on the box).
Linksys routers typically have the Web address http://192.168.1.1/. Many Linksys routers do not require any special username (you can leave blank or enter any name in that field). In the password field, enter "admin" (the default for most Linksys routers) or the equivalent password for your router.
Step 2. Navigate to the Router's Change Password Page
Router Console - Administration Tab - Linksys WRK54G.
In the router's administrative console, navigate to the appropriate administration / security section where the password setting can be changed. In this example, the Administration tab at the top of the screen contains the Linksys router's password setting. Click the Administration button to open this page.
Step 3. Choose and Enter a New Password
WRK54G Router Console - Administration Password.
Choose a suitable password based on the standard guidelines for strong password security. Enter the new password in the Password box, and re-enter the same password a second time in the space provided. Entering the password a second time ensures you did not accidentally type in the wrong password the first time.
The characters you type are not shown by design; they are replaced by dots as an added security feature.
Step 4. Save the New Password
WRK54G - Router Console - Administration Password Change.
The password change is not applied on the router until you save or confirm the change. In this example, click the Save Settings button at the bottom of the page to have the new password take effect. A confirmation window appears briefly to confirm the password change was made successfully. The new password takes effect immediately; rebooting the router is not required.
2. Turn on (Compatible) Encryption
All Wi-Fi equipment supports some form of encryption. Encryption technology scrambles messages sent over wireless networks so that they cannot be easily read by humans. Several encryption technologies exist for Wi-Fi today. Naturally you will want to pick the strongest form of encryption that works with your wireless network. However, because of the way these technologies work, all Wi-Fi devices on your network must share identical encryption settings. Therefore you may need to find a "lowest common denominator" setting.
Related Article: http://malvastyle.com/wi-fi-security-encryption-options/
3. Change the Default SSID
Access points and routers all use a network name called the SSID. Manufacturers normally ship their products with the same SSID set. For example, the SSID for Linksys devices is normally "linksys." True, knowing the SSID does not by itself allow your neighbors to break into your network, but it is a start. More importantly, when someone finds a default SSID, they see it is a poorly configured network and are much more likely to attack it. Change the default SSID immediately when configuring wireless security on your network.
Wi-Fi access points and routers establish a wireless network using a name called an SSID. Routers are configured with a default SSID pre-defined and set by the manufacturer at the factory.
Typical default SSIDs are simple names like
The SSID can be accessed from within the router's Web-based or Windows-based configuration utilities. It can be changed at any time, but wireless clients must then recognize the new SSID in order to reconnect to that router and wireless network.
To improve the security of your home wireless network, consider changing the router's SSID to a different name than the default. Here are some do's and don'ts, based on recommended network security practices:
- Don't embed your name, address, birth date, or other personal information as part of the SSID
- Likewise, don't use any of your Windows or Internet Web site passwords
- Don't tempt would-be intruders by using tantalizing network names like "SEXY-BOX" or "TOP-SECRET"
- Do pick an SSID that contains both letters and numbers
- Do choose a name as long or nearly as long as the maximum length allowed
4. Enable MAC Address Filtering
Each piece of Wi-Fi gear possesses a unique identifier called the physical address or MAC address. Access points and routers keep track of the MAC addresses of all devices that connect to them. Many such products offer the owner an option to key in the MAC addresses of their home equipment, which restricts the network to only allow connections from those devices. Do this, but also know that the feature is not as powerful as it may seem. Hackers and their software programs can fake MAC addresses easily.
To set up MAC address filtering, you as a WLAN administrator must configure a list of clients that will be allowed to join the network. First, obtain the MAC address of each client from its operating system or configuration utility. Then, enter those addresses into a configuration screen of the wireless access point or router. Finally, switch on the filtering option.
Once enabled, whenever the wireless access point or router receives a request to join with the WLAN, it compares the MAC address of that client against the administrator's list. Clients on the list authenticate as normal; clients not on the list are denied any access to the WLAN.
MAC addresses on wireless clients can't be changed as they are burned into the hardware. However, some wireless clients allow their MAC address to be "impersonated" or "spoofed" in software. It's certainly possible for a determined hacker to break into your WLAN by configuring their client to spoof one of your MAC addresses. Although MAC address filtering isn't bulletproof, still it remains a helpful additional layer of defense that improves overall Wi-Fi network security.
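The allow-list comparison described above, as an added Python example (not code from the original article or from any router firmware). The `MacFilter` class and all addresses are constructed for illustration; the check for the locally administered bit (0x02 of the first octet) is standard IEEE 802 addressing and helps spot clients that present a software-assigned address, which will never match the hardware address you typed into the list.

```python
import re

def normalize_mac(text):
    """Reduce common notations (00-1A-.., 00:1a:.., 001a.2b3c..) to 12 hex digits."""
    digits = re.sub(r"[-:.\s]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits

def is_locally_administered(mac):
    """True when the address was assigned in software rather than by the vendor."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)

class MacFilter:
    """Hypothetical model of the router's allow list."""
    def __init__(self, allowed):
        self.allowed = {normalize_mac(m) for m in allowed}

    def admit(self, claimed_mac):
        # The filter only sees the address the client claims to have,
        # which is why the article treats it as one layer among several.
        return normalize_mac(claimed_mac) in self.allowed

# Constructed sample list, typed in the formats different systems display.
HOME_DEVICES = ["00-1A-2B-3C-4D-5E",   # hyphenated, as Windows shows it
                "00:1a:2b:3c:4d:5f",   # colon-separated
                "001a.2b3c.4d60"]      # dotted notation

if __name__ == "__main__":
    wlan = MacFilter(HOME_DEVICES)
    for client in ["00:1A:2B:3C:4D:5E", "00:1A:2B:3C:4D:99", "02:00:00:00:00:01"]:
        note = " (software-assigned address)" if is_locally_administered(client) else ""
        print(client, "admitted" if wlan.admit(client) else "denied", note)
```
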
5. Disable SSID Broadcast
In Wi-Fi networking, the wireless access point or router typically broadcasts the network name (SSID) over the air at regular intervals. This feature was designed for businesses and mobile hotspots where Wi-Fi clients may roam in and out of range. In the home, this roaming feature is unnecessary, and it increases the likelihood someone will try to log in to your home network. Fortunately, most Wi-Fi access points allow the SSID broadcast feature to be disabled by the network administrator.
Because SSIDs are not encrypted or otherwise scrambled, it becomes easy to grab one by snooping the WLAN looking for SSID broadcast messages coming from the router or AP. Knowing your SSID brings hackers one step closer to a successful intrusion.
Once your wireless clients are manually configured with the right SSID, they no longer require these broadcast messages.
Note that disabling SSID broadcast is just one of many techniques for tightening security on a Wi-Fi network. This technique is not 100% effective, as hackers can still detect the SSID by sniffing different messages in the Wi-Fi protocol. Still, using techniques like SSID broadcast disable makes it more likely that would-be intruders will bypass your home network seeking easier targets elsewhere.
6. Do Not Auto-Connect to Open Wi-Fi Networks
Connecting to an open Wi-Fi network such as a free wireless hotspot or your neighbor's router exposes your computer to security risks. Although not normally enabled, most computers have a setting available allowing these connections to happen automatically without notifying you. This setting should not be enabled except in temporary situations.
To verify whether automatic connections to open Wi-Fi networks are allowed, check the computer's wireless configuration settings. For example, on Windows XP computers having Wi-Fi connections managed by the operating system, the setting is called "Automatically connect to non-preferred networks." To check this setting, follow these steps:
Step 1. From the Start Menu, open Windows Control Panel
Step 2. Inside Control Panel, click the "Network Connections" option if it exists, otherwise first click "Network and Internet Connections" and then click "Network Connections."
Step 3. Right-click "Wireless Network Connection" and choose "Properties."
Step 4. Click the "Wireless Networks" tab on the Properties page.
Step 5. Click the "Advanced" button in this tab.
Step 6. Find the "Automatically connect to non-preferred networks" setting. If checked, this setting is enabled, otherwise it is disabled.
While Windows XP does not enable automatic non-preferred connections by default, some users enable it in an attempt to simplify connecting to their own home network. Users should instead configure these as Windows XP Preferred networks, which allows automatic connection to the home equipment yet still prevents auto-connection to other networks.
7. Assign Static IP Addresses to Devices
Most home networkers gravitate toward using dynamic IP addresses. DHCP technology is indeed easy to set up. Unfortunately, this convenience also works to the advantage of network attackers, who can easily obtain valid IP addresses from your network's DHCP pool. Turn off DHCP on the router or access point, set a fixed IP address range instead, then configure each connected device to match. Use a private IP address range (like 10.0.0.x) to prevent computers from being directly reached from the Internet.
Dynamic addressing is convenient. It also allows mobile computers to more easily move between different networks.
However, static IP addressing also offers some advantages:
- A static IP address best supports name resolution, so that a computer can be most reliably reached over the network by its host / domain name. Web and FTP servers in particular benefit from fixed addressing for this reason.
- Using static IP addresses on home networks gives somewhat better protection against network security problems than does DHCP address assignment.
- Some network devices do not support DHCP. Using static IP address assignment for all devices on the home network avoids potential address conflicts where DHCP may supply an address already assigned statically elsewhere.
When using static IP addresses on home and other private networks, they should be chosen from within the standard private IP address ranges listed below:
- 10.0.0.0 through 10.255.255.255
- 172.16.0.0 through 172.31.255.255
- 192.168.0.0 through 192.168.255.255
These ranges support many thousands of different IP addresses. It's common for people to assume that any address in these ranges can be chosen and the specific choice doesn't matter much. This is untrue. To choose and set specific static IP addresses suitable for your network, follow these guidelines.
- Do not choose any addresses that end with ".0" or ".255" - these addresses are generally reserved for use by network protocols.
- Do not choose the addresses at the beginning of a private range. IP addresses like 10.0.0.1 and 192.168.0.1 are very commonly used by network routers and other consumer devices. These are the first addresses someone will attack when trying to break into a private computer network.
- Do not choose an address that falls outside the range of your local network. For example, to support all addresses in the 10.x.x.x private range, the subnet mask on all devices must be set to 255.0.0.0, otherwise some static IP addresses in this range will not work.
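The guidelines above can be checked mechanically before you type an address into a device. The following Python sketch is an added example, not part of the original article; the function name `check_static_ip` is hypothetical, and "beginning of a private range" is interpreted here (an assumption) as the first host of the private range, the first host of the local subnet, or the router's own address.

```python
import ipaddress

# The three private ranges listed above.
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_static_ip(candidate, router_ip, subnet_mask):
    """Return the guideline violations for a candidate address ([] = acceptable)."""
    addr = ipaddress.ip_address(candidate)
    router = ipaddress.ip_address(router_ip)
    # strict=False lets us derive the LAN from the router's address and mask.
    lan = ipaddress.ip_network(f"{router_ip}/{subnet_mask}", strict=False)
    private = next((n for n in PRIVATE_RANGES if addr in n), None)
    problems = []
    if private is None:
        problems.append("not in a private range")
    if (int(addr) & 0xFF) in (0, 255):
        problems.append("ends in .0 or .255")
    # Assumption: addresses routers commonly occupy, plus this router's own.
    start_of_range = {router, lan.network_address + 1}
    if private is not None:
        start_of_range.add(private.network_address + 1)
    if addr in start_of_range:
        problems.append("start-of-range or router address")
    if addr not in lan:
        problems.append("outside the local subnet")
    return problems

if __name__ == "__main__":
    # Constructed sample candidates: (address, router, subnet mask).
    samples = [("192.168.1.57", "192.168.1.1", "255.255.255.0"),
               ("192.168.1.255", "192.168.1.1", "255.255.255.0"),
               ("10.1.2.3", "10.0.0.1", "255.255.255.0"),
               ("10.1.2.3", "10.0.0.1", "255.0.0.0")]
    for ip, router, mask in samples:
        print(ip, mask, check_static_ip(ip, router, mask) or "OK")
```

The last two samples show the subnet mask point from the final guideline: 10.1.2.3 is rejected with a 255.255.255.0 mask and accepted once the mask is 255.0.0.0.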
8. Enable Firewalls On Each Computer and the Router
Modern network routers contain built-in firewall capability, but the option also exists to disable them. Ensure that your router's firewall is turned on. For extra protection, consider installing and running personal firewall software on each computer connected to the router.
9. Position the Router or Access Point Safely
Wi-Fi signals normally reach to the exterior of a home. A small amount of signal leakage outdoors is not a problem, but the further this signal reaches, the easier it is for others to detect and exploit. Wi-Fi signals often reach through neighboring homes and into streets, for example. When installing a wireless home network, the position of the access point or router determines its reach. Try to position these devices near the center of the home rather than near windows to minimize leakage.
Avoid reflective surfaces whenever possible. Some Wi-Fi signals literally bounce off of windows, mirrors, metal file cabinets and stainless steel countertops, lessening both network range and performance.
10. Turn Off the Network During Extended Periods of Non-Use
Most broadband Internet connections stay "always-on," keeping you online at all times. For convenience, residential network owners often leave their router, broadband modem and other network equipment powered up and operating, even when not utilizing it for long periods of time.
But should home network gear really stay always connected? What are the pros and cons of switching it off?
The ultimate in wireless security measures, shutting down your network will most certainly prevent outside hackers from breaking in! While impractical to turn off and on the devices frequently, at least consider doing so during travel or extended periods offline. Computer disk drives have been known to suffer from power cycle wear-and-tear, but this is a secondary concern for broadband modems and routers.
If you own a wireless router but are only using its wired (Ethernet) connections, you can also turn off Wi-Fi on a broadband router without powering down the entire network.
The security benefit makes this a worthwhile endeavor. Because computer networks can be difficult to set up initially, some people naturally fear disrupting them once they are working. In the long run, though, this practice will increase your confidence and peace of mind as a home network administrator.