How to Secure Your Wireless Home Network

by Howard Fosdick

This tutorial tells how to manually secure your home wireless network. Good security means implementing a series of small steps to progressively lock down a system. There is no single "silver bullet." Add up all the small steps and you'll have a reasonably secure system.

Why care about security? If someone steals your bandwidth that leaves less for you. But there's more. In the U.S., the courts have held that home network addresses (IP addresses) uniquely identify individuals. You could be held responsible if someone uses your wireless network -- without your knowledge or permission -- to illegally download music, movies, or software. People have even been raided by SWAT teams and convicted for downloading child pornography.

I'll walk you through how to manually secure your home network so you understand it.*

Turn Off Unused Wireless

If you don't need wireless to access your network, disable the router's wireless capability. Here's how. As in all our examples, the first line below shows how to configure this option in most Linksys routers, while the second shows common D-Link router phraseology. You should be able to map your own router's settings to what we show here:

Linksys: Wireless Access:  ___ Enabled   _x_ Disabled
or
D-Link: Enable Wireless:  ___

Even if you disable wireless, you still need to secure the router! So keep reading.

Don't make your router a more available target than it need be. Turn it off when it's not in use.

Use Only Secure Routers and Wireless Devices

Ensure your wireless router and all your devices support current security protocols. These are the most popular IEEE 802.11 wireless standards you'll encounter:

Standard:          802.11b        802.11g           802.11n
Year Introduced:   2000           2003              2007
Also Known As:     b or B         g or G            n or N
Security:          Unacceptable   Acceptable        Acceptable
Encryption Mode:   WEP            WPA2, WPA, more   WPA2, WPA, more

The B standard supports an older encryption method that crackers can break in minutes: WEP encryption. Toss any old B router and buy a newer secure one!

All routers, laptops, and other devices on your network should use the N standard, or at least G.

Router Security Settings

Let's securely configure a wireless router. The exact options and their wordings vary by brand. My examples are from Linksys and D-Link but you should be able to locate the equivalent settings on whichever router you have.

A quick tip first. While you can immediately change wireless settings for routers and devices, sometimes a reboot helps. Especially when configuring a wireless laptop, a quick shutdown and restart sometimes fixes a problem that can otherwise vex you.

SSID --  First, you assign your new wireless router a network name, better known as a Service Set Identifier or SSID. Assign an SSID that someone cannot easily identify or guess. A52c481757bc is better than Joe_Fox. Do not keep the default name of Linksys, dlink, or whatever the vendor ships.

Write down the SSID for later. You'll have to enter it into the network connection definition for each wireless device that will connect to this router when you set up its networking configuration.

To enter the SSID on Linksys and D-link routers:

Linksys: Wireless Network Name (SSID):  ______________
or
D-Link: Wireless Network Name:  ______________ (Also called the SSID)

Disable SSID Broadcasting -- Next, disable the automatic broadcasting of your SSID. Unless you do, the router continually announces its name to the world. The only thing this accomplishes is to help someone who doesn't know your network exists to notice it, and then to try to get on it. Disabling SSID broadcasting alone does not stop good crackers any more than assigning an unusual SSID does (for reasons I won't go into here); nevertheless, it is one of the many small steps you should take to enhance Wi-Fi security. To turn off SSID broadcasting:

Linksys: Wireless SSID Broadcast:   ___ Enable    _x_ Disable
or
D-Link: Enable Hidden Wireless:  _x_   (Also called the SSID Broadcast)

Since your router is not broadcasting its presence and name, you'll have to manually enter the SSID or network name into the network connection definition for each device that will wirelessly connect with this router.

If you have a laptop client configuration tool that only configures for broadcast SSIDs, enable SSID broadcasting on the router, configure the laptop for access, then disable SSID broadcasting on the router. The client will now be able to access the router even though it doesn't broadcast its SSID.

Router Password --  Assign a tough password to the router to block unauthorized users. Good passwords are long and contain intermixed letters, digits, and special characters. The router's HELP panel will tell you its password rules. Enter any password into the free online Password Strength Checker to find out how crackable it is.

User ID -- You need a user ID to log in to the router along with the password. A few routers just use the network name (one reason why an unusual SSID is better than one that is easy to guess or identify). In this case enter:

USER ID:  __network-name__   PASSWORD:  __your-password__

Most routers allow you to create both the user ID and its corresponding password, so you would enter:

USER ID:  __your-user-id__   PASSWORD:  __your-password__

Every cracker knows all the router default SSIDs, user IDs, and passwords. Assign new, good ones!

Wired Administration Only -- This setting ensures that only a physically connected computer can access the router configuration panels. The router then cannot be remotely configured over wireless, even by someone who has the password. Set this option:

Linksys: Remote Management:   ___ Enable    _x_ Disable
or
D-Link: Enable Remote Management:  ___

If you always use a wireless laptop, this means that if you ever want to reconfigure the router again, you'll have to physically attach your laptop by wire to the router to make changes.

Encryption

Routers support various encryption standards. Your goal is to use the strongest encryption method supported by your router and the wireless devices that use it. The common encryption levels are listed below, from strongest to weakest. Not all routers support all options.

Encryption Standards
Routers usually have a drop-down list box where you select the encryption standard. It's labeled something like Security Mode or Encryption Mode or Authentication.

Unfortunately, router vendors use different terms to refer to the same encryption standards. I'll list all the terms you might encounter below and show how they are equivalent. You'll have to pick out the specific term your router uses.

Set the router to use the top row setting:

Rating                              Equivalent Terms
Best Choice (all are equivalent):   WPA2, WPA2 Personal, WPA2-PSK, WPA-PSK2
OK Choice (all are equivalent):     WPA, WPA Personal, WPA-PSK, WPA Shared Key
Bad Choice (never use):             WEP, WEP 64-bits, WEP 128-bits, WEP Shared Key
Bad Choice (never use):             Open, WEP Open System, No encryption, None

Do not use WEP security, No Security or an Open System unless your goal is to share your internet with everyone within the broadcast area. Options containing the words Enterprise or RADIUS are typically used by businesses using RADIUS servers, so you normally wouldn't use them for a home network.

Next, you'll need to enter a password value that will become the basis for encryption. It will be labeled something like:
Use the router's HELP panel to see how complex it can be. Supply a strong, uncrackable key -- this encrypts all the data that passes between your router and your wireless devices. You may find the free online Password Strength Checker helpful.

When you set up your wireless devices, you'll also enter this value into their Network Configuration definition. This is why this value is often called a shared key -- it is shared between the router and the wireless clients.
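The shared key is not used on the air as typed: WPA and WPA2 Personal derive the real key from the passphrase together with the SSID. The following is an added example, not code from the article, that checks a passphrase against the WPA-PSK rules (8 to 63 printable ASCII characters) plus this example's own complexity thresholds, and carries out that derivation so you can see why both a long key and a non-default SSID matter.

```python
import hashlib

def check_wpa_passphrase(passphrase):
    """Return a list of problems with a WPA/WPA2 Personal passphrase (empty = acceptable).

    The 8-63 printable-ASCII rule is the WPA-PSK one; the character-class and
    20-character thresholds below are this example's own choices, not a standard.
    """
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("length must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        problems.append("only printable ASCII characters (space through ~) are allowed")
    classes = [any(c.islower() for c in passphrase), any(c.isupper() for c in passphrase),
               any(c.isdigit() for c in passphrase),
               any(not c.isalnum() for c in passphrase)]
    if sum(classes) < 3:
        problems.append("mix at least three of: lower case, upper case, digits, special characters")
    if len(passphrase) < 20:
        problems.append("use 20 or more characters; the key derived from this is all that protects your traffic")
    return problems

def derive_pmk(passphrase, ssid):
    """Pairwise Master Key as WPA/WPA2 Personal derives it from the shared key:
    PBKDF2-HMAC-SHA1 with the SSID as the salt, 4096 iterations, 256-bit output.
    Because the SSID is the salt, a unique SSID helps a little: tables precomputed
    against default names such as 'linksys' do not apply to your network."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)
```

The same passphrase yields a different key on every SSID, so changing the SSID after you pick a key is harmless, but reusing a default SSID throws away that small advantage.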

In addition to setting the router's encryption level and key, you'll have to tell the router the kinds of wireless devices it will support and their security algorithm. Select from the table below. Not all routers support all settings:

Setting                                Use When:
Best Choice:      AES                  Your router and all your wireless devices support WPA2 (or WPA2 Personal or WPA2-PSK or WPA-PSK2 encryption).
2nd Best Choice:  AUTO or TKIP+AES     You have a mixed set of WPA2 and WPA wireless devices. The router will use the encryption standard appropriate to each wireless device.
3rd Best Choice:  TKIP                 Your router and/or your wireless devices use WPA (or WPA Personal or WPA-PSK security).

AES is best. Since nearly all devices made since 2004 support it, it should be your choice.

Some routers will ask you whether you want to support N, G, and/or B wireless devices. You want an N-devices-only network, or at least an N-and-G-only network.

Remaining Router Security Settings

MAC Address Filtering -- Every wireless device or laptop has a unique Media Access Control Address, or MAC Address. Many routers offer a feature called MAC address filtering, by which you can either allow or disallow wireless devices with specific MAC addresses. This feature ensures that only the wireless devices you specify are allowed to use your router.

To set this up, you need to know the MAC address of every laptop or wireless device you want to use your router. Then enter it into the router's panel of allowable MAC addresses. Most laptops have a sticker underneath or on the wireless card that tells you the MAC address. Or enter a command to determine it:

Windows line command: ipconfig /all  (look for the Physical Address of your wireless connection)
Linux line command: ifconfig -a  (look for the HWaddr value for your wireless connection)
Mac OS GUI: System Preferences -> Network -> pick proper Location -> AirPort -> see the AirPort ID
iPhone/iPod Touch GUI: Settings -> General -> About -> see the Wi-Fi Address

A typical MAC address appears as a series of hexadecimal values in one of these formats:

00:14:F3:19:66:F0  --or--  00-14-F3-19-66-F0  --or--  0014F31966F0

Enter the MAC addresses of all your wireless devices into the MAC Address Filter table in the router's configuration panels, then tell the router to only accept communications from these addresses. Voila!
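Collecting the addresses from several devices by hand invites typos, and the three notations above all have to end up in whatever form the router's filter table expects. The following is an added example, not from the article, that pulls the hardware address out of constructed `ipconfig /all` and `ifconfig -a` output (the sample text is made up for this example), normalizes any of the three notations, and builds a de-duplicated allow list.

```python
import re

# Constructed sample output (not captured from a real machine), in the shape of
# `ipconfig /all` on Windows and `ifconfig -a` on Linux as the article describes.
SAMPLE_IPCONFIG = """\
Wireless LAN adapter Wireless Network Connection:
   Description . . . . . . . . . . . : Example 802.11n Adapter
   Physical Address. . . . . . . . . : 00-14-F3-19-66-F0
   Link-local IPv6 Address . . . . . : fe80::1c2d:3e4f:5a6b:7c8d%12(Preferred)
"""
SAMPLE_IFCONFIG = """\
wlan0     Link encap:Ethernet  HWaddr 00:1b:77:a2:3c:9e
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
"""

# The three notations the article lists: colon-separated, hyphen-separated, or
# twelve bare hex digits. The lookarounds stop a longer hex run from matching.
_MAC_RE = re.compile(
    r"(?<![0-9A-Fa-f])((?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}|[0-9A-Fa-f]{12})"
    r"(?![0-9A-Fa-f])"
)

def normalize_mac(mac):
    """Return a MAC in upper-case colon form (00:14:F3:19:66:F0) or raise ValueError."""
    mac = mac.strip()
    if not _MAC_RE.fullmatch(mac):
        raise ValueError("not a MAC address: %r" % mac)
    digits = re.sub(r"[:-]", "", mac).upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def extract_macs(command_output):
    """Pull hardware addresses from ipconfig/ifconfig output, reading only lines
    labelled as one ("Physical Address", "HWaddr" or "ether") so that IPv6
    addresses and other hex on neighbouring lines are ignored."""
    found = []
    for line in command_output.splitlines():
        if re.search(r"Physical Address|HWaddr|\bether\b", line):
            match = _MAC_RE.search(line)
            if match:
                found.append(normalize_mac(match.group(1)))
    return found

def build_allow_list(*sources):
    """Merge MACs gathered from several devices into one de-duplicated filter list."""
    allow = []
    for src in sources:
        for mac in extract_macs(src):
            if mac not in allow:
                allow.append(mac)
    return allow
```

Paste the output of `build_allow_list` into the router's MAC filter table; a device whose address was mistyped simply will not connect, which is the quickest way to spot a typo.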

Ping Response -- A ping is an anonymous request that comes into your router and asks for a response. Respond to an anonymous internet request? Not a good idea. Tell your router not to respond:

Linksys: Block Anonymous Internet Requests:  _x_
or
D-Link: Enable WAN Ping Respond: ___

Firewall -- Routers come with an embedded firewall. Ensure it is enabled. It should be by default. Some routers allow you to specify rules or otherwise configure the firewall. This is very router-specific so I won't cover it here. The default configuration is usually adequate.

Firmware Update -- The software embedded in your router is called firmware. Most routers allow you to automatically perform a firmware update across the web. This increases security if vendors fix firmware bugs or add security features since the router shipped. But be certain the update occurs without interruption! Never turn off the router or computer during the update or otherwise interrupt the update. This could mess up your router's firmware or even make it unusable.

Channels -- A channel is a radio frequency used for wireless communication between your router and its wireless clients. Routers typically offer channels 1 through 11, with 6 as the default. Other routers default to auto channel scan or auto channel selection, which means the router dynamically determines the channel to use.

The purpose of having multiple channels is to find a frequency that is free from interference with other devices (your cordless phone, game box, etc). From the security standpoint, the channel is irrelevant. I usually pick a channel other than 6 just because it's less common. Remember that the router and all wireless devices that use it must be set to the same channel!

Wisdom

There is no single silver bullet for router security. But if you follow these recommendations you'll have a reasonably secure home network. Read more in the Wikipedia articles on Wi-Fi, wireless security, wireless LAN security, WPA, and WEP.

- - - - - - - - - - - - - - - - - - - - - -
The author is an independent consultant who supports databases and operating systems.

Router Security Checklist

This checklist summarizes router configuration settings and our recommendations:

Completed:   Option:                       Recommended Setting:
____         N or G router                 Replace any B router with an N or G router.
____         Wireless enabled              Set to Off or Disable if you don't use wireless devices.
____         SSID                          Assign a unique, complex SSID (network name).
____         SSID Broadcast                Disable (default is usually Enable).
____         Router password               Assign a unique, complex router password.
____         User ID                       Assign a unique, complex router user ID if the SSID is not used as the login user ID.
____         Wired administration only     Enable.
____         Remote administration         Disable.
____         Encryption protocol           Use WPA2 or WPA2 Personal if possible. Else use WPA or WPA Personal. Do not use WEP or "Open System."
____         WPA algorithm                 Use AES if possible. Otherwise use AES+TKIP if possible, else use TKIP.
____         MAC Address Filtering         Enable (default is "not used").
____         Ping Response                 Disable.
____         Firewall                      Enable.
____         Firmware update               Recommended.
____         Channel                       I pick a lesser-used channel, but not really relevant to security.

* Some routers are easier to configure than what I show. For example, they might use Wi-Fi Protected Setup (WPS). Unfortunately, WPS has a serious security defect, so you should disable WPS if your router has it.
