How to Secure Your Wireless Home Network
by Howard Fosdick
This tutorial tells how to
manually secure your home wireless network. Good security means
implementing a series of small steps to progressively lock down a
system. There is no single "silver bullet." Add up all the small steps
and you'll have a reasonably secure system.
Why care about security? If someone steals your bandwidth, that leaves less for you. But there's more. In the U.S., the courts have held that home network addresses (IP addresses) uniquely identify individuals. You could be held responsible if someone uses your wireless network -- without your knowledge or permission -- to illegally download music, movies, or software. People have even been raided by SWAT teams and convicted for downloading child pornography.
I'll walk you through how to manually secure your home network so
you understand it.*
Turn Off Unused Wireless
If you don't need wireless to access your network, disable the router's wireless capability. Here's how. As in all our examples, the first line below shows how to configure this option in most Linksys routers, while the second shows common D-Link router phraseology. You should be able to map your own router's settings to what we show here:

Linksys: Wireless Access: ___ Enabled _x_ Disabled
or
D-Link: Enable Wireless: ___
Even if you disable wireless, you still need to secure the router! Don't make your router a more available target than it needs to be. Turn it off when it's not in use.
Use Only Secure Routers and Wireless Devices
Ensure your wireless router and all your devices support current security protocols. These are the most popular IEEE 802.11 wireless standards you'll encounter:

Standard    Also Known As    Security
802.11b     b or B           WEP
802.11g     g or G           WPA2, WPA, more
802.11n     n or N           WPA2, WPA, more

The B standard supports an older encryption method that crackers can break in minutes: WEP encryption. Toss any old B router and buy a newer secure one! Routers, laptops, and other devices on your network should use either the N standard or at least the G standard.
Router Security Settings
Let's securely configure a wireless router. The
exact options and their wordings vary by brand. My examples are from
D-Link but you should be able to locate the equivalent settings on
whichever router you have.
A quick tip first. While you can immediately change
wireless settings for routers and devices, sometimes a reboot helps.
Especially when configuring a wireless laptop, a quick shutdown and
restart sometimes fixes a problem that can otherwise vex you.
SSID -- First, you assign your new wireless router a network name, better known as a Service Set Identifier (SSID). Assign an SSID that someone cannot easily identify or guess. A52c481757bc is better than Joe_Fox. Do not keep the default name of Linksys or dlink or whatever.

Write down the SSID for later. You'll have to enter it into the network connection definition for each wireless device that will connect to this router when you set up its networking configuration. To enter the SSID on Linksys and D-Link routers:

Linksys: Wireless Network Name (SSID): ______________
D-Link: Wireless Network Name: ______________ (Also called the SSID)
Disable SSID Broadcasting -- Next, disable the automatic broadcasting of your SSID name. Unless you do, the router continually bleats its name out to the world. The only purpose this serves is to help someone who doesn't know your network is there to notice it, and then to try and get on it. Disabling SSID broadcasting alone does not stop good crackers any more than assigning an unusual SSID does (for reasons I won't go into here); nevertheless it is one of the many steps you should take to enhance Wi-Fi security. To turn off SSID broadcasting:

Linksys: Wireless SSID Broadcast: ___ Enable _x_ Disable
D-Link: Enable Hidden Wireless: _x_ (Also called the SSID Broadcast)

Since your router is not broadcasting its presence and name, you'll have to manually enter the SSID or network name into the network connection definition for each device that will wirelessly connect with it. If you have a laptop client configuration tool that only configures for broadcast SSIDs, enable SSID broadcasting on the router, configure the laptop for access, then disable SSID broadcasting on the router. The client will now be able to access the router even though it doesn't broadcast its SSID.
Router Password -- Assign a tough password to the router to block unauthorized users. Good passwords are long and contain intermixed letters, digits, and special characters. The router's HELP panel will tell you its password rules. Enter any password into a free online password strength checker to find out how crackable it is.
User ID -- You need a user id to log in to the router with the password. A few routers just use the network name (one reason why an unusual SSID is better than one that is easy to guess or identify). In this case enter:

ID: __network-name__ PASSWORD: ______________

Most routers allow you to create both the user ID and its corresponding password, so you would enter:

ID: __your-user-id__ PASSWORD: ______________

Every cracker knows all the router default SSIDs, user ids, and passwords. Assign new good ones!
Wired Administration Only -- This setting ensures that only a physically connected computer can access the router configuration panels. So the router cannot be remotely configured by wireless even if someone has the password. Set:

Linksys: Remote Management: ___ Enable _x_ Disable
D-Link: Enable Remote Management: ___

If you always use a wireless laptop, this means that if you ever want to reconfigure the router again, you'll have to physically attach your laptop by wire to the router to make changes.
Encryption -- Routers support various encryption standards. Your goal is to use the strongest encryption method supported by your router and the wireless devices that use it. Not all routers support all options. Routers usually have a drop-down list box where you select the encryption standard. It's labeled something like Security Mode or Encryption Mode or Authentication. Unfortunately router vendors use different terms to refer to the same encryption standards. I'll list all the terms you might encounter below and show how they are equivalent. You'll have to pick out the specific term your router uses. Set the router to use the top row setting; the rows run from strongest to weakest:

WPA2 / WPA2 Personal / WPA2-PSK / WPA-PSK2    (all are equivalent)
WPA / WPA Personal / WPA-PSK                  (all are equivalent)
WPA Shared Key
WEP Shared Key
WEP Open System

Do not use WEP security, No Security or an Open System unless your goal is to share your internet with everyone within the broadcast area. Options containing the word Enterprise are typically used by businesses using RADIUS servers, so you normally wouldn't use them for a home network.
Next, you'll need to enter a password value that will become the basis for encryption. It will be labeled something like:

- Shared Key
- Passphrase (a phrase from which the router automatically generates a password)

Use the router's HELP panel to see how complex it can be. Supply a strong, uncrackable key -- this encrypts all the data that passes between your router and your wireless devices. You may find the free online password strength checker useful here as well. When you set up your wireless devices, you'll also enter this value into their Network Configuration definition. This is why this value is often called a shared key -- it is shared between the router and the wireless clients.
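As an added illustration (not part of the original article), here is how a router turns the passphrase and the SSID into the actual 256-bit shared key, using the IEEE 802.11i derivation: PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 32 bytes of output. It also shows why the SSID advice above matters for the key itself: the same passphrase yields a different key on every SSID, so a factory-default SSID lets a precomputed table of keys be reused against every router that kept it. The "dlink" and "A52c481757bc" SSIDs are sample values; the "password"/"IEEE" pair is the published 802.11i test vector.

```python
import hashlib


def passphrase_problems(passphrase: str, ssid: str) -> list:
    """Return the IEEE 802.11i rules a passphrase/SSID pair violates (empty = OK)."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("passphrase must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        problems.append("passphrase must be printable ASCII")
    if not 1 <= len(ssid.encode("utf-8")) <= 32:
        problems.append("SSID must be 1 to 32 bytes")
    return problems


def wpa_psk(passphrase: str, ssid: str) -> str:
    """Derive the WPA/WPA2 Pre-Shared Key as a 64-character hex string.

    PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes),
    the mapping defined by IEEE 802.11i and used by tools such as wpa_passphrase.
    """
    problems = passphrase_problems(passphrase, ssid)
    if problems:
        raise ValueError("; ".join(problems))
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid.encode("utf-8"), 4096, dklen=32)
    return key.hex()


if __name__ == "__main__":
    # Published IEEE 802.11i test vector: passphrase "password", SSID "IEEE"
    print(wpa_psk("password", "IEEE"))
    # The SSID is the salt, so the same passphrase gives a different key on a
    # router whose SSID was changed from the factory default (sample SSIDs).
    print(wpa_psk("password", "dlink"))
    print(wpa_psk("password", "A52c481757bc"))
```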
In addition to setting the router's encryption level and key, you need to tell the router the kinds of wireless devices it will support and their security algorithm. Select from the table below. Not all routers support all settings:

Best Choice:      Your router and all your wireless devices support WPA2 (or WPA2 Personal or WPA2-PSK or WPA-PSK2 encryption).
2nd Best Choice:  You have a mixed set of wireless WPA2 and WPA devices. The router will use the encryption standard appropriate to each wireless device.
3rd Best Choice:  Your router and/or your wireless devices use WPA (or WPA Personal or WPA-PSK security).
For the encryption algorithm, AES is best. Since nearly all devices made since 2004 support it, it should be your choice.

Some routers will ask you whether you want to support N, G and/or B wireless devices. You want an N-devices-only network, or at least N and G devices only:
- N devices only
- N and G devices only
- A mixed set of N, G and B
- B devices only
Remaining Router Security Settings
MAC Address Filtering -- Every wireless device or laptop has a unique Media Access Control Address, or MAC Address. Many routers offer a feature called MAC address filtering by which you can either allow or disallow wireless devices with specific MAC addresses. This feature ensures that only the wireless devices you specify are allowed to use your router.

To set this up, you need to know the MAC address of every laptop or wireless device you want to use your router. Then enter it into the router's panel of allowable MAC addresses. Most laptops have a sticker underneath or on the wireless card that will tell you the MAC address. Or enter a software command to determine it:

Windows line command:    ipconfig /all (look for the Physical Address of your wireless adapter)
Linux line command:      ifconfig -a (look for the HWaddr value for your wireless interface)
Mac OS GUI:              System Preferences -> Network -> pick proper Location -> AirPort -> see the AirPort ID
iPhone/iPod Touch GUI:   Settings -> General -> About -> see the Wi-Fi Address

A typical MAC address appears as a series of six hexadecimal values, for example 00-14-F3-19-66-F0. Depending on the system, the pairs may be separated by colons instead of hyphens, or run together with no separators at all.

Enter the MAC addresses of all your wireless devices into the MAC Address Filter table in the router's configuration panels, then tell the router to only accept communications from these addresses. Voila!
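An added example, not from the article, of the allow-list logic a MAC Address Filter table implements. It normalizes the separator styles described above (hyphens, colons, none, plus Cisco's dotted form) so an entry copied from one device compares correctly against what another system prints, and it flags locally administered addresses, which are what phones and laptops that randomize their Wi-Fi address present: a filter entry made from such an address stops matching once the device rotates it. The addresses other than the article's 00-14-F3-19-66-F0 are constructed sample values.

```python
import re

# After stripping separators a MAC address is exactly 12 hex digits.
_MAC_RE = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(text: str) -> str:
    """Return the MAC as 12 uppercase hex digits, or raise ValueError.

    Accepts 00-14-F3-19-66-F0, 00:14:F3:19:66:F0, 0014.F319.66F0 and
    0014F31966F0 (the forms different operating systems print).
    """
    cleaned = re.sub(r"[:\-.\s]", "", text.strip()).upper()
    if not _MAC_RE.match(cleaned):
        raise ValueError(f"not a MAC address: {text!r}")
    return cleaned


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (bit 1 of the first octet) is set.

    Devices that randomize their Wi-Fi address generate such values, so an
    allow-list entry copied from one may stop matching later.
    """
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


class MacFilter:
    """Allow-list modelled on a router's MAC Address Filter table."""

    def __init__(self, allowed):
        # Normalize once so later comparisons ignore case and separators.
        self.allowed = {normalize_mac(m) for m in allowed}

    def permits(self, mac: str) -> bool:
        try:
            return normalize_mac(mac) in self.allowed
        except ValueError:
            return False  # malformed input is never allowed through


if __name__ == "__main__":
    # Constructed sample table: the article's address plus one made-up entry
    table = MacFilter(["00-14-F3-19-66-F0", "00:1a:2b:3c:4d:5e"])
    for probe in ["0014f31966f0", "00-1A-2B-3C-4D-5E", "AA-BB-CC-DD-EE-FF", "garbage"]:
        print(probe, table.permits(probe))
    print("randomized-looking:", is_locally_administered("02:00:00:00:00:01"))
```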
Ping Response -- A ping is an anonymous request that comes into your router and asks for a response. Respond to an anonymous internet request? Not a good idea. Tell your router not to respond:

Linksys: Block Anonymous Internet Requests: _x_
D-Link: Enable WAN Ping Respond: ___
Firewall -- Routers come with an embedded firewall. Ensure it is enabled. It should be by default. Some routers allow you to specify rules or otherwise configure the firewall. This is very router-specific so I won't cover it here. The default configuration is adequate for a home network.
Firmware Update -- The
software embedded in your router is called firmware. Most routers allow you to
automatically perform a
firmware update across the web. This increases security
if vendors fix firmware bugs or add security features
since the router shipped. But be
certain the update occurs without interruption!
Never turn off the router or computer during the update or otherwise
interrupt the update. This could mess up your router's
firmware or even make it unusable.
Channels -- A channel is a radio frequency used for wireless communication between your router and its wireless clients. Routers typically offer channels 1 through 11, with 6 as the default. Other routers default to auto channel scan or auto channel selection, which means the router dynamically determines the channel to use. The purpose of having multiple channels is to find a frequency that is free from interference with other devices (your cordless phone, game box, etc). From the security standpoint, the channel is irrelevant. I usually pick a channel other than 6 just because it's less common. Remember that the router and all wireless devices that use it must be set to the same channel.

Wisdom
There is no single silver bullet for router security. But if you follow these recommendations you'll have a reasonably secure home network. Read more in Wikipedia articles on Wi-Fi, wireless security, LAN security, and WPA.
- - - - - - - - - - - - - - - - - - - - - -
The author is an independent consultant who works with databases and operating systems. Read his other articles.
Router Security Checklist
This checklist summarizes router configuration settings and our recommendations:

Setting            Recommendation
N or G router      Replace any B router with an N or G router.
Wireless           Set to Off or Disable if you don't use wireless devices.
SSID               Assign a unique complex SSID (network name).
SSID Broadcast     Disable (default is usually Enable).
Router password    Assign a complex router password.
Router user id     Assign a complex router user id if the SSID is not used as the login user id.
Encryption         Use WPA2 or WPA2 Personal if possible. Else use WPA or WPA Personal. Do not use WEP or "Open System."
Algorithm          Use AES if possible. Otherwise use AES+TKIP if possible, else use TKIP.
                   (default is "not used").
Channel            I pick a lesser-used channel, but it's not really relevant to security.
* Some routers are easier to configure than what I show. For example, they might use Wi-Fi Protected Setup (WPS). Unfortunately, WPS has a serious security defect, so you should disable WPS if your router has it.