A small office home office (SOHO) wireless router can be setup in just minutes, and can be a convenient and cost effective way to extend your home network. Many people don’t do much in the way of configuration or security on a SOHO wireless router when installing the device. However, just plugging in a wireless router without changing any of the factory default settings presents an insecure wireless network and can serve as an open internet portal to anyone nearby. Not only will it be an open internet connection, but it could open up unauthorized access to the computers on the network and the data stored on them. Anyone with a little knowledge of wireless networks and with the right utilities can sniff unencrypted wireless communications potentially capturing any data including passwords traversing the air waves.
Here is a list of some wireless security strategies that can be configured on most wireless routers. While no one feature will simply secure the wireless network, applying most or all will provide a layered approach to security. Some of these settings require an intermediate to advanced knowledge of wireless routers. For assistance or additional help with these settings consult the user’s manual for your specific wireless router.
- Change the default Admin password used to access the wireless router.
- Default passwords for routers are well known or can be found on the internet with some simple Google searches. If you setup encryption along with some of the other advanced security measures on the router it will all be useless if someone can just log into the router using the default password.
- Enable Encryption.
- Setting up encryption on the wireless network and protecting the traffic from being read by an unauthorized person is the most critical security feature to enable on the router. If someone in range of your wireless network was capturing the traffic encryption will scramble the data so it would appear as gibberish to that person. WEP was the original encryption method for wireless networks, but WEP has several known flaws and therefore should not be used. It is recommended to use WPA encryption or the stronger WPA2 encryption if all your wireless devices can support these levels of encryption. When using the WPA encryption methods a preshared key must be entered on the router and the same key is also entered on all of the clients wanting to join the network. When selecting a key avoid common dictionary words and use a random stream of letters, numbers, and symbols with a minimum of 20 characters in length. A wireless network using WPA encryption provides both security by controlling who can connect to the network, but also privacy by encrypting the communications as they travel across your network.
- Change the default name of your wireless network (SSID).
- The service set identifier (SSID) is the name of the network the wireless clients will use to connect to the network, and like the default password the factory set name given to the wireless network can be found out very easily. When selecting a name for the SSID don’t use anything that would identify who owns the network, such as your name, address, phone number, etc… You also don’t have use anything cryptic for the SSID, and a good choice is something that doesn’t bring attention to the name of the network and lets it blend in with any of the other surrounding networks.
- Enable MAC Address Filtering.
- Every network device is hard coded with a unique physical address called the MAC address. Wireless Routers can be configured with a list of MAC addresses allowed to connect to the wireless network. This sounds like a great setting to control the devices that connect to your network, but a reasonably skilled hacker can use free utilities from the internet to monitor traffic on the network to capture MAC addresses of devices on the allowed list. With the allowed MAC address the bad guy can spoof the MAC address on their device to make it appear as if it is in the allowed list.
- Disable SSID broadcast.
- Disabling the broadcast of the network name and essentially hiding the presence of the network sounds like a great feature, and I have seen some people rely on this feature alone for the security of their network. Similar to the MAC filtering setting mentioned before, anyone with a little bit of knowledge and the right utilities can scan the airwaves and discover hidden network SSIDs, so disabling the network broadcast should never be relied on as a cover all security setting. Don’t use this setting by itself, but combine it with other settings mentioned to have strength with multiple security layers.
- Disable managing the router from a wireless client.
- Force any client to be physically plugged into the router using a network cable to log in to the management interface.
- Enable HTTPS for accessing the management interface.
- Whenever HTTPS is available to encrypt communications it should always be taken advantage of. Using HTTPS to manage the router will prevent the user name and password from being compromised.
- Centrally locate the wireless router in the house.
- If you can locate the wireless router in a central location in the residence it should theoretically provide an even coverage area and control some of the leakage of the signal seen by your neighbors. You can also control the coverage area by adjusting the power setting on the wireless router, but this is a bit more of an advanced setting and not all SOHO routers allow power settings to be adjusted. Setting the power level to low may create dead zones in the wireless network coverage. Consult the user’s manual for your router for specific instructions on adjusting the power level.
- Set time constraints to disable access to the wireless network.
- Set restrictions when no one can use the wireless network without powering down the entire network or affecting the wired connections. For example if no uses the wireless network overnight a time restriction banning clients from connecting from 11:00pm to 6:00am to the wireless network can be configured. Powering down the router during vacations or during extended periods of non-usage can be the ultimate security setting to prevent outside hackers from trying to connect to the network.
- Check for firmware updates on the router.
- Routers have software called firmware loaded on them that control the capabilities of the router. The router vendors will release updates for the firmware to improve functionality or patch vulnerabilities. Checking every so often for firmware updates will guarantee your router has all the latest features and security patches applied.
Plugging in a wireless router and not configuring any of the security settings is the equivalent of leaving your house and not locking any of the doors. Hopefully the overview here will give you some information on how to lock down your wireless network and keep your neighbors from using you as an internet service provider.