Securing Your Wi-Fi Network – Step by Step
If you’re here, you’re probably an individual, like myself, who is interested in how to better secure and monitor wireless networks. Wireless Fidelity (WiFi) networks are becoming more and more common because they are convenient and powerful tools.
The availability and affordability of wireless devices has dramatically increased in the last several years. Also becoming more common are wardriving, identity theft, and other forms of malicious activities that are made possible by exploiting WiFi. This article is aimed at helping the average, non-IT savvy individual to easily secure a home or small business WiFi network.
Imagine this. You run a wireless network at home. You live in a quiet, residential neighborhood so you don’t think you need to worry about security on your network. After all, the Smiths next door don’t even own a computer! One day you wake up and check your credit card statement online and see a series of cash advance charges you didn’t make.
You call the bank to inquire about them, and they ask you how your recent move went and if you’d like to increase the limit on your new line of credit as they notice it’s maxed out. What? You don’t have a line of credit and you haven’t moved.
How It Happens
Someone, with a laptop no different than yours, drove by your house, scanning for wireless networks using any number of freeware programs. They see your network is unencryped so they stop for a brief moment and use a sniffer to scan your network for activity. Within a matter of seconds they can monitor all the activity that occurs, including anything your computer exchanges with the internet.
They grab your online banking passwords, credit card number, social security number, name, address and presto! They’re now you.
If you’re lucky, this hasn’t happened to you yet. Maybe your neighbor is just jacking your internet for free, downloading movies and hogging bandwidth. The point is you are exposing yourself to a massive degree of risk.
So, now that we understand what we want to prevent; how do we do it? The two basic components in a home-based WiFi network are a wireless router (called an access point or AP) and a wireless network interface card (WNIC). Most modern laptops come with WNICs built in, but that’s not enough. Many of them, especially the older ones, don’t support modern types of security. Even cable internet gateways for your “smart” TV is vulnerable. So take security seriously.
I’ll make some recommendations for good WNICs below. Same with routers. A lot of the older routers, or the ones that are bundled with a many of the new ISP modems, are not up to the task.
So what are the good tools to use? I always trust Linksys products. Linksys is owned by Cisco, the main manufacturer of commercial-grade networking components, and their commitment to quality and innovation in the field of wireless networking has been unprecedented. Other reputable suppliers are D-Link and Netgear.
Accessing Your Router
To make any changes to a router, you have to logon to the administration screen. To do this, I recommend plugging directly into the router via a network cable. You’ll be making changes to the wireless security on the network so it will be more convenient to be plugged directly in to avoid loss of connection when the changes take place.
To access your routers administration screen you have to ping the router. Open an internet browser window and type http://192.168.1.1 into the address bar and hit enter. The router will then prompt you to enter a username and password. Your routers manual will tell you what the defaults are.
For example, Linksys routers use the default username “linksys” and password “admin”. If your default login credentials are not working, you can reset the router by pressing and holding the reset button (it’s on the back for Linksys routers).
Once you are logged in, you will see the administration screen with a variety of tabs. The ones you want to focus on are setup, administration and wireless security.
Securing Your Network
- Change the defaults. When you use your router for the first time, it will use default settings. These settings are known to hackers and make your network vulnerable. Make sure you change the router name and the administration password. For Linksys, the router name can be found on the setup tab. It will default to WRT54G or whatever model your router is. When you change it and save settings, this will be your new login name for router administration instead of linksys. Next, go to the administration screen and change the administration password. Make sure you use a strong password with 8 characters, and a combination of letters, symbols, and numbers.
- Activate encryption. The very least you should do to lock down your network is to use encryption. You have your choice of two basic flavors: wired equivalent privacy (WEP) and WiFi protected access (WPA). WEP is an older and less secure type of encryption that uses a shared, static key. This makes the encryption easy to break. I won’t go into further details here, but if at all possible you should use WPA encryption. WPA uses dynamic, constantly changing keys that are harder to crack. For WEP encryption, the router will prompt you to enter a password. From this it will generate WEP keys which are used to set up the WNIC on the computers connecting to the network. Write these down. WPA encryption uses a passphrase that is user entered. Use a strong passphrase that is as many characters long as possible, and uses a combination of letters, numbers, and symbols.
- Change the SSID: The service set identifier (SSID) is the name of the network. The default for Linksys is – surprise surprise – linksys! Change this to something unique that does not identify what type of networking hardware you’re using.
- Disable SSID Broadcast: By default, routers send out beacon packets to broadcast to the world that they are there. Beacon packets include the SSID, or name, of the network to everyone within range. Within the setup screen, disable SSID broadcast. This will make it more difficult for a potential intruder to see the network.
- Use MAC Address Filtering: Every piece of networking hardware has a physical address (machine address code or MAC). Your router will have one, as will your WNIC. Routers allow you to block or only allow certain MAC addresses from connecting to your network. Find out the MAC addresses of the WNICs used on your network, enable MAC address filtering, and type the MAC addresses into the list (for Linksys this is in the wireless tab). To find out the MAC address of your WNIC, go to the start menu, select “run”, type “cmd” and hit enter. This will bring up your command prompt screen. Type “ipconfig /all” and hit enter. You’ll see information there about your wireless adapter and the MAC address will be listed as “physical address”.
Configuring Your WNIC
Now that you’ve configured your router, you must set up your WNIC. First of all, make sure your card is using the most recent driver. This is important, because older drivers may not support some security features. Once you’re sure you’re using a current driver, open the configuration utility. Some cards come with their own, but if not you can use the Windows utility found under network connections.
When you launch the utility, you will be able to create a profile for your wireless network. Type in the SSID of the network and specify what kind of encryption it’s using. Sometimes WEP is called “shared”, just so you’re aware. You will then be prompted to enter the WEP key or WPA passphrase. Entering this information should grant you access to the network.
One additional precaution you may wish to take, is to specify a required MAC address for this profile. This will make it more difficult for a hacker to emulate your router if they’re trying to establish a connection directly to your computer. You can view the routers MAC address in the administration screen.
So Now I’m Safe?
All of these steps are precautions that are designed to deter malicious intruders. Unfortunately, there are still ways a determined hacker can get in. Both WEP and WPA encryption can be broken, MAC addresses can be emulated, and SSIDs can be harvested.
There is no such thing as complete security, but what we’ve just covered will deter all but your most advanced and determined hacker. With all the unsecured networks out there, they’ll likely just keep driving.