One of the biggest concerns for wireless users is making sure their router and wireless network are secure. I think we all know by now that, when it comes to technology, there is no such thing as being 100 per cent secure. Once you send data over a wireless signal, you've already potentially exposed your data to hackers, and once you've set up a router, Wi-Fi signal leeches are always a possibility.
That said, there are plenty of ways to strengthen the security of your router and wireless network. Most of these measures are fairly easy to put in place, while some take just a bit of configuration in the router's interface. In this article, I've detailed ten steps to get you moving towards a more secure Wi-Fi network.
The routers I use as examples are the Cisco Linksys Smart Wi-Fi AC 1750HD Video Pro EA6500 and the Netgear N600 Wireless Dual Band Gigabit Router (WNDR3700) — which boasts Netgear's new Genie management software. Management software varies from router to router, but most of the settings presented here can be found in just about all consumer wireless routers, especially those made in the last three years.
Tip 1: WPA2
I think it's common networking knowledge that there really is no excuse for failing to use WPA2 encryption. Just about all modern wireless clients support it, with only the oldest wireless devices lacking in this respect.
Tip 2: Change default passwords
You never want to set up a new router and leave the default password of either the SSID (if the router came preconfigured) or the admin account, which gives access to the router's management software. In fact, I like to change even the Guest Account default settings, if I've enabled Guest Account and the router has guest credentials set up.
The option to change the admin password is usually found in the System or Administration areas of the interface. Changing the SSID's passphrase is typically under Wireless Settings. By the way, you see the password I have set in the image below? Don't use that one. That's just a router for testing; my home router has a much stronger password.
Tip 3: Change the default SSID name
I can't tell you how many times I've looked at wireless networks in range and seen SSIDs such as "NETGEAR095," in other words, SSIDs that are preconfigured and easily give away the make of the router. When I see this, I also think perhaps the person who set up the router left the default admin credentials to the router's software. Some nefarious person could access an unsecured network, and with a quick web search, discover the default password to the admin account just by knowing the type of router. Give your network a name that does not reveal the make or model of your router.
Tip 4: Device lists
Most routers have a device list that shows the wired and wireless clients currently connected. It pays to periodically take a look and familiarise yourself with your router's device listing. Years ago, you would only see a list showing a connected client's IP address, MAC address, and maybe the hostname.
Newer router interfaces are getting fancier. The most recent interface on the Cisco Linksys routers shows all of this information plus an icon of the type of client that's connected (a picture of a bridge, a NAS, a computer… and so on). I've met with vendors who are also releasing cloud and mobile apps that let you remotely see who (or what) is connected to your network and alert you when a device connects. If this is an important feature for you, you can expect to see a lot of innovation in intrusion detection and home networks soon.
Tip 5: Turn off guest networking
I've never tested a router out of the box that had guest networking on by default. If I did, that router would not get a very high review score. Guest networking allows others to access your router, and by default it's usually unsecured access (although you can typically add security). That said, if you inherited your router from someone else, it pays to make sure guest networking is turned off (or at least secured) when you set the router up for your use. Generally, doing so requires nothing more than ticking off a checkbox in the router's interface.
Tip 6: Enable MAC address filtering
Creating a filter by MAC address allows you to grant or deny access to your wireless network based on the specific device being connected. A common scenario for good security is to only grant access to the MAC addresses of your own devices. You have to enter the MAC address manually for each client in just about any router I've tested, so you'll need to gather that information first. Of course, you can also get the MAC addresses from the device list as mentioned earlier, if they are connected.
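To combine Tip 4 and Tip 6, the following added example (not part of the original article) compares a router's device list against your own MAC allowlist and flags anything unrecognised. The device-list layout, the addresses and the function names are all constructed for illustration; real routers export this information in different formats.

```python
import re

# Constructed sample: a device list as a router might show it (IP, MAC, hostname).
DEVICE_LIST = """\
192.168.1.10  A4:5E:60:12:34:56  laptop
192.168.1.11  a4-5e-60-ab-cd-ef  nas
192.168.1.12  0011.2233.4455     printer
192.168.1.23  DA:A1:19:0B:7C:2E  unknown
192.168.1.24  3C:5A:B4:99:88:77  android-phone
"""

# Constructed allowlist: the MAC addresses you would enter in the router's filter.
ALLOWED = ["A4:5E:60:12:34:56", "A4:5E:60:AB:CD:EF", "00:11:22:33:44:55"]


def normalize_mac(text):
    """Return a MAC as 'aa:bb:cc:dd:ee:ff', or None if it is not 12 hex digits."""
    digits = re.sub(r"[:.\-]", "", text.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """True when the locally-administered bit (0x02 of the first octet) is set,
    as it is for the randomized addresses many phones and laptops use."""
    return bool(int(mac[:2], 16) & 0x02)


def audit(device_list, allowed):
    """Return (ip, mac, hostname, note) for every client not on the allowlist."""
    known = {normalize_mac(m) for m in allowed}
    findings = []
    for line in device_list.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        ip, mac = fields[0], normalize_mac(fields[1])
        host = fields[2] if len(fields) > 2 else ""
        if mac is None:
            findings.append((ip, fields[1], host, "unparseable MAC"))
        elif mac not in known:
            note = "randomized MAC" if is_locally_administered(mac) else "unknown device"
            findings.append((ip, mac, host, note))
    return findings


if __name__ == "__main__":
    for finding in audit(DEVICE_LIST, ALLOWED):
        print(*finding, sep="  ")
```

A "randomized MAC" finding is often one of your own phones or laptops using a private address for this network, so check the device's Wi-Fi settings before treating it as an intruder.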
Tip 7: Use WPS with caution
Personally, I don't use WPS (Wi-Fi Protected Setup) on my home network. I find it does not work consistently across wireless devices. Furthermore, a security issue was discovered with the PIN method of connecting via WPS, and it makes me want to stay far away from this feature. To their credit, router manufacturers have been doing a good job of securing WPS on their equipment; however, I would still use it sparingly. Some wireless extenders I've tested can only connect to a router via WPS, but for other devices, connect them manually.
Tip 8: Keep firmware up to date
I think a lot of users forget about this one. Periodically, router vendors will create and post new firmware for their products to their websites. Sometimes, this firmware can patch security holes. Routers keep getting easier and easier to update; newer ones will notify you when new firmware is available, and some will allow you to do the entire firmware update without leaving the router's interface — a feature that always gets a favourable rating from me. Don't forget to keep client wireless adapters patched for the same reason, as well.
Tip 9: Use firewall settings
Most routers have some sort of firewall or WAN protection to guard the device from Internet threats. Higher-end dual-band routers tend to have more advanced firewall and security features (though you can throw a third-party, open source software tool like Tomato on an old cheap router, which can add advanced functionality, too). For example, the Cisco Linksys AC1750 has settings that allow you to enable firewall protection for both IPv4 and IPv6 traffic, as well as filter potential threats such as anonymous Internet requests.
One caution, though: If you use port forwarding to set up remote access back into your home LAN, enabling some WAN filtering may cause problems with the remote access — as I once discovered. Still, that should not discourage most users from making use of the SPI (Stateful Packet Inspection) firewall capabilities and WAN threat security features found in most wireless routers. Many of these security features can be enabled with a click. Advanced users can even use a feature found in lots of routers — setting up firewall rules to block specific types of services such as IDENT or Telnet from coming through your router.
Tip 10: Hide the SSID
Hiding the name of your wireless network (the SSID) is also referred to as preventing the SSID from broadcasting. Now, hiding the SSID is not in and of itself a security measure. Snoopers still have ways to detect wireless signals in a given area. However, for most other would-be leeches, not having your Wi-Fi network's name broadcast is a good way to prevent anyone from jumping on. The downside is you will have to manually type in the name when you want to connect a device — which is especially tedious for friends who drop by and want to connect to your Wi-Fi.
With these settings, you really don't need to be well-versed in networking. You just need to get familiar with the features and interface in your router to create a more secure network.