ITRC Solution 33
Protecting Home Wireless Networks
Wireless networks have become a standard fixture in home and small business environments during the past few years. The ever-increasing range of devices (digital phones, personal handheld devices, gaming consoles, etc.) that can connect to the Internet via a wireless node has propelled the wireless network router to a place of common acceptance in the home. Small businesses often reduce costs by using wireless laptop computers in place of (or in addition to) standard desktop computers. More recently, printers have included wireless connectivity, allowing the user to place the printer in a convenient location and still make it available to a network or single user. The convenience brought to users by the wireless connection is often significant. Unfortunately, so is the increased risk of hacking if the wireless network is not secured properly. Below are some considerations to improve your security when operating a wireless network:
- Wireless Setup: Wireless routers are often supplied with default settings that allow a user to quickly create an operating wireless network. However, until recently, these default settings did not adequately address security issues. This has changed with some manufacturers, so that the setup utility provides instructions to secure the network. It is still an excellent idea for the user to become familiar with the router setup, and verify that the settings are applied for appropriate security, especially if the user did not do the initial installation setup.
- Important Default Settings: The factory default user name and password for access to most routers are publicly well known, and can easily be found by doing a web search. So is the default SSID, the name that is publicly broadcast by the wireless transmitter to identify your network to any client computer that wishes to connect to it. Resetting a router to the factory default settings usually takes no more than depressing a back panel switch with a paper clip and rebooting the router. Here are some points that should always be checked:
  - Always reset the administrator password (and the administrator user name, if possible).
  - Use a strong password for the administrator password (8+ characters, mixed text, numerals, and special characters).
  - Do not use a password that is related in any way to the wireless connection password, which must be given to each client user to gain wireless access.
  - Always reset the SSID to a new name. It is also smart to pick a name that does not identify your family or business, since the SSID will (unless you make other changes) be visible to any wireless unit within range. A default SSID, like “Linksys,” begs hackers to test your network to see if any of the default login information is also being used for administrator access.
  - Disable remote management of the router, unless you really do need to change router settings from a remote location.
  - Ensure that the router firewall is enabled.
  - Ensure that wireless encryption is enabled. All wireless devices that connect to your network must use the same type of encryption, such as WPA, WPA2, WEP, etc. If at all possible, use one of the newer standards, such as WPA2 or WPA, which are much harder to decrypt/hack than the earlier WEP standard.
  - After setting a wireless “key” for the router, protect it. It is the password that will allow anyone in range of your wireless transmitter to easily join your network. A wireless client is “inside” the protection of your router’s firewall in most cases.
  - See that a software firewall is running on each computer in your network, both those with wired and those with wireless access to the network. Windows Firewall is available to most users, and most good antivirus packages include such a firewall (which replaces the Windows Firewall).
- Additional Security Measures: The measures above should be done in all wireless network installations. Below are some actions that can be done if you have a more serious need for securing your wireless network:
  - Use a MAC address access list. All wireless clients have a unique “MAC” address number, which is specific to that particular unit. Many routers have the ability to restrict access to a list of known MAC addresses. This restriction is not a “save all” method, since MAC addresses can be faked by some types of hacking software.
  - If possible, locate the router in a central part of the home or business. In addition to providing the best average coverage for your intended client wireless devices, this also limits the exterior coverage of the wireless transmitter. This decreases the possibility that an unauthorized user will be physically near enough to query your wireless network. A wireless router in a second story window can be accessible from several hundred feet away, or even further if a directional antenna is being used by the interloper.
  - Instead of letting the router assign IP addresses automatically to the intended clients (DHCP), set the router to accept a small range of static IP addresses. Then configure each intended wireless client with a fixed (static) IP within the range you chose. You can also choose an IP range that is private, such as 192.168.4.xxx or 10.0.0.xxx, to further prevent direct connections to the client machines from the Internet.
  - Turn the router off when you will be away for an extended time. Most routers will reboot in a minute or two. Most wireless clients that were previously connected to the wireless network will reconnect automatically when the router becomes available again.
- Choose a qualified supplier: There are many companies that build or rebrand wireless routers. ITRC believes it is worth your time to check online to see if the router model you are considering provides a thorough user manual. You should be able to download a PDF user manual that is thorough in explaining the setup and operation of your intended purchase, especially the security, encryption, and firewall settings available to you to protect your network. If you cannot find a thorough user manual which explains the router security settings in plain English, you would be better served to look for a different manufacturer. Ultimately, your network security will depend upon both the features available in your wireless router and clients, and the choice of appropriate settings to secure the network.
- Defend your computers: A secure wireless network will do little good if your client computers are open to viruses, malware, pop-ups, and other threats that can be imported through your firewall by ordinary web browsing and email. Antivirus and personal firewalls must be enabled. Operating system and antivirus programs must be updated automatically with patches and new virus definitions. An infected computer can allow system takeover, keystroke logging, and other hacking from within your network.
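
The "Important Default Settings" checklist above can be applied mechanically to a router's settings. The following is an added example, not part of the ITRC fact sheet: the settings dictionary, its key names, and the lists of default SSIDs and passwords are assumptions made for illustration, and the two sample configurations are constructed.

```python
import string

# Illustrative values, not an exhaustive list; "linksys" is the page's example.
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default"}
DEFAULT_ADMIN_PASSWORDS = {"admin", "password", "1234", ""}

def strong_password(pw):
    """Page's rule: 8+ characters mixing text, numerals and special characters."""
    return (len(pw) >= 8
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))

def related(a, b):
    """Crude relatedness test: one password contains the other, ignoring case."""
    a, b = a.lower(), b.lower()
    return bool(a) and bool(b) and (a in b or b in a)

def audit(cfg):
    """Return the checklist items that a router settings dict fails."""
    findings = []
    if cfg["admin_password"].lower() in DEFAULT_ADMIN_PASSWORDS:
        findings.append("admin password is a factory default")
    elif not strong_password(cfg["admin_password"]):
        findings.append("admin password is weak")
    if related(cfg["admin_password"], cfg["wireless_key"]):
        findings.append("admin password is related to the wireless key")
    if cfg["ssid"].lower() in DEFAULT_SSIDS:
        findings.append("SSID is a factory default")
    if cfg["remote_management"]:
        findings.append("remote management is enabled")
    if not cfg["firewall"]:
        findings.append("router firewall is disabled")
    enc = cfg["encryption"].upper()
    if enc in ("", "NONE", "OPEN"):
        findings.append("wireless encryption is disabled")
    elif enc == "WEP":
        findings.append("WEP in use; switch to WPA2 or WPA")
    return findings

# Constructed sample settings: an out-of-the-box router and a hardened one.
FACTORY = {"admin_password": "admin", "wireless_key": "admin123", "ssid": "Linksys",
           "remote_management": True, "firewall": False, "encryption": "WEP"}
HARDENED = {"admin_password": "t9#Vq!42rLm", "wireless_key": "Plum-Harbor-0917",
            "ssid": "bluebird-5", "remote_management": False, "firewall": True,
            "encryption": "WPA2"}

if __name__ == "__main__":
    for name, cfg in (("factory", FACTORY), ("hardened", HARDENED)):
        print(name, audit(cfg) or "no findings")
```

The substring test in `related` only catches the most obvious reuse; an administrator password that merely resembles the wireless key still needs a human check.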
ITRC Fact Sheet FS 119 – Direct Connections to the Internet
ITRC Fact Sheet FS 118 - PC Perfect: A computer IQ test