One of my friends recently bought a wireless router for his home. After he bought the router, he asked me about what he should do—at a minimum—to secure the router. He had the following simple requirements: First, secure the router so that no one except him could change its settings, and second, prevent any unauthorized users from connecting to the router or gaining access to the network.
As most people do, my friend initially set up his router using the product’s installation and setup wizard. Using this wizard, he was able to secure the router by changing the administrator password. However, although using a router’s setup software to set an administrative password is a good start, it provides only basic security. And in my friend’s case, it met only his first requirement.
Chances are, if you’re like my friend, your wireless network remains wide open: Anyone in your wireless router’s range can connect to your network to access the Internet—and your home PC. If you’re in this situation, you have some work to do. Here are five steps that you can follow to secure your home wireless network:
Step 1: Change the Router’s Default Administrator Password
Out of the box, most routers contain a default user ID and password. Because this password is well known (i.e., printed in documentation included with the router), you must change the default password. You can easily make this change by running the router’s installation and setup wizard.
If you have a router that doesn’t provide such a wizard, you can connect to the router through an Internet browser and change the password. For example, to connect to a Linksys router, after powering up the router and connecting the Ethernet cable to the router, open a Web browser and type 192.168.1.1. Use the default user ID and password to log on to the router, then change the default password.
Step 2: Change the Default SSID and Disable SSID Broadcast
All routers are shipped with a Service Set Identifier (SSID) that’s set by the manufacturer. An SSID is a sequence of as many as 32 letters or numbers that comprise a wireless LAN’s (WLAN’s) ID or name. For example, the Linksys router’s default SSID name is Linksys. Default SSIDs are well known and published. Therefore, wireless-router manufacturers advise that you change the default SSID so that it’s unique. Moreover, router manufacturers suggest that you change SSIDs as often as possible: Hackers know that, in order to join a wireless network, wireless networking products first listen for “beacon messages,” which are transmitted unencrypted. These messages contain network information, such as the network’s SSID and the IP address of the network PC or Access Point (AP).
Also by default, a router broadcasts the router's SSID. You should disable this behavior. Although doing so won't provide tight security—a commonly available tool such as NetStumbler can detect hidden SSIDs—disabling the SSID broadcast lets you add one more layer of security against casual eavesdroppers. However, exercise caution if you disable SSID broadcast: Some devices, such as HP Palmtops, might not be able to connect or might drop connections intermittently if the SSID isn't broadcast.
Step 3: Change the IP Address Setting
Router manufacturers set every router with an IP address. Linksys routers, for example, come configured with an IP address of 192.168.1.1. These address settings are well known and published, and thus malicious users can easily discover your IP address if they know the router manufacturer and type. Therefore, you should change the IP address as a part of the setup process. Continuing with the Linksys example, you can change the default 192.168.1.1 IP address to 192.168.10.1. Although changing the IP address doesn't secure the router, it does leave the eavesdropper guessing for the IP address.
DHCP is also enabled by default on every router. DHCP provides IP address information to client machines. By default, the DHCP server hands out IP addresses in the 2-to-254 range. Therefore, 253 client machines can get an IP address from the router. You probably don't have that many systems at home, so it's best to reduce the DHCP range to the number of machines that you expect to have in your network. As a rule of thumb, I set the router to hand out addresses for the number of machines in my network, plus an additional two for visiting friends and family.
Step 4: Set Up Your Router to Use Encryption
A router's default settings don't include encryption. Because encryption provides security to your wireless communication, you must enable it. However, before setting up encryption, you must understand a few facts about wireless encryption and the security that different types of encryption standards—specifically, Wired Equivalent Privacy (WEP) and WiFi Protected Access (WPA)—provide.
WEP is the 802.11 standard’s optional encryption method. It's supported by most wireless NIC and AP manufacturers and is the most common method for securing home wireless networks. However, WEP has two limitations. First, it has a long key that's difficult to remember for a common user. Setting up the network for such a user can therefore be challenging. Second, the more serious problem with WEP is that malicious users can use freely available tools (e.g., AirSnort, WEPCrack) to easily decrypt WEP-encrypted data. By sniffing a heavily used wireless network (i.e., capturing transmitted data packets) for about 5 hours, an intruder—using these tools—can determine the WEP key and gain access to the network.
WEP vulnerabilities are well known and published. In January 2001, UC Berkeley published a white paper about WEP vulnerability, and in March 2001, the Department of Computer Science at the University of Maryland, College Park, published a document called Your 802.11 Wireless Network Has No Clothes that lists WEP vulnerabilities.
Although WEP isn't the most secure method available, it's nevertheless better than using no encryption at all. Home networks aren't as heavily used as corporate networks, so it can take an intruder much more time to sniff the home wireless network and gather enough packets to decipher the WEP key than to gather the same information from a corporate network.
WPA was created as a bandage for WEP security, an intermediate measure to take the place of WEP during the preparation of the 802.11i standard. WPA is designed for use with 802.1X authentication—for example, you might use WPA in conjunction with a RADIUS server that's responsible for distributing keys to each user. You might also use a less secure pre-shared key (PSK) process.
One big WPA improvement over WEP is the addition of the Temporal Key Integrity (TKIP) security protocol that dynamically (i.e., every 10,000 packets) changes the keys used to encrypt the data. This change alone makes WPA more secure than WEP. Another advantage of using WPA is that it takes a pass phrase as a key, which is easier to remember and set up than the long and complicated WEP key. Figure 1 shows the Linksys router's pass phrase key setup.
All this being said, WPA only recently became a standard, in February 2004. Since that time, devices must support WPA to pass certification, but older systems might not support WPA without a firmware upgrade. If you bought your device before February 2004, chances are that you'll need to update the firmware to get WPA support.
Besides the update required for older routers, a client-software update might be necessary. For example, if you aren't running Windows XP Service Pack 2 (SP2), you'll need to download and install the WPA support patch.
Step 5: Use the MAC Address Filter
Every NIC has a unique MAC address. You can configure most wireless routers to filter based on these addresses. To display XP's IP configuration, which includes the MAC address (as Figure 2 shows), simply type
at a command prompt. After you know the MAC (Physical) address, you can log on to the router (at http://router's IP address) and add the MAC address to the filter. Figure 3 shows how to add the MAC address to a Linksys router. However, you will have to add and save the MAC address to your router only once and subsequent visits will be seamless.
Before adding the MAC address, you must enable the MAC filter. Most routers let you either allow only specific PCs to access the network or deny specific PCs access to the network. Figure 4 shows the settings for the Linksys router that allow only listed PCs to access the network. Generally, you might not know who to deny access to; therefore, it’s best to use the Allow only specific clients option.
Filtering MAC addresses isn’t foolproof: An intruder can change a device’s MAC address to circumvent MAC address filtering. However, a hacker would need to know the MAC address of a device on your network before doing so.
Just Like Locking Your Home
Just as you secure your home by locking your doors and windows, you must take the precaution of securing your wireless network by locking it down. By changing your router’s default administrator password, changing the default SSID and disabling SSID broadcast, changing your IP address settings, setting up your router to use encryption, and using the MAC address filter, you can easily secure your home wireless network, as my friend did. Although these steps won’t prevent a dedicated intruder who’s intent on hacking your network, they’ll keep most malicious users and eavesdroppers away.