How to Secure Your Wireless Network
November 23, 2003


Wireless networking via 802.11 b, g, or a has become extremely popular over the past few years.  Chances are if you have a laptop, you probably have an add-in wireless card or even a mini-PCI wireless card built right in.  While wireless computing is extremely convenient, there are many security issues.  In order to make wireless networking as simple as possible, most wireless routers and access points are set up by default to work out of the box.  In order to do this, most, if not all, of the security features are disabled.  There is a trade-off between security and ease of use.  As you become more familiar with your wireless network and have all your wireless computers working correctly, you can slowly increase the security of your wireless network.

Wireless network security is especially important if the wireless link is connected to your home network.  If somebody manages to connect to your wireless network, they could potentially access all the computers on your network, including your webserver or file server.  In a home network, the wireless segment is the most vulnerable connection and you must pay special attention to secure it as best you can.

While wireless security is not foolproof, it will put up a substantial barrier for the casual hacker or war driver (somebody who drives around with a laptop looking for a free wireless connection).  Below I point out several security measures that are built into most wireless routers and access points.  While your hardware may not support all of these features or your network situation may preclude certain configurations, you should enable as many of these features as you can.  Some of the items may make using your network less convenient, but once again, it is a trade-off between ease of use and security.  Pick the balance that makes you happy.

Change the username and password of the configuration page of the wireless access point/router.

Each wireless router or access point has a built-in configuration page, usually in the form of an internal webpage accessed from your web browser.  Typically, the password is either blank or "admin".  You definitely have to change the username and password immediately.  You might be surprised that most people do not change either one!  You don't want somebody else configuring your access point or router so make sure this info is changed.

Change the default SSID of your wireless router or access point.

Your wireless access point or router comes from the manufacturer with a default SSID that typically is something like "linksys", "netgear", or "dlink".  Change the SSID to something that does not describe the manufacturer or model of the unit.  Specific units may have known weaknesses or configuration loopholes so don't give the hacker a hint on which unit you have.  An additional reason to change the SSID is that if a neighbor has the same model as you, and both models are set at their default configurations, the two units might interfere with each other.

Disable broadcasting of your SSID.

Most wireless access points and routers broadcast their SSID to everyone.  This makes it easy to connect to the network; however, it announces the SSID to everyone, saying "A wireless network is here, come find me".  If possible, disable the broadcasting of the SSID.  This makes your wireless access point or router invisible to most people.  You'll have to manually input the SSID into your wireless client computer since it won't show up automatically as an available wireless network.  This isn't much of a problem if your client connection software allows you to create a profile that saves the wireless connection settings.  The fewer people who know you are using wireless, the more secure you are.

Change the channel number from default.

Pick any channel number that is different from the default channel number.  This prevents people from simply going with the default channel and also prevents interference if other people own the same model as you do.

Change the default IP number of the wireless access point or router.

Most wireless routers and access points are configured by pointing a web browser to the IP address of the unit and then using an internal web page to set the configuration.  Change the default IP number to something different so hackers cannot easily find the configuration menu.

Disable wireless configuration of the wireless access point or router.

The configuration menu for most wireless routers and access points can be accessed by either a wired or wireless connection.  If your unit has the option to do so, disable wireless configuration of the access point or router.  This makes it so that you can configure the unit if you are physically attached to the network (wired) but not if you're connected wirelessly.  It is not likely that someone is going to physically splice into your wired network.

Enable MAC address filtering.

MAC address filtering only allows computers with MAC addresses you specify to connect to the wireless network.  You manually input the MAC address of each wireless network card into the configuration of your wireless access point or router, and then only these MAC addresses are allowed to connect.  The rest are not.  This is a great security feature and should definitely be enabled if possible.  For the most part, this feature is not very intrusive.  All you have to do is update the permitted MAC address list each time you add a new wireless computer to the network.  For home use, this probably isn't that often.  With MAC address filtering, the content of the data being sent wirelessly is not encrypted and still can be intercepted using various snooping tools, but it is an effective way to prevent people from connecting to your wireless network.
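
As an added example (not part of the original article), the Python sketch below compares a router's list of connected clients with the permitted MAC address list, normalizing the different ways MAC addresses get written.  The permitted list, the "name MAC IP" table layout and every address in it are constructed for illustration; a real router's status page will format its client list differently.

```python
import re

# Constructed sample data: the permitted list as typed into the router, and a
# client table in a made-up "name MAC IP" layout (real status pages differ).
ALLOWLIST = ["02:00:00:AA:BB:01", "02-00-00-aa-bb-02", "0200.00aa.bb03"]
CLIENT_TABLE = """\
laptop   02-00-00-AA-BB-01  192.168.1.100
desktop  02:00:00:aa:bb:02  192.168.1.101
visitor  02:11:22:33:44:55  192.168.1.102
garbled  02:00:00:AA:BB     192.168.1.103
"""


def normalize_mac(text):
    """Return a MAC as 12 lowercase hex digits, or None if it is malformed."""
    digits = re.sub(r"[:.\-]", "", text.strip()).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def audit_clients(allowlist, client_table):
    """Compare connected clients with the permitted list.

    Returns a dict with:
      unknown   - clients whose MAC is not on the permitted list
      malformed - entries whose MAC could not be parsed
      absent    - permitted MACs that are not currently connected
    """
    allowed = {normalize_mac(m) for m in allowlist} - {None}
    seen, unknown, malformed = set(), [], []
    for line in client_table.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue  # blank or incomplete line
        name, raw = fields[0], fields[1]
        mac = normalize_mac(raw)
        if mac is None:
            malformed.append((name, raw))
        elif mac in allowed:
            seen.add(mac)
        else:
            unknown.append((name, raw))
    return {"unknown": unknown, "malformed": malformed,
            "absent": sorted(allowed - seen)}


if __name__ == "__main__":
    for kind, entries in audit_clients(ALLOWLIST, CLIENT_TABLE).items():
        print(kind, entries)
```
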

Enable WEP or WPA encryption.

With WEP or WPA enabled, a user has to have a correct encryption key to connect to the wireless network.  Also, once they connect to the wireless network, data sent wirelessly is encrypted so that if somebody is snooping wirelessly, the information cannot be deciphered.  WEP comes with different encryption levels such as 64 or 128 bit encryption.  The higher the level, the more difficult it is to break the encryption code.  Even though that data may be encrypted, it is not 100% secure, but it is fairly safe against all but the most determined wireless network snooper/hacker.  Some wireless access point/routers/network cards run slower with the encryption enabled.  The drop in transmission speed can be up to 40%.  However, most new wireless hardware does not suffer a speed loss when encryption is enabled.  Another thing to be wary of is that some manufacturers use encryption keys in hexadecimal and some use binary and others use a passphrase.  If you mix hardware from different manufacturers, make sure to find out if they use the same type of keys.  You may have to convert a hexadecimal key to a binary key or vice versa.  I found this out the hard way when I initially couldn't get encryption to work between hardware from different companies.
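
As an added example (not part of the original article), the Python sketch below converts a WEP key between its hexadecimal form and its typed-character form and checks whether two devices' entries describe the same key.  It assumes the non-hexadecimal form is the key's raw bytes typed as ASCII characters (5 characters for 64-bit, 13 for 128-bit); vendor passphrase generators are not covered, and the sample keys are constructed.

```python
# WEP key sizes: the advertised 64/128 bits include a 24-bit IV, so the key
# actually typed in is 5 or 13 bytes (10 or 26 hexadecimal digits).
LEVELS = {5: "64-bit", 13: "128-bit"}


def _printable(raw):
    """True if every byte is a printable ASCII character."""
    return all(32 <= b < 127 for b in raw)


def parse_wep_key(text):
    """Parse a key typed as ASCII characters or hex digits -> (level, bytes)."""
    text = text.strip()
    # 5 or 13 typed characters: treat as the ASCII form of the key.
    if len(text) in LEVELS and text.isascii() and _printable(text.encode()):
        return LEVELS[len(text)], text.encode("ascii")
    # Otherwise expect hex digits, optionally grouped with ':', '-' or spaces.
    compact = "".join(c for c in text if c not in ":- ")
    try:
        raw = bytes.fromhex(compact)
    except ValueError:
        raw = b""
    if len(raw) not in LEVELS:
        raise ValueError("not a 5/13-character or 10/26-hex-digit WEP key")
    return LEVELS[len(raw)], raw


def as_hex(raw):
    """Hexadecimal form, accepted by devices that only take hex keys."""
    return raw.hex().upper()


def as_ascii(raw):
    """ASCII form of the key, or None when some byte cannot be typed."""
    return raw.decode("ascii") if _printable(raw) else None


def same_key(entry_a, entry_b):
    """True if two devices' key entries describe the same key bytes."""
    return parse_wep_key(entry_a)[1] == parse_wep_key(entry_b)[1]


if __name__ == "__main__":
    level, raw = parse_wep_key("hello")            # constructed sample key
    print(level, as_hex(raw))                      # hex form for the other device
    print(same_key("hello", "68:65:6C:6C:6F"))     # same key, two notations
    print(as_ascii(bytes.fromhex("0A1B2C3D4E")))   # no typeable ASCII form
```

When `as_ascii` returns None, the key has no typed-character equivalent, so it has to be entered in hexadecimal on every device.
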

Disable DHCP dynamic IP assignment.

Most home wireless routers have a DHCP server that automatically assigns each computer a dynamic IP address.  This is very convenient for you but also very convenient for an uninvited guest to get an IP address if they manage to connect to your wireless network.  Assuming that somebody manages to connect to your wireless network, they still don't have full access to your network if they don't know the correct IP address and network information.  You can prevent them from getting this information by turning off the DHCP server on the wireless router.  With the DHCP server turned off, you will have to manually enter static IP numbers, subnet, gateway, and DNS information for each of your wireless clients.  If your home network doesn't change much, this isn't really that much of a hassle.

Minimize signal bleeding outside your facilities.

Try to place your wireless router or access point close to the center of your home or office.  This is a good practice for two reasons.  1. The signal will be strong throughout most of the desired area.  2. Less wireless signal will be outside your facility to attract attention.  If you put the wireless device close to the wall or window of your house/office, then the other side of the building won't get as strong signal strength and you'll waste a lot of the wireless signal outside your facilities.  The more wireless signal outside of your facilities, the more inviting it is for people to try to hack into your wireless network.

Isolate your wireless router or access point from the rest of your network.

If you use your wireless network to surf the Internet and really don't need it to connect to other computers on your home network, consider isolating the wireless access point by putting it on a different segment of the network which isn't able to connect to your main wired network.  You can do this by daisy chaining 2 routers together so that your home wired network is behind a firewall relative to the wireless access point or router.  The wired segment of your network would be safe from the wireless segment.  However, other wireless computers connected to the same wireless network would still be vulnerable so other security measures should still be implemented to lock down your wireless network.

Secure your home network.

Your home network should be secured whether or not you have a wireless network, but especially if you do have one.  This includes disabling all guest accounts on the network and using strong passwords to access shared network folders, printers, and drives.  By default, most home networks share data using the TCP/IP network protocol.  Hackers know this.  You can change this so that your network uses some other protocol such as NetBEUI or IPX for the local network and use TCP/IP for Internet only.

Each of these suggestions helps make a wireless network more secure. You will probably not use all of the items, but the more you use, the safer you and your data will be.