Top 10 Tips for Securing Your Wireless LAN

Updated: October 31, 2006

1. Turn on the security. Make sure your routers have their security, such as 802.11i, turned on. By default, routers, access points, and switches have security turned off, and many users never bother to change that setting.
2. Use 802.11i (WPA) security if available. The older WEP security is not very secure. If you must use WEP, use 128-bit encryption if available rather than 40-bit or 64-bit.
3. Use WPA-PSK if available, since it lets users type in English-like passwords they can remember, increasing the chance they won't leave their password taped to their laptop for a thief to notice.
4. All devices that connect to the network must support the security technology used by the network — you can't have some older systems connect with less security while keeping the rest at a higher level. So update older equipment rather than compromise overall security.
5. Change the Service Set Identifier (SSID), or network name, to something other than the default. Not only will let users know they are connected to your network and not the unsecured one down the street, it also helps prevent unauthorized users' systems from trying to log in when they see that familiar, default network name and think it's the one at home.
6. Change the login information for your routers and access points. Even if your wireless network is secure, someone might be able to access your routers over the wired network, such as by plugging their PC into a conference room jack, and change its security settings unbeknownst to you. If you use the default user name and password, you make it that much more easy for them.
7. Use long passwords, of at least eight characters, and be sure not to use obvious ones like "password," a family member's name, or your street's name. It's best to use both numerals and letters, and if the password is case-sensitive, to use mixed-case text as well. Passwords of this length are extremely hard to crack, requiring supercomputers to do the trick. If you let your laptop save your passwords for you, be sure to require a password to be able to use the laptop in the first place — otherwise, someone who steals your laptop has full access to the network while they're in range.
8. Keep your wireless routers and access points away from the edge of your building, to minimize the leakage of signal to outsiders. After all, if they can't get the signal, they can't break in. Wireless networks' range vary considerably based on the amount and types materials used in buildings, so your signal might ravel just 30 feet before being blocked, or it might travel 300 feet. Walk around your perimeter with a laptop to see where your signal is accessible on the outside.
9. Specify exactly who may connect. In a smaller office, you can add Media Access Control (MAC) addresses — the unique code that every wireless device has — to a list of approved devices. So an intruder must not only have the right login credentials, he must also have that specific device, a less likely scenario. In a larger office, use a network management or directory tool to manage these approved devices, since they can update all your network equipment rather than require you to manually update the MAC address list on each.
10. Turn the network off after hours. If there's no one in the office overnight, the wireless LAN shouldn't be on to tempt intruders who find that signal leak outside your building and have a few hours unseen in the dark to break in. Some network management tools will let you schedule when the routers are turned on and off, saving you the manual effort. In a small office, connect your computers, router, and so on to a power strip so you can turn everything off at once. You'll also reduce electricity costs and reduce the heat generated.