How To Secure A WLAN

Updated: February 15, 2007

Thankfully, securing your Wifi connection is extraordinarily simple to do. In this article we cover 10 simple steps that will take your wireless network from being a welcome beacon to hackers to the wi-fi equivalent of Fort Knox. So let's get started…

Changing Administrator Passwords and Usernames

After you've taken your wifi router out of the box and started the setup process, you will be asked to sign on to a specific Web page and are required to enter information such as your network address and account information. In theory, this Wifi setup page is protected with a login screen (username and password).

The Problem: Though the username and password are intended to allow only you to get access to your Wifi setup and the personal information you have entered, the fact remains that the logins provided are usually given to everyone with the same model router, and because most people never change them, they remain an easy target for hackers and identity thieves. In fact, there are sites that list the default usernames and passwords for wireless routers, making a hacker's job even easier.

The Solution: Change the username and password for your Wifi setup immediately after the first login. And if you are going to spend the time changing your password, make sure it is difficult to guess. Your name, birth date, anniversary date, child's name, spouse's name, or pet's name are going to be among the hacker's first guesses. And because many hackers use a technique called 'dictionary hacking' (running a program that tries common English words as passwords), you should make sure that your password isn't just a common English word, but rather is a combination of letters and numbers.

Upgrading your Wifi Encryption

If the information sent back and forth over your Wifi network isn't adequately encrypted, a hacker can easily tap into the network and monitor your activity. When you type personal or financial information into a Web site, that hacker can then steal that information and use it to steal your identity.

The old encryption standard Wired Equivalent Privacy (WEP) can be hacked within 30 seconds, no matter the complexity of the passphrase you use to protect it. Unfortunately, millions of Wifi users are still using WEP encryption technology to encrypt their information, despite the availability of the vastly superior WPA2 encryption standard.

The Problem: Despite the superior encryption protection that WPA2 provides, most Wifi home users have failed to upgrade their protection because they were unaware of the problem, or simply felt overwhelmed by the technical prospects of upgrading. As a result, many continue to use WEP encryption, which is now so simple to hack that it is widely regarded as little better than no encryption at all.

The Solution: The solution, of course, is to upgrade your Wifi encryption to WPA2. But before you can add WPA2 protection, you will have to complete a few steps in order to update your computer. The first step is to download and install Microsoft's WPA2 hotfix for Windows XP. You will also likely need to update your wireless card driver. These updates, if needed, will be listed in Microsoft's Windows Update page under the subheading "Hardware Optional".

Now that your computer and wireless card are up to date, you will need to log into your router's administration page through your web browser. (This is the page you signed into in order to set up the Wifi router the first time you opened it up; the specific URL can be found in your router's instruction manual.) Once signed in, change the security settings to "WPA2 Personal" and select the algorithm "TKIP+AES". Finally, enter your password into the "Shared Key" field and save your changes.

Changing the Default System ID

When you got your Linksys or D-Link router home from the store and set it up, it came with a default system ID called the SSID (Service Set Identifier) or ESSID (Extended Service Set Identifier). This ID is also commonly referred to as the name of your Wifi setup.

The Problem: Usually, manufacturers assign identical SSID sets to their devices, and 80 percent of Wifi home users leave their system on the default setting. So that means that 80 percent of homes have Wifi systems titled, "Default" or "LinkSys" or whatever your provider sets as the default name.

The problem with these default settings is that they serve as strong signals to hackers who have been known to just cruise neighborhoods looking for Wifi networks with default names to hack into. Though knowing the SSID does not allow anyone to break into your network, it usually indicates that the person hasn't taken any steps to protect their network, thus these networks are the most common targets.

The Solution: Change the default SSID immediately when you configure your LAN. This does not by itself control who gains access to your network, but changing your SSID to something personal, e.g. "The Smith House Wifi Network", will differentiate you from other unprotected networks, and discourage hackers from targeting you. As an added bonus, having a Wifi network with a unique name also means that neither you nor your family will make the mistake of connecting through a neighbor's Wifi network, and thus exposing your computers through their unprotected setup.

MAC Address Filtering

If you've had an unsecured Wifi setup in your home in the past, you can be fairly certain that at least one of your neighbors is mooching off your Wifi to connect to the Internet. While everyone loves a friendly neighbor, providing an easy resource for others to steal Internet access is morally and legally questionable, but even scarier is the harm those moochers can do to your computer.

In order to check who has been using your network, you'll need to check MAC addresses. Every wifi gadget is assigned a unique identifying code called the "physical address" or "MAC address." Your wifi system automatically records the MAC addresses of all devices that connect to it. But busting your Internet-stealing neighbors isn't all that MAC addresses are good for; they can actually be a great help in securing your WLAN.

The Problem: You are not sure who or what is accessing and endangering your wifi network, and once you find out that someone or something is mooching off your network, you want to stop them. But how?

The Solution: Checking the MAC address log for your wifi network will give you a quick view of all the devices accessing your network. Anything that isn't yours, you will want to keep out. To do this, you will need to manually key in the MAC addresses of your home equipment. This way, the network will allow connections only from these devices, so your mooching neighbors will be out of luck. Caution: This feature is not as powerful as it may seem. While it will stop your average neighborhood moocher or amateur hacker, professional hackers use advanced software programs to fake MAC addresses.
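The log check described above can be scripted. The following is an added example, not part of the original article: it pulls MAC addresses out of a router client log in any of the common notations, compares them with a list of your own devices, and reports the strangers. The log layout, the device list and all addresses are constructed for illustration; real routers use vendor-specific log formats.

```python
import re

# Constructed allowlist of the household's own devices (hypothetical addresses).
KNOWN_DEVICES = {
    "00:1A:2B:3C:4D:5E": "family laptop",
    "00:1A:2B:3C:4D:5F": "desktop wireless card",
}

# Constructed sample log; real routers use vendor-specific layouts.
SAMPLE_LOG = """\
2007-02-10 19:02:11 associated 00-1A-2B-3C-4D-5E
2007-02-10 19:05:40 associated 001a.2b3c.4d5f
2007-02-11 02:13:07 associated 00:0F:66:AA:BB:CC
2007-02-11 02:40:55 associated 02:11:22:33:44:55
2007-02-11 02:41:09 associated 00:0f:66:aa:bb:cc
"""

# Colon- or hyphen-separated octets, or three dot-separated groups of four hex digits.
MAC_RE = re.compile(
    r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b"
    r"|\b(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}\b"
)

def normalize_mac(raw):
    """Reduce any common MAC notation to lowercase aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    # Bit 0x02 of the first octet marks an address that is not manufacturer-assigned.
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)

def audit_log(log_text, known):
    """Return {mac: {"count", "locally_administered"}} for devices not on the allowlist."""
    allowed = {normalize_mac(m) for m in known}
    unknown = {}
    for line in log_text.splitlines():
        for raw in MAC_RE.findall(line):
            mac = normalize_mac(raw)
            if mac in allowed:
                continue  # a match is not proof of identity: MAC addresses can be faked
            info = unknown.setdefault(mac, {"count": 0})
            info["count"] += 1
            info["locally_administered"] = is_locally_administered(mac)
    return unknown

if __name__ == "__main__":
    print(audit_log(SAMPLE_LOG, KNOWN_DEVICES))
```

An address with the locally administered bit set was chosen in software rather than assigned at the factory, so an unknown device that shows one deserves a closer look.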

Stop Publicly Broadcasting your Network

By now you've renamed your wifi so that hackers won't see the default name as they sweep for unprotected wifi setups. But wouldn't it be even better if hackers and curious neighbors didn't know you had a wifi setup at all? Usually, your access point or router is programmed to broadcast the network name (SSID) over the air at regular intervals. While broadcasting is essential for businesses and mobile hotspots to let people find the network, it isn't needed at home, so eliminate it.

The Problem: Why broadcast to the world that you have a wireless connection? You already know it; why do strangers need to know? For most personal uses, you are better off without this feature, because it increases the likelihood of an unwelcome neighbor or hacker trying to log in to your home network. The broadcast works like an invitation to the hackers who're searching for just that opportunity.

The Solution: Most wifi access points allow the SSID broadcast feature to be disabled by the network administrator. If you are using a Linksys router, instructions to disable your SSID broadcast are here, and for those of you using D-Link, your instructions are here (See Figure 1.6 on page 4). Otherwise, you will need to check the manual for your hardware for specific instructions on how to disable broadcasting for your router.

Auto-Connect to Open Wifi Networks?

Most computers provide a wifi setting that will configure your computer to automatically connect to any open wifi network without notifying you. While this setting isn't the default, many individuals select the setting because it makes connecting faster when you are traveling, or connecting at a friend's house. Even more common is selecting 'connect automatically' for networks that you regularly connect to. Again, this makes sense, as most people do not want to have to manually type in the name of their wireless network and the password each time they want to sign in at home. Unfortunately, both wifi setups can cause major security problems.

The Problem: If you connect to every available wifi network automatically, you will inevitably end up connecting to dummy wifi networks designed specifically to catch unsuspecting users and hack their computers.

Similarly, if you automatically connect to your regular wifi networks (meaning you don't manually type in your network name and password every time) then you may be setting yourself up for a security breach. That is because 80 percent of wifi users have not changed the name of their wireless connection. Therefore, it is very easy for a hacker to create a dummy network entitled "Linksys" or "Default", then sit back and watch 80 percent of computers automatically connect to the network since it has a 'trusted' name.

The Solution: Never select the 'connect to available wifi networks automatically' setup option under your Network Connections window. If you don't want to have to manually type in the name and password to your wifi connection each time you sign in (the safest option), at least make sure that you have named your wifi connection something unique, and that you eliminate all generically titled networks from your 'preferred networks' list. That way, you won't get automatically connected to dummy wifi networks set up by hackers and given the names "Default" or "Linksys".
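The preferred-networks cleanup described above, written out as a small audit. This is an added example, not part of the original article: it flags saved networks that a dummy access point could impersonate or that are joined without asking. The profile layout and sample entries are constructed, and the generic-name list beyond "Default" and "Linksys" is an assumption you should extend for your own hardware.

```python
# "default" and "linksys" are the names the article cites; the others are added assumptions.
GENERIC_SSIDS = {"default", "linksys", "dlink", "netgear"}

# Constructed preferred-network list; the dictionary layout is hypothetical.
PREFERRED = [
    {"ssid": "The Smith House Wifi Network", "security": "wpa2", "auto_connect": True},
    {"ssid": "Linksys", "security": "open", "auto_connect": True},
    {"ssid": "default", "security": "wep", "auto_connect": False},
    {"ssid": "CoffeeShop", "security": "open", "auto_connect": True},
]

def audit_preferred(profiles, connect_to_any_available=False):
    """Return (ssid, code, advice) findings for risky saved networks."""
    findings = []
    if connect_to_any_available:
        findings.append(("*", "AUTO_ANY",
                         "turn off automatic connection to available networks"))
    for profile in profiles:
        ssid = profile["ssid"].strip()
        generic = ssid.lower() in GENERIC_SSIDS
        auto = profile["auto_connect"]
        if generic and auto:
            # Any access point using this common name would be joined silently.
            findings.append((ssid, "GENERIC_AUTO",
                             "remove this entry from the preferred list"))
        elif generic:
            findings.append((ssid, "GENERIC",
                             "remove this generically named entry"))
        if profile["security"] == "open" and auto:
            findings.append((ssid, "OPEN_AUTO",
                             "connect to this open network manually instead"))
        if profile["security"] == "wep":
            findings.append((ssid, "WEP",
                             "WEP offers little protection; use WPA2"))
    return findings

if __name__ == "__main__":
    for finding in audit_preferred(PREFERRED):
        print(finding)
```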

You've got a built-in firewall, so use it

Your IT security needs to use a layered approach. While no single layer of your security is enough to withstand every attack, adding layers to your security will help ensure that spyware and malware are kept out. Two important security layers are the router firewall and your individual PC's firewall.

The Problem: Routers come with built-in firewall capability. However, since there is an option to disable them, they can often be accidentally turned off by someone toggling options.

The Solution: Ensure that your router's firewall is enabled, along with related built-in security features which block anonymous internet requests or pings. This extra step will help hide your network's presence from the internet, and thus help protect your network. After all, it's harder for hackers to infiltrate what they can't find.

Positioning of the Router or Access Point

Wifi signals don't know where your house ends and where your neighbor's begins. This wifi signal leakage gives hackers and neighbors the opportunity to find your wireless network and attempt to access it.

The Problem: While a small amount of overflow outdoors is not a problem, it is important to keep this leakage to a minimum. This is important because the further your signal reaches into the neighborhood, the easier it is for others to detect and exploit.

The Solution: If you haven't yet installed your wireless home network, make sure to position the router or access point in the center of the home rather than near windows or doors. If you live in an apartment, consider that a wifi signal is restricted in part by the materials that it must pass through: the more walls, doors, and metal the signal passes through, the weaker it is. So if your goal is to reduce leakage, you might consider mounting your wifi in a closet in order to reduce signal strength.

When to Turn Off the Network

Most of us know that it is impractical to constantly turn devices on and off. A wifi connection is in large part a convenience, and having to turn it off every time you aren't using it eliminates much of that convenience. Unfortunately, a wifi connection is vulnerable when it is on; therefore shutting off your wireless signal when not in use would be a huge boon to its security.

The Problem: There is an inherent tension between convenience and security in deciding whether to turn off a wireless access point between connections.

The Solution: Just as you take extra home security measures when taking a vacation, like asking your neighbors to pick up the mail and leaving a light on, so also should you take extra wifi security measures when your network will not be in use for extended periods of time. Shutting down the network is a basic but effective security measure that can protect your network when you are not around to protect it and hackers may take the opportunity to mount their attack.

Putting your Improvements to the Test

Now that you've made all these changes to your wifi setup, it would be nice to know that you are secure. Unfortunately, the only surefire test for how secure you are is to wait to see if you get hacked. Trial by fire is no way to test your security, however, so thankfully there is a program to help audit your wifi security.

The Problem: There is no way for the average home wifi user to know if the changes they made to upgrade their wireless security will really prove successful in keeping them safe.

The Solution: The Netstumbler utility, by Marius Milner, will identify both your network's vulnerabilities and unauthorized access points. In addition to these security concerns, the downloadable program will also reveal the sources of network interference and weak signal strength, so that you can improve the strength of your wifi signal. Netstumbler is free for download, although the author asks that those who find the tool helpful make a donation to support the creation of future utilities.
