This article was very helpful. It addresses a strongly felt need. Thank you.
Brad Bergh -January 25, 2006
What about WPA2? Is it a better choice for those that have it available?
Lance Overk -January 25, 2006
To really know how to secure your wireless network go to http://www.grc.com/SecurityNow.htm and review episodes 10,11,13.
Alex -January 25, 2006
I want to allow anyone to access the Internet via my router, but want to keep my home network and PCs as secure as possible. How would you alter the five-step process to accomplish this objective?
John Davis -January 25, 2006
Thanks so much for this article; it helped me solve some little problems with my connections. It's fantastic and I would like to receive more about troubleshooting in the future.
lateef a. ola -January 25, 2006
Good article, easy to understand, well structured and effective. The comments on changing the base IP address are useful, as is the tip to reduce the number of IPs the DHCP server allocates!
Richard Hayes -January 25, 2006
TO JOHN DAVIS - You can make sure that your networked computers are all firewalled, which they should be anyway. Preferably, you'd add another router to your network and place your private LAN behind that. That's a bit of money just to be a nice guy doing something illegal. The other problem with allowing other "unknowns" access to your ISP through your WiFi is that if they start downloading tons of kiddie **** or trading it or doing other kinds of nefarious activity through your IP, guess who's going to be answering questions from the FBI? Yes, John Davis. Then try proving that it wasn't you. Good luck.
Alex -January 25, 2006
It helps me to be aware of wireless home networks.
malai -January 25, 2006
There are a couple of minor errors:
1) MAC Address Filtering, WEP, disabling SSID broadcast and changing your IP are all useless to prevent access. A hacker will use Airsnort and Kismet to determine legitimate MAC addresses, your WEP key and any valid IP Addresses by grabbing frames directly. WPA is all you need to spend the time on enabling - the others are a waste and just interfere with your legitimate use. If WPA is a deadbolt, the other changes are pretty much that little lock on the handle - useless. Also "security through obscurity" is no security at all and just provides a false sense of safety. Better to focus on the really important thing here.
2) WPA is 99.9% secure currently against a hacker with realistic computing resources (e.g. less than a supercomputing cluster) provided you use a hard to guess key (long, not just words, not your bday, kids' names, etc.). WPA2 uses a better encryption algorithm but isn't as widely supported on the client side. Currently there is no advantage to WPA2 unless you are concerned about organizations like the NSA who have the resources available to crack the RC4 algorithm with TKIP in WPA - WPA2 uses AES instead.
3) The other bigger hole in your security is your laptop. Realize that connecting to foreign networks at Hotspots and hotels opens you up to worms and hackers that can easily lead to malicious software being installed on your system. Where your wireless network might reach people in your neighborhood, once you have malicious software on your system you are open to everyone in the world. Microsoft has left huge vulnerabilities within Windows Zero Config. You are actually broadcasting the name of your home network and every network you attach to every time you fire up. Learn the advanced settings and disable the automatic connection and enable Windows Firewall. Do the same for your home systems - it is safer to assume a hacker already has access to your network or that every computer on your network is already publicly viewable. Check out D-Link's new Securespot to further secure your Internet connection. http://www.dlink.com/products/securespot/
4) And for those looking to host public access - you are taking a large risk. Spammers have already been convicted for relaying through insecure WLANs. Hackers are already using them for high speed, anonymous, launching points for attacks on target systems. The FBI will call and I am sure that Homeland Security is eventually going to lobby for legislation to fix this risk.
Brad -January 26, 2006
Disabling SSID broadcast can prevent your neighbors from connecting to your wireless network by accident/chance, so it's not completely useless. Likewise, using MAC Address Filtering can prevent others from stumbling onto your network. Not everyone is a hacker, some are just temporarily confused users.
Ola -January 26, 2006
Hey Brad, you make some interesting points. Let me know if you'd like to write a follow-up article. We want as much community involvement as possible here. Email me at jbovberg@connectedhomemag.com if you're interested.
Jason Bovberg -January 26, 2006
This article was very helpful. It allowed me to better understand wireless security. After reading this article I proceeded to apply some of the learning points to my wireless network.
Manuel -January 27, 2006
WEP can be cracked in less than 1 hour. USE WAP!
James -January 28, 2006
One more thing, MAC address filtering is useless because once a perp intercepts a single packet, he has the MAC.
James -January 28, 2006
James you said: One more thing, MAC address filtering is useless because once a perp intercepts a single packet, he has the MAC. --And if he captures the MAC what is the next thing that can be done to recover from this attack?
Jim -January 28, 2006
Very interesting. I remember working on a friend's wireless-enabled laptop and there was a wireless network available although there was not one at that address. Obviously it was a neighbour's. This article opened my eyes as to how dangerous it is to leave your wireless network unprotected.
Lawrence -January 28, 2006
Hahaha, everyone is screaming about WPA, but it is just as insecure as WEP. All you need is two wireless cards, and a little knowledge and you can crack WPA in 5-10 minutes. And for all the crazies who think this isn't true, here is a tip, you send disassociate packets to a host and it will keep transmitting packets to reconnect which you can grab parts of the WPA key from. Game over, you lose.
security -January 31, 2006
Thanks for the info provided above. As for WPA not being secure, it is the closest thing to being secure on a wireless network at this point in time. Your information is of value to everyone on the forum, keep up the good work.
Ed -February 2, 2006
Only "real" security on a wireless network is to connect the AP directly to a VPN solution, and use a VPN client for connecting from the wireless zone. A wireless network is about as secure as a direct internet connection, and should be treated as such. Crypto basically only gives you LEGAL protection against potential abusers connecting from your network, since you can prove that you actually TRIED to prevent them from abusing your internet connection. It does not by ANY means give you anywhere NEAR the security of a shielded ethernet cable. Let's face it: Any radio signal can be intercepted. The only thing you obtain by adding layers of obscurity is a slight delay to the hacker getting in, and a slightly added latency to your own legal connection. Using a VPN setup adds about the same latency overhead, and is a LOT more secure. //Svein
Svein -March 10, 2006
Going with the KISS (Keep It Simple Seriously) premise, I would simply (admin) passwd protect the wireless router, chg the router default IP, limit the DHCP to EXACTLY the number of local systems. Or alternately assign the local systems a static IP. If you are concerned about hackers using your system - lock up all unused PORTs on your hardware firewall. P2E
Press2Esc -April 16, 2006
How does one go about monitoring who may be accessing one's home wireless network? What tools can be used to see those connections (or those attempting to connect)? Is there anything which could pop up a warning on the host system to let you know someone is accessing your network? Thanks!
Captain Nemo -May 7, 2006
Very good article, now the issue is how to control usage. Example: 4 PCs on the router and I want to be able to control the time usage on 2 of the PCs (children).
Roger Currie -May 10, 2006
What do you put at the 2 spots for the DNS?
thomas -July 18, 2006
How do you put TKIP on a wireless router?
william -September 8, 2006
Check wireless resources at www.wavetraffic.com
hyperwebby -October 11, 2006
I am printing off this whole thing. Can't wait to read it. I hope it's just what I'm looking for! Thank you! I will come back and let you know how I did with it!!! I'm SO happy to have found this information!!!
Rose -December 14, 2006
Great article with a cherry on top (comments from others). Those five steps omitting the DHCP stuff is just what I already do. Looks like I have a little more playing to do, however; the comments on cracking TKIP using two wireless cards are very interesting and make perfect sense because only the data in a packet is encrypted, the rest is out there. I've always agreed with MAC filtering, but thinking of it in terms of the structure of the packet and what part is encrypted now leads me to keeping this as a corporate policy for people who have been terminated to keep their personal wireless devices from connecting back to the network. If it's an admin, however, you would want to make sure you change everything about your access points. My next step personally is to get a PKI built with some VeriSign Keys and then the Radius server. Home users: the statements that included FBI calling you are actually reverse of what was said. Having an encrypted and harder to breach security scheme is less deniability for you when someone does break it and looks up child *********** or does something else illegal. So far in U.S. Court cases people accused of downloading music illegally have been acquitted so long as they had wireless and no security. Could have been anyone at all, a neighbor or a hacker downloading music; is it their fault they don't know how to secure their wireless AP? Not in the eyes of the justice system it is not. Deniability even though it probably was them. Thanks for all the comments and the great kick off article.
Dru Oswald -January 27, 2007
John Davis - I agree with you. Typical scare tactics to keep people from sharing broadband width and keeping the cable and phone companies' pockets loaded while decreasing the productivity and portability of wireless internet. If the FBI was investigating kiddie **** - it would take a half second to exonerate you.
Craig -February 17, 2007
I want my wireless security so please help me, thank you
shahzad -March 26, 2007
don't forget about AP spoofing...the "man in the middle" attack.
Tyler L. G. -April 24, 2007
I've installed a Trendset TEW-432brp. I type 192.168.1.1 on my web page. I expected to get "wireless security" page so I can change password. But I get a lot of articles etc. What am I doing wrong? thanks
Mike -December 7, 2007
nice article.. ThanQ www.e-jamal.tk
Jamal -December 26, 2007
Well written and USEFUL Article - Thanks.
Lou -December 26, 2007
Good and useful article given so many people have unsecured wireless networks in both home and office settings. But disabling SSID is counter-productive and increases the security risk. Microsoft strongly disagrees with hiding SSID broadcast.
deeb -January 13, 2008
USER
ALI -April 22, 2008
this is a useful site
-May 5, 2008
Very nice article, really gave a lot of insight into my wireless network architecture and how to secure it ... Thanks a lot !!! Keep up the good job !!!
AD -July 27, 2008
[quote]Hahaha, everyone is screaming about WPA, but it is just as insecure as WEP. All you need is two wireless cards, and a little knowledge and you can crack WPA in 5-10 minutes. And for all the crazies who think this isn't true, here is a tip, you send disassociate packets to a host and it will keep transmitting packets to reconnect which you can grab parts of the WPA key from. Game over, you lose. [/quote] You are obviously a script kiddie. If you weren't, you wouldn't be reading this nor bragging like an idiot. While that's true, someone would have to be actively connected and you'd still have to attempt to crack the key. Even if you have a large Rainbow tables database, it can take quite an extensive amount of time on any decent passphrase, not to mention you then have to worry about security inside once you connect; considering it's their connection you're free reign to be hacked into without any consequences, reported, and/or I'll be outside waiting for you with friends trying to see who can pop your tires with a rifle first.
Dorky -October 1, 2008
In the amount of time it took me to read this you could have come to my house and fixed my computer for me! But hey, thanks
darren -November 3, 2008
I want to have open access to the internet (for friends and guests) and also have a secure network that they cannot get to. The only access they have will be wireless. Using a second router, how can I do this? Note: I do not want lectures about crime and kiddie ****. I am 100% sure that I do want to provide open access to the web while having a protected part as well. I am quite content to live with the limits of typical home security, I am not worried about hackers. Please don't lecture me, instead please help me. Thanks!
-December 28, 2008
Well, I'm in a mess here about my wireless. I went to change my password and it unsecured my network and now I don't know how to put it back as me, so if you could help me that would be great. If not, I'm going to have to buy a new wireless network, so please help me. Anyone in my state or town who could help me, that would be great. I'm in Michigan.
michelle -August 29, 2009
I am interested to set up a password for my Linksys router before accessing the Internet to show the outsider that the Internet access is secure but I don't know how. Can anyone assist me on this? At present I am trying to use the MAC addresses of my PCs that can access my wireless router, to protect my router from being hacked by an outsider. Many thanks
KK -September 7, 2009
I am no expert, script kiddie, or dummy; there is the question of “security vs. performance?” Many routers and adapters, especially relevant when crossing OEMs, create performance problems when adding minor "security through illusion" configurations. For example new technology “rough draft N” and others have compatibility problems, i.e. when Linksys and Belkin can’t communicate on certain firmware in N only broadcast or in WEP 128 bit etc. So is it worth the WPA2 when you get a connection of 54 Mbps when you could disable security and pull 300 Mbps? Again this is more of an issue with new technologies and crossing vendors. But at the same time we all know those configs slightly hinder performance in all situations. I do agree with minor changes to keep your neighbor from being curious. But I feel people would rather stream video faster than worry about Joe Blow pulling a “driveby” on their wireless network unless they have amazing things on their PC to attract that type of attention. Some things that were indirectly mentioned but need more detail are: * limiting the number of connections on your router to only the computers needing access at that time (not what could be needed), obviously encompassed with the MAC filter, * disabling router management via wireless or remote, and requiring a wired HTTPS connection to manage the non-1.1 addressed routers. You cannot prevent intrusion, but limit to those very few (if you live in a smaller town they probably aren’t your neighbor) and make sure you monitor your logs, export them somewhere so they don’t get tampered with, and see what is going on reactively as well.
2cent -December 31, 2009
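The log monitoring suggested in the comment above, which also bears on the earlier question in this thread about seeing who is accessing a home wireless network, sketched as an added example that is not from the article or from any commenter. It assumes the router's DHCP log has been exported as text in dnsmasq's DHCPACK style; the log lines and the `KNOWN_DEVICES` inventory are constructed for illustration.

```python
import re

# Constructed sample in dnsmasq's DHCPACK log style; not taken from the page.
SAMPLE_LOG = """\
Jan 28 09:14:02 router dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.7.10 00:11:22:33:44:55 den-pc
Jan 28 09:20:41 router dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.7.11 66:77:88:99:aa:bb kids-laptop
Jan 28 22:03:17 router dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.7.12 de:ad:be:ef:00:01 unknown-host
Jan 29 01:47:55 router dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.7.10 00:11:22:33:44:55 WIN-GUEST
"""

# Hypothetical inventory of the household's devices: MAC -> expected hostname.
KNOWN_DEVICES = {
    "00:11:22:33:44:55": "den-pc",
    "66:77:88:99:aa:bb": "kids-laptop",
}

ACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*DHCPACK\(\S+\)\s"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?:\s(?P<host>\S+))?\s*$",
    re.IGNORECASE,
)

def review_leases(log_text, known):
    """Return (unknown, mismatched) findings from DHCPACK lines."""
    unknown, mismatched = [], []
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if not m:
            continue  # not a lease grant; ignore
        mac = m["mac"].lower()
        host = m["host"] or ""
        if mac not in known:
            unknown.append((m["ts"], mac, m["ip"], host))
        elif host.lower() != known[mac].lower():
            # A listed MAC under a new hostname can mean a renamed PC or a
            # copied MAC address, so it needs a manual look.
            mismatched.append((m["ts"], mac, known[mac], host))
    return unknown, mismatched

if __name__ == "__main__":
    unknown, mismatched = review_leases(SAMPLE_LOG, KNOWN_DEVICES)
    for finding in unknown:
        print("unknown device:", *finding)
    for finding in mismatched:
        print("hostname changed:", *finding)
```

A lease that passes both checks only shows that the MAC and hostname match the inventory, so this is a review aid for exported logs and not an access control.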
Well this is nice tips, visit my blog about wireless too in Wireless Home Security (http://theautogadgets.com/)
Wireless home Security -January 23, 2010
This article is smokin helpful. Thanks!
Charles -February 11, 2010