Pain in the Tech

5-Minute Wireless Network Security for your Home

Posted by Andy Atkinson on October 26, 2005 | Post type: Gain

Everyone agrees that security is important, no one agrees on how much effort should go into securing your home wireless LAN. The good news is that there are some basic steps you can take that require just 5 minutes of your time. In this article I will show you how to add various layers of security to your home wireless LAN. The specific wireless router I will be using is a Linksys WRT54G, a popular 802.11g (54 Mbps) device. Most wireless routers use similar terminology so you will likely be able to find some useful information in this article even if you don't have this specific Linksys router.

UPDATE July 13, 2006: Linksys has revised the WRT54G to include a new OS and reduced the onboard hardware. I am no longer recommending this router. Read this WRT54G article for details. HOWEVER, the security steps here still apply for all brands of routers. Linksys may have changed menu options, but the methods listed here will still secure your wireless network.

If you have not yet purchased a wireless router and plan to, I recommend this router over all other current "B" and "G" devices. "G" networks have a theoretical maximum transmission rate between devices or between a device and the router of 54 megabits per second (Mbps), while "B" routers are slower at 11Mbps. I've had direct experience with the Belkin 54g, D-Link DI-514, and Netgear MR814, and this router is by the most reliable, easiest to set-up, and most feature-rich (albeit the most expensive). However either a B or a G router, although they operate at half-duplex (half their claimed throughput), will provide more than enough bandwidth for the typical consumer residential broadband connection (Comcast Cable, SBC DSL, etc.).

There is a trade off between security and convenience. Most wireless routers are setup by default to "broadcast" their settings to any devices within range. This configuration is convenient but unfortunately very insecure. By changing certain settings to values other than their default, you will spend more time setting up your wireless network initially, but it will be more secure. Despite knowing that a neighbor might steal my WiFi or that a teenager might be watching my packet flow outside my house, I did not get around to adding any security to our wireless router and instead had left it "open" because that was just easier. Unfortunately wireless routers arrive from the manufacturer as very insecure devices and don't require a lot of effort to "hack" or otherwise use maliciously. Even more alarming is that if you don't encrypt (scramble) the data that you send back and forth, a person within range could use a packet sniffer to watch all the websites you go to, the email you send and receive, or passwords that you send (in clear text) when you log-in to various websites.

I wanted to write this article to show you how to setup your home network and implement some basic security layers that will get you up and running. In an office environment however, or if you live in a densely-populated area where there is a lot of wireless traffic (like a townhouse, apartment, university dorm), you should be encrypting your traffic with WEP, or much better WPA. WPA is available on most recent wireless routers and is a much better protocol than WEP encryption. For more on encryption, please read the last section of this article.

How quickly can I make my router secure?

I have broken down the article into three sections. The sections are based on how much time they will require. The first section is just a few tips, but in the next two sections you will modify settings on the wireless router itself.

1. Less than 5 minutes, no settings to modify on your router
2. Security in 5 minutes, settings to modify on your router
3. More than 5 minutes, advanced settings and Encryption!

Less than 5 minutes, no settings to modify on your router

Position your router in your home so that it is only strong enough to reach the wireless devices you want to connect. If you put your wireless router in your basement, it is unlikely that your neighbor or someone trying to connect outside your home will be within range unless they have some fancy signal-boosting antenna. Do some testing of distances and plan for future usage, like adding a deck to your home and connecting outside.

Note: You could also disable wireless administration, meaning you will have to physically connect to the router to make changes with an Ethernet cable. However, in many home wireless networks there are only wirelessly-connected devices. If that is the case you will want to keep wireless administration turned on so that you can make changes, but keep in mind that if you can connect to your router to make changes physically, wireless administration is not necessary and should be disabled if possible.

For those that are really paranoid, there is also some "WiFi-reducing wallpaper" available that supposedly blocks WiFi signals but not other wireless transmissions like cellular. Try some searching online if you are interested in this. Perhaps this could be useful and cost-effective in an enterprise installation if it was installed when the building was constructed.

5 minutes, settings to modify on the router only

The sections below are ranked in order from easiest to most difficult. The steps below will not encrypt your wireless activity, but will make it far less likely, or impossible, that someone will "see" your network and be able to connect to it.

1. Change the default password
2. Disable unnecessary remote administration options
3. Change the default SSID
4. Disable SSID broadcast. The SSID is the name of your wireless network.
5. Disable unnecessary remote administration options

Log-in to your wireless router
The default IP address is shown below. Simply open any web browser and enter the default IP address or whatever you change the address to be.

Change default password and disable unnecessary remote administration options (see screenshot below)

Remote management (making changes over the Internet) is disabled by default. Secure access (within your home network) via HTTPS is not enabled, Wireless Web Access is enabled, and UPnP (Universal Plug and Play) are all enabled out of the box. At a minimum you should keep remote management disabled and disable UPnP. Checking HTTPS access only would be a good idea to take advantage of the security it offers over the HTTP protocol, but make sure that you remember that you will need to type https:// to access your router in the future. If you think you might not remember this, then keep HTTP checked, but be aware that your password will be transmitted as plain text when signing-on to the router.

If you choose to disable "Wireless Access Web," you will not be able to administer the router wirelessly. As mentioned above, if you do not have a wired connection to your router, like if it is in a room with a cable jack where there is no computer, you will either have to leave Wireless Web Access enabled, or you will have to access the router with a wired connection from your laptop. If you don't have a laptop, you could run a very long Ethernet cable from your desktop to the router.

From the basic setup screen, you can change the local IP address of the router and define a starting range for your devices that connect via DHCP. DHCP is a protocol that automatically assigns an IP address to devices connecting to the router. These settings are mainly for your own personal inventory, although changing the default IP address of the wireless router is not a bad idea, you just have to remember what you change it to.

Write this information down (your settings from above) and store it somewhere safe. Probably the biggest drawback of changing your default information is that now you actually have to remember what you changed it to! The easiest way is to write down your settings and store them somewhere near your router or in a safe location.

Change the default SSID, wireless channel, and disable SSID broadcast
These settings will take just a few seconds to complete, but are very valuable from a security point of view. If you are connecting only 802.11g devices, select "G-Only" from the "Wireless Network Mode" menu. Likewise, choose "B-Only" for 802.11b devices.

Choose a new default SSID name, a new wireless channel, and disable "Wireless SSID Broadcast." This article shows default passwords for thousands of wireless devices which means that someone passing by your home with a laptop could receive your SSID broadcast and connect to your network, then log-in to your router and begin changing settings (if you leave the username and password as the default). When you disable the SSID broadcast, you have to manually type in the SSID on each machine that wishes to connect to the network. Disabling the default channel is another way to make your device more difficult to find for someone attempting to use it maliciously. These are very easy settings to modify and should be done at a minimum to secure your wireless network.

More than 5 minutes, settings to modify on the router and on your connecting devices

Although MAC address filtering will take more than a few minutes (since you need to manually collect all the MAC addresses for the devices you wish to connect), this is a very common and easy way to implement a layer of security that makes it "very difficult" for someone to connect to your network. By creating a "whitelist" of MAC addresses that are approved to connect, any MAC addresses that attempt to connect that do not fall within this whitelist will not be given an IP address by DHCP. Although the possibility of "spoofing" a MAC address exists, this requires a fair amount of time and energy from a would-be hacker trying to connect to your wireless network, so I leave it up to you to determine how likely this would be in your wireless network's location.

First you will need to discover your MAC address. If you are on Windows, the easiest way to do this is to click Start then Run and type cmd and then press ENTER. By typing ipconfig /all you will see a number of settings for any networking devices you have in your computer. Make sure you browse to a device that says something like "wireless adapter" so that you don't accidently get the MAC address of your wired network interface card (NIC). Click here to find out how to discover your MAC address on other operating systems. Write down the MAC Address of your wireless adapter so that you can put it into your router whitelist later.

The screenshot below shows the output of ipconfig /all which is one way of finding your MAC address on Windows XP. The "Physical Address" is the same as the MAC address. In this example it is 00-0F-EA-F6-A5-7E.

Now that you have your MAC address(es), you will need to open up the "Wireless MAC Filter" section under "Wireless" on your Linksys router. Here you will want to enable Wireless MAC filter and choose "Permit only PCs listed to access the wireless network." Now you will create your whitelist by entering in the MAC address(es) you've collected.

A pop-up window will let you put up to 40 MAC addresses in. Make sure to enter the MAC addresses without hyphens, and save your settings when you are finished. You will probably need to restart your wireless router and your computers that you trying to connect so that they can receive an IP from DHCP at boot time.

More than 5 minutes, advanced settings and Encryption!

Some additional settings that you might find useful are to change the default radio channel that the router operates on. If you do this, wireless devices like notebooks will not be able to connect to the router in their default configuration. The drawback to changing this or any of the "broadcast settings" from default is that it will take more work to manage your connecting devices. In this case you will have to manually change the channel on your wireless device you wish to connect.

Disable Wireless Zero Configuration on Windows XP
If you are on Windows XP, I highly recommend that you disable the "Wireless Zero Configuration" service as well. By disabling this service, I noticed a huge improvement in the short "drops" of wireless connectivity I was getting with the service enabled. With this service disabled, I can have an active FTP session (or any other connection-oriented session running) overnight where previously the connection would drop periodically. For complete documentation on how to disable this service, visit this Pain in the Tech article.

Encrypt your wireless transmissions
WEP encryption is an old standard and should not be used unless it is the only encryption option your wireless router offers. If your router offers WPA encryption, this is a newer standard that is much improved over WEP. You will have two options for WPA on this Linksys router: "WPA Pre-Shared Key" or "WPA Radius." My understanding of the "RADIUS" version is that you need a "Radius server" to hand out keys per user session, so you will want to stick with the "Pre-Shared Key" option at home. Refer to the user's manual for complete documentation.

You will also be presented with two WPA modes: TKIP and AES. These are both different security algorithms, but it appears that AES has lower overhead and is thus preferred. Refer to technical documentation on Tom's Networking or elsewhere if you would like to read more about these WPA implementations.

Once you choose WPA Pre-Shared Key and AES mode, make sure to save your settings. If you have Wireless Zero Configuration disabled for Windows XP you will need to re-enable the service to connect to your encrypted network. Once you have re-enabled this service, browse to your network control panel and double click your wireless network (I'm assuming you have SSID broadcasting turned on for this step). The only difference now is that you will be prompted to put in the same password or passphrase you did when you enabled WPA. Once you are connected, you should not noticed a difference between browsing with encryption and browsing without encryption.

In OS X, you simply connect to the network as you normally would and enter your password. I had no trouble in Windows XP or OS X in getting an IP address and connecting to the Internet immediately. I have also noted no difference in download or browsing speed when encryption is turned on.

As I indicated earlier, there is no "one size fits all" for wireless networking in the home. As a security proponent, of course I must recommend that you always encrypt your traffic, disable broadcasts, etc., but most people will find that this takes too much time and energy when the fact is that they can bring their router home and it "just works." Nevertheless, it is important that you understand the security risks by browsing on an unencrypted network. With packet sniffing software, anyone within range can view your non-secure traffic (all your emails, web sites you visit, passwords or credit card numbers you enter), so you must be careful what you do and decide for yourself based on the factors above, "how secure" you want to make your network.

Additional Resources

Open WRT
Information from their website:

OpenWrt is a Linux distribution for the Linksys WRT54G. Instead of trying to cram every possible feature into one firmware, OpenWrt provides only a minimal firmware with support for add-on packages.

Official Linksys Firmware
Firmware is the software that runs the Linksys router. You will want to check this page periodically to see if a firmware upgrade has been made available for your router. Firmware upgrades usually fix security issues or incompatibilities with new devices you might have added to your network.

About the author(s)

Andy started Pain in the Tech in 2005 as a way to share tips and tutorials with friends and family, and evangelize great products and services. By 2008, Pain in the Tech had 7 contributors, thousands of daily page views. Site ownership was transitioned to Matt Thommes in 2008.

Comments

# Coen at 7/29/2006 7:29 am cst

Andy, You've updated the article because Linksys changed it's router product range. I recomment looking at the WRT54GL router. This is the old router with new (linux) firmware.

Quick Link to this comment: http://TTIP.me/c4066

# Tom at 10/29/2006 5:11 pm cst

I run 2 desktops and 1 laptop. the laptop is wireless. I have someone leaching on my internet connection. I know this cause my wan is still very active when all computers are shut down. How can I password my connection so that only my systems are using it. I have a linksys wireless-G. model: WRT54GS. I hope someone can help me config the router to block unwanted leachers. Thank You in advance. Tom

Quick Link to this comment: http://TTIP.me/c4185

# Ray at 11/21/2006 8:32 pm cst

GREAT INFO on SECURING LINKSYS ROUTERS--THANKS!!!

Quick Link to this comment: http://TTIP.me/c4226

# sajith at 12/24/2006 10:17 pm cst

I run 2 desktops and 1 laptop. the laptop is wireless. I have someone leaching on my internet connection. I know this cause my wan is still very active when all computers are shut down. How can I password my connection so that only my systems are using it. I have a D-LINK Wireless G ADSL 2/2+ router model: DSL-G624T. I hope someone can help me config the router to block unwanted leachers. Thank You in advance. sajith

Quick Link to this comment: http://TTIP.me/c4278

# Nan at 1/7/2007 10:05 pm cst

I am trying to use my work computer's wireless network connection at home, yet my husband set-up security on our Linksys wireless router. I have the key code I used for my personal laptop; however, I keep getting error messages that say that it must be 26 characters. I have retyped it and retyped it ad nauseum and it says the same thing. Also, the confirmation line automatically enters what I'm typing, yet does not complete it nor does it allow my to type over it with the complete line of keycode characters. Please advise on what might be the problem. This is the only setting that I'm changing and do not want to mess anything up that may affect my connections at work or on the road. Thanks, Nan

Quick Link to this comment: http://TTIP.me/c4304

# Student from Malaysia at 1/12/2007 8:21 pm cst

Hi, I followed your guidelines to secure my wireless network with MAC filters and it worked beautifully. Thanks for taking the time to share this nugget of wisdom! Do keep up the good work and all the best in your career undertakings!

Quick Link to this comment: http://TTIP.me/c4320

# Chance at 1/18/2007 9:30 am cst

The new versions of the wrt54g routers continue to run VxWorks, but a few clever hackers have changed that for the good of all humanity. There are multiple threads on the www.dd-wrt.com forum that indicate how you can remove the VxWorks OS and implant a custom Linux environment. This is not for the faint of heart, and does void the manufacturers warranty. I have personally noticed a huge boost in performance, and stability in this firmware over the VxWorks original. Thanks, Chance

Quick Link to this comment: http://TTIP.me/c4331

# Anonymous at 1/27/2007 8:06 pm cst

Could someone help how I can connect to Linksys router...please? I've installed wireless router and am using the wireless network from the laptop.But when I view/refresh teh network connection in 'Zone Alam' it says connection as insecured open connection. How can I protect my network? In the first point how can I access my router without connecting to 192.168.1.1. Thanks very much.

Quick Link to this comment: http://TTIP.me/c4385

# Jessie at 3/10/2007 6:06 pm cst

I had no idea how to secure my network. All the instructions on the Disk were Greek to me. Thank you for this article or all kinds of peple would have been on my network.

Quick Link to this comment: http://TTIP.me/c4442

# bekrain at 4/3/2007 4:42 am cst

Hi, don't know if I explained that right. We have a computer that we just hooked up to a wireless router. The internet works fine on this computer. We have a imac downstairs that we are trying to connect wirelessly. And can't see to do it. Mac wants us to pay them so they can answer our question. And they said it will take 7-9 days to do this. Help. We are using bell sympatico internet. They have set it up on the mac as far as they can. It idoes have an airport, or wireless card in it. Do you know how we might get it up and running? It is a new computer, bought it in Dec. and it hasn't been hooked up to internet yet. Thank you.

Quick Link to this comment: http://TTIP.me/c4465

# niyi at 5/29/2007 7:29 am cst

I have Linksys Router and My Lan is made up of 60 system and I want to secure my network using MAC address filter. Now since my router has 40 slot where I can entered the MAC address what I my going to do to accomodate the rest 20pcs? Also how am I going to block illecit website from my website?

Quick Link to this comment: http://TTIP.me/c4523

# kas at 1/5/2008 8:25 am cst

There is a faster and easier way if you do have the Linsys router to make a secure wireless network, but you need a thumbdrive for this.

A: Hardwire one of your computers into the router using the cat-5.

B: Go to http://www.linksys.com 1: under support click [Technical Support] 2: now click on the EASYLINK CONNECT link and follow the directions. C: Once you follow the simple step by steps you have the choice to save the information on a removable media 1: all you have to do now is take your thumb drive to any computer you want wireless plug it in and run the saved program... walahh simple wireless without the headache.

or you can simply use this link to their easy link program... and then follow the directions included.

http://www.linksysfix.com/check/netset/install/EasyLink_Connect.exe

Quick Link to this comment: http://TTIP.me/c4664

Hide right column -»

• Previous: Disable Wireless Zero Configuration in Windows XP
• Next: Remote Desktop over the Internet from Windows or OS X

Quick Link to this post

TTIP.me/1954