5-Minute Wireless Network Security for your Home

Everyone agrees that security is important, but no one agrees on how much effort should go into securing your home wireless LAN. The good news is that there are some basic steps you can take that require just 5 minutes of your time. In this article I will show you how to add various layers of security to your home wireless LAN. The specific wireless router I will be using is a Linksys WRT54G, a popular 802.11g (54 Mbps) device. Most wireless routers use similar terminology so you will likely be able to find some useful information in this article even if you don’t have this specific Linksys router.

UPDATE July 13, 2006: Linksys has revised the WRT54G to include a new OS and reduced the onboard hardware. I am no longer recommending this router. Read this WRT54G article for details. HOWEVER, the security steps here still apply for all brands of routers. Linksys may have changed menu options, but the methods listed here will still secure your wireless network.

Linksys WRT54G

If you have not yet purchased a wireless router and plan to, I recommend this router over all other current “B” and “G” devices. “G” networks have a theoretical maximum transmission rate between devices or between a device and the router of 54 megabits per second (Mbps), while “B” routers are slower at 11 Mbps. I’ve had direct experience with the Belkin 54g, D-Link DI-514, and Netgear MR814, and this router is by far the most reliable, easiest to set up, and most feature-rich (albeit the most expensive). However, either a B or a G router, although they operate at half-duplex (half their claimed throughput), will provide more than enough bandwidth for the typical consumer residential broadband connection (Comcast Cable, SBC DSL, etc.).

There is a trade-off between security and convenience. Most wireless routers are set up by default to “broadcast” their settings to any devices within range. This configuration is convenient but unfortunately very insecure. By changing certain settings to values other than their default, you will spend more time setting up your wireless network initially, but it will be more secure. Despite knowing that a neighbor might steal my WiFi or that a teenager might be watching my packet flow outside my house, I did not get around to adding any security to our wireless router and instead had left it “open” because that was just easier. Unfortunately wireless routers arrive from the manufacturer as very insecure devices and don’t require a lot of effort to “hack” or otherwise use maliciously. Even more alarming is that if you don’t encrypt (scramble) the data that you send back and forth, a person within range could use a packet sniffer to watch all the websites you go to, the email you send and receive, or passwords that you send (in clear text) when you log in to various websites.

I wanted to write this article to show you how to set up your home network and implement some basic security layers that will get you up and running. In an office environment, however, or if you live in a densely populated area where there is a lot of wireless traffic (like a townhouse, apartment, or university dorm), you should be encrypting your traffic with WEP or, much better, WPA. WPA is available on most recent wireless routers and is a much better protocol than WEP encryption. For more on encryption, please read the last section of this article.

How quickly can I make my router secure?

I have broken down the article into three sections. The sections are based on how much time they will require. The first section is just a few tips, but in the next two sections you will modify settings on the wireless router itself.

  1. Less than 5 minutes, no settings to modify on your router
  2. Security in 5 minutes, settings to modify on your router
  3. More than 5 minutes, advanced settings and Encryption!

Less than 5 minutes, no settings to modify on your router

Position your router in your home so that it is only strong enough to reach the wireless devices you want to connect. If you put your wireless router in your basement, it is unlikely that your neighbor or someone trying to connect outside your home will be within range unless they have some fancy signal-boosting antenna. Do some testing of distances and plan for future usage, like adding a deck to your home and connecting outside.

Note: You could also disable wireless administration, meaning you will have to physically connect to the router to make changes with an Ethernet cable. However, in many home wireless networks there are only wirelessly-connected devices. If that is the case you will want to keep wireless administration turned on so that you can make changes, but keep in mind that if you can connect to your router to make changes physically, wireless administration is not necessary and should be disabled if possible.

For those that are really paranoid, there is also some “WiFi-reducing wallpaper” available that supposedly blocks WiFi signals but not other wireless transmissions like cellular. Try some searching online if you are interested in this. Perhaps this could be useful and cost-effective in an enterprise installation if it was installed when the building was constructed.

5 minutes, settings to modify on the router only

The sections below are ranked in order from easiest to most difficult. The steps below will not encrypt your wireless activity, but will make it far less likely, or impossible, that someone will “see” your network and be able to connect to it.

  1. Change the default password
  2. Disable unnecessary remote administration options
  3. Change the default SSID
  4. Disable SSID broadcast. The SSID is the name of your wireless network.

Log-in to your wireless router
The default IP address is shown below. Simply open any web browser and enter the default IP address or whatever you change the address to be.

Log-in to your wireless router

Change default password and disable unnecessary remote administration options (see screenshot below)

Remote management (making changes over the Internet) is disabled by default. Out of the box, secure access (within your home network) via HTTPS is not enabled, while Wireless Web Access and UPnP (Universal Plug and Play) are both enabled. At a minimum you should keep remote management disabled and disable UPnP. Checking HTTPS access only would be a good idea to take advantage of the security it offers over the HTTP protocol, but remember that you will need to type https:// to access your router in the future. If you think you might not remember this, then keep HTTP checked, but be aware that your password will be transmitted as plain text when signing on to the router.

If you choose to disable “Wireless Access Web,” you will not be able to administer the router wirelessly. As mentioned above, if you do not have a wired connection to your router, like if it is in a room with a cable jack where there is no computer, you will either have to leave Wireless Web Access enabled, or you will have to access the router with a wired connection from your laptop. If you don’t have a laptop, you could run a very long Ethernet cable from your desktop to the router.

Change default password and disable remote administration

From the basic setup screen, you can change the local IP address of the router and define a starting range for your devices that connect via DHCP. DHCP is a protocol that automatically assigns an IP address to devices connecting to the router. These settings are mainly for your own personal inventory, although changing the default IP address of the wireless router is not a bad idea, you just have to remember what you change it to.

Change default IP address and starting range

Write this information down (your settings from above) and store it somewhere safe. Probably the biggest drawback of changing your default information is that now you actually have to remember what you changed it to! The easiest way is to write down your settings and store them somewhere near your router or in a safe location.

Change the default SSID, wireless channel, and disable SSID broadcast
These settings will take just a few seconds to complete, but are very valuable from a security point of view. If you are connecting only 802.11g devices, select “G-Only” from the “Wireless Network Mode” menu. Likewise, choose “B-Only” for 802.11b devices.

Choose a new SSID name, a new wireless channel, and disable “Wireless SSID Broadcast.” This article shows default passwords for thousands of wireless devices, which means that someone passing by your home with a laptop could receive your SSID broadcast and connect to your network, then log in to your router and begin changing settings (if you leave the username and password as the default). When you disable the SSID broadcast, you have to manually type in the SSID on each machine that wishes to connect to the network. Changing the default channel is another way to make your device more difficult to find for someone attempting to use it maliciously. These are very easy settings to modify and should be done at a minimum to secure your wireless network.

Change your default SSID and disable SSID broadcasting

More than 5 minutes, settings to modify on the router and on your connecting devices

Although MAC address filtering will take more than a few minutes (since you need to manually collect all the MAC addresses for the devices you wish to connect), this is a very common and easy way to implement a layer of security that makes it “very difficult” for someone to connect to your network. By creating a “whitelist” of MAC addresses that are approved to connect, any MAC addresses that attempt to connect that do not fall within this whitelist will not be given an IP address by DHCP. Although the possibility of “spoofing” a MAC address exists, this requires a fair amount of time and energy from a would-be hacker trying to connect to your wireless network, so I leave it up to you to determine how likely this would be in your wireless network’s location.

First you will need to discover your MAC address. If you are on Windows, the easiest way to do this is to click Start then Run, type cmd, and then press ENTER. By typing ipconfig /all you will see a number of settings for any networking devices you have in your computer. Make sure you browse to a device that says something like “wireless adapter” so that you don’t accidentally get the MAC address of your wired network interface card (NIC). Click here to find out how to discover your MAC address on other operating systems. Write down the MAC address of your wireless adapter so that you can put it into your router whitelist later.

The screenshot below shows the output of ipconfig /all which is one way of finding your MAC address on Windows XP. The “Physical Address” is the same as the MAC address. In this example it is 00-0F-EA-F6-A5-7E.

Instruction to discover MAC address on Windows

Now that you have your MAC address(es), you will need to open up the “Wireless MAC Filter” section under “Wireless” on your Linksys router. Here you will want to enable Wireless MAC filter and choose “Permit only PCs listed to access the wireless network.” Now you will create your whitelist by entering in the MAC address(es) you’ve collected.

A pop-up window will let you put up to 40 MAC addresses in. Make sure to enter the MAC addresses without hyphens, and save your settings when you are finished. You will probably need to restart your wireless router and the computers that you are trying to connect so that they can receive an IP address from DHCP at boot time.

Create a MAC Address Filter List
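The collection steps above can be scripted. The following is an added example, not part of the original article: it pulls the wireless adapter's “Physical Address” out of saved ipconfig /all text, strips the hyphens as the router requires, and enforces the 40-entry limit. The sample output and all function names are constructed for illustration.

```python
import re

# Constructed sample in the style of Windows XP `ipconfig /all` output.
# Only 00-0F-EA-F6-A5-7E comes from the article; everything else is made up.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : Example Wired NIC
        Physical Address. . . . . . . . . : 00-11-22-33-44-55

Ethernet adapter Wireless Network Connection:

        Description . . . . . . . . . . . : Example 802.11g Adapter
        Physical Address. . . . . . . . . : 00-0F-EA-F6-A5-7E
"""

MAX_ENTRIES = 40  # size of the router's filter list, per the article

SECTION_RE = re.compile(r"^(\S.*\badapter\b.*):\s*$")
FIELD_RE = re.compile(r"^\s+([A-Za-z ]+?)[ .]*:\s*(.+?)\s*$")


def parse_adapters(text):
    """Split ipconfig /all text into one dict of fields per adapter section."""
    adapters, current = [], None
    for line in text.splitlines():
        section = SECTION_RE.match(line)
        if section:
            current = {"Name": section.group(1)}
            adapters.append(current)
            continue
        field = FIELD_RE.match(line)
        if field and current is not None:
            current[field.group(1)] = field.group(2)
    return adapters


def normalize_mac(mac):
    """Return 12 upper-case hex digits with no separators, as the router expects."""
    digits = re.sub(r"[-:.\s]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def wireless_macs(text):
    """MACs of adapters whose section name or description mentions wireless/802.11."""
    found = []
    for adapter in parse_adapters(text):
        label = (adapter["Name"] + " " + adapter.get("Description", "")).lower()
        if ("wireless" in label or "802.11" in label) and "Physical Address" in adapter:
            found.append(normalize_mac(adapter["Physical Address"]))
    return found


def build_whitelist(macs):
    """Normalize, drop duplicates (order kept) and enforce the 40-entry limit."""
    unique = list(dict.fromkeys(normalize_mac(m) for m in macs))
    if len(unique) > MAX_ENTRIES:
        raise ValueError(f"{len(unique)} addresses, but the list holds {MAX_ENTRIES}")
    return unique


if __name__ == "__main__":
    print(build_whitelist(wireless_macs(SAMPLE_IPCONFIG)))
```

Save the output of ipconfig /all from each computer to a text file and feed the files through wireless_macs to build one list for the router.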

More than 5 minutes, advanced settings and Encryption!

An additional setting that you might find useful is changing the default radio channel that the router operates on. If you do this, wireless devices like notebooks will not be able to connect to the router in their default configuration. The drawback to changing this or any of the “broadcast settings” from default is that it will take more work to manage your connecting devices. In this case you will have to manually change the channel on each wireless device you wish to connect.

Disable Wireless Zero Configuration on Windows XP
If you are on Windows XP, I highly recommend that you disable the “Wireless Zero Configuration” service as well. By disabling this service, I noticed a huge improvement in the short “drops” of wireless connectivity I was getting with the service enabled. With this service disabled, I can have an active FTP session (or any other connection-oriented session running) overnight where previously the connection would drop periodically. For complete documentation on how to disable this service, visit this Pain in the Tech article.

Encrypt your wireless transmissions
WEP encryption is an old standard and should not be used unless it is the only encryption option your wireless router offers. If your router offers WPA encryption, this is a newer standard that is much improved over WEP. You will have two options for WPA on this Linksys router: “WPA Pre-Shared Key” or “WPA Radius.” My understanding of the “RADIUS” version is that you need a “Radius server” to hand out keys per user session, so you will want to stick with the “Pre-Shared Key” option at home. Refer to the user’s manual for complete documentation.

You will also be presented with two WPA modes: TKIP and AES. These are both different security algorithms, but it appears that AES has lower overhead and is thus preferred. Refer to technical documentation on Tom’s Networking or elsewhere if you would like to read more about these WPA implementations.

Adding WPA or WEP encryption

Once you choose WPA Pre-Shared Key and AES mode, make sure to save your settings. If you have Wireless Zero Configuration disabled for Windows XP you will need to re-enable the service to connect to your encrypted network. Once you have re-enabled this service, browse to your network control panel and double-click your wireless network (I’m assuming you have SSID broadcasting turned on for this step). The only difference now is that you will be prompted to put in the same password or passphrase you did when you enabled WPA. Once you are connected, you should not notice a difference between browsing with encryption and browsing without encryption.

Enter your password to access the encrypted network

In OS X, you simply connect to the network as you normally would and enter your password. I had no trouble in Windows XP or OS X in getting an IP address and connecting to the Internet immediately. I have also noted no difference in download or browsing speed when encryption is turned on.

Enter your password in OS X
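What the router and each client do with the passphrase in “WPA Pre-Shared Key” mode, as an added example that is not part of the original article: the passphrase is stretched into a 256-bit key with the SSID as salt, so a client that types the SSID differently (for instance after SSID broadcast is disabled) derives a different key. The PBKDF2 parameters come from the WPA specification rather than from this article; the function names and sample values are constructed.

```python
import hashlib
import hmac


def wpa_psk(passphrase, ssid):
    """Derive the 256-bit WPA-Personal key and return it as 64 hex digits.

    WPA "Pre-Shared Key" mode runs PBKDF2-HMAC-SHA1 over the passphrase with
    the SSID as salt, 4096 iterations, 32 bytes of output.
    """
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    key = hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32
    )
    return key.hex()


def client_matches_router(passphrase, router_ssid, typed_ssid):
    """True if a client that typed `typed_ssid` derives the router's key."""
    return hmac.compare_digest(
        wpa_psk(passphrase, router_ssid), wpa_psk(passphrase, typed_ssid)
    )


if __name__ == "__main__":
    # Constructed sample values, not taken from the article.
    phrase = "correct horse battery staple"
    print(wpa_psk(phrase, "HomeNet-7"))
    # SSIDs are case-sensitive: a different salt gives a different key.
    print(client_matches_router(phrase, "HomeNet-7", "homenet-7"))
```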

As I indicated earlier, there is no “one size fits all” for wireless networking in the home. As a security proponent, of course I must recommend that you always encrypt your traffic, disable broadcasts, etc., but most people will find that this takes too much time and energy when the fact is that they can bring their router home and it “just works.” Nevertheless, it is important that you understand the security risks of browsing on an unencrypted network. With packet sniffing software, anyone within range can view your non-secure traffic (all your emails, web sites you visit, passwords or credit card numbers you enter), so you must be careful what you do and decide for yourself, based on the factors above, “how secure” you want to make your network.

Additional Resources

Open WRT
Information from their website:

OpenWrt is a Linux distribution for the Linksys WRT54G. Instead of trying to cram every possible feature into one firmware, OpenWrt provides only a minimal firmware with support for add-on packages.

Official Linksys Firmware
Firmware is the software that runs the Linksys router. You will want to check this page periodically to see if a firmware upgrade has been made available for your router. Firmware upgrades usually fix security issues or incompatibilities with new devices you might have added to your network.




12 Comment(s)

  1. Coen | Jul 29, 2006 | Reply

    Andy,

    You’ve updated the article because Linksys changed its router product range. I recommend looking at the WRT54GL router. This is the old router with new (Linux) firmware.

  2. Tom | Oct 29, 2006 | Reply

    I run 2 desktops and 1 laptop. The laptop is wireless. I have someone leeching on my internet connection. I know this cause my WAN is still very active when all computers are shut down. How can I password my connection so that only my systems are using it? I have a Linksys Wireless-G, model: WRT54GS. I hope someone can help me config the router to block unwanted leechers. Thank you in advance. Tom

  3. Ray | Nov 21, 2006 | Reply

    GREAT INFO on SECURING LINKSYS ROUTERS–THANKS!!!

  4. sajith | Dec 24, 2006 | Reply

    I run 2 desktops and 1 laptop. The laptop is wireless. I have someone leeching on my internet connection. I know this cause my WAN is still very active when all computers are shut down. How can I password my connection so that only my systems are using it? I have a D-LINK Wireless G ADSL 2/2+ router, model: DSL-G624T. I hope someone can help me config the router to block unwanted leechers. Thank you in advance. sajith

  5. Nan | Jan 7, 2007 | Reply

    I am trying to use my work computer’s wireless network connection at home, yet my husband set up security on our Linksys wireless router. I have the key code I used for my personal laptop; however, I keep getting error messages that say that it must be 26 characters. I have retyped it and retyped it ad nauseam and it says the same thing. Also, the confirmation line automatically enters what I’m typing, yet does not complete it nor does it allow me to type over it with the complete line of keycode characters.

    Please advise on what might be the problem. This is the only setting that I’m changing and do not want to mess anything up that may affect my connections at work or on the road.

    Thanks, Nan

  6. Student from Malaysia | Jan 12, 2007 | Reply

    Hi,

    I followed your guidelines to secure my wireless network with MAC filters and it worked beautifully. Thanks for taking the time to share this nugget of wisdom! Do keep up the good work and all the best in your career undertakings!

  7. Chance | Jan 18, 2007 | Reply

    The new versions of the WRT54G routers continue to run VxWorks, but a few clever hackers have changed that for the good of all humanity. There are multiple threads on the http://www.dd-wrt.com forum that indicate how you can remove the VxWorks OS and implant a custom Linux environment. This is not for the faint of heart, and does void the manufacturer’s warranty. I have personally noticed a huge boost in performance and stability in this firmware over the VxWorks original.

    Thanks, Chance

  8. Anonymous | Jan 27, 2007 | Reply

    Could someone help how I can connect to Linksys router…please? I’ve installed wireless router and am using the wireless network from the laptop. But when I view/refresh the network connection in ‘Zone Alarm’ it says connection as insecured open connection. How can I protect my network? In the first point how can I access my router without connecting to 192.168.1.1.

    Thanks very much.

  9. Jessie | Mar 10, 2007 | Reply

    I had no idea how to secure my network. All the instructions on the disk were Greek to me. Thank you for this article or all kinds of people would have been on my network.

  10. bekrain | Apr 3, 2007 | Reply

    Hi, don’t know if I explained that right. We have a computer that we just hooked up to a wireless router. The internet works fine on this computer. We have an iMac downstairs that we are trying to connect wirelessly. And can’t seem to do it. Mac wants us to pay them so they can answer our question. And they said it will take 7-9 days to do this. Help. We are using Bell Sympatico internet. They have set it up on the Mac as far as they can. It does have an AirPort, or wireless card in it. Do you know how we might get it up and running? It is a new computer, bought it in Dec. and it hasn’t been hooked up to internet yet. Thank you.

  11. niyi | May 29, 2007 | Reply

    I have a Linksys router and my LAN is made up of 60 systems, and I want to secure my network using a MAC address filter. Now, since my router has 40 slots where I can enter MAC addresses, what am I going to do to accommodate the remaining 20 PCs? Also, how am I going to block illicit websites from my website?

  12. kas | Jan 5, 2008 | Reply

    There is a faster and easier way if you do have the Linksys router to make a secure wireless network, but you need a thumb drive for this.

    A: Hardwire one of your computers into the router using the cat-5.

    B: Go to http://www.linksys.com

    1: Under support click [Technical Support].

    2: Now click on the EASYLINK CONNECT link and follow the directions.

    C: Once you follow the simple step-by-steps you have the choice to save the information on a removable media.

    1: All you have to do now is take your thumb drive to any computer you want wireless, plug it in and run the saved program… voilà, simple wireless without the headache.

    or you can simply use this link to their easy link program… and then follow the directions included.

    http://www.linksysfix.com/check/netset/install/EasyLink_Connect.exe
