How to Secure your Wireless Network
Enhance your home Wi-Fi network security
2017-05-15 (updated: 2019-06-29) by Philip
Tags: Wi-Fi, Wireless, cyber security
A home wireless network allows all your computers, laptops, and mobile devices to communicate with a Wireless Access Point, which is in turn connected to the internet. The access point can be a separate device or, more commonly, part of a Wireless NAT router connected with a network cable to your broadband modem. It can sometimes even be built into the gateway/modem you get from your internet provider.
In most cases, we find a place for a wireless router in our home and promptly forget about it, as long as all our devices are online. It is important, however, to consider that the Wireless/NAT router is one of the most important devices in our home. It is not only the gateway to our Internet access, but also prone to exploits by cybercriminals who can potentially sneak into our devices, get access to our system, and use it to steal information, install malware, or even include the network in malicious attacks on other systems.
We live in the age of the Internet, with its data breaches, identity theft, ransomware attacks, botnets, malware and many other online threats. All this makes it prudent to properly secure your home network and take all the necessary measures to improve your Wi-Fi network security beyond simply setting a password. Use the steps below as a guideline to enhance the security of your wireless network.
Connect to your Wireless router
Before you can change any settings, you have to be able to connect to your wireless router (or access point). Most of them come with a "Quick Install Guide" or a flyer giving you the necessary information. Most are administered through a web browser, by typing their IP address into the address bar. The most commonly used IPs for wireless routers are 192.168.1.1 or 192.168.0.1. If these do not work, you can check the default IP (and username/password) in our hardware database of over 4000 wireless routers, modems and access points. Googling can sometimes help as well.
Once you reach your wireless router in your web browser, you will be prompted for a username and password, the most common ones being admin/admin. It is also possible for the password to be printed on a label at the bottom of your device, or you can reference our broadband hardware database. Log in, familiarize yourself with the interface, and look for a tab that deals with Wireless settings.
Secure the administrator access
The first step after logging in to your wireless router is to secure your administrator access. This process involves two simple steps:
Change the administrator password (and username, if possible) to a strong/secure one. It may be a good idea to write it down.
Disable remote access - in many devices, the administrator account is able to access the web administration from both the internal and external networks, which is a security risk. Find the setting and disable "Remote access" from outside of your network.
Depending on your needs and the clients allowed on your wireless network, you may even consider restricting administrator access from your LAN. Some devices allow for restricting administrator access to certain IP addresses, or to wired clients only, even though this may be a bit more involved and beyond the scope of basic security considerations for a home wireless network.
Change the name of your Wireless network
It is a bad idea to use the default name of the Wireless network provided by your ISP or router manufacturer, as it advertises the brand/name/model of your equipment. This information can be used by hackers to guess your router's manufacturer, and makes it possible to exploit any default passwords, vulnerabilities in firmware specific to that device, etc. The less potential attackers know about your network, the more time they would need to penetrate the system.
To change the name of the wireless network, look in the admin panel for "SSID", often located under the following menu:
Advanced Settings > Wireless Settings > Network Name (SSID)
Activate modern network encryption
While in the Wi-Fi settings of the admin interface, make sure to set your authentication method and encryption to WPA2-Personal (AES). If you have older wireless client devices, you may have to settle for an older encryption method. WPA is fine; WEP, however, has been cracked for years and is no longer adequate. WEP can easily be cracked in a couple of hours with readily available free software. This not only allows a potential hacker to use your internet connection, but would also make it easier to access computers and devices on your internal network.
Set a strong and unique wireless password
Once you set a proper encryption method, you must also configure a strong password, a.k.a. the WPA-PSK key. Other than using special characters and making it of sufficient length, it is also a good idea to use non-dictionary words, as many WPA cracking methods involve dictionary attacks, and short passwords are vulnerable. The WPA2 minimum password length is 8 characters; however, you should set passwords of 12+ characters to prevent most brute force attacks.
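The password guidance above can be turned into a quick self-check before a new key is saved in the router. The following is an added example, not part of the original article; the function name, the small constructed word list and the "three character classes" threshold are assumptions of this sketch.

```python
import string

# Constructed sample word list (assumption); a real check would load a full dictionary file.
SAMPLE_WORDS = {"password", "welcome", "dragon", "sunshine", "wireless", "admin"}

# Undo common character substitutions before the dictionary lookup.
LEET = str.maketrans("0134578@$!", "oieastbasi")

CHAR_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation + " ",
)


def check_wpa_passphrase(passphrase, words=SAMPLE_WORDS, recommended_len=12):
    """Return a list of findings; an empty list means no issue was found."""
    findings = []

    # WPA/WPA2-Personal passphrases are 8 to 63 printable ASCII characters.
    if not 8 <= len(passphrase) <= 63:
        findings.append("length must be 8-63 characters")
    elif len(passphrase) < recommended_len:
        findings.append(f"shorter than the recommended {recommended_len} characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        findings.append("contains characters outside printable ASCII")

    # The threshold of 3 classes is this example's assumption, not a standard.
    used = sum(any(c in group for c in passphrase) for group in CHAR_CLASSES)
    if used < 3:
        findings.append("uses fewer than 3 character classes")

    # Dictionary words are still found after capitalisation and simple substitutions.
    normalized = passphrase.lower().translate(LEET)
    hits = sorted(w for w in words if w in normalized)
    if hits:
        findings.append("contains dictionary word(s): " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    # Constructed sample passphrases.
    for candidate in ("admin123", "P@ssw0rd123", "v7#Kq-Lm2x!Rz9"):
        print(candidate, "->", check_wpa_passphrase(candidate) or "ok")
```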
Set a guest network
Most modern wireless routers/APs have either a "client isolation" mode or a "guest network" mode that allows for isolating different devices and client computers on your network, so that they can all access the internet but can't communicate with each other or see each other's shared resources. Guest wireless networks should still have a password set, so that you can still control who uses your available monthly bandwidth - your network performance will likely suffer otherwise, as your neighbors stream UHD video on your network.
The only downside of using the guest network and client isolation is that shared network resources will not be available. Those may include network printers, shared media and IoT devices, even Google Chromecast.
Separate your wireless from your wired network
Another method for client isolation and securing your wireless clients' access to your network resources is configuring your Wi-Fi in a different subnet than your wired network. For example, you can have your main router at 192.168.1.*, and your wireless router/AP network at 192.168.2.*. The configuration of this is a bit more involved; however, it can allow you to separate all your wireless clients from your wired network shares. Some routers make this easy by having a "wireless isolation" mode right in the configuration menus in the web admin panel. Keep in mind that isolation mode may only allow your Wi-Fi clients to connect to the internet, not to each other, and they may not be able to access shared resources, printers, etc.
Configure the router firewall
Most modern Wireless NAT Routers include an SPI (Stateful Packet Inspection) firewall, and some also include "DoS protection" in the firewall settings. It is a good idea to read through the available options and turn on at least some level of protection. Note that this should be enabled at the NAT router, which may or may not be your wireless access point as well. Lower levels of firewall protection are adequate for most home uses, as they provide security without straining the limited router hardware resources (CPU and RAM).
DoS (Denial of Service) protection can help in cases where you suspect you are under attack, or someone is scanning your network repeatedly. In this mode, the router will actively monitor for certain types of SYN and ACK packets, and drop them accordingly. If you are under attack, this may put additional strain on your router hardware, so an older device may become less responsive and latency may increase. You simply have to be aware of this trade-off in order to make an educated choice of enabling DoS protection.
Disable ICMP pings - many NAT routers allow users to disable ECHO requests, usually in the firewall settings menus. Pings can be disabled in most cases, especially if you feel your network is under attack. Note that ICMP pings are used by some networks and older online games to determine whether you are online at all, so you may have to keep this setting on if you are experiencing problems with particular online software.
Update your router firmware
Periodically, security researchers and hackers discover new vulnerabilities in router firmware/software. Security protocols get broken into, web servers and administrator pages require upgrades. As those vulnerabilities are published online, with time it becomes easier to scale attacks that target those vulnerabilities. There are programs that automate such penetration testing, allowing potential attackers to scan for router vulnerabilities and exploit them at a large scale.
This makes it important to check for firmware updates for your router periodically. Many modern routers have a firmware check built into the admin interface, making it easy to check for such updates. Asus routers, for example, have the check under: "Administration > Firmware Upgrade". Note that some firmware upgrades may require you to configure any custom settings again. This may even include the router's IP address, wireless network name, security, etc.
Keep your clients secure
Your network is only as secure as its weakest device. It is important to keep your wireless clients current with the latest security updates and patches. If one of them is infected with malware, it provides an easy attack vector to your entire network. Do not download applications from unknown sources, do not download email attachments from untrusted sources, do not install browser extensions, and use common sense to keep your devices secure. Scanning for malware periodically is also a good idea. If using Windows, the Microsoft anti-virus and software firewall provide adequate protection against most viruses, provided the antivirus definitions are up to date. If you suspect a program, there are online virus scanners that can be used to check it before you install it on your computer. If you suspect your machine could be infected, immediately scan it with anti-malware software (we recommend Malwarebytes Antimalware Free for Windows).
Other possible security measures
Turn off the wireless network when you are not at home for extended periods of time. Disconnecting a network will surely secure it ;)
Change the default IP address of the router - this can help, and it is sometimes necessary so it does not coincide with your modem/gateway. If you do it, make sure you know the new address, and use a static IP address outside of any DHCP ranges.
Disable SSID broadcast - this makes the Wi-Fi network invisible to the casual drive-by hacker. However, it is not foolproof: the network can still be discovered by its traffic. This mode can make it hard for your local clients to find the wireless network as well, since you'd have to enter its settings manually, so we feel the cost/benefit is questionable.
Enable MAC address access lists - this can help security by only allowing certain MAC addresses to connect to your network. Even though it somewhat toughens the network security, MACs can be spoofed, and it is hard to administer since you have to enter each device's MAC address. This can get tedious with many clients and mobile devices on the LAN.
Turn off DHCP functionality - theoretically, you can set every client on the network to use a static IP address, and disable DHCP. This will not prevent a potential attacker from setting their own static IP in your subnet, however, so we feel this is a bit over the top and not necessary for a home network.
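The addressing advice above (wireless clients on their own subnet, such as 192.168.2.* beside 192.168.1.*, and a static router address that avoids the modem/gateway address and any DHCP range) can be checked before it is typed into the admin panel. The following is an added example, not part of the original article; the function name, the sample addresses and the DHCP range are assumptions.

```python
import ipaddress


def audit_plan(wired_cidr, wifi_cidr, router_ip, modem_ip, dhcp_start, dhcp_end):
    """Return a list of problems in a home addressing plan (empty list = none found)."""
    wired = ipaddress.ip_network(wired_cidr)
    wifi = ipaddress.ip_network(wifi_cidr)
    router = ipaddress.ip_address(router_ip)   # wireless router's own LAN address
    modem = ipaddress.ip_address(modem_ip)     # modem/gateway address
    start = ipaddress.ip_address(dhcp_start)
    end = ipaddress.ip_address(dhcp_end)
    problems = []

    # Separate subnets only isolate clients if the ranges do not overlap.
    if wired.overlaps(wifi):
        problems.append("wired and wireless subnets overlap")

    # The router's address must not coincide with the modem/gateway.
    if router == modem:
        problems.append("router address coincides with the modem/gateway")

    # The router needs a usable host address inside the subnet it serves.
    if router not in wifi:
        problems.append("router address is outside the wireless subnet")
    elif router in (wifi.network_address, wifi.broadcast_address):
        problems.append("router address is the network or broadcast address")

    # The DHCP range must be well-formed and inside the wireless subnet.
    if start > end:
        problems.append("DHCP range start is after its end")
    elif start not in wifi or end not in wifi:
        problems.append("DHCP range is not inside the wireless subnet")

    # A static address inside the range can be handed out to another client.
    if start <= router <= end:
        problems.append("static router address falls inside the DHCP range")
    return problems


if __name__ == "__main__":
    # Constructed sample plan: wired on 192.168.1.*, wireless on 192.168.2.*.
    print(audit_plan("192.168.1.0/24", "192.168.2.0/24", "192.168.2.1",
                     "192.168.1.1", "192.168.2.100", "192.168.2.199") or "plan ok")
```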
Securing your wireless network is important to keep your data safe and private. It is not only a question of whether you have anything to hide, it is also a question of whether you want your bandwidth abused, your devices hacked, used to spread malware or unsolicited mail, or even locked for ransom. Many ISPs (Internet Service Providers) hold you, as a customer, responsible for anything that happens at your premises, and this extends to your wireless network. That makes you responsible for anything a potential hacker can do using your network, such as using it for spreading malware and DDoS attacks.
Securing your network properly is a multi-layer approach, including using modern encryption, strong passwords, restricting unnecessary client access, teaching clients about proper netiquette and considering possible external and internal security threats.
Our lives depend on online resources more and more each year. Use the above resources to harden your wireless network security and keep your information safe. Note that it is also important to teach your network users how to stay safe online and keep them aware of the dangers of downloading malware, malicious browser extensions, etc.