
Sunday, March 16, 2008

How To Secure a WiFi Router for the Best Wireless Security

What is the best setting to secure my wireless network? What's the safest way to secure my WiFi-enabled router? The steps below describe what to do for most routers that support WiFi 802.11g or better.

  1. Connect your network, wired only: connect the router to your (cable/FiOS/phone) modem, which is of course connected to your ISP's wire. Note: in some cases, the router and modem are the same device. Connect a properly configured computer to your router, probably with a Cat-5 Ethernet cable. Check the LEDs on the computer, router, and modem if required.
  2. Boot up and open a browser. Can you connect to the Internet? Test with a quick trip to your favorite search page. If you can't connect wired-only, you'll never get the wireless working!
  3. Log into your router's web interface using your web browser. If you know your computer's IP address, the router is usually the same address, except the last number after the right-most dot is a "1" -- for example, 192.168.2.1 (the 1 at the end is your router's address in your LAN's address space).
  4. Enter your password to access your router's administrative features. If you didn't need a password, or you used the default password, change it now to a safe password!
  5. Go to the Wireless section on your router's administrative pages. Your router may use different terms, like WiFi instead of Wireless.
Set your wireless network up as follows:

Hide it from Casual Snoops

These options won't protect you from a hardcore hacker (like that 14-year-old kid who lives a few doors down) but will hide your network from the lazy and unprepared (i.e., most everyone else). In the Channel & SSID section of your router's Wireless/WiFi administrative pages:
  1. Change the SSID (or Network Name) to something memorable, other than the default. This isn't a password, so you can use the name of your dog or other dictionary words. If someone guesses this, they still have to get past your impossible-to-guess password to use your WPA network.
  2. If possible, turn off the option to broadcast the SSID.
  3. Apply or Save the changes. For my Belkin router, that means the router needs to reboot and I have to log in again.
Now, to connect to your wireless network, you have to know the SSID you set. Just don't use the default name.

Set up WPA Encryption

WPA encryption is the way to go. WEP sucks, so don't use it. WPA makes it impossible for people to connect to the network without the password, and also encrypts all the traffic so others can't snoop on your traffic and snort up your bank password.
  1. Select WPA as your security/encryption mode (also called WPA2-Personal or PSK).
  2. I recommend WPA-PSK authentication and TKIP encryption. Make sure these selections are compatible with your wireless card (AirPort for Macs).
  3. Set a fearsomely strong password.
  4. Save/Apply your changes.
Now, breathe easy. You are locked down. Let's do a few more things to make sure your net is tight.
  • Turn off remote management. If you turn this on, chances are that you will be owned eventually.
  • Turn off UPNP (Universal Plug 'n Pray -- I mean, Play). If one of your devices requires this, your network can't be considered secure.
That's it. Save any changes, and now try to connect with your laptop.
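To see why steps 1 and 3 of the WPA section go together, here is an added example (not code from the original post) that derives the WPA/WPA2-Personal key the way every router and client does: PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations, 256-bit output. The SSID is the salt, so the same passphrase on a network with a different name yields a different key, and the only secret in the derivation is the passphrase, which is why it has to be long and random. The reference vector (passphrase "password", SSID "IEEE") is the one published in IEEE 802.11i Annex H; the passphrase generator and the length/charset check are this example's own.

```python
import hashlib
import math
import secrets
import string

# Printable ASCII minus the space character: what WPA-Personal passphrases may contain.
PASSPHRASE_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Reference vector from IEEE 802.11i Annex H.4.1: passphrase "password", SSID "IEEE".
REFERENCE_PSK_HEX = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def check_passphrase(passphrase: str) -> None:
    """Enforce the WPA-Personal passphrase rules: 8 to 63 printable ASCII characters.

    A 64-character value is treated by firmware as the raw hex PSK rather than a
    passphrase, so it is rejected here as well.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters long")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit pre-shared key exactly as the router and every client do:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    check_passphrase(passphrase)
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, dklen=32
    )


def generate_passphrase(min_bits: int = 128) -> str:
    """Build a random passphrase carrying at least `min_bits` of entropy,
    capped at the 63-character WPA maximum, using the OS CSPRNG."""
    bits_per_char = math.log2(len(PASSPHRASE_ALPHABET))  # about 6.55 bits per character
    length = min(63, max(8, math.ceil(min_bits / bits_per_char)))
    return "".join(secrets.choice(PASSPHRASE_ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # Same passphrase, two SSIDs: the derived keys differ because the SSID is the salt.
    print("IEEE    ->", wpa_psk("password", "IEEE").hex())
    print("mydogsname ->", wpa_psk("password", "mydogsname").hex())  # constructed SSID
    # A passphrase worth typing into the router once.
    print("suggested passphrase:", generate_passphrase(128))
```

Run it once to convince yourself the "IEEE" line matches the published vector; then use the suggested passphrase (or one of similar length from your password manager) as the WPA password in step 3.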

Stay tuned for tips on what to do if you have a device that requires UPNP or WEP, or other inadequate security measures that would otherwise compromise your security.

Friday, December 14, 2007

Secure Email on the Road

If you use a laptop and you need to check your email on the road -- in other words, using a network or a computer that you can't be sure is safe -- you need to establish a secure point-to-point connection to your server for both sending and receiving email. In an earlier post, I described the safest way to connect to Gmail on a public network; this post describes a similar approach for email at your own domain.

There are several ways to check your email over a secure connection:

  • Use your email provider's web interface, and connect to the web mail page using SSL (https, not http).
  • Use SSL to connect your email client (Outlook, Thunderbird, etc.) to your mail server.
Note that either option requires that your email provider supports these secure connections. For my company (Cadent), I use DNS Made Easy's IMAP and SMTP services. I haven't found better pricing anywhere else, and their service has been tremendously reliable.

How To Send Email Securely

The approach I describe here will work on any wireless network, or any insecure wired network, to protect your email login and downloads. Without it, your email transactions, especially your login, are transmitted in clear text, which means anyone who's watching can see your user name and password.

That's right, the default setup for most email programs is to transmit everything, including your login, unprotected in the clear! To protect your email accounts, you only need to configure your email client once to use a secure connection, and then you will be safe every time you use that email client software.
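To make the "in the clear" point concrete, here is an added example (not from the original post) that audits a captured mail session for plaintext logins. The session transcripts are constructed for this example; a real audit would feed in your own packet capture. It recognises the two commands a default client sends on the unencrypted ports: IMAP `LOGIN user password` and SMTP `AUTH PLAIN <base64>`. The base64 in AUTH PLAIN is an encoding, not encryption, which the decoder shows. The report names the account and protocol but never the secret, since the purpose is finding which clients still need the SSL setting turned on.

```python
import base64
import re
from typing import Dict, List, Optional, Tuple

# --- constructed sample sessions (made up for this example) ---------------------------
# Key: (protocol, TCP port). Value: lines as an eavesdropper on the network would see them.

def encode_auth_plain(user: str, password: str) -> str:
    """Build the SASL PLAIN token a client sends: base64(authzid NUL authcid NUL password)."""
    return base64.b64encode(b"\0" + user.encode() + b"\0" + password.encode()).decode()


SAMPLE_SESSIONS: Dict[Tuple[str, int], List[str]] = {
    ("imap", 143): [
        "* OK IMAP4rev1 server ready",
        "a001 LOGIN alice@example.com hunter2",      # credentials readable as typed
        "a001 OK LOGIN completed",
    ],
    ("smtp", 25): [
        "220 mail.example.com ESMTP",
        "EHLO laptop",
        "AUTH PLAIN " + encode_auth_plain("bob@example.com", "s3cret"),
        "235 2.7.0 Authentication successful",
    ],
    ("imap", 993): [
        # Implicit SSL/TLS: only ciphertext crosses the wire, so nothing here matches.
        "<encrypted TLS application data>",
    ],
}

IMAP_LOGIN = re.compile(r"^\S+\s+LOGIN\s+(\S+)\s+\S+", re.IGNORECASE)
SMTP_AUTH_PLAIN = re.compile(r"^AUTH\s+PLAIN\s+(\S+)", re.IGNORECASE)


def decode_auth_plain(token: str) -> Optional[str]:
    """Return the authentication identity from an AUTH PLAIN token, or None if malformed."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    parts = raw.split(b"\0")
    if len(parts) != 3:
        return None
    return parts[1].decode("utf-8", "replace")


def find_plaintext_logins(sessions: Dict[Tuple[str, int], List[str]]) -> List[dict]:
    """Flag every login that was sent without encryption. Secrets are not copied out."""
    findings = []
    for (proto, port), lines in sessions.items():
        for line in lines:
            user = None
            if proto == "imap":
                m = IMAP_LOGIN.match(line)
                user = m.group(1) if m else None
            elif proto == "smtp":
                m = SMTP_AUTH_PLAIN.match(line)
                user = decode_auth_plain(m.group(1)) if m else None
            if user:
                findings.append({"protocol": proto, "port": port, "user": user,
                                 "fix": "enable SSL for this account in the mail client"})
    return findings


if __name__ == "__main__":
    for f in find_plaintext_logins(SAMPLE_SESSIONS):
        print(f"{f['protocol']}/{f['port']}: {f['user']} logged in unencrypted -> {f['fix']}")
```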

Web Mail

If your email provider offers a web mail page, use it, with SSL. Our company's email provider, DNS Made Easy, offers webmail in two flavors: SquirrelMail and and some email services even build their own

This approach works quickly and easily. Just use SSL by adding an "s" after the "http" like this:

https://webmail.mydomain.com

That's right, substitute your domain. This approach works exactly the same way as the safest way to connect to Gmail on a public network, so see that post for details.

Secure IMAP with SSL

Your communications with your incoming email server need to be protected so an eavesdropper can't steal your password and read all your email. I'm a big fan of using the IMAP protocol for my incoming email, instead of POP. That's really a separate discussion, but for now you should know that IMAP is really the way to go if you check your mail from more than one computer.

Here's how to encrypt the traffic between your email program and your incoming IMAP email server:
  1. Use a provider (such as DNS Made Easy) that supports an IMAP SSL connection; or, for a corporate email system, ask your IT guy to set it up (he really should, anyway).
  2. In your current email client (Outlook, Thunderbird, etc.) open the account settings dialog box. Usually, this opens a tabbed or many-sectioned dialog box. Select the tab for your incoming or receiving email server.
  3. Check or select the "SSL" encryption option. Note: this may be hidden under "Advanced" or some similar secret place -- one of the reasons most people don't do this.
  4. Enter your
That's it! Now click [OK] to save your changes, and then try checking your email. Even better, send yourself an email from another account, like Gmail, and make sure it comes in correctly.

Here are some links to step-by-step instructions for different mail clients:
Check your mail client's online help for current details.

Secure SMTP

You need to protect your connection with your outgoing (SMTP) server so spammers don't hijack your user name and password to use your account to send spam. Because of this problem, many ISPs don't allow you to use their SMTP servers unless you are connected through their network, even when you authenticate with a username and password. One of our ISPs, Verizon, is an example of this approach. So, even though I need a user name and password to send email via Verizon, I usually can't do this when I'm on the road, unless I'm at a client's site that uses Verizon, too.

So, here's what I did:
  1. Set up a secure SMTP server at DNS Made Easy.
  2. In my mail client, I opened the account settings dialog box, and went to the outgoing (SMTP) server settings.
  3. I selected the "SSL" option for encryption.
  4. I typed in my username and password.
  5. Just to be safe, I changed the SMTP port to a port that only accepts SSL, in my case, port 465 -- this may be different for your SMTP server.
  6. I clicked [OK] to save my changes.
I sent a test message to confirm everything worked and I typed my strong password correctly. All set! I'm ready to take this show on the road.
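The IMAP steps above and the SMTP steps here are the same change applied to two connections: SSL on, and a port that only speaks SSL (993 for IMAP, 465 for SMTP, the port the post uses). Here is an added example (not the post's or DNS Made Easy's code) that does both from Python's standard library, with certificate verification and hostname checking left on so a rogue hotspot cannot impersonate your server, plus a small audit of the account settings a mail client would hold. The `mail.example.com` host and the settings dictionaries are constructed placeholders; substitute your own server.

```python
import imaplib
import smtplib
import ssl
from typing import Dict, List, Optional

# Ports that accept only SSL/TLS from the first byte (implicit TLS).
IMPLICIT_TLS_PORTS = {"imap": 993, "pop3": 995, "smtp": 465}


def mail_tls_context() -> ssl.SSLContext:
    """A verifying TLS context: system CA store, certificate required, hostname checked.
    TLS 1.2 is the floor; older protocol versions are refused."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def open_imap(host: str, user: str, password: str, port: int = IMPLICIT_TLS_PORTS["imap"],
              context: Optional[ssl.SSLContext] = None) -> imaplib.IMAP4_SSL:
    """Log in to IMAP over SSL (the 'SSL' checkbox plus port 993 of the incoming-server steps)."""
    conn = imaplib.IMAP4_SSL(host, port, ssl_context=context or mail_tls_context())
    conn.login(user, password)          # sent only inside the TLS tunnel
    return conn


def open_smtp(host: str, user: str, password: str, port: int = IMPLICIT_TLS_PORTS["smtp"],
              context: Optional[ssl.SSLContext] = None) -> smtplib.SMTP_SSL:
    """Log in to SMTP over SSL on port 465 (the outgoing-server steps 2 to 5)."""
    conn = smtplib.SMTP_SSL(host, port, context=context or mail_tls_context())
    conn.login(user, password)
    return conn


def audit_mail_settings(settings: Dict[str, dict]) -> List[str]:
    """Check an account's incoming/outgoing settings the way the post's checklist does.
    Each entry looks like {"protocol": "imap", "port": 143, "ssl": False}."""
    problems = []
    for side in ("incoming", "outgoing"):
        s = settings[side]
        proto = s["protocol"]
        if not s["ssl"]:
            problems.append(f"{side} {proto}: SSL is off, login and mail travel in the clear")
        elif s["port"] != IMPLICIT_TLS_PORTS[proto]:
            problems.append(f"{side} {proto}: SSL selected but port {s['port']} is not the "
                            f"SSL-only port {IMPLICIT_TLS_PORTS[proto]}")
    return problems


# Constructed settings: what a freshly added account usually looks like, and the fixed version.
DEFAULT_SETTINGS = {"incoming": {"protocol": "imap", "port": 143, "ssl": False},
                    "outgoing": {"protocol": "smtp", "port": 25, "ssl": False}}
SECURE_SETTINGS = {"incoming": {"protocol": "imap", "port": 993, "ssl": True},
                   "outgoing": {"protocol": "smtp", "port": 465, "ssl": True}}

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_SETTINGS), ("secure", SECURE_SETTINGS)):
        print(name, "->", audit_mail_settings(cfg) or ["OK"])
    # Network use, placeholder host and credentials:
    # imap = open_imap("mail.example.com", "you@example.com", "your-password")
    # smtp = open_smtp("mail.example.com", "you@example.com", "your-password")
```

The context from `mail_tls_context()` is the part most GUI clients get right by default today but that a script is tempted to skip; leaving `check_hostname` on is what turns "encrypted" into "encrypted to the server I meant".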