Showing posts with label tips. Show all posts

Sunday, March 16, 2008

How To Secure a WiFi Router for the Best Wireless Security

What is the best setting to secure my wireless network? What's the safest way to secure my WiFi-enabled router? The steps below describe what to do for most routers that support WiFi 802.11g or better.

  1. Connect your network, wired only: connect the router to your (cable/fios/phone) modem, which is of course connected to your ISP's wire. Note: in some cases, the router & modem are the same device. Connect a properly-configured computer to your router, probably with a Cat-5 Ethernet cable. Check the LEDs on the computer, router, & modem, if required.
  2. Boot up and open a browser. Can you connect to the Internet? Test with a quick trip to your favorite search page. If you can't connect wired-only, you'll never get the wireless working!
  3. Log into your router's web interface using your web browser. If you know your computer's IP address, the router is usually the same address, except the last number after the right-most dot is a "1" -- for example, 192.168.2.1 (the 1 at the end is your router's address in your LAN's address space).
  4. Enter your password to access your router's administrative features. If you didn't need a password, or you used the default password, change it now to a safe password!
  5. Go to the Wireless section on your router's administrative pages. Your router may use different terms, like WiFi instead of Wireless.
Set your wireless network up as follows:

Hide it from Casual Snoops

These options won't protect you from a hardcore hacker (like that 14-year-old kid who lives a few doors down) but will hide your network from the lazy & unprepared (i.e., most everyone else). In the Channel & SSID section of your router's Wireless/WiFi administrative pages:
  1. Change the SSID (or Network Name) to something memorable, besides the default. This isn't a password, so you can use the name of your dog, or other dictionary words. If someone guesses this, they still have to get past your impossible-to-guess password to use your WPA network.
  2. If possible, turn off the option to broadcast the SSID.
  3. Apply or Save the changes. For my Belkin router, that means the router needs to reboot and I have to log in.
Now, to connect to your wireless network, you have to know the SSID you set. Just don't use the default name.

Set up WPA Encryption

WPA encryption is the way to go. WEP sucks, so don't use it. WPA makes it impossible for people to connect to the network without the password, and also encrypts all the traffic so others can't snoop on your traffic and snort up your bank password.
  1. Select WPA as your security/encryption mode (also WPA2-Personal PSK)
  2. I recommend WPA-PSK authentication & TKIP encryption. Make sure these selections are compatible with your wireless card (AirPort for Macs).
  3. Set a fearsomely strong password.
  4. Save/Apply your changes.
Now, breathe easy. You are locked down. Let's do a few more things to make sure your net is tight.
  • Turn off remote management. If you turn this on, chances are that you will be owned eventually.
  • Turn off UPNP (Universal Plug 'n Pray -- I mean, Play). If one of your devices requires this, your network can't be considered secure.
That's it. Save any changes, and now try to connect with your laptop.

Stay tuned for tips on what to do if you have a device that requires UPNP or WEP, or other inadequate security measures that would otherwise compromise your security.

Friday, December 14, 2007

Secure Email on the Road

If you use a laptop and you need to check your email on the road -- in other words, using a network or a computer that you can't be sure is safe -- you need to establish a secure point-to-point connection to your server for both sending and receiving email. In an earlier post, I described the safest way to connect to Gmail on a public network; this post describes a similar approach for email at your domain.

There are several ways to check your email over a secure connection:

  • Use your email provider's web interface, and connect to the web mail page using SSL (https, not http).
  • Use SSL to connect your email client (Outlook, Thunderbird, etc.) to your mail server.
Note that either option requires that your email provider supports these secure connections. For my company (Cadent), I use DNS Made Easy's IMAP and SMTP services. I haven't found better pricing anywhere else, and their service has been tremendously reliable.

How To Send Email Securely

The approach I describe here will work on any wireless network, or any insecure wired network, to protect your email login and downloads. Otherwise, your email transactions, especially your login, are transmitted in clear text, which means anyone who's watching can see your user name and password.

That's right, the default setup for most email programs is to transmit everything, including your login, unprotected in the clear! To protect your email accounts, you only need to configure your email client once to use a secure connection, and then you will be safe every time you use that email client software.

Web Mail

If your email provider offers a web mail page, use it, with SSL. Our company's email provider, DNS Made Easy, offers webmail in two flavors: SquirrelMail and and some email services even build their own

This approach works quickly and easily. Just use SSL by adding an "s" after the "http" like this:

https://webmail.mydomain.com

That's right, substitute your domain. This approach works exactly the same way as the safest way to connect to Gmail on a public network, so see that post for details.

Secure IMAP with SSL

Your communications with your incoming email server need to be protected so an eavesdropper can't steal your password and read all your email. I'm a big fan of using the IMAP protocol for my incoming email, instead of POP. That's really a separate discussion, but for now you should know that IMAP is really the way to go if you check your mail from more than one computer.

Here's how to encrypt the traffic between your email program and your incoming IMAP email server:
  1. Use a provider (such as DNS Made Easy) that supports an IMAP SSL connection; or, for a corporate email system, ask your IT guy to set it up (he really should, anyway).
  2. In your current email client (Outlook, Thunderbird, etc.) open the account settings dialog box. Usually, this opens a tabbed or many-sectioned dialog box. Select the tab for your incoming or receiving email server.
  3. Check or select the "SSL" encryption option. Note: this may be hidden under "Advanced" or some similar secret place -- one of the reasons why most people don't do this.
  4. Enter your
That's it! Now, click [OK] to save your changes, and now try checking your email. Even better, send yourself an email from another account, like Gmail, and make sure it comes in correctly.

Here are some links to step-by-step instructions for different mail clients:
Check your mail client's online help for current details.

Secure SMTP

You need to protect your connection with your outgoing (SMTP) server so spammers don't hijack your user name and password to use your account to send spam. Because of this problem, many ISPs don't allow you to use their SMTP servers unless you are connected through their network, even if you need to authenticate with a username and password. One of our ISPs, Verizon, is an example of this approach. So, even though I need a user name and password to send email via Verizon, I usually can't do this when I'm on the road, unless I'm at a client's that uses Verizon, too.

So, here's what I did:
  1. Set up a secure SMTP server at DNS Made Easy.
  2. In my mail client, I opened the account settings dialog box, and went to the outgoing (SMTP) server settings.
  3. I selected the "SSL" option for encryption.
  4. I typed in my username and password.
  5. Just to be safe, I changed the SMTP port to a port that only accepts SSL, in my case, port 465 -- this may be different for your SMTP server.
  6. I clicked [OK] to save my changes.
I sent a test message to confirm everything worked and I typed my strong password correctly. All set! I'm ready to take this show on the road.

Sunday, October 21, 2007

Essential Security Tools

In addition to tools dedicated to wireless security, we also use other essential network analysis tools.

From the O'Reilly LinuxDevCenter article, Essential Security Tools for Linux:

there are open source, Linux-based solutions that can give you all of the benefits of a commercial product (along with the ability to extend the software) at a fraction of the price.

Two packages that make network diagnostics and troubleshooting easier are Ethereal and Netwatch.

Download your copies today!

Saturday, October 20, 2007

Safest Way to Connect To Gmail in Public

If you connect to your Gmail account out on the road, use SSL encryption when you connect. It is the safest way to log in on a public network:

https://mail.google.com/


Use the "https://" (SSL) secure and encrypted protocol, instead of plain "http://", every time you connect to your web mail on a public network. This also applies to any account where you have to log in with a user name and a password.

Web mail accounts include:

  • Google
  • Yahoo!
  • MSN
  • Your ISP's web mail pages.
Public networks include any Wi-Fi or wireless network that allows open access, even if you have to pay to get on. This includes places like:
  • The airport (best to avoid at all costs -- prime snooping grounds for the black hats).
  • Your hotel.
  • Your favorite cafe, donut or sandwich shop that offers Wi-Fi access.
  • The library.
  • Your neighbor's unsecured or WEP secured network that you hacked into (if you can do it, so can someone else!)
  • And so on...
Any place that offers open (not just free) access also offers that same convenient access to password snoopers, key loggers, and other malicious programs and black hatted hackers.

The Solution for Safe Surfing

To keep your accounts safe when using public networks, select either option:
  1. Don't log into your accounts using a public network. Best yet, don't even fire up your laptop unless you are sure you are safe. (Yeah, right!)
  2. Or, in the real world, always use a secure protocol to log in to any Internet accessible account. This means 100% of the time.
These secure protocols include:
  • Web: SSL ("https://")
  • Email: encrypted IMAP or POP
  • Shell: SSH
  • FTP: SFTP
For a moderately skilled bad guy, it's easy to capture Google log-in credentials over an open Wi-Fi network, by reading the cookies your browser sends to Google to authenticate your account.

So, you need to protect your log-in transaction, and encrypt (or scramble) the authentication cookie Google gives you after you log in.

SSL to the Rescue

Using an SSL connection protects all the traffic between your browser and the secure server. For example, to log into Google Mail, a web URL, using SSL, go here:

https://mail.google.com/


This way, all communication between your web browser and Google is encrypted using the excellent SSL encryption protocol. That's right, all you have to do is type in that "s" right between "http" and "://" -- how easy is that? It works with any web site that supports SSL. If your favorite web mail doesn't support SSL connections, it's time to find a new web mail solution.

When you connect using https, notice how your browser's address bar turns bright yellow, or that little lock icon appears in the lower right corner -- whatever your browser does, you should see a clear indication that you are using a secure SSL connection ... and also see when the web site you are visiting drops you back into regular "http" unencrypted traffic.
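Whether the authentication cookie stays protected when a site drops back to plain http depends on the cookie's Secure attribute. The following is an added example, not part of the original post: it models that one browser rule over constructed Set-Cookie headers, and the cookie names, host name and function names are assumptions made for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed Set-Cookie headers, as a webmail site might send after login.
SAMPLE_SET_COOKIE = [
    "SID=constructed-session; Path=/; Secure; HttpOnly",
    "LEGACY_AUTH=constructed-token; Path=/",          # no Secure attribute
]

def parse_cookies(headers):
    """Map cookie name -> True if it carries the Secure attribute."""
    flags = {}
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            flags[name] = bool(morsel["secure"])
    return flags

def cookies_sent(url, headers):
    """Names of cookies a browser attaches to a request for `url`.

    Simplified: ignores Domain/Path/expiry and models only the Secure rule,
    which withholds a Secure cookie from any plain http:// request.
    """
    encrypted = urlsplit(url).scheme == "https"
    return [name for name, secure in parse_cookies(headers).items()
            if encrypted or not secure]

def readable_on_open_wifi(url, headers):
    """Cookies an eavesdropper on the same network could read for `url`."""
    if urlsplit(url).scheme == "https":
        return []                     # the whole request is inside the SSL tunnel
    return cookies_sent(url, headers)

if __name__ == "__main__":
    for url in ("https://webmail.example.test/inbox",
                "http://webmail.example.test/inbox"):
        print(url, "->", readable_on_open_wifi(url, SAMPLE_SET_COOKIE))
```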

SSL won't protect your FTP transfers, or your Outlook or Thunderbird log-ins, either, but it does a great job protecting everything your browser sends and receives. Always use SSL when you need to log on to a public network.

Or just wait until you can plug in to log in. Most wired networks, even "open" wired networks at a hotel, for example, are much more secure than an equivalent Wi-Fi (wireless network). If you aren't sure if your wired network is secure, you can use HTTPS on that, too.

Surf safe,

Neil

Thursday, June 21, 2007

Wireless (Wi-Fi) Networks Increase the Challenges of Internet Security

Like so many technologies before it, wireless TCP/IP networks (especially WiFi/802.11 networks) were implemented and marketed without much consideration for the increased computer security risks that broadcasting your network traffic to the world might entail.

As any code-breaker knows, one of the best ways to reverse engineer coded messages is to compare lots of these messages to find common patterns. Early WiFi security, specifically WEP encryption, fell to this well-known technique, because it re-used encryption keys. As any spy worth his martini and Aston Martin knows, you should never reuse your encryption keys if you want to keep your secrets safe.

Yet, WEP did exactly this, so a patient hacker needs only to listen in on your WEP traffic long enough to discover the (reused) encryption keys. At least WEP prevents casual computer users with no expertise from logging into your network by simply posting up close enough to your base station to detect your WiFi signal. Just add a Pringles potato chip can to your setup, and you can detect WiFi signals hundreds of meters from the source. That's not a problem in any urban (and most suburban) areas.
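The key-reuse weakness described above, reduced to its core in an added example that is not part of the original post: WEP encrypts each frame with RC4 keyed by a 24-bit IV plus the shared key, so two frames sent with the same IV share one keystream and can be compared against each other. The key, IVs and payloads below are constructed, and the function names are this example's own.

```python
import zlib

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for `key` (the cipher WEP uses)."""
    s = list(range(256))
    j = 0
    for i in range(256):                          # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                            # keystream generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, secret: bytes, payload: bytes) -> bytes:
    """WEP frame body: RC4(IV || secret) XOR (payload || CRC-32 checksum)."""
    body = payload + zlib.crc32(payload).to_bytes(4, "little")
    return xor(body, rc4_keystream(iv + secret, len(body)))

SECRET = b"\x01\x02\x03\x04\x05"   # constructed 40-bit shared key
KNOWN = b"GET /index.html "        # constructed frame with guessable content
HIDDEN = b"user=demo&pw=abc"       # constructed frame of the same length

def recover_hidden(iv_known: bytes, iv_hidden: bytes) -> bytes:
    """Estimate HIDDEN from the two ciphertexts and KNOWN alone."""
    c1 = wep_encrypt(iv_known, SECRET, KNOWN)
    c2 = wep_encrypt(iv_hidden, SECRET, HIDDEN)
    # Same IV -> same keystream, which cancels: c1 ^ c2 == KNOWN ^ HIDDEN.
    # The recovery step itself never uses SECRET.
    return xor(xor(c1, c2), KNOWN)

if __name__ == "__main__":
    print("IV reused: ", recover_hidden(b"\x00\x00\x01", b"\x00\x00\x01"))
    print("IV differs:", recover_hidden(b"\x00\x00\x01", b"\x00\x00\x02"))
```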

In short, wireless networks have only increased the challenges of internet security by introducing a huge "back door" into your network. No longer do hackers need physical access to your network to steal your secrets. Nor do they have to defeat a well-secured firewall. Now, they can simply eavesdrop on network traffic beamed out into the ether by your new unsecured WiFi base station.

Over the next few weeks, we'll look closely at the different ways you can reduce computer security risks by implementing basic wireless internet security techniques. Stay tuned, or grab our RSS feed.

Monday, June 18, 2007

Wireless Router and Internet Security: Simple steps for privacy and security

As this article on wireless internet security recommends,

If you are using a wireless router for broadband internet, you MUST secure your connection.
The article, at JustText.com, also offers great tips on:
  • Routers
  • Firewalls
  • Encryption
  • Remote Access
  • Wireless Internet Security

Welcome to the Secure My Wireless blog

We post best practices for securing wireless (typically, WiFi or 802.11) networks, and tips on how to stay safe.