How To Secure a WiFi Router for the Best Wireless Security

What is best setting to secure my wireless network? What's the safest way to secure my Wifi enabled router? The steps below describe what to do for most routers that support WiFi 802.11g or better.

1. Connect your network, wired only: connect the router to your (cable/fios/phone) modem, which is of course connected to your ISP's wire. Note: in some case, the router & modem are the same device. Connect a properly-configured computer to your router, probably with a Cat-5 Ethernet cable. Check the LEDs on the computer, router, & modem, if required.
   
2. Boot up and open a browser. Can you connect to the Internet? Test with a quick trip to your favorite search page. If you can't connect wired-only, you'll never get the wireless working!
3. Log into your router's web interface using your web browser. If you know your computer's IP address, the router is usually the same address, except the last number after the right-most dot is a "1" -- for example, 192.168.2.1 (the 1 at the end is your router's address in your LAN's address space).
   
4. Enter your password to access your router's administrative features. If you didn't need a password, or you used the default password, change it now to a safe password!
5. Go to the Wireless section on your router's administrative pages. Your browser may use different terms, like WiFi instead of Wireless.

Set your wireless network up as follows:

Hide it from Casual Snoops

These options won't protect you from a hardcore hacker (like that 14-year old kid who lives a few doors down) but will hide your network from the lazy & unprepared (i.e., most everyone else). In the Channel & SSID section of your router's Wireless/WiFi administrative pages:

1. Change the SSID (or Network Name) to something memorable, besides the default. This isn't a password, so you can use the name of your dog, or other dictionary words. If someone guesses this, they still have to get past your impossible to guess password to use your WPA network.
   
2. If possible, turn off the option to broadcast the SSID.
3. Apply or Save the changes. For my Belkin router, that means the router needs to reboot and I have to log in.
   

Now, to connect to your wireless network, you have to know the SSID you set. Just don't use the default name.

Set up WPA Encryption

WPA encryption is the way to go. WEP sucks, so don't use it. WPA makes it impossible for people to connect to the network without the password, and also encrypts all the traffic so others can't snoop on your traffic and snort up your bank password.

1. Select WPA as your security/encryption mode (also WPA2-Personal PSK)
2. I recommend WPA-PSK authentication & TKIP encryption. Make sure these selections are compatible with your wireless card (AirPort for Macs).
3. Set an fearsomely strong password.
4. Save/Apply your changes.

Now, breath easy. You are locked down. Let's do a few more things to make sure your net is tight.

• Turn off remote management. If you turn this on, chances are that you will be owned eventually.
  
• Turn off UPNP (Universal Plug 'n Pray -- I mean, Play). If one of your devices requires this, your network can't be considered secure.
  

That's it. Save any changes, and now try to connect with your laptop.

Stay tuned for tips on what to do if you have a device that requires UPNP or WEP, or other inadequate security measures that would otherwise compromise your security.

Essential Security Tools

In addition to tools dedicated to wireless security, we also use other essential network analysis tools.

From the O'Reilly LinuxDevCenter article, Essential Security Tools for Linux:

there are open source, Linux-based solutions that can give you all of the benefits of a commercial product (along with the ability to extend the software) at a fraction of the price.

Two packages that make network diagnostics and troubleshooting easier are Ethereal and Netwatch.

Download your copies today!

• The original Ethereal is now supplanted by Wireshark, which you should use instead.
  

Favorite Security Tools for Wireless Security

Fyodor, a well-known white hat and author of the port-scanner nmap has for several years taken a poll of the best network security tools. He lists the top 100 on his site SecTools.org. Some are free and some are commercial. They deal with all aspects of computer security.

Here is his site's list of the best tools in the wireless network security category.

1. Kismet (& Kismac for Mac's): Kismet identifies networks by passively watching wireless network traffic. It will even identify hidden networks.
2. NetStumbler: NetStumbler finds open wireless access points. There is also a WinCE version for PDAs named Ministumbler. It is similar to Kismet but is a more active tool.
3. AirCrack: Aircrack is a suite of tools for WEP and WPA cracking. The suite includes Airodump (an 802.11 packet capture program), Aireplay (an 802.11 packet injection program), Aircrack (static WEP and WPA-PSK cracking), and Airdecap (decrypts WEP/WPA capture files). The real meat of this suite is the ability to crack passwords.
4. AirSnort: AirSnort is a wireless LAN (WLAN) tool that recovers encryption keys. It passively monitors transmissions, and computes wireless encryption keys when enough packets have been captured.

We'll cover our recommendations to build your own security tool kit using these as well as other free computer security software, in a later update.

Remember that hackers are already using these tools, so you'd be wise to use them against your own network before someone else does. They may not have your best interests in mind.