Securing your Wireless Network

One of the dangers with Wireless Networks is that setting them up can be so simple that it's easy to forget to check how secure they are. For ease of setup and configuration, most manufacturers ship wireless routers with all security disabled. This is not a good thing! If you do not take steps to secure your network, and many people don’t, then your files may be accessible to anyone within range. The good news is that it isn't too hard to secure your wireless network.

Below are a few basic steps along with a some things that you might be advised to do, but which don't really work. Of all the steps below, Step 4 - Add Strong Encryption is the "must do" thing on your wireless network. Without it you are open to anyone accessing your private information.

Need help with the terminology of Wireless Networks? Then visit our Wireless Network Glossary

Step1. Password protect your router

This step, along with Step 2 applies as much to non-wireless networks as to wireless ones. If you have a wireless or broadband router then it should allow you to access its config via a Web browser. To access your router’s setup, open a browser and enter the router's URL. The URL will be the same as your wireless network's gateway address and popular values for this are http://192.168.0.1, http://192.168.1.1 and http://10.0.0.1. The URL will be specified in the manual that came with the router.

The manual will also specify the default login details for your router. The problem here is that this means everyone knows what the default is so you need to change it. Once logged in it's usually pretty easy to find the link in the config to change the password.

If for any reason you don't have the manual for your router then you can search on the Internet using the term “default login for x”. Don’t be surprised to find quite a number of pages listing default login parameters for many different routers, even uncommon ones (scary, eh?).

Step 2 - Disable router access from the Internet

If your router has the option then disable access to the router's configuration from the Internet. This will mean that you can still log in to the router to change the configuration from your internal network, but nobody from the Internet will be able to log in. Needless to say, this is no use if your internal network is not secure so you need to take care of that too!

Step 3 - Care with choosing your SSID (Service Set IDentifier)

The SSID is the name of a WLAN (Wireless Local Area Network). All wireless devices on a WLAN use SSIDs to communicate with each other. Routers ship with standard default SSIDs. For example, the default SSID for Linksys routers is, not unsurprisingly, “Linksys”. If you don’t change the default SSID of your router and someone buys the same kit then things will start to go wrong.

Click here to see the latest Wireless Network deals on ebay.com
or click here to see Wireless Network items on ebay.co.uk

Care needs to be taken when choosing a new name. Don't use an SSID that gives away too much about you. Use as undescriptive a name as you can think of.

Many articles you read will tell you at this point to turn off SSID broadcast. See "Things That Don't really work" below to see why I don't think there's any point.

Step 4. Add strong encryption

You need to encrypt your wireless network...really. Read that first sentence again if you like, it's important. Beyond that, it's pretty important to use WPA encryption rather than WEP. WEP is better than no encryption at all, but it can be cracked in only a few minutes and the tools to do this are readily available.

If you've got Windows XP (you need to apply the free update to SP2 if you haven't already) and a newish router or access point then you should have WPA available. Use as long a key as you can stand to use and make it difficult to guess. A random combination of hexadecimal characters (numbers 0-9 and letters A-F) is best.

For more on configuring encryption refer to our Wireless Network Setup section and consult your router or access point manual.

Businesses should consider using WPA2 in combination with a strong authentication method such as RADIUS (Remote Authentication Dial In User Service), but this isn't available on current home kit.

Things That Don't really Work

What follows are a few things that are popularly touted as security measures, but which have little or no benefit and will just make your life harder. Do yourself a favour and DON'T do any of the following:

Turning off SSID broadcast: This is often misleadingly referred to as "SSID hiding", but there's no such thing. It turns off SSID beaconing on the Access Point, but there are other mechanisms that also broadcast the SSID over the wireless network and so you're disabling only 1 of many. Turning off SSID broadcast makes your network a lot less user friendly and won't do much for network security.

MAC filtering: This is often cited as a security mechanism and it can be used to keep leaching neighbours from using your broadband, but then again encryption is a better way to achieve that and more. The problem with MAC filtering is that it can be hard to set up and maintain and the MAC address of your wireless card can be seen in the header of all wireless packets to and from your PC by anyone with a "sniffer" (or protocol analyser). It's then pretty easy to spoof the MAC address and gain access. It's really not worth the trouble to configure it.

Disable DHCP: Another big waste of time. DHCP allows the automatic assignment of IP addresses and other configurations. Many articles advise disabling DHCP and configuring static IP addresses to "increase security". It'll take a hacker about 10 seconds to figure out the IP scheme of any network and simply assign their own IP address. Just as with turning off SSID broadcast you're making your life harder for no gain. Anyone who tells you that this is a way to secure your wireless network doesn't know what they're talking about.

The UKITbits editorial team 2006