5 Steps to Home Wireless Security
Feb 26, 2002 12:00 PM, Bobby Malik
One of my friends recently bought a wireless router for his home. After he bought the router, he asked me about what he should do—at a minimum—to secure the router. He had the following simple requirements: First, secure the router so that no one except him could change its settings, and second, prevent any unauthorized users from connecting to the router or gaining access to the network.
As most people do, my friend initially set up his router using the product’s installation and setup wizard. Using this wizard, he was able to secure the router by changing the administrator password. However, although using a router’s setup software to set an administrative password is a good start, it provides only basic security. And in my friend’s case, it met only his first requirement.
Chances are, if you’re like my friend, your wireless network remains wide open: Anyone in your wireless router’s range can connect to your network to access the Internet—and your home PC. If you’re in this situation, you have some work to do. Here are five steps that you can follow to secure your home wireless network:
Step 1: Change the Router’s Default Administrator Password
Out of the box, most routers contain a default user ID and password. Because this password is well known (i.e., printed in documentation included with the router), you must change the default password. You can easily make this change by running the router’s installation and setup wizard.
If you have a router that doesn’t provide such a wizard, you can connect to the router through an Internet browser and change the password. For example, to connect to a Linksys router, after powering up the router and connecting the Ethernet cable to the router, open a Web browser and type 192.168.1.1. Use the default user ID and password to log on to the router, then change the default password.
Step 2: Change the Default SSID and Disable SSID Broadcast
All routers are shipped with a Service Set Identifier (SSID) that’s set by the manufacturer. An SSID is a sequence of as many as 32 letters or numbers that makes up a wireless LAN’s (WLAN’s) ID or name. For example, the Linksys router’s default SSID name is Linksys. Default SSIDs are well known and published. Therefore, wireless-router manufacturers advise that you change the default SSID so that it’s unique. Moreover, router manufacturers suggest that you change SSIDs as often as possible: Hackers know that, in order to join a wireless network, wireless networking products first listen for “beacon messages,” which are transmitted unencrypted. These messages contain network information, such as the network’s SSID and the IP address of the network PC or Access Point (AP).
Also by default, a router broadcasts the router's SSID. You should disable this behavior. Although doing so won't provide tight security—a commonly available tool such as NetStumbler can detect hidden SSIDs—disabling the SSID broadcast lets you add one more layer of security against casual eavesdroppers. However, exercise caution if you disable SSID broadcast: Some devices, such as HP Palmtops, might not be able to connect or might drop connections intermittently if the SSID isn't broadcast.
Step 3: Change the IP Address Setting
Router manufacturers set every router with an IP address. Linksys routers, for example, come configured with an IP address of 192.168.1.1. These address settings are well known and published, and thus malicious users can easily discover your IP address if they know the router manufacturer and type. Therefore, you should change the IP address as a part of the setup process. Continuing with the Linksys example, you can change the default 192.168.1.1 IP address to 192.168.10.1. Although changing the IP address doesn't secure the router, it does leave the eavesdropper guessing at the IP address.
DHCP is also enabled by default on every router. DHCP provides IP address information to client machines. By default, the DHCP server hands out IP addresses in the 2-to-254 range. Therefore, 253 client machines can get an IP address from the router. You probably don't have that many systems at home, so it's best to reduce the DHCP range to the number of machines that you expect to have in your network. As a rule of thumb, I set the router to hand out addresses for the number of machines in my network, plus an additional two for visiting friends and family.
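As an added example (not part of the original article or any router vendor's software), the following Python sketch checks a router's settings against steps 1 through 3, including the DHCP pool rule of thumb above. The setting names in the dictionary are hypothetical and the sample values are constructed from the Linksys defaults the article mentions.

```python
import ipaddress

# Factory values named in the article (Linksys example); extend for other vendors.
DEFAULT_SSIDS = {"linksys"}
DEFAULT_LAN_IPS = {"192.168.1.1"}
GUEST_ALLOWANCE = 2  # the article's "plus an additional two" rule of thumb


def dhcp_pool_size(start, end):
    """Number of addresses the DHCP server can hand out, inclusive."""
    first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if last < first:
        raise ValueError("DHCP range end is below its start")
    return int(last) - int(first) + 1


def audit(settings, expected_machines):
    """Return findings for steps 1-3; an empty list means every check passed."""
    findings = []
    if settings.get("admin_password_changed", "no").lower() != "yes":
        findings.append("step 1: administrator password is still the default")
    if settings.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append("step 2: SSID is the manufacturer default")
    if settings.get("ssid_broadcast", "enabled").lower() != "disabled":
        findings.append("step 2: SSID broadcast is enabled")
    if settings.get("lan_ip") in DEFAULT_LAN_IPS:
        findings.append("step 3: LAN IP address is the manufacturer default")
    pool = dhcp_pool_size(settings["dhcp_start"], settings["dhcp_end"])
    allowed = expected_machines + GUEST_ALLOWANCE
    if pool > allowed:
        findings.append(f"step 3: DHCP pool has {pool} addresses, expected at most {allowed}")
    return findings


# Constructed sample with hypothetical key names: a router left at factory values.
FACTORY = {
    "admin_password_changed": "no",
    "ssid": "Linksys",
    "ssid_broadcast": "enabled",
    "lan_ip": "192.168.1.1",
    "dhcp_start": "192.168.1.2",   # the default 2-to-254 range
    "dhcp_end": "192.168.1.254",
}

if __name__ == "__main__":
    for finding in audit(FACTORY, expected_machines=3):
        print(finding)
```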