|Peter Bowditch's Web Site|
|Home | Interests | Writing | Speaking | Videos and Photos | Books | Podcast|
Securing your wireless network
June 26, 2012
You've got a wireless network in your home or office. How do you make sure that the information you have on the network is safe from people who should not have access to it and that others can't use your network for purposes that you might not like?
These are two different problems and have different solutions.
The first one is actually the easier to manage. Make sure that all the computers on the network have secure passwords on all user accounts, allow files to be shared only with known users, and turn off file sharing on all computers that don't need to share anything with other machines. These are not just rules for wireless networks – you should do all of these even if all the machines are connected by cables.
The second problem is a bit more complicated to fix, but once it's fixed it stays fixed. I should also note that the suggestions below for securing the network solve the first problem too, but you should still do everything mentioned above.
Why should you worry if you have all the sharing locked down and nobody can get access to your data? Two important reasons – with an unsecured network intruders can use your data allowance to download files or play online games, leaving you with a large monthly bill or slowed access for exceeding your monthly gigabytes (and if they download illegal material it will be your IP address that gets identified), and they can use your network to send data out, again identifying your IP address as a possible source of illegal material. There is also the possibility that someone could monitor the wireless traffic to see what is being transmitted, but this requires a level of sophistication which is beyond the average person who might want to spy on a home of small business network. Even so, it is easy enough to prevent.
So here are the steps you need to take to secure your network. (I use Netgear routers, but whichever brand you have the principles are the same and you should be able to do all of these things. Instructions will be in the manual, but if in doubt ask whoever you buy it from to explain its workings. If they can't do that, shop elsewhere.) The instructions that came with your router will tell you how to access its setup; in my case I use any web browser to connect to the IP address "192.168.0.1". (You can change this if you want to, but just remember to write down the new address or you will have to reset the router to factory specifications and start again.)
1. Change the SSID.
SSID (Service Set Identifier) is the network name that the router uses to tell the world it exists. Usually this will be the make and model of the router ("Netgear XC123", "Dlink ABCD", ...) or the name of the ISP that provided it ("Bigpond-99999"). Displaying the device name is an invitation to people to try to attack you (because factory default router login details are freely available) and who your ISP is is nobody's business but yours. The SSID can be anything you like but be aware that your neighbours will be able to see it so don't make it too offensive. You can ask the router to keep it a secret but then you have to remember it when you try to connect to it with any of your computers, phones, tablets etc.
2. Change the login password.
I shouldn't really need to say this, but I will. If you don't change the password, anyone who can identify your make and model of router can access it and make any changes they like. The password my router came with was "password". It is not that now.
3. Turn on encryption.
I've said that it's unlikely that anyone will monitor what goes over the airwaves on your network, but why leave the possibility open? Your router will offer various level of encryption, but you should choose at least WPA (WiFi-Protected Access) and preferably WPA2. Choose the highest level that the router offers, and then set your network card in your computer to the same. If your network card won't do WPA2 and you lose connection, reset the router to factory settings (there will probably be a button on the device to do that) and start again. You should then immediately plan to upgrade your network adapter to something more modern.
If in doubt, you might be able to set the router to work with both WPA and WPA2. You might have to do this if you have some older devices that can't use WPA2 and can't be upgraded. For example, my HTC smartphone is two years old and only works with WPA, but my Samsung Galaxy Tab is happy with WPA2.
4. Tell the router which devices can connect.
This is the way to get real security. Every network connector in the world has a unique identifier called a MAC address (Media Access Control). There are various ways of finding out what the MAC address is, but generally with a computer you can find somewhere in the network configuration that will tell you. For phones and games consoles there will be a menu item that leads you to it. If all else fails, read the manual.
For good security, tell your router the MAC addresses that are allowed to connect to it. How you get to this option varies between devices, but for my Netgear it goes through this button on the "Wireless Settings" page.
This is the list of devices that can connect to my router. As well as the three fixed computers and two portables that are around my home and office there are a couple of smartphones, some USB network adaptors, the Samsung Galaxy Tab, the network card in my digital camera and the Wii games console in the living room. Anything not in this list can see my network but can't connect to it, even if the user is lucky enough to guess my WPA2 encryption key.
Important warning, and I do mean important – set up the MAC address for the computer you are using to configure the router first and make sure you enter it correctly. If you get it wrong you will be disconnected from the router and it will be time for a factory reset and starting again.
5. Block UPnP
There is a system called "Universal Plug and Play" which allows networked devices to be discovered and used by other people on the network. If you expose this capability to the world you run the risk of people doing things you might not like, such as taking over printers or even computers. You don't need it, so you should not allow anyone to use it to access your network.
6. Back up the router settings
It would be a pity to go through all the above and then lose everything because something went wrong and you had to reset the router. Just remember to note where you save the backup file (and don't store it on a computer that you can't reach without a network connection).
When you've done all that you should be able to sleep well, knowing that if anyone wants to do bad things with your network they will have to work very hard indeed.
There are a lot more settings and ways of configuring your router, but this article is about security. The rest can be left for another time.
|Copyright © 1998- Peter Bowditch|
Logos and trademarks belong to whoever owns them