How to Create a Secure Wireless Router Setup
We live at a time when the “Internet of Things” is starting to gain traction in our lives. It seems every new product sold today can easily connect to the Internet through a wireless connection, which usually means a wireless router. Of course, while it may seem like a good idea to be able to access your devices remotely, it also means that malicious users may be able to gain access to them.
I have many devices in my home that connect to my wireless router, and since I am always conscious about security, I am confident that my devices are protected when connected to the Internet. While nothing is ever 100% secure, there are several steps you can take to make sure you do a proper wireless router setup. Ensuring the security of your wireless devices starts with your wireless router.
Proper Wireless Router Setup
Wireless security can seem daunting to many people, especially now that more devices and common household items can connect to the Internet through a wireless connection. If your wireless router isn’t secured, a malicious user can compromise not only your router but also your home network and any devices connected to it.
Wireless routers available on the market today have made it easier to secure a wireless network. Many new wireless routers include detailed instructions for securing your wireless network, and may also include a free tool that steps you through the process. Regardless of how you secure your wireless network, there are a few points you should make sure you cover during your wireless router setup.
1. Change Administrator Account and Password
With wireless routers there are actually two different passwords you need to set up: one for the administrator account that you use to log into your router and change its settings, and the other to connect to your wireless network. The two passwords are not the same, and they should never be the same.
To access your router’s settings, you, or the router’s software, must first log into the router with an administrator account. The default values for this account are usually public knowledge, published online and in the documentation provided by the router’s manufacturer.
Since the administrator credentials are public, it is important that you first change the administrator user ID, if possible, and the password. Create a good, strong, long password so that malicious users cannot brute-force it.
As I mentioned, there is also a second password that you need to set, which is discussed in the next point.
2. Set Up WPA2 with a Strong Passphrase
When securing your wireless network, nothing is more important than setting the security mode. For the security mode you should select WPA2. All routers created in the past 5 years give the option to select WPA2 as the security mode, which is the standard for securing a home wireless network.
After you select WPA2, you will be required to enter a passphrase/shared key value. Every device that wishes to connect to your home wireless network needs this value. Since it is what grants access to your wireless network, make sure the passphrase is long and strong to prevent malicious users from brute-forcing it.
By using the WPA2 security mode with a strong passphrase, you have created a secure wireless network.
3. Set Up a Guest Network
A relatively new feature that many of the newer wireless routers have is the ability to set up a guest network. Not all routers support this feature, but if yours does, you may want to look into setting one up.
A guest network is a second wireless network managed by your router that is separate from your normal home wireless network. The main reason for a guest network is to let other devices, such as those belonging to visitors, access the Internet without gaining access to any of the devices connected to your main wireless network. The guest network protects your devices from visitors’ devices.
When a guest network is set up, it appears as a second wireless network in the list of wireless networks detected by your devices. You secure your guest network the same way as your main wireless network: with WPA2 and a passphrase (different from your main network passphrase).
When someone visiting would like to use your Internet connection, you can simply give them access to your guest network, and all your devices are protected from theirs. This matters because if your visitor has malware installed on their device, it won’t impact your devices.
Another benefit of a guest network has to do with the “Internet of Things” and keeping your devices safe. With more common household items, such as thermostats, connecting to the Internet, security standards may be lacking. To make sure a security vulnerability in one of these items doesn’t affect your other wireless devices, connect non-computer items to your guest network instead of your main network.
The security benefit of a guest network is tremendous: it allows devices that you don’t control or trust to use your Internet connection without sacrificing the security of your home wireless network.
4. Restrict the Number of IP Addresses
Most wireless routers, if not all, give you the option to limit the number of IP addresses they assign to devices. Since each device needs an IP address assigned by the router, limiting the number of IP addresses limits the number of devices that can connect to your router.
By default, routers tend to offer as many IP addresses as they can. This is both a blessing and a curse. The blessing is that you can connect as many devices as you have to your router without worrying about disconnects. The curse is that so can malicious users.
By limiting the number of IP addresses to roughly the number of devices you intend to connect, you reduce the chance that a malicious user can connect to your router and network, because there won’t be any IP addresses left for them.
5. Disable WPS
Wireless router manufacturers have always tried to make securing a wireless router and connecting devices to the wireless network as easy as possible. To improve the usability of a wireless router and network, the WiFi Alliance created WiFi Protected Setup (WPS). WPS allows a user to simply press a button, enter a PIN (usually about 8 digits), and connect a device to the wireless network. Unfortunately, while WPS makes it easy to connect a device to a wireless network, WPS has been proven to be insecure.
While you may like the usability of WPS, security should always take priority over usability when it comes to wireless networks. With that in mind, if your router allows you to disable WPS, you should disable it. In light of the news about WPS being insecure, wireless router manufacturers have started to provide the ability to disable WPS.
If you are using an older router, there may be a firmware update that allows you to disable WPS. Of course, if your router’s firmware doesn’t include the option, you may have no choice but to leave WPS enabled.
6. Disable UPnP
When certain devices attempt to connect to the Internet through the wireless router, they may need to reach the Internet through a specific port. This usually requires you to log into your router and forward the port to the IP address of the device that needs it.
To make it easier for devices to open ports for communicating with the Internet, a technology called UPnP was created. It allows a device to talk to your router and open specific ports so the device can communicate with the Internet.
Unfortunately, as with many good intentions in technology, there is an issue with UPnP. In theory, only devices on your local area network should be able to request that ports be opened. In reality, however, UPnP allows devices on the Internet to open ports as well, which makes UPnP a security issue. Imagine what could happen if a malicious user on a device online were able to open a port on your router: they would gain access to your home network and the devices connected to it.
For this reason I recommend you disable UPnP and manually open ports for each device that needs to communicate with the Internet through a specific port. Your router’s documentation will describe port forwarding, and once you have set up port forwarding for one device, the procedure is the same for all the others.
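As an added example (not part of the original post), here is a short Python checklist that scores a snapshot of a router's settings against the six points above. The RouterSettings fields, the set of default administrator names, and the length and slack thresholds are this example's own assumptions, not values from any particular router; copy the real values from your router's admin pages by hand.

```python
from dataclasses import dataclass

# Constructed sample of common default administrator names; add the one
# printed in your own router's documentation.
DEFAULT_ADMIN_USERS = {"admin", "administrator", "root", "user"}

@dataclass
class RouterSettings:
    """Snapshot of the settings the six points above ask you to check.
    The field names are this example's own, not any vendor's API."""
    admin_user: str
    admin_password: str
    security_mode: str      # e.g. "WPA2-PSK", "WEP", "Open"
    wifi_passphrase: str
    guest_network: bool
    dhcp_pool_size: int     # addresses the router will hand out
    device_count: int       # devices you actually want connected
    wps_enabled: bool
    upnp_enabled: bool

def audit(s: RouterSettings) -> list[str]:
    """Return one finding per setting that is still in its weak state."""
    findings = []
    # 1. Administrator account: default name, short password, or the same
    #    secret reused for the wireless network (12 is an assumed minimum).
    if s.admin_user.lower() in DEFAULT_ADMIN_USERS:
        findings.append("admin: default user name still in use")
    if len(s.admin_password) < 12:
        findings.append("admin: password shorter than 12 characters")
    if s.admin_password == s.wifi_passphrase:
        findings.append("admin: password reused as the wireless passphrase")
    # 2. WPA2 with a long passphrase (16 is an assumed minimum).
    if not s.security_mode.upper().startswith("WPA2"):
        findings.append(f"wifi: security mode is {s.security_mode}, select WPA2")
    if len(s.wifi_passphrase) < 16:
        findings.append("wifi: passphrase shorter than 16 characters")
    # 3. Guest network for visitors and Internet-of-Things devices.
    if not s.guest_network:
        findings.append("guest: no guest network configured")
    # 4. DHCP pool sized to the devices you own; the slack of 2 spare
    #    addresses is an assumption, adjust it to taste.
    if s.dhcp_pool_size > s.device_count + 2:
        findings.append(f"dhcp: pool of {s.dhcp_pool_size} addresses for {s.device_count} devices")
    # 5 and 6. Convenience features the post says to switch off.
    if s.wps_enabled:
        findings.append("wps: enabled, disable it")
    if s.upnp_enabled:
        findings.append("upnp: enabled, disable it and forward ports by hand")
    return findings

def factory_default() -> RouterSettings:
    """Constructed example of a router left at typical out-of-box values."""
    return RouterSettings("admin", "admin", "Open", "", False, 253, 8, True, True)
```

Run `audit(factory_default())` to see every point flagged; a snapshot that follows all six points returns an empty list.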
Settings I Don’t Change
There are always opinions on what you should or shouldn’t change to secure a wireless network. Two settings have been discussed in great detail; one has some merit, while the other is, in my opinion, completely useless.
1. MAC Address Filtering
The most common security suggestion is to limit access to the wireless network by the MAC address of the device. This sounds like a great way to protect your wireless network, and it can be, but there are two reasons I don’t use MAC filtering on my wireless router:
- Managing MAC addresses can be a pain. I have many devices – desktops, laptops, tablets, smartphones, an HDTV, a Blu-ray player, a game console – that connect to my wireless router. I would find it a pain to look up the MAC address of each device I want to connect, and whenever I change devices I would have to look up the new MAC address before connecting it. With WPA2 enabled and IP address limits in place, I don’t feel that managing MAC addresses is worth the time.
- MAC addresses can be spoofed. Experienced malicious users usually have the ability to spoof a MAC address, making MAC address filtering pointless. While MAC filtering does put another obstacle in front of a hacker, using WPA2 with a strong passphrase is much more effective.
2. Disable SSID Broadcast
A common setting that has been around since the beginning of wireless networks is the ability to disable broadcasting of the SSID. This means the SSID won’t show up in the list of available wireless networks.
Some think that by hiding the SSID, malicious users won’t know the wireless network exists. Unfortunately, experienced malicious users use tools that see both broadcast and non-broadcast SSIDs, so not broadcasting an SSID does nothing to deter them.
On top of that, I have also seen devices have trouble communicating with wireless networks that don’t broadcast their SSID. Since trying to hide your wireless network doesn’t deter malicious users, I suggest you just leave the broadcast setting enabled.
The above points list a few options you should set to secure your wireless router, as well as two options you may not need to configure. If you manage a wireless network, which security options would you add to the lists above?