WiFi (and wired) Network Security

Security at public Hotspots >>>
How to share your Internet connection safely >>>
WiFi for Dummies ;-)

Suppliers of WiFi gear, like routers, purposely let unsuspecting users set up insecure WiFi networks. They want to make it as easy as possible for anyone, including "dummies", to get WiFi going. They know that if they required secure settings, many people would give up and return the gear. They would also get way too many support calls. :^) [more] [another pitfall]

The result is, you don't have to do much more than plug a modern WiFi router in to start using it, and most people don't. Fortunately, you can have robust security if you set your WiFi network up right. We're not dummies, so we're going to learn how to be secure. :-)

Configuring secure wireless networks
  • Your job is to think of everything. The attacker's job is easy. If you forget one thing the attacker wins. :-(
  • The purpose of this page is to pull everything about secure WiFi networks together in one place.
  • As you put your network in place, use what follows as a check list.
  • Don't pay any heed to the persistent but harmful myths about SSID beacons and MAC filtering.
  • See Security at WiFi Hotspots to learn about the other half of WiFi security.

Use your browser's "web access" administrative interface to change your router's settings. The browser address that you use to reach it's web-style utility is usually 192.168.1.1 or 192.168.1.0, but it can be something like 10.0.0.1.

Keys to a secure WiFi network.
  1. Never configure your router or change its settings via a WiFi connection. Always use a direct, wired (Ethernet) connection. Your router password is not encrypted before it is sent, and a hacker could easily sniff it for a future attack.
  2. Each computer that will be connected to the network needs sound security to start with: It should have a firewall, up-to-date software, protection against malware, etc. If one of them becomes infected, it can easily compromise the others, because the router does not protect computers on the local (internal) network from each other. [security plans]
  3. Pick a router that includes a stateful inspection firewall and be sure to turn the firewall on. The added layer of security that this "hardware firewall" adds is good to have even if you don't use the network.
  4. Enable WPA2 encryption and use a strong shared key: Never rely on WEP. It's also better to upgrade any devices that doesn't support WPA2 than it is to accept WPA. [more on encryption]
  5. Replace your router's default administrative username and password with a strong ones. [see below]
  6. Turn off UPnP on your router when it's not needed: (You only need it on when you're adding new UPnP enabled devices to your network.) UPnP (universal plug and play) lets devices self-configure on your network. An attacker can use UPnP to redirect your browser to malicious sites or open a hole in your router’s firewall.
  7. Use OpenDNS as a pre-emptive measure to guard against DNS poisoning. [instructions] [tests] [video]
    Update: Some trouble using OpenDNS on some VPNs (virtual private networks) has been reported.
    OpenDNS will also improve your computer's Internet connection performance, and provide other safeguards.
  8. Don't turn off the SSID beacon or bother with MAC filtering. These security measures have little or negative value against modestly skilled WiFi hackers, even though there are persistent but harmful myths that they add real security.

One last critical note: Windows grants "trusted" status to all the computers that are connected to the same router. If any one of them is infected with malware, the rest of them are likely to be infected too. That's because the defenses that Windows maintains against intrusion from the Internet are dropped for computers on the local area network (LAN). It's important to provide independent protection for each computer connected to the LAN by installing an effective security system on each one of them.

Administrative username and password

Securing your router is not just important to protect your network against attack. You could also be held accountable for the illegal activity of someone who piggybacks on your Internet connection, since it's your IP address that will be identified.

The username and password that you use to log in to your router to make configuration changes need to be strong. It's easy for a hacker to quickly break a weak one and redirect all your computers to his own evil website. Worse yet, if you don't change them from the default ones they can just waltz right in. Update: Now cyber-criminals are using malware to change router settings

If a hacker gets in to your router's administrative function, he can do anything from directing you to malicious sites to intercepting everything that goes to and from the Internet.

A strong username or password has 14 or more random characters. You can also use a more easily remembered passphrase. A strong passphrase has 5 or more randomly chosen words.

Don't confuse your administrative password with the shared key that is used for encryption. The shared key needs to be much stronger than the password.

You will find more on changing your router's password here.

Security at public Hotspots >>>
How to share your Internet connection safely >>>
More on WiFi security