How to Protect your Wireless Network

Preston Gralla provides step-by-step instructions for Wi-Fi.

Bad guys don't target just big, corporate networks. If you have a Wi-Fi network at home or in a small office, intruders may be after you, such as casual "war drivers" who troll city streets, looking for unprotected wireless networks. (Want to know more? See "Why you need wireless protection.")

It may not just be malicious attackers who cause problems. If you don't change the defaults of your wireless network, a neighbor with the same router make and model might accidentally connect to your network, stealing your bandwidth or reconfiguring your router and network without your knowledge.

Fear not, though. There's plenty you can do to protect yourself. In this article, I'll show you how.

Change your administrator password

Before you do anything else, change the administrator password on your router. Every model of router comes preconfigured with a standard password, and hackers know this. So it's exceedingly easy for someone to hop onto your network, gain full control over its administrative rights and wreak havoc.

How you change your password varies from router to router, so I'll show the steps for a representative model: the Linksys WRT54GX4.

1. Log in to the setup screen by opening your browser and going to http://192.168.1.1. When the login screen appears, leave the username blank. In the password section type admin, and then press Enter.

2. Click the Administration link, then click Management. At the top of the page, you'll see the Router Password area. Type a password into the Router Password box, then retype it in the "Re-enter to confirm" box. From now on, use that password instead of admin when you log in to your router.

Stop broadcasting your network's SSID—and change its name

Your service set identifier (SSID) is your network's name, and if people know what your SSID is, it's easier for them to find your network and connect to it. Your router broadcasts its SSID, and that broadcast tells passersby there's a network there. It also gives out the name.

So, if you turn off SSID broadcasting, you'll go partway toward keeping casual users from seeing your network. But doing that, by itself, won't necessarily solve the problem. Even if you stop broadcasting your network's name, people might still be able to connect to your network. That's because manufacturers generally ship their wireless routers with the same generic SSID; for example, Linksys routers all have the SSID Linksys by default. So, even if you stop broadcasting your SSID, intruders can easily guess your router's name and log on.

To solve the problem, first change your SSID's name, and then hide it. That way, passersby won't see it, and they won't be able to guess it either. How you do this varies from manufacturer to manufacturer, and even from model to model from the same manufacturer. But for many models of Linksys routers, including the WRT54GX4, here's what to do.

1. Log in to the setup screen, then click the Wireless tab and look for the Wireless Network Name (SSID) box. Enter the new name of your network.

2. On the same screen, look for the Wireless SSID Broadcast setting, and choose Disable. Then, click Save Settings.

3. If you are doing this from a wireless PC, you will immediately lose your connection to your network. So will every other wireless PC on your network. After you change your network name, reconnect each Wi-Fi computer to the network, using the new network name. You're now set.

Use encryption

If you take only one step to protect your home or small office network, it should be this: Use encryption. Wi-Fi networks are incredibly convenient—and incredibly easy to spy upon. All that data going out over the air among your PCs and between your PCs and the Internet can easily be snooped on by anyone nearby using simple, off-the-shelf software such as packet sniffers.

There are two Wi-Fi encryption standards: Wireless Equivalent Protocol (WEP) and Wi-Fi Protected Access (WPA). Don't use WEP—it's not nearly as safe as WPA. In fact, the biggest security breach in history was caused because a store owned by TJX Companies Inc. used WEP, which allowed hackers to break in to the network.

Here are the steps for the Linksys WRT54GX4 and many other Linksys models:

1. Go to the Setup screen and choose Wireless --> Wireless Security. In the Security Mode drop-down box, choose WPA/WPA2 Personal, then choose either WPA Personal or WPA2 Personal. WPA2 is a more secure method, but your hardware and software may not support it. Check your network adapter manufacturer's Web site to see if it supports WPA2 Personal. Windows Vista supports WPA2 Personal, but not all versions of Windows XP do.

To see if your version of XP supports WPA2 Personal, select Control Panel --> Add or Remove Programs. If the Show Updates check box is not selected, check it. Scroll to the Windows XP - Software Updates section and look for Windows XP Hot fix KB893357. If it's not there, your version of Windows XP won't support WPA2 Personal. You can, however, go to the Microsoft updates site, and download KB 893357 to turn on WPA2 functionality.

If you're not sure whether your hardware and software support WPA2 Personal, use WPA Personal.

2. From the Encryption Algorithms drop-down list, choose TKIP. In the Personal Key box, type a key between 8 and 63 characters in length. The longer it is and the more random the characters, the more secure it will be. Write down the key. You'll need to use this on each wireless PC on your network.

3. Leave the Group Key Renewal row at 3600. Click Save Settings. That applies the key to your network. Now, only PCs that use WPA encryption and the key you just generated will be able to get onto your network.
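As an added example (not part of the original article), this Python sketch generates a Personal Key within the 8 to 63 character limit from step 2 and goes one step further than the article by showing how WPA Personal turns that key into the actual 256-bit network key: PBKDF2-HMAC-SHA1 with the SSID as salt, so the key material depends on the network name as well as the passphrase. The function names and the SSIDs in the demo are assumptions made for illustration.

```python
import hashlib
import secrets
import string

# WPA/WPA2 Personal passphrase: 8 to 63 printable ASCII characters (0x20-0x7E).
MIN_LEN, MAX_LEN = 8, 63
ALPHABET = string.ascii_letters + string.digits  # easy to retype on each PC


def generate_personal_key(length=MAX_LEN):
    """Return a random key from the OS CSPRNG, sized for the Personal Key box."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError("key must be 8 to 63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def validate_personal_key(key):
    """Return a list of problems; an empty list means the key is acceptable."""
    problems = []
    if not MIN_LEN <= len(key) <= MAX_LEN:
        problems.append("length must be between 8 and 63 characters")
    if any(not 0x20 <= ord(c) <= 0x7E for c in key):
        problems.append("only printable ASCII characters are allowed")
    return problems


def derive_psk(key, ssid):
    """Derive the 256-bit key the way WPA-PSK does:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    problems = validate_personal_key(key)
    if problems:
        raise ValueError("; ".join(problems))
    raw = hashlib.pbkdf2_hmac("sha1", key.encode("ascii"), ssid.encode("utf-8"), 4096, 32)
    return raw.hex()


if __name__ == "__main__":
    key = generate_personal_key()
    print("Personal Key:", key)
    # Constructed SSIDs: the same key yields unrelated network keys per name.
    for ssid in ("linksys", "Maple-House-5"):
        print(ssid, derive_psk(key, ssid))
```

Because the SSID is the salt, the same passphrase produces a different network key after the SSID is renamed.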

Next, configure each wireless computer on your network to use WPA and the key you just generated. (Wired PCs don't need to be configured.)

For each Windows XP PC:

1. Click the wireless connection icon in the system tray, then click Properties, click the Wireless Network tab, highlight your network, click Properties, and then click the Association tab.

2. In the Network Authentication drop-down box, select WPA-PSK. In the Data Encryption dialog box, choose TKIP.

3. When you do that, the box that reads "The key is provided for me automatically" is checked. Uncheck this box. Enter your WPA key in the "Network key" box, and type it again in the "Confirm network key" box.

4. Click OK and then OK again. Now the Windows XP PC can connect to your network using WPA encryption.

In Windows Vista:

1. Select Control Panel --> Network and Internet --> Network and Sharing Center --> View Status.

2. From the Security type drop-down box, select WPA-Personal or WPA2-Personal, depending on your encryption method.

3. From the Encryption type drop-down box, select TKIP. In the Network security key box, type in the security key you used on your router.

4. Click OK. Your Windows Vista PC can now connect using encryption.

If you've got a small or medium-size business, and are looking to encrypt your network, you might consider an outsourced solution, such as SecureMyWiFi from WiTopia. Prices for SecureMyWiFi vary according to your network size, and start at $99 per year for one wireless access point with 100 users.

Protect yourself using MAC addresses

There's another way to protect your wireless network: Tell it to allow only certain computers to connect, and ban all others. To do that, you'll filter by Media Access Control (MAC) addresses, which are in essence IDs for wireless adapters. Every piece of networking hardware has a unique MAC address. So you'll be able to tell your router to allow only specific MAC addresses onto the network and keep all others off.

First, you need to find out the MAC address of all of the wireless adapters on your PCs.

1. Open a command prompt on each computer, type ipconfig /all, and press Enter.

2. The screen that appears will display a good deal of information. Look for the numbers next to Physical Address, such as 00-08-A1-00-9F-32. That's the MAC address. Write all those MAC addresses on a piece of paper.

Now log back into your router, and configure MAC address filtering. On the Linksys WRT54GX4 router:

1. Click Wireless, and then click Wireless Network Access to get to the Wireless Network Access screen.

2. Select "Permit only," and type the MAC addresses into the text boxes. Click "Save settings." Now, only computers you specify will be allowed onto your network.
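Instead of copying each Physical Address by hand, the `ipconfig /all` output can be saved to a file and parsed. The following Python sketch is an added example, not part of the original article; the sample output is constructed, and selecting adapters by the word "wireless" in the connection name is an assumption that fails if the connection has been renamed.

```python
import re

# Constructed sample of `ipconfig /all` output (Windows XP style); not real hosts.
SAMPLE = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : Example Fast Ethernet NIC
        Physical Address. . . . . . . . . : 00-08-A1-00-9F-10
        Dhcp Enabled. . . . . . . . . . . : Yes

Ethernet adapter Wireless Network Connection:

        Description . . . . . . . . . . . : Example Wireless-G Adapter
        Physical Address. . . . . . . . . : 00-08-a1-00-9f-32
        Dhcp Enabled. . . . . . . . . . . : Yes
"""

# Adapter headings start in column 0 and end with a colon; detail lines are indented.
ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")
MAC_RE = re.compile(r"Physical Address[ .]*:\s*((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})\s*$")


def parse_adapters(text):
    """Map each adapter heading to its MAC address, normalised to upper case."""
    adapters, current = {}, None
    for line in text.splitlines():
        heading = ADAPTER_RE.match(line)
        if heading:
            current = heading.group(1)
            continue
        mac = MAC_RE.search(line)
        if mac and current:
            adapters[current] = mac.group(1).upper()
    return adapters


def wireless_allowlist(text, keyword="wireless"):
    """Return sorted, de-duplicated MACs of adapters whose heading names Wi-Fi.
    Assumption: the connection name still contains the keyword."""
    found = parse_adapters(text)
    return sorted({mac for name, mac in found.items() if keyword in name.lower()})


if __name__ == "__main__":
    for name, mac in parse_adapters(SAMPLE).items():
        print(f"{mac}  {name}")
    print("Enter on router:", wireless_allowlist(SAMPLE))
```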

Turn off your network when you're not using it

This simple precaution can go a very long way toward keeping you safe: Simply turn off your router when you're not using your network. If you're off at work all day and no one's home, why keep your router running? The same holds true for when you sleep, or are away from your house for another reason. The less time your wireless network is available, the less likely it is to get hacked.

Check for wireless intruders

You can never be too safe, and so even if you've taken all this advice, it's a good idea to check your network to see if intruders have made their way in. And if you haven't taken all this advice, that's all the more reason to check.

In the next part of this two-part article, I'll show you how you can check your network to see whether any intruders have managed to worm their way in.

Editor's note: Do wireless nets really pose that much of a security threat? Computerworld editors Preston Gralla and David Ramel take opposing views on this question in a Sound Off. Read Preston's "Why you need wireless protection" and David's "Why worry about wireless?" and then weigh in on the issue with your comments and in our QuickPoll.

Preston Gralla is a contributing editor to Computerworld.com and the author of more than 35 books, including How the Internet Works (Que, 2006).

This story, "How to Protect your Wireless Network" was originally published by Computerworld.

Copyright © 2007 IDG Communications, Inc.