Securing a Home Router (Wireless)

In a WLAN, anything you broadcast over the air can be intercepted. By default a wireless network is wide open to all until security is configured. Even when security is configured, information can still be intercepted! It is very important that you strengthen the "out of the box" default mode that was set by the manufacturer.

Wi-Fi or 802.11 networking uses radio waves to transmit data. Most wireless routers provide a range of up to 300 feet in all directions, and if you do not secure your network then just about anybody will be able to peruse your files! For minimum security levels you will at least want to set up a Wired Equivalent Privacy (WEP) key.

You might be surprised to know that spammers and malware users could be "Wardriving" in your neighborhood with their laptops and Wi-Fi detectors seeking a wireless connection to tap into.  These hackers know default router passwords and often will find an open portal where NOTHING can be traced back to them. Unfortunately, every nasty act that they perform on an unsecured and open wireless network will be traced back to you.

Since your router is connected to the internet and stands in front of your computer, there is no firewall that will warn you about this type of intrusion. The router firewall can block users on the internet from accessing your computer, but this same firewall will not stop people in range of your local Wi-Fi signal from getting into your network. Once on your network, they can slow down your internet performance, browse your file system, drop dangerous malware on your system, read your email, intercept your user name and password, send you spam, surf porn, and perform myriad illegal activities with your internet connection.

Always read the instructions that come with your wireless router.  Since you are using this technology it is up to you to secure it as best you can.

How to secure your wireless router:
Linksys
1. Go to http://192.168.1.1 and change the IP address of your router to a valid private address like 192.168.3.1. You will always be able to get to the web interface by typing the IP address of your router (the default gateway) into the browser navigation toolbar: http://192.168.3.1/
2. Always change the default settings on your router. The first thing you should do is change the default administrative login and password. The password should never be a word that you can find in a dictionary!
3. Wireless Network Mode = mixed.
4. Turn on the router hardware firewall: Block Anonymous Internet Requests, Filter IDENT at Port 113, and filter multicast. Editor's note: Check your specific router's manual for how to enable its firewall, as this can be brand specific.
5. Set your Service Set Identifier (SSID) wireless network name to something unique that will not be confused with your neighbor's name.
6. To protect your router DNS settings from being hijacked you should install EZDNSWatch. (This application is totally free for personal use.)
7. Set a different default channel (the default is channel 6). Use channel 1 or channel 11.
8. Disable remote administration.
9. USE DATA ENCRYPTION. Try to use Wi-Fi Protected Access (WPA) encryption instead of WEP. WEP can be easily compromised. For WPA Algorithms, use TKIP. To create a strong password for WPA, use Steve Gibson's strong password generator.
10. DO NOT USE MAC FILTERING! A MAC address is a 12-digit HEX number that can be easily sniffed by a hacker.
11. DO NOT auto-connect to open Wi-Fi networks.
12. DHCP: Eliminate or reduce the allocation of IP addresses. Give your nodes static addresses or reduce the size of the address pool. Limit the number of DHCP addresses to the number of devices on your network that will require DHCP.
13. Make sure that your router has the latest firmware installed. Your router manufacturer will periodically issue firmware updates, so you should check the manufacturer website for updates on a quarterly basis.
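
The script below turns several items from the list above (router address, channel, remote administration, encryption, DHCP pool size) into checks you can run against the settings you plan to enter. It is an added example, not part of the original article; the `audit_plan` function, the dictionary keys and both sample plans are constructed for illustration.

```python
import ipaddress

# RFC 1918 private ranges; the router's LAN address must fall in one of them.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FACTORY_LAN_IP = "192.168.1.1"  # the default address named in the article

def audit_plan(plan):
    """Return a list of findings for a planned router configuration (dict)."""
    findings = []
    # Router address: must parse, be private, and differ from the default.
    try:
        lan_ip = ipaddress.IPv4Address(plan["lan_ip"])
    except ValueError:
        lan_ip = None
        findings.append("lan_ip: not a valid IPv4 address")
    if lan_ip is not None:
        if not any(lan_ip in net for net in PRIVATE_NETS):
            findings.append("lan_ip: not a private address")
        elif str(lan_ip) == FACTORY_LAN_IP:
            findings.append("lan_ip: still the factory default")
    # Channel: move off the default channel 6 to channel 1 or 11.
    if plan["channel"] not in (1, 11):
        findings.append("channel: use 1 or 11")
    # Remote administration must be off.
    if plan["remote_admin"]:
        findings.append("remote_admin: disable it")
    # Encryption: open networks and WEP are rejected; WPA variants pass.
    if not plan["encryption"].upper().startswith("WPA"):
        findings.append("encryption: use WPA, not WEP or none")
    # DHCP: the pool should be no larger than the number of devices that
    # need DHCP, and must not hand out the router's own address.
    start = ipaddress.IPv4Address(plan["dhcp_start"])
    end = ipaddress.IPv4Address(plan["dhcp_end"])
    pool_size = int(end) - int(start) + 1
    if pool_size > plan["dhcp_devices"]:
        findings.append(
            f"dhcp: pool of {pool_size} exceeds {plan['dhcp_devices']} devices")
    if lan_ip is not None and start <= lan_ip <= end:
        findings.append("dhcp: pool contains the router address")
    return findings

# Constructed sample plans: factory-style settings and a hardened set.
FACTORY_PLAN = {"lan_ip": "192.168.1.1", "channel": 6, "remote_admin": True,
                "encryption": "WEP", "dhcp_start": "192.168.1.100",
                "dhcp_end": "192.168.1.149", "dhcp_devices": 4}
HARDENED_PLAN = {"lan_ip": "192.168.3.1", "channel": 11, "remote_admin": False,
                 "encryption": "WPA", "dhcp_start": "192.168.3.100",
                 "dhcp_end": "192.168.3.103", "dhcp_devices": 4}
```

An address such as 123.456.7.8 is reported as invalid because 456 is not a legal octet, and a public address is reported as not private even though it parses.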

Author:GUEEN
8 Comments

Expert Comment

by:b0lsc0tt
Good article!  Lots of great advice.

One point I'd like clarified.  In item 6 in the list is the DNS setting you refer to the one on the computer or the router?  The computer makes more sense but it wasn't real clear in the article as I read it.  This would mean you suggest the computer's network adapter does not obtain DNS server info from the router but the server address (actually usually 2 addresses) is entered in the network adapter's properties?

I don't disagree but curious to hear a reason why that is better in your opinion or a recommended best practice.

One last thing ... is there a disadvantage to setting up MAC filtering in your opinion?  Good reasons on why it isn't as secure or safe as some may feel but is there a disadvantage?  I see one benefit is an extra level of control against the casual "hacker" but am interested to hear if there is a negative.

Author Comment

by:GUEEN
Hi b0lsc0tt- this was an old rough draft  - the correct version at my blog lists as:

6-    To protect your router DNS settings from being hijacked you should install EZDNSWatch.  (This application is totally free for personal use).

MAC filtering is too easily spoofed and an open door to spammers, scammers, and such.


Expert Comment

by:b0lsc0tt
Thanks for the suggestion of the program.  VERY INTERESTING!  Do you have a comment on the OpenDNS service they seem to support?  I recently saw it mentioned very positively and have been looking in to it.  Interesting coincidence that the program you suggest would mention them too. :)

Administrative Comment

by:jonathan_hoekman
This article has been updated so that the last line was removed and the zone was changed to Networking Routers.  If you have any objections, or would prefer for this to get deleted, please let me know.

Thanks shekerra!

Expert Comment

by:Eric Fletcher
There are a couple of editorial items to be addressed in this article...

1. Check your acronyms: in step 9 you state "WPA (Wired Equivalency Privacy) encryption instead of WEP (Wi-Fi Protected Access)" but the acronyms are inconsistent with the words (are they reversed?). You do the same in the 2nd paragraph.

2. A number of odd characters appear: a bit further on in step 9, "WPA  use Steve Gibsons  strong" has a box with 00 and 13 stacked after WPA, and a box with 00 and 19 stacked where the apostrophe should be in Gibson's. This can happen if you prepare the copy in a word processor and then paste it into the article. To get around it, try going through a basic editor like Notepad (copy, then paste to Notepad, select all, copy, then paste into the EE dialog).

However, I have a more serious problem with this article, and I hope you don't mind my constructive criticism.

What is your assumed audience for this? From the lead in, I assume you are aiming it at novices, but if so, you need to assume a MUCH more basic knowledge level and include more information.

For example, in step 1, "something like" is too vague: would it be okay to use "123.456.7.8" or "my personal router"? No, I know it wouldn't be, but are you sure your reader would know? Be specific.

And in step 4, if the user has no idea about how to "turn on the router hardware firewall" they will not be able to "Block Anonymous Internet Requests, Filter IDENT at Port 113, and filter multicast". If you provide the instruction, you should let them know what these items are, even if you just provide links. I wouldn't classify myself as a novice, but I know I would need to look these up to understand what they do.

Sorry, but while I was attracted by the topic title, I did not find anything in this article beyond what I would expect to find in a manufacturer's manual. These articles will be found by people using online searches for information about a topic. If they are to be useful, they will need to provide more than what is generally available elsewhere. Unfortunately, I don't think this is the case for this article.

Expert Comment

by:winhtethan
Yes, accept it.

But for more security, change the router firmware to open-source Linux firmware like DD-WRT, then build a RADIUS server and use the router with RADIUS authentication.

Expert Comment

by:mateojaime07
Also, wasn't there an exploit of the WPS functionality in some of the newer routers? Just as a be-aware for those who use that to set up their PC to communicate with their router.

Thanks,
http://mjddesign.wordpress.com

Expert Comment

by:Christopher Jay Wolff
This article was helpful to me.  I cannot get a manual for my Pace router and have not easily found what I want with search engines.  I have been working hack issues for a while and most recently have the neighbor's satellite router listed as my Network Infrastructure in FE.  I'm new with all this and am trying to lock things up.  My router stuff is here...

http://www.experts-exchange.com/questions/28864339/I'm-supposed-to-be-on-a-Pace-router-not-a-Cisco-router-and-not-dish-satellite.html

The follow-up comments are helpful also.  Thank you all.