Wi-Fi Security

 
What is Wi-Fi and why would someone want onto my network?

 

The term Wi-Fi is short for wireless fidelity. It refers specifically to wireless local area networks (WLANs) that use the standards spelled out in the IEEE 802.11 specification. What this means is that any wireless device that meets the 802.11 specifications can connect to your wireless network if it is unsecured. Once on your network, this device could use your connection to surf, e-mail, download, spread viruses, attack others, and, worse yet, access your own computers and personal data if they are not properly protected.

 

You may think that there is nothing of importance on your network, but you would be surprised. A person who is wardriving (the act of driving around and accessing wireless networks) is similar to a regular hacker. They are looking to use your connection and resources. They may also look for personal information, financial info, or just cause havoc with you and your connection. The major difference is that the wardriver is much less likely to get caught. Where a hacker leaves a path of computer connections and footprints, a connection to your wireless network leaves little other than the connecting device's supposed MAC address. This person would have to be in range of your wireless access point, but depending on make, model, and surroundings, this distance could be huge.

 

 

Ten steps you can take to secure your home Wi-Fi network:

 

1. Change your router's access name and password.
It's easy for attackers to find out what the default name and password are for various manufacturers. Many also default to using the standard 192.168.0 subnet internally and give the router itself the IP address of 192.168.0.1. You should make sure you rename the router, assign a strong password for accessing the router configuration software, and consider changing the IP addressing to a different internal subnet like 192.168.12 or 192.168.83 (you can use any number from 1 to 254 in most cases).

 

2. Don't let users piggyback onto your Wi-Fi net -- turn off peer-to-peer connections.
Disable the "ad-hoc" mode, which lets clients set up peer-to-peer networks and could allow rogue users to connect to your network through a legitimate wireless client.

 

3. Stop broadcasting your router's network ID.
Next, disable broadcast of the SSID (Service Set Identifier). The SSID is like the network name for the wireless portion. In order for wireless clients to connect they first must know the SSID. A wireless access point (AP) or router in open network mode will periodically broadcast a beacon signal (usually about 10 times each second) which announces to the world that the network is live and ready to go. The beacon also includes data such as the signal strength and functional capabilities of the AP as well as the SSID.

 

4. Approve all wireless network users in advance.
Taking the closed network concept a step further, turn on the MAC addressing filter in your wireless router. Most Wi-Fi gateways let you restrict access to known MAC (Media Access Control) addresses. Each network device (such as a computer, Wi-Fi card, or printer) has a unique MAC address, and by allowing access only to pre-defined MAC addresses you greatly reduce the risk of rogue clients connecting with or perusing your network resources.

 

5. Turn on wireless data encryption.
The next step on the wireless security ladder is to enable WEP (Wired Equivalent Privacy) or WPA (Wi-Fi Protected Access) encryption. WEP is the original Wi-Fi encryption scheme, and comes in several flavors -- 40-, 64-, and 128-bit. WPA builds on WEP encryption by scrambling the key and integrity-checking it to ensure it hasn't been tampered with. Additionally, it allows authentication using public key infrastructure (PKI) encryption, rather than relying on MAC address filtering.

 

6. Periodically check router logs for rogue users.
Check frequently for rogue access points or clients attached to the network. Most Wi-Fi gateways have a status screen that shows the MAC addresses of all clients currently connected to the network, and some have logging capabilities that will keep track of wireless connections. If you spot unknown clients attached for lengths of time (not just passing by), change your WEP or WPA code, and scout around for where they might be located.

 

7. Use a strong firewall.
Most home networking routers come with built-in firewall capabilities. The firewall is usually a basic port-blocking or packet-filtering firewall which lets you permit or deny incoming traffic on certain ports. The best way to protect internal computers behind your access point is a software firewall. A software firewall has much stronger controls and features than the firewall built into most access points.

 

8. Password-protect your computers and files.
Often overlooked in a home environment, passwords provide another level of security for your private data. You can generally password-protect and/or encrypt your computer, certain folders, or even specific files. Make sure your passwords are not easily guessed or written on a sticky note on the front of your monitor.

 

9. Put your wireless network on its own subnet (This step is mainly for small business and commercial accounts).
If you're a network pro and have a small office network, consider doing a couple more things: change the default community names that ship with network management tools like SNMP so they can't be easily guessed; and put wireless access points on separate subnets with firewalls between them and the main network.

 

10. Turn off wireless cards and routers when not in use.
The final word of advice for your home wireless network is "Turn it off!" While it may seem like a pain, you'll sleep easier knowing that since your gateway, computer, laptop etc. are not turned on, no one can access them. Use a power strip to plug in all your devices, and just flip one switch when you get to work. In multiple-user households, you'll probably want to leave the broadband gateway on 24/7, but you can still turn off your own personal computer. A computer that isn't connected can't be hacked or compromised from the network.
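
Steps 4 and 6 above can be combined into one routine check. The following is an added example, not part of the original page: it reads a connection log, compares each client against the list of approved MAC addresses, and reports unapproved clients that stayed attached rather than just passing by. The log line format, the MAC addresses and the 10-minute threshold are constructed assumptions; real router logs differ by vendor.

```python
import re
from datetime import datetime, timedelta

# Constructed allowlist: the MAC addresses approved in advance (step 4).
APPROVED = {"00:11:22:33:44:55", "66:77:88:99:AA:BB"}
# Constructed sample log; the line format is an assumption, real routers differ.
SAMPLE_LOG = """\
2024-03-01 08:00:05 ASSOC 00:11:22:33:44:55
2024-03-01 08:02:10 ASSOC 02:00:00:aa:bb:01
2024-03-01 08:02:40 DISASSOC 02:00:00:aa:bb:01
2024-03-01 09:15:00 ASSOC 02-00-00-CC-DD-02
2024-03-01 11:45:00 DISASSOC 02:00:00:cc:dd:02
2024-03-01 12:00:00 ASSOC 66:77:88:99:aa:bb
2024-03-01 13:30:00 ASSOC 02:00:00:ee:ff:03
2024-03-01 14:00:00 DISASSOC 00:11:22:33:44:55
"""
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")

def normalize_mac(raw):
    """Lower-case and use ':' separators so allowlist comparisons match."""
    mac = raw.strip().lower().replace("-", ":")
    return mac if MAC_RE.match(mac) else None

def lingering_unknown_clients(log_text, approved, min_stay=timedelta(minutes=10)):
    """Return {mac: total time attached} for unapproved clients that stayed."""
    approved = {normalize_mac(m) for m in approved}
    open_since, total, last_seen = {}, {}, None
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] not in ("ASSOC", "DISASSOC"):
            continue  # not a connection event
        mac = normalize_mac(parts[3])
        try:
            when = datetime.strptime(" ".join(parts[:2]), "%Y-%m-%d %H:%M:%S")
        except ValueError:
            when = None
        if mac is None or when is None:
            continue  # malformed MAC or timestamp
        last_seen = when  # assumes the log is in chronological order
        if parts[2] == "ASSOC":
            open_since.setdefault(mac, when)
        elif mac in open_since:
            total[mac] = total.get(mac, timedelta()) + (when - open_since.pop(mac))
    # A client still attached at the end of the log counts up to the last entry.
    for mac, start in open_since.items():
        total[mac] = total.get(mac, timedelta()) + (last_seen - start)
    return {m: t for m, t in total.items() if m not in approved and t >= min_stay}

if __name__ == "__main__":
    print(lingering_unknown_clients(SAMPLE_LOG, APPROVED))
```

Because a client reports its own MAC address, this check only finds clients that do not present an approved one.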