Tips: WiFi Security for Home Networks
Introduction
Security is a huge concern for anyone setting up a WiFi network, as anyone who is close enough to the hotspot can break into your system and access the information. Therefore it is important that suitable security measures are adopted along with setting up a WiFi network, whether at home or workplace.
Here are a few tips that can help you establish reasonably good security measures for your home or small office WiFi network, with a standard wireless router and one or more roaming access points.
Change the router’s default name and password
This is the most fundamental step, as intruders can easily find out the default name and password of the manufacturer. In fact most of the manufacturers stick to the IP addresses 192.168.1.1 or 192.16.2.1. Therefore ensure to rename the router and have a strong password to access the router configuration software. You may even consider changing the IP addressing.
Disable Peer-to-Peer Networks
Go for the infrastructure mode on all access points and do not allow the ad-hoc mode that would permit intruders to enter your network through a legitimate user of your network.
Do not broadcast your router’s network ID
In technical terms, this is called disabling SSID (Service Set Identifier) broadcast. A wireless hotspot access point will regularly – as often as ten times per second- broadcast a beacon signal that announces its presence. It is possible to find information such as strength of the signal, the access point’s functional capabilities and the SSID from the beacon. Therefore it is advisable for any private WiFi hotspot to disable this beacon. This way, only those who already know the SSID can connect with the hotspot.
This method is not completely foolproof, as it is still possible for seasoned hackers to detect such closed networks. However this way you will at least be doing what best you can do.
Identify and approve all your authorized users in advance
This is made possible by turning on the Media Access Control (MAC) addressing filter in your router. This is a standard procedure with most WiFi gateways. Each connectible device (laptops, PDAs, computers, Wi-Fi cards etc) has a unique MAC address. By pre-defining which MAC addresses can access your network, you can prevent intruders from connecting with your resources.
This again is not foolproof, as it is still possible for hackers to intercept the wireless data packets as they travel from your network to an authorized user. And with these data packets, the hacker also gets the SSID and the MAC address of the authorized user. The hacker can then easily use this MAC address to help his system look like an accepted user.
Use wireless data encryption
Use either WEP (Wired Equivalent Privacy) or WPA (Wi-Fi Protected Access) encryption. It has been found that WEP is relatively easy to crack however some protection is still better than none at all. WPA and its more recent version WPA2 are safer bets, as they require all the devices including the source as well as the clients be set to its code.
Regardless of which encryption you use, it is more important to change your encryption as often as possible.
Check router logs regularly for unauthorized users
Wi-Fi gateways usually show the MAC addresses of current users on a status screen. Many gateways can also keep a log of the users. Scout around regularly for anything that looks suspicious, like an unauthorized user staying connected for long- and not connected because he happens to pass by. Change the encryption if you spot anything that maybe suspicious.
You can also install a packet sniffer like Ethereal that not only shows if unauthorized users are accessing your information but also shows what information they are getting.
Set up a strong firewall
The steps we discussed so far can only prevent a wireless user from accessing the information in your network. In other words, WEP and WPA encryption protect only data in the air. They do not take care of a hacker breaking into your hotspot from the wired end.
Standard home networking routers have built-in firewalls and they usually monitor incoming traffic. Typically, they block all incoming ports. There are also Stateful Packet Inspection (SPI) firewalls that can report attacks, intrusions and all suspicious activities.
The standard firewalls can take care of your requirements in most cases. However if you are part of peer-to-peer file sharing networks, you need to take special precautions. TCP ports 135, 137, 138, 139 and 445 are best blocked from external access. You would also do well to disable NetBIOS over TCP/IP. Personal firewalls are also worth considering.
Use passwords for your computers and files
This aspect is typically ignored in home networks, but can easily add more security. You may choose to password to your computer or special files or areas. It makes sense to choose passwords that are not easy to guess.
Make sure to preserve sensitive or confidential files in folders that are set to authorized access. All the new operating systems like Windows 2000, Windows XP and Mac OS X have built-in password capability.
Segment the wired and wireless networks
Designate your wireless access points as separate subnets with firewalls in between them and the main network. Also make sure that your community names are not easy to guess, as these get broadcasted with network management tools like SNMP>
Switch off your connectible devices when you are not using them 0
The logic is simple. No one can access your laptop or computer when it is switched off. If you have multiple users to your network, you may need to leave the wired connection on even when you are not using them. But you can still switch off your own PC or laptop.