How to Secure a Wireless Router

So you just bought a wireless router. You bring it home, and plug it into the power source. You then take an ethernet cord and plug the router into your modem. Now on all your wireless devices, you see a connection for WiFi. That’s it, you’re all done, right?
Well, there’s actually a little more to it than that. See, if it was that easy for you to connect to your wireless, then it’s just that easy for someone else as well. What if your neighbors decide that they want to save money and mooch off your connection, consuming precious bandwidth that you could be using? Or say a visitor is in your neighborhood one day and decides to find some free internet. This visitor may want to hack into your network in an attempt to retrieve vital information about you, commit a cyber-crime that is now linked to your IP address, or just do some harmless surfing. Either way, it’s your internet, and if someone uses it unbeknownst to you, it’s stealing.
Most wireless routers you buy today come with software that will take you through steps for setting up your router. But you still need to know what you are doing if you want your home network to be safe. Today I want to give you a few tips for securing a wireless network. So you will need to start by connecting a computer to your router via an Ethernet cord.
The first thing I do when setting up a router for the first time is change the default password. If a person gets access to your network, it’s possible for that person to log into your router and change the settings. Routers have a default IP address where you can log in. You can do a quick Google search and find the default IP for any router. If you don’t know the brand of the router, the most common five that I’ve seen are:
I’ve tested many home networks, and the IP was usually one of those five, with being the most common of the five. You can also find this IP by typing “ipconfig” in Command Prompt (cmd). You’ll be looking for the Default Gateway.
Once you find the IP, type it in your browser address bar.
In addition to having a default IP, routers have a default user name and password as well, which can also be found using a quick Google search. Here are some of the most common logins:
* U: admin P: admin
* U: admin P: password
* U: admin P: (blank)
* U: admin P: 1234
* U: user P: user
* U: user P: (blank)
So if a person gets access to your home network, they can usually guess at different login combinations until they find one that works. So, let’s start by changing the login credentials. The firmware on each router is different, so your screen may not look exactly like mine but there will be similar options:
Access the Administration options and change your router’s password. Make the password strong (lowercase, uppercase, numbers, and special characters) so that a person cannot easily guess it. If your router allows it, also change the user name to something other than the default (some routers don’t provide a means for changing the user name). If you do change it, don’t use your name; pick something hard to guess.
When configuring your wireless router, you definitely want to require users to enter a key before being granted access. Find your router’s Wireless Settings. Let me remind you again, your screen may not look exactly like the one I have depicted here.
The first thing you need to know about this screen: don’t panic. There are a lot of options here that you probably don’t know anything about. Don’t worry, I will tell you exactly what you need to choose. For our purposes today, there are only 4 options that we need to be concerned with: SSID, Authentication Method, Encryption, and Pre-Shared Key. If you don’t see the exact same names on your screen, it’s OK:
* Service set identification (SSID): this is the unique identifier of your wireless network, or you can say network name. Whenever you connect a wireless device to your network, this will be the name of the wireless connection.
* Authentication Method: This is a selection of wireless security protocols used for authentication purposes. The name of this option is not universal to all routers. It may be something completely different on your router. It can be named Security Mode, Security Options, Authentication Method, etc. For this option, you want to choose either WPA-Personal (WPA-PSK) or WPA2-Personal (WPA2-PSK). Do not choose WPA-Enterprise or WPA2-Enterprise; those options require another layer of authentication (only needed for larger companies) and are not well suited for a home or small business network. Also do not choose WEP; it is a deprecated standard that has many security loopholes.
* Encryption: This is a selection of an encryption method. There is only one option you want, and that’s AES. You may see TKIP as an option, but this protocol is deprecated and is no longer secure. In some wireless configurations you will see Encryption and Authentication Method as one option instead of two.
* Pre-shared Key: This is a shared secret, meaning it’s something known only to the parties involved. You provide a passphrase, and the router derives an encryption key from your passphrase and uses it to encrypt your wireless network traffic.
Now you may be asking, “Why not hide the SSID?” I constantly hear that not broadcasting your SSID will make your network more secure. But trust me, you’ll just be causing yourself additional headache from not being able to see your wireless network name, and you’ll have to key the name in for each new device that wants to connect. And some devices will not connect to a network that has a hidden SSID.
But my network will be more secure if no one can see the name right? Won’t this protect me from hackers?
Sorry, it won’t. See, while you can hide the name of your wireless network, it’s still not really hidden because it’s still transmitting. If someone is running a wireless network sniffer/analyzer, they can use it to scan the airwaves for data packets (your wireless devices are constantly in communication with your router), and all the info they need is in those packets (including your SSID). So if Hacker Jason wanted to access your network, hiding your SSID will not stop him. If he’s good, encryption probably won’t stop him. But a strong passphrase and WPA/WPA2 authentication will definitely stop Neighbor Barry across the street from stealing your WiFi.
The option to set up a guest network is not an included feature in every router. But if you have this option, you want to use it and I will tell you why. Setting up a guest network allows you to configure a subnetwork that does not have access to your intranet. So visitors will not have access to information and files that you share over your primary network. You can create a guest network for friends and family, or for customers if you run a business, and not worry about exposing private material.
You configure the guest network the same way as your primary network. Also, if you run a business, you don’t ever want visitors connecting to your primary network; they should only have access to the guest network.
Since you’ve set up this wireless connection for visitors, it’s OK to make the passphrase something easier to remember. But make it a strong phrase, stronger than the one you see in the pic above. A good usable passphrase would be something like “#Guest$1265”. It’s strong (this is only strong in relation to a passphrase for a guest network, for any other purpose add more complexity), you can remember it, and it’s not easy to guess.
If you run a business, it may be a good idea to change the passphrase every once in a while. For instance, I’ve stayed at several hotels that changed the passphrase on their guest wireless every week. Once you are no longer a guest, you should not be able to continue enjoying guest benefits.
Wi-Fi Protected Setup (WPS) is a security standard that was developed with the home user in mind. It’s a simple way of securing a network and adding new devices to it with an 8-digit PIN, without needing much security knowledge. Some routers even have a WPS button (a software button and a physical button located on the router itself).
Unfortunately WPS does the opposite of what was intended; it makes your network more vulnerable instead of more secure. A hacker can perform brute-force attacks against your network and obtain the WPS PIN quite easily. You may be thinking that an 8-digit PIN should take a while to crack, right? Well, the problem with WPS is that even though there is an 8-digit PIN, it’s treated as 2 sets of 4 instead of just one big PIN. After cracking one set, the hacker can move to the next set. There are also methods for cracking both sets in one go.
When offered WPS, just say no.
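The steps above collected into one self-check, as an added example that is not part of the original post. The configuration layout and field names are hypothetical (routers do not export settings in a common format), and both sample configurations are constructed.

```python
import string

# Factory logins listed in the article; a router still using one is unconfigured.
DEFAULT_LOGINS = {("admin", "admin"), ("admin", "password"), ("admin", ""),
                  ("admin", "1234"), ("user", "user"), ("user", "")}
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def is_strong(secret, min_len=8):
    """True if the secret is long enough and mixes all four character classes."""
    return len(secret) >= min_len and all(
        any(ch in group for ch in secret) for group in CLASSES)

def audit(cfg):
    """Return findings for one router config. Field names are hypothetical."""
    findings = []
    if (cfg["admin_user"], cfg["admin_password"]) in DEFAULT_LOGINS:
        findings.append("admin: factory default login")
    elif not is_strong(cfg["admin_password"]):
        findings.append("admin: weak password")
    for name in ("primary", "guest"):
        wlan = cfg.get(name)
        if wlan is None:
            continue  # guest network is optional; not every router has one
        if wlan["auth"] not in ("WPA-PSK", "WPA2-PSK"):
            findings.append(f"{name}: auth mode {wlan['auth']}")
        if wlan["encryption"] != "AES":
            findings.append(f"{name}: encryption {wlan['encryption']}")
        if not is_strong(wlan["passphrase"]):
            findings.append(f"{name}: weak passphrase")
    guest = cfg.get("guest")
    if guest and guest.get("lan_access"):
        findings.append("guest: can reach the primary network")
    if cfg["wps_enabled"]:
        findings.append("wps: enabled")
    return findings

# Constructed sample configurations: out of the box, and after the steps above.
FACTORY = {"admin_user": "admin", "admin_password": "admin", "wps_enabled": True,
           "primary": {"auth": "WEP", "encryption": "WEP-64", "passphrase": "12345678"}}
HARDENED = {"admin_user": "netkeeper", "admin_password": "v7#Lq!2mTz@9", "wps_enabled": False,
            "primary": {"auth": "WPA2-PSK", "encryption": "AES", "passphrase": "Blue!Kettle7-Orchid"},
            "guest": {"auth": "WPA2-PSK", "encryption": "AES", "passphrase": "#Guest$1265",
                      "lan_access": False}}

if __name__ == "__main__":
    for label, cfg in (("factory", FACTORY), ("hardened", HARDENED)):
        print(label, audit(cfg) or "no findings")
```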
Following these steps will give you a pretty secure wireless network. Of course, you can take it further than this, but these steps definitely are my “non-negotiables of wireless networking.” I hope this was helpful. Leave a comment; let me know what you think. Take care.