Securing your home wireless network is important, because you do not want to:
- Get accused of being a criminal or, worse, a terrorist, because somebody used your wifi network to hack others, threaten somebody, or look up bomb-building instructions (let's say).
- Allow others to intercept your online traffic, see which websites you are surfing, or hijack your user sessions, usernames and passwords over the air.
- Receive a "friendly visit" from a SWAT team complete with assault rifles and flashbang grenades.
Hence, here are 16 steps to secure your home wifi router and wireless network, ranked in descending order of importance (critical items first, then medium-priority items, then low-priority, optional items):
- Turn off remote management: disallow any attempt to log in to and manage the router from the external (Internet) interface. This is the most important setting to double-check during setup, though it is typically already disabled out of the box.
- Turn on WPA2 with AES encryption: this encrypts all wireless traffic and discourages over-the-air sniffing and interception of client traffic. Do NOT use WEP; it can be cracked in a matter of minutes (the fastest WEP crack was done in under 1 minute!). Also, do NOT use WPA with TKIP; it has been shown to be compromised as well.
- Turn off WPS (Wi-Fi Protected Setup): there is a serious bug in the WPS protocol that potentially allows break-ins to millions of wifi routers. It turns out that Wi-Fi Protected Setup is not very "protected" at all: the searchable key-space is only around 11,000 instead of 110 million, which is easily crackable in a matter of hours or perhaps less. Hence WPA2 pre-shared keys should be set manually instead of relying on WPS.
- Set a complex pre-shared key: once WPS is off, the WPA2 pre-shared key should be at least 12 characters long to discourage brute-force attacks.
- Set a complex password for router management: never leave the wifi router on its default out-of-the-box password, such as admin, linksys, netgear or the like. Use a suitably long and complex password.
- Disable over-the-air management: this disallows attempts to sniff or hack router management over the wireless interface. The setting may be labelled "Enable Web Access" on some Cisco/Linksys routers, and may go under a different name on other brands and models.
- Enable HTTPS (SSL) for management: after disabling over-the-air router management, this setting also discourages casual sniffing of the router admin password over the wired interface.
- Disable UPnP: this prevents attacks on Universal Plug-and-Play (UPnP) that potentially allow attackers to make use of the wifi router or take over router management.
- Update wifi router firmware: from time to time there will be firmware updates with bug fixes and security patches. Keep on top of these updates to keep your wifi router secure.
- Remove unused incoming NAT rules: after disabling UPnP, this part of hardening closes unused ports and reduces exposure to NMAP-style port scanning. Ensure that the remaining incoming NAT or firewall rules point to the right internal IP addresses and ports. Separately, outside the scope of router hardening, harden the OS of any internal servers: check that they are suitably patched and that unused services are shut down when they are not needed.
- Set up a separate guest network: instead of giving your guests access to your entire internal network, use the feature most modern wifi routers have to set up a separate guest network that is isolated from the rest of your internal network. The guest zone has its own wifi password, which you can hand out to your guests when they arrive. As a best practice, consider changing that password after each set of guests leaves, or disable the guest network entirely after their visit.
- Set DHCP reservations: for internal printers, network storage devices or other servers that normally obtain an IP address via DHCP, you can "reserve" a fixed IP address for each device, keyed to that device's MAC address. This is more for convenience than security, but it does make it a bit easier to notice "strange" IP addresses that should not be there.
- Set static DNS servers: for slightly (or drastically, depending on your ISP) improved performance and security, you may consider using an alternative static DNS server such as Google's DNS service at 126.96.36.199 (primary) and 188.8.131.52 (secondary).
- Enable AP isolation: this is a workaround against the so-called Hole196 vulnerability, which allows attackers already inside the network to get hold of the encryption key. It is not a worry most of the time for home users, unless you have guests coming over and you share your network with them by entering your wifi password on their devices. For guests, it is actually preferable to set up a separate guest network (see the earlier point above). Note that enabling this setting will most likely cut off your connection to other networked devices such as printers and network storage, so enable it only if you have no such devices in use.
- Hide the SSID: to discourage casual attempts to connect to your wifi router, turn off SSID broadcast. People will typically first try their luck at connecting to stations that are broadcasting their SSIDs.
- Wireless MAC filter: not that secure, since MACs can be easily spoofed, hence this is listed as the last option. It does not help much against determined, professional attackers, but it discourages casual attempts.
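As an added example (not code from the original article), the following Python script checks a candidate WPA2 pre-shared key and router admin password against the "complex pre-shared key" and "complex management password" steps above, and generates a passphrase from the OS random number generator. The 12-character minimum is the article's own rule; the three-character-class heuristic, the sample list of factory-default passwords and the guess rate behind the time estimate are assumptions of this example, not figures from the article.

```python
"""Checks for the two passwords a home router depends on: the WPA2 pre-shared key
and the management (admin) password. Added example; everything beyond the article's
"at least 12 characters" rule is an assumption of this script."""
import math
import secrets
import string

# A WPA2 passphrase is 8 to 63 printable ASCII characters (IEEE 802.11 limit).
PSK_ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_PSK_LENGTH = 12  # the article's recommended minimum

# Constructed sample of factory-default admin passwords (the article names admin, linksys, netgear).
DEFAULT_ADMIN_PASSWORDS = {"", "admin", "password", "linksys", "netgear", "1234", "12345678"}

CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)

# Assumed offline guess rate against WPA2-PSK (PBKDF2) on commodity hardware; a placeholder figure.
ASSUMED_GUESSES_PER_SECOND = 500_000


def char_classes_used(secret: str) -> int:
    """Count how many of the lower/upper/digit/punctuation classes appear in the string."""
    return sum(any(ch in cls for ch in secret) for cls in CHAR_CLASSES)


def check_psk(psk: str) -> list:
    """Return the list of problems with a WPA2 passphrase; an empty list means it passes."""
    problems = []
    if not 8 <= len(psk) <= 63:
        problems.append("length must be 8 to 63 characters (802.11 limit)")
    if len(psk) < MIN_PSK_LENGTH:
        problems.append(f"shorter than the recommended {MIN_PSK_LENGTH} characters")
    if any(ch not in PSK_ALPHABET for ch in psk):
        problems.append("contains characters outside printable ASCII")
    if char_classes_used(psk) < 3:
        problems.append("uses fewer than 3 character classes (heuristic, not from the article)")
    return problems


def check_admin_password(password: str) -> list:
    """Problems with a router management password; factory defaults are rejected outright."""
    problems = []
    if password.lower() in DEFAULT_ADMIN_PASSWORDS:
        problems.append("matches a well-known factory default")
    if len(password) < MIN_PSK_LENGTH:
        problems.append(f"shorter than {MIN_PSK_LENGTH} characters")
    if char_classes_used(password) < 3:
        problems.append("uses fewer than 3 character classes")
    return problems


def generate_psk(length: int = 20) -> str:
    """Draw a passphrase from the OS CSPRNG; resample until it passes check_psk."""
    if not MIN_PSK_LENGTH <= length <= 63:
        raise ValueError(f"length must be between {MIN_PSK_LENGTH} and 63")
    while True:
        candidate = "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))
        if not check_psk(candidate):
            return candidate


def entropy_bits(psk: str) -> float:
    """Upper bound on entropy if every character was drawn uniformly from PSK_ALPHABET."""
    return len(psk) * math.log2(len(PSK_ALPHABET))


def years_to_exhaust(psk: str, guesses_per_second: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Years needed to try the whole key space at the assumed rate (attacker's worst case)."""
    return 2 ** entropy_bits(psk) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    psk = generate_psk(20)
    print(f"generated PSK: {psk} ({entropy_bits(psk):.0f} bits, "
          f"{years_to_exhaust(psk):.3g} years to exhaust at the assumed rate)")
    for candidate in ("linksys", "sunshine2012", psk):
        print(f"{candidate!r:24} PSK problems: {check_psk(candidate)}")
    print("admin password 'admin':", check_admin_password("admin"))
```

The entropy figure is an upper bound that only holds for randomly generated passphrases; a human-chosen 12-character phrase made of dictionary words is far weaker than the formula suggests, which is why the script generates the key rather than scoring one you typed.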
Hiding the SSID makes life a little more inconvenient, as you have to set up each client manually since it can no longer scan for and find the router. In Windows 7, for example, you have to select the option "Connect even if the network is not broadcasting its name (SSID)". Determined attackers have tools to sniff out hidden SSIDs anyway, so this option adds little real security.
The wireless MAC filter makes life even more inconvenient (you have to note each new client's MAC address and add it to the permitted list) and gives even less back in terms of security (MAC addresses can be easily changed and spoofed with a simple command in Linux or a few clicks in Windows), so in most cases it is not worth bothering with.
Some people talk about reducing the wireless signal strength, and some router firmware allows it. But you do not really want to do that: it reduces your convenience, while all your adversary needs to do is get a signal booster or simply move a little closer to your wifi router. If you are paranoid enough to be thinking about shielding materials, signal penetration and the like, perhaps you shouldn't be using a wireless network at all (and you probably work for an agency with about 3 letters in its name).
Anyway, the above should go a long way towards reducing your security exposure. Don't wait any longer: secure your home wireless router now.
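The DHCP reservation and "remove unused incoming NAT rules" steps above both come down to knowing which devices belong on your LAN and checking the router's tables against that list. The following Python script is an added example (not code from the original article) that does exactly that audit: it parses a lease table, flags devices without a reservation, and flags port-forward rules that point outside the LAN, at an address nothing currently holds, or at a dynamic address that may change. The lease-table layout, device names, MAC addresses and NAT rules are all constructed for the example; real routers print their tables in many different formats.

```python
"""Audit a home router's DHCP lease table and inbound NAT (port-forward) rules against
a list of known devices. Added example with constructed data; the lease layout parsed
below ("hostname  ip  mac  expires") is an assumption, as router formats vary."""
import ipaddress
import re

LAN = ipaddress.ip_network("192.168.1.0/24")

# Known devices with DHCP reservations (constructed): MAC -> (reserved IP, name)
RESERVATIONS = {
    "aa:bb:cc:00:00:01": ("192.168.1.10", "printer"),
    "aa:bb:cc:00:00:02": ("192.168.1.20", "nas"),
    "aa:bb:cc:00:00:03": ("192.168.1.30", "laptop"),
}

# Constructed lease table as a router status page might show it.
LEASE_TABLE = """\
printer      192.168.1.10   aa:bb:cc:00:00:01   permanent
nas          192.168.1.20   aa:bb:cc:00:00:02   permanent
laptop       192.168.1.30   aa:bb:cc:00:00:03   23:12:01
android-9f2  192.168.1.101  de:ad:be:ef:00:42   11:58:40
"""

# Constructed inbound NAT rules: (external port, protocol, internal IP, internal port, comment)
NAT_RULES = [
    (443, "tcp", "192.168.1.20", 443, "nas https"),
    (22, "tcp", "192.168.1.55", 22, "old pi ssh"),
    (8080, "tcp", "192.168.1.101", 80, "test"),
    (3389, "tcp", "10.0.0.5", 3389, "typo"),
]

LEASE_RE = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f:]{17})\s+(\S+)$", re.I)


def parse_leases(text: str) -> list:
    """Turn the lease table into dicts; lines that do not match the layout are skipped."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if m:
            host, ip, mac, expires = m.groups()
            leases.append({"host": host, "ip": ip, "mac": mac.lower(), "expires": expires})
    return leases


def unknown_devices(leases: list) -> list:
    """Leases whose MAC has no reservation, or whose IP differs from the reserved one."""
    findings = []
    for lease in leases:
        reserved = RESERVATIONS.get(lease["mac"])
        if reserved is None:
            findings.append(f"unknown device {lease['mac']} ({lease['host']}) at {lease['ip']}")
        elif reserved[0] != lease["ip"]:
            findings.append(f"{reserved[1]} expected at {reserved[0]} but holds {lease['ip']}")
    return findings


def audit_nat_rules(rules: list, leases: list) -> list:
    """Flag port-forward rules that are misdirected, stale, or aimed at a dynamic address."""
    reserved_ips = {ip for ip, _ in RESERVATIONS.values()}
    leased_ips = {lease["ip"] for lease in leases}
    findings = []
    for ext_port, proto, int_ip, int_port, comment in rules:
        target = ipaddress.ip_address(int_ip)
        label = f"{proto}/{ext_port} -> {int_ip}:{int_port} ({comment})"
        if target not in LAN:
            findings.append(f"{label}: target outside {LAN}, rule is misdirected")
        elif int_ip not in reserved_ips and int_ip not in leased_ips:
            findings.append(f"{label}: no device holds this address, rule looks stale")
        elif int_ip not in reserved_ips:
            findings.append(f"{label}: target has no DHCP reservation, address may change")
    return findings


if __name__ == "__main__":
    leases = parse_leases(LEASE_TABLE)
    print("Devices without a reservation:")
    for finding in unknown_devices(leases):
        print("  ", finding)
    print("NAT rule findings:")
    for finding in audit_nat_rules(NAT_RULES, leases):
        print("  ", finding)
```

Run against the constructed data, the audit reports one unrecognised client and three questionable forwards; only the rule to the NAS, which has a reservation, passes. A stale forward is the case worth acting on first: a port left open to an address that a guest device could later be assigned by DHCP is exactly the exposure the NAT-rule cleanup step is meant to remove.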