Have you ever asked this yourself? You ordered a new wifi router, unboxed it, connected all the cables, fired it up and you were ready to go! Nice – or isn’t it?
Don’t get me wrong here – not everyone is an expert with all these electronic devices today. There is a need to bring people online as quickly and easily as possible.
That said, not every network is worth compromising. Here are a few settings/tips/tricks – call them whatever you want – to get more out of your wifi network security!
Steps to make your wifi installation more secure
Keep software/firmware up-to-date
This one is old, I know, but it is one of the basics when we talk about security. Outdated firmware/software might have serious security vulnerabilities that can be used to compromise your network/data (e.g. see https://www.cvedetails.com – security vulnerability data source). I highly recommend keeping your wifi router firmware/software up-to-date.
Change router login/password
Some wifi routers have no password set (a rare case today – but possible). Others have the password printed somewhere on the device.
Change the pre-defined/out-of-the-box password of your wifi router and keep the password in a safe place.
Complex wifi key/password
Most routers come with a pre-defined wifi setup as a “ready-to-use” configuration. The SSID and the wifi key/password are printed on the back of the device or on a piece of paper for the customer’s convenience.
Good for a quick setup, but from a security perspective not the best idea. Someone with access to your router can take a picture of all the data and has access to your network or even to your router configuration itself.
Most wifi routers have SSID broadcasting enabled. This means that as soon as a wifi router is up and running, it is telling the world that it’s here. That makes it quite easy to find your wifi network. Disabling SSID broadcasting stops the wifi router from “screaming” around. So, devices that want to join the wifi network need to know the name before they can connect.
Note: Disabling SSID broadcasting does not mean that the wifi network cannot be discovered anymore. There are apps and tools available that also scan for “hidden” wifi networks!
Complex SSID name
Rename your wifi’s SSID to something that is not really related to you, your family, your home, company or anything else that lets someone else easily guess that it’s your wifi network. E.g. “JohnDoeFamily-Wifi” or “CompanyXYZ-Wifi” are, in my opinion, not the best choices.
Use wifi encryption
Use the highest encryption possible. For wifi, at this point in time, the go-to standard is WPA2. Do not use anything lower, e.g. WEP!
DHCP (Dynamic Host Configuration Protocol) is a service that is enabled out-of-the-box on wifi routers. Its function is to dynamically allocate IP addresses to devices that are joining your wifi network.
192.168.0.1 # e.g. router and gateway to the internet
192.168.0.12 # e.g. personal computer cable connected
192.168.0.200 # e.g. Smartphone wifi connected
Once a device is connected to your wifi network (or cable network) the router assigns a dynamic IP-address to it. Disabling DHCP means that every device needs a manual configuration to assign IP-addresses, etc.
It’s more effort to manage, but adds an additional layer of security.
E.g. an attacker that successfully joined your wifi network or cable network is not automatically able to fully communicate and connect with other devices over it. The attacker needs to have a valid IP-address. There are ways and methods to identify the network’s IP-range, but it’s additional work.
Use MAC Address Filtering
Every network device has a unique address called MAC address (Media-Access-Control-Address).
Example MAC address:
To identify the MAC-address of your devices open a command line and type on Windows “ipconfig /all” or on Linux based systems “ifconfig”.
The MAC address identifies a device within a network (don’t mix this up with IP-addresses). Out-of-the-box most routers log the MAC address and use it e.g. to assign DHCP addresses and manage IP-address lease times, but they do not block them. So, every new device can basically join the network and start communicating.
To allow only known/permitted devices to access a network it is possible to enable MAC-address filtering. This means you can decide which devices have access. Others will be blocked and need to be enabled explicitly.
The good thing – it is possible to prevent unknown devices from connecting to a network. But it also comes with additional effort for managing new devices, as they need to be configured manually.
Guest wifi network
A guest wifi network is a cool feature to give friends, family or visitors access to e.g. the internet on an enclosed network. The guest network has no connection to your private or company network. So, guests are not able to scan your private or company network, and it limits the risk that someone comes along with malware (intentionally or not) and infects your network.
Also, use the highest encryption possible. For wifi, at this point in time, that is WPA2.
Additionally, I recommend connecting the guest device yourself. This doesn’t make sense for public wifis where e.g. hundreds of guests join day in, day out, but on your own private network you have the control.
Some wifi routers allow you to print a QR-code that the guest only needs to scan to join the guest network. Keep this printed QR-code in a safe place and only use it when necessary. If someone unknown gains access to your guest wifi network and surfs or downloads illegal stuff, he or she is surfing with your public internet connection/your provider – so in the end you are responsible for the traffic!
Make use of access profiles
Create access profiles for different devices to only allow certain services. E.g. create a profile for guests to only surf specific internet pages (blacklist/whitelist). Or only allow certain applications to be accessed. Or schedule the access to the internet, e.g. only in the morning hours.
Review your router logs
If you are not sure if someone unknown is or was accessing your network – check your router’s system logs or network overviews.
Network device overviews show currently connected devices (e.g. router, computer, printer, smartphone, etc.). They also show devices that were connected in the past. So watch out for suspicious devices you don’t know.
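One way to do this review, and to prepare the device list that MAC-address filtering needs, is to compare the router's device overview against an inventory of your own devices. The script below is an added example, not part of the original post; the overview layout ("ip mac hostname"), the inventory and all addresses are constructed assumptions.

```python
import re

# Constructed inventory of devices you own (MAC -> label); values are made up.
KNOWN_DEVICES = {
    "00:11:22:33:44:55": "personal computer",
    "00:11:22:33:44:66": "printer",
    "a6:11:22:33:44:77": "smartphone",
}

# Constructed device overview in an assumed "ip mac hostname" layout.
# Real routers export different formats; adapt the parsing in audit().
SAMPLE_OVERVIEW = """\
192.168.0.12   00-11-22-33-44-55  desktop
192.168.0.13   0011.2233.4466     printer
192.168.0.200  A6:11:22:33:44:77  phone
192.168.0.201  DE:AD:BE:EF:00:01  unknown-host
192.168.0.202  00:11:22:99:88:77  old-laptop
192.168.0.203  not-a-mac          broken-entry
"""

def normalize_mac(raw):
    """Return the MAC as lowercase aa:bb:cc:dd:ee:ff, or None if malformed."""
    digits = re.sub(r"[-:.]", "", raw.strip().lower())
    ok = re.fullmatch(r"[0-9a-f]{12}", digits)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)) if ok else None

def is_locally_administered(mac):
    """True if the locally-administered bit is set (typical of randomized MACs)."""
    return bool(int(mac[:2], 16) & 0x02)

def audit(text, known):
    """Return (ip, hostname, note) for every entry not found in the inventory."""
    known = {normalize_mac(m): label for m, label in known.items()}
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or incomplete lines
        ip, mac, host = parts[0], normalize_mac(parts[1]), parts[2]
        if mac is None:
            findings.append((ip, host, "malformed MAC entry"))
        elif mac not in known:
            note = "unknown device"
            if is_locally_administered(mac):
                note += " (locally administered/randomized MAC)"
            findings.append((ip, host, note))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_OVERVIEW, KNOWN_DEVICES):
        print(*finding, sep="  ")
```

Devices that use a randomized MAC address show up with the locally administered bit set, which is worth knowing before you enable MAC filtering: such a device has to use a stable address for your network or it will be blocked.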
Disable wifi if not needed
If you don’t need wifi enabled, because you have your computer and printer connected via cable – why not disable wifi completely? I think it’s a rare case in today’s era of mobile devices everywhere. But for a company that only allows accessing the network via cabled desktop PCs, laptops, printers, etc. it might make sense, and it eliminates a vector for possible attacks.
If a router allows you to schedule wifi availability, I recommend using it. E.g. when you usually sleep at night or you are working all day away from home, disable your wifi. Same for a company wifi – if the company has fixed working days/hours – disable wifi e.g. on the other days/hours.
Turn off WPS
WPS (Wifi-Protected-security) lets you easily connect two devices by pushing the WPS buttons. The feature connects both devices with no need to enter any password/credentials.
If possible, disable this function for your router and only enable it on demand. E.g. for connecting a wifi repeater.
Turn off remote management
Remote management is a possibility to access your router for support purposes. If activated, the router maintains a certain way to access the device. I recommend disabling this option and only activating it in case you really need it. Use it on demand!
These are a couple of basic steps you can take care of to make your wireless network experience at home or at a company safer than the out-of-the-box configuration.
If you have additional recommendations, something that I missed or any other trick, let me know down in the comments.
Thanks for reading!
https://www.cvedetails.com – CVE details, security vulnerability data source