Some sensible precautions for home wireless security

Two campers were hiking in the forest when all of a sudden a bear jumps out of a bush and starts chasing them. Both campers start running for their lives when one of them stops and starts to put on his running shoes.

His partner says, "What are you doing? You can't outrun a bear!"

His friend replies, "I don't have to outrun the bear, I only have to outrun you!"

Securing a home wireless networking setup is a little like the bear joke above: you want to make yourself less attractive than the networks of your neighbors for a would-be hacker.

Networking can be a pretty complicated topic, and until recently it was not something that home computer users really needed to address at all. With this in mind, the manufacturers of home-oriented networking equipment (especially wireless routers) have worked to make initial setup easy and painless. This is usually accomplished with "3 step setup" or other "wizards" which succeed in making it easy by eliminating nearly all security.

This document offers some suggestions on changing the defaults that so many routers ship with, along with a brief statement as to why each change is important. It is not product-specific, and you will have to figure out how to make the changes with your particular software. You may not even have the option to set or change some of these settings, but the more that you can change, the better your chances to "outrun the bear".

Parameter: Worrying about security at all
What it is: Many people say, "I am not doing anything secret. Why should I care if someone uses my network?"
Should be set to: Your router came with many security features. Use them!
Why it matters/Comments: Two comments: (a) if someone breaks into your network, then they are behind your router's firewall and are free to try to break into your own computers and (b) you could be legally responsible if someone does something nefarious on the Internet at large that is traceable back to your IP address (that of your router).

Parameter: Default network name (SSID)
What it is: Service Set Identifier (SSID), colloquially the name of your network.
Should be set to: Choose a name which means something to you but doesn't identify you or your location. (One neighbor of mine gives their home address! Bad idea.)
Why it matters/Comments: If left as the default, it gives hackers/war drivers reason to believe that much of the rest of your network is in a vanilla stock configuration as well, hence easy to break.

Parameter: Default network password
What it is: This is the password that will be used on a regular basis to have laptops join the network.
Should be set to: Make it something hard to guess or crack. (Use upper and lower case, special characters, etc. Make it more than 10 characters.)
Why it matters/Comments: A too-short or easy-to-crack password improves the odds for a hacker.

Parameter: Default admin password
What it is: This is the password for changing the configuration of the router.
Should be set to: Use sensible password-selection rules here, too.
Why it matters/Comments: If someone can access the configuration tools of your router, then they can disable or reset all security mechanisms you have taken the time to set in the first place.

Parameter: Broadcasting SSID
What it is: Your router by default broadcasts its name to make it easy for users to find it and connect.
Should be set to: By disabling the broadcast, a user has to know the name of your network to connect.
Why it matters/Comments: This one isn't a complete guarantee: war driving programs can determine the name of a network after watching enough packets go by. But it can be a useful cloaking nonetheless.

Parameter: DHCP server
What it is: The Dynamic Hardware Control Protocol server gives out "private" Internet (IP) addresses to each computer on your network.
Should be set to: By default, your DHCP server probably will serve up to 50 or 100 addresses. For a home environment, you can probably cut this down to something in the small single digits. Remember to count your wired (desktop) computers in the total.
Why it matters/Comments: Why offer a large service that you could not possibly need for your own purposes?

Parameter: Firewall
What it is: This software watches network traffic going in and out and makes sure that traffic coming in is in response to something requested from the inside.
Should be set to: Should be on by default, with no changes needed on your part.
Why it matters/Comments: A "Stateful Packet Inspection (SPI)" firewall is a useful and necessary protection against others on the Internet (and even on your own ISP!) who would wish to do your computer(s) harm.

Parameter: MAC filtering
What it is: The MAC ("Media Access Control") address of a computer is the identifier of the ethernet or wireless network adapter. It is 12 hex digits, usually listed in pairs. MAC filtering allows you to limit access to your router to just those machines whose MAC addresses you include.
Should be set to: List the MAC address of your desktop computer as well as both the ethernet and wireless addresses of your laptop(s).
Why it matters/Comments: This is not failsafe, as MAC addresses can be spoofed. But it is a useful first step to making it more of a hassle for a hacker to access your network.

Parameter: Wireless Security (WEP/WPA)
What it is: This is the big one, of course. These protocols encrypt data between your laptop and the router. These are nearly always off by default. WEP, the older standard, has serious security flaws and can be broken in a matter of hours. (WEP is still better than nothing, if your laptop only has an 802.11b card.) WPA fixes many of the weaknesses of WEP and is always preferable (although you will likely need an 802.11g card to use it).
Should be set to: If you have a modern 802.11g card, run WPA, not WEP. It may be called "WPA Personal" or "WPA Pre-Shared Key" (same thing, different names). If you have no choice but to run WEP, at least do so with the longer (and more secure) 128-bit keys.
Why it matters/Comments: Even if you are using encrypted protocols such as SSH across the Internet, you still want to encrypt traffic from your laptop to the wireless router. WPA makes it much harder for a hacker to break in, in part because in a home network with only a handful of clients, it is hard to collect enough data in, say, an hour before the keys change (done automatically).

Parameter: Logging
What it is: Your router may have the capability to keep logs of different types of activity (blocked external attacks, for example).
Should be set to: You might as well turn this on. Similarly, if you have the opportunity to give an email address to which the router can send notifications, that is useful, too.
Why it matters/Comments: Makes the whole operation a bit less of a black box, if you can see what it is catching or finding.

Parameter: Administration options
What it is: Your router probably has other settings controlling how you access its web interface.
Should be set to: If you have the opportunity to use secure HTTPS, do so. Many routers allow remote administration, which means the ability to change its settings from somewhere on the Internet (as opposed to only from your own home). Unless you have a compelling reason to do this, I would suggest leaving it disabled.
Why it matters/Comments: Once again, why not take advantage of a security feature for the price of a single letter (https vs http)?!
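
The checklist above can be applied mechanically to a router's settings. The following Python sketch is an added example, not part of the original document; the config keys, the list of factory SSIDs and the two sample configurations are assumptions constructed for illustration, since real routers expose these settings under product-specific names.

```python
import re

# Illustrative factory SSIDs (assumption); add your own router's default name.
DEFAULT_SSIDS = {"linksys", "netgear", "default", "dlink", "wireless"}
# A MAC address is 12 hex digits, usually written in pairs with ':' or '-'.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-]?[0-9A-Fa-f]{2}){5}$")

def weak_password(pw):
    """Fails the table's rule: more than 10 characters, mixed case, a special character."""
    mixed = (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
             and any(not c.isalnum() for c in pw))
    return len(pw) <= 10 or not mixed

def audit(cfg):
    """Return the checklist items that a config dict (hypothetical keys) fails."""
    bad_macs = [m for m in cfg["mac_allowlist"] if not MAC_RE.match(m)]
    checks = [
        (cfg["ssid"].lower() in DEFAULT_SSIDS, "SSID is a factory default"),
        (weak_password(cfg["network_password"]), "network password is weak"),
        (weak_password(cfg["admin_password"]), "admin password is weak"),
        (cfg["broadcast_ssid"], "SSID broadcast is on"),
        (cfg["dhcp_pool_size"] > 9, "DHCP pool is larger than single digits"),
        (not cfg["firewall"], "firewall is off"),
        (not cfg["mac_allowlist"], "MAC filtering has no entries"),
        (bool(bad_macs), "malformed MAC entries: %s" % bad_macs),
        (cfg["encryption"] == "none", "wireless encryption is off"),
        (cfg["encryption"] == "wep", "WEP in use; prefer WPA"),
        (cfg["encryption"] == "wep" and cfg.get("wep_key_bits") != 128,
         "WEP key is not 128-bit"),
        (not cfg["logging"], "logging is off"),
        (not cfg["admin_https"], "admin interface is not HTTPS"),
        (cfg["remote_admin"], "remote administration is on"),
    ]
    return [msg for failed, msg in checks if failed]

# Constructed sample configs: a stock "3 step setup" result and a hardened one.
STOCK = {"ssid": "linksys", "network_password": "", "admin_password": "admin",
         "broadcast_ssid": True, "dhcp_pool_size": 50, "firewall": True,
         "mac_allowlist": [], "encryption": "none", "logging": False,
         "admin_https": False, "remote_admin": False}
HARDENED = {"ssid": "bluebird", "network_password": "Tr1cky&Long-Phrase",
            "admin_password": "An0ther!Long-One", "broadcast_ssid": False,
            "dhcp_pool_size": 4, "firewall": True,
            "mac_allowlist": ["00:11:22:33:44:55", "0011223344AA"],
            "encryption": "wpa-psk", "logging": True,
            "admin_https": True, "remote_admin": False}

if __name__ == "__main__":
    for name, cfg in (("stock", STOCK), ("hardened", HARDENED)):
        print(name, audit(cfg))
```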

All of this may not prevent you from getting hacked, but it should greatly diminish the likelihood of that happening. If you ever bother to run one of the tools that show visible networks around your home, you will discover that few people bother with these precautions. Remember the bear!

As a final note, the next step up in security is to run a RADIUS server (such as we do for the EUD wireless environment), something usually not practical for the home environment. WEP used a single key, unchanging in time, for all users. WPA improves upon this by having the keys rotate every hour or some other time period, but there is still a single shared key for all users. WPA/RADIUS has per-user keys, which also rotate in time.

I hope this is useful to you!

David Friedlander
22 February 2005