Complete Guide to Wi-Fi Security

If we've convinced you of the need secure your home wireless network (and the wired one too!), here's a step-by-step guide to help make the process as painless as possible. No network can ever be completely secure, but after you've implemented the recommendations here, wireless hackers will likely choose an easier target. These steps apply to both home and small office networks that have a standard wireless router, and possibly one or more roaming access points.

1. Change your router's name and password. This is always the first line of defense. It's easy for attackers to find out what the default name and password are for various manufacturers. Many also default to using the standard 192.168.1 or 2 subnet internally and give the router itself the IP address of 192.168.1.1 or 192.16.2.1. You should make sure you rename the router, assign a strong password for accessing the router configuration software, and consider changing the IP addressing to a difficult-to-guess internal subnet like 192.168.12.1 or 192.168.83.1 (you can use any number from 1 to 254 in the third position in most cases).

2. Enable infrastructure mode only on all access points and clients on the network. Disable the "ad-hoc" mode, which lets clients set up peer-to-peer networks and could allow rogue users to connect to your network through a legitimate wireless client.

3. Disable SSID broadcast. The SSID (Service Set Identifier) is essentially the network name for the wireless portion. A wireless access point (AP) or router in open network mode will periodically broadcast a beacon signal (usually about 10 times each second) which announces to the world that the network is live and ready to go. The beacon also includes data such as the signal strength and functional capabilities of the AP as well as the SSID. With broadcasting off, wireless clients must first know the SSID before they can connect.

For home networks, this broadcast information is not necessary. You can simply type in the SSID in your wireless client's setup dialog once, and it will be remembered in future connections. Experienced hackers can still find such "closed" networks, but at least you will not be openly inviting them. And neighbors or passersby will not see or accidentally connect to your network.

In public-access hotspots or large company Wi-Fi nets, SSID broadcasting may be required. There are other precautions to take in these cases, as we'll see later on.

4. Turn on the MAC addressing filter in your wireless router. Most Wi-Fi gateways let you restrict access to known MAC (Media Access Control) addresses. Each network device (such as a computer, Wi-Fi card, or printer) has a unique MAC address, and by allowing access only to pre-defined MAC addresses you reduce the risk of accidental or rogue clients connecting with or perusing your network resources. This takes the closed network concept a step further.

Sound foolproof? Not quite. Even if your SSID isn't broadcast and you restrict access to known MAC addresses, your wireless network may still be detected and compromised. Hackers can capture the wireless data packets as they travel from your access point to your wireless client or vice versa. The captured packets may reveal both the SSID and the MAC addresses of client devices communicating with the network. Once a MAC address is known a malicious user can "spoof" the MAC address of the attacking system to make a computer look like it's one of the accepted systems and allow it to connect. So you should still take additional precautions.

5. Enable WPA (Wi-Fi Protected Access) or WPA2 encryption. Encryption is the next step in the wireless security ladder. WEP (wireless equivalency protocol) is the original Wi-Fi encryption scheme, and comes in several flavors -- 40-, 64-, and 128-bit. However, its underlying algorithm is flawed and subject to relatively easy cracking. Without going into the gory technical details, it can be broken in minutes. If you want to test your WEP connection to see how easy it is to capture packets and decode the key, you can use a tool like AirSnort. The longer 128-bit encryption keys require transmitting more data, but don't offer significantly better protection than 40- or 64-bit encryption, and significantly reduce wireless performance.

While WEP is better than nothing, it will only keep out the neighbors and opportunistic hackers. For true protection, you need WPA or WPA2.

WPA builds on WEP encryption by scrambling the key and integrity-checking it to ensure it hasn't been tampered with. Additionally, it allows authentication using public key infrastructure (PKI) encryption. But the strongest wireless encryption standard is WPA2 (based on the 802.11i security standard). WPA2 is similar to WPA, with the added security of the strong AES or TKIP encryption protocols required by some businesses and government agencies. WPA2 is also the preferred encryption method for the emerging 802.11n standard, and provides the best performance.

Note that WPA and WPA2 require that ALL devices on the wireless net be set to them -- clients, the wireless router or access point, and any other relays or access points in between. If you have some older adapter cards that only support WEP, do upgrade them. (But first check with your manufacturer -- there may be firmware updates for WPA.)

No matter which encryption type you use, change your passkey regularly. It takes recording a certain amount of traffic to give crackers enough data to decode a key. Also, passwords do get written down and can fall into the wrong hands.

For more on WPA encryption check out Network World's primer Explaining WPA2. The Wi-Fi Alliance also has an excellent information page on WPA2.