Complete Guide to Wi-Fi Security

By Tony Bradley & Becky Waring (JiWire) (Updated 2/13/07)

6. Check frequently for rogue access points or clients attached to the network. Most Wi-Fi gateways have a status screen that shows the MAC addresses of all clients currently connected to the network, and some have logging capabilities that keep track of wireless connections. If you spot unknown clients attached for extended periods (not just passing by), change your WEP or WPA key, and scout around for where they might be located.

Another way to monitor your network is with a packet sniffer like the free Wireshark. Packet sniffers show you all the traffic that's zipping around your net, and you'll see things like plain-text messages and passwords passing by in the clear. It vividly illustrates the weaknesses of common protocols like telnet, FTP, AIM and others. You'll not only find out whether unauthorized people are using your network, you'll also see what THEY see when they are snooping around.

Rogue clients aren't the only thing to look for, however. Rogue access points are dangerous as well, although more of a concern in public areas than in the home. Rogue access points are designed to mimic your regular wireless access point and capture data sent through them. You can use a utility like NetStumbler (Windows) or iStumbler (Mac) to see them. See the page on protecting yourself at Wi-Fi hotspots for more details.
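As an added example (not from the original article) of the check in step 6: a Python script that totals how long each MAC address stays associated, using a constructed gateway log in an assumed "<ISO time> <assoc|disassoc> <MAC>" format, and flags unknown addresses that stay beyond a threshold rather than just passing by. The allowlist and log contents are constructed; real gateways log differently, so adapt parse_line().

```python
from datetime import datetime

# Constructed allowlist of MAC addresses that belong to this household.
KNOWN_CLIENTS = {
    "00:11:22:33:44:55": "living-room-laptop",
    "66:77:88:99:aa:bb": "kitchen-phone",
}

# Constructed gateway log in an assumed "<ISO time> <assoc|disassoc> <MAC>"
# format: one unknown device passes by briefly, another stays for hours.
SAMPLE_LOG = """\
2007-02-13T20:00:00 assoc 00:11:22:33:44:55
2007-02-13T20:05:00 assoc de:ad:be:ef:00:01
2007-02-13T20:06:30 disassoc de:ad:be:ef:00:01
2007-02-13T21:00:00 assoc de:ad:be:ef:00:02
2007-02-13T23:30:00 disassoc de:ad:be:ef:00:02
2007-02-13T23:45:00 disassoc 00:11:22:33:44:55
"""

def parse_line(line):
    ts, event, mac = line.split()
    return datetime.fromisoformat(ts), event, mac.lower()

def dwell_times(log_text, now=None):
    """Return {mac: total seconds attached}; sessions still open count up
    to `now` (or to the last timestamp in the log)."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    open_since, totals = {}, {}
    for ts, event, mac in events:
        if event == "assoc":
            open_since.setdefault(mac, ts)
        elif event == "disassoc" and mac in open_since:
            totals[mac] = totals.get(mac, 0.0) + (ts - open_since.pop(mac)).total_seconds()
    end = now or (events[-1][0] if events else None)
    for mac, ts in open_since.items():       # still attached when the log ends
        totals[mac] = totals.get(mac, 0.0) + (end - ts).total_seconds()
    return totals

def rogue_clients(log_text, min_minutes=30, known=KNOWN_CLIENTS):
    """Unknown MACs attached for at least `min_minutes` in total, longest first."""
    hits = [(mac, secs) for mac, secs in dwell_times(log_text).items()
            if mac not in known and secs >= min_minutes * 60]
    return sorted(hits, key=lambda h: -h[1])

if __name__ == "__main__":
    for mac, secs in rogue_clients(SAMPLE_LOG):
        print(f"unknown client {mac} attached for {secs / 3600:.1f} h; change the WPA key")
```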

7. Use a strong firewall. The steps we've discussed so far focus on securing the wireless network, but once your wireless data reaches the access point, it becomes part of the wired net, and subject to any attacks or snooping that might come in through your broadband gateway (or from other users on your local wired net). Furthermore, WEP, WPA and WPA2 encryption only apply to data in the air; as soon as it passes through the Wi-Fi gateway, data is decrypted.

Most home networking routers come with built-in firewall capabilities. The firewall is usually a basic port-blocking or packet-filtering firewall that lets you permit or deny incoming traffic on certain ports. The typical configuration is to block ALL incoming ports by default and then let you open ports for specific purposes. Stateful Packet Inspection (SPI) firewalls take things a step further by actually examining network traffic for suspect activity and reporting attacks and intrusions.

Unless you are running a Web or FTP server you shouldn't need any inbound ports open, but some peer-to-peer file sharing networks and online games require communication over certain ports. Worms like MSBlast and Nachi were aimed at the Windows SMB (Server Message Block) and NetBIOS ports that are intended for directory, file and printer sharing across the network. Having your computer respond to NetBIOS inquiries can also give away valuable information that an attacker may use to gain access to your system or network. It is especially recommended that you block TCP ports 135, 137, 138, 139 and 445 from external access and that you disable NetBIOS over TCP/IP to prevent such attacks or leaks of pertinent information.

You can also use a personal firewall like Zone Alarm Pro or Norton Personal Firewall (part of the Norton Internet Security Suite) that runs on your computer in addition to the network firewall. Personal firewalls provide an extra layer of security against outside hackers, as well as safeguard against snooping from within the local network. See the page on protecting yourself at public hotspots for more on personal firewalls.
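To make the step-7 policy concrete, here is an added Python model (not any router's firmware or the article's code) of a default-deny inbound filter with an explicit opened-port list, the SMB/NetBIOS ports kept closed to the broadband side, and the connection tracking that stateful inspection relies on so replies to sessions started from the LAN get back in. The rule that SMB/NetBIOS can never be opened is this model's choice, and the addresses and ports in demo() are constructed.

```python
# Ports the article singles out: Windows RPC/SMB/NetBIOS, the MSBlast and
# Nachi attack surface. In this model they are never reachable from outside.
SMB_NETBIOS_PORTS = frozenset({135, 137, 138, 139, 445})

class HomeGatewayFilter:
    """Inbound policy of a typical home router as modelled here (assumption):
    default-deny inbound, an explicit list of opened ports, and a connection
    table so replies to sessions started from the LAN are let back in."""

    def __init__(self, open_ports=()):
        # Ports opened for a Web/FTP server or a game; SMB/NetBIOS are refused.
        self.open_ports = set(open_ports) - SMB_NETBIOS_PORTS
        self.sessions = set()   # (lan_ip, lan_port, wan_ip, wan_port)

    def outbound(self, lan_ip, lan_port, wan_ip, wan_port):
        """A LAN host starts a connection; remember it for the return traffic."""
        self.sessions.add((lan_ip, lan_port, wan_ip, wan_port))
        return "ALLOW"

    def inbound(self, wan_ip, wan_port, lan_ip, lan_port):
        """Decide the fate of a packet arriving from the Internet side."""
        if (lan_ip, lan_port, wan_ip, wan_port) in self.sessions:
            return "ALLOW"            # reply to a LAN-initiated session
        if lan_port in SMB_NETBIOS_PORTS:
            return "DROP (smb/netbios)"
        if lan_port in self.open_ports:
            return "ALLOW"            # deliberately published service
        return "DROP (default deny)"  # unsolicited inbound traffic

def demo():
    """Constructed traffic (RFC 5737 documentation addresses) run through the filter."""
    fw = HomeGatewayFilter(open_ports={80, 445})   # 445 is silently refused
    lan, web, outsider = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    return [
        fw.outbound(lan, 51000, web, 80),          # browse a site...
        fw.inbound(web, 80, lan, 51000),           # ...and its reply comes back
        fw.inbound(outsider, 4444, lan, 445),      # unsolicited probe of SMB
        fw.inbound(outsider, 4444, lan, 80),       # reaches the opened web port
        fw.inbound(outsider, 4444, lan, 3389),     # anything else is dropped
    ]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```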

8. Password your data. Often overlooked in a home environment, passwords provide another layer of security for your private data. You can generally password-protect and/or encrypt your computer, certain folders, or even specific files with the tools built right into Windows XP and Vista, or Mac OS X. Make sure your passwords are not easily guessed or written on a sticky note on the front of your monitor.

Whenever possible, try to place private, confidential or otherwise sensitive documents in special folders that only you or those designated by you have access to. Older OSes like Windows 95 and 98 don't have password-protection capability built-in, but Windows 2000, XP, Vista and Mac OS X all make it a relatively simple matter.

In general, the longer the password, the longer it will take someone to recover it with a password-cracking program. Use words that aren't in the dictionary and that contain combinations of lower-case and upper-case letters, numbers and special characters. And change them if you have any reason to suspect they have been compromised, for example by a keystroke-capture program. (Most businesses require changing things like email passwords regularly.) If you are curious to see how easily your password can be cracked, check out tools like Cain & Abel.
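An added example (not from the article) of the reasoning in step 8: a simplified Python model of what a brute-force cracker versus a wordlist cracker has to try, using a constructed mini wordlist and an assumed guess rate. It shows why a dictionary word with a numeric suffix falls in microseconds while a random mixed-character string of the same length does not, and how each extra character multiplies the work.

```python
import math
import string

# Constructed stand-in for the wordlists a cracking tool loads;
# a real list has millions of entries.
WORDLIST = {"password", "letmein", "qwerty", "dragon", "monkey", "welcome"}

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
SUFFIX_ALPHABET = string.digits + string.punctuation

def charset_size(pw):
    """Size of the alphabet a brute-force cracker must assume for `pw`."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in pw))

def brute_force_guesses(pw):
    """Worst-case candidates for an exhaustive search of pw's length and alphabet."""
    return charset_size(pw) ** len(pw)

def dictionary_guesses(pw):
    """Guesses for a simplified wordlist attack (assumed model): a listed word
    in any letter case, optionally followed by digits or punctuation.
    Returns None when the password is not of that shape."""
    base = pw.lower().rstrip(SUFFIX_ALPHABET)
    if base not in WORDLIST:
        return None
    suffix_len = len(pw) - len(base)
    return len(WORDLIST) * (len(SUFFIX_ALPHABET) ** suffix_len)

def crack_seconds(pw, guesses_per_second=1e9):
    """Seconds for the cheapest of the modelled attacks at the assumed speed."""
    candidates = [brute_force_guesses(pw)]
    dictionary = dictionary_guesses(pw)
    if dictionary is not None:
        candidates.append(dictionary)
    return min(candidates) / guesses_per_second

def entropy_bits(pw):
    """Bits of search space, so each added character adds log2(alphabet) bits."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0

if __name__ == "__main__":
    for pw in ("dragon", "Dragon99", "aB3!", "7kQ#p2Lm", "Kq9#mTz2Lw4!"):
        print(f"{pw!r:16} {entropy_bits(pw):5.1f} bits  ~{crack_seconds(pw):.3g} s")
```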

9. Separate your wired and wireless nets. If you're a network pro and have a small office network, consider doing a couple more things: change the default community names that ship with network management tools like SNMP so they can't be easily guessed; and put wireless access points on separate subnets with firewalls between them and the main network router. Gibson Research has directions for doing so here.

10. Turn off wireless devices when not in use. The final word of advice for home wireless networks is "Turn it off!" While it may seem like a pain, you'll sleep easier knowing that when your gateway, computer, laptop, etc. are switched off, no one can access them. Use a power strip to plug in all your devices, and just flip one switch when you get to work. In multiple-user households, you'll probably want to leave the broadband gateway on 24/7, but you can still turn off your own PC. A computer that isn't connected can't be hacked or compromised from the network. If you rely on dial-up Internet access this is not as big a concern.
