Fri May 16, 2008 4:53PM EDT
Reader Joshua writes: I have searched all over the net for detailed instructions on how to protect my Wi-Fi network, and I just can't seem to find them. I would appreciate some help.
Most vendors provide an installation CD with their routers, and if you use this CD (you never have to, by the way), you'll be walked through setting up security on your router, step by step.
Personally I find these programs cumbersome, and since I tend to swap out routers every couple of months, I never install them to avoid having multiple management applications which correspond to nothing on my network.
So, without further ado, here's how to set up security on your router without using a custom application.
1) Type in the IP address of the router in your browser. This is how you get to the management system. You will need to check your router's manual for the IP address (it's probably 192.168.0.1 or something close to that) and the default password for the router. Now every router's management interface is different, and I don't have every brand here to work with, so I'm just going to point you toward the areas you need to tweak. This isn't complicated, but it might take a little trial and error on your part. Just poke around until you find the appropriate section to manage. It's usually quite simple.
2) Set a new administrator password. Always a good first step so you don't forget it later. This is often not under the Security section, so don't forget to look under the Utilities or System Settings area. Once you find it, change the password here like you would with any user account.
3) Turn on encryption. Look under Wireless Security or a similarly tagged section. You want to turn on encryption here: Use WPA (or WPA-PSK) if all devices on your network support it. Otherwise use 128-bit WEP. Type in the key you'd like (or use a passphrase to generate the key if you're using WEP). Note the passphrase you're using so you can type that password into your client machines.
4) Change the SSID. Nothing says "hack me" like a default SSID (essentially, the name of your router) like "linksys" or "belkin." Change it to something menacing, not "janesrouter." One router I can see from my office is named "virustrap." I can't imagine anyone willingly trying to hack into that network. Remember you'll need this SSID when you browse available wireless networks from your client machines. You'll find this setting under a menu called Channel or SSID, something like that.
After that, you've covered the basics of security. You'll probably have to reboot your router multiple times during this procedure (so it's best to use a cable to do the configuration), and don't forget to hit "Apply Changes" or "Save Changes" after every tweak you make.
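An added example, not from the original article: with WPA-PSK, the router and every client turn the passphrase from step 3 into the actual 256-bit key using PBKDF2-HMAC-SHA1 with the SSID from step 4 as the salt, so both settings feed into the key. The function names and the sample passphrase are constructed for illustration; "shnvl2" is the sample SSID a commenter mentions below.

```python
import hashlib
import string

# Printable ASCII (codes 32-126), the character set allowed in a WPA passphrase.
_ALLOWED = set(string.ascii_letters + string.digits + string.punctuation + " ")


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2-PSK key from a passphrase and an SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if not set(passphrase) <= _ALLOWED:
        raise ValueError("passphrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    # PBKDF2-HMAC-SHA1, SSID as the salt, 4096 iterations, 32-byte output.
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32
    )


def same_key(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True if one passphrase produces the same key on two network names."""
    return wpa_psk(passphrase, ssid_a) == wpa_psk(passphrase, ssid_b)


if __name__ == "__main__":
    phrase = "constructed sample passphrase 42!"  # constructed, not a real key
    for ssid in ("linksys", "shnvl2"):
        print(f"{ssid:8} {wpa_psk(phrase, ssid).hex()}")
    print("same key on both SSIDs:", same_key(phrase, "linksys", "shnvl2"))
```

Changing the SSID after clients are configured changes the derived key, which is why each client has to rejoin the network under the new name.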
You can continue to make more advanced wireless security changes if you'd like, but I think they're overkill. Still, if you're paranoid, you can turn off SSID broadcasting (so you have to type in the network name manually; it doesn't show up in the Windows scan). You can also turn on MAC address filtering, which limits access to your network to a list of clients that you specifically approve. If anyone really wants information about how to configure MAC filtering, email me or post a comment below and I'll whip up a blog post down the road.
Join in the discussion. Here you'll see the comments in the order they were posted.
I would like to know more about MAC filtering dillenium28@yahoo.com
Thanks, this tutorial was very easy to follow. I think I will pass it on to some of my friends.
I just want to thank you for your simplified instructions. I hadn't realized that I needed security on my Laptop until just recently. I thought since I had a Firewall, Antispyware, Antivirus and Windows defender, that was enough. I feel much better now since I know this will help keep my files safer. I am more aware of internet Fraud and Identity Theft. I would strongly suggest that anyone who has a laptop follow these easy steps!
So how do I change the "master account's" password??????
Take home message. Don't use the default preferences for your router / modem (wi-fi or otherwise). You just make it easy for others to jump on your network. I can't tell you the number of times I have accessed wi-fi routers / modems with the default login from Belkin, D-Link, Motorola, etc. (for example: ID: Administrator; Password: Blank). One time I had a customer with slow internet and found three people in his apartment complex were using his wi-fi network. It was no problem for them to do so as nothing had been done to secure it. If you don't understand what has been written so far in this blog about IP addresses / MAC addresses it might be advisable for you to go to a wired router (cat5 cables).
In a nutshell this crap is why I've (strongly) passworded my WiFi Router and just set it for "HotSpot" mode. No networking, just open access to the web. I did change the SSID though... something like 'back-hacked-IP-tracker' I think. Nothing else really needed as my network is fairly weak (only enough to get signal on the back porch) and the neighbors are technologically illiterate -I live in a suburb of a large city; but my area is primarily senior citizens- so not much chance of anybody breaking in unless they sit in the bushes outside my window. Eh, enough said.
Yeah, show us about a right MAC filtering configuration. I'm using MAC filtering, but I don't use an encryption method (and my SSID is visible). Is that OK?? Thanks.
How do I remove all of my neighbors' wireless networks being picked up by my router? I find if there are a lot of neighboring networks that my connection does not work as well.
This explanation left me in the dirt after the third or fourth sentence.
Another way to protect your WI-FI is to turn off the SSID broadcast. When you turn off the SSID broadcast it hides your SSID so when people search available networks, it will not show up. However, when you go to connect to your network for the first time you will have to enter the SSID manually.
There are a lot of bits of good information, and a lot of erroneous bits in the posts above. As a security practitioner in the networking and wireless space (CWNP certified), I've had to learn a good bit of this to obtain and maintain the certs. All the features have their uses. Don't use WEP unless you have a legacy device that can't use WPA/WPA2, RADIUS, TACACS+, or some such. It takes 6-7 million packets going by on a passive sniffer for the available software to crack WEP keys. The literature on the subject says sub ten minutes. MAC filtering is helpful but, as noted, MAC addresses can be spoofed. Any of my wireless devices can do that. Don't broadcast your SSID, but keep in mind that unless you have a high-end configurable Access Point and can change the behavior, the standard response to a probe packet without a specific SSID (with a null SSID) is to respond by broadcasting your SSID. And the connection dialog always does that, so if a snooper is listening for a bit, they will see your SSID (and MAC of the AP) go by in the protocol packets. Do use WPA/WPA2 if at all possible. Do adjust the transmitter power down if you can, to prevent booming signal past the perimeter of your house or intended coverage area. Do consider using a non-typical subnet mask. 255.255.255.0 allows up to 254 nodes, including your DHCP space. 255.255.255.240 allows only 14, and 255.255.255.248 allows only 6. You can then set the scope of your DHCP server very closely. If I have four PCs at home, I'll set my router's IP address to 192.168.201.1, the subnet mask to 255.255.255.248, and the DHCP scope to 192.168.201.2 - 192.168.201.5. Then I'll set my printer to 192.168.201.6 and I have no unused IP addresses. Use an SSID that isn't generic, and doesn't invite curiosity. I use something like shnvl2 for Smith Home Network Virtual LAN 2. Then a WPA key that's long and complex. And TKIP, so the cipher changes over time. 
I may also buy a Cisco ASA 5505 and use the dmz security zone for wireless, the inside zone for hardwired, and the outside zone to connect to the ISP. I could also buy a Cisco ISR 877 with ten possible Virtual Private Networks, and be even more creative. It also replaces your ADSL modem. Basically, if you have anything worth protecting, consult with a professional. And not a Big Box nerd, but someone who does networks for a living. Wireless can be made nearly as secure as wired, but it takes time. Oh, 802.11bg uses the 2.4GHz range, so can interfere/be interfered with microwave ovens, wireless phones, etc. The default channel out of the box is 6, and it uses Collision Avoidance (if it hears another talker, it just waits). Only three clear channels exist in 802.11b/g. These would be 1, 6, and 11. If your performance is less than expected, try one of the other channels.
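The addressing plan from the comment above, checked with Python's `ipaddress` module. This is an added example, not part of the commenter's post; `check_plan` and its arguments are hypothetical names, and the addresses are the ones the comment gives.

```python
import ipaddress


def check_plan(router, netmask, dhcp_first, dhcp_last, statics):
    """Validate a small-LAN addressing plan; return (usable, free, problems)."""
    net = ipaddress.ip_network(f"{router}/{netmask}", strict=False)
    hosts = list(net.hosts())  # excludes the network and broadcast addresses
    router_ip = ipaddress.ip_address(router)
    first = ipaddress.ip_address(dhcp_first)
    last = ipaddress.ip_address(dhcp_last)
    problems = []
    if first > last:
        problems.append("DHCP scope start is after its end")
    for name, ip in (("DHCP start", first), ("DHCP end", last)):
        if ip not in hosts:
            problems.append(f"{name} {ip} is not a usable host in {net}")
    scope = [h for h in hosts if first <= h <= last]
    if router_ip in scope:
        problems.append(f"router {router_ip} is inside the DHCP scope")
    assigned = {router_ip, *scope}
    for name, addr in statics.items():
        ip = ipaddress.ip_address(addr)
        if ip not in hosts:
            problems.append(f"{name} {ip} is not a usable host in {net}")
        elif ip in assigned:
            problems.append(f"{name} {ip} collides with the router or DHCP scope")
        assigned.add(ip)
    # Addresses no device is expected to hold under this plan.
    free = [str(h) for h in hosts if h not in assigned]
    return len(hosts), free, problems


if __name__ == "__main__":
    # The three masks compared in the comment, same router, scope and printer.
    for mask in ("255.255.255.0", "255.255.255.240", "255.255.255.248"):
        usable, free, problems = check_plan(
            "192.168.201.1", mask,
            "192.168.201.2", "192.168.201.5",
            {"printer": "192.168.201.6"},
        )
        print(f"{mask:16} usable={usable:3} unassigned={len(free):3} {problems}")
```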
Like he says, 6-7 million packets to crack WEP. When I am cracking a network, I am getting 200 thousand packets a second when there is traffic on the wifi, so do the math: it takes minutes to crack WEP. A lot of people use MAC filtering, but all I do is shut my firewall off (something they haven't done) and most of the time I see that they are sharing their router. And they haven't changed the default password, so I log on, add my MAC address and I'm in. So shut your firewalls off for a sec and see if your router shows up. It's like building a fort but leaving the door open. And not showing your SSID? When I snoop for networks it shows up blank for a minute or so, then it shows me the SSID. The software I use can be downloaded for free on the internet. Back to routers: also, sometimes people change the passwords and check the "remember the password" box and then don't understand that they're sharing their router. So I can see your router logon, and the password and logon are there.
Just a note: the networks I crack are my own; I test my own security on my network. I use WPA-PSK; no one has cracked that yet. Banks use it. I don't hide my SSID or filter my MAC address. No need to with WPA-PSK.
Another good idea is to use a 52-character password: use numbers and symbols and capital letters and small case. In WEP this won't matter; it will still take only 5 min. But with WPA, 52 characters mixed and matched using the above suggestion is very, very hard to crack.
Major ditto on post # 24!!!! With my laptop protected, it is not even usable out in the field - library, hotels, Internet cafes... Is there an EASY way to change whatever settings so that one's laptop can be used in the field but yet not be 'seen' by those around in that same wi-fi setting?
This is what people don't understand: when encrypting your network you're not just keeping people off your network, you're encrypting all the stuff coming from the wifi end of your network. In other words, if you're on your unencrypted wireless network on a laptop and then buy something, your credit card info, email, etc. is going through the air unencrypted, and someone can get it.
Post #20 (medullaboi) it is very RUDE to insinuate that others are "stupid". I am very glad you can do it yourself, however, your comment was not helpful to anyone except...perhaps yourself.
The ironic thing is, my friend recently got an XBOX 360, but he couldn't find the right size cable to get Live. He bought one of those wireless adaptors, but the only way it worked was when he used his neighbor's wireless network. But then the connection was way too slow, so he still doesn't have XBOX Live... loser! [cough, cough]
I'm surprised he says turning off SSID broadcasting may be overkill. After all, if someone scans for networks and yours doesn't show up, they're probably going to leave it alone. I would certainly turn off SSID broadcasting, as well as using all the other tips in the article.