Many homes an businesses are using wireless networking to connect their computers, laptops, tablets, smartphones, printers, televisions, DVD and DVR players and other smart devices and appliances to the local household or business network, and to the larger Internet beyond. Wireless networking devices such as wireless routers and access points are usually completely insecure out of the box, and require careful configuring to provide security for other wireless users, as well as from the wired Internet connection. Here’s how, thanks to an article by security firm Calyptix:
- Update the device firmware. Firmware is the “software on a chip” that makes the router or access point function. The box you bought online or in the store may not have the latest firmware installed. Firmware updates usually patch security holes, fix other problems, and sometimes provide more functionally.
- Set up WPA2 encryption. This is setting up the “password” or more properly the passphrase or encryption key that the Wi-Fi device uses to created an encrypted and secure data session. Without encryption, an open or unsecured wireless network session can be “read” right off the air by another user with a wireless laptop and a bit of software. Do not use WEP or WPA encryption, as these are no longer immune to attack.
- Name your SSID. Your SSID or Service Set Identifier is the name you give to your network. Using the default SSID such as Netgear or Linksys is unwise, because it suggests to attackers that the router still has it’s default settings is is open to attack.
- Change the default Admin credentials. Typically the router will have simple administrative User/passwords pairs such as <blank>/admin for Linksys, or admin/password for Netgear. Changing these means that nobody can log in to your router from another computer on the network, and change the settings or discover the wireless passphrase. Keep this password secure in case you need it again, although most routers have a reset button that will take you back to factory defaults.
- Turn off Remote Administration. Remote administration allows you or someone else to remotely connect to the access point over the Internet, and make changes to the configuration. No matter how good you think that password is, it can and probably will be cracked by a determined attacker, and this will grant them access to your larger network.
- Turn on MAC address filtering. The MAC or Media Access Control address is a unique hexadecimal number that is hard coded or “burned” into the network adapter in your computer. This is different than the IP address, which is typically temporarily assigned to then network adapter. Although this can be a hassle to administer, limiting connection to those computers you have specific identified by their MAC address is one more way to prevent outsiders for logging into your network without permission.
- Turn on the firewall. Most of these devices include a rudimentary stateful packet inspection firewall which also includes the ability to block the 65,000 available communication ports that you don’t need. Typically network need to open port 80 and 445 for Internet, and maybe a few others for email, VPN, or other services. Typically this is no more than ten or a dozen. The rule is if you don’t need a port close them.
- Change the default IP address scope. Here again, changing the defaults makes it harder for an attacker to make a lucky guess. Instead of 192.168.1.1 or 192.168.0.1 which are popular default addresses, uses something like 192.168.44.1.
- Turn off WPS. Wi-Fi Protected Setup is the “easy way” to connect a new device to your network. You typically push a button on the router, and it sends the encryption key to the new device. Hey if it is easy for you, it is easy for an attacker too.
- Log out and delete your cookies. If you want to be super secure, when you are done configuring the router interface in your browser, log out instead of just closing your browser. Then clear your browser cookies and restart the computer. This prevents someone from sitting down at that computer later and logging into an active session or through a saved cookie.
Lot’s to do here, but even if you did half of these you would be better off than doing nothing.
ShareAUG
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com