Six Ways To Protect Your Wireless Network

It doesn't take a whole lot of work -- or any extra money -- to make your network secure. Follow these steps, and you'll go a long way to keeping

July 10, 2006

8 Min Read
NetworkComputing logo in a gray background | NetworkComputing

Got a wireless network at home or your small business? The odds are that it's insecure. And that means that it's wide open to hackers, war drivers, or anyone else passing by.

But it doesn't take a whole lot of work -- or any extra money -- to make your network secure. Follow these steps, and you'll go a long way to keeping your network, PCs, and data safe.

Step 1 -- Hide Your Network's SSID, And Stop Broadcasting It

Computers on your network connect in a kind of two-way conversation. Your network router constantly sends out its name, known as its SSID (service set identifier). Your wirelessly equipped PCs see that SSID, and then connect to the router by using the SSID name. So if someone knows your SSID, it makes it easier to connect to your router.

When you buy a wireless router, it comes with a default SSID. That default SSID is the same for the thousands, or millions, of routers the manufacturer makes. So a would-be intruder can search for networks with a few common default SSIDs from the major manufacturers, and quickly find wireless networks. So a good line of defense is to change your network's SSID from the default to a unique name that others can't guess. By itself this isn't a great defense, because most war driving software will automatically find the SSIDs of any nearby networks. And Windows XP will automatically do the same thing. So you need to do more than just change the name. You also need to tell your network to stop broadcasting its SSID. Now only someone who knows the name will be able to connect to it. The steps you take for changing the SSID and telling your router not to broadcast the SSID varies from router manufacturer to router manufacturer. In the Linksys WRT54GX4, log into your administrator screen, and click the Wireless link. In the "Wireless Network Name (SSID):" box type in a new name for your router. In the "Wireless SSID Broadcast:" box, click Disable. Then click Save Settings.

Your router is now invisible to passersby, but it's also invisible to your own PCs on the network as well. So you need to tell them to use the new SSID. On each PC, in Windows XP SP2, click small wireless icon in the Windows System Tray and click the View Wireless Networks button. Click the "Change advanced settings" link in the left-hand column and then click the Wireless Networks tab. Click the Add button in the "Preferred network" section, type your new network name, click OK, and then click OK again. You'll now be connected to your network.

Step 2 -- Use Encryption To Keep Yourself Safe

It's this simple: You need to use encryption. Encryption keeps you safe in two different ways. First, it won't allow anyone onto your network who doesn't have the special encryption key, and so it's a way to make sure that intruders can't get it. And it also stops snoopers as well, because anyone who tries to sniff out network activity will only see garbled, meaningless characters, rather than your email, for example.

There are two encryption standards you can use to protect your network: Wireless Equivalent Protocol (WEP) and Wi-Fi Protected Access (WPA). The WEP protocol is older and less secure than WPA, so your best bet is to use WPA. But the truth is, even WEP is most likely good enough for you. It's not as if your home network has CIA-level classified secrets. So it's not likely that intruders or snoopers will want to spend large amounts of time and energy trying to break your encryption, even if it's as weak as WEP. You mainly want to use encryption to protect your network against passers-by and war drivers looking to make a little mischief.

How you set up WPA differs according to your router. In a Linksys WRT54GX4, log into your router administrator screen, click the Wireless link, then click Wireless Security. Choose your encryption method from the drop-down list, type in an encryption key, and write it down on a slip of paper, because you'll need to use it at each PC. Click Save Settings. After this, you'll have to set up encryption on each of your PCs, using the same key as you used in the router. In XP, on each PC, click the wireless connection icon in the System Tray and click the Properties button. Click the Wireless Networks tab, highlight your network, click the Properties button, and then click the Association tab. In the "Network Authentication" drop-down box, select your encryption method. In the "Data encryption" dialog box, choose TKIP. Next, uncheck the "The key is provided for me automatically" box. Enter your WPA key in the "Network key" box, and type it again in the "Confirm network key" box. Click OK and then OK again. The PC can now connect to your network using WPA encryption. Step 3 -- Filter Out MAC Addresses

Little-known fact: Every piece of networking hardware has a unique ID number, like a serial number, called a MAC address. No two pieces of networking hardware have the same MAC address. A MAC address looks something like this: 00-08-A1-00-9F-32.

You can use these MAC addresses to keep out intruders. Many routers let you permit only certain MAC addresses onto the Internet. You can tell your router to let in all of your computers, and keep everyone else out.

Again, how you do this varies from manufacturer to manufacturer, and even from model to model. On a Linksys WRT54GX4, log into the administrator screen, and click the Wireless link, and then Wireless Network Access. The Wireless Network Access screen appears, with boxes labeled MAC 1, MAC 2, and so on, up to MAC 50. Select "Permit only PCs listed to access the wireless network. Scroll to the bottom of the screen and click "Select MAC Address from Networked Computers." From the screen that appears, make sure all the boxes are checked, and click Select. You'll be sent back to the Wireless Network Access screen. All the MAC addresses that you check will be automatically filled into the boxes next to MAC 1 and so on. Click Save Settings. Now only PCs on your network can connect to it; all others will be blocked.

What happens if you buy a new computer, and want it to get onto your network, or you have a friend over who wants to use your network? You just need to find their wireless adapter's MAC address and pop it into a MAC box on the Wireless Network Access screen. To find out the network adapter's MAC address, choose Start-->Run, type command, and press Enter. A command line box will open. Type ipconfig /all and press Enter. Look for the numbers next to "Physical Address," such as 00-08-A1-00-9F-32. That's the MAC address. Copy that number into a MAC box on the Wireless Network Access screen, and that computer will be allowed to connect to your network. When you copy the number, don't include the hyphens. Step 4 -- Limit The Number of IP Addresses on Your Network

When one of your computers connects to your network, your router gives it an IP address, which every computer connected to the Internet needs in order to browse the Web.

Normally, your router just hands out these IP addresses willy-nilly to all comers. So any time a nearby wireless PC asks for an IP address, your router blithely hands one over, no questions asked. Friend or pest all get them.

But you can tell your router to only give out a certain number of IP addresses—one for each computer on your network. How does this help you? If the computers on your network use all the available IP addresses, it prevents your router from assigning an IP address to an intruder trying to connect to your network.

This trick varies somewhat from router to router. In the Linksys WRT54GX4, log in as an administrator and go to the Setup screen. In the box next to "Maximum Number of DHCP Users:" type the number of computers that will use your network, (both wired and wireless), and click Save Settings. That's all it takes. Now intruders won't be able to get IP addresses to get onto your network. If you add another computer to your network, make sure you go back to the Setup screen and increase the number of DHCP users by one. Step 5 - Sniff Out Wireless Intruders

Even if you've taken every possible step to keep out wireless intruders, there's a chance that someone can slip into your network. So you should regularly check to see whether someone's where he shouldn't be -- on your network. And if you find someone, kick them off. One way to do this is to get the free program, which will keep a weather eye out for wireless intruders, and when it finds any, tell you they're on your network, show you their activity, and even send them alerts telling them that you know they're using your bandwidth. Get it from http://home.comcast.net/~jay.deboer/airsnare.

Step 6 -- Use Firewalls On All Your PCs

The truth is, one of your best ways of protecting yourself isn't to protect your network itself -- it's to protect individual PCs on it. If an intruder makes his way onto your network, but then can't touch any of your PCs, the only damage he'll be able to do is steal your bandwidth. So use a firewall on each of your PCs.

At a minimum, turn on XP's firewall, which is turned on by default. But the XP firewall won't block outbound connections. So get a better firewall. The free version of ZoneAlarm, available from ZoneLabs, provides excellent protection. You can also buy any of the many for-pay firewalls and security suites as well. 0

SUBSCRIBE TO OUR NEWSLETTER
Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like


More Insights