Comcast's High Speed Internet service is a wonderful thing, and many of us have come to depend on it for many things, from sending email to friends and family, to playing games, to managing our finances, to working at our jobs at home. In households where there is more than one computer, it's becoming more and more common to see routers used to network these computers together to share the same Internet connection. Wireless routers are a very popular choice, especially with laptop users and in those places where it's impractical to run an ethernet cable. But along with them comes some extra security concerns specific to wireless that should be addressed so the user's computers and network are not exposed to needless risk from the more unsavory elements in the Internet community. Since you do not need direct physical access to use a wireless router, how do you ensure that only you and those you approve can use your router? Thankfully, that's an easy question to answer. The router itself can help you with this, it has many configurable options that allow you to control its wireless function so that you can be as secure as you like.
I'll walk through a typical wireless router setup using the Linksys WRT54G as my example. I'll describe the various options that effect wireless security and you can decide what settings are right for your particular situation. Wireless routers come in all shapes and sizes and they don't all share the same options, so I may describe an option your router doesn't have, or you may have an option mine lacks. When in doubt, RTFM. Let me say that again, READ THE DARN MANUAL! Phew, glad I got that off my chest. Your router's manual is an invaluable source of information about your specific model, use it.
At the bottom are links to other posts which describe connecting to a secured router from XP, Vista, and a Mac.
Here come the details, so take a deep breath and dive right in...
To change these router options, we're going to be using the WRT54G's Web based Setup pages. Most routers have a tiny built-in webserver you can just point your favorite browser at, login, and make whatever changes you need. On my router, I simply use http://192.168.1.1 (which is just the router's LAN side IP address). This is pretty standard on most Linksys routers. Other manufacturers might use http://192.168.0.1 or http://192.168.2.1, or http://10.0.0.1, for example. Consult your pesky documentation for what you should use on your router. Once connected, you should be presented with a login dialog that looks similar to this. Enter the router's administration password and press OK. The default password on Linksys routers is usually "admin" with no userid. You should then see your router's home page. Take a few minutes, poke around and familiarize yourself with the way your router's website works and where the various pages and options are. One important thing to note with Linksys routers, once you make a change to an option, be VERY CERTAIN to click on Save Settings at the bottom of the page or you will never actually turn that option on. So anywhere I say change an option, remember to hit Save before you continue to another page or the change will be lost. You have been warned .
Now let's get right down to the security changes:
1. Change the router's administration password. Strictly speaking this option has nothing to do with the wireless function itself but since it's such basic security, it bears repeating. Your router comes with a default password, but everyone knows what this password is, so it's no protection at all. Change it to something only you know. On the WRT54G, go to the Administration --> Management page, enter the Router Password and confirm it. Then press the Save Settings button at the bottom of the page. You will be presented with a logon dialog again, just use the new password.
2. Disable the ability to get to the router's web setup pages from a wireless system. This is probably of minor usefulness, but I like to be as thorough as possible. Disabling this option means you have to use a system directly connected to the router (or through the Internet, more on that in a minute) in order to make changes to the router. A couple of caveats here. If you only have wireless systems, leave this enabled or you won't be able to control your router! Also, if you're doing this procedure from a wireless system, you'll need to move to a wired system to complete further changes. So think about your needs before clicking here. On the WRT54G, this option is "Wireless Web Access" on the Administration --> Management page. Don't forget Save Settings to lock the change in.
3. Disable the ability to control to the router from the Internet. By default this option ("Remote Management") should be disabled and you should leave it that way unless you have a specific need to allow this. Valid reasons include: you're away from home and need to adjust the VPN passthrough settings, or you want someone on the Internet to help you do some troubleshooting, etc. Bear in mind that you have no control over WHO on the Internet is allowed to connect, other than controlling the password. Think long and hard before enabling this option. If you do, consider using HTTPS so that information going back and forth to the connected user is encrypted and protected from prying eyes. You will find this option on Administration --> Management page.
4. Disable UPnP. This is just plain evil and allows a program to configure the router without your knowledge. Unless you have some very specific need for this, disable it. Again, on the Administration --> Management page.
Disable SSID broadcasting. By default, most wireless routers sit around constantly shouting to anyone in range who can listen "HELLO OUT THERE! I'M RIGHT HERE AND MY NAME IS XYZ! COME USE ME!". Not very secure. What you want is an access point that sits there quietly and unobtrusively until someone comes along who already knows the access point is there AND knows its name. In order words without foreknowledge, the access point is mostly invisible. Now the more knowledgeable among you might be saying "Hold on, that's not true!" and you'd be technically correct, but this will prevent the majority of ne'er-do-wells from finding you, and that's a good thing. It's true a really smart and determined hacker will still know you're there, but that requires smarts and effort which is severely lacking in your typical script-kiddie. Now when you do this, the onus is now on you to specifically configure your various wireless clients with the proper (case sensitive) SSID for your wireless router. Since the router is no longer broadcasting, you can't bring up the XP wireless client (for example) so you can see your router. You have to add it by hand. This is a simple process, just see the instructions for your wireless client on how to do this. Change this option with Wireless SSID Broadcast set to Disable on the Wireless --> Basic Wireless Settings page and press Save Settings. EDIT 08/24/2011: I have decided to remove this section, not because it's a bad idea (I do it here), but because it has the side effect I mention above about making it harder to connect (which is it's purpose). With the proliferation of wireless devices (cell phones with WiFi, iPads, laptops, blue-ray players, game systems, etc), more and more folks with limited wireless knowledge find connecting to their router much harder if the router is not broadcasting. After trying to explain unsuccessfully to countless people why their wireless network really IS there, I've decided this option is more trouble than it's worth for most folks. So from now on, I only recommend this option for people who have a solid technical understanding of their wireless network and how turning off SSID broadcasting effects their wireless client setup.
6. Change the default SSID (or Service Set Identifier) to something unique. A wireless access point has to have a name associated with it called the SSID. All the access points (there might be more than one, but in our setup there is only one, the wireless router itself) in a single wireless network will share the same name and the same security setup. Most routers come with a default value here. For example, all Linksys wireless access points have a default SSID of "linksys" (original, huh?) You want to give your router a unique SSID that only you know. The SSID must be no more than 32 alphanumeric characters and it IS case sensitive, so that "charlie" is different and distinct from "Charlie". Supply your chosen SSID in the Wireless Network Name field on the Wireless --> Basic Wireless Settings page.
7. Enable Wireless MAC filtering. Please do not confuse MAC (media access control) address with the Apple Macintosh computer, they are two totally different things. Each wireless adapter has a unique hardware address that can be used to identify that particular wireless adapter. The router has the ability to accept or deny connections based on this MAC address. You can set this up to deny or allow access to a list of specific MAC addresses. I use the more restrictive of the two, which is only allow access to MAC addresses I have listed. On the Wireless --> Wireless MAC Filter page, select Enable for Wireless MAC Filter, select Permit only, press Save Settings, then press Edit MAC Filter List, enter your wireless adapter's MAC address in the list, press Save Settings and you're done. To find your adapter's MAC address, on XP/2K /ME, use the command ipconfig /all and find the Physical Address field for the wireless adapter. On 95/98, use winipcfg and select the wireless adapter, you're also looking for Physical Address. On Linux, use /sbin/ifconfig and you're looking for "HWaddr". On the Mac, ifconfig also works in the Terminal, and here you're looking for the "ethernet" field which is kind of misnamed, or you can also use Applications:Utilities:Network Utility and on the Info tab select the wireless adapter (on my PowerBook, it's en1) and you want the Hardware Address. For those that have lots of people or devices coming and going and want to allow access, this option can be troublesome and I would recommend turning it off in those situations. Also remember this a year down the road when you have a fancy new iPad that you are trying to connect and it won't work, did you remember to add the new device's MAC address to the table if you this option enabled?
8. Turn on wireless encryption. This is the single most important thing you can do to secure your wireless router. There are two main encryption methods in use at this point, the older and not very secure WEP, and the newer, more secure WPA. Unless you have some overriding reason to use WEP (like your adapter driver won't support WPA), stay far away from it. It's easily cracked and there are open source programs that do this. Last resort use only and then you must change the keys OFTEN (once a week at least). Always use WPA whenever possible. To activate WPA, go to the Wireless --> Wireless Security page, select WPA Personal for Security Mode, AES for WPA Algorithms(don't select TKIP, it's been partially cracked), and some phrase for the WPA Shared Key. The key phrase must be between 8 and 63 characters long. the more random the better. Short phrases made up of common words found in the dictionary are not good choises since there are brute force dictionary attacks that can crask WPA if you choose such a weak passphrase. If you have WPA2 Personal avaliable to you, that's a better choice than WPA Personal since it requires AES. Press Save Settings to save the changes.
Mac OS X Wireless Client Configuration
If you are configuring a laptop like a PowerBook and use more than one wireless access point (or WAP) regularly, you can create new locations using the Apple -> Location -> Network Preferences -> Edit Locations option. For example, you can have a Home and a Work location, each of which has their own default secured network, or maybe you often meet friends at Starbuck's, you can create a location for that network as well. You switch locations easily by using the Apple menu on the menu bar, Apple -> Locationand select the location you want. Makes going back and forth from your home network to the network at the office (or anywhere else for that matter) very simple.
XP Wireless Client Configuration
Windows Vista Client Configuration
26-Apr-2005 Added Mac OS X Panther client instructions
02-Mar-2008 Added Vista setup link
07-Nov-2008 Changed TKIP to AES as the preferred encryption algorithm
08-Nov-2008 Removed old Mac instructions, replaced with link to post with Mac instructions
18-Nov-2008 Added XP instructions link, finally!
24-Aug-2011 Changed my stance on #5 SSID broadcasting