Thursday, January 22, 2015

How to secure your home WiFi

These days most people have a home wifi network, yet it's my experience that very few people (even technically minded people) know how to properly and completely secure their wifi network.  So here is my guide to securing your home wifi network.

First, I'll briefly cover why you should secure your home wifi.  There are multiple reasons, all of which revolve around protecting you and your privacy.
  1. Keep others (like your neighbors) from freeloading off your Internet which you pay for.
  2. Keep the data on your network from prying eyes.  Even if an attacker doesn't use your network to access the Internet they can still monitor your network in hopes of grabbing things like credit card numbers.
  3. Protects you from a possible lawsuit.  Suppose someone uses your wifi and downloads illegal material.  Since they did it using your network you could be held liable for their actions, even though you didn't know it was happening.
  4. Keeps you safer from viruses, malware, trojans, etc.  Suppose your neighbor is stealing your wifi and they get a virus - since they're on your network now you're more vulnerable to getting infected.

So here are my top 17 recommendations of things to do to protect yourself and secure your wifi network.  Since every router is different I can't tell you exactly how to implement the following; you'll need to research your specific model.
  1. Buy your own wifi router.  Many times the ISP (e.g. ATT, Charter, or Comcast) will give customers a free wifi router.  These are almost always garbage and should not be used.  First off, their router is likely to have security holes in it, and the manufacturer is not likely to publish an updated firmware fixing the problem.  Also, some ISPs have a feature whereby they turn your home wifi router into a "wifi hotspot" for anyone else who's a customer.  So other people might be sharing your connection with your ISP's permission, and there's nothing you can do to disable it (yes, it's an isolated network so in theory they can't access your files, but it still uses your bandwidth and electricity).  So I recommend ditching their free wifi router and buying your own.  If their wifi router is integrated with the modem (a.k.a. a gateway) then look in the settings for a way to disable the wifi access point and add your own router.
  2. Update the firmware of your router.  Good router manufacturers release updated firmware from time to time that adds new features and (most importantly) fixes security issues.  So check for an update and install it if available.
  3. When buying a router, use a well-known and trusted manufacturer.  If a manufacturer makes a lot of routers, chances are they have worked out the security flaws in the operating system of the router whereas that no-name manufacturer may have lots of issues.  Probably the biggest router manufacturers are Asus, Belkin, Cisco, D-Link, Linksys, and Netgear.  Of these, I personally prefer Netgear, Asus, and D-Link.
  4. Enable the strongest wifi security available to you.  WEP is awful, don't use it.  WPA is good, but WPA2 is better.  TKIP is okay, but AES is stronger.
  5. Disable WPS (Wi-Fi Protected Setup).  This feature (which might go by other names) is a convenience feature where you press a button on the outside of your router then you can connect a device without having to input your wifi password.  It can be convenient, but there is a well-known security flaw in the design that allows an attacker to gain access to your network in a few short hours.  So disable it!
  6. Disable access levels and points you're not using.  If all your devices are 5GHz then disable the 2.4GHz band. If all your devices are wireless-N, then disable wireless-A/B/G.  The idea is to minimize the ways in which someone could try and access your network.
  7. Disable remote administration.  Most routers allow you to remotely log in to them via the Internet.  Chances are you don't need this feature, so disable it.
  8. Consider disabling wifi administration.  Most routers allow you to enable/disable the ability to log in to and manage the router from a wireless device.  Assuming you have at least one wired computer connected to the router, disable this feature.  Anytime you need to manage your router, do it from a wired connection.  In the event someone hacks into your network, this at least keeps them from gaining access to the router itself.
  9. Enable HTTPS login for the router management and disable HTTP.  Many routers allow you to log in to the router management via HTTP and/or HTTPS.  Don't use insecure HTTP and always use HTTPS (the S stands for Secure - literally!).
  10. Check port forwarding and DMZ, and disable unless necessary.  All routers offer features like port forwarding and DMZs.  Close any you're not using as each of these is one more security risk.
  11. Use firewalls on all computers and devices within your network.  This helps protect your computers in the event your network is compromised.
  12. Use long complex passwords everywhere.  This includes your router login, the wifi network password, and the DSL login (where applicable).  The longer the better, the more random the better.  Use a password generator if necessary.  The password "myDSLaccount" is easy to crack whereas "zcXZadF0SmIZCspqw9vG9CUf1aj6NYOa" is hard to crack.
  13. Change passwords from time to time.  Maybe once a month.  If someone has hacked in, changing the password locks them back out.
  14. Record all MAC addresses for the hardware you own.  Any good router will show you the devices connected to it, but most of the time it's just a MAC address (10:23:E3:F6:03:1A).  Unless you've taken the time to figure out all your devices and their MAC address(es) then you won't know if someone else is on your network.
  15. Do not use hidden SSIDs.  This used to be a recommended security practice.  But it does nothing good, and in fact has negative side-effects.  Any would-be hacker will be using tools that show them all wifi networks, hidden SSID or not.  So don't fool yourself into thinking you're safe.  It has also been shown that hidden SSIDs reduce the battery life of your portable devices, because the device constantly has to verify that the hidden network is in fact the one it thinks it is.
  16. Don't put personal info into the SSID.  Don't have an SSID of "StephensWiFi" or "375PalmAve."  SSIDs like this compromise your personal info and/or give away your location.  If someone wants to hack into your network, don't make it easier for them.
  17. If you have friends and family visiting, enable the guest SSID(s), use a strong password, and give them access to the guest account.  This keeps them off your main secure network.  If you're not expecting friends or family, then disable the guest SSID.  Again, expose as few avenues of attack to hackers as you can.
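Step 14 is the one item in this list you can turn into a routine check: keep a list of the MAC addresses you own and compare it against whatever the router reports as connected.  The script below is an added example, not something from the original post.  It assumes the router exports its DHCP leases in the dnsmasq one-line-per-lease format (expiry, MAC, IP, hostname, client id); the lease lines and the owned-device list are constructed sample data, and the parser is the part to adapt for a router that exports a different format.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Step 14: MACs of hardware you own, in whatever notation you wrote them down.
# Constructed sample values (the first one is the address quoted in the post).
KNOWN_DEVICES = {
    "10:23:E3:F6:03:1A": "laptop",
    "a4-5e-60-01-02-03": "living room TV",   # Windows-style separators are fine
}

# Constructed sample of a dnsmasq-style lease file: expiry mac ip hostname client-id
SAMPLE_LEASES = """\
1421900000 10:23:e3:f6:03:1a 192.168.1.23 laptop 01:10:23:e3:f6:03:1a
1421900100 a4:5e:60:01:02:03 192.168.1.40 living-room-tv *
1421900200 00:11:22:33:44:55 192.168.1.77 android-9f3c2 *
"""

@dataclass
class Lease:
    mac: str
    ip: str
    hostname: str

def normalize_mac(mac: str) -> str:
    """Canonical form (lowercase, colon-separated) so 10-23-E3-... and 1023e3... compare equal."""
    digits = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_leases(text: str) -> list[Lease]:
    """Parse dnsmasq-format lease lines; blank or short lines are skipped."""
    leases = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        leases.append(Lease(normalize_mac(fields[1]), fields[2], fields[3]))
    return leases

def unknown_devices(leases: list[Lease], known: dict[str, str]) -> list[Lease]:
    """Every connected device whose MAC is not on the owned-hardware list."""
    owned = {normalize_mac(m) for m in known}
    return [lease for lease in leases if lease.mac not in owned]

if __name__ == "__main__":
    for dev in unknown_devices(parse_leases(SAMPLE_LEASES), KNOWN_DEVICES):
        print(f"UNKNOWN device on your network: {dev.mac} {dev.ip} ({dev.hostname})")
```

Run it against a fresh export from your router whenever you do the monthly password change in step 13; any device it flags is either hardware you forgot to record or someone who should not be there.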

With security there is always a trade-off.  On the one hand there is convenience, on the other is security.  Rarely do they overlap, which means if you want your home network to be more secure, ultimately it will be less convenient for you as the user.  But once you accept this fact you can secure your network and enjoy peace of mind.

2 comments:

  1. Thank you! Any comments for security with the Apple AirPort Extreme base station?

    1. Sorry, I have no experience with Apple routers. So I can't say anything specific about their routers above the general recommendations in this blog post. Good luck.
