… and getting your configuration right can be frustrating. So I was lucky enough to receive a guest post from Dan Shernicoff (a good friend) of Brassnet blog fame explaining the whole subject. Without further ado, let’s get to it.
Having a secure WiFi network is important to your peace of mind.
Insecure WiFi can have a lot of bad consequences. It can let anyone access your network (and all of the personal data you have on your computers). It can let anyone pretend to be you (just Google Firesheep and you’ll get an idea as to what I mean). It can leave you open to viruses and attacks. The good news is that it’s not hard to secure a WiFi network; you can do it with 6 simple steps.
- Change the SSID – The SSID is the name of the WiFi network. It’s what you see when you go to configure it. All routers have a default name for the SSID, commonly the name of the manufacturer. By changing the name of the SSID you make it harder for a bad guy to figure out what the password is to access the configuration and make changes on you.
- Set up WPA2 – WPA2 is a form of encryption that is used on all the data sent between two endpoints on the wireless network. What that bit of tech speak means is that it takes the data sent from your computer, phone, tablet, Roku, etc. and turns it into gobbledygook that only the access point (router) and the device understand. Since WiFi is basically radio, anyone with a receiver that can pick up the appropriate channel can see everything sent from the computer to the access point and back again; WPA2 makes that information unintelligible to anyone other than the intended recipient.
It’s important that when you’re setting up WPA2 you use a strong password. Since this is a password you’re only going to have to enter once on any given device you should make it long as well. One suggestion might be a group of unconnected words (not a phrase) with some of the letters capitalized and the zip code of your second home. If you want to test the strength of your password you can go to a site like http://www.passwordmeter.com/ to check.
- Disable UPnP – UPnP (Universal Plug and Play) is a network protocol designed to allow devices on the network to open ports on the router. In order to let you know why this is a bad thing I’ll have to go into a bit of networking (and it might get technical). Feel free to skip the explanation and just take my word that open ports are a bad thing.
Ports are a way of letting an individual computer manage multiple network connections at once. Every time you load a web page you are actually opening multiple sockets (a socket is just a fancy geek term for a network connection) and what differentiates these sockets is the port. One of the sockets is downloading the webpage itself while another might be downloading an image and a third is retrieving a script that’s needed for the page to work properly. On the server side all of these sockets are going to the same port (80 being the standard for HTTP data) and the router on the server side knows that data on port 80 gets sent to a specific port (not necessarily the same one) on a computer. Any time a port is open, data from the outside world can go to a computer on the network, and there is no guarantee that the data coming in is friendly. Ideally any port that does not need to be open should be dead (i.e. it doesn’t reply, it just ignores knocks on the door). UPnP lets applications open ports. This is all well and good if the application that is trying to open the port is friendly (maybe that media server you decided to set up), but what if the application that is trying to open the port is a virus? There is nothing preventing a virus author from leveraging UPnP to open ports to let more viruses in – or hackers – and even if you find the virus, the port is open and you’ll never know about it.
- Disable WPS – WPS (WiFi Protected Setup) is a standard that makes setting your network up easy: press a button or enter a PIN and, voila, your network is ready to go. The problem with what sounds like an ideal situation (you don’t need to remember that long password you set up in step 2) is that there’s a hole in the standard that makes it pretty easy to hack, giving anyone with the skills and know-how the ability to be on your network.
- Disable WAN management – WAN management is the ability for someone who’s not on your network (i.e. someone on the internet) to manage your router. That means that if you didn’t change the SSID (step 1) then someone can access your router from afar and do some not too pleasant things (like opening ports – read the techie part of section 3 for why this is bad) and in general make your life miserable, sometimes without you even knowing it.
- Change the admin password – This is the password to the router itself. This password is what you need to know to do all of the things mentioned above. Every router ships with a default username and password – usually printed on the label on the bottom of the router and always searchable. If the password to your router is the default (and for a number of manufacturers that’s username: admin password: admin) then your router is easily hackable with brute force attacks. Since your router is your first (and main) line of defense from hackers you want it to be as secure as you can make it and this one simple step takes care of making it pretty secure.
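For step 2, an added example (not from the original post) that checks a passphrase against the WPA2-Personal format limits, estimates the strength of a random-word passphrase, and derives the key the network actually uses. The 7776-word list size, the sample passphrase and the SSIDs are assumptions made up for illustration.

```python
import hashlib
import math

def check_passphrase(passphrase):
    """Return format problems for a WPA2-Personal passphrase (empty list = valid)."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("must be 8 to 63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        problems.append("must be printable ASCII")
    return problems

def random_words_entropy_bits(word_count, wordlist_size):
    """Bits of entropy when each word is picked uniformly at random from a list."""
    return word_count * math.log2(wordlist_size)

def wpa2_key(passphrase, ssid):
    """WPA2-Personal key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    problems = check_passphrase(passphrase)
    if problems:
        raise ValueError("; ".join(problems))
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

# Constructed sample value, not from the original post.
SAMPLE_PASSPHRASE = "coRal biScuit lanTern ploVer 07030"

if __name__ == "__main__":
    print(check_passphrase("hunter2"))          # too short for WPA2
    print(check_passphrase(SAMPLE_PASSPHRASE))  # valid format
    # Four words drawn at random from an assumed 7776-word list:
    print(round(random_words_entropy_bits(4, 7776), 1), "bits")
    # The SSID is part of the derivation, so the same passphrase gives a
    # different key on a renamed network than on a default-named one.
    print(wpa2_key(SAMPLE_PASSPHRASE, "default").hex())
    print(wpa2_key(SAMPLE_PASSPHRASE, "Harbor-Lane-5G").hex())
```

The entropy figure only holds when the words really are chosen at random; words a person picks by hand are more predictable than the formula assumes.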
That’s it in a nutshell. Follow the simple steps above (and it’s OK if you just read the bullet points and not the explanations) and your network will be as secure as you can make it without a dedicated IT team and a very large budget.
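For step 3, an added example (not from the original post): a UPnP gateway reports each port it has opened as a port-mapping entry, and comparing those entries with the ones you expect surfaces a port that something opened without your knowledge. The responses below are constructed in the shape of the standard `GetGenericPortMappingEntry` reply; the addresses, ports and the `EXPECTED` set are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: GetGenericPortMappingEntry responses in the shape a
# UPnP gateway returns, one per mapping. Not captured from a real device.
TEMPLATE = (
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    '<u:GetGenericPortMappingEntryResponse '
    'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    "<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>"
    "<NewProtocol>{proto}</NewProtocol><NewInternalPort>{int_}</NewInternalPort>"
    "<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>"
    "<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
    "<NewLeaseDuration>{lease}</NewLeaseDuration>"
    "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"
)
SAMPLE_RESPONSES = [
    TEMPLATE.format(ext=32400, proto="TCP", int_=32400,
                    client="192.168.1.20", desc="media server", lease=3600),
    TEMPLATE.format(ext=50123, proto="TCP", int_=50123,
                    client="192.168.1.57", desc="", lease=0),
]
# Assumption: mappings the owner knowingly set up (protocol, external port, host).
EXPECTED = {("TCP", 32400, "192.168.1.20")}

def parse_mapping(xml_text):
    """Extract the New* fields of one port-mapping response into a dict."""
    fields = {}
    for elem in ET.fromstring(xml_text).iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix
        if tag.startswith("New"):
            fields[tag[3:]] = (elem.text or "").strip()
    return fields

def audit(responses, expected):
    """Return one finding per enabled mapping that is not in the expected set."""
    findings = []
    for m in map(parse_mapping, responses):
        key = (m["Protocol"], int(m["ExternalPort"]), m["InternalClient"])
        if m["Enabled"] != "1" or key in expected:
            continue
        # In WANIPConnection:1 a lease of 0 means the mapping never expires.
        lease = m["LeaseDuration"]
        note = "permanent (no lease expiry)" if lease == "0" else f"expires in {lease}s"
        findings.append(f"{key[0]} {key[1]} -> {key[2]}:{m['InternalPort']} {note}")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_RESPONSES, EXPECTED):
        print("UNEXPECTED:", line)
```

When feeding this XML that came from a real device rather than constructed samples, parse it with a hardened parser such as `defusedxml`.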
The Warptest POV
There is very little I could add to this that Dan hasn’t already explained in excellent detail. Thanks Dan.