Print
The first thing you should do if your working with a new router is to change the default user name and password. Leaving the defaults in place is like leaving the front door open, and anybody within range of your router can gain access to your network, no matter how strong your wireless encryption password is. Some routers also give you the option to “remotely configure” or “remotely access” your router. You’ll want to make sure that these are disabled. Basically this feature gives you the ability to access your router configuration via the Internet. Sounds innocent enough, but I honestly can’t think of a circumstance where this would be useful, and you simply expose another surface for attack.
It is also a good idea to change your routers SSID (Wireless Network Name). Broadcasting to the world that you are using a Linksys for example might not be a problem if you’ve changed the default passwords, but the trick to security is to always keep your attackers guessing. Many routers give you the ability to make the wireless network invisible, but don’t bother with this feature. Setting your network to invisible might keep people from accidentally latching on to your connection, but anyone using the right tools can find it easily. A very common security mistake with wireless routers is to set them to “invisible” and then run with no security. All of your data is still being transmitted in the clear and don’t kid yourself, the bad guys won’t be fooled. Security through obscurity alone isn’t enough to protect your wireless network.
Plugging devices in using the RJ-45 Ethernet connectors on your router is the safest way to setup your home network, but let’s face it, its rather inconvenient. Wireless networking has made it possible to roam around the house and connect devices no wire could ever reach, but its important to remember that it comes with a slew of security considerations. Everyone has heard the terms WEP, WPA, WPA2, etc tossed around, but what is the best option? When it comes to wireless security, WPA2 is always the way to go, but WEP is still better than nothing at all. Here is a summary of the most popular options.
Connecting to an unsecured wireless access point is like having a conversation in public. Anybody within range of your signal can see the information passing through the air “in the clear”. This basically means that when you type in your usernames, and passwords, they can be easily recorded by anyone who feels the need to listen in. The same is true outside of your home when you connect to unsecured wireless hotspots, so beware of what services you login to on open networks. Sessions on open networks can still be conducted safely if you notice an “https://” in the address bar (also look for the lock icon in your browser).
Running with no security on your home router doesn’t just allow your neighbors to share your Wi-Fi, but in addition to monitoring and recording your sessions, they can also access shared drives on your machines that are connected to the network. On my last vacation I got a kick out of browsing through peoples iTunes libraries that automatically appeared courtesy of the unknowing souls who were connected to the hotels wireless network. Logging into a VPN will also allow you to safely work on unsecured wireless networks, but if you don’t know what a VPN is, you probably don’t have access to one.
Wired Equivalent Privacy might sound like a fancy and secure acronym, but sadly it’s a flawed, and painfully inadequate encryption method. WEP is generally good enough to keep out nosy neighbors, but it can be easily cracked within minutes using freely available software tools, so it’s definitely not to be trusted for your everyday use. Some find themselves using this method to ensure backwards compatibility with older devices such as the Nintendo DS, but anyone who wants to get into your network can do so in a matter of minutes. Some routers offer the ability to enable a “guest mode” and run a separate unsecured or lower security network in addition to something stronger, but these generally still aren’t recommended.
If you absolutely must maintain a WEP or No Security enabled router, the only safe way to go about this is to create a “Y” configuration with one router just for your insecure WEP traffic, and a third for trusted WPA capable devices. To do this you need to have a central router to connect you to the Internet, and then have a WPA access point and a WEP access point. Basically you would be running two wireless networks. One is secure, and one is not. With this configuration, even if someone cracks your WEP protected router, the best they can hope for is to mooch off your Internet connection. Fancier solutions to this problem exist, but with consumer grade routers going for around $20 these days, you won’t find anything cheaper.
Wi-Fi Protected Access was implemented to replace the much weaker WEP encryption mentioned above, but we now know that it too is vulnerable to attack. The underlying encryption method behind WPA is called TKIP (Temporal Key Integrity Protocol) and it is now known to be vulnerable to a “key stream recovery attack” that will allow hackers to inject packets onto your network.
For the most part this attack isn’t as serious as those found on the WEP side, because it doesn’t actually review your master key, and they still won’t be able to eavesdrop on your session or monitor your traffic. Of course, once they start injecting code into your connection, the possibilities are endless, but most home users can get away with running this if they have devices that don’t support the newest WPA2 encryption method.
This setting typically isn’t for home users, and is designed to work with a RADIUS server which allows for centralized authorization of clients.
Wi-Fi Protected Access 2 replaces the beleaguered TKIP encryption from its predecessor with one of the most powerful algorithms available, AES. Advanced Encryption Standard is a robust, lightweight solution, which only has one known weakness, a brute force attack. Somebody wishing to crack into a WPA2 protected network will need to try random combinations in the hopes of guessing your passkey, that’s why its important to avoid using common dictionary words. The headline “WPA has been cracked” has been in the news recently, but rest assured this applies to WPA, which uses TKIP, and not WPA2, which exclusively uses AES. Some routers will offer the ability to run both WPA and WPA2 encryption on the same wireless connection, but keep in mind your security is only as strong as the weakest link. This approach should be taken only if you have hardware that won’t work with WPA2.
Pretty much every new client device I’ve tested within the last five years (except the Nintendo DS) supports WPA2. This offers up unbeatable protection that will allow you to fearlessly do even your banking from any room in the house. Of course, any encryption is only as powerful as the Pre-Shared Key (pass-phrase) that you select as your password. WPA2 is still vulnerable to “brute force” style attacks which attempt to guess your pass phrase, and they often try combinations from various common passwords. Simple word combinations might “feel secure”, but these simply aren’t enough these days to keep out a determined brute force attacker. New GPU assisted crackers have significantly improved the efficiency and viability of brute force, so as a rule of thumb, your password shouldn’t be easy to remember.
Want to grab a random and secure password? Surf over to the passwords section on GRC to get a peek at what a really strong password looks like, or grab one that is randomly generated for you. With one of these passwords protecting your router, a brute force attacker is more likely to die of old age (or get evicted from his parents basement) before he ever breaks in.
Comments are closed on this article
nduanetesh
November 30, 2009 at 8:52pm
So, say I want to use another wireless router to expand the range of my current wireless network. Basically, I want to use a router as a repeater or range expander. The two routers will be too far apart to connect via an ethernet cable. Can this be done with a regular router? How would I set that up? Or do I need to buy a real "wireless range extender" (which, ironically, is more expensive than a router)?
Thanks for the help!
IFLATLINEI
October 06, 2009 at 2:53pm
As already stated this is nice for the novice but even still these guides are a dime a dozen. Maybe the article writer should have done a google search. He would have seen them all over the place. Not to mention most of this stuff can be found right at the manufacturers site.
The Ultimate router guide would have included so much more that you cant get anywhere else. Like actual test results for a number of different brands and models. It would cover things like how many consumer grade routers fail to follow your port forwarding instructions 100% of the time or that you can DMZ a PC or Console and still have ports blocked. Or how quickly these things are overloaded.
Funny how testers will tests the living crap out of a Processor, HDD, Ram, but put out junk like this for a router guide. Isnt it time to expose these router companies for what they really are? Show the consumer how and why wireless really isnt for what they think its for. Like gaming.
pfjaco
October 06, 2009 at 11:00am
Come on Guy's the easiest way to add more RJ45 ports is with a network switch you can get them up to 1 Ghz with 4,8,or12 ports, or more if you go with an enterprise unit; plug the uplink from the router into port 1 of the switch (or the link port if one is specified) and and you're good to go with no IP address hassels; you can even stick a WAP into the switch if you need another wireless point.
Justin.Kerr
October 07, 2009 at 9:25am
This is a "router guide" not switch guide, but yes using a switch would be easier.
I would however qualify that by saying going with a new switch won't save you any money, and is less versatile in the long run. Not only that, but your more likely to have a spare router kicking around from a previous upgrade than a spare switch.
thefuzz4
October 06, 2009 at 10:41am
Of cours in windows if your wondering what networks are around you for finding a clear channel you can use net stumbler.
But for us linux users out there I recently discovered a very awesome tool called kismet. Kismet will not only sniff out all of the wireless networks out there but through packet sniffing will also find out the names of your networks that are not broadcasting. I found a neighboor who was not broadcasting and also had their network wide open I couldn't believe they went the step of turning off the broadcast but didn't lock it down that was about useless. If your a linux user try out kismet it's a little tricky to get setup but one it is, it's awesome.
mrvander
October 06, 2009 at 9:37am
First off, good article. Articles like these are the reason I come to MaxPC.
You write contradictory statements though early on. You write,
"...but the trick to security is to always keep your attackers guessing. Many routers give you the ability to make the wireless network
invisible, but don’t bother with this feature. Setting your network to
invisible might keep people from accidentally latching on to your
connection, but anyone using the right tools can find it easily."So you say to always keep attackers guessing then in the very next breath, say to ignore a feature that adds yet another layer of "guessing. That's just silly. Of course, if you're securing your router and don't need to broadcast it, why not turn off broadcasting? You know the SSID and as you say, the trick is to keep the attackers guessing and each layer helps.
Turn off that broadcast and maybe your neighbors more visible router will be attacked and not yours.
Justin.Kerr
October 07, 2009 at 9:30am
My point was simply that it dosn't offer (any) security beneift, and isn't worth the hassle.
Keep them guessing at your password, not your SSID which is being broadcast in the clear even if you turn it off.
WarCrime342
October 06, 2009 at 3:22pm
If I may say I think the point he's trying to get at is that it's not worth the headache or the effort to make it invisible if an intruder just side-steps with a click of the mouse. I've had my fair share of devices that have issues connecting to invisible Wi-Fi networks and it's not very practical to put into use in order keep out a hacker. Having a password and MAC Authentication list would be enough to keep unwanted roamers from connecting.
UndeniablyPC
October 06, 2009 at 4:54am
This article is pretty much useless in regards to security IMO.
Yea, it does tell you to change the default password and does tell you that essentially that WPA2 is the only way to properly encrypt a wireless signal without compromising security, but it really doesn't provide ample coverage in regards to the actual firewall settings in order to lock the router down.
In the matters of the router firewall it fails in my opinion to talk about stateful packet inspection, and how to properly configure your ports to allow only specific types of traffic through. Yes, port forwarding and QoS are important features, but they do nothing when it comes to the actual security of the network.
Also, in the area of security they should have mentioned the fact that users should only have a certain number of IPs allocated to their internal network, i.e. if you are using only 3 computers, only give your network a grand total of three IPs. Also those IPs should be associated with the specific MAC addresses of those machines. This way if someone does happen to find the network, they are unable to obtain an IP on the network. These steps are prudent when you are dealing with both a DHCP and static IP architecture. IMO.
But, I will digress and give you guys credit where it is due, as this guide will help the novice get a little better understanding in regards to the settings of their router.
Saltboy
October 06, 2009 at 5:34am
Spoofing a MAC address is a cake walk. It really is a waste of time as that is the first thing a person that knows what they are doing tries. Right now, WPA2 is about all that is useful for keeping folks off your network.
Justin.Kerr
October 07, 2009 at 9:37am
If Mac address filtering is your only means of security, it's not enough, and is easily defeated. On the other hand if you have a strong WPA2 implementation, this is an unnecessary step. To each their own.
ironorr
October 06, 2009 at 12:17am
A really easy way to find out what WiFi channels your neighbors are using is to use this command in Windows:
cmd /k netsh wlan show networks mode=bssid
It's not as pretty as the GUI example you showed, but it gets the job done quickly.
whr4usa
October 05, 2009 at 10:30pm
potentially extremely useful article as per usual MaxPC!
noticed a couple errors on terms and grammar (I agree with first poster Lolz)
W-LAN, WiFiLan OR WLAN but not just WAN
wireless networks are still Local Area Networks but a WAN is a Wide Area Network is owned and maintained by a single ISP (usually) even if its resources (bandwidth, server clusters etc.) are shared or contracted out
you won't find any accurate home wireless networking information by googling (...or Binging) 'WAN'
also a router having a DHCP server has little to do with sharing an Internet connection (ICS or NAT ring a bell..?) 192.168.0.x & 192.168.1.x are Class C Private IP addresses which esidential routers won't route, they just get looped/broadcast back across the network from which the original signal came which can eat up bandwidth at regular intervals, hence the reason for including a DHCP server for efficiency and better management but not in any way enabling the sharing of that priceless Internet connection
one more 'also' lol to implement that router stacking solution you must or rather 'should' (network appliances keep getting smarter so what do I know anyways?) set the gateway in each of the stacked routers to the static IP of the router closer to the Internet than them in terms of wiring or physical connections so that the Internet connection is directly processed instead of adding overhead to the routing firmware (this assumed you plugged the more distant routers into each closer router's main port labeled "Internet" (usually, aka physical residential gateway port)
confuse anybody yet?
ironorr
October 06, 2009 at 12:37am
Yeah, I'm guessing you will confuse many people with that garbled mess. Jesus. Did you even read that before you posted it? Do you not feel like a total hypocrite for commenting on the author's grammar?
whr4usa
September 09, 2010 at 1:04pm
I apologize for my poor spelling & typing
grammar is fine though!!
DBsantos77
October 05, 2009 at 10:04pm
I'm actually very surprised to see so many networks using WEP.I'm also surprised that devices like the Nintendo DS Lite vI require a WEP password for online play..
-Santos
lunchbox73
October 06, 2009 at 7:18am
That was a good reminder for me. I had to downgrade to WEP a couple of years ago when I bought a DS for my kid's xmas gift. Now that they don't use it any more I can ratchet back up to WPA2.
