Secure Your Wireless Network Now!
The beginning of September is a busy time for Boston, with students moving in, and pretty much everyone else swapping apartments. If you got caught up in the moving mayhem and are setting up a wireless network in your new home, take a few minutes to follow this guide and make sure it's secure. I will discuss basic WiFi security and the most common misconceptions associated with it.
Wireless routers can be secured easily, but when you are configuring them, they rarely explain what all of the options they offer mean. With a few minutes' work, you can make sure it's your wireless network and not your neighborhood's. This will help protect your privacy and also prevent others from using your network and drawing the attention of groups like the RIAA which look to blame network owners for everything that happens on their network.
The first important step in securing your network is having the right wireless router or access point. In any home network, you want to have your computer connected to the internet through a router, which will protect your network from malicious machines on the internet which are trying to take over your computer (remember, it's only paranoia if they aren't out to get you). If you already have a wired router which plugs into your cable/dsl/FiOS modem, you'll only need to buy a wireless access point, which adds WiFi to your wired network. However, if you don't have a router, you will need to buy a wireless router, as an access point, alone, is not secure. These days, wireless routers tend to also act as wired routers so you generally will not need to buy both.
If you are not familiar with WiFi, you may wonder about the terms 802.11b, 802.11g, and 802.11n, which you will see when shopping for routers. These are listed in the order they were released. The newer protocols are significantly faster, so you will want to make sure the router at least matches the speed of your computer's wireless network card. Most computers shipped in the last few years come with 802.11g WiFi cards, though Apple's line of Macs has shipped with 802.11n since late 2007. Older computers likely have 802.11b. Prices on 802.11n are coming down, so getting such a router may help you future-proof your network and save you money, as your next computer will probably have a newer WiFi card.
Out of the box, your router is going to have some default settings you need to change. First is the SSID, which will be the name for your wireless network. This should be something unique (the default names can easily cause confusion and have even led to neighbors configuring each other's networks) and it is good if it is also long, as the SSID is part of the encryption that will be used. The second thing you want to change is the administrator password for your router. More and more often, malicious websites and programs are trying to reconfigure routers, so a good strong password should be used here (more on passwords in a minute). This password is different from the encryption key, which is discussed below; the administrator password is what you provide the router in order to change its settings.
The center of wireless security is data encryption. For encryption to be effective, you need both a strong encryption algorithm and a strong password (called a key). Your router will offer you a host of options for encryption: WEP, WPA, WPA Enterprise, WPA2 and so on. At this point, WEP is really a no-go for security. It is an example of a weak encryption algorithm. It has been broken so badly that no matter how strong your key is, it can be determined by an automated WEP cracking program in minutes. Encryption is like a door lock—anyone with the key can get in—so WEP should be avoided if possible. That being said, older computers may only be able to use WEP encryption. WEP is better than nothing and will prevent someone from casually or accidentally accessing your network, so go ahead and use it with any password you like, as a strong password won't help more than a weak one against a malicious neighbor, or more likely, a neighbor who has a malicious virus on their computer. (A note to WEP users: you still need a strong administrator password to the router itself.) It is important to emphasize that breaking WEP or getting around other insecure setups does not require masterful hacking skills, because those skilled hackers have made tools anyone or any computer virus can run. The strong encryption of WPA is our solution to this problem.
For everyone who can use WPA, you absolutely should. Home users should use normal WPA or WPA2, though it's not terribly important which you choose. Using the enterprise version of WPA will unnecessarily complicate your life. WPA uses two pieces of data to encrypt your network (here is where having a long SSID comes in): the network's SSID and the key. WEP, as you might have guessed, is fundamentally flawed in and of itself. WPA is much better, but it still has its vulnerabilities. Those vulnerabilities come from using a short key with a common SSID. After you have chosen an SSID, you need a good key. Unlike your internet passwords, you need to enter this key rarely, so you don't have to remember it. This is great for security because we can use a truly random key that is as long as possible. Check out GRC.com's password generator, which will give you exactly that. When you go to the site, it will provide you with a few different passwords. For WPA, use the first one the page gives you (the 64 hex characters). Save this password in a text file where you will not lose it (if you do, you can reset your router and do this again, so you will never be permanently locked out of your network), and you can just copy and paste it from that file whenever you need it. If you have a USB thumb drive, just drop the file on it so you can easily move the key from computer to computer. For iPhone users, or anyone else who has to type their key in manually, you can use fewer characters, though you should stay above twenty if possible.
The reason to use long passwords is that they are hard to guess. A ten character hex password has one trillion possibilities, but a computer can guess very quickly, so one trillion is not that large a number. A 64 character password on the other hand has a number of combinations so high that it is on scale with the number of atoms in the universe, making guessing your encryption key as close to impossible as you could possibly hope for.
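The SSID-plus-key relationship and the key-length arithmetic above can be checked directly. This is an added example, not code from the original article: in WPA/WPA2 personal mode a passphrase of 8 to 63 characters is stretched with PBKDF2-HMAC-SHA1 using the SSID as salt, while a 64-hex-character key is used as the raw 256-bit key. The SSIDs, passphrase and guess rate below are constructed sample values.

```python
import hashlib
import string

def wpa_pmk(key: str, ssid: str) -> bytes:
    """Return the 256-bit master key a WPA/WPA2 personal network derives."""
    if len(key) == 64 and all(c in string.hexdigits for c in key):
        # 64 hex characters are taken as the raw 256-bit key itself;
        # in this mode the SSID is not mixed into the key.
        return bytes.fromhex(key)
    if not 8 <= len(key) <= 63:
        raise ValueError("use an 8-63 character passphrase or exactly 64 hex digits")
    # Passphrase mode: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes out.
    return hashlib.pbkdf2_hmac("sha1", key.encode(), ssid.encode(), 4096, 32)

def hex_keyspace(length: int) -> int:
    """Number of possible keys made of `length` hex characters."""
    return 16 ** length

def years_to_exhaust(length: int, guesses_per_second: float) -> float:
    """Time to try every hex key of this length at an assumed guess rate."""
    return hex_keyspace(length) / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    passphrase = "correct horse battery"
    for ssid in ("linksys", "Allston-Apt-3B-constructed"):
        print(f"{ssid:28} {wpa_pmk(passphrase, ssid).hex()}")
    # Same passphrase, different SSID -> different master key, so a table
    # precomputed for a factory-default SSID is useless against a unique one.

    rate = 1_000_000  # assumed guesses per second, not a measured figure
    for n in (10, 20, 64):
        print(f"{n:2} hex chars: {hex_keyspace(n):.3e} keys, "
              f"{years_to_exhaust(n, rate):.3e} years at {rate:,}/s")
```

At the assumed rate, the ten-character key space is exhausted in under two weeks, while the twenty-character minimum suggested for hand-typed keys already takes far longer than the age of the universe.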
There are a few common misconceptions with WiFi. The first is that setting your router to not broadcast your SSID will prevent others from connecting to your network. When SSID broadcasting is disabled, the router will not formally announce itself to computers, but it does send its name, unencrypted, with its communications. Because it sends its name unencrypted, an automated WiFi cracking tool, like the ones I mentioned that defeat WEP so handily, will see these communications and know that your router exists. While it doesn't inconvenience malicious people or programs, hiding your SSID will probably cause you some grief, because every time you need to set up the WiFi on a computer, it will take you more time. This is a technique you should avoid. The second misconception is that MAC address filtering is a good way to secure a WiFi network. A MAC address is a unique number given to each modem or networking device when it is created, and it seems like a good idea to say that only the MAC addresses of your computers can connect to the network. In reality, it does not provide security, since any computer, modem or networking device can pretend to have any MAC address it wants. The same programs which aren't bothered by hidden SSIDs will just usurp your MAC address and bypass that attempt at filtering. In both these cases, as well as others not discussed, these alternative "solutions" for WiFi security only inconvenience humans and can be ignored wholesale when WPA is being used with a long key.
This primer for WiFi security should get you started with your own network. For help setting up your specific model router, check the manufacturer's website (e.g., Linksys, Netgear, Belkin, Apple). In an upcoming article, I will discuss more networking issues, and in particular, how to work around some of the problems associated with being on the type of large managed network that is common on college campuses.
Comments
Do you really want to live a life based on fear? And anyway there is nothing to fear. The only real reason is being greedy with your bandwidth, and do you really want to be a greedy antisocial person. Why not share? Keep your network open, and share the wifi with your neighbors. Keeping it open makes an internet connection available to others. It's just the right thing to do. Why are people so greedy? Believe me, you don't need all that bandwidth. At the very least, open it up when you aren't using it.
Your sentiment is admirable, but naive. Concern of legitimate threats is not irrational, but preservative.
I would love to share my wireless network with neighbors. To do this, though, I need to trust them first. If I feel I can trust them, then I'll give them my network key.
I would never keep my network open, as any individual or compromised devices within range (on the street, in another building, whatever) could sniff packets, connect, and gain access to my files and critical web traffic. An unsecured network is an invitation to identity theft, potential legal problems and infected machines.
Be smart and secure your connection, Rob.