By Paul Gorski
This Wi-Fi security column is reader-inspired. Reader “Curt” asked for my recommendations on Wi-Fi security after commenting online on two recent columns, most recently on “Tech-Friendly: Computer security 101 — use strong passwords” from the Sept. 25-Oct. 1 issue. Links to that article and previous computer security-related articles are listed at the end of this article.
Wi-Fi networks allow computer, tablet and smartphone users to wirelessly access the Internet, printers and other computing devices. This article will focus on home Wi-Fi networks. Most home Wi-Fi networks start with a “wireless gateway” or “wireless router/gateway” or “modem/router/gateway.” I prefer router/gateways that provide both wired ports and wireless access. For the purpose of this article, I will refer to all of these devices as “gateways.”
Most gateways ship with security features disabled. The Wi-Fi security features should be turned on the first time you set up your network. Gateway settings are typically managed online using a web browser or simple software that comes with the gateway. Wi-Fi security features are designed to isolate and encrypt your communications or “traffic” on your network and to prevent outsiders from accessing the network.
First thing not to do: do not use Wi-Fi Protected Setup. Wi-Fi Protected Setup was originally designed to help you quickly set up a secure network. Flaws in the protocol may allow hackers to compromise your network.
What you should do: change the default SSID (ESSID) or network name. The SSID is the name your Wi-Fi network will have, the name your device will connect to. Make the SSID unique. Twelve characters or more, no dictionary words, and mix up the characters a bit. Why? Unique SSIDs help make your network password harder to crack. Trust me here.
However, contrary to what you may have heard, “hiding” your network name does not make your network more secure. Hiding the SSID just annoys users trying to connect to your network. Keep your SSID visible, but give your SSID a unique name.
Next, change your gateway’s administrator name and password, using a strong password as outlined in “Tech-Friendly: Computer security 101—use strong passwords” (http://rockrivertimes.com/2013/09/25/tech-friendly-computer-security-101-%E2%80%94-use-strong-passwords/). I’d go a step further and use a password with at least 12 characters. This password should be unique to your gateway — don’t use this password for any other account you may have.
Then, turn on (and require) the WPA2 security protocol (not WEP, not WPA) and create a network password/passphrase according to the guidelines in my password security article noted above. Again, use a unique, strong password with at least 12 characters. If your wireless devices do not support WPA2, they must be pretty old. Upgrade the software/firmware, if possible.
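Why the unique network name matters for the WPA2 password, shown as an added example that is not part of the original column: WPA2-Personal derives the network key from the passphrase with the SSID as salt (PBKDF2-HMAC-SHA1, 4,096 rounds), so the same passphrase gives a different key under every network name. The function names, the sample network names and passphrase, and the short list of factory default names are constructed for illustration.

```python
import hashlib

# Constructed sample of well-known factory network names (not a complete list).
COMMON_DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default"}


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA2-Personal key: PBKDF2-HMAC-SHA1, SSID as salt."""
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii():
        raise ValueError("WPA2 passphrase must be 8 to 63 ASCII characters")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def review_settings(ssid: str, passphrase: str) -> list:
    """Check a network name and passphrase against the column's advice."""
    findings = []
    if ssid.lower() in COMMON_DEFAULT_SSIDS:
        findings.append("network name is a common factory default")
    if len(ssid) < 12:
        findings.append("network name is shorter than 12 characters")
    if len(passphrase) < 12:
        findings.append("passphrase is shorter than 12 characters")
    return findings


if __name__ == "__main__":
    passphrase = "constructed-Sample-pass-9"  # constructed value, do not reuse
    for ssid in ("linksys", "Rk7vq-Tm2xw-Lp9"):  # constructed network names
        key = wpa2_pmk(passphrase, ssid)
        # Same passphrase, different SSID: the derived key changes completely.
        print(ssid, key.hex()[:16] + "...", review_settings(ssid, passphrase))
```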
Some security experts say that’s all you need to do. I recommend implementing a few other “hurdles.” My first two suggested hurdles block access to the gateway itself to prevent unauthorized changes to your network.
First, disable remote access to the gateway management console. Remote management is not normally enabled by default, but if turned on, it allows changes to be made to the gateway from the Internet, outside your home. Second, if possible, disable wireless access to the gateway management tools from your own network. You’ll still have Internet access, but you won’t be able to change gateway settings from a wireless device. The ability to enable/disable this feature is not available on all gateways. I prefer allowing only wired devices to make changes to my gateways. This may not be possible, depending on your network. You may only have wireless devices.
A much-debated hurdle is MAC filtering. Nearly every computer, tablet and smartphone has a supposedly unique identifier, a MAC address. By enabling MAC filtering, and entering the MAC addresses of “allowed” wireless devices into your gateway, access to your network is restricted to only those devices with MAC addresses you’ve entered, assuming the users have entered the correct network password. MAC filtering is not part of any security specification because it isn’t really secure.
The problem with MAC filtering is that hackers can fake MAC addresses and pretend to be your wireless devices. But without the correct secure password, they’ll still be locked out. That said, I still like MAC filtering, because it can frustrate the junior hacker. However, MAC filtering, like hiding the SSID, might prove to be frustrating for you when you want to connect to your network. You’ll first need to enter the MAC address of your device into your gateway’s allowed list before you can access your network.
The key again is to use unique, strong passwords. To recap: use a unique network name, turn on WPA2, and use strong passwords for your network password and your wireless gateway administration tool. Restrict access to the gateway itself, if possible, and MAC filtering is optional. I could have just said that at the start, but I wanted you to read a few ads on this page along the way. Thank you.
Related computer security articles include:
“Tech-Friendly: Computer security 101 — use strong passwords” (http://rockrivertimes.com/2013/09/25/tech-friendly-computer-security-101-%E2%80%94-use-strong-passwords/).
“Tech-Friendly: Upgrade Windows anti-malware software” (http://rockrivertimes.com/2013/07/31/tech-friendly-upgrade-windows-anti-malware-software/).
“Tech-Friendly: While not common, Mac malware exists” (http://rockrivertimes.com/2013/07/03/tech-friendly-while-not-common-mac-malware-exists/).
“Tech-Friendly: OpenDNS — Malware blocker, faster surfing” (http://rockrivertimes.com/2013/06/26/tech-friendly-opendns-%E2%80%94-malware-blocker-faster-surfing/).
“Tech-Friendly: Install Java and Flash security updates now” (http://rockrivertimes.com/2013/01/16/tech-friendly-install-java-and-flash-security-updates-now/).
“Tech-Friendly: Update your browser for safe computing” (http://rockrivertimes.com/2013/06/19/tech-friendly-update-your-browser-for-safe-computing/).
Paul Gorski (www.paulgorski.com) has been a technology manager for nearly 20 years, specializing in workflow solutions for printing, publishing and advertising computer users. Originally destined to be a chemist, his interest in computers began in college when he wrote a program to analyze data from lab instruments he hard-wired to the back of an Apple IIe.
From the Oct. 2-8, 2013, issue