NASA Insignia
Site Title

Some sensible precautions for home wireless security

Two campers were hiking in the forest when all of a sudden a bear jumps out of a bush and starts chasing them. Both campers start running for their lives when one of them stops and starts to put on his running shoes.
His partner says, "What are you doing? You can't outrun a bear!"
His friend replies, "I don't have to outrun the bear, I only have to outrun you!"

Securing a home wireless networking setup is a little like the bear joke above: you want to make yourself less attractive than the networks of your neighbors for a would-be hacker.

Networking can be a pretty complicated topic, and until the early-2000s was not something that home computer users really needed to address at all. With this in mind, the manufacturers of home-oriented networking equipment (most especially including wireless routers) have worked to make initial setup easy and painless. This is usually accomplished with "3 step setup" or other "wizards" which succeed in making it easy by eliminating nearly all security.

This document is designed to offer some suggestions on changing the defaults (and a brief statement as to why it is important) that so many routers ship with. It is not product-specific, and you will have to figure out how to make the changes with your particular software. You may not even have the option to set or change some of these settings, but the more that you can change the better your chances to "outrun the bear".

Parameter What it is: Should be set to: Why it matters/Comments
Worrying about security at all Many people say "I am not doing anything secret. Why should I care if someone uses my network"? Your router came with many security features. Use them! Two comments: (a) if someone breaks into your network, then they are behind your router's firewall and are free to try to break into your own computers and (b) you could be legally reponsible for having someone doing something nefarious on the Internet at large if traceable back to your IP address (that of your router).
Default network name (SSID) Service Set Identifier (SSID), colloquially the name of your network. Choose a name which means something to you but doesn't identify you or your location. (One neighbor of mine gives their home address! Bad idea.) If left as the default, it gives hackers/war drivers reason to believe that much of the rest of your network is in a vanilla stock configuration as well, hence easy to break.
Default network password This is the password that will be used on a regular basis to have laptops join the network. Make it something hard to guess or crack. (Use upper and lower case, special characters, etc. Make it more than 10 characters.) A too-short or easy-to-crack password improves the odds for a hacker.
Default admin password This is the password for changing the configuration of the router. Use sensible password-selection rules here, too. If someone can access the configuration tools of your router, then they can disable or reset all security mechanisms you have taken the time to set in the first place.
Broadcasting SSID Your router by default broadcasts its name to make it easy for users to find it and connect. By disabling the broadcast, a user has to know the name of your network to connect. Marginally helps security, thus this is optional. This one isn't a complete guarantee: War driving programs can determine the name of a network after watching enough packets go by. But it can be a useful cloaking nonetheless.
DHCP server The Dynamic Hardware Control Protocol server gives out "private" Internet (IP) addresses to each computer on your network. By default, your DHCP server probably will serve up to 50 or 100 addresses. For a home environment, you can probably cut this down to something like 10 or 20. Remember to count your wired (desktop) computers in the total, plus smartphones, tablets, Internet-connected TVs, etc. Why offer a large service that you could not possibly need for your own purposes?
Guest network (SSID) Some routers offer you the ability to set up a guest network. Either turn it on or know how to turn it on and only do it when it is needed (when you have guests!) A guest network keeps their traffic separate from yours (so they cannot see devices on your network) and means you don't have to share your primary network password with them.
Firewall This software watches network traffic going in and out and makes sure that traffic coming in is in response to something requested from the inside. Should be on by default, with no changes needed on your part. A "Stateful Packet Inspection (SPI)" firewall is a useful and necessary protection against others on the Internet (and even on your own ISP!) who would wish to do your computer(s) harm.
MAC filtering The MAC ("Media Access Control") address of a computer is the identifier of the ethernet or wireless network adapter. It is 12 hex digits, usually listed in pairs. MAC filtering allows you to limit access to your router to just those machines whose MAC addresses you include. List the MAC address of your desktop computer as well as both the ethernet and wireless addresses of your laptop(s). Optional. This is not failsafe, as MAC addresses can be spoofed. But it is a useful first step to making it more of a hassle for a hacker to access your network. Probably too big a hassle in an era of proliferation of internet-connected devices (smartphones, etc).
Wireless Security (WPA2 or newer) This is the big one, of course. These protocols encrypt data between your laptop and the router. Modern routers have this device-to-your-router encryption enabled by default but you should be using the strongest protocol available (what that is is beyond the scope of this article.) Security protocols for networking get updated largely because weaknesses are discovered in existing ones.
Logging Your router may have the capability to keep logs of different types of activity (blocked external attacks, for example). You might as well turn this on. Similarly, if you have the opportunity to give an email address to which the router can send notifications, that is useful, too. Makes the whole operation a bit less of a black box, if you can see what it is catching or finding.
Administration options Your router probably has other settings controlling how you access its web interface. If you have the opportunity to use secure HTTPS, do so. Many routers allow remote administration, which means the ability to change its settings from somewhere on the Internet (as opposed to only from your own home). Unless you have a compelling reason to do this, I would suggest leaving it disabled. Once again, why not take advantage of a security feature for the price of a single letter (https vs http)?!

All of this may not prevent you from getting hacked, but indeed it should greatly diminish the likelihood of it doing so. If you ever bother to run one of the tools that show visible networks around your home, you will discover that few people bother with these precautions. Remember the bear!

I hope this is useful to you!

David Friedlander
22 February 2005 (original), April 2020