Why Most Wireless Network Security Advice Doesn't Really Work

Just about every day I read articles about wireless networks and what should be done to make them safer. Mostly I get a couple of lines in and then read no further. This is because the advice in a lot of these articles is a waste of time. Don't worry though because there's stuff you can do that's a lot less hassle and will work a whole lot better.

I'll get onto what you should do, but first of all I'm going to repeat what you'll probably read elsewhere and tell you why it doesn't help:

THINGS THAT DON'T REALLY WORK

Turning off SSID broadcast: This is often misleadingly referred to as "SSID hiding", but there's no such thing. It turns off SSID beaconing on your Wireless Access Point or wireless router, but there are other mechanisms that also broadcast the SSID over the wireless network and so you're disabling only 1 of many. Turning off SSID broadcast makes your network a lot less user friendly and won't do anything meaningful for network security.

MAC filtering: Frequently mentioned as a security mechanism and it can be used to keep leaching neighbours from using your broadband, but then encryption is a better way to achieve that and more. The problem with MAC filtering is that it can be hard to set up and maintain and the MAC address of your wireless card can be seen in the header of all wireless packets to and from your PC by anyone with a "sniffer" (a bit of traffic capturing software you can get for free on the Internet). It's then pretty easy to spoof the MAC address and gain access. It's really not worth the trouble to configure it.

Disable DHCP: Another big waste of time. DHCP allows the automatic assignment of IP addresses and other configurations. Many articles advise disabling DHCP and configuring static IP addresses to "increase security". It'll take a hacker about 10 seconds to figure out the IP scheme of any network and simply assign their own IP address. Just as with turning off SSID broadcast you're making your life harder for no gain. Anyone who tells you that this is a way to secure your wireless network doesn't know what they're talking about.

SO WHAT DOES WORK?

The good news is there are some simple things you can do that will improve the security of your wireless network. Here are three simple steps to improved wireless security:

Step 1 - Password protect your router

If you have a wireless or broadband router then it should allow you to access its config via a Web browser. To access your router’s setup, open a browser and enter the routers setup URL. The URL will be specified in the manual that came with the router.

The manual will also specify the default login details for your router. The problem here is that this means everyone knows what the default is so you need to change it. Once logged in it's usually pretty easy to find the link in the config to change the password.

If for any reason you don't have the manual for your router then you can search on the Internet using the term “default login for x”. Don’t be surprised to find quite a number of pages listing default login parameters for many different routers, even uncommon ones.

Step 2 - Disable router access from the Internet

If your router has the option then disable access to the router's configuration from the Internet. This will mean that you can still log in to the router to change the configuration from your internal network, but nobody from the Internet will be able to log in.

Step 3 - Add strong encryption

You need to encrypt your wireless network...really. Read that sentence again if you like, it's really important. Beyond that it's pretty important to use WPA encryption rather than WEP. WEP is better than no encryption at all, but it can be cracked in only a few minutes and the tools to do this are readily available.

If you've got Windows XP (you need to apply the free update to SP2 if you haven't already) and a newish router or access point then you should have WPA available. Use as long a key as you can stand to use and make it difficult to guess. A random combination of hexadecimal characters (numbers 0-9 and letters A-F) is best.

For more on configuring encryption refer to your router or access point manual.

Businesses should consider using WPA2 in combination with a strong authentication method such as RADIUS (Remote Authentication Dial In User Service), but this isn't available on most home kit.