Wireless Networks are everywhere nowadays and while the technology has evolved in many ways making it easier for everyone to have a Wireless LAN (Local Area Network), security seems to have been an afterthought. Hopefully this guide can help you secure your own wireless network and give you some peace of mind about having wireless access in your home or office. Remember that security is an on-going practice, you really need to be proactive about it. This guide is at best a starting point as to how you can go about deterring network intruders and establishing a secure WLAN.

Wireless Hardware

The first step is to actually start out with the correct wireless hardware. At this time there are a variety of wireless standards. Most people will run either wireless B or G networks. Wireless B networks are older, have less range, and offer very limited security. Wireless G products offer better range and security and there are some variants like, Linksys Speedbooster, that offer some modest improvements to G networks. The next wireless standard, sometimes referred to as N wireless, offers significant improvements but is not yet an official standard, so most of the N products are unofficial (or worse non-compliant).

The least expensive wireless network to build at this time is a wireless G network. The router or access-point should support at least WPA security (if not WPA2). Another feature to look for is some type of state packet inspection (SPI) firewall, that helps block out some internet intrusions. Although it is not necessary to match wireless cards and router brands, it is sometimes easier to do so. In this case you will want all wireless cards to at least feature WPA compatibility, and of course be wireless G. If you have some computers with wireless B cards, you should upgrade them.

Enable WPA Security

Before WPA came along, wireless networks used WEP authentication to secure connections. WEP proved to be very easy for hackers to crack and so anyone serious about deterring network intrusions needs to enable WPA. The downside of WPA is that it does cause some overhead and will have a slight impact on the amount of data that the client computer can send to the access-point. However in most situations the impact is hardly noticeable.

Use Long Password Phrases

The most common mistake that a person can make is to use a short and easily guessed password. Lets face it, we are all guilty of using an easy password like our dog's name or even the actual word password. Remember that our goal here is security, so you must make sacrifices, and the most important one is to use a secure password phrase. If you have trouble coming up with a good phrase use our Password Generator tool to generate a secure password phrase for you.

A secure password must be random, meaning it cannot be found in the dictionary, and it should be 25 characters long. Note that you do not have to remember this password. You can save your password in Windows or in Mac OS X's Keychain utility.

Even if you use WEP, using a secure password phrase is the most important thing you can do to securing your network.


Other than not changing the WPA password, many people never change the SSID. A simple way of thinking of the SSID is to think of it as the name of your network. Although you can use whatever you want for the SSID, it is best to use a word or phrase that has meaning only to you. Using something like "Mary's Network" is not a good idea. It lets hackers know whose network it is and makes it easier to know just where the access-point is located. Personally I find astronomy terms to be a good SSID, like "DISCOVERY" or "VOYAGER".

Once you can connect all your clients to the wireless network, you should check to see if your access-point allows you to not broadcast the SSID. This will help hide your network, so that only you know it is out there. A determined hacker will probably still be able to find your network, but at least you won't be announcing it to everyone that it is out there.

Secure The Wireless Router

The main target of hackers is not really your laptop's data, but your wireless router or access-point. If they can control your router, then they can control the connection. This is why it is important that you secure the router itself. This means that you must both physically secure it and limit access to the administration interface. Most home WLANS are not physically secured, because home WLANS do not have employees or too many unescorted visitors. Physical security is a big concern to businesses and that is why all server rooms are locked and require special access privileges.

To limit access to the administration interface you need to first change the default password. Some routers use only a password, others use a login name and password. Whatever your router uses, make sure you change it. Although every wireless router allows you to access the administration interface from a web connection, you should only allow wired ethernet clients the ability to connect to the administration interface. Wireless clients (otherwise known as wireless administration) should not be allowed access.

Filter Connections By MAC Address

Every network device has what's called a MAC address. This is a unique id number for the device and it is used in networking for a variety of purposes. Routers can allow or deny access to certain MAC addresses. For wireless networks, you probably do not know the MAC address of your intruders, so denying access is not an option. Instead you can allow access only to a select list of MAC addresses. You will need to add the MAC addresses of all the network cards that will be connecting to your router's MAC filter list.

MAC addresses can be spoofed or faked, so this feature is not a substitute for WPA authentication. It does however make your network more of a hassle for hackers.

IP Subnets

At this point, if you have implemented all the previous security measures you should be proud of yourself. You would be surprised just how many WLANS you can find in your neighborhood that are totally unsecure compared to yours.

After working on computers for so long, I have learned that there is one sure way you can mess anything up. You just have to change the defaults and if you do it in such a way, you will most likely break it. Everything in Windows depends on certain default parameters being in place. Programmers in general code to a certain baseline of expectations. For example, you can't run a program for JAVA without a JAVA run-time installed on your machine. In certain ways hackers also depend on certain parameters. If for example a hacker who thinks your router is a Netgear router will try to hack into your network assuming that you have not changed the default password or IP subnet of the Netgear router. But if you have then it will make the hacker's job that much longer. And time is something which is valueable to everyone nowadays. The equation is simple, the more time it takes to do something, the less appealing it is to do in hacker terms.

Changing your router's default IP subnet is not really a security measure, but it does make your network different and harder to figure out. Most routers use a standard subnet like 192.168.1.*, with your router having an IP address of An easy way to change your subnet is to just replace 192.168.1.* with 192.168.55.*, essentially changing, the third number to something else besides 1. In this case our router would end up being Although some routers will allow you to specify an IP other than *.*.*.1. However it is easier to just change the subnet of the network, and not worry about the actual IP address of the router.

I personally like to call this type of security measure, Security By Obscurity. It does require a bit more time to setup and it is kind of a hassle when having to troubleshoot the network, but the rewards are that you get to learn more about networking and no one but you will be able to do anything on your network, unless they are proficient with TCP/IP.

Disable DHCP

While DHCP makes networks easier to manage and helps administrators reduce configuration problems, for home LANS, DHCP is absolutely a pain. DHCP features on wireless routers are also limited and so when trying to optimize your online gaming, DHCP just becomes a hassle. The answer is to just turn it off on your router and setup static IP addresses on each of your computers. This will make port forwarding easier to manage and make wireless clients connect faster to the router.

One option to consider for making the network more secure without DHCP, is to allow only a certain range of IP addresses. This way, if you only have four connections, then you will only have a range of 4 IP addresses that the router can allow.

Router manufacturers are adding more features and as professional features are added to consumer models, you might be able to enable DHCP and allow IP reservations on some consumer routers.

Disable Wireless

We tend to think that our new connected lifestyles are suppose to be always on and available to us, but in reality if you are not going to use your wireless network, or even your internet connection, it makes sense to just disable wireless access or even turn off your router. This not only prevents intrusions, but saves electricity. The technology industry has always pursued faster and better processors and just recently has the idea of power efficiency really become critical. Today's technology still uses quite a bit of power even while idle, and so shutting off a router, printer, scanner, or whatever idle devices you have is a good idea. It will save electricity and save you some money in the long run.

Other Tips (not related to Security)

It is possible to increase your wireless range for some routers if you are having problems staying connected (See Upgrading Linksys Wireless). If you do a site survey of local wireless G signals, you can see what channels your neighbors are using. It is best to pick a different channel then your neighbors. Best channels to choose are 1, 6, or 11.