Given the rise of nasty worms like Win32/Conficker.C, co-workers have asked me about securing the home network. Having a working, up-to-date virus scanner and firewall is important, but people tend to forget about securing their wireless router. Here, then, is a list of steps you can take to lock down your router and reduce your “attack surface”.
- Use encryption: Some older routers and network cards only support WEP, which can be cracked. If you need to, upgrade to hardware that supports WPA or WPA2, and use the improved encryption.
- Tweak your SSID: First, ensure you have turned off SSID broadcast. This will make the router invisible to the casual observer. Second, change the SSID to something other than the factory default. Default SSIDs for most major consumer-level routers are available online, which makes a default SSID easy to guess even if SSID broadcast is turned off.
- Use MAC filtering: Every piece of hardware connected to a network (or the Internet) has a big and unique number called a media access control (MAC) address. You will see a number like 01-23-45-67-89-ab or 01:23:45:67:89:ab. Configure your router to only accept known MAC addresses; you will have to enter the addresses from your wireless equipment into your router configuration.
- Change the password: Just like the default SSIDs, default administrator names and passwords for consumer-level routers can be found with a Google search. Make sure you change the password (and administrator name if possible), document the changes, and store them somewhere safe.
- Disable remote administration: If your wireless router has an option that allows administration over the Internet, turn it off.
- Modify administration web address: Most wireless routers host the configuration interface on 192.168.1.1. If your router firmware supports it, change the address for the interface to make it harder to find. Remember to document the new address and store it with your username/password info.
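
For the MAC filtering step, an added example (not part of the original post): a Python helper that normalizes both notations shown above into one form and sets aside entries that will not work as filter entries. The function names and the sample inventory are constructed for illustration.

```python
import re

# Accepts the two notations from the list above: six hex octets separated
# consistently by hyphens or by colons (mixed separators are rejected).
_MAC_RE = re.compile(r"[0-9A-Fa-f]{2}([-:])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}")


def normalize_mac(text):
    """Return the address as lowercase colon-separated octets, or raise ValueError."""
    text = text.strip()
    if not _MAC_RE.fullmatch(text):
        raise ValueError(f"not a MAC address: {text!r}")
    return text.replace("-", ":").lower()


def build_allowlist(entries):
    """Split raw entries into (allowlist, problems).

    allowlist: sorted, unique, normalized addresses to type into the router.
    problems:  (entry, reason) pairs that need a human decision first.
    """
    allow, problems = set(), []
    for entry in entries:
        try:
            mac = normalize_mac(entry)
        except ValueError:
            problems.append((entry, "invalid format"))
            continue
        first_octet = int(mac[:2], 16)
        if first_octet & 0x01:
            # Group bit set: multicast or broadcast, never a single device.
            problems.append((entry, "multicast/broadcast"))
        elif first_octet & 0x02:
            # Locally administered bit set: typical of randomized "private"
            # Wi-Fi addresses, which stop matching once the device changes them.
            problems.append((entry, "locally administered"))
        elif mac in allow:
            problems.append((entry, "duplicate"))
        else:
            allow.add(mac)
    return sorted(allow), problems


# Constructed sample inventory, not real devices.
SAMPLE = ["00:1A:2B:3C:4D:5E", "00-1a-2b-3c-4d-5e", "3C-5A-B4-00-11-22",
          "da:a1:19:00:00:01", "00:1A:2B:3C:4D", "ff:ff:ff:ff:ff:ff"]

if __name__ == "__main__":
    allowlist, review = build_allowlist(SAMPLE)
    print("allowlist:", allowlist)
    for entry, reason in review:
        print("review:", entry, "->", reason)
```

An entry reported as locally administered usually means the device's private or randomized Wi-Fi address setting has to be turned off for your network before its filter entry will keep matching.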
Keep in mind that no single step here will prevent breaches; you must complete as many of the steps listed here as you can. Most important is encryption. As mentioned, this is typically dependent on the hardware you are using, so the encryption you can use is only as strong as the weakest protocol supported by your hardware.
A dedicated hacker can probably (eventually) break through all this security, but these changes increase the level of effort required to exploit your network.
As a side note, some wireless routers can be strengthened even further by using DD-WRT, an open-source, Linux-based firmware. If your router is on the supported hardware list, you should consider upgrading your firmware to gain advanced features.






