So you've got your wifi. The first real question is - what are you doing with it?
Common reasons for using wifi in the home are:
1 - too lazy / difficult to run cable.
2 - have a laptop and it's convenient and handy to be able to run around anywhere.
3 - have lots of friends with laptops and like to offer them some geek juice.
Now, a relatively secure home network is one that takes into account a few key steps.
* - changing and then not broadcasting the SSID (name of your wifi network)
* - only allowing certain machines to connect (great unless you're keeping the network open for friends)
* - running on highest encryption available (I'm of the opinion this part doesn't matter, but some folks'll tell ya to make it 128bit)
* - changing the admin password on the router
* Not broadcasting the SSID
Changing the SSID (service set identifier) is generally something you do during router setup when you first get one. An SSID is how your computer or other machines understand which router they're connecting to. While there's no rule that two routers can't have the same SSID, this is simply the first step. Think of it as the street name in a street address.
When you are in "broadcast mode", your wifi router is continually screaming "I LIVE ON GEORGE STREET", "I LIVE ON GEORGE STREET", "I LIVE ON GEORGE STREET" and any passer-by can quite easily find the source of that shouting just by walking by and having a quick listen.
Each router you pick up brand new has a well known default name. Linksys routers by default have an SSID of "linksys". Check out your router manufacturer's website or the instructions that came with the router to figure out how to change the name of the SSID as well as turn off broadcasting. When broadcasting is turned off, only people who know your "street name" will be able to find their way over.
* only allowing certain machines to connect
Great, you've made the damn router shut up but you've still got the occasional stranger who knows where your router lives and just walks right in. Let's add a little something so that only your friends can get in.
MAC-Address filtering. Every piece of network equipment has a MAC-Address. Your broadband modem, your wifi router, your wireless card in the laptop, the card you plug a cable into on a standalone machine. These are numbered in such a way as to uniquely identify you on a network. Neat. Think of it like a fingerprint. No two people have the same one.
Now - we add a "fingerprint reader" to the doorway in your router to keep access limited to a select few.
First, get the MAC-Address of the machines in your house.
For Windows users, this means clicking Start, then Run. Now type in "ipconfig /all" without quotes. The space between ipconfig and /all is pretty important.
You should see this:
Code:
Windows IP Configuration
Host Name . . . . . . . . . . . . : zeus
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
Physical Address. . . . . . . . . : 0F-A9-CB-44-A9-70
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.75
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 22.200.123.122
We can go over this complicated mess a bit later, but for now the interesting blurb to you is the Physical Address line. 0F-A9-CB-44-A9-70 in my case. That's your network adapter's MAC-Address. (Note for you wireless kids: above it won't say "Ethernet adapter Local Area Connection", but will likely say "Wireless adapter Local Area Connection" or something similar to that.)
Now, again consult your manual or the router's website for instructions on how to restrict network access to specific MACs. Most manufacturers hide this in the DHCP settings, as most simply restrict DHCP assigning based on MAC address.
This is probably the most secure thing you can currently do with your router to prevent external access, especially from Johnny Anonymous who doesn't know too much about wifi cracking. The downside of this is the need to add the MAC-Address of every new person who wishes to use your wifi.
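To collect the addresses for the router's allow list without copying them by hand, the `ipconfig /all` text can be parsed. This is an added example, not part of the original article; the sample output and its addresses are constructed, and the colon-separated lowercase output format is an assumption about what your router accepts.

```python
import re

# Constructed sample in the layout of `ipconfig /all`; addresses are made up.
SAMPLE = """\
Ethernet adapter Local Area Connection:
   Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
   Physical Address. . . . . . . . . : 00-11-22-44-A9-70
   Dhcp Enabled. . . . . . . . . . . : No
Wireless adapter Wireless Network Connection:
   Physical Address. . . . . . . . . : 02-11-22-3C-4D-5E
Tunnel adapter Teredo Tunneling Pseudo-Interface:
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
"""

ADAPTER = re.compile(r"^(\S.* adapter .+):\s*$")
PHYSICAL = re.compile(r"^\s*Physical Address[ .]*:\s*(\S+)\s*$")
MAC = re.compile(r"^[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}$")


def allow_list_entries(ipconfig_text):
    """Return (adapter, mac, note) for every Physical Address line."""
    entries, adapter = [], None
    for line in ipconfig_text.splitlines():
        header = ADAPTER.match(line)
        if header:
            adapter = header.group(1)
            continue
        found = PHYSICAL.match(line)
        if not found:
            continue
        raw = found.group(1)
        if not MAC.match(raw):
            # Tunnel pseudo-interfaces report 8 bytes; nothing to filter on.
            entries.append((adapter, None, "skipped, not a 6-byte address"))
            continue
        mac = raw.replace("-", ":").lower()  # assumed router input format
        if int(mac[:2], 16) & 0x02:
            # Bit 1 of the first byte marks a software-assigned address.
            note = "locally administered, may change"
        else:
            note = "ok"
        entries.append((adapter, mac, note))
    return entries


if __name__ == "__main__":
    for adapter, mac, note in allow_list_entries(SAMPLE):
        print(f"{adapter:50} {mac or '-':17} {note}")
```

An address flagged as locally administered was set by software rather than burned into the card, so an allow-list entry for it can stop matching if the device changes it.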
* Running on the highest encryption possible
Continuing with the "your router is a house" idea, encryption and its attached password system is your lock and key on the front door. No one gets in without the key.
Again, consult the instructions or the website to set this up. What you're looking for specifically in this rather confusing mess is:
WEP
128bit strength
WEP (wired equivalent privacy) is currently the type of encryption most commonly used and accepted by wifi technology. It comes in two flavours, 64-bit and 128-bit, which describe how long the key is.
On keys - the key is the long string of hex you are asked for as a password. The key-index is rarely used. You can set up a router to have several keys (generally 4) and rotate it through those at any time. If the router is set to use key-index 2 you'll need to set the client that is trying to connect to the wifi to key-index 2 as well and use the proper key.
When setting it up on certain routers, you may be asked to put in a keyphrase and it will generate a key based on the keyphrase. This is especially true for Linksys routers. Many people get confused by this and attempt to use the keyphrase and not the key, or get confused by terms like "Key Index".
A true wifi password is going to be written in hexadecimal, so only numbers 0-9 and letters A-F will be used, i.e. 0324ACD32D9 is a hex number whilst "munchies" is not.
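The key, keyphrase and key-index mix-ups described above can be told apart mechanically. This is an added example, not part of the original article: `ROUTER_KEYS` and the function names are hypothetical, the keys are constructed, and the digit counts (10 hex digits for 64-bit WEP, 26 for 128-bit) come from the WEP key sizes rather than from this page.

```python
import string

# Hex digits in a WEP key: "64-bit" carries a 40-bit secret (10 digits) and
# "128-bit" a 104-bit secret (26 digits); the remaining 24 bits are the IV.
KEY_SIZES = {10: "64-bit", 26: "128-bit"}


def normalise(text):
    """Drop common separators so 'a1:b2' and 'A1B2' compare equal."""
    return "".join(c for c in text if c not in ":- ").upper()


def classify_key(text):
    """Return '64-bit' or '128-bit', or the reason text is not a hex key."""
    digits = normalise(text)
    if not digits or any(c not in string.hexdigits for c in digits):
        return "not hex: this looks like the keyphrase, not the generated key"
    if len(digits) not in KEY_SIZES:
        return f"hex, but {len(digits)} digits where 10 or 26 are needed"
    return KEY_SIZES[len(digits)]


def check_client(router_keys, router_index, client_key, client_index):
    """Explain why a client entry will or will not match the router.

    router_keys maps each key-index slot to the hex key stored in it.
    """
    kind = classify_key(client_key)
    if kind not in KEY_SIZES.values():
        return kind
    if client_index != router_index:
        return f"key-index mismatch: router uses {router_index}, client {client_index}"
    if normalise(client_key) != normalise(router_keys[router_index]):
        return f"key differs from the one in router slot {router_index}"
    return f"ok ({kind} WEP, key-index {router_index})"


# Constructed router settings: four key slots, slot 2 active.
ROUTER_KEYS = {1: "0F1E2D3C4B", 2: "A1B2C3D4E5", 3: "1122334455", 4: "99AABBCCDD"}

if __name__ == "__main__":
    for key, index in [("munchies", 2), ("0324ACD32D9", 2),
                       ("a1b2c3d4e5", 1), ("A1:B2:C3:D4:E5", 2)]:
        print(repr(key), index, "->", check_client(ROUTER_KEYS, 2, key, index))
```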
nevali adds:
WPA-PSK is where it's at. If only computers actually supported it. Which reminds me, now we're not using any PCs with el cheap-o WLAN cards, I can kill the WEP and put the world to rights
WPA-PSK (WiFi Protected Access - Pre-Shared Key) is theoretically more secure. It requires that you choose your own password for it, a pre-shared key which is not a big mess of hexadecimal. Strong password skills are key here, but that's really for another article. A mix of numbers, letters, capitals, and symbols is always recommended, with at least 9 characters in the password.
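The password rules above can be checked before the passphrase goes into the router, and the key WPA-PSK derives from it shows why the earlier step of changing the SSID matters here too. This is an added example, not part of the original article: the function names and the sample passphrase are constructed, and the 8 to 63 character limit and the PBKDF2 parameters come from the WPA standard rather than from this page.

```python
import hashlib
import string

CLASSES = {
    "a lowercase letter": string.ascii_lowercase,
    "a capital": string.ascii_uppercase,
    "a number": string.digits,
    "a symbol": string.punctuation,
}


def passphrase_problems(passphrase):
    """List what a WPA-PSK passphrase is missing; an empty list means none."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("WPA-PSK only accepts 8 to 63 characters")
    elif len(passphrase) < 9:
        problems.append("shorter than the 9 characters recommended in the text")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in passphrase):
            problems.append("missing " + name)
    return problems


def derive_psk(passphrase, ssid):
    """256-bit key that router and client both compute from the passphrase.

    WPA-PSK runs PBKDF2-HMAC-SHA1 for 4096 rounds with the SSID as salt, so
    the network name is part of the key material.
    """
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid.encode("ascii"), 4096, 32)
    return key.hex()


if __name__ == "__main__":
    phrase = "Geek-Juice42"  # constructed passphrase
    print(passphrase_problems("password"))
    print(passphrase_problems(phrase))
    # Same passphrase, two network names: the derived keys differ.
    print(derive_psk(phrase, "linksys"))
    print(derive_psk(phrase, "georgestreet"))
```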
* changing the admin password on the router
And last in a line of bad analogies, the configuration page on your router is like a big instruction book on how to change the locks and such in your house. This is hidden inside a safe which only you know the combination to.
Consult the website/instructions on how to change the default admin password, as well as preferably the name of the admin account.
Closing thoughts...
None of this will actually keep a determined cracker (housebreaker) out of your router.
Non-broadcast SSIDs, while not signaling their name, still send out a blurb of info during standard chat with the laptops/PCs attached to them; that blurb can be detected and the SSID pulled out of it with minimal effort.
MAC-Addresses can be faked. That causes a little bit of confusion inside the house, but there are tools to accidentally kick someone off the network in the middle of the night and then use the wifi access while no one is around to reset it.
Encryption, even the highest encryption possible, can be broken in a matter of hours by a determined cracker on a low-traffic network; a larger network can be broken into in less than 10 minutes.
Breaking into a router can be done, usually in cases where the home owners haven't upgraded the firmware on their router to the latest version. Known exploits travel around the internet and a burst of incorrect traffic can occasionally yield password information, or just outright give access to the configuration pages.
However, following the steps above can give you a fighting chance against the neighbourhood kids just driving past for a lark and surfing porn all night on your open connection.