How to secure your Wi-Fi network - the more advanced version

Help make your home network secure with these slightly more advanced tips!

How to secure your Wi-Fi network - the more advanced version

In a recent article, we covered the basics of Wi-Fi network protection. We discussed the types of attacks bad actors generally conduct against home routers, and we examined the steps users can take to defend against them.

Let's now discuss some more advanced tips that users can follow to up the ante of their Wi-Fi and router security.

Specify which IP addresses can manage the router and how

When we're talking about routers and wireless internet access, we need to touch on something called wireless local area networks (WLANs). They're exactly what they sound like: wireless computer networks that link two or more computing devices together using some wireless signal distribution method in a limited area such as a building or office.

Home users generally manage a router and gain access to its web-based management interface only from within the WLAN. There's normally no need for them to manage the router remotely. But sometimes that's not the case.

If remote access is needed, users should employ a virtual private network (VPN) to first securely connect to the local network and then access the router's interface. That way, attackers can't directly access the router from the web.

Once that's out of the way, users can further lock down their routers by specifying a single Internet Protocol (IP) address from which they can manage the router. They can do this by manually configuring a computer to automatically use a specific IP address not already assigned to other devices on the WLAN via the router's Dynamic Host Configuration Protocol (DHCP) whenever it needs to connect to the router.

While they're at it, users should also see if they can change their router's LAN IP address to something other than the first address in the DHCP pool. They should ideally restrict the router's entire netblock such as by assigning it to those addresses reserved for private networks. Doing so will help protect the router against cross-site request forgery (CSRF) attacks.

Disable Wi-Fi Protected Setup (WPS):

Most new users connect to a router by turning on Wi-Fi on their devices, selecting the right router network, and entering in the Wi-Fi password (otherwise known as pre-shared key, or PSK).

Apparently, router manufacturers thought this process took too long, so they outfitted their products with something called Wi-Fi Protected Setup (WPS). The feature allows new users to join the network by entering in an 8-digit PIN that, when submitted correctly, transmits the more complex PSK to their device with instructions to store it from now on.

WPS might sound like a good idea, but there's a ton wrong with it.

The biggest flaw emerged back in 2011 when the security community discovered that an attacker within radio range could brute force the WPS PIN, gain access to the Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA) password, and mount additional attacks once they connect to the network.

800px cisco router wps button

The WPS button on a Cisco router (Source: Wikimedia Commons)

There's no universal patch for that flaw, as it depends on manufacturers rolling out firmware updates. Without knowing if their devices are vulnerable or, if they are, when they could be patched, users should disable WPS on their routers and set them up the regular way.

Consider network segmentation and MAC address filtering:

Some consumer routers give users the ability to set up what are known as virtual local area networks (VLANs) within larger networks. VLANs are perfect means of segmenting those pesky (and oftentimes incredibly vulnerable) Internet of Things (IoT) devices from the rest of the network. If an attacker compromises a device and gains access to a VLAN, they won't be able to move to the larger network in most cases.

To take it one step further, users can leverage each computing device's media access control (MAC) address, or its unique hard-coded identifier, to whitelist that device and approve its access to the Wi-Fi network. Taking this step will prevent rogue devices that might have access to a network's name and password from connecting to the router.

Macaddress

Combine port forwarding and IP filtering:

Many consumer routers come with a firewall that blocks all devices on the internet from connecting with a device on the local network. To get around that setting, both routers and computing devices alike oftentimes come with a feature called Universal Plug and Play (UPnP). Activating UPnP enables devices on the network and Internet to "discover" one another dynamically and set up a connection.

Not all computers come with that capability, however. In some cases, users might not want wayfarers on the internet to discover a certain device on their network. To accommodate that type of scenario, users can set up what is called port forwarding. It's a set of inbound firewall rules that tells the router to read each incoming data packet's source IP address, destination TCP port number, and other characteristics. Depending on those traits, the router will either send the data packets a device on the network or will block it outright.

When users combine port forwarding with IP filtering, or specifying which IP addresses can use a specific port to reach services on the network, they strengthen their router's security that much more.

Factory firmware is weak. Custom is the way to go!

Let's face it: most of the time, the firmware that comes pre-installed on a router is weak in terms of its security. Users would be better off installing custom firmware they can find online... that is, just as long as they know what they're doing!

Conclusion

There you have it! The more advanced version of our Wi-Fi security series. Now I know some of the tips above might not work with some users' needs and routers. But the fact of the matter is the recommendations above are meant to cover the widest pool of users.

With that said, I hope you found something in the guide that will help you strengthen your router's security.

Hat tip to PCWorld.

Tags: , , , ,

Smashing Security audio podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

Listen now

Subscribe to the free GCHQ newsletter

, , , ,

5 Responses

  1. caitt

    December 12, 2016 at 12:27 pm #

    Whenever using a free WiFi, I always prefer to use a VPN. I don't trust these free WiFi networks so, I've always been using PureVPN whenever I hog on to a free WiFi hotspot.

    • Bob in reply to caitt.

      December 12, 2016 at 12:59 pm #

      A VPN won't protect you though if the free WiFi has already been compromised. Instead it'll give you a false sense of security.

      It's easy enough for an attacker to MiTM the connection prior to authentication on many VPNs and then it's game over.

      Have a look on Google for a more detailed explanation; I've kept it simple on here.

      P.S. I'm not saying VPNs are bad, they're not, but they won't necessarily protect you on free WiFi.

  2. Brooke

    December 12, 2016 at 8:39 pm #

    I've been configuring my home wifi with 2 networks. One for my computers and things I trust or know are updated often/have a good security track record and then the IoTs and untrusted items. I give one access like a LAN would, part of my network and the other just internet to only a couple of ports (HTTP, HTTPS, DNS, NTP). I make sure I don't let email out (haven't needed that for my devices yet) and that if one the IoTs/untrusted devices are compromised that I don't have to worry about all of my devices getting hit. Sure they could break into my lightbulbs, IP camera and a couple of other things but they can't get to my bitcoin wallet, Linux server or anything else I have running on my LAN. You're sort of in the guest network if you will with no route to my internal at all.

  3. Matthew Parkes

    December 13, 2016 at 9:54 am #

    This article is all very well and good, however for those with not so much experience of checking and re-configuring their routers, links to detailed instructions on how to do all of these things safely, securely and successfully would be nice. It is all very well telling us to do XYZ but how do you perform XYZ?

    I am fortunate that I understand most of what to do but not everything, I know it may be different for each model and brand of router but could you update this article by providing links to detailed instructions for the major brands or if individuals would like to know specifics can we contact you and tell you what our specific hardware is in order to be provided with a link to the relevent manufacturers web page maybe? Thanks

    • Bob in reply to Matthew Parkes.

      December 13, 2016 at 12:47 pm #

      I think that'd be impracticable for a few reasons.

      1 – Manufacturers websites normally generate unique links. Basically you choose the year of manufacture from a drop-down list, then the model and then (sometimes) the country it was purchased in. They then generate a link for you to download the manual – that link won't work twice.

      2 – This article is touted as "the more advanced version". People reading this, instead of part 1, are expected to be a bit more computer savvy and have sufficient knowledge to be able to locate a manual themselves.

      3 – Most people use the free router supplied by their ISP. Much of the time you're limited to what you can or can't change. Therefore part 2 isn't as relevant to the majority. However advanced users, who ARE likely to be using their own routers, are going to be able to find the manual (or figure it out independently) without further hand-holding.

      Don't think I'm criticising you. I just think that what you're asking for is unrealistic, time consuming for the authors and will be out-of-date in no time.

Leave a Reply