Wednesday 18 August 2010

The WiFi, it works!


How busy is life? Babies, work, pets and the occasional bit of social life seem to be keeping me occupied, and the blog slips from my mind. I am back, however! If you have specific questions you would like me to talk about, please feel free to leave a comment or drop me a line on Twitter.

Anyway, on with the blog...

Inspired by: Me! Having configured many home routers for others, I thought I'd share some of the pitfalls of the free WiFi router your ISP supplies in order to gain your custom.


WiFi. The box arrives from your ISP, you plug in your new router, follow the instructions to put in your account details for your Internet connection, turn on your PC and you have WiFi. Your PC connects automatically, your phone connects, your laptop, games console, fridge, freezer, etc, etc. It works, out of the box, excellent! Wrong, it is not excellent: if all your devices connect automatically, then what about next door's laptop?

I have helped set up (and fix when not involved in the set up ;) ) enough home routers to know how many of them work. In fact, a lot are exactly the same underneath, especially the free ones supplied by the ISP. So, can you secure these devices? Yes, you can certainly make your home WiFi more secure. First things first though, get a pen and some paper. If you are going to change anything, always write it down, and only change one thing at a time. This will help with fault finding should anything go wrong.

Administrative account
The first step is always to change the default administrative account's password on the router. There are usually written instructions on how to log in to the router (I would recommend using a wired connection to begin with) using the default password.
It is trivially easy to find a default password for a router. Try it yourself: Google for "default password for {insert make and model of router}". Scary huh? As I described in this post, good passphrases are easy to make and remember. Choose a strong one for the admin account.

Remote assistance
Does the router support remote assistance? Probably yes. Search through every menu and make sure this is turned off. Why would you want anyone, at any time, attempting to log into your router?
If it is required, you can turn it on as and when it is needed. If you do turn this on for someone to gain access, set a strong passphrase, and remember to disable it once it is no longer required. Remote assistance can be the foothold the bad guys need.

SSID Broadcast
An SSID is the name of your wireless network. If this is set to broadcast, your router is basically shouting from the rooftops "If you want to join my network talk to me". Do you want anyone to join your wireless network? Didn't think so. Write down the SSID so you can manually configure devices with it, and turn off broadcasting.

Note: If you can, configure the router with a different SSID than the one that is pre-configured.

Encryption
If your wireless network does not enforce encryption, all the data you send can easily be read by a third party. This includes passwords to non-encrypted sites, such as Facebook. Even for encrypted web sites, encrypting the wireless network adds another layer of security to your data transfer.
Modern WiFi routers support WPA or WPA2, which is more than adequate for a home network. WEP may be supported; however, this is now considered weak encryption, and there are tools freely available which can break WEP-based encryption.
WPA/WPA2 can encrypt using a pre-shared key, which is perfect for home users. Create a long password/phrase, and keep it in a safe place. I personally keep all my WiFi details in an encrypted file away from my computer ;)

Before turning on the encryption, ensure any device you want on the network supports WPA/WPA2. Most modern devices should, but there is no harm in checking.
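To show what the router and your devices do with the pre-shared key, here is an added example (not part of the original post): WPA/WPA2 personal mode turns the passphrase into a 256-bit key using PBKDF2-HMAC-SHA1 with the SSID as the salt, so the same passphrase gives a different key under a different network name. The function names and the sample passphrase and SSIDs are made up for illustration.

```python
import hashlib

WPA_ITERATIONS = 4096  # iteration count fixed by WPA/WPA2 personal mode
WPA_KEY_BYTES = 32     # 256-bit pre-shared key


def check_passphrase(passphrase):
    """Raise ValueError unless the passphrase is usable for WPA/WPA2-PSK."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters long")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")


def derive_psk(passphrase, ssid):
    """Return the hex key the router and each device compute from the pair."""
    check_passphrase(passphrase)
    salt = ssid.encode("utf-8")  # the network name is the salt
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes long")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt,
                              WPA_ITERATIONS, WPA_KEY_BYTES)
    return key.hex()


def keys_for_ssids(passphrase, ssids):
    """Map each SSID to the key the same passphrase produces under it."""
    return {ssid: derive_psk(passphrase, ssid) for ssid in ssids}


if __name__ == "__main__":
    # Constructed sample values, not taken from any real network.
    phrase = "seven ducks paddle past the old mill"
    for ssid, key in keys_for_ssids(phrase, ["ISP-Default-1234", "OurHouse"]).items():
        print(f"{ssid:18} {key}")
    try:
        derive_psk("short", "OurHouse")
    except ValueError as err:
        print("rejected:", err)
```

If you rename the network after setting the passphrase, every device has to be given the new SSID as well, because the key it computes changes with the name.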

DHCP
Dynamic Host Configuration Protocol (DHCP) is a way of automatically configuring devices with the correct address information to "talk" on the network. This is an excellent protocol, making the chore of connecting new devices to the network seamless (usually). However, it could also make life easier for a bad guy to connect to your network. If you are extra paranoid (as I am), then turn off DHCP on the router and manually configure each device you want on the network. Here is a guide to configuring static addresses on some of the most common devices...


Firewall
If your router has a firewall inbuilt, turn it on. It may not be the greatest in the world, but it is another layer of defense nonetheless. The firewalls that come preinstalled on these types of routers generally have three settings: deny all, allow all, and allow outbound but deny inbound. I recommend "allow outbound but deny inbound" as a general rule. This will stop connections from the Internet coming in, but will not stop you browsing the web, sending emails, etc.
If you require connections to come in from the Internet (for remote access), I recommend researching the router in order to allow just the type of connections you require.

The above is only a brief overview of the settings you can encounter in the typical home router, and they can vary from model to model. Before changing anything, have a look through the settings and make sure you know what they do.

As always, comments and/or questions are more than welcome.