Detox-Comic

Setting up and securing a home or small office Wi-Fi network including internet access

This article will tell you how to go about setting up a Wi-Fi network allowing your home or small office computers to connect to a central acces point (AP) using Wi-Fi with as much security enabled as possible. For the purpose of this article I am assuming that you have cable (DSL) access to the internet and that your AP will control that access.

Initial setup

If you have a DSL service coming into your home via the phone line then you need to separate the voice service from the DSL service. To do this you shoul d have a micro filter or low pass filter. This generally looks like a little plastic box with a telephone wire on one end. Plug this into your telephone wall socket. You have now effectively split your voice and DSL service from one to two connection points. Think of it as a Y-adaptor that takes your all-in-one phone line and separates the telephone line from the internet access.

Next place your AP somewhere in your home where there is no interference from cordless phones or microwaves. Remember that wherever you place it, you need to be able to run a cable between it and the micro filter plugged into the telephone wall socket. Connect your AP to the micro filter making sure you plug it into the socket marked DSL not Phone.

There are many computer devices that allow you to connect to a wireless network. If you have a laptop then you may have built-in hardware already. Or you may have purchased a PCMCIA Wi-Fi card or a USB device. For a desktop computer you may also have an internal card with an external aerial. Whichever type of device you have you need to install the drivers and software now. Don't worry about security at this point.

Turn the power on for your AP and plug one end of an Ethernet cable into it and connect the other end to your computer. Read your AP manual for how to access the administration panel. Usually you use a web browser by entering an IP address and entering your login details into the pop-up window. If you don't know the AP login details the manual will usually tell you the defaults. Change the admin password now and keep a record of it in a secure location.

Once you have logged in to the AP you should follow the instructions in your manual to set up your internet connection using the connection details supplied to you by your ISP. Once completed open another browser window and confirm that you can access the internet. Check a safe page like Google first as you have yet to enable any security.

Now that you can access the internet make sure that no security features are set up on your AP and logout and unplug the Ethernet cable from your computer.

Now try to connect to your AP using Wi-Fi. Once you are successful, disable the Wi-Fi device and plug the Ethernet cable back into your computer.

Tip: Never access the admin panel of your AP over Wi-Fi as a hacker may be able to grab your login details and take control of your AP. If this ever happens see your device manual for information on performing a reset. This wipes out all your configuration and resets everything to the default settings. You will regain control of your device but you will have to re-configure it again.

Hiding your SSID

When you set-up your AP you would have given your network a name. This name is known as the SSID (Service Set Identifier). Your AP will broadcast this name so anyone in range can see it. The first step in securing your Wi-Fi network is to hide this name. To do this, in your AP control panel set broadcast SSID to off or no. Also make sure that you change your SSID if you have broadcast it already. Change it to something that is not easily guessable using a combination of alphanumeric characters.

Now when your computer looks for Wi-Fi APs to connect to it will not find your router or if it does, it will have no name.

Adding a Wireless Security method

This by itself is not enough from a security point of view so next we need to protect your network traffic. When your computer communicates with your AP over the air then that data is in the clear and can be picked up by any nearby Wi-Fi device with some specialist software. Plus with no security protocol anyone can still access your AP and use your internet connection. This is not desirable even if you are willing to share. You don't know how they will use your internet access. They could use it to access some illegal content or commit a crime. This may then be traced back to your internet access account. Or if you have a monthly limit they may use it all up in no time.

Your router and W-Fi devices will support wireless security schemes. The default security option is known as WEP (Wired Equivalent Privacy). It comes in 64-bit and 128-bit. WEP has been cracked so I do not recommend using it. If WEP is the highest security option your hardware offers then enable it as its better than nothing but it will only deter casual snoopers and not someone determined to gain access.

The next level of security is known as WPA-PSK. WPA or Wi-Fi Protected Access is the replacement for WEP. PSK means Pre-Shared Key. Its great for home users and small office use because you do not need an extra server to distribute the pass keys. Instead you create a phrase or sentence of text and that is your pass key. Enter the key into the AP and your Wi-Fi software on your computer.

Tip: For the PSK I tend to type 63 random alphanumeric characters. Then copy the key to all your other computers. This way the key is not guessable by a password cracker. Do not transmit your key to each computer. Use a hard connect or a USB pen drive and then erase the key afterwards by deleting the key file then overwriting the contents of the pen drive.

Disconnect the Ethernet cable from your computer and check that you can connect to your AP via Wi-Fi using WPA-PSK and with a hidden SSID.

MAC filtering

The next step in securing your network is to set up your AP so that only your home computers are permitted access. To do this you need to set-up MAC address filtering.

Each network device has a MAC or Media Access Control unique ID associated with it. This ID is in the form of six sets of 2 alphanumeric characters separated by the dash character.

In your AP admin panel enable MAC filtering. This facility may be called something like "Wireless station list" or "access list". Then logout and try to access your AP over Wi-Fi. You should not be able to gain access at all.

Next connect your computer to your AP via Ethernet cable and login. In your access list options it should show you the details of a MAC address that recently tried to gain access. Add it to the allowed list and save your settings and logout.

Tip: When you connect to your AP via Ethernet you bypass all the security processes you have set up. This is not a problem because a hacker would have to be in your house to hard connect to your device. With Wi-Fi access enabled the security processes we are discussing here protects your network from people outside your home from accessing your network via Wi-Fi.

Make sure you disable WPS, Wi-Fi Protected Setup as this is also a known security risk.

Disconnect the Ethernet cable again and try to connect to your AP via Wi-Fi.

Congratulations. You should now be able to access your network and the internet from your computer and be safe from anyone trying to access your Wi-Fi remotely.

In addition to the above I also recommend that you employ a software firewall on any computer within your home that you intend to connect to your network. If your router has NAT (Network Address Translation) functionality then I would also ensure that it is enabled. NAT acts as a great hardware firewall.

For anyone wishing to improve their Wi-Fi security further you should look into WPA2 and ways to modify your APs broadcast signal strength so that it is strong enough to reach all the computers in your home but not strong enough to stretch too far beyond.

Also look through all the settings that your router configuration offers and switch anything off that you do not need or that your networked devices do not support. For instance, if all your Wi-Fi devices are G only and your router offers B and G, specify G only. Therefore no B devices can connect to your router.

Summary:

  • Prove you can connect your computer to your AP via Wi-Fi in the first instance
  • Carry out all admin connections to your AP via cable connection not over Wi-Fi
  • Switch off SSID broadcast and change your SSID name to something more secure
  • Enable WPA-PSK and set the PSK to 63 random alphanumeric characters
  • Employ MAC address filtering only allowing your own computers access

Glossary

AP or Access Point: A hardware device, usually a router that provides access to the internet and your intranet or LAN. The better models offer DSL modem, Wi-Fi, Firewall and NAT functionality.

SSID: The name of your Wireless AP. It can broadcast this name by default for anyone in range to pick up. Never leave it at the default which is usually the brand name of the device. This tells potential hackers something about the hardware you have which could be used against you if there are known exploits available.

Ethernet cable: A Cat5e cable with an RJ45 connector at each end. Most laptops have at least one RJ45 connector slot as the network port. Some desktop computers have the network connector on the motherboard otherwise you will require a network card.

Hard connect: Using a physical medium such as a cable to connect your computer to your AP hardware. Useful when configuring the AP because the data is not transmitted over Wi-Fi reducing risk. Most APs use Ethernet but some also offer a USB connection.

If you have any feedback regarding this article, or you have a suggestion for a new article, or just want to say thanks for the info then feel free to drop me an email at dave@detoxcomic.com.

Article updated: 8th April 2012