How To Secure Your Wi-Fi Network

Securing a wireless network comes down to choosing the right Wi-Fi router and locking down security settings. Here's how to do it.

Typical Installation

Installing a wireless router is relatively easy. There are just three general steps:

  1. Install the CD-ROM driver.

  2. Run the router installation and broadband connection wizard.

  3. Install the Wi-Fi adapters in the users' desktops, notebooks, and PDAs.

This is the easy part. It gets more challenging when we set up security.

Security Precautions

Several basic security precautions will help you to ensure a secure installation right off the bat. To take these precautions, start by entering the router's IP address (usually or in a standard browser. From there, you'll be able to access the administration/configuration settings.

Precaution 1: Change the router's default passwords.

The router's administration page, like that of the Belkin Pre-N equipment (shown below), lets you change the router's password. But if you leave the password in the default setting ("SMCadmin," for example), you'll make it easier for outsiders to access the admin page and change the router settings to suit their dubious ways. So I recommend changing it.

Precaution 2: Make SSIDs invisible.

SSID stands for Service Set Identifier, and it is the public name of a network. Either change this setting to "invisible" or disable "broadcast SSID." That way, outsiders won't be able to see the name you've given the Wi-Fi network. Once you do this, the client systems will also need to have the SSID manually entered in order to connect to the WLAN. The screen shot below shows the Belkin channel and SSID page:

To input the SSID manually on the client PC (Windows XP), open Wireless Network Connection Properties (Control Panel > Network Connections > right-click Wireless Network Connection > Properties > Wireless Networks tab). Then click the Add button. You'll see a screen for inputting the SSID (see screen shot below). Here you'll put in the exact same SSID as the one the wireless router broadcasts:

Precaution 3: Disable DHCP, and assign IP addresses manually for client systems.

If you're working on a small network, you can do this easily. Afterwards, only those IP addresses you've assigned can access the network. Otherwise, DHCP software on the router assigns an IP to any device that can see the network and log on. Here's a shot of the Belkin LAN settings page, which you'll use for this task:
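A static address plan doubles as an inventory you can check the network against. The following added example (not part of the original article) compares Windows `arp -a` output with that inventory and reports addresses or adapters you did not assign; the inventory, the sample output and the function names are constructed for illustration.

```python
import re

# Constructed inventory of the static addresses handed out: IP -> adapter MAC.
ASSIGNED = {
    "192.168.2.1": "00-11-22-aa-bb-01",   # router
    "192.168.2.10": "00-11-22-aa-bb-10",  # desktop
    "192.168.2.11": "00-11-22-aa-bb-11",  # notebook
}

# Constructed sample of Windows `arp -a` output, as seen from the desktop.
SAMPLE_ARP = """\
Interface: 192.168.2.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.2.1           00-11-22-aa-bb-01     dynamic
  192.168.2.11          00-11-22-aa-bb-99     dynamic
  192.168.2.57          00-11-22-cc-dd-57     dynamic
"""

# One table row: dotted IPv4 address, dash-separated MAC, entry type.
ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2})\s+\w+\s*$"
)

def parse_arp(text):
    """Return {ip: mac} for every entry row in `arp -a` output."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def audit(arp_text, assigned=ASSIGNED):
    """List (ip, mac, reason) for every neighbour that does not match the inventory."""
    findings = []
    for ip, mac in sorted(parse_arp(arp_text).items()):
        expected = assigned.get(ip)
        if expected is None:
            findings.append((ip, mac, "address was never assigned"))
        elif expected.lower() != mac:
            findings.append((ip, mac, "assigned address used by a different adapter"))
    return findings

if __name__ == "__main__":
    for ip, mac, reason in audit(SAMPLE_ARP):
        print(f"{ip:15} {mac}  {reason}")
```

The ARP cache only lists hosts this PC has exchanged traffic with recently, so run the check from more than one machine or alongside the router's own client list.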

You'll need to choose the actual Wi-Fi security settings: WEP (Wired Equivalent Privacy), WPA (Wi-Fi Protected Access), WPA-PSK (WPA-Pre-Shared Key), or WPA2. Most routers and wireless access points have similar processes for establishing security settings. Generally, the process goes as follows:

  1. From the router or access point administration page, go to the Wireless menu. As shown in the screen shot below, you'll see options for SSID, Security Key settings and more:

  2. Enter a unique SSID. You can keep the default name, which is usually the router manufacturer's name. Or you can make up your own difficult-to-guess name.
  3. If you don't want outsiders to see the Wi-Fi network, make the SSID invisible. This setting is marked "disable" in some router interfaces. You can then enter the correct SSID manually on individual wireless clients, and no one else will be able to see it if they're sniffing the local radio waves. The network simply will not appear.
  4. Choose either WEP or WPA. (See the sidebar below for help with this.) Then choose a 128-bit security key. Use randomized passwords and pass phrases; methodologies like Diceware and software like RoboForm are available for generation purposes. Here's the Belkin page, for example:
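As an added example (not part of the original article), the script below generates the keys step 4 asks for from a cryptographic random source and shows why the unique SSID in step 2 matters for WPA-PSK: the pre-shared key is derived from the passphrase with the SSID as salt (PBKDF2-HMAC-SHA1, 4096 iterations), so the same passphrase yields a different key on every differently named network. Function names and the sample SSIDs are constructed for illustration.

```python
import hashlib
import math
import secrets
import string

# 62 symbols that can be typed into any router or client dialog.
ALPHABET = string.ascii_letters + string.digits

def random_wep128_key() -> str:
    """26 hex digits: the 104 secret bits of a '128-bit' WEP key (the other 24 bits are the IV)."""
    return secrets.token_hex(13)

def random_wpa_passphrase(length: int = 20) -> str:
    """Random WPA-PSK passphrase; WPA accepts 8 to 63 printable ASCII characters."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrases must be 8 to 63 characters long")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)

def wpa_psk(passphrase: str, ssid: str) -> str:
    """256-bit pre-shared key as hex: PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations."""
    raw = hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )
    return raw.hex()

if __name__ == "__main__":
    phrase = random_wpa_passphrase()
    print("WEP-128 key   :", random_wep128_key())
    print("WPA passphrase:", phrase, f"({entropy_bits(len(phrase)):.0f} bits)")
    # Same passphrase, different SSID -> different key (both SSIDs are constructed).
    for ssid in ("ExampleDefault", "Warehouse-7F"):
        print(f"PSK for {ssid!r}:", wpa_psk(phrase, ssid))
```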

Setting Up Client Devices

Starting from Windows XP Service Pack 2, first open the Control Panel, then click on Network Connections. Next, right-click Wireless Network Connection. Click Properties, then the Wireless Networks tab as shown below:

Next, highlight an available network, and click the Properties button. Then input the right network key for your security settings, as shown below.

Once you match the right security key with the router, you'll be connected.

Sidebar: Choosing Among WEP, WPA and WPA2

WEP security works best in situations where neither the network nor the data contain critical information, sensitive user data, or intellectual property. In fact, some security experts say that keeping your data protected by WEP is like using a chain lock on your door rather than a deadbolt. That's because on a WEP-protected network, a hacker with the right cracking software can gather enough packets to deduce passwords (64-bit or 128-bit).

However, cracking WEP will take a lengthy period of time. So if your client is out in the boondocks and is only moving family photos and videos around their network, then chances are good hackers won't spend the time needed to crack the user's WEP password. For these types of applications, WEP may be fine. As the experts also say, you don't need a bank vault to protect a dollar bill.

Still, for most users, the wiser choice is WPA. This wireless security standard employs advanced encryption and authentication processes that are sufficient for most networks.

To use WPA, both the router and the wireless network adapter must support WPA. The good news is that all new routers--and even most of the one- to two-year-old routers--support both WEP and WPA.

Also, client systems need to be configured correctly and supplied with the correct keys and pass phrases. While that's an easy task for small networks, it's a sizeable burden for larger concerns.

WPA2 is an even better encryption scheme. It's based on the Advanced Encryption Standard (AES), sometimes referred to as the 802.11i standard, and promises to make security a non-issue for larger enterprises. Vendors are already selling WPA2 products that are certified by the Wi-Fi Alliance--a trusted international nonprofit association, though not an official standards body. For example, Cisco's Aironet 1200 Series Access Point and Broadcom's Airforce products have WPA2 versions.

PHIL DUNN is a technology journalist and independent communications consultant for high-tech companies. He's been reviewing, testing, and reporting on products since 1995.