Basic guide to home Wi-Fi security
The following items are considered the minimum settings required to achieve an acceptable level of security.
All APs provide a method of point-to-point encryption between the AP and the end-user device, such as a PC or handheld device. The following table summarises the available types of encryption and their suitability for use:
Encryption type > Suitability
WPA2 > Highly recommended where supported by all home WiFi devices.
WPA > Recommended only when required for compatibility with devices that do not support WPA2.
WEP > Not suitable for use.
Change default SSID;
The default SSID must be changed to a locally unique network name that does not reveal your address or other personal information.
Use a strong pre-shared key;
A pre-shared key (PSK) is a passphrase known to both the AP and the end-user device. It is used in the encryption process and effectively locks out devices that do not know the PSK. The Standard for Non-Personal Account Passwords should be used for guidance here, i.e. at least one non-alphabetic character; no dictionary words; no names or personal information, etc. In addition, to protect against brute-force guessing of the PSK, a truly random passphrase of at least 13 characters should be used.
Enable MAC address filtering;
Many APs provide the functionality to filter out all access requests except those from devices on a “known good” list of Media Access Control (MAC) addresses. While this does not prevent an experienced attacker from discovering and spoofing an authorised MAC address, it does raise the security bar and should be viewed as part of a multilayered security posture.
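A worked example of maintaining the “known good” list described above, added here and not part of the original guide. It normalises the different MAC notations a user might copy from a device label (colon, hyphen, dotted or bare hex), rejects multicast/broadcast addresses that can never belong to a single device, and flags locally administered addresses (second-lowest bit of the first octet set), because modern phones and laptops use randomised per-network MAC addresses of that form, which will silently stop matching the allow list. The sample addresses are constructed for illustration.

```python
import string

SEPARATORS = ":-. "


def normalize_mac(mac: str) -> str:
    """Return the canonical lower-case colon form of a MAC address.

    Accepts AA:BB:CC:DD:EE:FF, AA-BB-CC-DD-EE-FF, AABB.CCDD.EEFF and
    AABBCCDDEEFF; raises ValueError for anything that is not 12 hex digits.
    """
    hexdigits = "".join(ch for ch in mac.strip() if ch not in SEPARATORS)
    if len(hexdigits) != 12 or not all(ch in string.hexdigits for ch in hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()


def is_multicast(mac: str) -> bool:
    """Bit 0 of the first octet marks group (multicast/broadcast) addresses."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x01)


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet marks locally administered addresses; randomised
    'private' Wi-Fi addresses on phones and laptops always have this bit set."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def build_allow_list(entries):
    """Canonicalise a list of user-supplied MACs into an allow list.

    Returns (allowed_set, warnings). Multicast entries are dropped; locally
    administered entries are kept but reported, since they are likely to be
    randomised addresses that the device will change on its own.
    """
    allowed = set()
    warnings = []
    for entry in entries:
        mac = normalize_mac(entry)
        if is_multicast(mac):
            warnings.append(f"{mac}: multicast/broadcast address, not a device; skipped")
            continue
        if is_locally_administered(mac):
            warnings.append(
                f"{mac}: locally administered bit set; probably a randomised "
                "private address that may change and break the filter"
            )
        allowed.add(mac)
    return allowed, warnings


def is_allowed(allow_list, mac: str) -> bool:
    """Decide a join request against the allow list; malformed input is denied."""
    try:
        return normalize_mac(mac) in allow_list
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample entries: a vendor-assigned address, a randomised
    # (locally administered) one and the broadcast address.
    allowed, warnings = build_allow_list(
        ["00-1A-2B-3C-4D-5E", "f2:11:22:33:44:55", "FF:FF:FF:FF:FF:FF"]
    )
    print(sorted(allowed))
    for w in warnings:
        print("warning:", w)
    print(is_allowed(allowed, "001A2B3C4D5E"))
```

The practical consequence for home users: if a phone keeps dropping off a MAC-filtered network, the cause is usually the randomised-address feature rather than a faulty filter; either disable that feature for the home network on the device or accept that the filter provides little value for such devices.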
Disable remote management;
Where supported by the AP, it must be configured so that its management interface cannot be accessed via the WLAN or WAN (Internet-facing) interfaces. Management should only occur via the wired LAN interfaces. SNMP services, where available, should be disabled.
Use a strong Admin password;
Many successful network attacks rely on manufacturer default administrator passwords not being changed after installation. The admin password should be set according to the Personal Account Password Standard. For example, the password must consist of at least seven characters; contain at least one non-alphabetic character and not have any blank spaces at the beginning; not contain words found in any dictionary; not use names or personal information; and comply with the password complexity rules, etc.
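The following example, added here and not part of the original guide, implements the two password rules stated above as a checker: the PSK profile (random, at least 13 characters, at least one non-alphabetic character, no dictionary words or personal information) and the admin-password profile (at least seven characters, no leading blank, same word and personal-information rules). It also generates a PSK from the operating system's cryptographic random source, which is what “truly random” means in practice, and reports the resulting guessing strength in bits. The dictionary and personal-information sets are constructed placeholders; a real deployment would load a full word list and the owner's own names, street and phone number.

```python
import math
import secrets
import string

# Constructed placeholder word list; a real check would load a full dictionary.
DICTIONARY_WORDS = {"password", "wireless", "home", "network", "admin", "router"}

# Constructed placeholder personal information (surname, town, birth year).
PERSONAL_INFO = {"smith", "london", "1985"}

# Printable ASCII characters used for generated PSKs (77 symbols).
PSK_ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-./:=?@_"


def check_passphrase(passphrase: str, min_length: int, forbid_leading_space: bool = False):
    """Return the list of rules the passphrase violates (empty list = compliant)."""
    problems = []
    if len(passphrase) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if forbid_leading_space and passphrase[:1].isspace():
        problems.append("begins with a blank space")
    if not any(not ch.isalpha() for ch in passphrase):
        problems.append("no non-alphabetic character")
    lowered = passphrase.lower()
    for word in sorted(DICTIONARY_WORDS):
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")
    for item in sorted(PERSONAL_INFO):
        if item in lowered:
            problems.append(f"contains personal information '{item}'")
    return problems


def check_psk(psk: str):
    """PSK profile from the guide: at least 13 characters plus the common rules."""
    return check_passphrase(psk, min_length=13)


def check_admin_password(password: str):
    """Admin profile from the guide: at least seven characters, no leading blank."""
    return check_passphrase(password, min_length=7, forbid_leading_space=True)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing strength of a uniformly random string: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def generate_psk(length: int = 20) -> str:
    """Generate a random PSK with the OS CSPRNG (secrets), retrying until it
    passes check_psk. WPA2 passphrases must be 8 to 63 printable ASCII
    characters; the guide raises the floor to 13, and 20 leaves a margin."""
    if not 13 <= length <= 63:
        raise ValueError("length must be between 13 (guide minimum) and 63 (WPA2 maximum)")
    while True:
        candidate = "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))
        if not check_psk(candidate):
            return candidate


if __name__ == "__main__":
    psk = generate_psk()
    print(psk, f"({entropy_bits(len(psk), len(PSK_ALPHABET)):.1f} bits)")
    print(check_psk("password123"))          # too short and a dictionary word
    print(check_admin_password(" admin1"))    # leading blank and a dictionary word
```

A 13-character passphrase from this 77-symbol alphabet gives roughly 81 bits of guessing strength, well beyond what offline dictionary attacks against a captured handshake can exhaust; the same length made of dictionary words gives a tiny fraction of that, which is why the guide insists on randomness rather than length alone.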
Backup AP configuration settings;
Once the router has been completely configured, its configuration should be saved off-router (typically to a PC hard drive) so that it can be reinstated should it become corrupted or the router be replaced due to hardware failure.
Disable WiFi if not used;
If you do not require WiFi functionality, or it will not be used for an extended period of time, then the safest option is simply to disable it on the AP altogether.
Set a session timeout;
A session timeout of 15 minutes should be set for the management interface. This feature mitigates the risk of an abandoned, authenticated session being hijacked by an unauthorised attacker.
Rename admin account;
Where supported by the AP management interface, the administration account should be renamed from the default.
Do not enable SSID broadcast mode;
The Service Set Identifier (SSID) is used to identify a specific WiFi network. Disabling broadcast of this identifier requires end users to know the network name before they can join and use it. While this does not prevent an experienced attacker from discovering a network’s SSID, and provides only minimal additional security to home users, it should be viewed as part of a multilayered security posture.
Glossary
Term > Meaning
WiFi > IEEE 802.11b/g standards for Wireless Local Area Networking
WLAN > Wireless Local Area Networking. Same as WiFi.
WAN > Wide Area Network
Wireless network > Wireless Broadband network
Access Point > WiFi-capable fixed-line router
WPA > WiFi Protected Access
WEP > Wired Equivalent Privacy
SSID > Service Set Identifier
AP > Access Point
PSK > Pre-shared key
MAC > Media Access Control
SNMP > Simple Network Management Protocol
NTP > Network Time Protocol
SSH > Secure Shell
HTTPS > HyperText Transfer Protocol Secure