Being known as the “computer guy” in your family and circle of friends, comes with a heavy burden. You are often tasked with fixing a slow PC, recovering accidentally delete files or (worst case) dealing with a virus or ransom ware. While all those are fun (/sarcasm) the one that I am challenged with the most is setting up and securing WiFi at their home or small office.
This post will provide some basic tips and advice to help you assist the folks who ask you for help. It’s a checklist of sorts with some insight into what you are doing. As usual, this information is not meant for someone totally unfamiliar with technology on one extreme or a veteran engineer on the other. My assumption is you know your way around a laptop enough to access the router GUI, you may just plug in an get a DHCP address (dynamically assigned) or you many need to manually change your IP, it’s usually 192.168.1.1. You will them browse into the router, and my assumption is we are starting with a new device.
- First and foremost, change the default admin password. Factory passwords are standard, and are known to everyone. Last thing you want is the neighbor’s teen logging into your device as the Admin and messing with your settings. At your uncle’s house you can write this password down and stick it with clear tape (or a label maker) to the bottom of the device, along with the IP address you will set later on. In a small business with a single WAP, secure the password some other way.
- If you do nothing else on the device, Turn on Encryption. This can be done in the security tab of the router, and what you are looking for is WPA2-PSK, and the type to AES, and setup a password. Not the same as the password above. This PSK password (pre-shared-key) is the one you will give anyone you authorize to use your WiFi.
- Next Turn off Guest Wifi. You don’t want random people connecting as guests and using up precious bandwidth.
- Optionally Change the SSID. This is the name of your WiFi network. I would recommend this, but it’s not critical. More than anything else it will reduce confusion between you and your neighbors coverage.
At this point you have taken the very basic steps in securing the WiFi device. You have limited the access with the pre-shared key, you don’t allow guests and the admin password is unique and secured. Now lets get fancy.
- Routers are mini computers, as such they need updates. Update the Router Firmware, most devices can be done from the GUI, but in some cases you will need to look up instructions online. It will take 5-10 minutes but its worth it.
- Change the internal IP network Range to something other than 192.168.1.0 but do stick with a private IP range from the list below, and I would suggest to also stick with a 24 bit subnet mast (255.255.255.0)
-
- 192.168.0.0 – 192.168.255.255
- 172.16.0.0 – 172.31.255.255
- 10.0.0.0 – 10.255.255.255
This is step is not required and creates an additional layer of abstraction from the nosy neighbor.
- If the device has the options Turn on the Firewall. The more expensive routers will have this option, some legacy and entry level routers will not. For most home users it’s not required, but for a business I would encourage you to buy a device with a firewall built in.
In most cases, at this point you are done. You have sufficiently secured the WiFi device for your family or friend. Here are some additional things you can to increase security, but add management overhead and reduce ease of use.
- You can turn off the SSID broadcast. This means that a normal user will not see the WiFi network to attempt to connect to it. When a guest comes to your house, you will need to manually setup their device with the SSID and password to give them access to the internet. Not a big deal, just an extra step to deal with. It will also not stop a savvy hacker, who can scan for a hidden SSID.
- You can turn off DHCP and turn on MAC filtering. This means you can control access to the internet on a device level and can create significant overheard. Outside of a large corporation I haven’t found this to be a useful solution.
- Optionally you can turn off WPS but this isn’t something I do. WPS allows device like a printer to “pair” with the WiFi device, similar to Bluetooth. For it to work the person needs to physically touch the router. I figure if someone is hacking me from my closet where the device resides, I have bigger problems.
I hope you find this checklist useful. If you want me to dive deeper into any of the topics discussed in this post, please use the Contact Me link above to drop me a line.
Happy Teching!
-Yury