How can I configure my wireless network for the strongest security?

9

5

There seem to be many security features in wireless routers from MAC address filtering to the authentication type and data encryption. WPA or WPA2 PSK? AES or TKIP?

When I set up a new wireless network, what settings should be used to ensure the strongest security? Is it router dependent or are there some settings all routers have that should be set? Are there some must-have security features that I should consider before even purchasing a wireless router?

Jeff Yates

Posted 2009-07-15T14:02:51.590

Reputation: 1 518

Answers

11

Definitely WPA2 - it replaces WPA and is considered "secure". Use AES (TKIP has flaws) with a pre-shared key; make it > 13 characters and as random/secure as possible. This should pretty much guarantee that no one can get into your home router. Not that anyone ever would want to, though -- there are plenty of unsecured APs out there that they'd use first.

MAC address filtering is basically useless as the MAC is sent unencrypted, so anyone watching packets could wait for a MAC to come along that is authenticated, then spoof that (trivial). It just adds overhead to your management ("I got a new laptop, why can't I get on my wireless? OH gotta add the MAC, D'oh!")

Disabling SSID broadcast is also not really useful as that is also easily derivable by sniffing the wireless traffic. Again, it only adds a bit of a headache when you want to reconnect to your network ("What was my SSID again? Ah right, 'SDFSADF'")

If you can set up a home-based VPN on your system as well, that adds an additional level of security. I set my home wireless router to place wireless users in the DMZ (aka internet) so they cannot access my home network unless further logging in via VPN (another username/password w/login timeouts/resets the cracker would have to defeat). For the near future and against a non-governmental cracker, this is secure. :D

Matt Rogish

Posted 2009-07-15T14:02:51.590

Reputation: 775

Interesting. I have a games console that may not like the VPN access idea though :). – Jeff Yates – 2009-07-15T14:24:15.383

The DMZ goes straight out to the internet so you can use your 360 or PS3's networking just fine. Of course, you wouldn't be able to use it as a home media server or the like unless it supported VPN. – Matt Rogish – 2009-07-15T14:31:40.837

1

What I usually do when setting up a wireless network:

  • Use WPA2-PSK encryption using AES if possible (AES offers stronger encryption than TKIP), with as long / complex a passphrase as possible.
  • Enable MAC filtering, so the network only accepts devices with a certain physical address (MAC address). This security measure is easy to get around and not practical in some scenarios, but if possible, I still usually enable it.
  • Hide the SSID broadcast of the network. This way, the network does not publicly announce its presence. Again, not always practical, but if possible I do enable it.

Daan

Posted 2009-07-15T14:02:51.590

Reputation: 590
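
Both answers above recommend WPA2-PSK with AES and a long, random passphrase. The following is an added example, not code from either poster: it generates such a passphrase from the OS CSPRNG and derives the 256-bit key the way WPA2-PSK does (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations). The function names and the SSID `ExampleHomeNet` are illustrative assumptions.

```python
import hashlib
import math
import secrets
import string

# Letters and digits only: still strong when long, and easy to type on
# consoles and phones. WPA2 itself accepts any printable ASCII (0x20-0x7e).
ALPHABET = string.ascii_letters + string.digits


def generate_passphrase(length=20, alphabet=ALPHABET):
    """Return a uniformly random passphrase; WPA2-PSK allows 8 to 63 characters."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2-PSK passphrases must be 8 to 63 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random passphrase (does not apply to human-chosen ones)."""
    return length * math.log2(alphabet_size)


def derive_psk(passphrase, ssid):
    """Derive the WPA2 pre-shared key as hex, validating the inputs first."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    # The SSID is only a salt: the key's strength comes from the passphrase,
    # which is why a hidden or unusual SSID does not replace a strong one.
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)
    return key.hex()


if __name__ == "__main__":
    ssid = "ExampleHomeNet"  # constructed sample SSID
    passphrase = generate_passphrase(20)
    print("passphrase:", passphrase)
    print("entropy   : %.1f bits" % entropy_bits(20, len(ALPHABET)))
    print("psk       :", derive_psk(passphrase, ssid))
```

Changing the SSID changes the derived key, so a router that stores the hex key rather than the passphrase needs it recomputed after a rename.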