Protect your Wireless Lan

Martin Brinkmann
Feb 7, 2007
Updated • May 30, 2013

More and more users use wireless connections to connect to the Internet. Many do use a wireless LAN router by default that they get from their internet provider and while there are certainly some that go right ahead and secure the router or modem properly, it is likely that many do not and are just happy that it works right away.

Insecure Wireless routers are a main target of  hackers but also of neighbors who like a free ride on the Internet.

While it does not seem too bad on first glance, you need to understand that all activities of the third party falls back to you in first place. If they download copyrighted files, commit fraud, spam, access pornography or spread malicious software, then it is you who gets the (first) blame if detected. You will be held responsible for abuse that is done with your connection.

You need to know the basic information about your wireless router before you can begin to protect it.

  • Who is the manufacturer
  • What is the name and model of the wireless router

Visit the manufacturers website and search for updates for your router. Updates are normally in the form of firmware updates which updates the device, often to include additional features or security updates.Please consult the website for instructions on how to update the firmware of your router.

Make sure you update it using a wired connection because wireless connection are less stable and any interruption to the process may brick the router or modem.

It is now time to protect the router further. Connect to the interface which is normally done by opening the IP of the router. (default most of the time) Enter username and password and change them when your are logged in. Many routers get hacked because the user did not change the default authentication of the device.

You just have to search on the Internet for a name and model to find the default admin username and password listed on websites.

Now it is time to configure the security settings of the w-lan router. Add a service set identifier (SSID), it does not really matter how you name it, just remember the name as you need to select it when you are connecting to the device.

Enable the strongest encryption method available, this is normally WPA2 with AES. If you have an older router or a device that does not support WPA2 you should think of buying a new router or updating the devices. Make sure you use a large string with numbers and letters as the encryption key. A good value is at least between 20 and 30 chars long. Make sure you remember it because you need to supply the key to the other devices that have to connect to the router (you can look it up in the dashboard though).

Enable Mac filtering, look up your mac address by using the command line in Windows XP and typing ipconfig /all. The physical address is your mac address. This ensures that only computers with a Mac address that is listed in the router can connect to it. Please note that the Mac address can be faked.

If you do not need the full transmitter power because your router and computer are physically close to each other you could reduce the transmitter power to reduce the chance that someone from outside your walls will be able to find the router and connect to it. Please be aware that a good antenna on the device that wants to connect to your router is able to counter this strategy.

Here is a list of other ideas that are worth investigating.

  • Disable all services that you do not need.
  • It is a very good idea to power off the router when you do not need it to prevent anyone from connecting to it while you are away. Alternatively turn off wireless.
  • If you have the means monitor the traffic of your wireless connection to find out if someone else uses it as well.
  • Enable the firewall of the router and configure it properly
  • If the router has a logging feature enable it and analyze it regularly.
  • Limit the maximum number of DHCP addresses if you use that feature.
  • Use Authentication if possible.

Tutorials & Tips

Previous Post: «
Next Post: «


  1. Lincoln said on February 8, 2007 at 11:55 am

    Did you mean Moore’s Law or Murphy’s Law?

    1. Martin said on February 8, 2007 at 11:57 am

      Murphy’s law:

      Murphy’s law is a popular adage in Western culture that most likely originated at Edwards Air Force Base in 1948. The Law broadly states that things will go wrong in any given situation, if you give them a chance. “If there’s more than one way to do a job, and one of those ways will result in disaster, then somebody will do it that way.” It is most often cited as “Whatever can go wrong, will go wrong” (or, alternately, “Whatever can go wrong will go wrong, and at the worst possible time,” or, “Anything that can go wrong, will”). /taken from wikipedia/

      1. Lincoln said on February 8, 2007 at 8:49 pm

        So when you said “Make sure you update it using a wired connection because wireless connection tend to become unstable in the wrong moments. (Moore’s law)” you actually meant to finish with “(Murphy’s Law)”?

      2. Martin said on February 8, 2007 at 11:16 pm

        my error, I corrected the article to Murphy’s Law, that’s what I meant in first place.

  2. Iain Cheyne said on February 7, 2007 at 6:38 pm

    You can get an excellent overview of Wireless security at the Security Now podcast.
    Episodes 10, 11 and 13

  3. Iain Cheyne said on February 7, 2007 at 6:36 pm

    This advice is a bit OTT.

    WPA1 with TKIP encryption is enough and has never been cracked. TKIP is more compatible than AES. WPA passwords have been cracked, which is why you should choose a long one.

    MAC filtering and SSID hiding give no real protection and are inconvenient for everyone.

    1. Martin said on February 7, 2007 at 7:05 pm

      Iain I don’t think that MAC filtering and SSID hiding are inconvenient. It just takes a minute or two to setup both. Sure they do not help against attackers who know what they are doing but they could fend off the script kiddie

      1. Iain Cheyne said on February 7, 2007 at 8:16 pm

        But why bother when WPA will defeat all hackers?

        WPA Passwords from GRC’s passwords page are pretty much unbreakable.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.