Tips for Securing Your Home Router
Seemingly minor and easily overlooked settings can still have profound security implications. Here are some steps you can take to make sure your wired or wireless home router — and by extension, your network — is as secure as possible.
Most Popular Reviews
Microsoft Windows Home Server
If you have a home network, you'll welcome the easy file sharing, remote access and the image-based backup features of Windows Home Server.
MikroTik's The Dude
This free tool delivers many of the same capabilities that you'd find in pricey network monitoring tools. As long as you don't mind tinkering, The Dude is a decent network utility that should be worth the download.
Author: Joe Moran Review Date: 6/28/2005
Price: $29 per year (provides one secure access point and five user accounts) Pros: Inexpensive; adds user authentication to WLAN without additional hardware or software
Cons: Service may not work with some access points
It's common knowledge that when it comes to securing a wireless network, WEP, while still better than nothing, is only slightly better. In fact, using WEP is a lot like locking your car doors but leaving the key in the ignition and the engine running. And while WPA is nothing less than a huge improvement over WEP, WEP and WPA still have something in common— while both encrypt wireless traffic, neither does anything to authenticate users trying to associate to your WLAN.
Those who want to add this extra layer of security to their wireless network may want to look into SecureMyWiFi, a service from WiTopia.net (a subsidiary of Full Mesh Networks) that improves WLAN security by requiring users to authenticate to a remote server before granting access. The technology behind SecureMyWiFi is RADIUS (Remote Authentication Dial In User Service), which is widely used by ISPs (think about your username/password to sign on to a dial-up connection) as well as the corporate world.
Hardware Requirements In order to use SecureMyWiFi, you must have an access point or wireless router that supports WPA-Enterprise or WPA2-Enterprise (which are sometimes referred to as WPA-RADIUS and WPA2-RADIUS).
Remember that WPA-Enterprise is not the same thing as WPA-Pre Shared Key (WPA-PSK, or WPA-Home), which uses a passphrase-generated key to encrypt wireless traffic. While WPA Enterprise/RADIUS uses a similar method of encryption, it takes the extra step of authenticating users before allowing them to associate to the network.
Holding the user accounts is a RADIUS database that typically resides on its own server somewhere on the network. Some vendors' access points (ZyXEL comes to mind) even have a basic RADIUS server built in, eliminating the need for a separate server. But what makes SecureMyWiFi interesting is that it can add RADIUS authentication to your WLAN without needing a RADIUS server of your own. The server and the authentication list it holds are remotely hosted. (The downside to this is that you need a full-time Internet connection to get authenticated.)
Lots of routers and access points don't support WPA-Enterprise To help you find a compatible device. WiTopia provides a link to a lookup tool hosted at the WiFi Alliance Web site, or you can access the database directly at wifialliance.org/OpenSection/certified_products.asp?TID=2. But as you'll see later on, simply finding a WLAN device that's WPA-Enterprise-capable may not be enough.
Setup and Configuration Signing up for the SecureMyWiFi service is a simple task. After creating an account on the WiTopia Web site, you'll receive an e-mail with some configuration information as well as a link to complete the registration process online. When you click the link, you're also asked to provide the manufacturer and model of your AP, along with either your IP address or one or more MAC addresses from your AP hardware.
RADIUS typically uses an IP address along with a shared secret as a means of authentication. However, if your ISP provides a dynamically assigned (and thus potentially changing) IP address —as will often be the case— a MAC address from your access point can serve as a piece of static identification information that SecureMyWiFi will use to authenticate your account.
After entering account and hardware information online, the next step is to configure your router or access point to communicate with the SecureMyWiFi server. The steps will vary slightly depending on the make and model of your hardware, but it essentially involves enabling WPA Enterprise authentication/encryption, inputting the 32-character shared secret (used to encrypt data), and telling the access point where to find the SecureMyWiFi servers. (Both an IP address and FQDN (define) are provided by SecureMyWiFi, though many SOHO routers only accept an IP address.)
After adjusting the AP configuration, the final step is to reconfigure any clients that will connect to the wireless network so that they authenticate using EAP (Extensible Authentication Protocol). With Windows XP, this is a matter of about a dozen mouse clicks, and should take less than a minute per computer. Once reconfigured, joining the network requires you to provide an account username and password in lieu of an encryption key.
Possible Problems WiTopia positions SecureMyWiFi as being quick and easy to set up, even for non-technical users. That will probably be the case for many, but if my initial experience was any indication, there may be unexpected pitfalls encountered depending on what hardware is used.
After proceeding through the SecureMyWiFi account setup and hardware configuration process (since my IP address was in fact dynamic, I entered a MAC address for my Linksys WRV54G WLAN router), I attempted to sign on to my newly reconfigured wireless network. However, after I entered my username and password, the computer seemed to ruminate for several seconds before prompting me anew for the same information. Even after verifying all the configuration settings, the problem continued to occur each time I tried to sign on.
A pow-wow with WiTopia personnel pointed out the problem: my particular Linksys router model. According to WiTopia, it turns out that the WRV54G does not output the proper RADIUS data, which prevents authentication. Adding insult to injury, the WRV54G also accommodates a maximum shared secret of only 20 characters, 12 short of what SecureMyWiFi requires.
After striking out repeatedly with the Linksys device, I replaced it with a D-Link DWL-2100AP access point and was able to connect without any problems.
According to WiTopia, that type of problem is relatively uncommon, but it acknowledged that the overwhelming number of device manufacturers, models, and firmware versions out there makes comprehensive advance testing essentially impossible. WiTopia has verified the compatibility of several WLAN products like the Apple AirPort Express, Linksys WRT54G and WAP54G, and Proxim AP-4000 and AP-700, all of which are available for sale, pre-configured, at WiTopia's site.
Documentation and Support WiTopia doesn't offer technical support over the phone, but it does provide assistance via e-mail. You can access a document library that walks you through the configuration steps for both Mac OS and Windows clients as well as the Linksys and Apple hardware mentioned above.
WiTopia also maintains a support forum on its Web site (annoyingly, your SecureMyWiFi account credentials won't get you access to the forum— you must register for it separately). At the time of this writing, the forum had fewer than two dozen members and relatively few entries posted, reflecting the fact that SecureMyWiFi has only been live for about 45 days. So it won't provide much in the way of instant gratification if you have a problem. On the plus side, forum moderators seemed to respond to questions fairly quickly—in hours if not minutes. Hopefully, that responsiveness will be maintained as forum activity increases.
Pricing So what does SecureMyWiFi cost? Surprisingly, not very much— an annual fee of $29 lets you use the service with one access point and create up to five user accounts. (You can add, modify, or delete accounts—or access points, for that matter—at any time.) You can add additional access points (up to five total) for $10 each, and similarly add additional users (up to 25 total) for $1 per user (in groups of five). A business-oriented version with higher user capacities is also planned.
For what amounts to about eight cents a day, SecureMyWiFi can improve your wireless security over that provided by either WEP or WPA-PSK not only by securely encrypting your traffic but by authenticating users as well. The only thing that mars the product is the inability to be certain in advance whether your WLAN device will actually work with it. At the moment—given the sheer variety of WLAN hardware available— there's unfortunately no ironclad way to know whether a given piece of hardware (excepting those currently sold by WiTopia) will work with SecureMyWiFi, until you try it. WiTopia says it plans in the future to list on its site hardware that has been confirmed to work or not work, which will help.