How to Setup a Secure Wireless Network Router

Updated: 3/10/2019

Security has become an ever more important part of using a personal computer. Increasingly, the daily headlines include news of companies and websites getting hacked. It is important to learn how to properly secure your wireless Internet as well as secure your personal computer.

This article focuses on how to secure your wireless network router so that you do not become part of the statistics. The wireless router typically includes a firewall that defines the perimeter of your network. Think of this as a fence, walling off your network from the Internet. Having a vulnerable wireless network allows criminals to ppossibly steal your data as well as Internet access. You could also become responsible for illegal downloading if your wireless Internet was compromised.

October 2017 Wi-Fi KRACK attack Warning

KRACK attack on Wi-Fi. Attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted.  Virtually ALL Wi-Fi equipped devices need to be updated.  The attack is particularly bad on Android 6.0 and Linux. If you have a device with no updates (eg Internet of Things), you will be open to attacks.

You should not be using any non-802.11ac devices any more, if at all possible; and you should make absolutely certain you’ve updated the firmware on all routers to the latest available version.

If that newest available firmware version is older than November 2017, it is without a doubt vulnerable to KRACK, and you’re going to need to discard and replace that device. If it’s older than, say, July 2018 it might or might not include KRACK mitigations, and you should go through all of that device’s firmware release notes since November 2017 to make certain.

Government Spying via Compromised Wi-Fi Routers

WikiLeaks has confirmed that insecure wireless routers were hacked and users spied probably by the CIA.  If you own a router on the list, update its software immediately or buy a new one.

Federal Trade Commission Makes Asus Improve Router Security

In February 2016, the Federal Trade Commission settled charges with Asus, over critical security flaws in its routers that put the home networks of hundreds of thousands of consumers at risk.

The proposed consent order will require ASUS to establish and maintain a comprehensive security program subject to independent audits for the next 20 years.

Finally!, the government is forcing these manufacturers to fix wireless routers that can be come huge security holes.

Wirless Routers are a big Security Hole

The Wall Street Journal commissioned a security researcher to test 20 popular internet Wireless Routers in late 2015. 10 had known security weaknesses. 4 had old firmware that when upgraded could contain undocumented security problems.  Keep your router’s software update and if it is older than 2 years, you should buy a new one. Few routers automatically update their software, like Windows does. Most networking companies’ stop updating them after a year or two (They have no financial incentive), resulting in a major security risk.

Hackers can take control of insecure wireless routers to snoop on all your Internet traffic, initial denial of services attacks on others, or steal your financial information.

Cable or DSL Modem Direct Connection

Some high speed Internet connections allow you to directly connect your computer to the modem.  We recommend installing a network router in this situation to help protect the computer from external traffic. Install a wireless router and turn off the wireless capability if you do not need it.

Hardwired Ethernet Network

Secure wireless is an oxymoron! Using a hardwired Ethernet connection is much more secure than wireless Internet, a must for those looking for the maximum protection. Unfortunately, this is type of access is not possible for some devices (iPad, iPhone, etc.) and is far from convenient. Most users who demand the utmost in security and performance lay Ethernet networking in their homes and businesses. They may still run a wireless network, but limit access on that network to just a couple devices.

What is the most secure Wireless Router?

Wireless router hardware is available from many major manufacturers, including Apple, Cisco – Linksys, D-Link, or Netgear. We suggest avoiding smaller companies because they may be slow to update the software (firmware) and patch security holes. Unfortunately, even the large comes stop upgrade software on their routers after a year or two, you then should buy a NEW router. Fewer notify users of new software availability.

Manufacturer’s models differ in wireless range, speed, wireless standard support (Wireless-AC), and special features. Always make sure to update to the latest firmware available; bug fixes, security fixes, and enhancements were possibly added.

More Advanced Routers

The best routers are more robust routers targeted towards small business. They have more advanced security and are updated more often. If you are not technical, forget about buying one.

• pfsense – Makes a solid security appliance. Their 2 port model is more affordable at $299, $374 with 802.11N. You need to be somewhat technical to setup Virtual LANs.
• Ubiquiti Networks – Makes a great low cost multi port router, EdgeRouter X, for under $50. Add their UniFi AP AC Lite access points ($90) and you have one of the best and cost effective Wireless setups. Again not for beginners. Great Setup Guide

Cheap 3 Router secure Wireless Setup for IOT

Here is a good setup if you are concerned about security, are not a network expert, and need to have a guest network or have Internet of Things devices. (IE Nest Cam, Nest Smoke Detector, etc)  This configuration prevents these devices from snooping or intercepting your normal traffic. Using a typical Wireless router’s Guest network will NOT accomplish the same thing.

Kudos to Steve Gibson of Security Now. Buy or re-use a cheap old router that does not have to have wireless capabilities. We will be connecting them in a Y configuration. Connect this Router 1 to your Cable / DSL Modem.

Wireless Router 2 and Wireless Router 3 are both plugged into Router 1.

• Use Wireless Router 2 for all your computer, tablet, smartphone needs.
• Connect Wireless Router 3 with all your IOT or Internet of Things devices, like security systems, cameras, thermostat, etc.
• IOT devices should use a different DNS Server than your standard one.

Optimizing Wireless Routers for Maximum Range

• Physical Location – Where you place the wireless router is very important.
  • Position the wireless router to most central or optimal location for best coverage of your wireless network, and least amount of leakage to unwanted places like your neighbors or passersby on the street. This may be high up on a wall and may not be in the room the Internet connection is located in. Keep the wireless router away from microwave ovens and cordless phones.
  • If you have sufficient wireless coverage and your wireless router supports it, you could also Reduce your wireless router’s transmitter power so it doesn’t send the signal beyond your home.
  • Run a utility such as inSSIDer that helps you adjust your wireless router’s channel configuration to prevent interfering with surrounding wireless wifi networks. Wifi Analyzer for Android, Wi-Fi Finder iOS also works. Most routers are preset to channel 6, causing more collisions.
  • Antennas – Low cost 3^rd party add on antennas extend range without the need to buy a new wireless router; free antennas can also extend range. Some antenna’s omnidirectional, while others are directional, allowing you to focus a wireless signal. Replace the cheap antenna that came with your wireless router, to significantly increase performance.
  • Add an electrical power timer to turn off the wireless router when not in use or at night. This saves money and offers added security.

Wireless Network Router Settings

Wireless routers need to be configured properly to ensure proper operation as well as maximum security. Although wireless routers from different vendors include differing configuration options, most include these configuration settings. We have included screenshots for a variety of popular wireless routers, but can never cover every single wireless router available. We recommend disconnecting your cable or DSL modem while your router is being configured as some routers take a while to boot up and present an unfiltered connection while loading up.

Before you make any changes to your wireless router, always note how it was configured before the changes were done, so you can undo changes.

Access the administrator configuration for your wireless router by either running the software that was included with it or by accessing it directly from a web browser. For instance, Linksys router web interface for their wireless routers can be accessed when entering the following URL into your browser: https://192.168.1.1/

Administrator Password

• Password entered to gain access to the wireless router hardware. The administrator password MUST be changed from factory default to something difficult and long. Many people never change the factory password and leave themselves wide open to getting hacked. See our article on generating secure passwords for tips.
• Router Default Passwords can show you passwords for routers left unchanged from default
• Disable remote router access or Remote management so no one can change your settings from outside your network. On Linksys routers, it is located on the Administration tab – Management.
• Enable Logs so that you can go back and see where problems arose.

 

Cisco Linksys Wireless Security Settings

Cisco Linksys Dual Band 2.4Ghz 5Ghz Wireless Security Settings

DLink Wireless Security Settings

Wireless Encryption

• It is best to use WPA2-Personal security mode, AES encryption (do not select TKIP), a long Pre-Shared Key. Recommendation: Long (40+ characters) and include symbols, and upper and lower case. You will have to enter this password on each wireless device.
• Do not use WEP or WPA encryption as they are easily hacked. WEP encryption can be broken in under a minute. If you have hardware that does not support WPA2 encryption, replace the hardware.
• Always use encryption and NEVER have an open Wi-Fi access point without a password.

 

Mac Address Filtering

• This should be Disabled. This ensures that only authorized Wireless devices’ Mac Address (the serial number of the networking devices) are allowed to access the wireless router. Enabling it does not make it anymore secure against hackers. They can spoof Mac Addresses.

SSID

• Name – Change the default name. Do not use your address or a personal name. It is important to have a unique name so that when you’re away from home, your devices do not automatically try to logon to other wireless networks with the same name. This will also make you less susceptible to attacks using precomputing tables based on default names. Make sure you do not use names like: linksys, netgear, attwifi, 2wire####.
• To make your WiFi Network name more secure you should also add “_nomap_optout” to the end of it.  This prevents early Windows 10 installs from sharing it and Google from indexing it.
• Broadcast – Should be enabled to present easy access and prevent devices beaconing for it when it is out of range. Hiding it does not make it anymore secure against hackers.

 

UPNP – Disable this feature.  Very Important! It makes your network much more vulnerable. Although adding devices will require manual action. You could also enable Universal plug and play only when adding a new device.

Wi-Fi Protected Setup (WPS) – Disable this feature (if possible) and enable manual setup, even though it makes setup much easier.  It makes your network much more vulnerable to external hacking. A flaw allows a remote attacker to recover the WPS PIN and, with it, the router’s WPA/WPA2 password in a few hours was uncovered in December 2011. Checkout our WPS article on this.

Some older Linksys routers have SecureEasySetup™ (SES), which can be disabled to increase security.

Bands – More advanced wireless routers operate on multiple frequencies at the same time.

• 2.4 GHz – This is the typical Wi-Fi frequency used by most wireless routers.
• 5 GHz – More advanced routers support this frequency. Your computer or Wi-Fi device needs to also support the 5 GHz frequency option, so an extra network adapter may be required. Utilizing only this frequency helps prevent your network from being probed by less sophisticated hackers. *Note* 5 GHz performance transfer rate decreases dramatically the farther the device is from the router. Buy a new router if this is the case.

DHCP

• DHCP is used to handout Internet IP Addresses to your local network devices. Be sure to set a limit to the number of DHCP addresses given out by your router. This number should correspond to the actual number of devices you own. Occasionally, login to your router and audit the number of DHCP addresses given out, to look for nearby Internet leeches. RogueScanner is a free tool that will help you find rogue wireless access points and devices.

DNS

Set the DNS (Domain Name Server) that the router uses to either your ISP’s DNS Server or better yet, to Google’s high performance DNS: 8.8.8.8

Leaving the field empty could lead to DNS spoofing.

Wireless Routers with Guest Network 

This is an IMPORTANT feature to look for in a new Wi-Fi router. If your wireless router is capable of setting up a separate network for your Guests and Internet of things (IOT – Cameras, Doorbells, etc) devices, you need to ensure that it is set up properly to prevent access to your main network. Keep in mind that some older guest networks (Linksys, Cisco) simply have a password but do not utilize wireless encryption such as WPA2. Buy a new router if this is the case.

Use a different password for this network and give this out to your guests.  Also place the following types of devices on this network, not your main network.

• Security Cameras
• Wireless Thermostats and Smoke detectors (IE Nest)
• Internet of things devices (Toys, Cars, Appliances, etc)
• Cars

Isolating Guest Network Access

If you have a D-Link wireless router, be sure that the Enable Routing Between Zones option is not checked. This will prevent access by a guest network client, onto your main network.

If you have an Asus wireless router, be sure that the Access Intranet option is set to Disable. This will prevent access by a guest network client onto your main network.

• Some Asus routers have Set AP Isolated in their Wireless-Professional Menu. Setting this to Yes for the 2.4Ghz Band will also increase security by preventing guest network clients from accessing each other.
• Advanced Asus Router users: If you are running 3rd party Asus Merlin firmware adding this rule to a firewall-start file will prevent guest network users from being able to access each others:
  • wl -i wl0.1 ap_isolate 1

Known Wireless Router Issues

If you own an AsusRT-N66U or Linksys E-series wireless router, make sure it has been updated to prevent the Moon worm.

Additional Security

• Options such as Radius Authentication may be supported by the wireless router. This is more for corporate or small business security. ZeroShell allows you to set up a RADIUS server inside a virtual machine.

Third Party Wireless Router Firmware

• 3^rdParty Firmware or software for the wireless router is often available with additional features not available from the manufacturer’s firmware. This many also be more secure than your original firmware.
  • Why? – Need a particular special feature. Often only for power users.
  • What features would be available? – Stability, security, configurability
  • Wireless Router Compatibility – Check website to see if your wireless router is supported by 3^rd party firmware

 

• Tomato – Popular 3^rd party replacement firmware for many wireless routers.

 

• DD-WRT – Popular open-source 3^rd party replacement firmware for many wireless routers. This firmware enables you to adjust the transmit power of the router to help boost range.
• Asuswrt-Merlin – This 3rd party alternative firmware is focused on Asus routers.

Buffalo  makes wireless routers with DD-WRT pre-installed. This allows them to reduce the amount of software (firmware) they have to write, and concentrate their efforts more on hardware. If you are afraid of accidentally damaging your wireless router by installing 3^rd party firmware consider purchasing a Buffalo High Performance wireless router.

• Do It Yourself (DIY) Wireless Router – allows for advance features , good if you have extra computers, higher performance needs, QoS, IP filtering, traffic stats, special network configurations that are not mainstream.
  • Smoothwall – Popular 3^rd party Linux based router software. Runs on any Pentium-class PC with at least 128 MB of RAM. Snort Intrusion Detection System support is also available, so you do not have to run Snort in a separate installation.

Testing Wireless Router Security

Testing wireless router security is important to see how secure your wireless router really is. Here are some sites that help test your wireless router’s security. You can adjust your configuration to close any vulnerabilities they find.

• Rapid7 – Has penetration testing software
• Shields Up – Tests your network with tools from Steve Gibson of GRC.
• HackerWatch – Tests your network with tools from McAfee.
• HackerTarget – Multiple tests on your network
• Arachni – Security scanning framework

By applying special settings to your wireless router, you can significantly increase the security of your wireless network to prevent theft and secure our privacy.

Also keep you wireless router’s software up to date and buy a new one every couple years, if there has not been an software update recently.

This concludes our How to setup a Secure Wireless Network Router  article. Other articles on Safegadget.com help you secure the other aspects of your personal computer, including How to Set up a Secure wireless network Router, and How to Secure Internet Explorer article, or How to Secure Firefox Article. Please see our other articles on security tips for your e-mail, iPad, online banking, online shopping, smart phones, and more.