Keeping home net routers safe
Most people who install a home network never delve inside the netherworld of security settings on their router. Who can blame them – it’s about as frightening as putting your hand in a shoebox full of rabid gerbils. Nevertheless, it’s worth the effort if you know what you’re doing.
That said, here are 10 router settings that can be used to make your network more secure. For the purposes of this article, I used a popular router, the DLink DI-524, to show you how to engage the features, because it doesn’t bite, usually.
To use these features, you’ll need to get inside your router and access its control panel. To do this, type the router’s internal IP address into the web browser of a computer on your network. For DLink routers the address is http://192.168.0.1. For Linksys routers it’s http://192.168.1.1, and it’s 192.168.2.1 for several other brands. Check your router’s manual if none of these work for you, or look for the ‘Default gateway’ IP address when you use the ipconfig /all command mentioned in item #5.
1. Turn off UPnP – UPnP, or universal plug and play, is a handy feature that lets devices on your network configure themselves, but it’s also a security hazard. A Trojan horse or virus on a computer inside your network could use UPnP to open a hole in your router’s firewall to let outsiders in.
So it’s a good idea to turn off UPnP when not in use. To do that, click the Tools tab, then the Misc. button and click Disabled next to the ‘UPNP’ listing. Be sure to click Apply to update the router with this new setting.
2. Change your admin password – Routers come with a factory default User ID and password used to safeguard a router’s configuration panel. On a DLink router the User ID is admin and the password is left blank.
You should change the password so wireless snoopers can’t get into the router and mess around with its settings. Here’s how: Click the Tools tab, then the Admin button, and change the Administrator password by typing it twice.
3. SSID broadcast – SSID is short for Service Set Identifier and is the name of your wireless network that is broadcast by a router into the radio spectrum. It can be seen by Wi-Fi enabled computers looking for a network to connect to. You can turn this broadcasting feature off so that the router appears invisible to casual wireless snoopers by clicking the Home tab, then the Wireless button, and choosing the Disable button next to SSID Broadcast.
- Note that determined wireless snoopers can find your network using free snooper software available on the Internet, so turning SSID broadcast off is not a foolproof security measure.
4. Turn on the DMZ – Short for Demilitarized Zone, this feature lets you designate an internal device on your network to appear as if it is outside your router’s firewall, so the firewall no longer filters traffic to it. It’s handy if you have a webcam or gaming computer that you don’t want blocked by the router firewall. To set up a DMZ, simply assign the computer (or webcam) a fixed internal IP address, then turn on the DMZ in the router and add the computer’s IP address. DMZ settings can be found on a DLink router by clicking the Advanced tab, then the DMZ button.
5. Filter MAC addresses – A MAC (Media Access Control) address is a unique identifier – like a fingerprint is to humans – that is assigned during manufacturing of a network device, such as a network card or Wi-Fi adapter. A device’s MAC address can usually be found on a sticker, often on the bottom of the device. On a computer, it can be found in the network settings. On a Windows computer, click START, then Run, then type command and click OK. At the DOS prompt, type ipconfig /all and look for the ‘Physical Address’ entry. It’s a series of six hexadecimal numbers that look like this: 00-13-CE-32-E3-58. MAC address filtering can be used to keep wireless surfers out of your network. Turn it on in a DLink router as follows: Click the Advanced tab, then the Filters button, then click the button next to MAC filters. Enter a name for the computer and its MAC address and click Apply. This has to be done for each wireless device allowed on the network. (If you have a wireless TiVo box, you’ll need to add that too.) Note that devices connected by a physical network cable to a router are exempt from MAC address filtering.
6. SSID name – Change the SSID name on your router from the factory default. On a Linksys router it is ‘linksys’. On a DLink router it is ‘default’. Change these to a familiar but unique name that doesn’t give away any personal info like your surname or home address. I always try to call it something humorous like snackcentral, fuzzyslippers, or tastymackerel. This shows any would-be hacker that you have changed the default settings on your router and know how to work the router. If it’s named the default SSID, it’s an invitation to an outsider to come in and poke around.
7. Update your Firmware – Firmware is the software that operates inside your router. And just like software on your computer, occasionally it needs to be updated because software bugs need to be patched. Your router manufacturer will periodically issue firmware updates on its website, so it’s worth checking every quarter to see if anything new has been issued. On the DI-524 click the link on the Tools tab, then the Firmware button for a link to DLink’s support site where you can download the new firmware file. Then browse from the Firmware settings page on the router to the firmware file on your hard drive and click Apply to install it on your router. It’s a good idea to do this over a wired connection. A failed installation will stop the router from booting and you’ll have to reset it to the factory default (see #8).
8. Factory Reset – If you mess up your settings and can’t get them working right, restore the router back to the way it was the day you bought it. Click the Tools tab and then the System button. Then click the Restore button on that page. If you have locked yourself out of your router, you can do a hardware reset. There’s a pinhole at the back (or sometimes the bottom) of most routers with the word RESET next to it. Find a paperclip and straighten an end and push it into the hole and hold it for 10 to 20 seconds. When you release it, the router will restart and will be reset to the factory default. Don’t forget to go back in and reconfigure it the way you want and also download any firmware updates again.
9. WEP – WEP is short for Wired Equivalent Privacy. It can be used to scramble the data that moves over your wireless network. To enable WEP, click the Home button, then the Wireless button. From the Security pulldown choose WEP. Then enter a series of numbers and letters between 0 and 9 and A to F. For a 64 bit key enter 10 characters. For a 128 bit key enter 26 characters. When you attempt to connect a computer wirelessly to your router you’ll be required to enter this key again when prompted by your computer.
10. WPA – This is short for Wi-Fi Protected Access and is the preferred method of encrypting your network, as it’s a newer, more secure protocol. To enable WPA, click the Home button, then the Wireless button. From the Security pulldown choose WPA-PSK (PSK, also known as personal mode, is short for pre-shared key). Then enter a passphrase like: ‘My cat is attached to my trousers’. You can enter eight to 64 characters, including white spaces. Click Apply. When a computer or other Wi-Fi device tries to connect to the router after it reboots, it will be prompted for the passphrase.
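As an added example (not part of the original article or any router's firmware), this Python sketch checks a WEP key against the lengths in item 9 and shows what WPA-PSK does with the passphrase from item 10. It follows the 802.11i standard rather than the DI-524's input form: a passphrase is 8 to 63 printable ASCII characters stretched with PBKDF2-HMAC-SHA1 using the SSID as salt, and the 64-character form is 64 hexadecimal digits used directly as the key. The function names are hypothetical.

```python
import hashlib
import string

HEX = set(string.hexdigits)

def wep_key_bits(key):
    """Return 64 or 128 for a well-formed WEP hex key (item 9), else None."""
    if set(key) <= HEX:
        return {10: 64, 26: 128}.get(len(key))
    return None

def wpa_psk(passphrase, ssid):
    """Return the 256-bit WPA-PSK key, as hex, for a passphrase and SSID."""
    if len(passphrase) == 64 and set(passphrase) <= HEX:
        return passphrase.lower()          # 64 hex digits are taken as the raw key
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    # 4096 rounds of PBKDF2-HMAC-SHA1, 32-byte output, SSID as the salt
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)
    return key.hex()

if __name__ == "__main__":
    phrase = "My cat is attached to my trousers"   # the article's sample passphrase
    # The same passphrase gives a different key under each network name,
    # so renaming the network (item 6) also changes the key in use.
    for name in ("default", "tastymackerel"):
        print(name, wpa_psk(phrase, name))
    print(wep_key_bits("0123456789"))               # 10 hex characters
    print(wep_key_bits("0123456789ABCDEF0123456789"))  # 26 hex characters
```

Because the SSID is mixed into the key, changing the SSID after setting the passphrase changes the derived key, and every device has to reconnect under the new network name.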
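The introduction and item 5 both rely on reading ipconfig /all by eye. The following added example (not from the original article) parses that output to pull out each adapter's ‘Physical Address’ for the MAC filter list and the ‘Default Gateway’ for the router's control panel. The sample output is constructed, and the field layout is assumed to match the English-language Windows format.

```python
import re

# Constructed sample of `ipconfig /all` output. Addresses are made up, except
# the wireless MAC, which is the example address quoted in item 5.
SAMPLE = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Physical Address. . . . . . . . . : 00-11-22-33-44-55

Ethernet adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . :
   Physical Address. . . . . . . . . : 00-13-CE-32-E3-58
   IP Address. . . . . . . . . . . . : 192.168.0.100
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
"""

ADAPTER = re.compile(r"^(\S.*adapter .+):\s*$")            # unindented section header
FIELD = re.compile(r"^\s+(.+?)[ .]*:\s*(.*)$")             # "Key . . . . : value"
MAC = re.compile(r"^[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}$")  # six hex pairs

def parse_ipconfig(text):
    """Return one dict per adapter with its name, MAC address and default gateway."""
    adapters, current = [], None
    for line in text.splitlines():
        head = ADAPTER.match(line)
        if head:
            current = {"name": head.group(1), "mac": None, "gateway": None}
            adapters.append(current)
            continue
        field = FIELD.match(line)
        if not field or current is None:
            continue
        key, value = field.group(1), field.group(2).strip()
        if key == "Physical Address" and MAC.match(value):
            current["mac"] = value.upper()      # normalise case for the filter list
        elif key == "Default Gateway" and value:
            current["gateway"] = value          # the router's control-panel address
    return adapters

def router_url(adapters):
    """First default gateway found, as the URL to type into the browser."""
    gateways = [a["gateway"] for a in adapters if a["gateway"]]
    return "http://" + gateways[0] if gateways else None

if __name__ == "__main__":
    found = parse_ipconfig(SAMPLE)
    print(router_url(found))
    for a in found:
        print(a["name"], a["mac"])
```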