Skip to main content Skip to main menu Skip to footer

Secure your home wireless network

Secure your home wireless network

Decrease Text Size Increase Text Size

Page Article

How to Secure an 802.11b/g/n Wireless Home Network: 

It's essential to secure your wireless network, preventing unauthorized access to your internet connection, files, and activities.

Accessing Your Router:
  • For Windows: 
    Click Start > Run > type 'cmd' > Click 'Enter.' 
    In the Command Prompt, type 'ipconfig' and hit 'Enter.' 
    Note the 'Default Gateway' IP, often '192.168.1.1.'
    Open a browser and input the Default Gateway IP.
  • For Mac: 
    Open Terminal (Applications > Utilities).
    Type 'netstat -nr | grep default' and hit 'Enter.'
    Note the IP next to 'default.' This is your router's IP.
    Open a browser and input the IP.
  • Enable Encryption:
    Avoid WEP; it's easily breached.
    Use at least WPA, but WPA2 or WPA3 is more secure.
    Update older hardware that doesn't support WPA2/WPA3.
  • Set Strong Passwords:
    For both router access and Wi-Fi.
    Avoid easily guessed passwords like "ABC123."
    Include upper and lowercase letters, numbers, and, where supported, special characters.  Avoid predictable sequences.
  • MAC Address Filtering:
    Although it offers some security by restricting access to known devices, it's not foolproof. MAC addresses can be cloned.
    Instead of relying solely on MAC filtering, ensure your network's encryption is robust.
  • SSID Broadcast:
    Don't disable SSID broadcasting. While turning it off might hide your network from neighbors, it doesn't deter determined attackers. Plus, it might make your devices constantly seek and broadcast the SSID, increasing vulnerability. 

    Change the default service set identifier (SSID). Sometimes referred to as the “network name,” an SSID is a unique name that identifies a particular wireless local area network (WLAN). All wireless devices on a Wireless Local Area Network (WLAN) must use the same SSID to communicate with each other. Because the device’s default SSID typically identifies the manufacturer or the actual device, an attacker can use this to identify the device and exploit any of its known vulnerabilities. Make your SSID unique and not tied to your identity or location, which would make it easier for the attacker to identify your home network.
  • Router Administration:
    Disable remote login to prevent unauthorized external access.
    Turn off wireless administration, requiring physical LAN cable connection for router settings changes.
  • Regular Software Updates:
    Keep router firmware and all connected devices updated.
    Updates often patch known security vulnerabilities.
  • Reduce Unnecessary Services/Software:
    Deactivate services or features you don't use on your router and connected devices.
    Remove "bloatware" or unnecessary pre-installed software from devices.
  • Adjust Default Configurations:
    Many devices come with user-friendly settings that may not be secure. Ensure you modify these defaults for enhanced security.
  • Change Default Login Credentials:
    Always change default usernames and passwords for devices.
    Default credentials can often be easily found online or are generic, making them a security risk.

Wi-Fi Safety Tips

  • Use strong and unique passwords. Choose strong passwords to help secure your devices. Additionally, do not use the same password with multiple accounts. This way, if one of your accounts is compromised, the attacker will not be able to breach any other of your accounts. (See Choosing and Protecting Passwords for more information.)
  • Run up-to-date antivirus software. A reputable antivirus software application is an important protective measure against known malicious threats. It can automatically detect, quarantine, and remove various types of malware, such as viruses, worms, and ransomware. Many antivirus solutions are extremely easy to install and intuitive to use. CISA recommends that all computers and mobile devices on your home network run antivirus software. Additionally, be sure to enable automatic virus definition updates to ensure maximum protection against the latest threats. Note: because detection relies on signatures—known patterns that can identify code as malware—even the best antivirus will not provide adequate protection against new and advanced threats, such as zero-day exploits and polymorphic viruses.
  • Install a network firewall. Install a firewall at the boundary of your home network to defend against external threats. A firewall can block malicious traffic from entering your home network and alert you to potentially dangerous activity. When properly configured, it can also serve as a barrier to internal threats, preventing unwanted or malicious software from reaching the internet. Most wireless routers come with a configurable, built-in network firewall that includes additional features—such as access controls, web filtering, and denial-of-service (DoS) defense—that you can tailor to fit your networking environment. Keep in mind that some firewall features, including the firewall itself, may be turned off by default. Ensuring that your firewall is on and all the settings are properly configured will strengthen the network security of your network. Note: your internet service provider (ISP) may be able to help you determine whether your firewall has the most appropriate settings for your particular equipment and environment.
  • Install firewalls on network devices. In addition to a network firewall, consider installing a firewall on all computers connected to your network. Often referred to as host- or software-based, these firewalls inspect and filter a computer’s inbound and outbound network traffic based on a predetermined policy or set of rules. Most modern Windows and Linux operating systems come with a built-in, customizable, and feature-rich firewall. Additionally, most vendors bundle their antivirus software with additional security features such as parental controls, email protection, and malicious website blocking.
  • Regularly back up your data. Make and store—using either external media or a cloud-based service—regular backup copies of all valuable information residing on your device. Consider using a third-party backup application, which can simplify and automate the process. Be sure to encrypt your backup to protect the confidentiality and integrity of your information. Data backups are crucial to minimizing the impact if that data is lost, corrupted, infected, or stolen.
  • Reduce wireless signal strength. Your Wi-Fi signal frequently propagates beyond the perimeters of your home. This extended emission allows eavesdropping by intruders outside your network perimeter. Therefore, carefully consider antenna placement, antenna type, and transmission power levels. By experimenting with your router placement and signal strength levels, you can decrease the transmitting coverage of your Wi-Fi network, thus reducing this risk of compromise. Note: while this reduces your risk, a motivated attacker may still be able to intercept a signal that has limited coverage.
  • Turn the network off when not in use. While it may be impractical to turn the Wi-Fi signal off and on frequently, consider disabling it during travel or extended periods when you will not need to be online. Additionally, many routers offer the option to configure a wireless schedule that will automatically disable the Wi-Fi at specified times. When your Wi-Fi is disabled, you prevent outside attackers from being able to exploit your home network.
  • Disable Universal Plug and Play (UPnP) When Not in Use. UPnP is a convenient protocol that permits devices on a network to easily identify and communicate with each other. While UPnP simplifies device interconnectivity, it can also introduce security vulnerabilities. Some recent cyber-attacks have leveraged UPnP to circumvent router firewalls, enabling unauthorized remote control of devices and facilitating the spread of malware. It's advisable to deactivate UPnP unless its functionality is explicitly required for your network operations.
  • Monitor for unknown device connections. Use your router manufacturer’s website to monitor for unauthorized devices joining or attempting to join your network. Also, see the manufacturer’s website for tips on how to prevent unauthorized devices from connecting to your network.
  • Mitigate Email Threats. Phishing emails continue to be one of the most common initial attack vectors employed by for malware delivery and credential harvesting. Attacking the human element—considered the weakest component in every network—continues to be extremely effective. To infect a system, the attacker simply has to persuade a user to click on a link or open an attachment. The good news is that there are many indicators that you can use to quickly identify a phishing email. The best defense against these attacks is to become an educated and cautious user and familiarize yourself with the most common elements of a phishing attack. 
  • Opt for a Security-Centric DNS Provider. By default, many routers direct Domain Name System (DNS) requests to the Internet Service Provider (ISP). This means you're depending on your ISP for secure domain resolution. Given that DNS functions like the digital directory of the internet, converting website names to IP addresses, it's a prime target for cybercriminals aiming to redirect users to harmful sites. Several companies, including Google, Cloudflare, and OpenDNS (part of Cisco), offer DNS services with enhanced security measures. Many of these also support encrypted DNS technologies, adding an extra layer of protection against potential threats.
  • Consider Disabling Wi-Fi Protected Setup (WPS): WPS offers a streamlined method for devices to connect to a Wi-Fi network without entering the network password. One of its features, PIN authentication, has a known vulnerability: after attempting to guess half of the eight-digit PIN correctly, attackers receive feedback, which can aid their efforts to crack the PIN. Some routers do not implement sufficient security measures, such as locking out after a series of incorrect guesses, increasing the risk of a successful brute-force attack.



Page Footer has no content