14 min read

1. Introduction

Wireless networks are easier to tamper with, they also have no boundaries, and internet connection sharing can lead to unwanted guests. This makes it vital to secure a wireless network. The consequences of not doing so and the methods for securing a wireless network are a focal point in this day and age. This is because the data or information that can be transferred on a wireless network can be crucial. It could include private conversations, sending work home, transferring files, etc. Security issues on a wireless network can lead to being a victim of identity theft or a virus. Measures must be taken to prevent this from occurring.Wireless technology has grown and spread with increasing speed over the last decade. Wireless internet has made life more convenient. It allows for access to information and the ability to communicate from anywhere. Wireless networks have no boundaries. They can go through walls, floors, and ceilings. Multiple computers can access a wireless network, which means that multiple users can share one internet connection. This can make the installation of a wireless network more appealing than installing a wired network in homes with more than one computer.

Experience Enhanced Security with ExpressVPN's Express Aircove | Wi-Fi 6 VPN Router for Home to Protect Unlimited Devices and with a FREE 30-Day ExpressVPN Trial, an International Version and recommended partner-solution offered by USA Cybersecurity.

At USA Cybersecurity, we prioritize your online safety. That’s why we recommend and offer ExpressVPN's Express Aircove, a top-tier VPN device renowned for its exceptional security features, lightning-fast speeds, and unbeatable reliability. Whether you're working from home, browsing on the go, or simply looking to protect your online privacy, ExpressVPN's Express Cove provides the robust protection you need against cyber threats. Discover how ExpressVPN can elevate your internet experience by ensuring your data remains secure and your online activities stay private. With servers in 94 countries, ExpressVPN allows you to access content securely from anywhere in the world, without compromising on speed or performance. Ready to take your cybersecurity to the recommended next level? Click here to learn more about ExpressVPN Express Aircove and explore its features. Join the millions who trust ExpressVPN for their daily online protection now!

1.1. Importance of Securing WiFi Networks

WiFi is a great technology that simplifies your digital life. With the explosion of public wireless hotspots, everyone can use it with their notebook computer, mobile phone, game console, digital audio player, etc., and connect to the internet for an array of tasks including multimedia, instant messaging, and information access. Unfortunately, many people are setting up their home wireless network without understanding the possible security implications. When a wireless network is set up, often the user will assume that the data is encrypted by default; sadly, this is not the case. An access point is similar to a hub. All the data is transmitted in the clear and can easily be intercepted. While a standard wired network can easily be transformed into a secured wire network by disabling ports and adding a content filter, a secured wireless network requires strong encryption. This same level of security may be difficult and time-consuming to find and set up, so the general solution is to unplug the access point and use a wire whenever security is needed. This can be a major inconvenience since the whole point of having the wireless access is the mobility. Any cases where the user does not switch back to the wireless network once google on the couch, instantly becomes a security risk. People using any form of unsecured wireless network can easily be victims of data theft, identity theft, and have their internet service abused. An attacker who is in range and within the broadcast area of an access point can easily capture the data and examine it at a later time using a packet sniffer. This software is easily obtained and there are many versions available for purchase, the most popular being OmniPeek and Ethereal. A packet sniffer is a tool that can scan the data passing through a network and filter it by various layers of the network stack. It can reconstruct data from different protocols and is a very effective method of eavesdropping. Any information that is not encrypted is at risk of being read by an attacker who is packet sniffing. This information includes account passwords, email logins, messages, chat conversations, and anything that is being downloaded. An attacker can then use this information for various malicious activities. Data theft is another common form of attack. Since the data is stored on another server offsite, there is no trace of any data being stolen. Identity theft occurs when an attacker uses personal information to impersonate the victim, usually for financial gain. Any data can be intercepted or stolen, and because the victim has no idea that the security of the data he/she was submitting was compromised, it can cause confusion or attribute blame to the wrong things. An unsecured wireless access point can also be a cause of abuse for others. Any person who simply wants to connect to the internet can use the unsecured access point instead of their own paid service. An IP address can easily be spoofed to make it seem like the problem is originating from someone else. This access can be a major headache for the owner of the access point. Any bandwidth that is used can cause slowdowns or deny service from his own internet connection. If any abuse occurring from one who is accessing the point is traced back, it may be thought that the owner of the access point was the culprit. He/she has no way of proving that it was not an act. Any of these problems are a major concern, and the only surefire way of preventing them is to secure the wireless network.

1.2. Potential Risks of Unsecured WiFi Networks

Encryption is a means to an end in terms of protecting data, and with the case of wireless networking, a necessary ingredient that has yet to grace the palate of the general user and small business owner. Most wireless networking hardware has the ability to utilize encryption in the form of the WEP or WPA key. Although it is available, it is often the case that it is not an activated feature due to its complexity for the layman user and also its effect on network performance. This is definitely a bad decision considering the key is instrumental in securing the wireless network. An encrypted network requires a matching key on the client and access point for it to connect and allows data to be translated into a secret code before transmission. Without the key, the data is meaningless. An unencrypted network is the equivalent of sending a postcard written in pencil through a busy and crowded post office. Onlookers are easily able to see the contents, and there is nothing stopping them from altering the message before the recipient receives it.While wireless networking is a good tool for productivity, flexibility, and lower deployment costs, it is also vulnerable to security issues. One of the main reasons is a relatively complex issue of radio transmission and the data being available to intercept and also due to the newness of the technology. What this means is that an individual may illegally connect to an organization's wireless network and the Internet without the company's knowledge. This is usually done with the intent of either gaining access to sensitive data or to cause some sort of network service degradation. In some cases, the individual may just want to leech Internet access, and in worst-case scenarios, some person's motives may be to commit Internet-based crimes on an organization's network using the offending individual's IP address.Wireless networks create an unlicensed data transmission system, which makes it possible to connect any computer systems, and in fact, all IT-based devices, to a network without using a hardwired link, within a building, home, or even through open space. With the latest technology, wireless networks are now replacing the traditional wired networks at an astonishing speed. Consumers are opting for the ease of access and also the decreasing cost in the hardware. With the current global movement toward a technological-based society, it is pure that wireless networks will be more ingrained into everyday life. It is clear that with the current rate of momentum, wireless networks will eventually become the predominant way of network interconnectivity. The ease of use and seamless integration into its environment is not only an attraction for the home user but also a great benefit to the companies and institutions that choose to use it.

2. Setting Up a Secure WiFi Network

The default settings on your wireless router usually will not have the best security features enabled. Check the manual on your router to determine how to enter the setup menu for the device. You may have to connect a computer to the router via Ethernet cable. Amp up the router's security by changing the default admin username and password to something other than "admin" and "password." Common SSID names that manufacturers use are "linksys" and "netgear." Change your network name to something that is unique so when your computer looks for a network to connect, it knows the correct one to login to. Steps 2.1 and 2.2 are part of hardening the router and are quite easy and can be used on any type of wireless access point.Start at your access point.Now that you know the dangers that exist, you should know what you can do to improve the situation. For the general public, it is at your homes or at small businesses where you go online but the major security risks involved are at public Wi-Fi hotspots and these concerns are more for businesses establishments. How does one know one is safe? A secure WiFi network that is properly set up is the hardest to infiltrate. Follow these following instructions in securing your network.

2.1. Changing Default Router Settings

Most wireless routers all arrive from the manufacturer with the exact same settings. This means that by default anyone can log on to your router from anywhere in the world and make any changes they see fit. This can pose many potential security hazards. Your first step should be to secure your router. This can be done by logging on to your router. The location, type of login, and settings you can change on your router vary depending on the kind of router you have. It is best you consult your router's manual or the manufacturer's website. From here, there are a number of things you can do to secure it. Typically, the first page that loads will be a page prompting you for a username and password. By default, many manufacturers have the same login information on all their equipment. This is a serious security risk, and you should immediately change this information to something only you know. After this, there are a variety of settings you can change. Some of the most important ones include the SSID, the method of encryption, and the pre-shared key. Changing the SSID name will make your network less visible to the public. This means that anyone looking to hop on a free wireless connection will be less likely to target your network. Changing the method of encryption and the pre-shared key go hand in hand. The best available method of encryption is WPA2. If your router or wireless devices do not support this, WPA is an ok alternative. Under no circumstances should you use WEP, as it is very weak and can be cracked in a very short amount of time. After changing the method of encryption, you will need to change the pre-shared key. This is the key that you will use to log your devices on to the wireless network. Make this something that is not easily guessed but something that you will remember.

2.2. Creating a Strong WiFi Password

There are two stages of creating a strong password. Firstly, create your wireless password using a minimum of 20 characters - a mix of letters, numbers, and special characters. Using a longer password makes it more difficult for hackers to crack it using password cracking tools. The second stage is to change the Service Set Identifier (SSID) name to something that does not represent who you are. The SSID is the name of your wireless network – when you click to connect to a network, the name that you click on is the SSID. If your SSID shows something like "John's Network," it's possible someone could use the default password to try and connect to your network. Changing the SSID provides a little extra security through obscurity. To change the SSID and password, connect an Ethernet cable from your laptop to the router. Then in your internet browser, type and enter the default username and password for your router (which is usually admin for both). Check your router's instruction manual if this does not work. You should then be able to use the router's web-based utility to change your password and SSID. Note that the location of this page may vary depending on the brand and model of the router. Ensure that you remember your new password, as if you forget it, you will have to reset the router to its default settings by holding down the reset button at the back of it for twenty seconds, and then it will be back to square one. Finally, to check if your password changes have been successful, try connecting to your wireless network from the laptop and check if it asks for the new password.

2.3. Enabling Network Encryption

Last but not least, stay updated with security algorithm and periodically update the wireless security settings. Periodic settings update will increase the security and your network will be less susceptible to various attacks.Set the key management features to use Pre-Shared Key (PSK). PSK is a term for using a single password for both the user and the access point. By entering the password, encryption keys and an initial MIC (integrity check value) are generated from PBKDF2 algorithm and the pair is stored in the suppliant and authenticator. An 8-63 ASCII character length of any chosen password is recommended, this would provide security and usability balance. With a keyboard entry, some users are having difficulty in typing hexadecimal characters. The PBKDF2 then will derive 256-bit keying material to encrypt the data.In formulating security protocol selection capabilities, enable only WEP, WPA, and WPA2. TKIP is an encryption algorithm for WPA which replaces WEP with much stronger protection but with the same goal. While AES is a stronger encryption algorithm compared to TKIP, in Wi-Fi network environment AES could not be implemented, especially with communication of WPA2. So the policy would be using WPA with TKIP for its interoperability and strong enough protection.When using a default configuration of the network, changing encryption settings is the main point of securing the communication. Users of the wireless environment need to be aware that their communication is broadcasted over open air and it could easily be intercepted. By using different encryption algorithms, the confidentiality of transmitted data can be increased. On the other hand, implementing data privacy features will increase the latency in sending and receiving packets and it will also require more CPU usage.

3. Additional Security Measures

Using a VPN accepts inbound connections from secured external hosts to create a secure point-to-point tunnel. The VPN can exist between a host and a router, two routers, or two hosts. A Windows VPN can be configured in the control panel under network connections and choosing "create a new connection". This is good for the case of where a business associate might need to do work on your network but his location is not secure. He can VPN to your router and work on the network without fear that someone may be packet sniffing and looking to steal his private data. This method also works well in the instance that RDP or VNC services are needed for the traveler but they are not considered safe to run over the internet. A VPN is also recommended if you are doing work from a location that is not home and not secure. This will create a secured tunnel to your home network and route all traffic from the secured external host through your network, effectively keeping you on your own network as if you were at home.Keeping your router's firmware updated is critical, especially with the growing number of security issues being discovered in the last few years. When a vulnerability is found, the router manufacturer usually fixes the problem by creating a "patch" in the form of new firmware files. Unfortunately, getting this firmware installed can be daunting if you don't know where to find the right stuff. Open-source router firmware can help, but if you aren't on top of it, you could still be at risk. If you are a novice to intermediate computer user, then use the firmware available on your router manufacturer's website. Look for your model and download the file; most likely it will be a zip file. Now, before you perform the upgrade, make sure to read the instructions on how to do so on the same page, usually the instructions are near the download link. Note: Do not upgrade the firmware over a wireless connection as this can cause damage if the connection is lost during the process. This means you should do the above from a computer connected via Ethernet to the router.MAC Address filtering is a way to control which devices are allowed to connect to the router. A MAC address is a unique identifier for network interfaces and is also referred to as the physical address. It is made up of twelve characters and numbers and does not change over time. It should not be confused with an IP address as it is fundamentally different. The MAC address can be found in the router's DHCP table, connected device table, in the router's system logs, or by attempting to establish a connection and looking for a failure along with an error code. This should be a last line of defense because spoofing a MAC address is fairly easy.Disabling remote administration is a good thing unless you absolutely need it. It is a very powerful tool and not setting a password will allow other people to change your settings as well. If this is a feature that you must have, currently it is recommended to only enable it when you need it and disable it afterwards. Do not say this feature is available from the WAN or internet unless you absolutely have to say so.

3.1. Disabling Remote Administration

Once the router has been securely installed, physically, in a safe and secure location that prevents unauthorized physical access, the administrator should proceed with caution when enabling remote administration. The risks associated with allowing remote access to the router far outweigh the benefits one derives from the feature. The first and foremost risk is the security of the data and the configuration settings. If an SSL connection is not available, the transmission of the data and the login credentials will be sent in clear text. Public networks should be absolutely avoided when accessing the router remotely. This includes the use of standard telnet or SSH. The best case scenario would be the use of a secure VPN when one is available. This would entail connecting to the VPN, then accessing the router with the local IP address. Disabling remote administration is crucial because most of the attacks against a network will occur against the weakest link. These days, routers are the output of many a hacking tool, and a common but often overlooked security risk is the attack against the router. If a compromise can be established from a PC on the internet to the admin page of a router, the entire network can be at the mercy of the attacker. The Trend Micro Home Network Security program is an excellent example of a program that can perform a security audit on the router and offer advice for setting changes and security based on the results.

3.2. Implementing MAC Address Filtering

Mac address filtering is an access control method where the router is configured to only allow selected devices to connect to the network. Mac address is a unique identifier for all network devices, we could either allow or disallow the device by entering the mac address to a table in the router setting. This is a much secure process to prevent uninvited guests from connecting to the wireless network as hacking a mac address is more difficult compared to IP address because mac addresses are not typically found on the internet. However the effectiveness of this method is still debatable because a hacker could still perform mac spoofing or simply intercept a connected device's mac address and join the network with that address. This method is generally more bother than its worth for home network users but could provide a secure solution for a small business.

3.3. Updating Router Firmware Regularly

Updating a router's firmware can ensure that the router is equipped with the latest security enhancements. Earlier versions of router firmware may have multiple security exploits that will not be covered by the router's current security model. With recent reports by security companies of firmware exploits in routers provided by large manufacturers as well as distributed by ISPs, the responsibility is increasingly falling on the consumer to engage with updating router firmware to protect themselves. Router firmware should be updated with a wired connection to the router unless it does this automatically. This minimizes the chance of an update being interrupted, leaving the firmware in a corrupt state. Recent work has been done by home router manufacturers to make this process less painful, automatically checking for new firmware on a schedule chosen by the user, and so forth, but it is wise for consumers to take a look at the current status of their router's firmware every few months to make sure they aren't missing an important security update.

3.4. Using a Virtual Private Network (VPN)

Now that you have an idea as to exactly what leaving your WiFi open can do and the implications it may have, you need to do all you can to ensure that your privacy is protected. WiFi security is undoubtedly more difficult to intrude on than open connections, but with the right devices and solutions, someone can still break into your secure network. The one thing that you can do to further ensure that your data is never compromised is to follow the steps of using a Virtual Private Network or a personal proxy server. Although it is true that putting the methods in place mentioned previously will ensure that you have a very low possibility of seepage from awkward internet men, it never hurts to go the extra mile in ensuring that your privacy is never pierced. A VPN will make sure the highest possible level of security.A VPN includes an additional level of security. Your information is safeguarded from the start to the end of your journey and it makes an enormous job for hackers or snoopers to figure this information out. The very best aspect of a VPN is that despite the degree of security it supplies, it is a transparent service. VPNs are offered for home users or organizations and the setup on them is rather simple, with lots of service providers offering the software and tools required, and some that do it for you. When thinking about how to protect your network, it is tough to consider anything much better than a VPN. As soon as you have actually bought the service and have it up and running, you can have the assurance understanding that any info sent over your connection is secured and safe. This means that you can go on with your normal routine, get in touch with your bank account, or pay your bills while understanding that no one is watching or aiming to take a peek at exactly what you're doing.A VPN, or a virtual personal network, adds an additional level of security to your net connection. Understanding how it works is difficult, but essentially, a VPN creates a secure and personal connection between you and the website you go to. It does this by directing your connection through a server situated in other places. This server then changes your IP address and supplies the protected and personal connection to the site visited. This change of IP address makes it possible for an included level of privacy, due to the fact that it implies that the website you check out has no record of your real IP address. A VPN will likewise secure your information both ways, meaning that the information is encrypted both from you to the website you go to and from the website you go to back to you.

4. Best Practices for WiFi Network Security

It's important to see where and how you can improve your security. Monitoring your network can catch a lot of the simpler attempts to intrude upon your network. Many routers come with tracking tools. For example, NETGEAR genie has a network map that displays what's on the network, and several systems generate logs of when each device connects, disconnects, or attempts to connect. It's a good idea to scan the devices connected to your network from time to time to ensure no unwanted devices are using your bandwidth. A good measure to see who is using what amount of bandwidth is to compare the bandwidth with your internet bill. If you are the only one using it and it's being all used up, you know something is definitely not right. This would require a more in-depth inspection, possibly using an application that can track every program's network usage on a device. This way you can find what's using up all your bandwidth and can take proper action to remove the unwanted program or, if it's a malicious program, remove the infection. If your router has an option for a firmware update, it's a good idea to update this as it can fix bugs within the current firmware and generally improve your security measures. This is usually something that's easy to overlook so setting a recurring reminder could be beneficial. Finally, be wary of the activity outside your property. It's possible that someone could be attempting to gain access to your network for the sole purpose of leeching your bandwidth. If you notice any unfamiliar persons parked outside your property, it may be worth questioning their reasons for being there.

4.1. Regularly Monitoring Network Activity

To ensure that the measures in this paper are effective, implementing a regular network monitoring system is essential. This can be done using intrusion detection systems, "managed" switches that use the SNMP protocol, and systems that track the MAC addresses of machines. When using the SNMP protocol, it permits the host to collect data from network equipment, and is a valuable tool for network monitoring. Unfortunately, the default SNMP security model is not very secure. SNMP version 1 and its predecessor, Public Data Network X.25 and with it the SNMP community-string based security framework, have suffered from a lack of adequate security. Thus, using these would be vulnerable to an adversary who has knowledge of network structure, potentially giving them the ability to generate counterfeit SNMP requests to devices. SIM (Security Information Management) is a term for tools and services that offer real-time analysis of security alerts generated by network hardware and applications. This is a good way for administrators to know exactly what is happening on the network in the context of a security event.

4.2. Educating Users about Security Practices

An effective way to begin educating home users about security is to start with the basics of security and work from there. Teach users about the importance of security and why certain security measures are being taken. Most people will do something if they understand why they are doing it. An administrator should inform the users of any known security threats and the implications of these threats. For example, if there is a worm spreading around, sending an email to the users explaining the threat and how to deal with it is a good idea. Publishing this information on a website and creating pop-up messages is also effective. Users should be encouraged to ask questions about security and should not be made to feel stupid if they do not understand security issues at first. This is a critical point; never make the user feel stupid. Doing this will only make the user resent security measures. This will require a great deal of patience at times, but in the end patience will pay off. Always try to provide a simple solution to a user's problem. A complex security measure with a complex problem is acceptable, but creating a complex problem for a user with a simple security measure is not. Try to deliver security solutions in a non-disruptive way. This is especially important if you are dealing with a network other than your own. Always get permission from the network owner before making a major security change.Educating users about security practices is the most effective way to keep a network secured. No matter how small or large a network is, whether in a home or small business, this is an often overlooked but a very critical task. People are the weakest link in any security system. This does not mean that people are stupid; it means that people are people. People will make mistakes, because they are not necessarily thinking about security. A user may download a program that looks fun or interesting, but is bundled with spyware. A user might disable a security feature because it is annoying them, or they might pick a really easy to remember but really easy to guess password. A user might lose their device. All of these actions can compromise a network, yet the user may not even realize what they did.

4.3. Keeping Devices and Software Updated

Adhering to these practices will generally keep software and systems up to date. Once updates have been applied, it is important to ensure that they do not adversely affect the software or system. This usually can be done by checking the updates against the vendors website or by doing a quick internet search to ensure that there have not been issues reported by other users. If updates cause issues beyond acceptable functionality, older versions should be installed until the issues can be resolved with a future update.This may seem like a very small issue that is usually overlooked, but it is vital to keeping a system secure. Most software vendors release updates which fix security vulnerabilities and improve the overall functionality of the software. Like software, operating system vendors like Microsoft, Apple, and Linux release updates that fix security vulnerabilities, so forgoing these updates can be a costly mistake. By not keeping software up to date, the probability of security flaws in the software being exploited increases. It is recommended that users turn on the automatic update feature that is built into most software and operating systems to ensure that updates are applied when released. Automatic updates are the simplest way to keep software and system up to date. If an automatic update feature is not available, check the vendors website frequently for updates. Another measure that can be taken to ensure software integrity without turning on automatic updates is to subscribe to the mailing list of the software vendors, as they will often send emails alerting users of updates and security issues.