Wireless Routers 101

Wireless Router Security

There are two types of firewalls: hardware and software. Microsoft's Windows operating system has a software firewall built into it. Third-party firewalls can be installed as well. Unfortunately, these only protect the device they're installed on. While they're an essential part of a Windows-based PC, the rest of your network is otherwise exposed.

An essential function of the router is its hardware firewall, known as a network perimeter firewall. The router serves to block incoming traffic that was not requested, thereby operating as an initial line of defense. In an enterprise setup, the hardware firewall is a dedicated box; in a residential router, it's integrated.

A router also inspects the source address of packets arriving from the internet and matches them against the requests that devices on the network have already sent out; packets that no device requested are rejected by the firewall. In addition, a router can apply filtering policies: rules that allow or restrict packets before they enter the home network. The rules consider a packet's source IP address and its destination, and packets are also matched against the port they are expected to arrive on. All of this is done at the router to keep unwanted data off the home network.
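The two mechanisms just described, stateful filtering of unsolicited inbound packets and static allow/drop rules keyed on source, destination and port, as an added toy model (constructed example, not any vendor's firmware; the packet fields, the class and the sample addresses are assumptions):

```python
# Toy model of the perimeter firewall described in the text (constructed example,
# not vendor code): stateful filtering plus static allow/drop rules.
from collections import namedtuple

# inbound=True means the packet arrives from the WAN (internet) side
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port proto inbound")

class HomeRouterFirewall:
    def __init__(self):
        self.expected = set()  # reverse 5-tuples a LAN host is waiting on
        self.rules = []        # (action, src_ip, dst_ip, dst_port, proto); None = wildcard

    def add_rule(self, action, src_ip=None, dst_ip=None, dst_port=None, proto=None):
        self.rules.append((action, src_ip, dst_ip, dst_port, proto))

    def _rule_decision(self, p):
        # First matching static rule wins; None means no rule applies
        for action, src, dst, port, proto in self.rules:
            if (src in (None, p.src_ip) and dst in (None, p.dst_ip)
                    and port in (None, p.dst_port) and proto in (None, p.proto)):
                return action
        return None

    def filter(self, p):
        decision = self._rule_decision(p)
        if decision is not None:
            return decision
        if not p.inbound:
            # Outbound request: remember the reply we now expect from that host/port
            self.expected.add((p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.proto))
            return "allow"
        # Inbound: only replies to something a LAN host asked for get through
        key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto)
        return "allow" if key in self.expected else "drop"

def demo():
    """Constructed traffic: a web request, its reply, an unsolicited probe, a blocked port."""
    fw = HomeRouterFirewall()
    fw.add_rule("drop", dst_port=23)  # policy rule: no telnet in either direction
    pkts = [
        Packet("192.168.1.10", 51000, "93.184.216.34", 443, "tcp", False),  # LAN -> web server
        Packet("93.184.216.34", 443, "192.168.1.10", 51000, "tcp", True),   # the matching reply
        Packet("203.0.113.5", 4444, "192.168.1.10", 22, "tcp", True),       # nobody asked for this
        Packet("192.168.1.10", 51001, "93.184.216.34", 23, "tcp", False),   # hits the telnet rule
    ]
    return [fw.filter(p) for p in pkts]
```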

The wireless router is responsible for the Wi-Fi signal's security, too. There are various protocols for this, including WEP, WPA and WPA2. WEP, which stands for Wired Equivalent Privacy, is the oldest standard, dating back to 1999. It uses 64-bit and, later, 128-bit encryption. Because of its fixed key, WEP is widely considered quite insecure. Back in 2005, the FBI showed how WEP could be broken in minutes using publicly available software.

WEP was supplanted by WPA (Wi-Fi Protected Access), featuring 256-bit encryption. To address WEP's significant shortcoming, the fixed key, WPA's improvement was based on the Temporal Key Integrity Protocol (TKIP). This security protocol uses a per-packet key system that offers a significant upgrade over WEP. WPA for home routers is implemented as WPA-PSK, which uses a pre-shared key (PSK, better known as the Wi-Fi password that folks tend to lose and forget). While the security of WPA-PSK via TKIP was definitely better than WEP, it also proved vulnerable to attack and is not considered secure.

Introduced in 2006, WPA2 (Wi-Fi Protected Access 2) is the more robust security specification. Like its predecessor, WPA2 uses a pre-shared key. However, unlike WPA's TKIP, WPA2 utilizes AES (Advanced Encryption Standard), a standard approved by the NSA for use with top secret information.

Any modern router will support all of these security standards for the purpose of compatibility, as none of them are new, but ideally, you want to configure your router to employ WPA2/AES. There is no WPA3 on the horizon because WPA2 is still considered secure. However, there are published methods for compromising it, so accept that no network is impenetrable.

All of these Wi-Fi security standards rely on your choice of a strong password. It used to be that an eight-character sequence was considered sufficient. But given the compute power available today (particularly from GPUs), even longer passwords are sometimes recommended. Use a combination of numbers, uppercase and lowercase letters, and special characters. The password should also avoid dictionary words, easy substitutions such as "p@$$word", and simple additions, for example "password123" or "passwordabc".
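The password advice above turned into a policy checker, as an added example (not from the article): it enforces length and character classes, undoes the easy substitutions and strips the simple suffixes the text warns about before comparing against a word list, and reports the brute-force search space the password implies. The minimum length, the substitution table and the six-word list are assumptions standing in for real policy and a real dictionary.

```python
# Password policy checker implementing the article's advice (constructed example).
import math
import re

MIN_LENGTH = 12  # assumption: longer than the old eight-character rule of thumb
# Constructed mini word list; a real deployment would load a full dictionary
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "dragon", "monkey"}
# Easy substitutions to undo before the dictionary check (p@$$word -> password)
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "!": "i"})
# A "simple addition" after the word: up to four letters and/or a run of non-letters
SIMPLE_SUFFIX = re.compile(r"[a-z]{0,4}[^a-z]*")

def dictionary_base(pw):
    """Return the dictionary word the password is built on, or None."""
    lowered = pw.lower()
    for candidate in (lowered, lowered.translate(LEET)):
        for word in COMMON_WORDS:
            if candidate.startswith(word) and SIMPLE_SUFFIX.fullmatch(candidate[len(word):]):
                return word
    return None

def keyspace_bits(pw):
    """log2 of the brute-force search space implied by the length and classes used."""
    classes = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10), (r"[^A-Za-z0-9]", 33))
    size = sum(n for pat, n in classes if re.search(pat, pw))
    return len(pw) * math.log2(size) if size else 0.0

def check_password(pw):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not all(re.search(p, pw) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")):
        problems.append("does not use all four classes: lower, upper, digit, special")
    word = dictionary_base(pw)
    if word:
        problems.append(f"built on the dictionary word '{word}'")
    return problems
```

Note that "p@$$word" only fails the dictionary test after the substitution table is applied, while "password123" fails it on the raw lower-cased string, which is why both forms are checked.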

While most enthusiasts know to change the router's Wi-Fi password from its factory default, not everyone knows to change the router's admin password, thus inviting anyone to come along and manipulate the router's settings. Use a different password for the Wi-Fi network and router log-in page.

In the event that you lose your password, don't fret. Simply reset the router to its factory state, reverting the log-in information to its default. Manufacturers have different methods for doing this, but many routers have a physical reset button, usually located on the rear of the device. After resetting, all custom settings are lost, and you'll need to set a new password.

Wi-Fi Protected Setup (WPS) is another popular feature on higher-end routers. Rather than manually typing in a password, WPS lets you press a button on the router and adapter, triggering a brief discovery period. Another approach is the WPS PIN method, which facilitates discovery through the entry of a short code on either the router or client. It's vulnerable to brute-force attack, though, so many enthusiasts recommend simply disabling WPS altogether.

Jonas DeMuro
Freelance Reviewer

Jonas P. DeMuro is a freelance reviewer covering wireless networking hardware.

  • JohnMD1022
    "My own personal recommendation would be to look for ... management through a smartphone app."

    I do own, nor do I plan to get a smart phone. I have no need for one. There are many others like me.
  • redgarl
    Great article, I actually read the whole thing.
  • dstarr3
    "My own personal recommendation would be to look for ... management through a smartphone app."

    I do own, nor do I plan to get a smart phone. I have no need for one. There are many others like me.

    Do they all post irrelevant comments on tech articles?
  • chalabam
    Most sites like this one award routers for their raw speed, but when you load them with a simple BitTorrent client, they all crash and burn, losing the connections or becoming unresponsive.
  • Kewlx25
    "My own personal recommendation would be to look for ... management through a smartphone app."

    I do own, nor do I plan to get a smart phone. I have no need for one. There are many others like me.

    Local cellphone companies are dropping non-smartphone support next year. Something about a Federal regulation that states you can't treat data and voice separately, so they're going to do everything over data, which means your phone needs to support VOIP and non-smartphones can't do that.

    Get a smart phone for $60/m or pay $40/month for a land-line. I can also use my phone as a 2-factor device for most of my online services.
  • zodiacfml
    Not a bad article compared to the previous LAN article. I need to clarify some things though. DMZ in home Wi-Fi routers is not on a separate network but a feature that allows all traffic to be received by the DMZ'ed computer, which is an easy and fast way to open a server to the internet.

    The MIMO piece needs to be overhauled. There is no concept of MIMO built for a single user; it is just that Wi-Fi is inherently a broadcast type of networking where each device in the system waits for its turn to transmit/broadcast a signal.

    The beamforming piece should precede MU-MIMO, as beamforming is the technology that enables MU-MIMO. MU-MIMO is useful for reusing the same frequency/channel up to four times, as though one client has its own dedicated Wi-Fi access point/router. The number of antennas doesn't tell the maximum, though; the optimal number of MU-MIMO devices is three only on a four-antenna MU-MIMO. It has to be added that the MU-MIMO feature should also be supported by the client device, though flagship smartphones in 2016 will have MU-MIMO. One small drawback is that it is limited to download, or from router to device, only. Uploads will be limited to plain old Wi-Fi broadcast technology.

    The device to get though should at least be an "AC" capable Wi-Fi router even if it has one spatial stream or one antenna as they are available and affordable. Two antennas might be beneficial to tablets and some laptops while three benefits a Macbook Pro or wireless bridging to another router.
  • Dsmith_Topgun
    Who the hell is Netis and why are we suggesting equipment with known vulnerabilities? http://blog.trendmicro.com/trendlabs-security-intelligence/netis-routers-leave-wide-open-backdoor/
  • reviewerx
    Personally, I think one of the best security features is the ability to only allow specific MAC addresses to connect. This limits your users to known devices only. Kind of surprised that it is not mentioned here.
  • BrushyBill
    Deleted double post
  • BrushyBill
    "My own personal recommendation would be to look for ... management through a smartphone app."

    I do own, nor do I plan to get a smart phone. I have no need for one. There are many others like me.

    Local cellphone companies are dropping non-smartphone support next year. Something about a Federal regulation that states you can't treat data and voice separately, so they're going to do everything over data, which means your phone needs to support VOIP and non-smartphones can't do that.

    Get a smart phone for $60/m or pay $40/month for a land-line. I can also use my phone as a 2-factor device for most of my online services.

    Landline for me. We don't get Cell service out here where I live. The beauty and pain from living way out in the wilderness. Extremely relaxing but we lose services like this.