Best security measures when using Wi-Fi?

WinningWith7

I now use Wi-Fi, which I never allowed before because of security concerns. I am connected to the router via Ethernet but am concerned about the Wi-Fi router itself being hacked, or some security issues arising on the many devices connected to the router, like other computers, laptops or mobiles, which would then pass on to my device. I use anti-virus, anti-malware and a VPN. I have not allowed remote connections and have disabled file sharing. And I have a 30-key password.



Are there any router-based options I should or should not have?



What about any other Windows-based settings like disabling "admin shares", NTFS sharing, etc.?


What if I was to get a network switch so that any of my devices are "on a different network" or subnet from every other device to act as an additional firewall?
 

Assuming that the "Many devices" are your own or at least known by you - one method is to check and make a note of the MAC addresses of all devices and block access to your router by any device except those in the list that most routers keep of acceptable devices.

This system of MAC Address filtering does need some manual setup, in that for a device to be able to connect to the router it must first be added to the list - this does mean that any new devices that you wish to be able to connect to the router must be manually added to the list, this includes all devices connecting by either Ethernet or WiFi, including things like phones, TVs, Printers as well as computers.

This system is made even more secure by actually allocating an IP address to each device based on its MAC (MAC addresses are unique worldwide, with only very few exceptions). This means that you can check your router and should be able to identify each device using the router to a specific network port (a laptop would have a different MAC, and thus IP, allocated to its WiFi and Ethernet connections).

If you also set the address pool to match the number of devices then there are no spare IPs that a snooper could use.

I would also use the basics of ...

Changing the IP address range in use from the default to some other random ranges
Change the router's WiFi Name (SSID) and password, and set the SSID to not be broadcast (you need to know both the name and password to attach wirelessly)
Change the Admin Name, (if possible), and Password.

I also advise that you use random groups of characters for all the names and passwords you change, (and write these down in a safe place)

Without knowing the details of your actual router I cannot give specifics but the things I am suggesting should all be available even in the ISP supplied routers

The Admin shares $c: etc were all removed with Windows 7 so should not be there

A switch would not give you the break point in the network you are looking for but a small cheap basic router would be a possibility
 

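As an added example (not part of any poster's reply): the hand-kept MAC list described above can also be used for checking, by comparing the Windows `arp -a` neighbour table against it. The inventory and the `arp -a` sample are constructed and the function names are hypothetical; an unlisted MAC, a locally administered MAC, or one MAC seen on two IPs is something to look into, not proof of intrusion.

```python
import re

# Constructed inventory (MAC -> device), standing in for the hand-kept list.
KNOWN_DEVICES = {
    "a0:b1:c2:d3:e4:f5": "router",
    "00:11:22:33:44:55": "desktop",
    "00:11:22:33:44:66": "printer",
}

# Constructed sample of Windows `arp -a` output.
SAMPLE_ARP = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           a0-b1-c2-d3-e4-f5     dynamic
  192.168.1.20          00-11-22-33-44-55     dynamic
  192.168.1.21          00-11-22-33-44-66     dynamic
  192.168.1.37          da-a1-19-00-00-01     dynamic
  192.168.1.44          00-11-22-33-44-66     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

ARP_LINE = re.compile(r"^\s*(\d+(?:\.\d+){3})\s+((?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2})\b", re.I)

def parse_arp(text):
    """Return (ip, mac) pairs for unicast neighbours, MACs as aa:bb:cc:dd:ee:ff."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue  # interface and column header lines
        mac = m.group(2).lower().replace("-", ":")
        if int(mac[:2], 16) & 0x01:
            continue  # group bit set: broadcast or multicast, not a device
        entries.append((m.group(1), mac))
    return entries

def audit(entries, known):
    """Split neighbours into unknown, locally administered, and shared-MAC sets."""
    unknown = [(ip, mac) for ip, mac in entries if mac not in known]
    local = [(ip, mac) for ip, mac in entries if int(mac[:2], 16) & 0x02]
    by_mac = {}
    for ip, mac in entries:
        by_mac.setdefault(mac, []).append(ip)
    shared = {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}
    return unknown, local, shared

if __name__ == "__main__":
    print(audit(parse_arp(SAMPLE_ARP), KNOWN_DEVICES))
```

On a live Windows machine the text passed to `parse_arp` would be the output of `arp -a`, which only lists neighbours the PC has recently talked to.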
Most routers have a setting, "user isolation" or similar, under wireless settings, which means that should anyone connect via wireless they can't connect to anything local on the LAN.
 

MAC address filtering and hiding the SSID is not going to protect you. If a hacker wanted to bust into your WIFI network he'd more than likely use Kali and hiding the SSID or using MAC address filtering won't do jack. It's really a false sense of security. And MAC address filtering was not meant for security at all. AP isolation can help and it's a layer.

Make sure you are using WPA2. Keep your router firmware updated. Better yet, if it supports DD-WRT or if you have an ASUS router there's ASUS Merlin. Do not allow remote administration. Set a different password for router login.

Recently there was a WIFI CVE and it required patches to the devices themselves: "Severe WiFi security flaw puts millions of devices at risk".

If you use public WIFI like at a hotel, then use a VPN and change the DNS IP address in your network adapter to that of Google's or OpenDNS.
 

Great options and answers there guys, thanks for the help.
 

MAC address filtering will keep out most people; it will not prevent a knowledgeable hacker from getting through. If the person you want to keep out is not very technically inclined, then MAC address filtering will work. For example, when my son was a teenager, I used MAC address filtering at times to keep him off of the internet. It worked with him because he didn't know how to overcome it.

As far as hiding your SSID, a better approach in my opinion is to use a generic, nondescript name for your SSID. For example, I would not use my name as my SSID; but I might use something like "footballfan", because that won't identify me - there are hundreds of football fans everywhere you go. However, if you use your team's name (e.g. "NewYorkJets"), and you have a New York Jets sticker on your car, your neighbors will know that that is your wifi network. Hiding the SSID makes it a hassle if a friend wants to connect to your wifi; however, a nondescript name makes it easy for your friend to connect.
 

Hi Winningwith7! On the subject of getting impacted by whatever another device on your network might have been exposed to (virus-wise, etc.), it appears that the safest setting on a network is actually the "Public Network", not "Home." In other words, it's the same you would use if you were in a public place. (I know, it sounds counter-intuitive, but a home network isn't a cozy, safe little thing.) Also disable file sharing etc. in Network and Sharing -> change advanced sharing settings.


Also, use a VPN even at home.


And, my humble opinion as far as MAC addresses - I was grappling with this just last week when setting up a new router. It's true that MAC filtering won't keep out a skilled hacker. But it will keep out the opportunistic one who doesn't know all that much. The truth of the matter is - and this from someone who is always thinking about security issues - why would someone hack into your router in the first place? It can't possibly be for free WiFi, which is now ubiquitous. So it would be for identity theft? There is no need for that. All our information is already floating around on the dark web. For a few bucks he can purchase thousands of identities, possibly with credit card numbers. (Recall that consumers' info has been stolen multiple times by break-ins into Target and other big stores, Social Security, Experian, etc.)

So, the only reason would be for a challenge. If it's that kind of person, he already knows how to deal with MAC addresses and that won't keep him out.

If it's personal and the hacker is someone you know, make sure he can't identify you from your SSID. Believe it or not, there are people on my block that I can identify just by their SSID because of cute, but extreme personalization.


And for when a friend comes over and needs to use your WiFi, you can set up a guest IP address in your router, or some routers, anyway. This is in case there is some kind of malware on her device.


F22 Simpilot - quick question: Why change IP of adapter to OpenDNS or Google's?
 

F22 Simpilot - quick question: Why change IP of adapter to OpenDNS or Google's?


DNS cache poisoning. I read about that on a website for users that were to attend DEFCON that if they use hotel's public WIFI they shouldn't use the default DNS servers, but rather OpenDNS or Google.
 
