Photos: How to secure your home wireless network

This slide show assumes that you have a working wireless router. For our network we'll be using a Linksys Wireless-G WRT54GS router plugged into a Dell XPS 600 desktop along with a wireless-enabled Acer Travelmate 8200 laptop, both machines running Windows XP SP2. Over the next few slides we'll discuss how to:

• Change the router's default admin password
  
• Change the router's network name SSID
  
• Enable encryption (WEP and WPA)
  
• Filter devices via MAC addresses

  To learn secure your wireless laptop on public hotspots, see my How to secure your wireless laptop slide show as well.

To get started, we'll open an Internet browser on the Dell desktop and type the router's address 192.168.1.1 into the address bar. We should now see the router's prompt for a user name and password. We'll enter the name of our home network, and use the default Linksys password: admin.

The default passwords for network routers are not a secret; they're posted on the Internet. To change your default password, select the Administration link from the top toolbar. Where it says Local Remote Access, type a new password, and then enter that password a second time. Remember the password. Leave the other settings on this page as they are. Click the Save Settings button at the bottom and continue to the next slide.

Now select the Wireless link from the top toolbar. Under Basic Settings we find the default Wireless Network Name or service set identifier (SSID) of WRT54GS. We need to change that. In this example, we'll use CNETRocks. This is optional: You might also want to stop broadcasting this new SSID to others. By not broadcasting the SSID, you make yourself invisible to neighbors and criminals. This might be desirable in an apartment building or on a crowded residential street.

Continuing with the Wireless link from the top toolbar, select Wireless Security. For Security Mode, chances are it says Disabled. Open the menu. Our options are WPA Personal, WPA Enterprise, WPA2 Personal, WPA2 Enterprise, RADIUS, and WEP. These are not in order from weakest to strongest. Having no encryption is bad; criminals can capture and read all the data transmitted between our laptop and our router. Having Wired Equivalent Privacy (WEP) is better. Let's a take a closer look.

Most wireless cards support Wired Equivalent Privacy (WEP) encryption, so, at a minimum, this should be your choice. However, bad guys can now crack WEP. Even so, having WEP is better than not having any encryption. If a criminal sees some encryption, even WEP, chances are he'll pursue someone else without it. Choose WEP, enter a pass phrase (such as CNET#1) then hit Generate; Linksys creates all the WEP keys for you. Remember to Save Settings before continuing. If you have newer hardware around the house, you'll want the more secure WPA instead. Read on.

If WEP is good, WPA is much better because it attempts to fix some of the known flaws found within the older WEP encryption protocol. Although Linksys gives us the option of WPA, we'll want the newer, stronger WPA2 Personal encryption instead. You will not want the Enterprise versions for home use. Here, enter a pass phrase (a sentence fragment like "CNETNetworks#1"), and Linksys will make the secure conversion for you. Remember to Save Settings before continuing.

Another, optional, layer of wireless router security is to set MAC address filter. Every device has a unique code that identifies it, so you can set your router to allow only known MAC addresses, or to exclude known MAC addresses. Let's power up the laptop and find its MAC address. At a command prompt (All Programs, Accessories, Command Prompt), type ipconfig/all and hit Enter. This will display a long string of information. Find your wireless LAN card and the Physical Address associated with it (usually xx-xx-xx-xx-xx-xx). Write down this number and return to the desktop connected to your router.

Continuing with the Wireless link from the top toolbar, select Wireless MAC Filter. First, enable this option. Second, you now have two options--block known MAC address you don't want to connect (say, neighbors), or allow only MAC address you do want to connect. There's a downside to the latter choice: if you ever plan on sharing your router with others, you'll need to know the new friend's MAC address and update the filter list. It's not hard to do, just something to be aware of before enabling this option. For this example, we'll only allow our laptop's MAC address onto our network. Remember to Save Settings before continuing.

Select Edit MAC Filter List. In the top position, enter the MAC address you wrote down. Linksys asks that this address be added with colons, not dashes (xx:xx:xx:xx:xx:xx). Remember to Save Settings. We are done with the router, so close the browser tab. Now let's connect the laptop to our secure wireless network.

On the laptop, click the wireless network icon in the Task tray. A popup linking to a display of nearby wireless networks should appear in the lower right hand corner of the desktop. In our example, we're going to click CNETrocks. Within the CNETrocks listing, see a tiny paddle lock symbol and a parenthetical WPA after the network name. That means we're going to need a password to connect. When our laptop associates with our encrypted router, it'll prompt us for the router's pass phrase. Microsoft Windows will do the rest.