Wi-Fi makes things easy and convenient. It also makes it convenient for bad guys to try to break into your network, because they can do it from outside your house.
Therefore, to secure your home network, it’s also very important to make your home Wi-Fi more secure.
If your Wi-Fi access point is also your home router, you should also secure it with the tips for securing your home router.
- Avoid using Wi-Fi Protected Setup (WPS)
- Use WPA2 with AES encryption and good passphrase
- Change SSID name and hide it
- Use 5GHz frequency band if possible
- Use guest network
- Set schedule
- extra: MAC address filtering
- extra: Use VLAN
1. Avoid using Wi-Fi Protected Setup (WPS)
It comes with an eight-digit PIN that lets you connect to Wi-Fi easily.
But it’s not secure. Although the PIN has 8 digits, it turns out that a brute-force attack on WPS only needs to decipher the first 4 digits, which reduces the search to about 11,000 combinations.
If your router supports WPS, turn WPS off.
2. Use WPA2 with AES encryption and good passphrase
Don’t run an open network, and don’t use WEP or WPA.
Your Wi-Fi network should be protected with WPA2 with AES encryption.
The passphrase, technically called the pre-shared key (PSK), should be a good one, preferably with 12 or more characters.
3. Change SSID name and hide it
Don’t use the default SSID. It’s usually the manufacturer’s name, and it gives out information about your device that may help a bad guy identify vulnerabilities of the device.
Some bad guys could also set up a rogue Wi-Fi access point with these default SSID names in public areas. Your mobile device may automatically connect to it if you use the same default SSID at home.
Use an unrelated name that won’t give out any personal information or your home address.
You can also opt to hide the SSID name. But a bad guy with the right tools can find it easily.
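As an added example (not part of the original article), the Python code below checks a passphrase and SSID against the advice in sections 2 and 3 and derives the 256-bit key that WPA2-Personal actually uses. The SSID is the salt in that derivation, so the same passphrase gives a different key under a different SSID. The default-SSID prefix list and the sample settings are constructed for illustration, and the check that the passphrase does not contain the SSID is an extra assumption, not a rule from the article.

```python
import hashlib

# Illustrative, constructed list of factory-default SSID prefixes (not exhaustive).
DEFAULT_SSID_PREFIXES = ("linksys", "netgear", "dlink", "tp-link", "default")
MIN_RECOMMENDED_LEN = 12  # the article's recommendation for the passphrase


def is_valid_passphrase(passphrase: str) -> bool:
    """WPA2-Personal accepts 8 to 63 printable ASCII characters."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA2-Personal key: PBKDF2-HMAC-SHA1,
    salted with the SSID, 4096 iterations."""
    if not is_valid_passphrase(passphrase):
        raise ValueError("not a valid WPA2 passphrase")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def audit(passphrase: str, ssid: str) -> list:
    """Return a list of findings for the passphrase and SSID advice."""
    findings = []
    valid = is_valid_passphrase(passphrase)
    if not valid:
        findings.append("invalid WPA2 passphrase (need 8-63 printable ASCII characters)")
    elif len(passphrase) < MIN_RECOMMENDED_LEN:
        findings.append("passphrase is shorter than 12 characters")
    if ssid.lower().startswith(DEFAULT_SSID_PREFIXES):
        findings.append("SSID looks like a factory default")
    # Extra check assumed for this example: passphrase should not embed the SSID.
    if valid and ssid and ssid.lower() in passphrase.lower():
        findings.append("passphrase contains the SSID")
    return findings


if __name__ == "__main__":
    # Constructed sample settings: a weak setup and a corrected one.
    samples = [("NETGEAR42", "netgear42"),
               ("blue-kettle", "correct horse battery staple")]
    for ssid, phrase in samples:
        print(ssid, audit(phrase, ssid) or "ok")
    # Same passphrase, different SSID: the derived keys differ (SSID is the salt).
    for ssid, _ in samples:
        print(ssid, derive_psk("correct horse battery staple", ssid).hex())
```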
4. Use 5GHz frequency band if possible
The 2.4GHz frequency band covers a much larger range and penetrates walls better. This sounds good for signal coverage. However, it also means someone can try to connect to your Wi-Fi from far away from your home, which is not optimal for your network security.
So if possible, use the 5GHz frequency band and place the Wi-Fi access point in the middle of your home so that the signal coverage does not go beyond your home.
5. Use guest network
Setting up a guest network is a good idea: it offers Internet access to your visitors while preventing them from accessing your home network.
You can also connect your Internet of Things (IoT) devices to the guest network, because many of them may have security issues and you don’t want them to mix with your important devices on the same network.
Use a different SSID name and passphrase for the guest network.
And turn it off if not in use.
6. Set schedule
You probably don’t need Wi-Fi while you are sleeping or away from home.
Schedule your Wi-Fi to turn off when you don’t need it.
7. MAC address filtering
Each device has a unique MAC address. You can set up a whitelist of MAC addresses so that only these addresses are allowed access.
Please note that this is not a foolproof protection. A skilled attacker with the right tools can sniff and find out MAC addresses connecting to the Wi-Fi network and later on use MAC address spoofing techniques to bypass this filtering.
8. Use VLAN
Network segmentation using VLANs allows you to create logically isolated sub-networks. Each sub-network has no access to the other sub-networks, which limits the damage if attackers break in and gain access to one sub-network.
Therefore, placing your Wi-Fi devices, IoT devices and critical devices in separate VLANs helps protect your important devices and data if your Wi-Fi network is compromised or if any IoT device goes rogue.
Note: not all Wi-Fi access points support VLANs. You may also need additional VLAN-capable devices to set up your VLANs correctly.
Check out Setup Wi-Fi VLAN subnets for home network for more information on how to set up VLANs using pfSense and a compatible access point.