The WiFi router is the heart of the home network: it connects all your devices to each other and to the internet. However, it isn't inviolable, and like any good "heart" it can become a weak point if it isn't properly protected!
That's why I want to show you some simple security measures that limit outside connection attempts on your network. Each of them helps protect your network, but keep in mind that none of them offers total protection. I'll describe what these measures are good for, but I won't explain how to put them into practice, because that largely depends on your WiFi router.
1. Use a VPN: Be hidden on internet!
VPNs, or "Virtual Private Networks", are tools that connect two different local networks through a tunneling protocol. This tunnel looks like a simple point-to-point link, and spyware won't see it.
VPNs are used in two different ways:
• VPN on PC: A VPN on the PC can encapsulate all the data that passes through your PC, or just the data of a selected application. These are the most widely used VPNs, but their usage limitations will quickly make them obsolete.
• VPN on router: It's also possible to install a VPN directly on your router! The difference? The router can apply the VPN tunnel to ALL devices connected at home, even those that don't allow a VPN to be installed directly (such as connected watches or home consoles). The data is encapsulated at the router and not at the device, so you just have to connect your device to your router to use the VPN.
2. Hide the SSID network: Connect to a ghost network!
The SSID is the name of your router's network that you see when you connect. You can customize it to make it easier to identify, but you can also hide it to make the network more difficult to locate.
If you make this change, the name of your network will no longer appear in the list of "available networks" when you try to connect a new device. And that is the point of this protection: to connect to the network you no longer only have to enter the password as usual, you also have to enter the SSID of the network to identify it.
Unfortunately, as I told you at the beginning of the article, this measure is not enough to protect your network. There are programs called "sniffers" that can monitor the activity on nearby networks. With such a program it's possible to recover the network's SSID, which makes this additional protection useless.
The idea is therefore to hide the SSID in addition to the traditional practices: a strong password, etc.
3. Disable DHCP: The router's border crossing!
Did you know? There is a program in your router that plays the role of "border crossing": DHCP.
A border post in my router? How? As you can imagine, there are no miniature customs officers in the box. However, there is a program called Dynamic Host Configuration Protocol (DHCP) that automatically configures the IP parameters of the devices connected to the network. To put it simply: DHCP distributes IP addresses (essential for browsing the internet) to the different devices connected to the router's network.
But if I turn it off, it becomes the Schengen area and everyone goes in and out of my network as they please, right? In fact, not at all: the opposite happens. You can't use your router without a system that distributes IP addresses. If you disable DHCP, the automatic allocation of IP addresses is suspended and you will have to assign the IP addresses by hand.
To do this, you must make a list of ALL the devices that you want to connect to the network and associate each of them with an available IP address on the router.
Do you want to make life impossible for hackers? For example, put some special French characters in your network password: "ç, à, é, è ...". These characters, specific to the French language, are less likely to appear in the dictionaries of English-speaking hackers.
4. Filter MAC addresses: Only your devices can connect!
Each connected device (one able to use the internet) has a MAC address that is used to identify it and authorize its internet connection.
All recent WiFi routers have a feature that applies a filter to the MAC addresses that connect to the network. The principle is very simple: you collect the MAC addresses of all the devices that you want to connect to the internet and you enter this list in the router's white-list (and you black-list all the other MAC addresses on the network). If an outsider tries to connect to the network, their device will be denied. That holds provided you don't neglect MAC spoofing, in which a device usurps an authorized MAC address.
I had implemented this extra security at my home, but it has a major disadvantage: guests. Given that only YOUR devices can connect to your network, you will need to add an additional MAC address to the white-list each time someone wants to connect. For more security, you should then also remove the MAC address from the white-list once your guest has finished using the internet.
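As a complement to the device list from section 3 and the MAC white-list from section 4, here is an added example (not part of the original article) that audits the devices a Linux machine currently sees against that list. It assumes the output format of the Linux `ip neigh` command; the inventory, addresses and sample output are constructed, and `parse_neigh`, `is_locally_administered` and `audit` are names chosen for this illustration.

```python
import re

# Constructed inventory: the MAC -> static IP list you keep for your own devices.
INVENTORY = {
    "00:00:5e:00:53:10": "192.168.1.10",   # laptop (constructed)
    "00:00:5e:00:53:11": "192.168.1.11",   # phone (constructed)
}

# Constructed sample in the format printed by `ip neigh` on Linux.
SAMPLE_NEIGH = """\
192.168.1.10 dev br0 lladdr 00:00:5E:00:53:10 REACHABLE
192.168.1.25 dev br0 lladdr 00:00:5e:00:53:11 STALE
192.168.1.40 dev br0 lladdr da:a1:19:00:11:22 REACHABLE
192.168.1.11 dev br0 lladdr 00:00:5e:00:53:10 STALE
192.168.1.99 dev br0  FAILED
"""
LINE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9A-Fa-f:]{17})\b")

def parse_neigh(text):
    """Return (ip, mac) pairs; entries without a resolved MAC are skipped."""
    pairs = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            pairs.append((m.group(1), m.group(2).lower()))
    return pairs

def is_locally_administered(mac):
    """Bit 0x02 of the first octet marks a software-assigned (often randomized) MAC."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def audit(pairs, inventory):
    """Return sorted (ip, mac, finding) tuples for everything off-inventory."""
    findings, seen = [], {}
    for ip, mac in pairs:
        if mac not in inventory:
            kind = "unknown-randomized-mac" if is_locally_administered(mac) else "unknown-mac"
            findings.append((ip, mac, kind))
        elif inventory[mac] != ip:
            findings.append((ip, mac, "known-mac-wrong-ip"))
        if mac in seen and seen[mac] != ip:   # one MAC answering on two IPs
            findings.append((ip, mac, "mac-on-multiple-ips"))
        seen.setdefault(mac, ip)
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(parse_neigh(SAMPLE_NEIGH), INVENTORY):
        print(*finding)
```

A white-listed MAC that shows up on an unexpected IP, or on two IPs at once, is the kind of trace MAC spoofing can leave; a locally administered address is usually a phone or laptop using a randomized MAC, which is also why guest devices may not match the address you white-listed.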
A conclusion that can change everything
Good practices are certainly obstacles to hacking and useful safety barriers. But common sense and mistrust will always prevail over the tools or technical measures you use.
One last important note: some of these measures may also make the network more difficult to use when you have guests who want to connect to it. This is the classic trade-off between security and ergonomics. It's up to you to make the right choice.
I hope this article has helped you find the security features missing on your router, so that you can browse with a more peaceful mind.