Wireless networks are now common in both domestic and commercial installations. Although wireless networking offers benefits such as portability and connection simplicity, the rich selection of security options can present a challenge for the average user, leading to insecure networks and potential data loss.

In practice, picking WPA2/AES and a strong network password is probably the best you can do.

Why bother

You should secure your wireless network for two main reasons:

  1. An insecure wireless network that connects to the internet can be hijacked, and someone else will use your download allowance. Although bandwidth isn't that expensive, it can be a rude shock to find yourself limited to 64kbps for the rest of the month when you've gotten used to 4Mbps. In addition, you might be held liable for the actions of a bandwidth hitch-hiker (or at least be suspected of them).
  2. An insecure network opens all your computers to direct attack, which might compromise your private data, such as credit card details.

Really bad ideas

Having no wireless network security is an indescribably bad idea.

Things that don't work

Weak encryption settings

The old WEP (Wired Equivalent Privacy)[1] protocol doesn't provide good security and was dropped from the industry standard (IEEE) in 2004.

The newer TKIP (Temporal Key Integrity Protocol)[2] is better, but not really good enough and may also be dropped 'soon'.

AES is the current 'strong' encryption standard - you might have an option to use 'AES + TKIP' - this sounds like it might give you the best of both, but actually gives you the worst (i.e. TKIP). Don't use it.

Hiding SSID

Most wireless base stations (routers, access points etc) support hiding the network name or SSID (service set identification). Although this does suppress advertising your network name from well-behaved devices, it doesn't really hide your network.

Any of your own devices that are connected to your hidden SSID network are effectively shouting to the world "I'm talking to network x"; even with standard hardware and freely available software, your network is visible to anyone who looks hard.

Hiding SSID will also block some of your own devices from connecting to your network (reportedly at least some iPhones).

You make life hard for your friends and barely slow down your enemies; don't bother.

MAC address restrictions

A MAC address is the Media Access Control address of a network adapter. With many wireless routers you can specify which devices (by MAC address) are allowed on the network.

This sounds really good: you get to say exactly which devices can connect, using a value that's built in at the hardware level. Sadly, some network adapters allow you to override this value. The same software that snooped your hidden SSID will also find the MAC addresses of devices that are allowed on the network.

Weak Passwords

A network password that is the same as:

  • Your network name,
  • Your family name,
  • Your dog's name,

is vulnerable to a brute-force attack by anyone with some motive and a little patience (like that annoying teenager next door).

Your network password should follow the same strength rules as your other important passwords [3].

What to do

Use WPA2 security with AES encryption and a strong password. It's that simple.
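The checks described in this article can be run against a network's settings in a few lines of Python. This is an added example, not part of the original article; the settings record and its field names are hypothetical, and the sample values are constructed.

```python
import re

# Constructed sample. The field names are assumptions made for this example,
# not any router's real configuration format.
SAMPLE = {
    "ssid": "SmithHome", "security": "WPA2", "ciphers": ["AES", "TKIP"],
    "hidden_ssid": True, "mac_filter": True, "passphrase": "Smith2024",
    "personal_words": ["Smith", "Rex"],  # family name, dog's name
}

def _letters(s):
    """Lower-case and keep letters only, so 'Smith2024' reduces to 'smith'."""
    return re.sub(r"[^a-z]", "", s.lower())

def weak_passphrase(pw, words):
    """Return a reason string if the passphrase is weak, else None."""
    if not 8 <= len(pw) <= 63:  # valid length range for a WPA2 passphrase
        return "must be 8 to 63 characters long"
    for w in words:
        # Exact match, or a match once digits and punctuation are stripped.
        if pw.lower() == w.lower() or (_letters(w) and _letters(pw) == _letters(w)):
            return f"is based on a guessable name ({w!r})"
    return None

def audit(cfg):
    """Return findings for one network, following the article's advice."""
    findings = []
    security = (cfg.get("security") or "NONE").upper()
    ciphers = {c.upper() for c in cfg.get("ciphers", [])}
    if security in ("NONE", "OPEN"):
        return ["FAIL: no wireless security enabled"]
    if security != "WPA2":
        findings.append(f"FAIL: {security} in use; switch to WPA2")
    if "TKIP" in ciphers:
        # 'AES + TKIP' still permits TKIP, so it is treated as TKIP.
        findings.append("FAIL: TKIP enabled; select AES only")
    elif security == "WPA2" and ciphers != {"AES"}:
        findings.append("FAIL: cipher is not AES")
    if cfg.get("hidden_ssid"):
        findings.append("NOTE: hidden SSID adds no real protection")
    if cfg.get("mac_filter"):
        findings.append("NOTE: MAC filtering adds no real protection")
    words = [cfg.get("ssid", "")] + cfg.get("personal_words", [])
    reason = weak_passphrase(cfg.get("passphrase", ""), words)
    if reason:
        findings.append(f"FAIL: passphrase {reason}")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

An empty result means the settings match the recommendation; the sample fails on the mixed cipher and on a passphrase that is just the family name with digits appended.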

What if my router doesn't support this

Realistically, it's time to buy a new one. Basic wireless routers and ADSL modems with wireless networking sell for under $100.

What if my computer doesn't support this

Either stick to a hard-wired connection for this device or buy a new network adapter (which might be a USB device).

Securing your data - just in case

In any case, you should secure your data. Your network defences are just the first barrier against the bad guys; you should also secure your computers and, perhaps most importantly, have regular, reliable backups.

References

[1] Wikipedia article on WEP

[2] Wikipedia article on TKIP 

[3] Wikipedia article on password strength