- Replace routers at least once every five years. This helps keep you secure because you don’t fall behind on updates and patches: new vulnerabilities are patched for newer devices, but older devices’ software may no longer be maintained.
- Adopt the latest wireless technology when possible. Now that 802.11ax, aka WiFi 6, is becoming available, newer security technology will come along with it—namely WPA3, the latest in WiFi authentication.
- Run Ethernet cable to multiple WiFi access points instead of relying on one central WiFi radio.
- Be sure to update the firmware on your router/modem. If your router has updates available, install them regularly. These updates are improvements to the router’s software that patch specific threats and keep your network safe from attack.
- Reboot your router and/or modem occasionally. We’ve written about restarting devices to defeat malware stored in memory before, but a reboot could also help speed up your devices. Routers and modems have operating systems just like workstations, and after a lot of uptime, they could be running slowly and need to start afresh.
- Make use of a guest network. Lots of wireless routers give you the option to set up a guest network that has a different SSID and password than your main network. Using the tools in your router’s web interface, you can set up this secondary network to give to visitors so that they aren’t able to connect to the devices on your main network. You can imagine a scenario where a friend who is visiting has a compromised phone, and by connecting to your network they would also be connecting malware to your network infrastructure. At the very least, having a separate password helps keep your “real” password private, which is very important for keeping your network secure.
- Set up a 2.4 GHz and 5 GHz network. If your router has the option, you can run both frequencies to cover all of your devices. 2.4 GHz is starting to become a legacy feature, but its longer range can still make it useful in some scenarios. When using both, devices will (hopefully) connect to whichever is the better connection. Typically, this means that you’ll connect to high-speed, 5 GHz access points when close enough to them, and 2.4 GHz when you’re further away.
- Monitor radio channels near your access points to find the least noisy one. If you live in a densely populated area, your network might be competing for airtime with all of your neighbors’ networks. If your router and your neighbors’ routers are on the same channel, then you can experience slowdowns and disconnections. You’ll want to find a channel that is less (likely to be) populated. I use a program called LinSSID (on Linux) to look at the most populated channels and set my router to channels in between the populated ones. Some routers are set to jump automatically to channels that are more clear, but if you look at all of the radios in your area, you’ll find that most of the 2.4 GHz networks are clogging up channels 1, 6, and 11. On a 5 GHz network, finding an unpopulated channel can help keep your devices connected more consistently to your network, and can improve their speed. However, due to the overlapping channels in the design of 2.4 GHz WiFi, each channel experiences some interference from nearby channels; if they’re all in use, choose one that is less popular than the others.
- Use WiFi heatmap software to get an idea of your network’s coverage. Using software such as AR WiFi Analyzer, NetStumbler, or Lizard Systems, you can build a precise map of your network’s range and coverage. If you have multiple access points, you can see if there are any gaps in your setup. If you want an old-school alternative to a heat map for testing your range, you can simply “ping” an IP address with the ping command in the console of your choice, and go for a walk with your device. When it stops responding, you’re out of range.
- Check your device logs to make sure you don’t have any intruders or freeriders. On most routers, you’ll find a feature in the router’s web interface (which you can visit by putting your gateway’s address into the browser) that shows which devices are connected to your WiFi. Typically, there will be a name for the device and a MAC address (sometimes called “physical address”). It’s really important that you recognize each device that appears in these logs, since devices that appear here are connected to your network and have access to your internet connection and to network resources on your devices, such as shared folders. Make a note of all of the devices that you find, and make sure you can match them to the devices you expect to be on your network. More advanced routers can even give you a breakdown of the bandwidth that each device uses (so you can see if something is using a suspiciously high amount of bandwidth) and show you which access point each device is connected to (if you have multiple).
- Consider using an alternative DNS server to keep information about the sites you browse private. Domain Name Service is the part of the internet’s infrastructure that works like a phone book for websites; it can log all of the websites that you visit, since it translates addresses from text (like www.crowncomputers.com) into an IP address. Your default DNS server is usually run by your ISP, which gives them the possibility of logging all of your activity. Alternatives do exist, though, like Cloudflare’s 1.1.1.1 and Google’s 8.8.8.8, so, if you trust those companies more, you can use those. You can set them as your router’s DNS server, if possible, and if it’s not possible with your router’s software, then you can set each of your devices to use them in their network settings. They also have the added benefit of being a little faster to respond than your ISP’s resolvers. If you want to keep the addresses of the sites that you visit totally private from third parties, you can set up your own recursive DNS resolver with Unbound.
-Written by Derek Jeppsen on Behalf of Sean Goss and Crown Computers Team
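
The device-log check from the list above (matching every connected device to one you expect), as an added example that is not part of the original article. It assumes the router's connected-devices table has been copied out as text with a name, MAC address and IP per line; that layout, the inventory and the sample rows are all constructed. It goes one step past the text by marking MAC addresses with the locally-administered bit set, which is what phones using private (randomized) WiFi addresses present, so an unfamiliar address of that kind may still be a device you own.

```python
import re

# Constructed inventory: MAC address -> label for every device you expect.
KNOWN_DEVICES = {
    "3c:22:fb:10:20:30": "laptop",
    "b8:27:eb:aa:bb:cc": "raspberry-pi",
    "f0:18:98:01:02:03": "printer",
}

# Constructed sample of a router's connected-devices table (name, MAC, IP).
# Real routers format this differently; only the MAC column matters here.
CLIENT_TABLE = """\
laptop        3C-22-FB-10-20-30  192.168.1.10
raspberrypi   b8:27:eb:aa:bb:cc  192.168.1.11
*             DA:A1:19:44:55:66  192.168.1.37
ESP_4F21C0    84:F3:EB:4F:21:C0  192.168.1.52
"""

MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\b")


def normalize_mac(mac):
    """Lower-case, colon-separated form so 3C-22-... and 3c:22:... compare equal."""
    return mac.lower().replace("-", ":")


def is_randomized(mac):
    """True when the locally-administered bit (0x02 of the first octet) is set."""
    return bool(int(mac[:2], 16) & 0x02)


def audit(table, known):
    """Return (unknown, missing): unknown is a list of (mac, name, randomized)
    for connected devices not in the inventory; missing is the sorted list of
    inventory MACs that are not currently connected."""
    seen, unknown = set(), []
    for line in table.splitlines():
        match = MAC_RE.search(line)
        if not match:
            continue  # header or blank line
        mac = normalize_mac(match.group(1))
        seen.add(mac)
        if mac not in known:
            unknown.append((mac, line.split()[0], is_randomized(mac)))
    return unknown, sorted(set(known) - seen)


if __name__ == "__main__":
    unknown, missing = audit(CLIENT_TABLE, KNOWN_DEVICES)
    for mac, name, randomized in unknown:
        note = "randomized MAC, check your own phones first" if randomized else "investigate"
        print(f"UNKNOWN {mac} ({name}): {note}")
    print("expected but not connected:", missing)
```
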