How to properly secure home network?

techtia Member Posts: 144
Hello, I have read that disabling the SSID and enabling MAC filtering are ways to enhance security but then read a post on here that those are not truly secure. How would a person truly secure their home internet network from potential intruders? Thanks

Comments

  • dhay13 Member Posts: 580 ■■■□□□□□□□
    Disabling SSID and using MAC filtering helps but is definitely not a security solution. Think of the choice of either hiding a $100 bill in your house or locking that $100 bill up in a safe. Similar concept.

    Enable WPA2 encryption with a strong password. Disabling the SSID and using MAC filtering will be extra layers.
  • Deathmage Banned Posts: 2,496
    Everyone has their own wireless needs, or extremes. I just use a Sonicwall NSA 240 at home with its own wireless vLAN connected to a Cisco 5500 Controller with 5 Cisco 1262 APs hooked up to it.

    So far I've had no problem with streaming or use of the Plex NAS over the connection.
  • 636-555-3226 Member Posts: 976 ■■■■■□□□□□
    Who is your primary threat agent?

    If your neighbors, just put a password on your network.

    If your neighbor with a kid messing around with dangerous toys he finds online, just change your default SSID to something random, put a complex password on your network (WPA2-PSK), and disable WPS.

    If a smart neighbor who wants to destroy your life (hack in, upload kiddie pr0n to your 'everyone' shared pictures folder [you might have one], then run a hidden torrent service on your computer and wait for the FBI to show up), do the same things as above.

    If it's a talented person who knows what they're doing (very, very doubtful) SSID won't help as your computer still broadcasts it if someone's connected to your network (laptop, phone, smart fridge). MAC filtering won't help because I can just sniff your MAC address from your traffic and change the MAC address on my local wireless card.

    You're more likely to be victimized by a burglar. And, no, the broomstick holding your sliding glass door closed won't work since I'll just lift the door off the track and walk on in. And, no, your fiberglass door on the back of your house won't work since I have a small handtorch that will burn a nice semicircle hole around the knob/lock in about 30 seconds. Life's a beach, ain't it?
  • alias454 Member Posts: 648
    Hiding your SSID has limited value as a security measure and will only keep the most unskilled people out, if even them. Plus, when the SSID broadcast is turned off, each machine beacons for the configured SSID so you may leak info out in public ;). Just name it DEASurveillanceVan or something.
    “I do not seek answers, but rather to understand the question.”
  • stryder144 Senior Member Member Posts: 1,684 ■■■■■■■■□□
    Honestly, here is what I do and why:

    1. The first thing I do is log into the access point and change the default password to one that is strong (north of 16 characters). If I can change it, I change the admin account name, though few of the APs that I have used (all non-enterprise) made that difficult. The reason why I do that is because you can easily search online for the default admin/password very easily. You might be asking how they would know which manufacturer produced your access point? Well, that leads me to the second thing I do.

    2. I change the default SSID. Normally, the default includes the manufacturer's name (Linksys, Netgear, etc.). Even if it doesn't use the manufacturer's name, it will often be so generic and installed across all of their line of products, that you can conduct a search online and find out which maker uses that name. Assuming that the access point hasn't had its connection encrypted, you can find the default IP address for management access online, take the information obtained about the default admin/password combo, and bam! You're in! Depending on the access point, you could also change the management IP address, making it even harder to figure out.

    3. The next thing I do is set up WPA2. I choose a complex passphrase, which in theory makes it really difficult for the average person to figure out. WPA2 uses AES encryption, which is a lot stronger than WEP's RC4 encryption.

    If you do those three things, you will have a sufficiently secure connection. As mentioned, a beacon frame gets sent periodically, so even without an SSID being broadcast, your AP is letting the world know it is there. Assuming a sufficiently talented and patient person, they can capture your beacon frame as well as frames of data. With that information, they can break down the SSID of the AP, the source MAC address, and the destination MAC address (if it knows it). Further, they take that information and set their computer's MAC address to the source MAC address and that fools the AP into allowing access. Thus, the equivalent of rice paper walls. Sure, put enough of them together and it makes it more difficult to bust through but it doesn't stop someone from using a match to burn a hole in that wall.
    The easiest thing to be in the world is you. The most difficult thing to be is what other people want you to be. Don't let them put you in that position. ~ Leo Buscaglia

  • apr911 Member Posts: 380 ■■■■□□□□□□
    SSID broadcasting really is more a question of how much "extra work" do you want your router to be doing... If you live out in the middle of nowhere with no one else for miles, you probably don't have to worry about broadcasting your SSID so much.

    If you live in a massive apartment complex in the city with another complex next door, your SSID broadcast becomes a beacon for everyone who doesn't have internet access as a potential network to try to access because your network pops up when they click the "view available networks" button. This is especially true when your SSID is the default value or is really similar to others. In truth, it's a negligible load on the device to deny the authentication traffic and with the advent of MIMO routers with multiple chips it won't even slow your network down but it's still a "good" practice to follow when you can for the same reason it's a "difficult" practice to implement...

    To the uninitiated AKA your average user, a network that doesn't pop up in the "available networks list" doesn't exist. Great for those of us in the "know" but if you're setting up a network for more than just yourself, it can be confusing. Hence why my personal network is hidden but any network I set up for family or friends is broadcast.

    At the end of the day, hiding the SSID is an obscurity measure which can add some "security" to a network from general users but anybody more determined will see right through it...

    Think about it; if your network is open access and broadcast is enabled 100% of users can connect to it and you can be fairly certain they will... if you had that open access network hidden beyond an unbroadcasted SSID, only the 10% of the population who knows how to sniff wireless networks will know it exists and can connect to it. If you add mac-filtering on top of that, then you reduce that further down to the 5% of the population that knows how to realize that is why it was blocked and then sniff & spoof mac-addresses (which isn't hard). It still doesn't beat a secure WPA2 password for blocking unauthorized access but it eliminates a large amount of the attempts with minimal effort.

    Beyond that Stryder144's recommendations are a pretty good set to follow... The only thing I would add is that the username/password/SSID/WPA2 passphrase should all be secure passwords and different from each other... You'd be surprised how many "ultra secure" networks are running with default or easily guessed passwords or that have an admin login with the same password as the network WPA2 key.


    Note: I took a WAG (wild-a*s-guess) when saying 10 & 5% of the population knows how to sniff SSIDs or clone mac-addresses. This number could be grossly underestimated or grossly overestimated, especially depending on where you live (high-tech areas for example will have a disproportionately larger amount of people who can vs a more evenly balanced population)
    Currently Working On: Openstack
    2020 Goals: AWS/Azure/GCP Certifications, F5 CSE Cloud, SCRUM, CISSP-ISSMP
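
The checklist from stryder144's and apr911's posts above, as an added example that is not part of the thread: a Python audit of a home access point's settings. The config dictionary layout, the sample values and the vendor-hint list are constructed for illustration; `wpa2_psk` is the standard WPA2-PSK derivation, in which the SSID serves as the salt.

```python
import hashlib

# Vendor names the thread cites as giveaways in default SSIDs; extend as needed.
VENDOR_HINTS = ("linksys", "netgear")

def wpa2_psk(passphrase, ssid):
    """Standard WPA2-PSK derivation: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def audit(cfg):
    """Return a list of findings for a home AP config (hypothetical dict layout)."""
    findings = []
    if cfg["encryption"] != "WPA2-AES":
        findings.append("switch to WPA2 with AES (currently %s)" % cfg["encryption"])
        if cfg["ssid_hidden"] or cfg["mac_filtering"]:
            findings.append("hidden SSID / MAC filtering do not replace WPA2")
    if cfg["wps_enabled"]:
        findings.append("disable WPS")
    if any(v in cfg["ssid"].lower() for v in VENDOR_HINTS):
        findings.append("SSID reveals the vendor; rename it")
    if len(cfg["admin_password"]) <= 16:  # "north of 16 characters"
        findings.append("admin password should be longer than 16 characters")
    if not 8 <= len(cfg["passphrase"]) <= 63:
        findings.append("WPA2 passphrase must be 8 to 63 characters")
    values = [cfg["admin_user"], cfg["admin_password"], cfg["ssid"], cfg["passphrase"]]
    if len(set(values)) < len(values):
        findings.append("admin login, SSID and passphrase must all differ")
    return findings

# Constructed sample configurations (not taken from the thread).
WEAK = {"ssid": "NETGEAR42", "encryption": "WEP", "wps_enabled": True,
        "admin_user": "admin", "admin_password": "admin", "passphrase": "admin",
        "ssid_hidden": True, "mac_filtering": True}
HARDENED = {"ssid": "quiet-heron-71", "encryption": "WPA2-AES", "wps_enabled": False,
            "admin_user": "hn-operator",
            "admin_password": "correct-horse-battery-staple-9",
            "passphrase": "violet-anvil-tundra-morning-44",
            "ssid_hidden": False, "mac_filtering": False}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "no findings")
    # Same passphrase under two SSIDs gives two different keys (SSID is the salt).
    print(wpa2_psk(HARDENED["passphrase"], "quiet-heron-71") !=
          wpa2_psk(HARDENED["passphrase"], "NETGEAR42"))
```
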
  • kohr-ah Member Posts: 1,277
    WPA2-AES, no default ssid or password and you'll be pretty much okay.

    Hiding it doesn't mean a whole lot any more as if I run a sniffer your wireless router a lot of times will still respond to a probe when asked.

    MAC filtering is just too much work :p
  • dhay13 Member Posts: 580 ■■■□□□□□□□
    or change your SSID to 'my_honeypot'
  • TechGromit GSEC, GCIH, GREM, Ontario, NY Member Posts: 2,044 ■■■■■■■■□□
    If your neighbors, just put a password on your network.

    If your neighbor with a kid messing around with dangerous toys he finds online, just change your default SSID to something random, put a complex password on your network (WPA2-PSK), and disable WPS.

    If a smart neighbor who wants to destroy your life (hack in, upload kiddie pr0n to your 'everyone' shared pictures folder [you might have one], then run a hidden torrent service on your computer and wait for the FBI to show up), do the same things as above.

    This is why I don't have neighbors.
    Still searching for the corner in a round room.