Posted by
Networking Expert
Member Since: ‎07-28-2003
Posts: 24,238

How to Secure a Wireless Router

Comcast's High Speed Internet service is a wonderful thing, and many of us have come to depend on it for many things, from sending email to friends and family, to playing games, to managing our finances, to working at our jobs at home. In households where there is more than one computer, it's becoming more and more common to see routers used to network these computers together to share the same Internet connection. Wireless routers are a very popular choice, especially with laptop users and in those places where it's impractical to run an ethernet cable. But along with them come some extra security concerns specific to wireless that should be addressed so the user's computers and network are not exposed to needless risk from the more unsavory elements in the Internet community. Since you do not need direct physical access to use a wireless router, how do you ensure that only you and those you approve can use your router? Thankfully, that's an easy question to answer. The router itself can help you with this; it has many configurable options that allow you to control its wireless function so that you can be as secure as you like.

I'll walk through a typical wireless router setup using the Linksys WRT54G as my example. I'll describe the various options that affect wireless security and you can decide what settings are right for your particular situation. Wireless routers come in all shapes and sizes and they don't all share the same options, so I may describe an option your router doesn't have, or you may have an option mine lacks. When in doubt, RTFM. Let me say that again, READ THE DARN MANUAL! Phew, glad I got that off my chest. Your router's manual is an invaluable source of information about your specific model; use it.

At the bottom are links to other posts which describe connecting to a secured router from XP, Vista, and a Mac.

Here come the details, so take a deep breath and dive right in...

Router Configuration
To change these router options, we're going to be using the WRT54G's Web based Setup pages. Most routers have a tiny built-in webserver you can just point your favorite browser at, login, and make whatever changes you need. On my router, I simply use http://192.168.1.1 (which is just the router's LAN side IP address). This is pretty standard on most Linksys routers. Other manufacturers might use http://192.168.0.1 or http://192.168.2.1, or http://10.0.0.1, for example. Consult your pesky documentation for what you should use on your router. Once connected, you should be presented with a login dialog that looks similar to this. Enter the router's administration password and press OK. The default password on Linksys routers is usually "admin" with no userid. You should then see your router's home page. Take a few minutes, poke around and familiarize yourself with the way your router's website works and where the various pages and options are. One important thing to note with Linksys routers, once you make a change to an option, be VERY CERTAIN to click on Save Settings at the bottom of the page or you will never actually turn that option on. So anywhere I say change an option, remember to hit Save before you continue to another page or the change will be lost. You have been warned :)

Now let's get right down to the security changes:

1. Change the router's administration password. Strictly speaking this option has nothing to do with the wireless function itself but since it's such basic security, it bears repeating. Your router comes with a default password, but everyone knows what this password is, so it's no protection at all. Change it to something only you know. On the WRT54G, go to the Administration --> Management page, enter the Router Password and confirm it. Then press the Save Settings button at the bottom of the page. You will be presented with a logon dialog again, just use the new password.

2. Disable the ability to get to the router's web setup pages from a wireless system. This is probably of minor usefulness, but I like to be as thorough as possible. Disabling this option means you have to use a system directly connected to the router (or through the Internet, more on that in a minute) in order to make changes to the router. A couple of caveats here. If you only have wireless systems, leave this enabled or you won't be able to control your router! Also, if you're doing this procedure from a wireless system, you'll need to move to a wired system to complete further changes. So think about your needs before clicking here. On the WRT54G, this option is "Wireless Web Access" on the Administration --> Management page. Don't forget Save Settings to lock the change in.

3. Disable the ability to control the router from the Internet. By default this option ("Remote Management") should be disabled and you should leave it that way unless you have a specific need to allow this. Valid reasons include: you're away from home and need to adjust the VPN passthrough settings, or you want someone on the Internet to help you do some troubleshooting, etc. Bear in mind that you have no control over WHO on the Internet is allowed to connect, other than controlling the password. Think long and hard before enabling this option. If you do, consider using HTTPS so that information going back and forth to the connected user is encrypted and protected from prying eyes. You will find this option on the Administration --> Management page.

4. Disable UPnP. This is just plain evil and allows a program to configure the router without your knowledge. Unless you have some very specific need for this, disable it. Again, on the Administration --> Management page.

5. Disable SSID broadcasting. By default, most wireless routers sit around constantly shouting to anyone in range who can listen "HELLO OUT THERE! I'M RIGHT HERE AND MY NAME IS XYZ! COME USE ME!". Not very secure. What you want is an access point that sits there quietly and unobtrusively until someone comes along who already knows the access point is there AND knows its name. In other words, without foreknowledge, the access point is mostly invisible. Now the more knowledgeable among you might be saying "Hold on, that's not true!" and you'd be technically correct, but this will prevent the majority of ne'er-do-wells from finding you, and that's a good thing. It's true a really smart and determined hacker will still know you're there, but that requires smarts and effort which is severely lacking in your typical script-kiddie. Now when you do this, the onus is now on you to specifically configure your various wireless clients with the proper (case sensitive) SSID for your wireless router. Since the router is no longer broadcasting, you can't bring up the XP wireless client (for example) so you can see your router. You have to add it by hand. This is a simple process, just see the instructions for your wireless client on how to do this. Change this option with Wireless SSID Broadcast set to Disable on the Wireless --> Basic Wireless Settings page and press Save Settings.

EDIT 08/24/2011: I have decided to remove this section, not because it's a bad idea (I do it here), but because it has the side effect I mention above about making it harder to connect (which is its purpose). With the proliferation of wireless devices (cell phones with WiFi, iPads, laptops, Blu-ray players, game systems, etc), more and more folks with limited wireless knowledge find connecting to their router much harder if the router is not broadcasting. After trying to explain unsuccessfully to countless people why their wireless network really IS there, I've decided this option is more trouble than it's worth for most folks. So from now on, I only recommend this option for people who have a solid technical understanding of their wireless network and how turning off SSID broadcasting affects their wireless client setup.

6. Change the default SSID (or Service Set Identifier) to something unique. A wireless access point has to have a name associated with it called the SSID. All the access points (there might be more than one, but in our setup there is only one, the wireless router itself) in a single wireless network will share the same name and the same security setup. Most routers come with a default value here. For example, all Linksys wireless access points have a default SSID of "linksys" (original, huh?) You want to give your router a unique SSID that only you know. The SSID must be no more than 32 alphanumeric characters and it IS case sensitive, so that "charlie" is different and distinct from "Charlie". Supply your chosen SSID in the Wireless Network Name field on the Wireless --> Basic Wireless Settings page.

7. Enable Wireless MAC filtering. Please do not confuse MAC (media access control) address with the Apple Macintosh computer, they are two totally different things. Each wireless adapter has a unique hardware address that can be used to identify that particular wireless adapter. The router has the ability to accept or deny connections based on this MAC address. You can set this up to deny or allow access to a list of specific MAC addresses. I use the more restrictive of the two, which is only allow access to MAC addresses I have listed. On the Wireless --> Wireless MAC Filter page, select Enable for Wireless MAC Filter, select Permit only, press Save Settings, then press Edit MAC Filter List, enter your wireless adapter's MAC address in the list, press Save Settings and you're done. To find your adapter's MAC address, on XP/2K/ME, use the command ipconfig /all and find the Physical Address field for the wireless adapter. On 95/98, use winipcfg and select the wireless adapter, you're also looking for Physical Address. On Linux, use /sbin/ifconfig and you're looking for "HWaddr". On the Mac, ifconfig also works in the Terminal, and here you're looking for the "ethernet" field which is kind of misnamed, or you can also use Applications:Utilities:Network Utility and on the Info tab select the wireless adapter (on my PowerBook, it's en1) and you want the Hardware Address. For those that have lots of people or devices coming and going and want to allow access, this option can be troublesome and I would recommend turning it off in those situations. Also remember this a year down the road when you have a fancy new iPad that you are trying to connect and it won't work: did you remember to add the new device's MAC address to the table if you have this option enabled?

8. Turn on wireless encryption. This is the single most important thing you can do to secure your wireless router. There are two main encryption methods in use at this point, the older and not very secure WEP, and the newer, more secure WPA. Unless you have some overriding reason to use WEP (like your adapter driver won't support WPA), stay far away from it. It's easily cracked and there are open source programs that do this. Last resort use only and then you must change the keys OFTEN (once a week at least). Always use WPA whenever possible. To activate WPA, go to the Wireless --> Wireless Security page, select WPA Personal for Security Mode, AES for WPA Algorithms (don't select TKIP, it's been partially cracked), and some phrase for the WPA Shared Key. The key phrase must be between 8 and 63 characters long. The more random the better. Short phrases made up of common words found in the dictionary are not good choices since there are brute force dictionary attacks that can crack WPA if you choose such a weak passphrase. If you have WPA2 Personal available to you, that's a better choice than WPA Personal since it requires AES. Press Save Settings to save the changes.

Mac OS X Wireless Client Configuration

How to Connect to a Secured Wireless Router - Mac OS X

If you are configuring a laptop like a PowerBook and use more than one wireless access point (or WAP) regularly, you can create new locations using the Apple -> Location -> Network Preferences -> Edit Locations option. For example, you can have a Home and a Work location, each of which has their own default secured network, or maybe you often meet friends at Starbuck's, you can create a location for that network as well. You switch locations easily by using the Apple menu on the menu bar, Apple -> Location and select the location you want. Makes going back and forth from your home network to the network at the office (or anywhere else for that matter) very simple.

XP Wireless Client Configuration

 

How to Connect to a Secured Wireless Router - Windows XP

Windows Vista Client Configuration

How to connect to a Secured Wireless Router - Windows Vista



26-Apr-2005 Added Mac OS X Panther client instructions
02-Mar-2008 Added Vista setup link
07-Nov-2008 Changed TKIP to AES as the preferred encryption algorithm

08-Nov-2008 Removed old Mac instructions, replaced with link to post with Mac instructions

18-Nov-2008 Added XP instructions link, finally!

24-Aug-2011 Changed my stance on #5 SSID broadcasting

 

Message Edited by Baric on 11-18-2008 03:28 AM
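
Step 7's commands print the hardware address in different notations (dashes from ipconfig, colons from ifconfig), while a Permit-only list has to match exactly. The Python sketch below is an added example, not part of the original post: it extracts and normalizes the addresses from constructed sample output and reports which devices are missing from the filter list. The sample output, the addresses and all function names are assumptions made for illustration.

```python
import re

# A 6-byte hardware address with ":" or "-" separators. The lookarounds reject
# longer runs, such as the 8-byte pseudo-addresses Windows shows for tunnel adapters.
MAC_RE = re.compile(
    r"(?<![0-9A-Fa-f:-])[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}(?![0-9A-Fa-f:-])"
)
# Field labels: "Physical Address" (ipconfig /all), "HWaddr" (Linux ifconfig),
# "ether" (the keyword macOS ifconfig prints).
LABEL_RE = re.compile(r"Physical Address|HWaddr|\bether\b")

# Constructed sample output; every address here is made up.
WINDOWS_SAMPLE = """\
Ethernet adapter Wireless Network Connection:
        Description . . . . . . . . . . . : Example Wireless-G Adapter
        Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5E
Tunnel adapter Example Tunnel:
        Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
"""
LINUX_SAMPLE = "wlan0     Link encap:Ethernet  HWaddr 00:1a:2b:3c:4d:5f\n"
MAC_SAMPLE = "en1: flags=8863<UP,BROADCAST,RUNNING> mtu 1500\n\tether 00:1a:2b:3c:4d:60\n"


def normalize_mac(text):
    """Return the address as upper-case, colon-separated pairs."""
    digits = re.sub(r"[:-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError("not a 6-byte hardware address: %r" % text)
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def extract_macs(output):
    """Collect the hardware address from every labelled line, in order, once each.

    This returns every adapter's address; picking the wireless adapter's entry
    is still up to the reader, as the post says.
    """
    found = []
    for line in output.splitlines():
        if not LABEL_RE.search(line):
            continue
        match = MAC_RE.search(line)
        if match:
            mac = normalize_mac(match.group(0))
            if mac not in found:
                found.append(mac)
    return found


def missing_from_allowlist(device_macs, allowlist):
    """Devices that a Permit-only filter would refuse because they are not listed."""
    allowed = {normalize_mac(entry) for entry in allowlist}
    return [m for m in map(normalize_mac, device_macs) if m not in allowed]


if __name__ == "__main__":
    devices = []
    for sample in (WINDOWS_SAMPLE, LINUX_SAMPLE, MAC_SAMPLE):
        devices.extend(extract_macs(sample))
    # Constructed filter list, typed in the dash notation ipconfig prints.
    router_list = ["00-1a-2b-3c-4d-5e", "00-1A-2B-3C-4D-5F"]
    print("devices:", devices)
    print("not yet permitted:", missing_from_allowlist(devices, router_list))
```
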
Posted by
Networking Expert
Member Since: ‎07-28-2003
Posts: 24,238

Re: ctRe: How to Secure a Wireless Router

jnorth601 wrote:

I ordered a wireless modem a few weeks ago and haven't received it yet. I have called all the numbers and everyone directs me back to here. What is the problem? Is there a live person anywhere that will talk to me that knows where or why my FREE wireless router has not come. I have been very displeased with the service I have received so far with this program xfinity.



We are customers just like you, we can't help you with that kind of information, you have to talk directly to Comcast.   Personally, I think you should just go buy one and be done with it.

Posted by
Contributor
Member Since: ‎10-24-2011
Posts: 5

Re: ctRe: How to Secure a Wireless Router


@jnorth601 just call in and ask for the SIK information, should be a UPS tracking number that the rep can check for you at the time of call

Posted by
New Visitor
Member Since: ‎02-21-2012
Posts: 1

Re: How to Secure a Wireless Router

I can't turn wireless off from 10 PM to 5 AM the router does not allow me to, so your "manual comment" still does not help me thank you! I have children who won't sleep if wireless internet is available. I could control this with my previous router the Netgear N300. The Arris router does not do this. What do I do now?

Posted by
Networking Expert
Member Since: ‎07-28-2003
Posts: 24,238

Re: How to Secure a Wireless Router


skuhn1204 wrote:

I can't turn wireless off from 10 PM to 5 AM the router does not allow me to, so your "manual comment" still does not help me thank you! I have children who won't sleep if wireless internet is available. I could control this with my previous router the Netgear N300. The Arris router does not do this. What do I do now?


What router do you have exactly? These instructions are specifically for the Linksys WRT54G which was a widely used router at the time. Almost all modern routers have the same types of control restrictions, but since you don't say what router you have, I can't be more specific.

 

If you mean the Arris TG852G-CT Xfinity Wireless Gateway, then consult the manual, page 31, Add Blocked Service, and block everything. Or page 32 for Managed Devices to do it on a system by system basis. Etc.

 

Posted by
New Visitor
Member Since: ‎06-30-2012
Posts: 3

Re: How to Secure a Wireless Router

Here is what you should do when you get a new wifi router:

 

1. Upgrade to the latest firmware for your router and read the release notes for the changes!

 

2. Change the default username/password to at least 8 characters to include numbers/letters/and special characters such as "@" and "$". 

 

3. Change the default SSID name from the vendor specific to a minimum of 16 characters to include letters/numbers/special characters. The SSID is actually used in the hashing(encryption) of your wireless data. The longer and more complex the SSID is the more difficult it is to brute force the network key. There are websites out there that store the hash values for default SSIDs for every major brand of wireless routers which makes it easier to brute force the key.

 

4. Disable WPS, WPS is the system that allows you to press a button on some routers and just enter the code on the bottom of it in your computer to gain access to the network. The problem here is that WPS is easily brute forced. On average many routers can be compromised in around 3 to 4 hours.  Some routers actually do not disable WPS when you check the box to do so and remain vulnerable to attack. 

 

5. Assign static IPs to your devices and disable the router's DHCP server.

 

6. If possible, create access rules based on IP/MAC address to only allow the computers/devices you have given static IPs to, to have network access. The default is to allow everything out and only block the incoming. You can block both in and out to be more secure.

 

7. Use a private DNS server such as Open DNS. Not only is it unethical for your isp to hijack your dns results but who knows what they are doing with your query info. 

 

8. Set wireless encryption to at a minimum WPA 2 Personal TKIP. The best option is currently WPA 2 Personal AES. If possible, use WPA 2 Personal AES. Some routers and wifi cards do not support it. If your client only supports WEP you are open to attack. The average time to break a WEP key is under 10 minutes.

 

The following are only annoyances to those that want to break into your wifi and will not and I repeat WILL NOT offer you any protection against those that want to break in.

 

9. Disable SSID Broadcast. This will prevent your network from showing up in a network list. But will not stop wifi scanners from seeing your network. 

 

10. Enable MAC filtering. This will only allow the MAC addresses of those devices which you list to access the wifi. The problem here is that the person(s) breaking into your wifi can spoof their device's MAC address to match one that is on your wifi already. This just keeps the script kiddies out.

 

11. Change your wireless key at a minimum once a month. Once your key has been compromised, it may be shared for others to use your connection without your knowledge.

 

12. Disable Upnp

 

13. Disable remote access

 

14. Disable Automatic updates (Cisco/Linksys routers). Cisco recently pushed out updates that forced users into a cloud based management for their App Enabled routers. This service is insecure as everything is sent plain text and leaves your router open to attack.

 

15. Disable access to the router's management interface from wireless, unless all you have is wireless devices. If possible, create an access rule to only allow 1 IP address to access the web management for the router.

 

16. Go through every page of your router's web interface and disable services you do not need.

 

17. Unplug the router when you're not home or not using it. The only secure network is the one not connected to any computers.....
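
WPA/WPA2-Personal derives its 256-bit master key from the passphrase with PBKDF2-HMAC-SHA1, using the SSID as the salt and 4096 iterations, which is the fact behind item 3 above and the passphrase advice in step 8 of the first post. The Python sketch below is an added example, not part of any post in this thread: it derives that key for a candidate SSID and passphrase, enforces the 8 to 63 character limit, and flags a default SSID or a dictionary-word passphrase. The word list, sample values and function names are assumptions made for illustration.

```python
import hashlib
import math

# Default SSIDs to flag. "linksys" is the one named in this thread; extend as needed.
DEFAULT_SSIDS = {"linksys"}
# Tiny constructed word list standing in for a real dictionary.
SAMPLE_WORDS = {"password", "letmein", "sunshine"}


def derive_pmk(passphrase, ssid):
    """Pairwise master key for WPA/WPA2-Personal: PBKDF2-HMAC-SHA1, SSID as salt."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def entropy_upper_bound_bits(passphrase):
    """Upper bound only: assumes every character was picked at random from the
    character classes present. Dictionary words fall far below this figure."""
    pool = 0
    if any(c.islower() for c in passphrase):
        pool += 26
    if any(c.isupper() for c in passphrase):
        pool += 26
    if any(c.isdigit() for c in passphrase):
        pool += 10
    if any(not c.isalnum() for c in passphrase):
        pool += 33  # printable ASCII punctuation plus space
    return len(passphrase) * math.log2(pool) if pool else 0.0


def review(passphrase, ssid, words=SAMPLE_WORDS):
    """Return a list of findings for a planned SSID and passphrase pair."""
    derive_pmk(passphrase, ssid)  # raises ValueError if either value is invalid
    findings = []
    if ssid in DEFAULT_SSIDS:
        findings.append("default SSID: the salt is the same as on every other "
                        "router left on this name, so precomputed tables apply")
    if passphrase.lower().rstrip("0123456789!") in words:
        findings.append("passphrase is a dictionary word with a simple suffix")
    return findings


if __name__ == "__main__":
    phrase = "correct horse battery staple"  # constructed sample value
    for name in ("linksys", "Linksys", "Maple-Street-4471-upstairs"):
        # Same passphrase, different SSID (even by case) gives a different key.
        print(name, derive_pmk(phrase, name).hex()[:16], review(phrase, name))
    print(review("password1", "linksys"))
    print(round(entropy_upper_bound_bits("abcdefgh"), 1), "bits at most")
```
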

Posted by
New Visitor
Member Since: ‎12-16-2012
Posts: 2

Re: How to Secure a Wireless Router

I need instructions on how to access security key for my wireless connection for Windows  XP

 

Posted by
Contributor
Member Since: ‎04-03-2007
Posts: 14

Re: How to Secure a Wireless Router

Sorry, but there was 0, not a thing, not even a maybe, similar to the Home Page of my Belkin F9K1102 v2 in the first two steps of the example/explanation tagged to this reply. I had high hopes but ,,,,

Posted by
New Visitor
Member Since: ‎02-27-2013
Posts: 3

Re: How to Secure a Wireless Router

NO ROUTER MANUAL has been supplied from ComCast to go with the router they installed for my internet service.  I cannot find a brand name or model number on the Xfinity router.  I'd love to have such instructions but you would have to tell me where to find them, and even how to find out what kind of router I have.

Posted by
New Visitor
Member Since: ‎02-27-2013
Posts: 3

Re: How to Secure a Wireless Router

How do I find my router's home page?  I want to set up parental time controls to shut down the router overnight to keep my son offline when he should be sleeping.

 

Trust me, I WOULD LOVE TO CONSULT DOCUMENTATION---but nothing was provided to me from Comcast or Xfinity.  Just the router alone.  There is not even a brand name on the device.  No instructions.  Not one single document except an Xfinity 4-page brochure which does not even mention that there is a homepage or any settings for the router, much less how to access or change them.

 

None of the hyperlinks in this paragraph work except "this" and " your router's home page"

 

Router Configuration
To change these router options, we're going to be using the WRT54G's Web based Setup pages. Most routers have a tiny built-in webserver you can just point your favorite browser at, login, and make whatever changes you need. On my router, I simply use http://192.168.1.1 (which is just the router's LAN side IP address). This is pretty standard on most Linksys routers. Other manufacturers might use http://192.168.0.1 or http://192.168.2.1, or http://10.0.0.1, for example. Consult your pesky documentation for what you should use on your router. Once connected, you should be presented with a login dialog that looks similar to this. Enter the router's administration password and press OK. The default password on Linksys routers is usually "admin" with no userid. You should then see your router's home page. Take a few minutes, poke around and familiarize yourself with the way your router's website works and where the various pages and options are. One important thing to note with Linksys routers, once you make a change to an option, be VERY CERTAIN to click on Save Settings at the bottom of the page or you will never actually turn that option on. So anywhere I say change an option, remember to hit Save before you continue to another page or the change will be lost.

Posted by
Networking Expert
Member Since: ‎07-28-2003
Posts: 24,238

Re: How to Secure a Wireless Router

If you are using a Comcast supplied Xfinity Gateway, then there is a sticker on it that has all the access details. By default, the gateway sits at http://10.0.0.1. If that doesn't work, then either you are using some other gateway or the default address has been changed. In any case, this thread is VERY SPECIFIC, it's about using a Linksys WRT54G and the examples are ALL about that particular model. It was written many years ago, long before Comcast came up with their crappy gateways.

 

The link to the User Guide for the Comcast Xfinity Wireless Gateways is:

 

http://media2.comcast.net/anon.comcastonline2/support/userguides/Wireless_Gateway_User_Guide_030811....

Posted by
New Visitor
Member Since: ‎03-18-2013
Posts: 1

Re: ctRe: How to Secure a Wireless Router

If you buy a router, in the long run, you will save money as they do charge a rental fee. You should find a web site that will walk you through it, and the instructions that come with the new ones are pretty good. Of course I do not know at what level your understanding is, but you can set one up without security quite easily. That is only if you are far from anyone else. In almost, if not all, you should set it up with security. Most Routers have an option for the router to set it up, just use a flash drive to, once you have your first computer set up, to take everything you need (information) to your next computer, and so forth, etc.

Posted by
Connection Expert
Member Since: ‎12-24-2003
Posts: 46,209

Re: ctRe: How to Secure a Wireless Router


DimNull wrote:

If you buy a router, in the long run, you will save money as they do charge a rental fee.


FWIW, they no longer supply straight routers but they do lease combo modem / router gateway devices. NOT RECOMMENDED AT THIS TIME !!! THEY ARE GARBAGE !!!

Posted by
Recognized Contributor
Member Since: ‎03-15-2013
Posts: 146

Re: ctRe: How to Secure a Wireless Router

My gateway modem works just fine but I had to change a couple of settings on it for the connection to be stable. For the average consumer though it would be bad, so I don't necessarily recommend it either if you already have a good router to use.

Posted by
Connection Expert
Member Since: ‎12-24-2003
Posts: 46,209

Re: ctRe: How to Secure a Wireless Router

Standard spiel;

 

Just look around the forums and you'll see that there are boatloads of issues with the current crop of CC supplied gateways !!

There is always an inherent disadvantage with these. Combo gateway devices are always a compromise in both quality and performance compared to separate units. Also, only the ISP can update the firmware so you are always a prisoner of that / them. And the firmware is typically crippled by the ISP's customizing of it and they typically eliminate valuable features.

One of the biggest issues with them is that it is far more difficult to diagnose connectivity issues when it comes to troubleshooting. You can't narrow things down by using the process of elimination by removing just the router from the path. And if either segment fails / malfunctions, you have a total failure. I think that CC made a big mistake when they changed their policy and decided to start supplying them instead of dedicated devices. The suits seem to think that this will save them money for support costs but I think that they are getting far more support calls/complaints than ever... We certainly are seeing far more complaints in forums now !

Get separate units and keep the control of your home network in your hands instead of theirs, you'll be much happier !

Posted by
Contributor
Member Since: ‎03-18-2013
Posts: 7

Re: ctRe: How to Secure a Wireless Router

On the best modem, Cox, which I have in AZ winter home, does not rent, you go out and buy it and its easy- At Target, Walmart, office Max, Best buy etc.

 

I wish Comcast did the same.

 

 

 

Posted by
Contributor
Member Since: ‎03-19-2013
Posts: 6

Re: How to Secure a Wireless Router

Your link to the gateway manual is what I needed, thank you!

Posted by
Regular Contributor
Member Since: ‎01-08-2013
Posts: 33

Re: How to Secure a Wireless Router

Until the last couple weeks I ran the shields up program from this site.

GRCPort Authority

https://www.grc.com/default.htm

 

 

and it would always come up stealth on my ports.  Now ports 80, 23, and 443 are listed as closed

 

I wonder what changed on my router or Comcast.  I checked other sites and I get the same result.

I have my SMCD3GNV router firewall set at Maximum Security (High)

 

I also would like to know if there is a way to set Wireless MAC filtering on my  SMC SMCD3GNV router

Posted by
Regular Contributor
Member Since: ‎03-18-2005
Posts: 71

Re: How to Secure a Wireless Router

Please note that Win 8.1 with MSIE 11 will not allow you to enter the gateway. You require FireFox or other browser.

Peter

Posted by
Regular Contributor
Member Since: ‎03-18-2005
Posts: 71

Re: How to Secure a Wireless Router

I miss my Belkin but the tech brought a gateway instead of a modem by the house.

I loved that little router.
