In order to configure your wireless router, you first need to access it via its private IP address within the local network. Each router has a so-called public IP address that identifies it from the outside to all other PCs that communicate with it, and this IP address is unique for each device directly connecting to the internet (such as the router in question). Think of it as the public phone number of a company, one that you’d have to call before you get to the particular person you want to reach. On the other hand, within your local network, the router assigns a separate, private IP address (from the following pools: 192.168.*.*, 172.16-31.*.* and 10.*.*.*, “*” being any number from 0 to 255) to each client device (usually a PC) within the network itself. Following the previous analogy, these would be the separate phones in each office that the operator can reach by code when a call from the outside is received. Since the vast majority of routers have a web-based (HTML) configuration interface, the settings are accessed from a web browser. Instead of a typical web address, we’ll type in the default private IP address of our router (usually 192.168.0.1). Afterwards, a login prompt will be displayed, asking for a username and password (usually “admin” and “admin” by default). This information is always contained in the user manual that comes with the router itself. Once you’ve logged in, the main router configuration window is displayed.
There are several ways to restrict access to your wireless router, and on most occasions you’ll be able to use several of them in conjunction. The first thing you can do is to turn off public broadcasting of the network’s SSID (simply put, its public name), under the option called “SSID Broadcasting”. Once this is done, your network won’t appear in the list of available wireless networks when a network adapter scans for them. However, this goes for both intruders and your own PCs, so you’ll have to enter the network’s name manually in order to connect to it. Bear in mind that the network name (SSID) is always case-sensitive, which means that “mynetwork” isn’t the same as “MyNetwork”. This feature isn’t sufficient on its own, however, as it still enables access to anyone that finds out the name of the network (for example, by seeing it before it becomes hidden); it’s just the first step and a desirable precaution, handy for use with other types of protection.
Each network device (card), whether it’s located in a PC, mobile phone or any other device, has a unique ID, called the MAC address (written in either of the following formats: 00-16-A5-8F-A0-75 or 00:16:A5:8F:A0:75). In turn, each router has a configurable list of allowed (or banned) MAC addresses, and therefore devices, so that the user can selectively allow only particular devices to connect to the network. In practice, if you opt for this protection method, you’ll manually enter the MAC addresses of all allowed devices on the network, thereby automatically banning all others from using the network/internet. You can find the MAC address of a particular PC in Windows by going to Start -> Run, entering “cmd” (no quotes), pressing Enter, and then typing in “ipconfig /all” (no quotes). What you’ll get is a list of all network devices in the PC and their MAC addresses (also known as Physical Addresses), sorted by name. Once you’ve located the MAC address of the network adapter in question, you can copy it to the router’s configuration window and select “allow” (or “deny” if needed). This protection method is very secure, albeit not impenetrable, since the network-savvy could theoretically get past it by cloning the MAC address. If such a person finds out a single MAC address from your “white list” in some way, he/she will be able to use special software to “clone” it, which means to send a fake MAC address to your router, impersonating your own PC. However, the vast majority of PC users will find this protection method to be entirely sufficient.
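As an added example (not part of the original article), the Python code below pulls the Physical Address lines out of “ipconfig /all” output and normalizes them to either of the two formats shown above, so that entries typed into the router’s allow list compare equal regardless of case or separator. The sample output is constructed, English-language Windows output is assumed, and all function names are hypothetical.

```python
import re

# Constructed sample of English-language "ipconfig /all" output (not from a real PC).
SAMPLE = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Physical Address. . . . . . . . . : 00-16-A5-8F-A0-75

Wireless LAN adapter Wireless Network Connection:

   Description . . . . . . . . . . . : Example Wireless Adapter
   Physical Address. . . . . . . . . : 00-1B-2C-3D-4E-5F

Tunnel adapter isatap.example:

   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
"""

# Exactly six octets, with one consistent separator ("-" or ":").
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([-:])[0-9A-Fa-f]{2}(?:\1[0-9A-Fa-f]{2}){4}$")


def normalize_mac(text, sep=":"):
    """Return a 6-octet MAC in upper case with the chosen separator, or None."""
    text = text.strip()
    if not MAC_RE.match(text):
        return None  # wrong length (e.g. 8-octet tunnel IDs) or stray characters
    return sep.join(re.split(r"[-:]", text.upper()))


def adapters_from_ipconfig(output):
    """Map adapter name -> normalized MAC for each adapter with a 6-octet address."""
    result, current = {}, None
    for line in output.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]  # unindented "...:" line = adapter name
        elif current and line.strip().startswith("Physical Address"):
            mac = normalize_mac(line.split(":", 1)[1])
            if mac:
                result[current] = mac
    return result


def is_allowed(mac, allow_list):
    """Compare a MAC against an allow list, ignoring case and separator style."""
    wanted = normalize_mac(mac)
    return wanted is not None and wanted in {normalize_mac(m) for m in allow_list}
```

The tunnel adapter in the sample is skipped because its identifier is eight octets long and is not a value a router’s MAC filter would accept.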
Another protection method on wireless networks is encryption - protecting the data that’s being sent/received at the data level itself. There are several standards used to protect wireless network traffic, with the most popular choices being the somewhat obsolete WEP, as well as the more modern WPA/WPA2 and WPA-PSK/WPA2-PSK. Without delving into details on how each of these works, let’s just say that, once activated, they prevent access to the router to anyone that doesn’t know the exact key needed to connect to the network. The WEP key is a password of sorts, allowing access to the network, and you can have up to four such separate keys active at the same time. The keys are input either in the hexadecimal format (consisting of digits 0-9 and letters A-F), or, on more recent models, as ordinary letters. The encryption can be 64-bit (10 hexadecimal characters or 5 ordinary letters), 128-bit (26 hexadecimal characters or 13 letters) or even 152-bit (32 hexadecimal characters or 16 letters). More bits mean better protection, but also a longer password to remember. WPA(2) offers stronger encryption algorithms, such as AES and TKIP, with additional authentication control via a separate RADIUS server, the parameters of which also need to be entered (IP address, port and password). WPA(2)-PSK works the same way, except that the authentication process is regulated by the router itself by PSK (Pre-Shared Key) - a key of 8-63 characters in length, which is basically the password used to connect to the router.
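The key lengths listed above can be checked before a key is typed into the router. The following Python code is an added example, not part of the original article, and its function names are hypothetical: it classifies a WEP key by the lengths given in the paragraph, converts ordinary letters to their hexadecimal form, and checks a WPA(2)-PSK passphrase against the 8-63 character rule. Two details are not from the article: the nominal WEP strength includes a 24-bit initialization vector, so the secret part is 24 bits shorter (4 bits per hexadecimal digit), and the printable-ASCII rule for passphrases comes from the WPA standard.

```python
import string

# From the paragraph above: nominal WEP strength -> (hex digits, ordinary letters).
WEP_LENGTHS = {64: (10, 5), 128: (26, 13), 152: (32, 16)}
HEX_DIGITS = set(string.hexdigits)


def classify_wep_key(key):
    """Return (nominal_bits, format, hex_form, secret_bits) or None if invalid."""
    for bits, (hex_len, ascii_len) in WEP_LENGTHS.items():
        if len(key) == hex_len and set(key) <= HEX_DIGITS:
            hex_form, fmt = key.upper(), "hex"
        elif len(key) == ascii_len and key.isascii() and key.isprintable():
            # Ordinary letters are used as raw bytes: one letter = two hex digits.
            hex_form, fmt = key.encode("ascii").hex().upper(), "ascii"
        else:
            continue
        # Each hex digit carries 4 bits; the remaining 24 nominal bits are the IV.
        return bits, fmt, hex_form, len(hex_form) * 4
    return None


def check_psk(passphrase):
    """Return a list of problems with a WPA(2)-PSK passphrase (empty = acceptable)."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("length must be 8-63 characters")
    if not (passphrase.isascii() and passphrase.isprintable()):
        problems.append("use printable ASCII characters only")
    return problems
```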
Another step in further securing your router is to turn off its DHCP function. This service automatically assigns private IP addresses to all clients that connect to the router, whether wirelessly or via a LAN cable. If you turn off DHCP, you’ll have to manually assign a private IP address to each device in your network, which may be a bit bothersome, but makes it nearly impossible to access the router in an unauthorised manner.
After you’ve made changes to any of the aforementioned settings, it’s advisable to restart the router, in order to make sure that all security changes have been applied properly; in fact, in some cases, the router will itself ask for permission to reboot. Despite their occasional weaknesses, all of the aforementioned security protocols are able to prevent unauthorised access on their own, even just turning SSID broadcast off. As far as more serious (some would say paranoid) users are concerned, the combination of all three is the best, since it would take an excessive amount of time and professional tools to penetrate them in conjunction, and let’s face it, no one’s internet is a good enough motive for such a thing.