Routers and Wireless security
With the rapid increase in all-in-one combined ADSL modems/routers/wireless access points, a few hints and tips on securing them would seem appropriate. The following list is a general guide to what to look for. Some options may not be available on all routers, whilst other routers may have more. The key is to understand what you are doing AND why you are doing it. If you are unsure about any changes you might make, you can always make a note of the settings beforehand just in case, or ask on the forums.
All routers come with a default administrative username and password, the details of which are readily available on the Internet for all models. Change this immediately. A strong password will contain random numbers and letters and will be at least 10 characters long, but even 2 small words with a couple of numbers in between go a long way. If you lose or forget this you “should” be able to do a hard reset of the router to set it back to shipping condition.
Be careful with virtual servers (port mappings/reserved mappings). If you’re not running an FTP server there is no need to set up a virtual server on port 21 for example. If you are trying to set up a service but aren’t sure what ports it uses then do a little research first. If you have been running a service and no longer need it then remove or disable the virtual server. Don’t leave an open door.
Triggers (possibly called something else on your router) are often required by online games or instant messaging programs. If a security trigger is set for port 1720, then data going out on that port fires the trigger, and ANY traffic back on ANY port from the destination (that destination ONLY) will be forwarded to the local client. Once the link is broken by either party, the trigger is reset and further traffic from the destination at a later date is blocked. Enable them if you need them for a specific purpose and then disable them until they are needed again.
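The trigger behaviour described above, modelled as a small state table so you can see exactly what is forwarded and when. This is an added example, not code from any router vendor; the class, method names and addresses are made up, and real routers differ in detail.

```python
class PortTrigger:
    """Toy model of one trigger rule as this guide describes it (hypothetical names)."""

    def __init__(self, trigger_port):
        self.trigger_port = trigger_port
        self.active = {}  # remote destination -> LAN client that fired the trigger

    def outbound(self, client, remote, dst_port):
        """A LAN client sends data out; fire the trigger if the port matches."""
        if dst_port == self.trigger_port:
            self.active[remote] = client

    def inbound(self, remote, dst_port):
        """Return the LAN client the traffic is forwarded to, or None if blocked.

        dst_port is deliberately ignored: while the trigger is active, ANY port
        is forwarded, but only for the destination that was contacted.
        """
        return self.active.get(remote)

    def link_closed(self, remote):
        """Either party broke the link: reset the trigger for that destination."""
        self.active.pop(remote, None)

    def exposed_clients(self):
        """LAN clients currently reachable on every port by some remote host."""
        return sorted(set(self.active.values()))


def demo():
    """Walk one session through the rule and record each forwarding decision."""
    rule = PortTrigger(1720)
    game_server, stranger, pc = "203.0.113.10", "198.51.100.7", "192.168.1.20"
    steps = [rule.inbound(game_server, 5004)]       # before the trigger: blocked
    rule.outbound(pc, game_server, 1720)            # fires the trigger
    steps.append(rule.inbound(game_server, 5004))   # any port, this host: forwarded
    steps.append(rule.inbound(stranger, 5004))      # any other host: blocked
    steps.append(rule.exposed_clients())            # who is open while it is active
    rule.link_closed(game_server)
    steps.append(rule.inbound(game_server, 5004))   # after reset: blocked again
    return steps


if __name__ == "__main__":
    print(demo())
```

The fourth step is the reason to disable triggers you are not using: while one is active, the local client is open on every port to that destination.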
This next one is not always the easiest to do, but it can reap benefits with the introduction of new features. Check for the latest firmware for your router. This will be available from the manufacturer's website and will include bug fixes and possibly new features, leading to a more stable and secure connection.
On a small network (and let’s face it, not many of us have more than 3 or 4 PCs/laptops at home), do we really need a DHCP server? The answer is no (with the exception outlined below), so turn off your DHCP server and assign static IP addresses to your PCs. Should someone manage to connect to your router, they will not receive all the connection details, making their life that much harder.
So now for the exception and the solution. The company laptop is great. You can use it at work, bring it home and still surf the Internet, email etc. using your broadband connection. This happens either by using DHCP or by manually setting the IP address every time you use it at home, which is a bind. If you must use DHCP for this reason, then use MAC address filters to secure your network. A MAC address is a unique value hardcoded onto every network card by the manufacturer and cannot be changed, so setting filters to only allow the MAC addresses for the cards you use is a great way to secure your network.
Wireless security is very important because, left unsecured, wireless is probably the easiest way into a router. Make sure that authentication is enabled and check which type. For 802.11b or 802.11g you should try to use WPA if possible, with a complex passphrase. If this is not possible then at least use 128 bit WEP (Wireless Encryption Protocol). Whilst WEP is fairly weak, it is better than nothing. Use a strong encryption key (random letters and numbers) and change it regularly.
Make sure you change the SSID (Service Set Identification) and block this from being broadcast if possible. The SSID is basically a friendly name you assign to your wireless connection. If this is being broadcast then anyone within signal range will know that your wireless connection exists, thus making it easier for them to try to use the connection.
If you only use your wireless connection at weekends, for example, or if you have a wireless-capable router but no wireless devices yet, then disable the wireless capability until you need it.
Be proactive. Check the router's log files to look for any suspicious activity. Ensure that Remote Management is not enabled and that you block pings from the WAN side of the router. If your PC is running UPnP then disable that too. It can unnecessarily open ports when you may not need them.
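One way to go through a saved router log for the things this guide warns about, as an added example that is not part of the original guide. The log format, the sample lines, the LAN range and the list of known MAC addresses are all constructed for illustration; adapt the patterns to whatever your router actually writes.

```python
import ipaddress
import re

# Constructed sample log in a made-up format; real router logs vary by vendor.
SAMPLE_LOG = """\
2024-05-01 08:02:11 DHCP lease 192.168.1.20 to 00:11:22:33:44:55
2024-05-01 08:15:40 ADMIN login failed user=admin from 192.168.1.20
2024-05-01 09:30:02 ADMIN login ok user=admin from 203.0.113.50
2024-05-01 09:31:17 UPNP add mapping tcp 6881 -> 192.168.1.20:6881
2024-05-01 10:05:09 DHCP lease 192.168.1.37 to 66:77:88:99:aa:bb
2024-05-01 10:06:00 WLAN assoc 66:77:88:99:aa:bb
"""

KNOWN_MACS = {"00:11:22:33:44:55"}              # assumption: the cards you own
LAN = ipaddress.ip_network("192.168.1.0/24")    # assumption: your LAN range
MAC = r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})"

def from_wan(m):
    """True when the admin page was reached from outside the LAN."""
    try:
        return ipaddress.ip_address(m.group(1)) not in LAN
    except ValueError:
        return True  # unparseable source address: flag it for a human to check

def unknown_mac(m):
    return m.group(1).lower() not in KNOWN_MACS

# (label, pattern, optional extra check on the match)
RULES = [
    ("admin login from outside the LAN",
     re.compile(r"ADMIN login \w+ user=\S+ from (\S+)"), from_wan),
    ("failed admin login", re.compile(r"ADMIN login failed"), None),
    ("UPnP opened a port", re.compile(r"UPNP add mapping"), None),
    ("unknown MAC address",
     re.compile(r"(?:DHCP lease \S+ to|WLAN assoc) " + MAC, re.I), unknown_mac),
]

def review(log_text):
    """Return (label, line) for every log line that matches a rule."""
    findings = []
    for line in log_text.splitlines():
        for label, pattern, check in RULES:
            m = pattern.search(line)
            if m and (check is None or check(m)):
                findings.append((label, line))
    return findings

if __name__ == "__main__":
    for label, line in review(SAMPLE_LOG):
        print(f"[{label}] {line}")
```

A finding of "admin login from outside the LAN" means Remote Management is switched on, and "UPnP opened a port" means a device on your network asked the router to forward a port.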
This guide was written with the intention to help you. Please do not rely on this guide being 100% accurate, as different types of setups may not conform to the above guide. If you have any questions regarding this guide, please contact us. Please note we take no responsibility for any circumstances that may arise as a result of changes an individual makes to their systems as a result of this guide.