There is no anti-virus software for routers. No matter how secure your mobile devices, desktop computers or other electronic devices might be, having an unsecured router still makes you susceptible to malicious attacks.
A router is an interface between the internet and all your computing devices. It can hence be thought of as an interpreter. If the interpreter itself is malicious, then one can only imagine the things that can go wrong.
Router Security is a less-talked-about topic but is as important as installing anti-virus software on your computer. A hacked router can let a malicious person:
• Hijack your DNS,
• Cause a denial of service attack,
• Download malicious copies of software,
• Spy on your activities,
• Slow down your internet connection,
• Hack files that are being transferred, and
• Ultimately access the computers connected via the LAN of the router.
There are many side effects of neglecting router security. It is hence crucial for every internet user to do the right thing by making router security an important concern and by applying whatever methods possible, to ensure privacy and online security.
Since it is now established that router security is essential for every internet user, let us go into the details of how you can ensure it.
Step 1: Picking the right Router
You cannot secure a router if it is not appropriately chosen. Picking the right kind of router is the first step you can take towards router security.
Most people tend to use the router provided by their Internet Service Provider (ISP). The only advantage of doing this is the fact that you can call your ISP for any issue that arises in your internet connection. The downsides to using it, however, are many:
• Devices shipped by ISPs are poorly configured initially and poorly maintained. A device installed with a default password is certainly not the right option for you
• Some ISPs can spy on your data for their own use or by co-operating with spy agencies and governments.
• Some ISPs do not allow you to update the firmware or change DNS servers of the router
• ISPs generally provide a single router; hence you will have no emergency backup in case of failures
• A common type of router, provided by an ISP to millions of customers, is an easy target for malicious users
A consumer router is a better alternative to ISP provided routers but is still not the best option. The most secure option to choose is hence a commercial router meant for small businesses.
When choosing a router, think of the long-term benefits that you obtain by using it. While the upfront cost of the router might seem like a huge investment, it is still a better option than compromising your security.
A router can only get as secure as the features it offers. It is not recommended to buy used routers as the software might have been modified maliciously. When choosing the correct router, consider the inclusion of these security features:
WPS (Wi-Fi Protected Setup) is not as good as it sounds. It is an easy-to-use and easy-to-bypass feature that allows malicious users to enter an eight-digit PIN to access the router. The PIN is printed on the router itself. Once someone gets access to your PIN, you can change the network password or network name, but the validity of the PIN still remains intact.
Therefore, anyone who gets access to the PIN printed at the base of your router can access your router forever.
If a router uses WPS, it is not good enough. Check if WPS can be turned off. Proceed only if WPS is absent or can be disabled in your router.
WPA2 encryption is good. However, one must consider some other points when looking for a secure router. Keep the following points in mind:
• Verify if your router offers WPA2 exclusively and not the combination of WPA2 and WPA
• A router that uses AES or CCMP is also as secure as the one that uses WPA2 encryption
• Ensure that your router does not use TKIP
• Look out for routers that offer WPA2 Enterprise support. This usually means that the router allows every Wi-Fi user to set their own user id and password. A RADIUS server is required to handle these user ids/passwords. This option might be a high bar for most people, but it is the best encryption mechanism possible
Local administrative access
Another aspect of determining the security of a router is its local administrative access mechanisms. A secure router must:
• Limit access based on LAN IP address or by MAC address
• Limit the number of logons and allow only a single computer to log into it at once
• Lockout after repeated failed login attempts
• Create audit logs for every login attempt
• Timeout and allow you to set a timeout period
• Restrict access based on the SSID
• Allow you to log out
Remote administrative access
Remote administrative access in your router should be off by default. A secure router must:
• Limit remote administrative access to HTTPS
• Allow you to change the port number
• Allow you to restrict access on the basis of the source IP address or source network
• Timeout the running session after a certain timeout time
Be wary of routers that employ default passwords. Default passwords can look random, but they are generated by a specific formula. Once someone understands this formula, the rest is easy.
Check if the router forces you to provide a new non-default password for logging into the router. Additionally, check if the router forces you to provide non-default passwords for each new Wi-Fi network. Choose the router only if the two conditions are met.
A secure router must allow the options to:
• Schedule turning off the Wi-Fi at night and turning it back on in the morning
• Use the Wi-Fi ON/OFF button
The bottom line is that the router should make it easier to disable a Wi-Fi connection when it is not required.
Monitoring Attached Devices
Another feature of a good router is the ability to monitor the devices connected to it. A good router:
• Lists all the attached devices
• Allows you to list both DHCP assigned devices and devices with static IPs
• Allows you to list devices grouped by Wi-Fi network
• Allows you to monitor the bandwidth usage of each device
A good router’s firewall should:
• Close all ports on the WAN/Internet side
• Allow you to create outgoing firewall rules
Listed below are other good to have features which can help you make the right choice.
• Factory Reset
Look out for a router that allows you to factory reset it and erase all personal data from it.
A good router logs unsolicited incoming connections, failed login attempts, internet accesses and changes made to the configuration.
Another parameter that can help you determine the right router for you is its ability to make firmware updates.
• HNAP (Home Network Administration Protocol)
The HNAP has been the baseline for many router flaws. A secure router does not support HNAP.
• Port Forwarding
Make sure that your router limits port forwarding by IP address. It is better if your router allows you to schedule port forwarding.
• Router Admin Password
The router admin password should not be too short and must allow the maximum password length to be at least 17 characters. A router should also defend itself against brute force password guessing.
Step 2: Configuring the router securely
Once you select the right router of your choice, it is time to configure the router as securely as possible. The below mentioned short list of configuration tricks can do wonders for the security of your router:
- Change the default password of your router. Make sure that you do not use a dictionary word. Incorporate some numbers and special characters in your password. Also make sure that the password is not something as trivial as the name of something you love, or the name of your hometown.
- Ensure that the encryption mechanism used is WPA2 with AES. The password of your Wi-Fi network should be at least 16 characters long. Again, make sure to set a password that is not easy to guess.
- Turn off UPnP (Universal Plug and Play). While UPnP was initially designed to be used on a LAN, some routers implement it on the Internet too. There have been security issues with routers in the past because of UPnP, hence turning it off is the best way to ensure that your router is secure.
- Choose a sensible SSID (Service Set Identifier). Using a default SSID makes it easier for malicious users to crack the WPA2 encryption. Choose a network name that does not give away your personal information.
- Turn off WPS. It is actually better to choose a router that does not support WPS at all. If it does support WPS, make sure to turn it off.
- Turn off Remote administration.
- Check for new firmware occasionally. If your router does not release new versions of firmware, it might be the right time to switch to a new router.
- Use a Guest Network. Use a password protected Guest Network for guests and also for IoT devices.
- Test your router. Use available online testers to test the port information of your router.
The steps mentioned above are just the basic things you can do to ensure that nobody accesses your router or installs malicious software in it. If you are actually a freak for security, there are a number of other methods that you can employ to make your home router a fortress that can guard the electronic devices that connect to the web through it. Choose and implement anything from the list below:
- Change the user id of the router. That is if your router lets you.
- Change the default DNS servers that your router provides you. ISP-assigned DNS servers are usually the worst when it comes to security. It is better to use the DNS of a company that specializes in it.
- Turn off unused features. This is a good way to reduce the attack surface. The features that are better turned off are remote administration, web access from WAN, Telnet, SNMP, NAT-PMP and Remote GUI.
- Change the router’s LAN IP address. It is better to change the subnet of the LAN side as a whole. Doing this prevents router attacks.
- Lock down the access to the router from the LAN side.
- Turn off Ping reply. Test this implementation by having someone outside your network ping your public IP address.
- Block the ports used by Windows file sharing. It is also a good idea to prevent network printers from making outbound connections.
- Disable the analytics on your router. You would not want your router company spying on you, so it is better to turn off the analytics feature in your router’s firmware releases.
- Use a clean web browser session to administer routers with a web interface. Start the browser, work on the web interface of the router, and shut down the browser after you are done with the administrative activities. The better option would be to use a private browsing mode.
- Always backup your configurations. If you have to reset the router at some time, you can restore the last backed up state of the router.
Step 3: Ongoing care for the router
After initially configuring the router, it is also essential to monitor your router configuration regularly. There are a number of methods that can be adopted to ensure that your router’s security has not been compromised.
- Updating the router
Check if your router self-updates regularly or not. Check for the availability of new firmware updates every month. If your router has the self-updating feature, make sure that the system is actually working as expected and if the new updates are actually worth using. There can be major security loopholes in some security updates. It might be a good option to revert the updates in such cases.
- Rebooting the router
When a router gets infected with malware, the infection is sometimes very difficult to get rid of. However, most infections are temporary and simply rebooting the router can help you get rid of the infection. Make sure that you reboot your router every week or every month, in order to remove this kind of malware on a regular basis.
- Checking the list of attached devices
Every router has the functionality of displaying the attached devices. Make sure that you check this list now and then and validate the list against the number of devices that your network actually uses. Some routers also offer the capability of assigning names to these devices.
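One way to automate this validation, as an added example that is not part of the original article: the script compares a DHCP lease table against an inventory of devices you own. It assumes the router exposes leases in dnsmasq's IPv4 lease-file layout; the sample leases, the inventory and all function names are constructed for illustration.

```python
# Added example: audit a DHCP lease table against a known-device inventory.
import re

# Constructed sample in dnsmasq's IPv4 lease layout:
#   <expiry epoch> <MAC> <IP> <hostname or *> <client-id or *>
SAMPLE_LEASES = """\
1735689600 3c:22:fb:10:20:30 192.168.7.21 laptop 01:3c:22:fb:10:20:30
1735689600 B8:27:EB:AA:BB:CC 192.168.7.22 raspberrypi *
1735689600 da:a1:19:01:02:03 192.168.7.23 * *
1735689600 00:11:22:33:44:55 192.168.7.24 camera *
"""

# Hypothetical inventory kept by the network owner (lower-case MAC -> name).
KNOWN_DEVICES = {
    "3c:22:fb:10:20:30": "Work laptop",
    "b8:27:eb:aa:bb:cc": "Raspberry Pi",
}

MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}")


def normalize_mac(mac):
    """Return the MAC in lower case, or None if it is not well formed."""
    mac = mac.lower()
    return mac if MAC_RE.fullmatch(mac) else None


def is_locally_administered(mac):
    """True when bit 0x02 of the first octet is set (randomized/private MAC)."""
    return bool(int(mac[:2], 16) & 0x02)


def audit_leases(lease_text, known):
    """Return (mac, ip, hostname, note) for every lease not in the inventory."""
    findings = []
    for line in lease_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank, truncated or non-lease line
        mac = normalize_mac(fields[1])
        if mac is None:
            findings.append((fields[1], fields[2], fields[3], "malformed MAC"))
        elif mac not in known:
            note = "randomized MAC" if is_locally_administered(mac) else "unknown device"
            findings.append((mac, fields[2], fields[3], note))
    return findings


if __name__ == "__main__":
    for finding in audit_leases(SAMPLE_LEASES, KNOWN_DEVICES):
        print(*finding)
```

Devices configured with static IPs never appear in a DHCP lease table, so the router's full attached-device list still needs a manual look for those.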
- Checking the status of DNS servers
A common attack against routers is maliciously changing the DNS servers. It is hence important to continuously check and ensure that your DNS servers have not changed. You can configure a DNS server on your own computer. Doing this ignores the DNS configuration present in the router. This is especially useful when you use public Wi-Fi networks. However, some routers override the DNS configuration of the computer and force the computer/laptop to use its own configuration. Hence, it is important to know the kind of router you possess and periodically check the DNS server configuration of your devices.
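The periodic device-side check described above can be scripted. This added example (not from the original article) classifies each resolver in resolv.conf-style text against the resolvers you chose. The sample file, the expected resolver addresses (documentation-range placeholders) and the router address are assumptions.

```python
# Added example: compare a device's configured DNS resolvers to an allowlist.
import ipaddress

# Constructed resolv.conf content; on a Unix-like system read /etc/resolv.conf.
SAMPLE_RESOLV_CONF = """\
# Generated by the DHCP client
search home.example
nameserver 192.168.7.1
nameserver 203.0.113.53
nameserver not-an-ip
"""

# Assumption: the resolvers you deliberately configured (placeholder addresses).
EXPECTED = {"198.51.100.10", "198.51.100.11"}
# Assumption: the router's LAN address.
ROUTER_IP = "192.168.7.1"


def parse_nameservers(text):
    """Extract the address from every 'nameserver' line, skipping comments."""
    servers = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def check_resolvers(text, expected, router_ip):
    """Return {server: verdict} for every configured resolver."""
    verdicts = {}
    for server in parse_nameservers(text):
        try:
            addr = str(ipaddress.ip_address(server))
        except ValueError:
            verdicts[server] = "invalid"
            continue
        if addr in expected:
            verdicts[server] = "expected"
        elif addr == router_ip:
            # The device defers to the router, so the router's own DNS
            # settings decide where queries go and must be checked there.
            verdicts[server] = "router"
        else:
            verdicts[server] = "unexpected"
    return verdicts


if __name__ == "__main__":
    for server, verdict in check_resolvers(SAMPLE_RESOLV_CONF, EXPECTED, ROUTER_IP).items():
        print(f"{server}: {verdict}")
```

A "router" verdict on a device where you set your own DNS servers indicates that the router is overriding the device's configuration, the case the paragraph above warns about.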
- Checking the logs of the router
If your router offers logging facilities, it is recommended that you continuously check the logs for unsolicited incoming connections, failed login attempts, internet accesses and changes made to the configuration.
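A sketch of such a log review, added here as an example and not taken from the original article: it sorts log lines into failed logins, unsolicited incoming connections and configuration changes, and raises alerts for repeated failed logins from one source and for any configuration change. Router log formats differ by vendor; the log lines and patterns below are constructed and hypothetical.

```python
# Added example: triage router log lines into the categories listed above.
import re
from collections import Counter

# Constructed log lines in a hypothetical format; adapt to your router.
SAMPLE_LOG = """\
Jan 12 02:14:07 router httpd: login failed for user admin from 192.168.7.44
Jan 12 02:14:09 router httpd: login failed for user admin from 192.168.7.44
Jan 12 02:14:12 router httpd: login failed for user admin from 192.168.7.44
Jan 12 02:20:31 router firewall: DROP IN=wan SRC=203.0.113.9 DST=198.51.100.2 DPT=23
Jan 12 03:01:55 router config: dns1 changed from 198.51.100.10 to 203.0.113.53
Jan 12 08:30:00 router httpd: login ok for user admin from 192.168.7.21
"""

# Hypothetical patterns that match the constructed format above.
PATTERNS = {
    "failed_login": re.compile(r"login failed for user (\S+) from (\S+)"),
    "unsolicited_inbound": re.compile(r"DROP IN=wan SRC=(\S+) .*DPT=(\d+)"),
    "config_change": re.compile(r"config: (\S+) changed from (\S+) to (\S+)"),
}


def triage(log_text, failed_threshold=3):
    """Return (events, alerts): captured fields per category plus alert strings."""
    events = {name: [] for name in PATTERNS}
    for line in log_text.splitlines():
        for name, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                events[name].append(match.groups())
                break
    # Repeated failures from one address suggest password guessing.
    per_source = Counter(src for _user, src in events["failed_login"])
    alerts = [
        f"repeated failed logins from {src} ({count})"
        for src, count in per_source.items()
        if count >= failed_threshold
    ]
    # Every configuration change is worth confirming against what you did.
    alerts += [
        f"setting {key} changed: {old} -> {new}"
        for key, old, new in events["config_change"]
    ]
    return events, alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG)[1]:
        print(alert)
```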
All in all, router security is not limited to buying a good router and configuring it one-time. New router threats are emerging every day and are posing serious threats to personal privacy and security. It is essential to keep yourself updated with router flaws, and periodically check your router security parameters to avoid compromising your personal information.