Your connection to the Internet is the most vulnerable part of your online existence. It is on the edge of your network and is the front facing interface to all the major cyber threats. In particular the following common threats exist and take advantage of badly configured routers:
- Default settings passwords allowing someone to hack into the settings of the router and change anything
- Default WiFi passwords and encryption (or no encryption) allowing people to hack in remotely to your network
- Denial of Service (DoS) and its distributed variant DDoS shutting down your connectivity
- Network based penetration including the attacking of ports that have been left open by default
- Network functions such as Universal Plug and Play (UPnP), File Transfer Protocol (FTP), Remote Desktop Protocol (RDP) and Telnet to note a few
- Default FireWall settings allowing hackers to bypass basic safeguards.
If you are a large company, then you will have a team of people able to configure your network and keep it safe. However, if you are a small to medium size business, or a home worker/consumer then you will have to rely on your own knowledge which may be limited.
This guidance will introduce you to some of the basic precautions you can take as a novice, as well as some of the more advanced safeguards you can take once you understand the technology behind it. It is therefore focused on the home user and small/medium size business.
What is a Router?
A router is a small device that usually sits on a desktop near the broadband connection to your ISP. A typical consumer/small business Broadband/WiFi router looks a bit like this:
There are many different models of router that provide different built-in services, and have different configurations and cases. However the above image is a typical domestic router case design.
Routers normally come in few variants that connect to the internet in different ways:
- Digital Subscriber Line (DSL) protocol router that connects to your phone line (relatively slow by today standard by still in wide use)
- Cable Router that connects to a Cable Modem that in turn connects to your cable connection to provide your internet service (typically used for connecting to Virgin Media hubs in modem mode)
- Cable Modem/Router that is typically provided by your cable operator that performs both connection to the cable service and WiFi/Wired network connections.
Routers will typically have both WiFi connections as well as several wired ‘Ethernet’ connections. The Wired connections look a bit like an oversized phone connector and are called an “RJ45 Ethernet Connector”. If you use a desktop PC at work, you will typically connect to your company’s network using such a cable. They will also have a wired connection that connects to your phone line or your broadband service providers equipment in your home or office.
Take a look at the headline image for an example of what the back of your router looks like and the various wired connections it will probably have.
If you are in a home office, or possibly a small business, you will typically connect to the internet using a similar device. If you are a large business, your connectivity will be significantly more complex as the following picture shows:
If you are an enterprise, then the scale goes up significantly to multiple devices like the one above that will provide thousands of connections to a company’s headquarters and outlying offices.
For home users and small/medium size businesses you will typically rely on WiFi connections as wiring your office/home is not always possible unless this has been provided as part of a serviced office.
Going forward I will assume you are a home user or small/medium sized business using the basic router equipment. Large companies and enterprises have a lot more specialized resources to provide these enterprise scale services.
Basic Precautions – Non-Technical User
If you are a non-technical user, then at the very least make sure you take the following basic precautions:
- Change the default password on your router settings to be a strong password
- When you get in to your router settings, make sure Universal Plug and Play (UPnP) service is not active (may affect XBox/PlayStation connectivity, but this should be largely replaced by now)
- Make sure your WiFi password is a strong password and not the default
- Make sure you are using one of the following to encrypt your WiFi transmissions:
- WPA-PSK [TKIP]
- WPA2-PSK [AES] (typically the default)
- WPA-PSK [TKIP] + WPA2-PSK [AES]
- You can also hide your SSID (the name for your WiFi network) – most devices these days will connect to a hidden WiFi connection consistently, but you will need to reconnect all your devices if you hide an open SSID
- Reset your SSID to be a unique string that does not identify
- your or your household/office (e.g. not your your name or address)
- The router model
- Your ISP’s name
- you will need to reconnect all your devices in your home if you reset your SSID
- Where possible use a wired connection – it will be more secure and in all likelihood faster and more stable
- Make sure you have enabled the Fire Wall on the router.
There are a lot more technical steps you can take, but if you do the above it will be a fair way towards securing your network.
There are also some physical precautions you can take:
- Put your router away from public attention, preferably in a locked room that is not normally accessible to visiting clients
- Reboot your router every day to ensure anyone who has gained access is kicked off
- Rebooting your router also removes most malware that is installed since most router based malware cannot store itself on the router (see also below)
- Make sure any firmware updates are installed promptly as these may remove software vulnerabilities in the routers firmware (much the same as your PC/Phone).
It has been found that certain types of malware can embed themselves in the firmware of the router, which then gets reactivated when the router is rebooted. If you notice bad performance, or aberrant behaviors, then you will need to re-install the firmware from a clean image that has not been downloaded through the router in question. This will normally clear any malware, but there are cases where this has not been successful. In this case you will need to disconnect the router and replace it with a newer model.
More Advanced settings
In this section I want to go over some additional settings a typical novice user can address, as follows:
- Network Based (MAC Address) Filtering
- Setting up Network Addresses (IP Address).
A subsequent set of sections will get more technical.
Network Based (MAC Address) Filtering
A more advanced setting, but still in the realms of a relatively novice user, is to set up an access control list that depends on MAC addresses, sometimes called MAC Address Filtering.
The Media Access Control (MAC) address is is a 48bit alphanumeric address that uniquely identifies the network card in your device. It is unique to your device and will never be re-used. It is used to establish a connection between your device and a network router (WiFi router, Bluetooth, etc.). This is typically represented as a sequence of characters similar to F1:A2:CD:E4:5P:8K (in hexadecimal) and is normally found:
- Printed on your PC’s underside,
- On your WiFi router,
- In the settings app of your device or other utility programs (e.g. ipconfig on a PC).
Most routers allow you to set up specific device access that records the devices specific MAC address. If a device that does not have one of the configured MAC addresses when it tries to connect, it is rejected before any further authentication is done (e.g. providing the WiFi network password).
This is a relatively simple configuration to make. However, every time you bring a new device into your network you will have to locate and specifically configure the filter before the device will be able to connect to the network.
MAC Address filtering is also not a fail safe way of filtering your network connections. The MAC Address is typically transmitted to your router in an unencrypted form from your device. Anyone using a network protocol analyzer will be able to read the MAC address of all your connected devices and spoof one of these addresses on their own device. At this point they have broken through this barrier.
MAC Address filtering will typically defeat a casual user trying to get free WiFi from your home/business connection, but not a more tech savvy user or dedicated hacker. As a result it is of questionable benefit for the hassle it creates, but in my view is still a valid precaution. In an enterprise setting, this filtering can be automated and is part of commissioning a new device/PC on the corporate network.
One issue that may present itself is that some devices present a random MAC address every time it connects to a WiFi connection. Windows 10 has this capability, but is normally switched off by default. Android phones got this feature in Android version 10, released in the summer of 2019. I believe this is also enabled by default for the iPhone/iPad and is also available for Apple MAC computers (no direct reference as I don’t use them). However this can be switched off on Android and on Windows PC’s (not sure about iPhone/iPad/Mac).
Network Addresses (IP Address)
When your device connects to a router and passes all the authentication, your device will be provided with an machine readable address that is unique to your network. This is the IP (Internet Protocol) Address and is typically something like:
- 192.168.1.94 (IP version 4 address)
- fe80::c869:2023:ebcc:c2f7%5 (IP version 6 address).
The IP Version 4 address is in widespread use but is being superseded by the IP Version 6 address. This is because we can generate fewer IP Version 4 addresses than there are computers/servers connected to the internet and the IP Version 6 address provide a massive expansion of the number that can be assigned.
There are public addresses that you can lease and private addresses that are free, but can only be used internally and these are typically allocated by your router on a first come first served basis. IP Addresses are typically leased to the device by your router. Once the device disconnects (or when the lease time expires) the IP address is typically released back and can be allocated to the next device to connect.
Some routers allow you to pre-configure your IP address based on the MAC address (version 4 and 6). This is a dubious practice as this means your device has a fixed access point to the network which makes it vulnerable to attack. However in some cases it is important to have either a long lease, or a fixed IP Address, for servers and/or network management equipment. If you can get away with not configuring long lease/permanent IPA addresses, then please do.
If you are configuring a public WiFi network for your clients/home guests to use then allow the router to allocate the IPA address on a per connection basis dynamically.
Getting more Technical
I am going to get a bit more technical in terms of disabling specific ports and services on your router. This is more for the advanced user. I am also unable to show specific pictures of what these settings will look like on your router as every router’s user interface is different. If I showed you mine, firstly that might be a copyright infringement but more to the point I would be declaring my router model/version to the whole world, which is something I am not going to do. I also suggest you do the same.
The topics I am going to cover are:
- Internet Setup
- Wireless Setup
- WAN Setup
- LAN Setup
- QoS Setup
- Guest Network Setup
- Blocked Sites and Services including schedules
- Wireless Access Point
- Port Forwarding and triggering
- Dynamic DNS
- Static Routes
- Remote Management
- Universal Plug and Play (UPnP)
- VLAN and Bridge Setup.
I will now go over these in some detail under their own headings. These are often more technical settings that may require additional training to decide them for yourself, but I will be explaining the typical default settings that you should be using. If you have specific needs then you will have to get the required training to intelligently set these up.
On more modern routers there may be additional features that I am not covering. You will often find online help for these features, but if in doubt leave well alone.
This will allow you to configure the following for your Internet Service provider:
- Specific login information (username/password) for your ISP
- Internet (IP) Address
- Domain Name Services
- Router MAC Address.
Your ISP may require you to provide a username and password to allow connection to their service. In a lot of cases this is unnecessary for cable services, but may be required for others. This will be provided by your ISP.
Internet (IP) Address is the IPA address your router uses to connect to your ISP. The typical default is to get it dynamically from your ISP, but some routers will allow you to set up your own IP Address. If this is the case, your ISP will tell you what this address is.
Domain Name Services (DNS) are a number of servers on the Internet that allow you to translate a typical web address (WWW) to a specific IP address of the server on the internet that will provide the website you are looking for. You can set this up yourself, but typically this is set by your ISP. If you set them up yourself then you will be asked for the:
- Primary DNS Address
- Secondary DNS Address.
These are typically an IP Address and can be version 4 or 6 addresses. Some modern routers may also support encrypted DNS settings, but these are still not totally available since most ISP’s don’t support it yet.
The Router MAC Address will be set in the factory, but a lot of routers allow you to set this to a specific address. Unless you have a specific need to do this, I suggest this is left as the factory default.
In this section you will likely find the following:
- The ability to enable/disable the SSID broadcast – this may have different frequency settings (e.g. 5Ghz, 2.4Ghz)
- Security/encryption settings
- The ability to set the WiFi network password/key.
The SSID (Service Set Identifier) is your WiFi network’s name. It is what you see when you scan for WiFi networks on your device (see also the IEEE 802.11 standard for more technical details). The SSID does not need to be unique to your router, but does identify it. It is possible to set the SSID to a hidden mode, in which case in order for you to connect to it you will need to know the exact name as it won’t appear in any available WiFi networks.
Hiding the SSID is a sensible security precaution to stop people from causally trying to connect to your WiFi network. However, this is broadcast from your device in unencrypted text and anyone with a WiFi network analyzer will be able to see the SSID of the router you are connected to by inspecting your network traffic. As a result any tech savvy person, or dedicated hacker will be able to find this information easily.
You may find a means to select the WiFi Channel and the mode/speed of the WiFi connection. In some cases it is best to leave the WiFi channel at its default, unless you have analyzed the WiFi networks in your area to determine what channels they are working on. It is possible using this setting to set the WiFi channel to one that is less congested. This can be done using WiFi analyzers that can be download from your App store for your phone, but my advice is to leave this alone as you can end up with bad network performance with the wrong setting.
The mode/speed of a WiFi network should be set to the maximum supported by default and may be typically:
- 2.5Ghz network, 54Mbps, 145Mbps or 300Mbps
- 5Ghz network, 289Mbps, 600Mbps or 1300Mbps.
WiFi Encryption Options are typically the following:
- WPA-PSK [TKIP]
- WPA2-PSK [AES] (typically the default)
- WPA-PSK [TKIP] + WPA2-PSK [AES]
- WPA/WPA2 Enterprise.
The default for a home/small business router is WPA2-PSK [AES]. You would only need WPA/WPA2 Enterprise if you were connecting to an enterprise network that used the higher standards this provides.
UNDER NO CIRCUMSTANCES set it to None as this will mean you are communicating to your router unencrypted and anyone using a WiFi network analyzer will be able to see everything you are sending over your WiFi connection. This is the usual mode for public WiFi which is why this is so insecure.
The WiFi network password/key is the WiFi password you will need to enter when you connect to the router via WiFi. This needs to be a complex password, but one that you can easily type. This is the key to your network, which should not be written down or disclosed.
In this section you may find the following:
- Disable Port Scan and DoS protection
- Default DMZ Server
- Respond to Ping on Internet Port
- Disable IGMP Proxying
- MTU Size
- NAT Filtering
Disable Port Scan and DoS Protection – The DoS Protection protects your LAN against Denial of Service attacks. This should only be disabled in special circumstances and is typically not disabled by default.
A DMZ or demilitarized zone (sometimes referred to as a perimeter network or screened subnet) is a physical or virtual sub-network that contains and exposes an organization’s external-facing services to an untrusted, usually larger, network such as the Internet. The purpose of a DMZ is to add an additional layer of security to an organization’s local area network (LAN): an external network can access only what is exposed in the DMZ, while the rest of the organization’s network is secured behind a firewall.
Specifying a Default DMZ Server allows you to set up a computer or server that is available to anyone on the Internet for services that you haven’t defined. There are security issues with doing this, so only do this if you’re willing to risk open access. If you do not assign a Default DMZ Server, the router discards any incoming service requests which are undefined.
Enable Respond To Ping On Internet Port if you want the Router to respond to a ‘Ping’ from the Internet. This can be used as a diagnostic tool. However, like the DMZ server, this can be a security problem. You shouldn’t enable this unless you have a specific reason to do so.
The PING command on Windows (and other OS’s) can tell you if a particular server is operational. For example, if you process the following command in Power Shell you will get the following:
If the server is not operational the ping will timeout, or show you an error message. It is probably not a good idea to do this too often on public services as this may be interpreted as an attempt to hack the website by your ISP or the website owner.
IGMP Proxying allows a computer on the local area network (LAN) to receive the multicast traffic it is interested in from the Internet. If you do not need this feature, you can select this enable it, but I recommend disabling it by default.
The Maximum Transmission Unit (MTU) is the size of the largest protocol data unit (PDU) that can be communicated in a single network layer transaction (I said this was going to get technical). The MTU relates to, but is not identical to the maximum frame size that can be transported on the data link layer, e.g. Ethernet frame.
The MTU value for most Ethernet networks is 1500 Bytes, 1492 Bytes for PPPoE connections, 1436 for PPTP, or 1428 for L2TP connections. For some ISPs you may need to reduce the MTU. But this is rarely required, and should not be done unless you are sure it is necessary for your ISP connection.
NAT Filtering is the option that determines how the router deals with inbound traffic. The Secured option provides a secured firewall to protect the PCs on LAN from attacks from the Internet, but it may cause some Internet games, point-to-point applications, or multimedia applications not to work. The Open option, on the other hand, provides a much less secured firewall, while it allows almost all Internet applications to work. This should be set to secured and not open. Your router may provide more options, but in all cases you need this secured.
You may also see an option under NAT Filtering to Disable SIP ALG. Some voice/video communication applications do not work well with the SIP ALG. Enabling this option to turn off the SIP ALG and may help your voice/video applications to create/accept a voice/video call through the router. However my recommendation is not to disable this unless you have a real reason to do so.
You may find under this section of your settings the ability to:
- Set a router name
- Make settings against the LAN TCP/IP Setup
- Use the router as a DHCP Server
- Allow for the reservation of IP addresses for devices on your network,
Setting the router name is optional, and often does not have any bearing on its function unless you are trying to remotely manage the router (which I discourage).
LAN TCP/IP Setup allows you to set up the following:
- Routers IP Address
- Setup the sub-net mask
- RIP Direction
- RIP Version.
My recommendation in all cases is to leave these at their default values unless you really know what you are doing. Misconfiguring these settings has the ability to totally lock out your router, even to the level of not being able to login requiring a hard reset back to factory settings.
Setting up your router as a DHCP Server allows you to issue IP Addresses to your devices as they connect to your router. DHCP stands for Dynamic Host Configuration Protocol. This is another setting I recommend you leave at its default settings.
Address Reservation allows you to reserve IP Addresses against the specific MAC address of a connecting device. Every time that device connects it will bet the same IP Address. Unless you have a real reason to do this, my recommendation is to leave this in its unconfigured state as this can represent a vulnerability that can be exploited by a hacker that gains access to your network.
QoS is an advanced feature that you can use to prioritize some Internet applications and online gaming, and to minimize the impact when the bandwidth is busy. This can allow you to:
- Enable WiFi Multimedia (WMM) settings
- Enable upstream QoS Settings, which allow for better performance when gaming
- Setup QoS Priority Rules.
WMM allows wireless traffic to have a range of priorities, depending on the kind of data. Time-dependent information, like video or audio, has a higher priority than normal traffic. For WMM to function correctly, wireless clients must also support WMM.
Enabling the upstream QoS Settings allows gaming applications to function better, but this can also mean other traffic coming through your router may be impacted. My recommendation is to turn this off unless you are specifically going to do high performance online gaming.
If you have the ability to set up Setup QoS Priority Rules, my recommendation is to leave this at its default settings unless you know what you are doing.
Guest Network Setup
Some routers have the ability to provide a separate network for guests to use. This typically allows a guest to connect to your WiFi router but does not have access to your business systems/servers. This is useful to provide visiting clients to your business access to WiFi while on your premises.
The setup for this is typically the same as for your normal WiFi setup.
Blocked Sites and Services including schedules
Some routers provide a means to block certain websites and services from being accessed. This is particularly useful in a business where you want to block access to social media (and other websites) during work hours. You can often provide a schedule so that sites can be blocked during certain times to limit access only to the recognized lunch break times. It can also be used to block certain sites in your home outside of specified times (e.g. block adult sites so that your children cannot access them).
Maintaining this list is often a nightmare as sites come and go very quickly. In a larger organization this configuration can be automated against published block lists.
Wireless Access Point
Some routers allow you to configure them as a Wireless Access Point (AP). This effectively allows you to provide a bridge between different networks. This is an advanced topic and should not be attempted unless you have the required networking training.
You can buy what are typically called Mesh networks that allow for your WiFi network to be extended into WiFi dead spaces in your home/office and you can also buy WiFi extenders. This is is not the same as using the bridging function in this section.
Port Forwarding and Triggering
This allows you to forward certain ports/services to specific IP Addresses on your network (an example when you might use a fixed IP address). This will typically allow you to set up forwarding for the following network applications:
- File Transfer Protocol (FTP)
- Hypertext Transfer protocol (HTTP) to allow you to set up a web server
- ICUII/Peer to peer client networking
- IP Phone
- News servers
- Audio servers
- Telnet Servers
- VPN servers.
You should disable them all by default unless you you have a specific need and you know what you are doing. These servers will also need additional network protection so this is best left to a network technician.
You may also be able to setup a custom service. Again, this is an advanced topic for network technicians to configure and should not be enabled unless you have a real need. Most home users and small/medium size business won’t have a need for this.
Dynamic DNS and Static Routes
Dynamic DNS (DDNS) service provides a central public database where information (such as e-mail addresses, host names, and IP addresses) can be stored and retrieved. The Dynamic DNS server also stores password-protected information and accepts queries based on e-mail addresses. My recommendation is that this is not configured unless you have a real need for it.
Static routes give the router information that it cannot learn automatically through other means. This can happen when RIP is disabled on the LAN. Enabling static routes is a hackers dream, so this should not be configured unless you really know what you are doing. This is typically not configured by default.
This feature is sometimes provided on home/small business routers which allows you to connect to your router from anywhere on the Internet. This should never be enabled unless you have a very specific need as this will be noticeable by any hacker browsing the Shodan database/search engine.
Universal Plug and Play (UPnP)
Universal Plug and Play (UPnP) helps devices, such as Internet appliances and computers, access the network and connect to other devices as needed. UPnP devices can automatically discover the services from other registered UPnP devices on the network.
This should be switched off as it has been proven to be vulnerable to attack from the Internet.
VLAN and Bridge Setup.
This allows you to setup Virtual Local Area Networks (VLANs) that operate as a sub-net of your main network. If you are setting up an IoT network, it is sensible to setup virtual LANs so that your IoT devices are isolated from your main devices.
This is an advanced topic, and should be left to a network engineer to set up. My recommendation is to leave this in its default unconfigured state unless you have a need for it as a badly configured VLAN can be a serious network vulnerability.
Your router is your front door to your home/business network. You need to secure it as best you can. Configuring a secure setup on your router will go a long way to stopping hackers, or just mischief makers and WiFi freeloaders, from accessing your internet connection and the business systems you rely on.
This has been an extensive article, with a lot of technical details in it and not the usual blog from us. I have in many cases I have deliberately not gone into the deep technical information required to configure some advanced options as these are best left to people who know what they are doing and specifically network technicians. However, I hope this has opened your eyes to a number of configurations available behind the scenes of your humble router.
There are a lot or topics that can be investigated, but these will need more extensive knowledge of how networks are configured. I may post articles on this in the future.