- Back to Home »
- CCNA , News , Router and Switches »
- Tips for Improving Router Security
Posted by : Sivapriya
Wednesday, 4 November 2015
With the recent news of router vulnerabilities, we thought it would be an excellent time to provide a few tips for improving your router security. While nothing is hack-proof in the world we live in, you can take many steps to deter attackers from targeting you. I have arranged this from easy to do, to increasingly technical.
- This step may be common knowledge to many, but most routers use a default login username such as “admin”, and a password that is usually just “password”. The first step you should take when acquiring a router is to change this to a username you have created, and create a strong password for access. Please note that this is different than your Wi-fi name and password.
- Once you have set the router login, you will want to create a password and name for your connection. I generally advise changing it from the default to something that is not personally identifiable. Ideally you do not want your router manufacturer (Netgear. Linksys, etc.) or address as your Wi-fi Name. To add to this, I always advise to go with WPA2 over WPA or WEP. A long passphrase is important here and I would aim for more than 20 characters.
- To add to the previous step, you can entirely disable the SSID broadcast so that only users that know your network name can connect and I advise doing this.
- If you plan on having guests, create an entirely different Guest network. It is never advisable to give the credentials to your main connection.
- Unfortunately convenience generally leads to weaker security in our world. That WPS (Wi-fi Protected Setup) button may be incredibly easy to use, but for security reasons it is generally not advised to use this feature. This can allow an attacker to attempt connection with a PIN and even a longer PIN can be brute-forced fairly quickly with modern technology.
- Always make sure the firmware for your router is up to date. I would advise logging into your router regularly to check for updates. This is frequently neglected and should not be.
- Disable Remote Administrative Access to your router, and disable administrative access over Wi-Fi. This one is a given and an Admin should only be connecting via a wired Ethernet connection.
- The next step I usually advise people to take is to change the default IP ranges for their router. Almost every router has an IP resembling 192.168.1.1 and changing this can help prevent CSRF (Cross-Site Request Forgery) attacks.
- Restrict access to the router via MAC addresses. You can specify exactly what devices you want to connect so that others are not permitted. You can usually identify the address of the specific device in the Admin Console of the router.
- If the devices you use are compatible, it is generally advisable to change from the standard 2.4-GHz band, to the 5-GHz band. This decreases the range of the signal and could stop a potential attacker that is farther away from your router from discovering it.
- Disable Telnet, PING, UPNP, SSH, and HNAP if you can. You can close them entirely, but I generally advise putting them into what is referred to as “Stealth” mode. This stops your router from responding to external communications.
- Once you have gone through these steps, make sure that you log out of the router. This does not just apply to routers though. You should log out of any website, utility, or console when you are done using it.
I would certainly advise taking all of the steps above but if you cannot do them all, the more the better. “Better Safe Than Sorry” should be common practice in the cyber security world.
Read More..