Seemingly minor and easily overlooked settings can still have profound security implications. Here are some steps you can take to make sure your wired or wireless home router — and by extension, your network — is as secure as possible.
by Joseph Moran
That’s significant, because once a router uses DNS servers controlled by an attacker, that router can be used as a springboard for all manner of dirty deeds, ranging from malware infection to identity theft via phishing. The Indiana University report points out that this attack doesn’t exploit any browser vulnerability, and, more importantly, it seems to work with pretty much any router, irrespective of brand or model.
But what’s even more interesting is that the hack was successful only when the target router’s default administrative password had been left at the factory default setting. In other words, users were protected if they had simply changed their passwords, because the attack relied on the use of the device vendors’ default passwords, which are common knowledge.
There’s no telling just how many routers out there still use the default passwords, but it’s a safe bet it’s a lot. After all, many automated router setup wizards don’t prompt the user to change the default administrator password, and most routers bury this setting way down in the menu where casual users are unlikely to notice it.
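One defender-side check for the outcome of the attack described above is to compare the DNS resolvers a client actually received from the router against the ones you deliberately configured. The following is an added example, not code from the article; it assumes a resolv.conf-style resolver file handed down by the router's DHCP server, and the addresses in it are constructed placeholders.

```python
import ipaddress

# Constructed sample of what a DHCP client wrote after talking to the
# router. 203.0.113.7 stands in for a resolver nobody in the household
# configured (a documentation-range placeholder, not a real indicator).
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP client (constructed sample)
search home.lan
nameserver 192.168.1.1
nameserver 203.0.113.7
"""

# Assumed allowlist: the router itself plus the resolver you set on it.
EXPECTED_RESOLVERS = {"192.168.1.1", "192.0.2.53"}


def parse_nameservers(text):
    """Return the nameserver addresses from resolv.conf-style text,
    skipping comments, blank lines and anything that is not an IP."""
    servers = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # malformed address, not a resolver
    return servers


def unexpected_resolvers(servers, expected=EXPECTED_RESOLVERS):
    """Any resolver not on the allowlist is a sign the router's DNS
    settings were changed behind your back, as in the attack above."""
    return [s for s in servers if s not in expected]


if __name__ == "__main__":
    found = parse_nameservers(SAMPLE_RESOLV_CONF)
    bad = unexpected_resolvers(found)
    print("resolvers handed out:", found)
    print("UNEXPECTED resolvers:" if bad else "all resolvers expected", bad)
```

Running this periodically from any always-on machine on the LAN gives you a cheap tripwire; if the list of unexpected resolvers is ever non-empty, check the router's DNS settings and administrative password first.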
This particular attack scenario illustrates how a seemingly minor and easily overlooked setting can still have profound security implications. Therefore, it seems like a good time to review some steps you can take to make sure your wired or wireless home router — and by extension, your network — is as secure as possible.
Change the Administrative Password
As outlined above, if your router’s password is “password,” “admin,” “1234” or any of the other default values, you’re just asking for trouble, so change it immediately.
Change the Default SSID Name
Just as many users neglect to change their router’s administrative password, many also keep the default wireless SSID, which almost always indicates the device manufacturer and makes it possible to infer other information, too. Ditch the defaults, create a custom SSID and avoid using any descriptive information such as family name or address.
Turn off SSID Broadcast
Broadcasting your SSID makes it super-easy to connect new wireless devices to your network. But it also advertises your network to any passers-by, which isn’t an ideal situation. Turning this feature off won’t hide your network’s presence to determined interlopers with special software, but the fewer people that know about your network, the better. As long as you know your own SSID, you won’t have any trouble setting up new devices.
Use WPA, not WEP
Even though the weaknesses of WEP have been widely documented for years, many continue to use it, and it’s the default encryption method on some devices. In fact, there are still wireless products — mostly non-PC devices like media streaming units — that only support WEP even now.
Bottom line — use WPA to encrypt your wireless network, and avoid buying or using any device that forces you to use WEP to accommodate it. In addition to greatly improved security, there are also usability benefits to using WPA, because unlike WEP you don’t need to choose between ASCII or HEX, and encryption keys needn’t conform to specific lengths (e.g., exactly 13 or 26 characters for 128-bit WEP).
Reduce Wireless Power
If your router supports it, turn down your wireless radio’s power setting to try and keep the signal within the confines of your home or office. This may take some trial and error and it’s not always possible to precisely control where the signal travels, but you may be able to minimize the amount of signal that spills out to the street or the neighbor’s yard.
Eliminate or Reduce the Use of DHCP
DHCP’s automatic allocation of IP addresses is enormously convenient, especially when you have lots of systems to manage, but remember that DHCP will happily issue an IP address to any system that asks for one. If you have only a handful of devices, turning off DHCP and giving them static addresses will make it a little harder for unauthorized users to get a valid address for your network.
Another option is to leave DHCP on but reduce the size of its address pool. Most routers put almost every available address — more than 250 in all — into the pool, which is far more than just about anyone needs and leaves plenty for unauthorized users. Limiting the number of available DHCP addresses to the specific number of devices you have lets you use DHCP addresses while preventing wireless trespassers from obtaining them.
Turn On MAC Filtering
Although it shouldn’t be used in lieu of wireless encryption, MAC filtering can be a good complement to it. Most routers support this feature, which limits access only to those devices with the hard-coded MAC addresses that you specify. Configuring MAC filtering can sometimes be a pain in the neck, but some routers will let you easily add a connected device to a filtering list, which can save you the trouble of having to hunt down the MAC addresses for each of your devices.
Make Sure your DMZ is Turned Off
The router’s DMZ feature is usually turned off by default, but users sometimes enable it for troubleshooting reasons and then forget to deactivate it again afterward. Since the DMZ — short for demilitarized zone — is an IP address (or address range) left open to the Internet, any system inadvertently placed there is completely exposed and at risk.
Turn Off Ping Response
This setting allows your router to respond to ping commands issued from the Internet. It’s usually turned off by default, but you should verify that it is because it can betray the existence of your network to potential hackers, which in turn is an open invitation to probe further.
Avoid Using Remote Management
Most routers have this feature, which allows you to log in and manage the device from outside your network. There aren’t too many situations where this is useful, so you should avoid using it unless absolutely necessary. If you do use remote access, change the default port number (usually 8080 or 8888) to something less obvious.
To be sure, none of these steps are foolproof (security seldom is), but most are simple, all are free, and ultimately, every little bit helps.
Joe Moran is a regular contributor to PracticallyNetworked.