15+ Things to Check in your WiFi (802.11a/b/g/n) Router related to Security
- Turn off the radio if you aren’t using WiFi. A radio that is off cannot be attacked. Note that some routers re-enable the radio after a reboot, so check whether yours misbehaves that way. Wired connections are faster anyway, and an attacker needs physical access to the cable to eavesdrop on one.
- Change the SSID from the default to something unique that doesn’t contain your name, address or the router model. Unusual is good: with WPA2-PSK the SSID is also the salt used to derive the network key from your passphrase, so a default or common SSID lets an attacker use precomputed tables against you.
- Change the default administrative login user id and password. On some routers only the password can be changed. Make it random and long, 30 or more characters if the firmware allows it. Why? Because the admin password is all that stands between anyone on your network (or, if WAN management is on, anyone on the internet) and full control of the router.
- Disable WPS. The WPS PIN is verified in two halves, so a brute-force attacker needs only about 11,000 guesses instead of 100 million, and many routers never rate-limit the attempts. That makes WPS the weakest door into an otherwise well-configured router.
- Disable WAN management. Seriously, why give someone outside your network any more opportunities?
- Don’t put anything in the DMZ, even if you are running a server; forward the single port you need to the internal computer instead. Nearly all home users don’t need even that. If you must reach your home network from outside, open a port only for OpenVPN or ssh, on a non-default port, and nothing else. ssh is amazing.
- Use the NAT capability (Network Address Translation) and avoid “bridge” or other modes. The internal network should use one of the RFC 1918 private ranges, which are never routed on the public internet: 10.0.0.0/8 (10.x.x.x), 172.16.0.0/12 (172.16.x.x through 172.31.x.x) or 192.168.0.0/16 (192.168.x.x). Anything else is probably public address space. (There are small exceptions called bogons, address blocks that are not allocated or routed yet; Hamachi squatting on the 5.x.x.x range is a well-known case.) NAT hides your internal addresses, but it is the firewall rules, not NAT by itself, that keep unsolicited traffic out.
- Enable only HTTPS or ssh for router management. HTTP and telnet send the admin password in the clear, so turn them off.
- Disable UPnP. THIS IS IMPORTANT! UPnP lets any device on your network open ports on the router without authentication and without telling you. Code running on a PC inside the network, including a script on a web page you happened to load, can ask the router to forward a port to an internal machine and the router will simply comply. Some game consoles and other non-computer devices need manual port forwarding once UPnP is disabled.
- Do NOT use a router for storage if that router is connected to the internet. Firmware vendors have not managed to secure their file-sharing features.
Similarly, some ASUS routers, and any storage devices attached to them, may be exposed to anyone online without login credentials if the owner enabled the remote access features built into the routers, according to this Ars piece from Feb. 17. The affected Asus models include the RT-AC66R, RT-AC66U, RT-N66R, RT-N66U, RT-AC56U, RT-N56R, RT-N56U, RT-N14U, RT-N16 and RT-N16R.
It isn’t just the Linksys and Asus guys either; some prosumer device makers have issued warnings too.
- Disable WEP, WPA and open WiFi, unless you are running a RADIUS server that refuses network access to anyone who fails to authenticate. WEP is broken outright and WPA’s TKIP has published key-recovery and packet-injection attacks; we need to use WPA2.
- Only use WPA2-AES (personal or enterprise) encryption. That may change if AES is ever broken, but today it is believed to be safe. In practice nobody attacks AES anyway; real attacks go after the passphrase, which is why the next item matters.
- Choose a unique, completely random passphrase of 40 or more characters mixing letters, digits and punctuation as the PSK (Pre-Shared Key); WPA2 allows up to 63. Remember that with a PSK everyone on the network holds the same key, so anyone who knows it and captures another client’s connection handshake can decrypt that client’s traffic. Think of the coffee shops and hotels that handed you the same PSK as everyone else. This whole problem is fixed in WPA2-Enterprise, where each client gets its own keys.
- Set the DNS on the router to the fastest DNS server you can find that:
  - is not your ISP (privacy). My ISP was capturing all DNS queries and forcing them to the ISP DNS servers. I called, complained and they showed me in my profile where to change this setting. Definitely validate which DNS you are actually hitting. THIS IS CRITICAL for security on the internet: a resolver that lies to you can send you to an impostor’s server. HTTPS only protects you if you refuse to click through the resulting certificate warning, and plain HTTP sites give no warning at all. If the DNS you use isn’t trusted, perhaps a Libyan government server, then you cannot trust where you end up.
  - is not Google (privacy); doesn’t Google already have enough data?
  - you trust (OpenDNS may be an option).
- Set the router not to respond to outside ICMP echo requests (ping) and do not open any inbound ports. Fewer than 1% of home users need an inbound port forwarded to a specific internal computer.
- If you use the router’s DHCP server, limit the address range to no more than 3x the number of devices that will connect in any 24-hour period. 3-6 addresses are enough for most homes except during holidays; 10 is a safe range. This is housekeeping rather than access control, since anyone already on the wireless network can configure a static address by hand. I prefer to use static IPs for my internal systems. DHCP is only for guest devices.
- Enable the SPI firewall (Stateful Packet Inspection) on the device. It tracks each connection initiated from inside and admits only the replies that belong to it, dropping unsolicited inbound packets. This is usually just a checkbox.
- Check every few months whether your firmware has security-related updates from the vendor. If it does, apply them. Other usability updates can be ignored if your router works the way you like. Set a periodic reminder in the calendar you use most.
- Use MAC filtering. This is not really security; it is like putting the top up on a convertible before going into a store while leaving the car unlocked. MAC address spoofing is trivial and every radio frame carries the MAC address in the clear, so this will not stop anyone with any security knowledge, but it will probably keep your neighbors off.
- After every device has connected, disable SSID broadcasting. Some devices won’t work this way and connections will fail. It isn’t really security, but if you don’t advertise that you are there, perhaps, just perhaps, someone trawling for networks won’t try yours. The RF traffic is still visible, and your own clients will probe for the hidden SSID by name wherever they go, so anyone who really wants to find it can. I don’t bother with this and think it may slow the network down.
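The UPnP item in the checklist above is easiest to believe once you see the actual exchange. The following is an added example, not code from this page or from any router vendor: it builds the SSDP discovery datagram, parses a gateway's reply, pulls the WANIPConnection control URL out of the device description and assembles the AddPortMapping SOAP request that opens a port. The SSDP reply and description XML are constructed samples (the 192.168.1.1 gateway, the `/ctl/IPConn` control path and the 192.168.1.50 client are assumptions); the message formats themselves follow the UPnP IGD specification. Notice that no field anywhere in the exchange carries a credential.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

SSDP_ADDR, SSDP_PORT = "239.255.255.250", 1900
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP_SVC = "urn:schemas-upnp-org:service:WANIPConnection:1"


def build_msearch(st: str = IGD_ST, mx: int = 2) -> bytes:
    """Step 1: SSDP discovery datagram for the multicast group.
    Nothing in it identifies or authenticates the sender."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_ADDR}:{SSDP_PORT}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {st}\r\n\r\n"
    ).encode()


def parse_ssdp_response(raw: bytes) -> dict:
    """Step 2: the gateway's unicast reply; LOCATION is its description document."""
    status, _, rest = raw.decode(errors="replace").partition("\r\n")
    if not status.startswith("HTTP/1.1 200"):
        raise ValueError(f"not an SSDP 200 reply: {status!r}")
    headers = {}
    for line in rest.split("\r\n"):
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return headers


def find_control_url(description_xml: str, service_type: str = WANIP_SVC):
    """Step 3: locate the controlURL of the WANIPConnection service (namespace-agnostic)."""
    for node in ET.fromstring(description_xml).iter():
        if node.tag.split("}")[-1] != "service":
            continue
        fields = {child.tag.split("}")[-1]: (child.text or "").strip() for child in node}
        if fields.get("serviceType") == service_type:
            return fields.get("controlURL")
    return None


def build_add_port_mapping(ext_port: int, int_port: int, int_client: str,
                           proto: str = "TCP", desc: str = "demo") -> tuple:
    """Step 4: the SOAP request that creates the forwarding rule. The router acts
    on it as-is; there is no password field because the protocol defines none."""
    body = (
        '<?xml version="1.0"?>\r\n'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:AddPortMapping xmlns:u="{WANIP_SVC}">'
        "<NewRemoteHost></NewRemoteHost>"
        f"<NewExternalPort>{ext_port}</NewExternalPort>"
        f"<NewProtocol>{proto}</NewProtocol>"
        f"<NewInternalPort>{int_port}</NewInternalPort>"
        f"<NewInternalClient>{int_client}</NewInternalClient>"
        "<NewEnabled>1</NewEnabled>"
        f"<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
        "<NewLeaseDuration>0</NewLeaseDuration>"
        "</u:AddPortMapping></s:Body></s:Envelope>"
    )
    headers = {
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{WANIP_SVC}#AddPortMapping"',
    }
    return headers, body


def plan_mapping(ssdp_reply: bytes, description_xml: str,
                 ext_port: int, int_port: int, int_client: str) -> dict:
    """Tie the steps together offline: where the SOAP POST would go and what it carries."""
    location = parse_ssdp_response(ssdp_reply)["location"]
    control = find_control_url(description_xml)
    if control is None:
        raise LookupError("gateway does not expose WANIPConnection")
    headers, body = build_add_port_mapping(ext_port, int_port, int_client)
    return {"url": urljoin(location, control), "headers": headers, "body": body}


# Constructed sample exchange (not captured from a real router).
SAMPLE_SSDP_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::"
    b"urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n"
)
SAMPLE_DESCRIPTION = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0"><device><deviceList><device><deviceList>
<device><serviceList><service>
<serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
<controlURL>/ctl/IPConn</controlURL>
</service></serviceList></device></deviceList></device></deviceList></device></root>"""

if __name__ == "__main__":
    plan = plan_mapping(SAMPLE_SSDP_REPLY, SAMPLE_DESCRIPTION, 2222, 22, "192.168.1.50")
    print("POST", plan["url"])
    print(plan["body"])
```

On a live network the only steps missing are sending `build_msearch()` from a UDP socket to 239.255.255.250:1900, fetching the LOCATION document over HTTP, and POSTing the returned body with the returned headers to the control URL. That is the whole attack surface: a browser script or any process on a LAN host can do it, which is the reason the checklist says to turn UPnP off.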
Save The Settings
Back up your settings and keep them in a safe place. If you are setting this for Grandma or some other non-computer-network person, do everyone a favor and write down the key settings on a 3×5 card, then tape that card to the back or underside of the router. Please don’t block any ventilation slots. Next year when you come back, you’ll want to know:
- Router IP
- Router netmask
- DHCP IP Range
- Administrative login and password
- SSID
- WPA2-PSK passphrase – this should be ugly and 40+ characters
- Router HTTPS access page URL eg. https://192.168.0.254/
Test Your Security
Visit GRC.com and click on Shields Up from inside your home network, behind your router. The tests only cover a few of the settings changed above, but they show what your router looks like to someone in China or England or Russia. All ports should be listed as either closed or stealth. This doesn’t test whether your neighbor can get into your wireless network. If you used WPA2-AES with a 40+ character, no-words, completely random passphrase, you should be good enough for home use.
Channel Selection
If you are in the USA, there are only 3 truly separate WiFi channels for 2.4 GHz B/G routers: channel centers are 5 MHz apart but each transmission is about 20 MHz wide, so only 1, 6 and 11 don’t overlap. Check the channels and signal strengths of the existing WiFi networks around you and choose 1, 6 or 11 if one is unused or the networks on it are very weak. If all three are in use with good signal strength, you are forced onto an overlapping channel, and which one works best is really trial and error. Weather, and how your WiFi use compares with the neighbors’, will affect it too. Check the WiFi use around your home yearly. Things change, and your WiFi network can really be affected by neighbors.
If you are an advanced user, there are many other ways to secure a WiFi network outside the router. A RADIUS server with mandated encryption from the client would be preferred over all the recommendations above, provided network access is refused when the RADIUS login fails.
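The channel arithmetic above can be turned into a simple chooser. This is an added example of my own, not code from the page: it models 2.4 GHz channel centers (2407 + 5 x channel MHz, channel 14 at 2484), treats two channels as interfering until their centers are 25 MHz apart (the spacing behind the 1/6/11 rule), weights each neighbor by its received power in milliwatts rather than dBm so a strong network counts far more than a faint one, and picks the least-interfered channel, preferring 1, 6 or 11 on ties. The neighbor survey passed in is constructed; the linear roll-off of interference with separation is a simplification of the real spectral mask.

```python
import math

US_CHANNELS = range(1, 12)   # FCC permits 1..11; much of the world permits 1..13
CHANNEL_SPACING_MHZ = 5
# Two 20 MHz carriers stop interfering once their centers are 25 MHz apart,
# i.e. five channel numbers; that is where the 1 / 6 / 11 rule comes from.
CLEAR_SPACING_MHZ = 25
PREFERRED = (1, 6, 11)


def center_mhz(channel: int) -> int:
    """Center frequency of a 2.4 GHz channel."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + CHANNEL_SPACING_MHZ * channel
    raise ValueError(f"no such 2.4 GHz channel: {channel}")


def overlap_weight(a: int, b: int) -> float:
    """1.0 for the same channel, falling linearly to 0.0 at 25 MHz separation
    (simplified model of the spectral mask)."""
    return max(0.0, 1.0 - abs(center_mhz(a) - center_mhz(b)) / CLEAR_SPACING_MHZ)


def dbm_to_mw(dbm: float) -> float:
    return 10 ** (dbm / 10)


def interference_mw(channel: int, neighbours: dict) -> float:
    """Neighbour power spilling into `channel`, in mW. neighbours maps channel -> dBm,
    so a -40 dBm network counts 100x more than a -60 dBm one."""
    return sum(dbm_to_mw(dbm) * overlap_weight(channel, ch)
               for ch, dbm in neighbours.items())


def best_channel(neighbours: dict, allowed=US_CHANNELS) -> int:
    """Least-interfered allowed channel; ties go to 1/6/11, then to the lowest number.
    Rounding keeps float noise from breaking genuine ties."""
    return min(allowed, key=lambda ch: (round(interference_mw(ch, neighbours), 12),
                                        0 if ch in PREFERRED else 1, ch))


def survey_report(neighbours: dict, allowed=US_CHANNELS) -> list:
    """(channel, interference in dBm) for every allowed channel, worst first is last."""
    rows = []
    for ch in allowed:
        mw = interference_mw(ch, neighbours)
        rows.append((ch, 10 * math.log10(mw) if mw > 0 else float("-inf")))
    return sorted(rows, key=lambda r: r[1])


if __name__ == "__main__":
    # Constructed site survey: channel -> strongest received signal in dBm.
    survey = {1: -40, 6: -40, 11: -50, 3: -70}
    for ch, dbm in survey_report(survey):
        print(f"channel {ch:2d}: interference {dbm:7.1f} dBm")
    print("best channel:", best_channel(survey))
```

Feed it the channel and signal-strength list from any WiFi scanner and it tells you where to sit; rerun it when the neighbors change, as the text advises.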
Want to Know More?
If you’d like to read more about Desktop Computer Security see my other article to learn how to setup your desktop for reasonable levels of security.
Other Security-related pages here:
- Secure Browser Settings
- Security for Desktops
- Security with the Hosts File
- WiFi Router Security Checklist
Here’s a link on how to hack WPA and another with the step-by-step for WEP and WPA hacking. These days most of the people doing the hacking use an all-in-one Linux distribution that anyone can download for free and boot from a CD-ROM. It really is trivial to do, which is why the steps on this page matter. Skipping one of them, such as having a strong WPA2 passphrase, is a critical error. Basically, anyone on a shared WiFi network is open to MITM (Man In The Middle) attacks if they don’t use a VPN. That goes for networks that require a key; open WiFi is worse still. WiFi at hotels and other places that give the key to more than 4 people in a month should be treated as suspect and a VPN should be used. Always.
Go here if you’d like to comment on this page.
Last Update: 6/2010