Router Security   Website by     
Michael Horowitz 
Home | Introduction | Router Bugs | Security Checklist | Tests | Resources | About |
 

This site focuses on the security of routers. Period. If you are interested in faster WiFi, look elsewhere. The site covers configuration changes to make a router more secure, and, picking a router that is more secure out of the box.

Why devote an entire site to router security?

I used to be like you. That is, I would buy a router, it would work fine and I would ignore it for years. But, anyone who follows tech news has no doubt heard of assorted router flaws. After some huge flaws, affecting millions of routers, caught my attention, I started following the topic more closely. As a Defensive Computing guy, I eventually realized that I needed to upgrade my own router security and get more up to speed on the topic.

I spoke on Securing a Home Router at the HOPE conference in July 2014. This website is planned to contain all the information in that presentation and be kept up to date with new developments. It's a journey of a thousand miles and I have only taken the first few steps.

Non-techies can start at the Introduction to Routers page, which discusses what a router is conceptually, describes the hardware and the many ways to communicate with a router.

Router security may be a dull and boring topic, but it's important. As proof, see the page on what can happen if your router gets hacked.

As of June 2015, the list of configuration changes to increase router security is far from complete. The topic on selecting a secure router is mostly complete, as is the checklist page which lists router security features to look for when buying a router. The router bugs topic is more than complete enough to make its point - don't buy a consumer router.

A PDF of my HOPE presentation is available at box.net (last updated Oct. 4, 2014). Audio is available at x.hope.net (thanks to 2600). An article about the talk appeared in Toms Guide.

This site has NO ADS. If you see ads, either your browser, computer or router is infected with adware.

Picking a Router

The first step towards a secure router is choosing a router.

Many people use the device given them by their Internet Service Provider (ISP) which I think is a bad idea for a number of reasons.

The next decision is buying a consumer router or a business class device. Don't buy a consumer router. I say this for many many reasons.

I am not alone in pointing out the sad state of router software/firmware.

Which router do I recommend? The Pepwave Surf SOHO router from Peplink. My only relationship with Peplink is that of a customer.

Consumer Reports is no help in picking a secure router. Here's a screen shot from the ratings on their website. Each router is graded on security which they define as "features such as encryption, remote administration default settings and filtering and firewall compatibility." Useless.

Finally, some thoughts on Apple routers and Google OnHub routers and Routers for Dummies.

Secure Router Configuration - Start With This

When complete, this site will list dozens of tweaks to make a router more secure. But, at the least, make these changes:

  1. Change the password used to access the router. Anything but the default is OK.
  2. Turn off WPS
  3. Wi-Fi security should be WPA2 with AES (do not use TKIP)
  4. The Wi-Fi passwords need to be long enough to stall brute force attacks. Opinions on the minimum length differ, my best guess is that 14 characters should be sufficient. A totally random password is not necessary, "999yellowtulips" is both long enough and easy to remember.
  5. Turn off Remote Administration (its probably off already)
  6. If any of your Wi-Fi networks (a router can create more than one) use the default name (a.k.a. SSID) then change it. Also, if they use a name that makes it obvious that the network belongs to you, then change it. More...
  7. Test the firewall in the router at Steve Gibson's ShieldsUP! site. Start with the Common Ports test but also do the All Service Ports test. Finally, do the Instant UPnP Exposure Test (orange button).
  8. Use a Guest Network whenever possible. Any computer running Windows 10 should never be allowed on the main network, always restrict them to a Guest Network.
  9. For extra credit, turn off UPnP. If it breaks something, and port forwarding is beyond your ability, then you have a choice to make.
  10. For more credit, turn off wireless networks when not in use. Some routers let you schedule this, others have a Wi-Fi on/off button. If the router has an iOS or Android app, the app may be able to do this. Many routers, however, will require logging in to their web interfaces. Make a browser bookmark for this.
  11. Periodically update the firmware and eat your vegetables

Secure Router Configuration in Detail

  1. Suggestions for setting up a new router
  2. Setting a good router password (not WiFi password) is almost always the best first step for both new and existing routers
  3. Selecting a unpopular range of IP Addresses helps prevent many router attacks
  4. Don't let DHCP give out the full range of available IP addresses. Reserve some for static assignment.
  5. Turning off features you are not using reduces the attack surface (added June 18, 2015)
  6. Be smart about choosing an SSID/network name (added July 11, 2015)
  7. There is more to encryption than just choosing WPA2 (added July 13, 2015)
  8. Of course, upgrade the firmware (added Aug 19, 2015)
  9. MUCH more to come ...........
  10. MUCH more to come ...........

When you are all done making configuration changes to a router, it is a good idea to back them up. Routers normally can export a file with the current settings. On a Pepwave Surf SOHO router, go to the System section, click on Configuration, then click the Download button to Download Active Configurations. With a TP-LINK Archer C8, go to the Advanced tab, click on System Tools, then on Backup and Restore, then the Backup button.


Top 
Last Updated: April 25, 2016 10AM CT     
Created: January 30, 2015
Viewed 79,660 times since January 31, 2015
(165/day over 483 days)     
Website by Michael Horowitz      
Feedback: routers_at_michaelhorowitz.com  
Changelog
Copyright 2015 - 2016