Router Security: Security Checklist
Website by Michael Horowitz
 

The most expert person in the world can only make a router as secure as the firmware (router OS) allows. The following list of security features lets you judge how secure a router can potentially get. This is not a list of things to do to make a router more secure. That list includes a number of actions, like changing the default password, that are common to all routers and thus not in the list below. If you care about securing a router, look for it to have the features below. Sadly, reviews of routers never discuss any of this.

  1. WPS
  2. NO DEFAULT PASSWORDS (added Nov. 21, 2015)
     Default passwords are a huge problem for routers and should not be allowed. Even default passwords that look random often are not: eventually someone figures out the formula that generates them and can combine it with information the router exposes publicly (the MAC address broadcast in every Wi-Fi beacon, for example) to derive the password. Thanks to Russ for this idea.
  3. LOCAL ADMINISTRATION
     A malicious person on your network is bad enough, but we need to prevent them from being able to modify the router. The router also needs to be protected from malicious web pages that exploit CSRF (cross-site request forgery) bugs: such a page runs in the browser of someone who is already on the LAN, and possibly already logged in to the router, so the router cannot assume that every request from the LAN was intended by its owner.
  4. REMOTE ADMINISTRATION
  5. WIFI
     No one can hack into a network that does not exist, so look for the ability to turn the Wi-Fi radios off entirely when they are not needed.
  6. WPA2
     Although every router offers WPA2 encryption with a Pre-Shared Key (PSK), there are still things to look for:
  7. GUEST NETWORKS
     In general, a guest network is a good thing. I blogged on this in December 2015: To share or not to share - a look at Guest Wi-Fi networks. But not all guest networks are the same.
  8. ROUTER USERID
  9. ROUTER PASSWORD (updated Nov. 15, 2015)
  10. FIREWALL
     Look for open ports. Any and every port that is open, on both the WAN side and the LAN side, needs to be accounted for: you should be able to name the service behind each one and say why it needs to be there.
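One way to get that list of open ports is a small TCP connect scan. The script below is an added example, not code from this page or from any router vendor (nmap does the same job more thoroughly). Run it from a machine inside the LAN against the router's LAN address, then have someone on the Internet run it against your public address; the default router address and the port list are assumptions for illustration.

```python
"""Enumerate TCP ports that answer on a router (added example, not from the page).
Run inside the LAN against the router's LAN IP, and from the Internet against the
public IP.  Every port that answers must be accounted for.  192.168.1.1 is a placeholder."""
import socket
from concurrent.futures import ThreadPoolExecutor

# Ports commonly found open on consumer routers and the service usually behind them.
# Constructed list for this example; adjust to taste.
COMMON_ROUTER_PORTS = {
    21: "ftp (USB drive sharing)",
    22: "ssh",
    23: "telnet (should never be open)",
    53: "dns (expected on the LAN side, a problem on the WAN side)",
    80: "http admin interface",
    139: "netbios/smb (USB drive sharing)",
    443: "https admin interface",
    445: "smb (USB drive sharing)",
    5000: "upnp on some vendors / vendor admin",
    7547: "tr-069 / cwmp (ISP remote management)",
    8080: "alternate http admin interface",
    49152: "upnp igd (common on consumer routers)",
}

_listeners = []   # keeps self-test sockets alive


def tcp_port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP connection to host:port completes (a full connect, not SYN scan)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_ports(host: str, ports, timeout: float = 1.0, workers: int = 32) -> list:
    """Return the sorted list of ports on host that accept a TCP connection."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, tcp_port_open(host, p, timeout)), ports))
    return sorted(p for p, is_open in results if is_open)


def start_local_listener() -> int:
    """Open a throwaway listening socket on localhost and return its port, so the
    scanner can be exercised without touching a real router."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    _listeners.append(srv)
    return srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"   # placeholder router LAN IP
    for port in scan_ports(target, COMMON_ROUTER_PORTS):
        print(f"{target}:{port} open -> {COMMON_ROUTER_PORTS[port]}")
```

A connect scan only finds TCP listeners; UPnP's SSDP (UDP 1900) and DNS over UDP need a separate check.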
  11. MAC ADDRESS FILTERING
     I am well aware that MAC address filtering is far from perfect. That said, it does make it harder for bad guys to get onto your network. Many people say not to bother with it, both because it's a big administrative hassle and because it will not block a skilled attacker (MAC addresses travel in the clear and are trivial to spoof). The administrative hassle, however, is not the same on all routers.
  12. UPnP (Revised Oct 9, 2016)
     Universal Plug and Play (UPnP) can be a security problem in two ways. It was designed for use on a LAN, where it lets any device poke a hole in the firewall (a port forward) without asking the administrator, so malware on one infected machine can expose whatever it likes. It was never meant to be used on the Internet, but some routers have mistakenly answered UPnP requests on the WAN side too, letting outsiders reconfigure the firewall. Most routers let you disable UPnP on the LAN side.
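To check both sides, send the same discovery request a UPnP client would. The script below is an added example, not code from this page or from any vendor: it unicasts an SSDP M-SEARCH for an Internet Gateway Device at a given address and parses the reply. Run it inside the LAN against the router's LAN address (a reply there just confirms UPnP is on), then have someone run it from the Internet against your public address (a reply there is the real problem). The router address is a placeholder and the sample reply is constructed, not captured from any product.

```python
"""Check whether a router answers UPnP/SSDP discovery (added example, not from the page)."""
import socket

SSDP_PORT = 1900
SSDP_MULTICAST = "239.255.255.250"
IGD_TARGET = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"


def build_msearch(target: str = IGD_TARGET, host: str = SSDP_MULTICAST) -> bytes:
    """Build an SSDP M-SEARCH request (HTTP over UDP) for an Internet Gateway Device."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {host}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        "MX: 2",
        f"ST: {target}",
        "", "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(raw: bytes) -> dict:
    """Parse an SSDP reply into a dict of lower-cased header names.
    Returns {} unless the status line is '200 OK'."""
    text = raw.decode("utf-8", errors="replace")
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def discover(target_ip: str, timeout: float = 3.0) -> list:
    """Unicast an M-SEARCH at target_ip and return the parsed replies, one per responder.
    A non-empty list when target_ip is the router's public address means UPnP is
    reachable from the Internet."""
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_msearch(host=target_ip), (target_ip, SSDP_PORT))
        try:
            while True:
                data, (addr, _) = sock.recvfrom(65535)
                headers = parse_ssdp_response(data)
                if headers:
                    headers["_from"] = addr
                    replies.append(headers)
        except socket.timeout:
            pass
    return replies


# Constructed sample reply in the shape an IGD-capable router sends (not a real capture).
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\n"
                b"CACHE-CONTROL: max-age=1800\r\n"
                b"LOCATION: http://192.168.1.1:49152/rootDesc.xml\r\n"
                b"SERVER: Linux/3.4 UPnP/1.1 MiniUPnPd/1.9\r\n"
                b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
                b"USN: uuid:00000000-0000-0000-0000-000000000000::urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
                b"\r\n")

if __name__ == "__main__":
    import sys
    ip = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"   # placeholder router address
    for r in discover(ip):
        print(r["_from"], r.get("server"), r.get("location"))
```

The SERVER header names the UPnP stack and version, which is worth recording: that is the software an attacker would look up.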
  13. PORT FORWARDING
    • Can it be limited by source IP address and/or source IP subnet? The secure answer is yes. For example, both RealVNC and Apple Remote Desktop listen for incoming connections on TCP port 5900. Without this feature, anyone in the world can connect to these programs on that port, and bad guys continuously scan the Internet for devices listening on port 5900. With this feature, you can limit who is allowed to talk to the software on port 5900 to, say, the one address or subnet the helper connects from. The official term for this, I believe, is IP Filtering.
    • Can port forwarding be scheduled? If a techie uses RealVNC or Apple Remote Desktop to help a non-techie with their computer, but only does so in the evening, then this feature lets the forwarding of port 5900 be disabled in the morning, afternoon and late at night.

  14. Is HNAP supported?
     The correct answer is no. The Home Network Administration Protocol has been the basis for multiple router flaws. In April 2015 it was found to make a number of D-Link routers vulnerable. In Feb. 2014 it was used as part of an attack on Linksys routers. The Linksys firmware in their classic WRT54G supported HNAP. In 2010 HNAP was used to hack D-Link routers. As far as I know, there is no way to disable HNAP. There are two ways to check for HNAP support. First, ask the router vendor. If nothing else, this can be a great test of technical support. If the company can't or won't answer this question, their routers are best avoided. Peplink, my preferred router vendor, does not support HNAP - I asked them. For a technical test, try to load http://1.2.3.4/HNAP1/ where 1.2.3.4 is the IP address of your router. A router that supports HNAP answers with an XML document listing the SOAP actions it offers; one that does not should return an error (typically 404) or just its normal login page. This works from inside your network using the router's internal IP address. The real danger, however, is from the outside, so have someone try it from the Internet using the public IP address of your router, which you can find at many sites such as ipchicken.com or checkip.dyndns.com. For good luck, also run this test on port 8080, which would look like http://1.2.3.4:8080/HNAP1/
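The same test, scripted so it can be repeated on both ports and from both sides of the router, as an added example (not code from this page or from any vendor). The decision rule is the one described above: a 200 reply whose body is XML/SOAP and mentions HNAP counts as support, anything else does not. The router address is a placeholder, and the two sample bodies are constructed to show the shape of each kind of reply, not captured from a real product.

```python
"""Probe a router for the HNAP1 endpoint on ports 80 and 8080 (added example, not from the page)."""
import http.client

HNAP_PATH = "/HNAP1/"


def looks_like_hnap(status: int, body: bytes) -> bool:
    """Decide from an HTTP reply whether HNAP is present.  HNAP replies are XML/SOAP
    and mention HNAP in a namespace or element; a 404 or an HTML login page is a 'no'."""
    if status != 200:
        return False
    text = body.decode("utf-8", errors="replace").lower()
    return "hnap" in text and ("<soap" in text or "<?xml" in text or "purenetworks.com" in text)


def fetch(host: str, port: int, path: str = HNAP_PATH, timeout: float = 5.0):
    """Return (status, body) for GET path, or (None, b'') if the port does not answer."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": "hnap-check/1.0"})
        resp = conn.getresponse()
        return resp.status, resp.read()
    except (OSError, http.client.HTTPException):
        return None, b""
    finally:
        conn.close()


def probe_hnap(host: str, ports=(80, 8080)) -> dict:
    """Map each port to True (HNAP answered), False (answered, no HNAP) or None (no reply)."""
    findings = {}
    for port in ports:
        status, body = fetch(host, port)
        findings[port] = None if status is None else looks_like_hnap(status, body)
    return findings


# Constructed bodies shaped like an HNAP reply and a plain login page (not real captures).
SAMPLE_HNAP_BODY = (b'<?xml version="1.0" encoding="utf-8"?>'
                    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
                    b'<soap:Body><GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/">'
                    b'<SOAPActions><string>http://purenetworks.com/HNAP1/GetDeviceSettings</string>'
                    b'</SOAPActions></GetDeviceSettingsResponse></soap:Body></soap:Envelope>')
SAMPLE_LOGIN_PAGE = b"<html><head><title>Router Login</title></head><body>...</body></html>"

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"   # placeholder
    for port, result in probe_hnap(target).items():
        verdict = {True: "HNAP PRESENT", False: "no HNAP", None: "no answer"}[result]
        print(f"{target}:{port} -> {verdict}")
```

Run it once with the router's LAN address and once, from outside, with the public address; "no answer" on the public address is the result you want.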

  15. FIRMWARE
  16. SELF-UPDATING FIRMWARE (added Sept. 29, 2016)
     Routers that automatically update their firmware have their own issues. A list of self-updating routers is on the Resources page.
  17. Is the router vulnerable to the Misfortune Cookie flaw? This is not something we can test for ourselves, nor is there a full list of vulnerable routers anywhere. We need to have the router manufacturer issue a statement. So this is really a test of how the router vendor handles security issues. Did they post anything on their website? If you ask them, will they respond intelligently? The bugs page on this site links to responses from Actiontec and Peplink that their routers are not vulnerable. I looked for a Netgear response and could find nothing. ZyXEL patched some of their routers but not others. If a company is not forthright about this flaw, then you know that they can't be trusted to make a secure product. And, even if they were vulnerable but issued updated firmware, I would still be concerned, as this means they shipped extremely old software.

  18. Can it block access to a modem by IP address? See my blogs on this: part one and part two.

  19. LOGGING: (revised Nov. 23, 2015)
    • Is there a log file (or files)? There should be, and hopefully the data in the log is reasonably understandable and useful. I find the log created by Asus routers all but worthless. An old Verizon DSL gateway, the D-Link 2750B, had both a System Log and a Security Log. The Pepwave Surf SOHO has a single log file. The D-Link 860L has three log files: System, Firewall & Security, and Router Status.
    • Does it log unsolicited incoming connection attempts? I consider this particularly interesting as it helps to illustrate how dangerous the Internet is and why a secure router is important. It's one thing to be preached to about how dangerous the Internet is, but quite another to see evidence of computers all over the world trying to hack into your router. If you see computers from China trying to access certain ports on the router, you can research the ports, try to close them, or forward them to a non-existent local IP address. This may be asking too much of a router; that is, it may require an NGFW (next-generation firewall) or UTM (unified threat management) appliance.
    • Does it log failed logon attempts? Successful logons? Failed logons are obviously good to know about, but so too are successful logons, just in case the person in charge of the router was not the one who logged in. Hopefully, the logged information includes the source IP address; without it you cannot tell a logon from the LAN from one made through remote administration.
    • Is anything logged when a new device joins the LAN? It would make a great audit trail if the router logged the client MAC address every time a new device joined the network. As of Firmware 6.3, released in Jan. 2016, Peplink can optionally log each time an IP address is given out by its DHCP server. There is no option, however, to log the appearance of a new device with a static IP.
    • Can it log all Internet access by a single device? In Nov. 2015 it came to light that a Vizio Smart TV was watching you and phoning home screenshots, even when it was playing video from an external source (think Roku and DVD). This feature lets you keep a close watch on any such "smart" device. It can be used to track children online. My favorite router company, Peplink, is due to roll out this feature in Firmware version 6.3 by the end of 2015.
    • Does it log changes made to the router configuration? Peplink does a poor job of this; their log typically just says "Changes have been applied" with no indication of what was changed. On the other hand, the D-Link 860L logs nothing at all, not even the fact that something changed. The best I have read about are some DrayTek routers that create an audit trail/log of all admin access/activity.
    • Do the log files disappear when the router is powered down? If so, it makes it that much harder to spot trends or changes, and anyone who can reboot the router can erase the evidence. The logs on the D-Link 860L are wiped out when it is powered off. This is not true of the Pepwave Surf SOHO.
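Having the log is only half of it; someone has to read it. The script below is an added example (not from this page or any vendor) of the two checks that matter most from the list above: it tallies dropped inbound connection attempts on the WAN interface by source and port, and it flags successful admin logons that either came from outside the LAN or followed a run of failures from the same source. The sample lines are constructed in the netfilter LOG / generic syslog style that many Linux-based routers use, with public addresses from the documentation ranges; a real router's format will differ, so the regular expressions are the part to adapt.

```python
"""Triage a router log for inbound attempts and suspicious admin logons (added example)."""
import ipaddress
import re
from collections import Counter

# Constructed sample log; not captured from any real router.
SAMPLE_LOG = """\
Nov 23 10:15:02 router kernel: DROP IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=44122 DPT=23
Nov 23 10:15:09 router kernel: DROP IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=44130 DPT=2323
Nov 23 10:15:31 router kernel: DROP IN=ppp0 OUT= SRC=198.51.100.77 DST=198.51.100.20 PROTO=TCP SPT=51000 DPT=5900
Nov 23 10:16:02 router kernel: DROP IN=br0 OUT= SRC=192.168.1.40 DST=192.168.1.1 PROTO=TCP SPT=40000 DPT=23
Nov 23 10:16:40 router httpd: login failed for user admin from 192.168.1.23
Nov 23 10:16:52 router httpd: login failed for user admin from 192.168.1.23
Nov 23 10:17:05 router httpd: login successful for user admin from 192.168.1.23
Nov 23 10:19:44 router kernel: DROP IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=44201 DPT=8080
Nov 23 10:21:10 router httpd: login failed for user admin from 203.0.113.9
Nov 23 10:21:15 router httpd: login failed for user admin from 203.0.113.9
Nov 23 10:21:19 router httpd: login failed for user admin from 203.0.113.9
Nov 23 10:21:24 router httpd: login successful for user admin from 203.0.113.9
"""

DROP_RE = re.compile(r"DROP IN=(?P<iface>\S+).*?SRC=(?P<src>\S+).*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)")
LOGIN_RE = re.compile(r"login (?P<result>failed|successful) for user (?P<user>\S+) from (?P<src>\S+)")


def inbound_attempts(log: str, wan_iface: str = "ppp0") -> Counter:
    """Count dropped packets that arrived on the WAN interface, keyed by
    (source IP, protocol, destination port).  LAN-side drops are ignored."""
    hits = Counter()
    for m in DROP_RE.finditer(log):
        if m.group("iface") == wan_iface:
            hits[(m.group("src"), m.group("proto"), int(m.group("dpt")))] += 1
    return hits


def login_events(log: str) -> list:
    """Return (result, user, source IP) for every admin login line, in log order."""
    return [(m.group("result"), m.group("user"), m.group("src")) for m in LOGIN_RE.finditer(log)]


def suspicious_logins(log: str, lan: str = "192.168.1.0/24", max_failures: int = 2) -> list:
    """Flag successful logins that came from outside the LAN, or that followed more than
    max_failures failed attempts from the same source (a guess that finally worked)."""
    lan_net = ipaddress.ip_network(lan)
    failures = Counter()
    flagged = []
    for result, user, src in login_events(log):
        if result == "failed":
            failures[src] += 1
            continue
        reasons = []
        if ipaddress.ip_address(src) not in lan_net:
            reasons.append("source outside LAN")
        if failures[src] > max_failures:
            reasons.append(f"after {failures[src]} failures")
        if reasons:
            flagged.append((user, src, ", ".join(reasons)))
        failures[src] = 0
    return flagged


def report(log: str) -> str:
    """Human-readable summary of both checks."""
    out = ["Dropped inbound attempts on WAN (source, proto, port -> count):"]
    for (src, proto, dpt), n in inbound_attempts(log).most_common():
        out.append(f"  {src:<16} {proto:<4} {dpt:<5} x{n}")
    out.append("Suspicious successful logins:")
    for user, src, why in suspicious_logins(log):
        out.append(f"  {user} from {src}: {why}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Because the logs on some routers vanish at power-off, the practical arrangement is to have the router send its log to a syslog server on the LAN and run something like this there.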

  20. EMAIL: (added Nov. 19, 2015)
     Can the router send an email message when something bad happens?
  21. DDNS:
     Not everyone needs DDNS; it is mostly used for remote administration. If you do need it, there are some options to look for.
  22. MONITORING ATTACHED DEVICES:
     It's nice to know who/what is connected to the router.
  23. Can you disable the file sharing of storage devices plugged into a USB port? This came up in May 2015 with the industry-wide NetUSB flaw. Some routers let you disable the buggy file sharing, others did not. Netgear, for example, admitted there was no way to disable the flawed file sharing software. NetUSB was the second file sharing flaw that I am aware of; Asus had an earlier bug that exposed files on drives plugged into a USB port to the Internet at large.
     If you must use a router to share files, then look for one that offers a way to safely disconnect the USB storage device. At least some Linksys routers have a Safely Remove Disk button. TRENDnet labels their button Safely Remove USB Device. And, just for good luck, avoid putting sensitive files on the storage device plugged into the router. My suggestion, however, is to look for a low-end Synology or QNAP NAS device. As of May 2015 the cheapest Synology NAS (model DS115j) is $100 without a hard drive. QNAP seems to start around $120, also without a hard drive.

  24. Access to the web interface of a router is typically done via IP address. But dealing with IP addresses may well be too much for non-techies. Thus, to make things easier (almost always a security issue in the making) for people, some router companies offer fixed names. This lets someone on the LAN get into the router with http://something.easy rather than http://1.2.3.4. Netgear uses www.routerlogin.com and www.routerlogin.net. TP-LINK uses tplinklogin.net, Asus uses router.asus.com, Netis uses netis.cc, Edimax uses edimax.setup, Amped Wireless uses setup.ampedwireless.com, Linksys uses myrouter.local and linksyssmartwifi.com. According to RouterCheck.com (the page is both undated and un-credited) this is a security weakness. Even if you follow the advice offered on this site, and elsewhere, to use a non-standard local subnet (such as 10.11.12.x), a malicious web page can still reach your router through one of these aliases: a CSRF attack no longer has to guess the router's IP address, because the router's own DNS resolves the vendor name to it. In addition, none of the router vendor documentation indicates that any of these names support HTTPS, which should always be used when logging in to a router.

  25. SSID hiding: (added Nov. 11, 2015) Like MAC address filtering, this offers only a small increase in security and comes with a high hassle factor. It was not included here at first, because I had not run across a router that did not offer it. But there may well be some. Some routers, like those from Google, are focused on ease of use for non-techies and thus throw many features overboard. They, and others, may well omit this feature. Not sure.

  26. Smartphone apps: (added June 12, 2016)
     Security when administering a router via a web browser is easily understood, but smartphone apps are different.
  27. OOBE: (added June 12, 2016) Can the router, out of the box, be configured off-line? If not, then the hardware company is interposing itself in a way that is too conducive to spying. This is a fairly new issue; I first ran across it with the new mesh router systems targeting consumers. Eero fails this test. In fact, Eero wants your phone number before the router can be configured. And, even ignoring privacy issues, this probably means that if the hardware vendor goes out of business the router is useless. The Ubiquiti AmpliFi and the Netgear Orbi mesh router systems do not require a vendor account. Luma not only requires an account; you can't even set up the router if location services are disabled on the device running its mobile app.

  28. Security Unicorn: This may not exist. As the administrator of a Local Area Network, I would like to be dinged every time a new device gets onto the network. The ding could be a text message, an email, perhaps even a beep sound. Something to alert me about a device (really a MAC address) that has not been seen before. I realize this is not perfect security, but it would still be nice to have.
    --A company called SkyDog used to offer this feature, but they disappeared in July 2014 when Comcast bought the company.
    --Eero claims their routers will do this, but I have not seen a review that mentioned it.
    --Luma says that their router "automatically recognizes any new devices in your home, and lets you grant or deny them access with a quick swipe." Again, I have not seen a review that mentioned this feature. A Nov. 2016 article on SmallNetBuilder said "If an unknown device is found on the network, Luma can send a notification through the app, alerting the owner of the unidentified device." The article, however, was a paid ad.
    --An article about the Amped Wireless AC1900 ALLY and ALLY Plus routers says "The router also alerts users when a new device requests network access". They are expected to be available in October 2016.
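Until a router does this, any always-on machine on the LAN can. The script below is an added example, not code from this page or from any of the vendors named above: it reads the host's IPv4 neighbour (ARP) table, compares the MAC addresses against a saved list of known ones, and reports anything new, remembering it so each device is reported only once. It also accepts dnsmasq-style DHCPACK log lines as an alternative source, which covers the "new device joins the LAN" logging item above for routers that log DHCP leases. Assumptions: Linux with iproute2's `ip` on the PATH for the live read; the neighbour-table and log lines shown are constructed. The alert here is a print, to be swapped for an email or text hook.

```python
"""Report LAN devices never seen before (added example, not from the page)."""
import json
import re
import subprocess
from pathlib import Path

NEIGH_RE = re.compile(r"^(?P<ip>\d+\.\d+\.\d+\.\d+) dev (?P<dev>\S+) lladdr (?P<mac>[0-9a-fA-F:]{17})")
DHCP_RE = re.compile(r"DHCPACK\(\S+\) (?P<ip>\S+) (?P<mac>[0-9a-fA-F:]{17})(?: (?P<name>\S+))?")


def parse_ip_neigh(text: str) -> dict:
    """Map MAC -> IP from `ip -4 neigh show` output.  Entries without an lladdr
    (FAILED / INCOMPLETE) carry no MAC and are skipped."""
    found = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            found[m.group("mac").lower()] = m.group("ip")
    return found


def parse_dhcp_log(text: str) -> dict:
    """Map MAC -> IP from dnsmasq-style DHCPACK lines, as an alternative source."""
    return {m.group("mac").lower(): m.group("ip") for m in DHCP_RE.finditer(text)}


def find_new_devices(current: dict, known: set) -> dict:
    """Return the subset of current (MAC -> IP) whose MAC is not in known."""
    return {mac: ip for mac, ip in current.items() if mac not in known}


def check_and_remember(current: dict, known: set):
    """One run: return (new devices, updated known set).  The first run against an
    empty known set reports everything, which seeds the list."""
    new = find_new_devices(current, known)
    return new, known | set(new)


def load_known(path: Path) -> set:
    return set(json.loads(path.read_text())) if path.exists() else set()


def save_known(path: Path, known: set) -> None:
    path.write_text(json.dumps(sorted(known), indent=2))


def read_neighbours() -> dict:
    """Live read on Linux; assumes iproute2's `ip` is on PATH."""
    out = subprocess.run(["ip", "-4", "neigh", "show"],
                         capture_output=True, text=True, check=True).stdout
    return parse_ip_neigh(out)


# Constructed `ip -4 neigh show` output.
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.1.50 dev eth0 lladdr aa:bb:cc:dd:ee:01 STALE
192.168.1.99 dev eth0  FAILED
192.168.1.77 dev eth0 lladdr AA:BB:CC:DD:EE:77 DELAY
"""

if __name__ == "__main__":
    state = Path.home() / ".known_lan_macs.json"
    new, known = check_and_remember(read_neighbours(), load_known(state))
    save_known(state, known)
    for mac, ip in new.items():
        print(f"NEW DEVICE: {mac} at {ip}")   # replace with an email/SMS hook
```

Run it from cron every few minutes. A device that never talks to the machine running the script may be absent from its ARP table, so the DHCP log source is the more complete one where the router offers it.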

  29. Internal security: (Added Nov. 17, 2016) Many new routers are sold as a set of devices, commonly referred to as a mesh. A better term would be a router system; examples are Google Wi-Fi, Netgear Orbi, Eero, Ubiquiti AmpliFi and Luma. This raises a question for which I have no answer: how is the communication between the two or three devices in a router system protected?

Rare security features

It can be argued that VLAN support belongs in the list above and I may add it at some point. It's certainly a security feature and not all that rare. VLANs (Virtual LANs) let you logically divide a single LAN into isolated sections. If attackers gain access to one section of the network, the VLAN boundary (together with firewall rules that deny traffic between VLANs) prevents access to other areas of the same network. Sony Pictures would have been well advised to employ VLANs; it would have limited the damage from their breach. Security is also much improved by isolating IoT (Internet of Things) devices as much as possible. VLANs are not in the list above because many people get close enough to the VLAN experience with Guest networks. One difference, however, is that a VLAN is a separate subnet, a feature that Guest networks are not likely to include. I use a VLAN-isolated wireless network at home for assorted devices that only need Internet access and do not need to see a network printer or a NAS box, let alone the computers on the LAN. The Pepwave Surf SOHO can even prevent this network from directly accessing the router. VLANs are not just for Wi-Fi; some routers, such as the Pepwave Surf SOHO and the Ubiquiti EdgeRouters, can put each Ethernet LAN port into its own VLAN.

VPNs and Tor: a router that can function as a VPN server lets you connect to it securely when traveling. To me, no big deal. A router that can function as a VPN or Tor client can provide some security to multiple devices, even those that are unable to use a VPN or Tor on their own.

The Portal router, which is expected to start shipping late Summer 2016 has an unusual take on Guest networks. Exactly what it is, however, is not clear from their documentation which says: "You never need to give out your network password, and your guests never need to remember it. Granting Guest Access is done using the Portal App, which uses Facebook credentials or email addresses. Guest Access is time and distance controlled, making it very secure. Whenever a device that has been granted Guest Access is within range of your network, Portal automatically creates a guest network with random SSID and credentials. This information is securely exchanged over Bluetooth. When the guest device leaves your network, Portal deletes the guest network and credentials." Sounds interesting, I hope to fully understand it someday.

This may be asking too much, as I have not run across it anywhere: the ability to change the MAC address (BSSID) that the router's Wi-Fi networks are built on. This would allow a router of brand X to masquerade as brand Y, since the manufacturer can be looked up from the first half of the address. MAC address cloning is a common feature, but I have only seen it apply to the WAN port. It exists because some ISPs use the MAC address as part of their security. I would also like it on the LAN Wi-Fi side of things.

Germany

October 24, 2015: The German government, concerned about poorly secured routers, is considering a security rating system for routers. Using a checklist somewhat analogous to this one, routers will be given points for features that increase security. See German Govt mulls security standards for SOHOpeless routers.

Some non-security features to look for

Wake-on-LAN. It's not a security issue, but it is nice to have. Grandma's out at a movie? Log in to her router, turn on her computer remotely, install bug fixes for her and then turn it off :-) Asus routers have done this for a long time. Peplink introduced WOL in firmware version 6.3 in December 2015.

Kick the kids off the Internet at bedtime. This can be done a few ways. Perhaps the best approach is to have a dedicated network/SSID for the kids to use, keeping the passwords for other Wi-Fi networks a secret from the children. Then a router with scheduling ability can disable the kiddy network at bedtime. This can also be done using a single network/SSID, but then you have to deal with identifying individual devices either by their MAC address or their IP address. This takes a bit more technical skill, is a bit more of a hassle to set up and maintain, and requires that a specific device is always used by the same person.

Context sensitive help. That is, rather than having to refer to a separate monolithic manual, that may or may not be kept in sync with the firmware, it is best to have help directly available in the web interface.

Speed tests: Some routers can run their own speed tests. To really know how fast your Internet connection is requires an Ethernet-connected device plugged directly into the modem, with no router at all. But a router running its own tests should be good enough.

I prefer external antennas to internal ones as they are more flexible. I also prefer removable external antennas as they can be replaced if broken. They can also be upgraded should the need arise.

Ethernet lights: When things go wrong, it can be handy to have Ethernet status lights. There are two aspects to this. The main body of some routers has indicator lights for each LAN-side Ethernet port. I prefer this; the more information provided, the better. Also, the Ethernet port itself may have two lights, indicating the link status/speed and activity. The lights on the Ethernet port often indicate the link speed (normally 100Mbps or 1,000Mbps) and, when blinking, that data is being transmitted. Plus, just their being on at all tells you something about the link.

Some routers have done away with the lights on top/front and/or the lights on the Ethernet ports. For example, the TP-LINK Archer D9 has a single Ethernet light on the front - beats me how it indicates the status of multiple Ethernet ports. Still, it is a step up from the $300 D-Link DIR 890L/R, released in February 2015, that has no Ethernet lights at all on the top. The Amped Wireless RTA1750 is unusual in that its Ethernet status lights on the front are all white. And, if you don't like them, there is a switch that turns them all off. The Asus RT-AC68U also has a button to turn off all the lights. I read that the upcoming Synology RT1900ac router (scheduled to be released some time in 2016) will let you schedule the status lights. Thus, you could have them on during the day, but off at night.

Documentation: Find the User Guide for the router. Look at the first two pages. Is there a date that the manual was written? Does it show the version/release the manual applies to? Is there a Last Update date? This offers a glimpse into the professionalism of the company that made the router. If the manuals are missing basic information, such as a date and version number, the company is running a second-class amateur operation. Another give-away is the failure to update the User Guide to reflect changes in the firmware.

Apple fails this test. The latest setup guide that I could find for the AirPort Extreme router has no date and no version number. A check in June 2015 for AirPort manuals turned up no manuals from 2014 or 2015. The AirPort Extreme manual was from June 2013, the AirPort Express was from June 2012. Worse still, the only manuals Apple offers are short Setup Guides. They don't have a long User Guide.

Website blocking is arguably a security feature, but an optional one. I have only tested it on two routers but in both cases it was lame. Each router would block HTTP access to the site, but failed to block HTTPS access. And, if you use this feature, you also need to be able to carve out exceptions, which may mean learning the MAC address of privileged devices, or giving them a static IP address, or using DHCP reservations. And, if a router blocks sites by name, then chances are that accessing the site directly by its IP address will not be blocked. So, I left it out of the checklist above.


This page was last updated: November 17, 2016 4PM CT     
Created: February 3, 2015
Feedback: routers_at_michaelhorowitz.com  
Copyright 2015 - 2016