The most expert person in the world can only make a router as secure as the firmware (router OS) allows. The following list of security features lets you judge how secure a router can potentially get. This is not a list of things to do to make a router more secure, that's on the home page of this site. If you care about securing a router, look for it to have the features below. Sadly, reviews of routers never discuss any of this.
- NO DEFAULT PASSWORDS (Last update: September 2024)
Default passwords used to be a huge problem for routers. As of 2024, it seems to me that more and more routers no longer have one default password used by every device, and that is a good thing. Note, however, that some default passwords may look random but are not actually random. Eventually, someone could figure out the formula used to create such a password and use it to derive the password for a given router (thanks Russ). Even if the default password is truly random, the ISP knows it, and assorted people can learn it from the ISP, either by being an employee or if the ISP gets hacked. This applies both to the password for accessing the router and to the Wi-Fi password(s). FYI: Default passwords are illegal in the UK as of 2024.
- When initially configured, does the router force you to provide a new, non-default password for logging in to the router itself?
The best routers do. Peplink does.
- When initially configured, does the router force you to provide new, non-default WiFi passwords for every Wi-Fi network?
The correct answer is yes :-)
- SECURE DNS (Added Feb 2022, updated March 2023, June 2024)
There are two versions of DNS. The older version (UDP on port 53) is not secure; the new version is. There are also two flavors of the new Secure DNS: DoH (DNS over HTTPS) and DoT (DNS over TLS). Currently (Feb. 2022) Secure DNS is no longer new, so any router should offer it as a DNS option. Secure DNS creates a secure/encrypted connection to a DoH or DoT DNS server. Just as HTTPS hides the content of secure web pages, this encrypted connection prevents the ISP from seeing the DNS requests of every device on your network.
One thing to look for is how the router deals with a failed secure DNS connection. Perhaps it does no DNS, perhaps it falls back to old insecure DNS, perhaps it lets you configure this. The Test Your DNS page on this site has much more background information on DNS.
- pcWRT supports DoH with OpenDNS, CleanBrowsing, Cloudflare, AdGuard, Google Public DNS and Quad9.
- Asus supports DoT at WAN -> Internet connection tab -> WAN DNS Setting, where the DNS Privacy Protocol can either be "None" or "DNS-over-TLS".
- Peplink added Secure DNS in firmware version 8.2 which was released in Feb. 2022. They support DoH. On a Balance 20x running firmware 8.3, you configure this at Network tab -> WAN -> DNS over HTTPS. The company says that Secure DNS will not fallback to traditional UDP DNS. The firmware natively supports Cloudflare, Quad9, Google DNS and OpenDNS. To use another Secure DNS provider, select the "Custom URL" option and enter the DNS server URL and IP address. For NextDNS, use a server name in this format:
https://dns.nextdns.io/profileID/routername
For example: https://dns.nextdns.io/xyz123/mikeysrouter
- Firewalla also supports DNS over HTTPS. Their routers can apply different DNS profiles to different devices. Wow.
- If you use NextDNS as your Secure DNS provider, their optional logging feature, available on their website, can be used to monitor/audit all DNS activity on the LAN.
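To make the DoH side of Secure DNS concrete, here is a minimal DNS-over-HTTPS client written for this page (it is not code from any router vendor). It builds an ordinary DNS wire-format query, carries it inside an HTTPS request as RFC 8484 describes, and decodes the answer; the DoH URL defaults to Cloudflare's public endpoint (an assumption) and any other DoH URL, such as the NextDNS profile URL format above, can be passed in.

```python
"""Added example: a minimal DNS-over-HTTPS (DoH, RFC 8484) client.

Constructed for this page, not code from any router vendor. It shows what
"Secure DNS" actually does on the wire: the ordinary DNS wire-format query
is carried inside an HTTPS request instead of a plaintext UDP datagram on
port 53. DOH_URL defaults to Cloudflare (named on the page, endpoint path
is an assumption); any DoH URL can be passed in instead.
"""
import base64
import ipaddress
import struct
import urllib.request

DOH_URL = "https://cloudflare-dns.com/dns-query"   # assumption: Cloudflare's public DoH endpoint
TYPE_A, TYPE_AAAA = 1, 28


def build_query(name: str, qtype: int = TYPE_A, txid: int = 0) -> bytes:
    """Encode one DNS question in RFC 1035 wire format (RD bit set).
    RFC 8484 recommends transaction ID 0 so identical queries are cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)   # class IN


def _read_name(msg: bytes, off: int):
    """Decode a possibly-compressed name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln


def parse_answers(msg: bytes):
    """Return (rcode, [(name, rtype, ttl, value), ...]) from a DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                            # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4                                   # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            value = str(ipaddress.IPv4Address(rdata))
        elif rtype == TYPE_AAAA and rdlen == 16:
            value = str(ipaddress.IPv6Address(rdata))
        else:
            value = rdata.hex()
        answers.append((name, rtype, ttl, value))
    return flags & 0x0F, answers


def doh_get_url(name: str, url: str = DOH_URL, qtype: int = TYPE_A) -> str:
    """The GET form: the query is base64url-encoded (no padding) in ?dns=."""
    b64 = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=")
    return f"{url}?dns={b64.decode('ascii')}"


def doh_resolve(name: str, url: str = DOH_URL, qtype: int = TYPE_A):
    """POST the query over HTTPS. On any failure this raises instead of
    silently retrying over plain UDP port 53, which is exactly the fallback
    behaviour the text above says to check for in a router."""
    req = urllib.request.Request(
        url, data=build_query(name, qtype), method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_answers(resp.read())


if __name__ == "__main__":
    rcode, answers = doh_resolve("example.com")
    print("rcode", rcode)
    for name, rtype, ttl, value in answers:
        print(f"{name} type={rtype} ttl={ttl} {value}")
```

Watching this run with a packet capture shows only TLS traffic to the DoH server and no port 53 datagrams, which is the same thing you want to confirm for the router as a whole.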
- ROUTER MANUFACTURER ACCOUNTS (Last update: September 2024)
Are you required to have an account with the hardware manufacturer? Yes is the wrong answer.
One problem with having an account is that you never know what information is being reported back to the mother ship. Requiring an account also opens you up to security problems if the router vendor gets hacked or has a malicious employee. It may also mean that if the hardware vendor goes out of business the router is useless. In this August 2022 article, Your Router and Online Privacy Risks: Be Aware of that Hidden Potential Danger,
Dong Ngo says "... if you use a router made by a company that forces you to log in via an account before you can manage your network, your privacy is generally at the mercy of that company ... it’s like you actively report your every move to a third party. And this is the scariest part: That happens completely without your direct knowledge. There’s no visual, warning, or ID checking, not a fist bump or a wink. It’s total unawareness."
Prior to the rise of mobile apps, this was never an issue. Now that so many routers are managed with a mobile app, the majority of routers require you to have an account. Three vendors that let you use their routers without having an account are Peplink, Asus and pcWRT.
December 27, 2021: Please recommend a router without need for a cloud account by hnthrowaway0315 at Hacker news. Most recommended: OpenWRT, Turris Omnia, Netgear (they require an account to use their mobile app, but there is still a LAN side web interface that does not require an account), ASUS hardware flashed with AsusWRT-Merlin firmware, Synology and FritzBox
Eero, now owned by Amazon, goes so far as wanting your phone number before the router can be configured. In fact, Eero may be the worst company when it comes to privacy, both because you have no control over how this works and because it is Amazon, which already knows much about us. Needless to say, Google requires an account to use their routers and their privacy policy is here: Google Wifi and your privacy. It is long and complicated.
Linksys wants you to create a Linksys account, but there is a secret way to use their routers without doing so. In an article comparing the Synology RT6600ax with the Ubiquiti Dream Machine (July 2022), Dong Ngo points out that Synology does not require a login account while Ubiquiti requires an account when using both the UniFi mobile app and the web user interface.
- ROUTER SPIES ON YOU (Last Update: Feb 2022)
- From: Your Router Is Collecting Your Data. Here's What to Know, and What You Can Do About It by Ry Crist of CNET (February 25, 2022). A review of the privacy policies for D-Link, Netgear, Asus, TP-Link, Eero, Google Nest and Arris found that each company collected personal data for the purpose of marketing. All the companies also share user data with third parties for marketing purposes. D-Link refused to answer questions about privacy. TP-Link does not offer any direct means of opting out. Eero was the worst. The only way to stop Eero devices from gathering data is to not use them.
- From: Router Management: Web Interface vs. App and the Trend Linksys Typifies by Dong Ngo (May 29, 2021). Quoting: " ... the [mobile] app itself is not inherently bad. Rather it's the intention behind the app that can be problematic. That’s especially true when a vendor attempts to turn you into a product via the app. Have you ever wonder how exactly the app on your phone is linked to the router at home? There’s no magic. You likely pay for that with your personal information. In fact, the mining of personal information is so lucrative that many vendors - such as Google or Amazon - have gone as far as taking the web interface entirely out of their home networking devices and make the app the only option
... ever wonder why a vendor would like to collect data from your network, the answer is, among other things, advertising. Your online habits reveal a lot about what you have bought and are going to buy. This type of information, collected over time, is a gold mine for the receiving end. In other words, you become the product.."
- For routers that do not require a vendor account, we still have to ask: how much, if any, data does the router send back to the hardware manufacturer? I have tested this with my favorite router, the Pepwave Surf SOHO. The only outbound requests the router made were for the time of day. It did not send anything back to Peplink at all. I have also tested pcWRT in detail and found that it does not phone home.
- In Jan. 2021, I blogged about configuring a Linksys router. There was an option "I want to contribute to future improvements by reporting router errors and diagnostics to Linksys". The router also had a speed test from OOKLA and a link to the OOKLA privacy policy.
- In July 2017 Netgear started collecting "analytics". For more on that see the Bugs page for July 2017, this article and What router analytics data is collected and how is the data being used by NETGEAR? (last updated 6/10/2020).
- Linksys is owned by Belkin, which in turn, is owned by Foxconn Interconnect Technology, a subsidiary of Foxconn, the Taiwanese company best known for making iPhones.
The Belkin Privacy Policy (last updated July 1, 2020) is very long and complicated. It says: "We automatically collect information when you use Belkin websites or Belkin products, including ... usage data about how and when you use Belkin products, other devices that are connected to Belkin products and what features of Belkin products you use; [and] technical information and data gathered when your Belkin products are connected to the Internet, such as how many and which devices are connected to your home network, when you use the devices and the amount of network traffic generated."
- Integrated security software: Some router vendors integrate security software into the router firmware. One example is Netgear, which offers BitDefender software with some of their router firmware. This is sold to the public as good for security, but the flip side is that it is bad for privacy. Considering the EULA that Trend Micro requires router owners to agree to, it may be best to avoid routers that include Trend Micro software. The EULA notes that web page URLs and email messages may be sent to Trend Micro. For more, see Review: ASUSWRT router firmware by Daniel Aleksandersen (May 2017) and The Asus RT-AC68U router - it's fast but it also secure? by John Dunn (July 2015).
- LOCAL ADMINISTRATION
A malicious person on your network is bad enough, but we need to prevent them from being able to modify the router. The web interface of a router also needs to be protected from malicious web pages that exploit CSRF bugs.
- Is HTTPS supported? In 2013, Independent Security Evaluators tested 13 consumer routers. Some supported HTTPS, some did not. Every router that supported it, however, had it disabled by default. According to this thread, Netgear does not support HTTPS on the LAN side and customers have been asking for it since 2016.
- If HTTPS is supported, can admin access be limited exclusively to HTTPS?
- Can the TCP/IP port used for the web interface be changed?
- Does the router allow very short passwords?
- Can access be restricted by LAN IP address? To really prevent local admin access, limit it to a single IP address that is both outside the DHCP range and not normally assigned.
- Can admin access be limited to Ethernet only?
- Can access be restricted by MAC address? The TP-Link Archer C7 supports this. See screenshot.
- Can router access be restricted by SSID and/or by VLAN? The Pepwave Surf SOHO can do both of these since it can assign an SSID to a VLAN (screenshot).
- Is it limited to one logon at a time? It should be. The router should not allow multiple computers to logon at the same time using the same userid.
- Is there some type of lockout after too many failed attempts to login to the web interface? Peplink added this in firmware 7.0.1, released June 2017.
- Is there a CAPTCHA option for logging in? (D-Link offers this)
- Every time the router administrator logs on to the router, there should be a log entry for this. Peplink does this.
- Every time someone tries to log on to the router but provides an incorrect password, there should be an audit log created. Peplink does this.
- Users on a Guest Wi-Fi network should not be allowed to access the router's admin interface.
- Can you logout of the web interface? You should be able to. I have seen Linksys and D-Link routers without a Logoff button.
- Does it time out? It should, and you should be able to set the timeout period. See Cisco example.
- See the section below on rare security features for some nifty options in FRITZ!Box routers.
- REMOTE ADMINISTRATION (aka Remote Access to the web interface)
- Is it off by default? It should be. The Linksys AC1900 (EA6900) has Remote administration enabled by default.
- Can it be limited to HTTPS only? To me, this is an absolute must. The Netgear Nighthawk R700, despite great reviews, only supports remote management over HTTP, which means your password travels in the clear. I have seen this too with low end Asus routers, while their higher end models do offer HTTPS.
- Can the port number be changed? (also a must)
- Can access be restricted by source IP address or source network?
Here is an example of this, from a Pepwave Surf SOHO router running Firmware 6.2. The "Allowed source IP subnets" is where you can set multiple IP addresses (yes, it's a bit confusing) and IP subnets from which remote administration is allowed. In reference to the two issues above, the security for remote administration can be HTTP only, HTTPS only, or both. In the screenshot, it is HTTPS only. The "Web admin port" is the port used for remote administration; in the screenshot it is 12345. The "Web admin access" can be set to LAN only (which disables remote admin) or, as in the example, both LAN and WAN.
FYI: Most of us, at home, have a dynamic/changing IP address from our ISP, which at first glance would seem to rule out Remote Administration. The standard solution to this is Dynamic DNS (aka DDNS), which is supported on some routers. DDNS assigns a static name to the router and when DDNS software on the router detects a change in the public IP address, it updates the DNS for the static name. Some router vendors offer not only embedded DDNS software but also a free DDNS service. Another option is a VPN provider that offers static IP addresses for an extra fee.
- Does it time out? (it should) That is, if you forget to log out from the router, eventually your session should time out, and you should be able to set the time limit; the shorter, the more secure.
- Does the router create an audit log every time someone tries to logon, whether the logon was successful or not?
- Is it limited to one logon at a time? It should be. The router should not allow multiple computers to logon at the same time using the same userid.
- Is there some type of lockout after too many failed attempts to login to the web interface? Peplink added this in firmware 7.0.1, released June 2017.
- Cloud: rather than have a router open a port to allow incoming Remote Admin connections, many router vendors offer a cloud service for administration of their routers. To me, this leaves you vulnerable to bad employees of the hardware vendor. Or, a government could perhaps lean on the hardware company to do something undocumented.
- See the section below on rare security features for some nifty options in FRITZ!Box routers.
- FIREWALL (Last Update: Jan. 2019)
There are three aspects to the security of a router firewall.
- Inbound WAN: What ports are open on the WAN/Internet side? The most secure answer is none and you should expect any router not provided by an ISP to have no open ports on the Internet side. One exception is old school Remote Administration, which requires an open port. Every open port on the WAN side needs to be accounted for, especially if the router was provided by an ISP; they often leave themselves a back door. The Test your router page links to many websites that offer firewall tests. That said, none of them will scan all 65,535 TCP ports or all 65,535 UDP ports. The best time to test this is before placing a new router into service. See the page on New Router Setup for more.
- Inbound LAN: What ports are open on the LAN side? Expect port 53 to be open for DNS (probably UDP, maybe TCP). If the router has a web interface, then that requires an open port. The classic/standard utility for testing the LAN side firewall is nmap. There are some instructions for using nmap on the New Router Setup page. As with the WAN side, every port that is open needs to be accounted for.
- Outbound: Can the router create outgoing firewall rules? To me, this is a huge consideration. There are all sorts of attacks that can be blocked with outgoing firewall rules. For example, a firewall rule can ensure that a baby monitor stays within the home and never sends any data to anywhere on the Internet. Here is an example of a Peplink firewall rule that blocks access to a domain for all devices connected to the router. Generally, consumer routers do not offer outbound firewall rules while business class routers do. In addition to blocking, it would be nice if the blocks were logged for auditing purposes. Note, however, that devices connected to Tor or a VPN will not obey the outbound firewall rules.
- VLANs (added March 2, 2024)
While a router firewall keeps bad guys on the Internet away from the devices in your home, a VLAN (Virtual LAN) can isolate suspected bad devices in your home to minimize their contact with your important devices. There is a page here devoted to VLANs with many details, so the topic here is brief. VLANs let you logically divide the network in your home into isolated sections. If attackers gain access to one section of the network, the VLAN can prevent access to other areas of the same network. Security is also much improved by isolating IoT (Internet of Things) devices as much as possible. VLANs are not available in many routers, but a Guest network can be a poor man's version. With Peplink routers a VLAN can be totally isolated or you can use internal firewall rules to allow/block specific types of data flowing between VLANs. In addition, Peplink VLANs can prevent the devices inside a VLAN from communicating with other devices in the same VLAN. With Peplink, you first define a VLAN and then assign it to one or more Ethernet LAN ports and/or one or more SSIDs.
- WIFI
No one can hack into a network that does not exist.
- Can the wireless network(s) be scheduled to turn off at night and then back on in the morning? Some routers that offer this feature are the Pepwave Surf SOHO (all Peplink routers can do this), the Amped Wireless RTA1750, pcWRT and the Synology RT1900ac.
- Is there a WiFi on/off button? The idea is to make it easier to disable WiFi when it's not needed. When this is easily done, more people will do it. This is a somewhat rare feature. Note that a number of routers have a very small WiFi On/Off button that is hard to reach, or even see.
Some routers with Wi-Fi On/Off buttons are the TP-Link Archer C7, C9, D9 and C3150, the Synology RT1900ac and RT2600ac, the Netgear R6220 and some FRITZ!Box routers (popular in Germany and Australia). Here you see a big WLAN button on the top of a FRITZ!Box router.
The Netgear Nighthawk X4 R7500v2 and the R6400-100NAS also have the button in an easy to locate position on the top of the router. The high end Asus RT-AX88U has a big Wi-Fi button in the front. The Asus RT-AC68U has it on the side, as does the Asus RT-AC1900P and the Synology RT2600ac. Other Asus models with a Wi-Fi button are the RT-AC86U and the ROG Rapture GT-AC5300. Not all Asus routers have a Wi-Fi button.
- HIDDEN WIFI NETWORKS (added Dec. 13, 2021)
Some routers (examples below) create a hidden Wi-Fi network. It is typically created for supporting a mesh environment and serves no purpose when using a single device router without mesh. Sometimes this hidden network can be disabled, sometimes not.
- WPA2
Although every router offers WPA2 encryption with Pre-Shared Key (PSK) there are still things to look for:
- Verify that the router offers WPA2 exclusively. If the only option is a combination of WPA and WPA2, then it is not as secure as WPA2.
- After opting for WPA2 encryption, a better router will always use AES or CCMP (two terms for the same thing). Some routers offer TKIP as an option with WPA2. TKIP is not as secure. Meraki is a high end wireless vendor owned by Cisco. I have seen a network running their hardware offer WPA2 with TKIP. If there is no secondary option after you select WPA2, then you will need to use a WiFi scanner app, such as WiFi Analyzer on Android, to see if it is using AES, CCMP or TKIP.
- Look for an option called Protected Management Frames (PMF) and turn it on. While this increases security, it is an optional WPA2 feature and may not be supported by all your devices. If a device cannot log in to the router after enabling PMF, then perhaps create a separate SSID that does not use PMF.
- Look for WPA2 Enterprise support. The upside is that WPA2-Enterprise lets every Wi-Fi user have their own userid and password. Another advantage is that some bad guys will not know how to attack a WPA2-Enterprise network. The downside is that it requires a RADIUS server to handle these userids/passwords and thus it will be too high a bar for most people. Normal WPA2 is, technically, WPA2-PSK where PSK means Pre-Shared Key, which translates in plain English to there is one and only one password. See the WPA2 WPA3 Encryption page for more.
- WPA3 (added Nov. 28, 2023)
WPA3 is an improvement over WPA2, but not a drastic improvement. For example, the PMF feature mentioned above, which is optional in WPA2, is required in WPA3. If your router supports WPA3 you should try to use it. But, it is likely that some of your devices will not be able to connect to an SSID using WPA3. The bad solution is to configure the SSID as supporting both WPA2 and WPA3. The better solution is to have an SSID that only does WPA2 and another SSID that only does WPA3. Many routers can only create two SSIDs, yet another reason to get a good router. Also, see if you can update the Wi-Fi software on your devices; it is possible that this may add support for WPA3.
- GUEST NETWORKS (updated Jan. 26, 2021)
A guest network is a good thing for security. If nothing else, it gives you a second SSID with a second password, so you don't need to give visitors to your home or office the password for the main network/SSID. I blogged on this December 2015: To share or not to share - a look at Guest Wi-Fi networks. But, all guest networks are not the same; here are some features you may run across.
- The biggest security feature of a wireless guest network is that it can keep guests/visitors and IoT devices away from the main/private network. When this is working properly, guest users will not be able to see anything that is Ethernet connected to the router, or anything that is connected to a non-guest wireless network from the same router. Some routers always offer this separation, others let you configure it. The feature is given different names by different vendors.
- Asus calls it "Access Intranet"
- Both Synology and TP-LINK call it "Allow Guests to access my local network" (see TP-LINK example)
- D-Link calls it "Internet access only" in the Guest Zone
- TRENDNET also calls it "Internet access only" and they explain that it "prevents guests from accessing the private LAN network".
- Eero and AmpliFi have no configuration option for this.
- Peplink does not offer Guest Wi-Fi networks, but any Peplink SSID can be isolated by assigning it to a VLAN that does not allow inter-VLAN routing. (more)
- With Google Wi-Fi, sharing between the Guest and main network is always enabled, but devices on the main network are only shared if you specifically share them in a Google app.
More here: How Google wants to re-invent the router (April 2017).
- Older Netgear routers had an option to "allow guests to access my local network". From a March 2015 article at How-To Geek. I am not sure if this still exists.
You can test whether the Guest and main networks are isolated with a LAN scanner app such as Overlook Fing, which runs on iOS, Android, Windows and OS X. If run from a Guest device, the scan should not see any devices on the private network. Another option is, from a guest network, to try and access a NAS or a network printer or any other LAN device exposing a web interface. Finally, there is the simple Ping command.
- If isolating Guest devices from the main network is step 1, isolating them from each other is step 2. This increases security because if one Guest device (probably IoT) is malicious, the router can prevent it from seeing any other devices. Guest devices can be fooled into thinking they are the only device connected to the router. Put another way, Guest devices can see the Internet and nothing but the Internet. A few routers let you configure this, most do not. What is the default behavior when there is no configuration option? You will need to test for yourself as described above. While it is more secure to not let Guest/IoT devices see other devices on a Guest network, there are times when you want to do this. The solution there is to have more than one Guest network, one where devices can see each other and one where they cannot. Peplink is the only company I know that allows this level of configuration, and it does this on each of the many wireless networks their routers can create. As for consumer routers:
- TP-LINK calls this "Allow Guests to See Each Other"
- TRENDNET calls this "Wireless Client Isolation" and they explain that it "isolates guests from each other"
- Synology (as of SRM 1.2.3) has no option for this. Guest users are isolated from each other by default
- According to a March 2015 article at How-To Geek, older Netgear routers had an option to "enable wireless isolation" which prevented guest users from seeing each other. However, the Netgear Nighthawk X6 combined two options into a single option called "allow guests to see each other and access the local network." Not good. As the article says, "There are numerous, and perfectly valid, reasons for wanting to enable one and not the other (e.g. your kids want to play network games with their friends on the guest network so network isolation must be disabled, but you don't want them to access your LAN)..."
- If there are multiple guest networks (often one on the 2.4GHz band and another on the 5GHz band with different SSIDs), then the question becomes whether guest users on one guest network can see guest users on another guest network.
- Guest networks should offer the same over-the-air encryption options as other Wi-Fi networks, specifically WPA2 or WPA3. It is unlikely that a Guest network will support the Enterprise version of WPA2 or WPA3 (Peplink does). Way back when, Belkin and Linksys Smart WiFi routers did not support WEP, WPA or WPA2 on their Guest networks. Way back.
- Each Guest network should offer its own password. Linksys offers two Guest networks but they must share the same password. Ubiquiti AmpliFi routers default to not having a password on the Guest Network. You can add a password, but this is done on a different screen in the mobile admin app and thus easily missed.
- A Guest user should not be able to make administrative changes to the router. Better still, they should not be able to see, never mind logon, to the admin interface of the router.
I have never seen this discussed in relation to any consumer router, so it is the sort of thing you will have to test for yourself. I have tested two, Peplink and Synology, both of which have a web interface. Synology routers do not allow Guest users to access the web interface of the router. It is not a configurable thing. With Peplink, this is configurable; you can limit router access to a single SSID or VLAN or to the untagged LAN. Routers that are administered with a mobile app are a whole different thing. I have no idea if any of them limit router access by Guest devices.
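The isolation tests described above (scanning from a Guest device, trying to reach a NAS or printer, and checking whether the router's admin interface is reachable from the Guest network) can be scripted. The following probe is an added example written for this page, not a vendor tool; the target addresses and ports are constructed placeholders to replace with your own LAN values, and it is run from a device connected to the Guest SSID.

```python
"""Added example: a TCP reachability probe to check Guest network isolation.

Constructed for this page, not a vendor tool. Run it from a device that is
connected to the Guest SSID. Each target is something a guest should NOT be
able to reach: the router's admin interface, a NAS, a printer. The addresses
and ports below are constructed placeholders; substitute your own LAN values.
"""
import socket
from typing import Callable, Iterable, List, Tuple

Target = Tuple[str, int, str]       # (host, port, label)
Result = Tuple[str, int, str, str]  # (host, port, label, state)

# Constructed sample targets (assumed private-network addresses, not from the page).
PRIVATE_TARGETS: List[Target] = [
    ("192.168.1.1", 80, "router admin interface (HTTP)"),
    ("192.168.1.1", 443, "router admin interface (HTTPS)"),
    ("192.168.1.10", 445, "NAS (SMB)"),
    ("192.168.1.20", 80, "network printer web interface"),
    ("192.168.1.20", 9100, "network printer (raw print)"),
]


def tcp_connect(host: str, port: int, timeout: float = 1.5) -> str:
    """Classify one TCP connect attempt.

    'open'     - handshake completed: the service is reachable.
    'refused'  - the host answered with RST: nothing listening on that port,
                 but the guest can still reach the host at the IP level.
    'filtered' - no answer at all: what a properly isolated guest should see.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, OSError):
        return "filtered"


def probe(targets: Iterable[Target],
          connect: Callable[[str, int], str] = tcp_connect) -> List[Result]:
    """Probe every target; `connect` is injectable so the logic can be tested offline."""
    return [(host, port, label, connect(host, port)) for host, port, label in targets]


def isolation_verdict(results: Iterable[Result]) -> Tuple[bool, List[Result]]:
    """Isolation holds only if every probe was 'filtered'.

    A 'refused' result is still a leak: the guest device got a packet back
    from a private host, so the two networks are not truly separated.
    """
    leaks = [r for r in results if r[3] != "filtered"]
    return (not leaks, leaks)


if __name__ == "__main__":
    isolated, leaks = isolation_verdict(probe(PRIVATE_TARGETS))
    if isolated:
        print("Guest isolation OK: no private target answered.")
    else:
        print("Guest isolation FAILED; reachable from the guest network:")
        for host, port, label, state in leaks:
            print(f"  {host}:{port} ({label}) -> {state}")
```

Run it once from the private network first (the targets should show as open or refused) to confirm the probe itself works, then from the Guest network, where every target should be filtered.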
- Some Guest networks are not normal; instead they are Captive Portals. This is the type of network typically seen in a hotel, where you have to first view a web page with details of allowable behavior and acknowledge having seen it before being allowed Internet access. This is bad, mostly for usability; clients can appear to be connected, but they are not. See this June 2015 article by Chris Hoffman: Warning: Guest Mode on Many Wi-Fi Routers Isn't Secure. I also blogged about this in June 2015: Linksys Smart Wi-Fi makes a stupid Guest network. Then, in January 2021, I wrote The Misery of a Linksys router, which had more about their use of Captive Portals for Guest Wi-Fi.
- Some routers let you schedule the guest network(s). It would be great if you could turn it on for X hours and then have the router de-activate it. Probably the worst thing about guest networks is leaving them on all the time. Synology and Peplink support this, as does the Ubiquiti AmpliFi. So too does the Trendnet TEW-813DRU. The company has an online emulator from which I took a screen shot.
- No one can hack or use a network that does not exist. To that end, it should be as easy as possible to enable and disable a Guest Wi-Fi network. I would assume that a router administered with a mobile app would involve fewer steps/clicks than one with a web interface. Another option is voice: Eero (owned by Amazon) can be told to start and stop the Guest Wi-Fi network with Alexa commands. Likewise, at least one D-Link router can also be connected to Alexa and then told to start/stop the Guest Wi-Fi. On the other hand, this is not very secure, especially in a home with children. Everything is a trade-off.
- Does the Guest network share the same subnet as the private network or use a different one? Different is better and is what I have usually seen.
- Nice to have: Some routers (Peplink, Ubiquiti AmpliFi and Synology for example) let you limit the total number of concurrent guest users. Synology screws this up, however, as the two lowest options are 1 and 16. That is, you cannot, for example, limit a Guest network to two or three users.
- Nice to have: Some routers let you limit the bandwidth of guest networks. In the TP-LINK example above, it is not clear if the limit applies to the entire network as a whole or to each user individually.
- New Guest alert. It would be nice to be alerted every time a new Guest user/device logged on. The discontinued Norton Core router was the only one I knew of that could alert you when a new user joined the Guest Network. Eero alerts on new users in its mobile app on the main network; I have not tested this on the Guest network. Peplink can log every time a new device is assigned an IP address, but it does not offer passive alerts.
- FYI: On consumer routers, the Guest Wi-Fi network(s) use the same DNS servers as everyone else connected to the router. On higher end business/professional routers, such as Peplink, Ubiquiti UniFi, Cisco and Draytek, an SSID can be assigned to a VLAN and thus each SSID can use different DNS servers.
- FYI: Time limits. The discontinued Norton Core router could apply different time limits to each individual Guest device. Five minutes before a user's time was going to expire, the router could alert you, so that the time could be extended.
- FYI: Some routers do not let you choose the Guest network name. The Linksys Smart WiFi line, for example, always uses the SSID of the private network and appends "-guest" at the end.
- FYI: Vouchers. The Ubiquiti UniFi system can run a Guest network based on vouchers. Users are forced to enter a voucher ID on a captive portal page. Vouchers can be single-use or multi-use. They last for a customizable amount of time and can also be linked to a bandwidth quota or bandwidth limits. You can print a sheet of codes, cut it up and give them out. The down side is that this requires Ubiquiti controller software. More here, here and here.
- FYI: Synology routers have Guest networks designed for businesses rather than consumers. One feature they offer is the ability to generate a new Guest Wi-Fi password every day. Still, I would avoid Synology routers.
- FYI: Kick the tires on how an Asus router configures Guest networks and see documentation on guest networks from TP-LINK, Netgear and Linksys.
- WPS (Last update: March 2017)
- Is WPS supported? WPS has been such a security disaster that I would not want to use any router that supports it.
Since WPS is required for WiFi certification, it is widely present in consumer routers. Yet another reason not to use a consumer
router.
- At the end of March 2017, I added a new WPS page to this site with everything you ever wanted to know about it, and more.
- If you are using a router that supports WPS, then check to see if it can be turned off. There are two aspects to this. When the security issues with WPS first came
to light at the end of 2011, some routers would not disable WPS even when told to do so - a bug. Then too, some routers do not
let you disable WPS.
- WPS status: To verify that WPS is disabled use a WiFi survey type application such as the excellent WiFi Analyzer on Android. On Windows, look into
WiFiInfoView from Nirsoft - it is free and portable.
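For Linux users, the same check can be scripted. The Python below is an added example (it is not from this site, Nirsoft or any router vendor): it parses the output of `iw dev <interface> scan`, which prints a `WPS:` block under every access point that advertises WPS in its beacons, and reports the result per BSSID. Checking per BSSID rather than per network name matters because a dual-band router has a separate radio for each band, and WPS may be off on one band but still on for the other. The scan text embedded in the script is constructed to mimic iw's layout (three access points, two of them advertising WPS); pass an interface name on the command line to run a real scan.

```python
# Added example: list which nearby Wi-Fi networks advertise WPS, from `iw` scan output.
# SAMPLE_SCAN is a constructed imitation of `iw dev wlan0 scan`; it is not real data.
import re
from dataclasses import dataclass, field
from typing import List

SAMPLE_SCAN = """\
BSS 00:11:22:33:44:55(on wlan0)
\tfreq: 2437
\tsignal: -45.00 dBm
\tSSID: HomeNet
\tRSN:\t * Version: 1
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 2 (Configured)
\t\t * Response Type: 3 (AP)
\t\t * Config methods: Label, PBC
\t\t * RF Bands: 0x1
BSS 66:77:88:99:aa:bb(on wlan0)
\tfreq: 5180
\tsignal: -60.00 dBm
\tSSID: HomeNet-guest
\tRSN:\t * Version: 1
BSS cc:dd:ee:ff:00:11(on wlan0)
\tfreq: 2462
\tsignal: -70.00 dBm
\tSSID: Neighbor
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 2 (Configured)
\t\t * AP setup locked: 0x01
\t\t * Config methods: Display, PBC
"""

@dataclass
class AccessPoint:
    bssid: str
    ssid: str = ""
    freq: int = 0
    wps: bool = False            # a WPS information element was present in the beacon
    wps_locked: bool = False     # "AP setup locked" flag (external registrar disabled)
    config_methods: List[str] = field(default_factory=list)

def parse_iw_scan(text: str) -> List[AccessPoint]:
    """Walk iw's indented output: one tab = top-level field, two tabs = sub-field."""
    aps: List[AccessPoint] = []
    ap = None
    in_wps = False
    for line in text.splitlines():
        m = re.match(r"BSS ([0-9a-f:]{17})", line)
        if m:                                  # start of a new access point
            ap = AccessPoint(bssid=m.group(1))
            aps.append(ap)
            in_wps = False
            continue
        if ap is None:
            continue
        stripped = line.strip()
        if line.startswith("\t") and not line.startswith("\t\t"):
            in_wps = stripped.startswith("WPS:")   # any other top-level field ends the WPS block
            if in_wps:
                ap.wps = True
            elif stripped.startswith("SSID:"):
                ap.ssid = stripped[len("SSID:"):].strip()
            elif stripped.startswith("freq:"):
                ap.freq = int(stripped.split(":")[1])
            continue
        if in_wps:
            if "Config methods:" in stripped:
                ap.config_methods = [x.strip() for x in stripped.split(":", 1)[1].split(",")]
            elif "AP setup locked:" in stripped:
                ap.wps_locked = stripped.rsplit(":", 1)[1].strip() != "0x00"
    return aps

def wps_enabled_for(aps: List[AccessPoint], ssid: str) -> List[str]:
    """BSSIDs of the named network that still advertise WPS. Empty list = off on every band."""
    return [ap.bssid for ap in aps if ap.ssid == ssid and ap.wps]

def wps_report(aps: List[AccessPoint]) -> List[str]:
    out = []
    for ap in sorted(aps, key=lambda a: (a.ssid, a.bssid)):
        if ap.wps:
            lock = " (AP setup locked)" if ap.wps_locked else ""
            out.append("%-16s %s %5d MHz  WPS ON  methods=%s%s"
                       % (ap.ssid, ap.bssid, ap.freq, ",".join(ap.config_methods), lock))
        else:
            out.append("%-16s %s %5d MHz  WPS off" % (ap.ssid, ap.bssid, ap.freq))
    return out

if __name__ == "__main__":
    import subprocess, sys
    if len(sys.argv) > 1:   # e.g. python3 wps_check.py wlan0   (needs root for a scan)
        text = subprocess.run(["iw", "dev", sys.argv[1], "scan"],
                              capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE_SCAN
    for row in wps_report(parse_iw_scan(text)):
        print(row)
```

If your own SSID shows "WPS ON" on any BSSID after you disabled WPS in the router's web interface, you have found one of the routers that ignores the setting.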
- ROUTER USERID
- Can the userid for the web interface be changed? Every router lets you change the password, a few let you also change the userid. This is most
important when using Remote Administration. An
October 2016 study of 12,000 home routers by ESET found that "admin" was the userid "in most cases."
- Is there a read-only user? Most routers only allow for one userid, but some allow for two: one with full admin privileges and one that is only
allowed to view stuff but not make changes.
- Many users: this seems like overkill to me, but some routers let you define multiple userids. A Verizon DSL gateway, the D-Link 2750B, goes so far as to let you define groups of users.
- ROUTER ADMIN PASSWORD
- How long can the router password be? In one of my favorite stories, Brian Krebs ran across a router that only supported passwords up to 16 characters long. Quoting from
his article: "I helped someone set up a ... ASUS RT-N66U ... router, and ... made sure to change the default router credentials ...
... my password was fairly long. However, ASUS's stock firmware didn't tell me that it had truncated the password at 16 characters ....
when I went to log in to the device later it would not let me in ... Only by working backwards on the 25-character passphrase I'd chosen - eliminating
one letter at a time ... did I discover that the login page would give an "unauthorized" response if I entered anything more than the first
16 characters of the password". I have also read of a D-Link router that limits passwords to 15 characters and also does not make this clear.
So, test if your router allows a 17 character password. It should.
- How short can the router password be? Very short passwords should not be allowed.
- Are the password rules explained? When you change the router password, does the User Interface explain the rules about acceptable passwords?
That is, does it say anything about the length of the password or if any characters are not allowed?
- Does the router defend against brute force password guessing? After a certain number of wrong passwords it should do something to prevent further
guessing.
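The Krebs story describes the test procedure exactly: set a long password, then try shorter and shorter prefixes of it. The Python below is an added example (not from this site, Krebs or any router vendor) that automates that "working backwards" search against an authentication function, and shows the two ways a router can truncate. The simulated routers are constructed for the example; against a real device, `auth` would be a function that submits the login form and returns True on success. One of the simulations also locks out after five failures, which is the brute-force defence asked for above, and which stops the probe dead, so test on a fresh router before you depend on it.

```python
# Added example: detect silent truncation of the router admin password.
# The routers below are simulations constructed for this example.
from typing import Callable, List, Optional

PASSWORD = "Abcdefghijklmnopqrstuvwxy"   # 25 characters, like the passphrase in the Krebs story

def make_router(stored_password: str, limit: Optional[int], truncate_login: bool,
                lockout_after: Optional[int] = None) -> Callable[[str], bool]:
    """Build an auth oracle for a simulated router.

    limit          characters kept when the password was SET (None = no limit)
    truncate_login whether the login form also truncates what the user types
    lockout_after  consecutive failures after which the router stops answering
    """
    stored = stored_password if limit is None else stored_password[:limit]
    failures = {"n": 0}

    def auth(candidate: str) -> bool:
        if lockout_after is not None and failures["n"] >= lockout_after:
            raise PermissionError("locked out after %d failed logins" % failures["n"])
        if truncate_login and limit is not None:
            candidate = candidate[:limit]
        ok = candidate == stored
        failures["n"] = 0 if ok else failures["n"] + 1
        return ok
    return auth

def accepted_prefix_lengths(auth: Callable[[str], bool], password: str) -> List[int]:
    """Krebs-style: try the full password, then drop one character at a time,
    recording every prefix length the router accepts."""
    accepted = []
    for n in range(len(password), 0, -1):
        if auth(password[:n]):
            accepted.append(n)
    return sorted(accepted)

def truncation_length(auth: Callable[[str], bool], password: str) -> Optional[int]:
    """Shortest accepted prefix shorter than the full password, or None if only
    the full password works (no truncation detected)."""
    shorter = [n for n in accepted_prefix_lengths(auth, password) if n < len(password)]
    return min(shorter) if shorter else None

if __name__ == "__main__":
    cases = {
        "honest router":                    make_router(PASSWORD, None, False),
        "truncates at set time only (Asus)": make_router(PASSWORD, 16, False),
        "truncates at set and login time":  make_router(PASSWORD, 16, True),
        "truncates, locks out after 5":     make_router(PASSWORD, 16, False, lockout_after=5),
    }
    for name, router in cases.items():
        try:
            print("%-36s full password works: %-5s truncation: %s"
                  % (name, router(PASSWORD), truncation_length(router, PASSWORD)))
        except PermissionError as e:
            print("%-36s probe aborted: %s" % (name, e))
```

Note the third case: when the router truncates consistently, the full 25-character password logs you in and everything looks fine, yet any 16-character prefix logs you in too, so the effective password is 16 characters. Only the prefix test reveals this.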
- MAC ADDRESS FILTERING
I am well aware that MAC address filtering is far from perfect. That said, it does make it harder for bad guys to get on to
your network. Many people say not to bother with it, both because it's a big administrative hassle and because it will not block a skilled attacker. The administrative hassle, however, is not the same on all routers.
- The big question with MAC address filtering is whether this feature applies to all networks created by the router, or, to all networks on the
same frequency band (2.4GHz or 5GHz), or, in the best case, if there are separate MAC filtering lists for each individual network/SSID?
If a router supports independent filtering lists for each SSID, then MAC address filtering can be used for the main, private SSID and not used
on guest networks. This makes it a practical solution as the maintenance hassle is so low.
- Another aspect that can make this much easier to deal with is comments. That is, instead of just maintaining a list of black- or white-listed MAC
addresses, the router should also let you add a comment to each MAC address. This way you can easily check if computer X is already in the list or not.
And, when tablet Y is lost, it makes it easy to remove it from the list. Of the routers I have seen, only AirOS firmware running on a Ubiquiti
AirRouter offered the ability to add a comment.
- UPnP (Revised Jan 12, 2019)
Universal Plug and Play (UPnP) can be a security problem in two ways. It was designed for use on a LAN, where it lets any device ask the router
to open (forward) a port to it, with no authentication. That is how many IoT devices make themselves reachable from the Internet, where they get hacked, either through security flaws or default passwords. UPnP was never meant to be reachable from the Internet side, but some routers mistakenly exposed it there too. Most routers let you disable UPnP on
the LAN side.
- Is UPnP enabled on the LAN side? As a rule, consumer routers have UPnP enabled, while business routers have it disabled. Can you disable it? If not, throw out the router. The D-Link DIR-880L is the rare
router that does not let you disable UPnP. Early releases of Luma routers did not let you disable UPnP. As of a software update from August 2016, UPnP can be disabled.
- Is UPnP enabled on the WAN side? Steve Gibson's UPnP exposure test is the only way that I know of to test for UPnP being enabled on the WAN/Internet side of a router. Start at his ShieldsUP!, then click the gray "Proceed" button. On the next page click the big orange button
labeled "GRC's Instant UPnP Exposure Test". I would take any router that fails this test out of service.
- If you must use UPnP, then look for a router that offers detailed status information about the state of forwarded ports, such as the app that made the UPnP request and details on the currently active port forwarding rules. Some port forwarding rules come from UPnP and some don't. It is best to use a router that clearly shows which port forwarding rules came from UPnP requests. Synology routers display a UPnP client list. The TP-LINK Archer C7 has an online demo of the C7 user interface. Click on Forwarding, then UPnP to see its display of UPnP information, which includes a description of the application that initiated a UPnP request, the external port that the router opened for the application, the IP address of the LAN device that initiated the UPnP request, and more. Netgear KB article, How do I enable Universal Plug and Play on my NETGEAR router? describes a UPnP Portmap Table that displays the IP address of each UPnP device accessing the router, which ports that device opened and what type of port is open and whether that port is still active for each IP address.
- Disabling UPnP: Eero enables UPnP by default, but it can be disabled. The Ubiquiti AmpliFi mesh router has UPnP enabled by default, but it can be disabled. Google Wifi routers enable UPnP by default, but you can disable it. UPnP was abused in Jan. 2019 to play videos on exposed Chromecast devices. This article by Lawrence Abrams has instructions for disabling UPnP on routers from Netgear, Linksys, D-Link, Verizon FIOS, TP-Link, Google Wifi and Eero.
- An example of the router security enemy is the UPnP PortMapper program that can be used to "manage the port mappings (port forwarding) of a UPnP enabled internet gateway device (router) ... Port mappings can be configured using the web administration interface of a router, but using the UPnP PortMapper is much more convenient". Ugh.
- NAT-PMP is very similar to UPnP but most often found on Apple devices. If a router
supports NAT-PMP, check whether it can be disabled. According to Apple, NAT-PMP is included in OS X 10.4 or later, AirPort Extreme and AirPort
Express networking products, AirPort Time Capsule, and Bonjour for Windows.
- Disabling NAT-PMP: How to Turn Off NAT-PMP
on Airport Routers from iOS, How to Turn Off NAT-PMP on Airport
Routers from macOS
- The Pepwave Surf SOHO ships with both UPnP and NAT-PMP disabled. You can verify this in firmware 7.1.2 at the Advanced tab -> Port Forwarding. There are checkboxes for both UPnP and NAT-PMP.
- pfSense supports both UPnP and NAT-PMP but not only does it let you disable
them, it also has some extra security of its own.
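What the GRC test does can also be done by hand. UPnP devices announce themselves with SSDP, a small HTTP-like protocol over UDP port 1900; a client sends an `M-SEARCH` request and anything listening replies with a `200 OK` whose `LOCATION` header points at the device description. The Python below is an added example (not from this site, GRC or any router vendor) that builds that request, sends it to one address and parses the reply. Run it against the router's LAN address to see what it advertises inside; run it from a machine outside your network against your public IP to test WAN exposure, where the correct result is no reply at all. The reply embedded in the script is constructed in the format a MiniUPnPd-based router would use, so the parser can be exercised offline.

```python
# Added example: unicast SSDP (UPnP discovery) probe and reply parser.
# SAMPLE_RESPONSE is constructed for this example, not captured from a real device.
import socket
from typing import Dict, Optional

SSDP_PORT = 1900
SEARCH_TARGET = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"   # what home routers answer to

def build_msearch(host: str, st: str = SEARCH_TARGET, mx: int = 2) -> bytes:
    """SSDP search request. HTTP over UDP: CRLF line endings and a blank line at the end."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        "HOST: %s:%d" % (host, SSDP_PORT),
        'MAN: "ssdp:discover"',
        "MX: %d" % mx,
        "ST: %s" % st,
        "", "",
    ]
    return "\r\n".join(lines).encode("ascii")

def parse_ssdp_response(data: bytes) -> Optional[Dict[str, str]]:
    """Headers of a 200 OK SSDP reply (names lower-cased), or None if it is not one."""
    text = data.decode("ascii", errors="replace")
    head = text.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def verdict(headers: Optional[Dict[str, str]]) -> str:
    if headers is None:
        return "no reply (good, if this was your public IP)"
    return "UPnP answered: server=%s location=%s" % (headers.get("server", "?"),
                                                    headers.get("location", "?"))

def probe(host: str, timeout: float = 3.0) -> Optional[Dict[str, str]]:
    """Send one M-SEARCH to host and return the parsed headers of the first reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_msearch(host), (host, SSDP_PORT))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    return parse_ssdp_response(data)

SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:12345678-1234-1234-1234-123456789abc::urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
    b"SERVER: Linux/4.4 UPnP/1.1 MiniUPnPd/2.1\r\n"
    b"EXT:\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:      # e.g. python3 ssdp_probe.py 192.168.1.1   or your public IP from outside
        print(verdict(probe(sys.argv[1])))
    else:
        print(verdict(parse_ssdp_response(SAMPLE_RESPONSE)))
```

A reply on the LAN side is normal if you have UPnP enabled there. A reply to your public IP from outside means the router is taking UPnP port-mapping requests from the whole Internet, which is the failure the GRC test is looking for.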
- PORT FORWARDING
- Can it be limited by source IP address and/or source IP subnet? The secure answer is yes. For example, both Real VNC and Apple Remote
Desktop listen for incoming connections on TCP port 5900. Without this feature, anyone in the world can connect to these programs on that port.
Bad guys scan the Internet to find devices that are listening on port 5900. With this feature, you can limit who is allowed to talk to the software
on port 5900. The official term for this, I believe, is IP Filtering.
- Can port forwarding be scheduled? If a techie uses Real VNC or Apple Remote Desktop to help a non-techie with their computer, but only does so in
the evening, then this feature lets the forwarding of port 5900 be disabled in the morning, afternoon and late night.
- SETTINGS BACKUP:
Some routers let you manually back up the current settings to a file on your computer. The Pepwave Surf SOHO reminds you to do this when updating the firmware, which is as good a time as any. This may not seem like a security issue, but it can be if a router setting, such as the DNS Servers, was maliciously changed. Even ignoring security, having a backup of the settings can come in handy after a factory reset of the router. Just be aware that the settings file has all the passwords and they may not be well encrypted. (Added as a stand-alone issue Aug 20, 2021)
- FIRMWARE
- Can you be passively notified (typically via email) by either the router or the company that produced it, when there is new firmware?
Peplink does this. See an example from December 2015, announcing firmware version 6.3.
Most routers require you to seek out firmware updates on your own.
- For a new router: does it attempt to update the firmware as part of the initial setup process? Tests run by the Wall Street Journal in early 2016 found that 10 out of 20 routers did not.
- For an existing router: can it automatically update the firmware on its own? If so, see the next topic. While auto-updating may be appropriate for routers owned by non-techies, it is not always a good thing. Personally, I prefer to be in charge. This lets me install bug fix releases fairly quickly but delay new versions/releases.
- How easy is the upgrade process? Better routers can completely
handle a firmware update in the web user interface. Lesser routers force you to download a file, then upload it back to the router. This harder procedure
makes it less likely router owners will update the firmware. Also, being able to handle the update completely in the router web interface, means
that the firmware upgrade can be done by a remote user.
- The new firmware may reset some options. To protect against this, manually backup the current settings, if you can, before updating.
- If there is a function in the web interface to check for new firmware, does it actually work? I can personally attest that many routers do not. David Longenecker writes that "Asus is
notoriously inconsistent at keeping their auto-update servers up to date..." Tests run by the Wall Street Journal in early 2016 found 2 of 20
tested routers incorrectly reported their firmware was up to date.
- Is the firmware downloaded securely? (HTTPS, SFTP or FTPS) There are two parts to this question as the firmware may be downloaded
by the router itself or by you manually from the vendor's website. Good luck answering this question.
- Is new firmware validated before it is installed? Good luck answering this too. If it's not validated then a bad guy or spy agency might be able
to trick you or your router into installing maliciously modified firmware. In Feb. 2014 David Longenecker examined an ASUS RT-AC66R router in detail and found that it used no security at all in checking for, and downloading, new firmware.
- Does the router support multiple installed firmwares? This great feature lets you back out from a firmware update that causes problems and thus eliminates most of the risk that always exists when installing new software. The best company I have seen here is Peplink/Pepwave which lets you
easily reboot into the prior firmware. This can also help if a configuration change causes a problem.
The Linksys EA6200 can also restore a prior version of the firmware.
- SELF-UPDATING FIRMWARE (added Sept 29, 2016, revised Feb 15, 2017)
Routers that automatically update their firmware have their own issues. A list of self-updating routers is on the Resources page.
- Is there an audit log of each firmware update issued by the router vendor? Something along the lines of what Microsoft provides for Windows 10.
- Is there an audit log of each firmware update installed on your router? Only by comparing these two logs can you verify that the auto-update system is
working correctly. Also, if you experience network problems, it is vital to know when the last firmware was installed.
- How often does the router check for updates? Can you control this?
- Can you be notified of firmware updates beforehand? Afterwards? If so, what type of notification?
- If you are notified beforehand, can you schedule the firmware installation and the necessary reboots it entails?
- Even if you are not notified of available updates, can you set a schedule for when installation/reboots are allowed? That is, reboot at 3am but not at 3pm.
- Can you force the router to check for new firmware?
- Can you force the router to update to newly available firmware, or do you have to wait for its regular check-in?
- If you do nothing, how quickly will newly released firmware be installed? Eero promises to
install new firmware "within a few weeks"
- When the router phones home looking for updates does it do so securely with TLS?
- When the router downloads new firmware does it so securely with TLS?
- Is newly downloaded firmware validated in any way, such as being digitally signed?
- Does the router support multiple installed firmwares? (so you can fall back in case an update causes a problem) If not, then can you install old firmware if a new version caused a problem?
- Is there a manual over-ride mechanism for installing new firmware in case the auto-updating system fails?
- Does the vendor document the changes in each firmware update? If so, do they do it well?
- Can you tell what version of the firmware is now running? If it's a multi-device mesh router/system, then the question applies to each device.
- How smart is the auto-updating system? Specifically, can it self-update within the same firmware version, but update when there is a major new firmware release? Synology offers this on their NAS boxes. You can configure the NAS to self-update from version 5.1 to 5.2 to 5.3, but not to automatically update to version 6.
- In a mesh system involving multiple devices, do all the devices update their firmware at same time? If not, how is it handled?
- In a mesh, what happens if one device gets new firmware but another device does not? Can the system run if the three devices are not on the exact same firmware release?
As for answering these questions, someone from Linksys was kind enough to address these issues for their routers in Feb. 2017. I created a new page for
Self Updating Router Firmware and hopefully I can get answers from other router vendors too.
- Can the router block access to a modem by IP address? See my blogs on this, part one and part two. Put another way, does the router
offer outbound firewall rules?
- LOGGING: (revised May 28, 2021)
- Is there a log file (or files)? There should be, and hopefully, the data in the log is reasonably understandable and useful. I find the log created by Asus routers
all but worthless. An old Verizon DSL gateway, the D-Link 2750B, had both a System Log and a Security Log. Peplink routers, such as the Pepwave Surf SOHO have three log files (Event log, AP log and
Firewall log). The D-Link 860L also has three log files: System, Firewall & Security and Router Status.
- Does it log failed logon attempts? Successful logons? Failed logons are obviously good to know about, but so too are successful logons, just in case the person in charge
of the router was not the one who successfully logged in. Hopefully, the logged information includes the source IP address. Peplink routers log both
failed and successful logins to their web interface and the log shows the source IP address.
- Is anything logged when a new device joins the LAN? It would make a great audit trail if the router logged the client MAC address every time a new device joined
the network. As of Firmware 6.3, released in Jan. 2016, Peplink can optionally log each time an IP address is given out by its DHCP server. There is no option, however,
to log the appearance of a new device with a static IP.
- Can it log all Internet access by a single device? In Nov. 2015 it came to light that a Vizio Smart TV was watching you
and phoning home screen shots, even when it was playing video from an external source (think Roku and DVD). This feature lets you keep a close watch on any such
"smart" device. It can be used to track children online. My favorite router company, Peplink, is due to roll out this feature in Firmware version 6.3 by the end of 2015.
- Does it log changes made to the router configuration? Peplink does a poor job of this, their log typically just says "Changes have been applied" with no
indication of what was changed. On the other hand, the D-Link 860L logs nothing at all, not even the fact that something changed. The best I have read about are some
DrayTek routers that create an audit trail/log of all admin access/activity.
- Does it log unsolicited incoming connection attempts? I consider this particularly interesting as it helps to illustrate how dangerous the Internet is and why a
secure router is important. It's one thing to be preached to about how dangerous the Internet is, but quite another to see evidence of computers all over the world trying
to hack into your router. If you see computers from China trying to access certain ports on the router, you can research the ports, try to close them, or forward them
to a non-existing local IP address. This may be asking too much of a router (that is, it may require a next generation firewall or UTM device).
- Do the log files disappear when the router is powered down? If so, it makes it that much harder to spot trends or changes. The logs on the D-Link 860L are wiped
out when it is powered off. This is not true on the Pepwave Surf SOHO.
- EMAIL
Can the router send an email message when something bad happens?
- If so, what types of errors can it email about? At the least, it should be able to send an alert if one of the log files fills up.
- This is particularly useful for multi-WAN routers, that is, routers that are connected to two or more ISPs. When one Internet connection fails, it can use another to send
an alert email. Peplink is great at this.
- Can messages be sent to only one recipient or to many?
- I have not seen a router that can send a text message, but there are services that convert emails into texts.
- DDNS
Not everyone needs DDNS, it is mostly used for remote administration. If you do need it, there are some options to look for.
- Does the router phone home to the DDNS provider using HTTP or HTTPS? Good luck trying to figure this out. The DDNS provider may have a log file that you can check or use this as a test of technical support.
- How many DDNS providers are supported? The more the better. Also good, not being limited to Dyn.
- MONITORING ATTACHED DEVICES
It's nice to know who/what is connected to the router.
- A good router will offer, at a glance, a list of all the attached devices. Having them all shown on one screen makes it easy to spot anything out of the ordinary. This screen shot from a Pepwave Surf SOHO shows that it uses a space-saving single line per attached client.
- Along with this, a great feature to have is the ability to give friendly names (i.e. Susan's iPad, Joe's laptop) to the attached devices. This, too, should make it easier to spot new devices. The name column of the Surf SOHO display of attached clients is editable, allowing you to enter anything that makes sense to you. The Ubiquiti AmpliFi could not do this initially, but a later firmware update added this ability.
- I used to have a router that would only show devices with a DHCP assigned IP address. You never knew about any devices with static IPs, which stinks. In December 2014, Chris Hoffman
wrote "Many routers simply provide a list of devices connected via DHCP". Hopefully this gets phased out over time.
- Internet sessions/sockets: It can be very handy to see all the connections a LAN-resident device has to the Internet. For one, you can verify that a VPN is working the way it is supposed to, that all traffic flows over a single encrypted link to a VPN server. You can also use it to verify that an online banking app really has a secure connection to the bank. And, you can use it to check if a Smart TV is phoning home and reporting on your viewing habits. Among the routers that report on this level of detail are the D-Link DIR860L and my favorite, the Pepwave Surf SOHO.
- The item above refers to connections a device currently has. It would also be helpful if the router could produce an audit trail of every connection made by a single device. This crosses over into the topic of Outbound Firewall rules. (Added Jan 30, 2019)
- Non-security: If the router is creating multiple WiFi networks, it is nice to see which devices are connected to which network. The Pepwave Surf SOHO does this in the "Network name (SSID)" column.
- It's nice to be able to see the signal strength, from the router's perspective, for each attached wireless device.
Peplink routers do this in the "Signal" column.
- Non-security: Another nice monitoring feature is showing the current bandwidth used by each connected device. Peplink routers do
this in the "Download" and "Upload" columns. It defaults to kbps but can be changed to Mbps.
- Bandwidth history. Peplink routers offer a daily bandwidth summary showing total Upload and Download
Megabytes. From the daily summary, you can drill down to an hourly summary. From the
hourly summary, you can drill down to each specific device within that hour.
One thing you can use this for is to check whether Alexa is really sending your conversations back to Amazon. On the whole, Alexa should download a lot
and upload very little. A bandwidth history lets you verify this.
With the threat of ransomware, a bandwidth history becomes all the more important. If a device gets hacked and starts sending all your files/data out to bad guys
it would be great to be alerted to this. That is, to be able to set alerts based on massive uploads. Peplink does not offer this. Judging by the many, many companies that have
had hundreds of gigabytes of data stolen from them, I doubt that even high end routers offer this feature.
- Hiding on the LAN: Here is an oddball case that I ran across. A device may be able to hide from the router, if it only talks to devices on the LAN and
never makes a request out to the Internet. That is, if it only makes use of the switch in the router, but never the higher level functions of the device.
You can test this if you have a printer or a NAS with a static IP address. Reboot your router, then, from a computer on the LAN, send an HTTP request
to the device with the static IP address and get back a web page. Then check the router list of attached devices. Does the router show the
printer/NAS/whatever as being on the network? Maybe not. Yet, it communicated with a device on the LAN.
- Can you disable the file sharing of storage devices plugged into a USB port? This came up in May 2015 with the industry-wide NetUSB flaw. Some routers
let you disable the buggy file sharing, others did not. Netgear, for example, admitted there was no way to disable the flawed file sharing software.
NetUSB was the second file sharing flaw that I am aware of. Asus had a bug here that exposed
files on a USB storage device plugged into the router to the Internet at large.
If you must use a router to share files, then look for one that offers a way to safely
disconnect the USB storage device. At least some Linksys routers have a Safely
Remove Disk button. TRENDnet labels their button Safely Remove USB Device.
And, just for good luck, avoid putting sensitive files on the storage device plugged into the router. My
suggestion, however, is to look for a low end Synology or QNAP NAS device. As of May 2015 the cheapest Synology NAS (model DS115j) is $100 without
a hard drive. QNAP seems to start around $120, also without a hard drive.
- Access to the web interface of a router is typically done via IP address. But dealing with IP addresses may well be too much for non-techies. Thus, to make
things easier (almost always a security issue in the making) for people, some router companies offer fixed names. This lets someone on the LAN get into
the router with http://something.easy rather than http://1.2.3.4. Netgear uses www.routerlogin.com and www.routerlogin.net. TP-LINK
uses tplinklogin.net, Asus uses router.asus.com, Netis uses netis.cc, Edimax uses edimax.setup, Amped Wireless uses
setup.ampedwireless.com, Linksys uses
myrouter.local and linksyssmartwifi.com. According to
RouterCheck.com (the page is
both undated and un-credited) this is a security weakness. Even if you follow the advice offered on this site, and elsewhere, to use a non-standard local
subnet (such as 10.11.12.x) bad guys can still find your router (most likely via CSRF in a malicious web page) using these aliases. In addition, none
of the router vendor documentation indicates that any of these names support HTTPS, which should always be used when logging in to
a router.
- SSID hiding: (added Nov. 11, 2015) Like MAC address filtering, this offers only a small increase in security and comes with a high hassle factor. It was not included here at first, because I had not run across a router that did not offer it. But, there may well be some. Some routers, like those from Google, are focused on ease of use for non-techies and thus throw many features overboard. They, and others, may well omit this feature. Not sure.
- Is the router vulnerable to the Misfortune Cookie flaw? This is not something we can test for ourselves, nor
is there a full list of vulnerable routers anywhere. We need to have the router manufacturer issue a statement. So this is really a test of how the router
vendor handles security issues. Did they post anything on their website? If you ask them, will they intelligently respond? The bugs page on this site links to responses from Actiontec and Peplink that their routers are not vulnerable. I looked for a Netgear
response and could find nothing. ZyXEL patched some of their routers but not others. If a company is not forthright about this flaw, then you know
that they can't be trusted to make a secure product. And, even if they were vulnerable, but issued updated firmware, I would also be concerned as this
means they shipped extremely old software.
- Smartphone apps: (updated Feb. 1, 2019)
Security when administering a router via a web browser is easily understood, but smartphone apps are different.
- Does the app talk directly to the router or does it talk to the hardware vendor?
- If the app works remotely, how?
- What permissions does the app need? Does it ask for more permissions than it needs?
- Can you log out of the app?
- Does the app communicate with Bluetooth or WiFi?
- If the app uses WiFi, is it HTTP or HTTPS? See also, the section above on securing local admin access
- If the app uses Bluetooth, how secure is it? I am not familiar with Bluetooth security. Eero and Luma both use Bluetooth.
- NEW DEVICE NOTIFICATION (updated Sept 20, 2023)
As the administrator of a Local Area Network, I would like to be dinged every time a new device gets onto the network. The ding could be a text message, an email, perhaps even a beep sound. Something, to alert me about a device (really a MAC address) that has not been seen before. There are two ways this might go, either I have to approve the new device before it is allowed access or it is allowed by default, but I am notified and can disable it later.
- If you have a Firewalla device, turn on the "New Device Quarantine" feature. This lets you apply assorted rules to newly detected devices, such as blocking their Internet access. It is also the way to defeat the random MAC addresses used by default in assorted Operating Systems. More: Firewalla: New Device Quarantine Last Updated Sept 19, 2023
- I have read that Gryphon will assign new devices to a Guest user profile and that the Guest profile can be blocked from the Internet. It is also said that their mobile app can ding you about new devices. But, their website has no documentation on this that I could find.
- Eero routers will do this, but it seems to be an option to disable a new device after it has already been on the network, rather than a mandatory approval before being allowed on the network.
- A Fingbox is not a router, it is networking device that you add to your existing network. It can notify you both when devices join and leave the network. New devices can be blocked automatically. Notification is by an alert on a mobile device running the Fingbox app and/or by email. No texts. In the User Guide look for "alerts". For more about Fingbox, see the Add-on Security Devices section of the Resources page.
- A reader comment to this July 2019 review of Disney’s
Circle said that it can block all new devices, by default. Not sure how the notification works.
- The second generation Bitdefender Box says you can "receive notification in smart application when new device connected to your home network and control what that device is allowed to do."
- Luma says that their router "automatically recognizes any new devices in your home, and lets you grant or deny them access with a quick swipe." Again, I have not seen a review that mentioned this feature. A Nov. 2016 article on SmallNetBuilder said "If an unknown device is found on the network, Luma can send a notification through the app, alerting the owner of the unidentified device." The article, however, was a paid ad.
- The Aztech AIR-706P router is managed by the Aztech Smart Network mobile app. According to this Aug 9, 2017 article, it has a Wi-Fi Connect feature that can push a notification to a mobile device when something connects to the router.
- The User's Guide for the Amped Wireless ALLY routers says "ALLY notifies you of important events on your network ... for example when a new device joins your network." It is not clear if this includes previously seen devices logging on again to the network.
- The User Guide for the Norton Core router says it can do this for the Guest Network but its not clear if it can also do it for the main network. The router has been discontinued as of early 2019.
- A company called SkyDog used to offer this feature, but they disappeared in July 2014 when Comcast bought the company.
- RECENT DEVICES (added August 9, 2017)
It would be nice if a router displayed a list of devices that had recently been on the network. This makes it easier to audit for devices that should not be there. Eero and the Norton Core router do this. Peplink sort of does this. Its display of currently attached devices, includes devices that are not currently attached but were recently attached. I think devices are included in the display until the lease on their IP address expires. Peplink can also log to its Event Log every time its DHCP server gives out an IP address. The message includes the MAC address of the new device, so you can audit based on that.
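If your router will not alert you but will log DHCP leases, as Peplink does, you can do the audit yourself over the log. The Python below is an added example (not from this site or any router vendor) that runs the "ding me about a MAC address I have not seen before" check described in the two sections above against a log file, using a list of known devices with friendly names. The log lines and device names are constructed for the example, so the regular expression will need adjusting to your router's wording. It alerts once per unknown MAC (not once per lease renewal) and flags addresses that have the locally-administered bit set, which is how the randomized MAC addresses that current phones and laptops use by default can be told from hardware addresses; the Firewalla note above is about the same problem, since a randomized address is a "new device" every time it changes.

```python
# Added example: audit DHCP lease log lines for devices not on the known list.
# SAMPLE_LOG, KNOWN_DEVICES and the log format are constructed for this example.
import re
from dataclasses import dataclass
from typing import Dict, List

KNOWN_DEVICES: Dict[str, str] = {
    "dc:a6:32:11:22:33": "Susan's iPad",
    "dc:a6:32:44:55:66": "Joe's laptop",
    "00:11:22:33:44:55": "printer (static IP, never appears in the DHCP log)",
}

SAMPLE_LOG = """\
2023-09-20 08:01:12 DHCP: lease 192.168.8.20 to dc:a6:32:11:22:33 (Susans-iPad)
2023-09-20 08:03:45 DHCP: lease 192.168.8.21 to dc:a6:32:44:55:66 (joes-laptop)
2023-09-20 17:22:09 DHCP: lease 192.168.8.57 to d8:3a:dd:01:02:03 (ESP_9F2A1C)
2023-09-20 19:05:33 DHCP: lease 192.168.8.58 to 7a:4c:10:aa:bb:cc (Pixel-7)
2023-09-20 19:05:40 DHCP: lease 192.168.8.58 to 7a:4c:10:aa:bb:cc (Pixel-7)
2023-09-20 19:06:01 firewall: blocked inbound tcp/23 from 198.51.100.7
"""

# Adjust to your router's log wording; the named groups are what the code relies on.
LEASE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) DHCP: lease (?P<ip>\d+\.\d+\.\d+\.\d+) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<host>[^)]*)\))?", re.I)

@dataclass
class Alert:
    ts: str
    mac: str
    ip: str
    hostname: str
    randomized: bool   # locally-administered address, i.e. probably a privacy MAC

def is_locally_administered(mac: str) -> bool:
    """Randomized MACs set bit 1 of the first octet (second hex digit 2, 6, a or e)."""
    return (int(mac.split(":")[0], 16) & 0x02) != 0

def audit_new_devices(log: str, known: Dict[str, str]) -> List[Alert]:
    seen = {k.lower() for k in known}
    alerts: List[Alert] = []
    for line in log.splitlines():
        m = LEASE_RE.match(line)
        if not m:
            continue                      # not a lease line
        mac = m["mac"].lower()
        if mac in seen:
            continue
        seen.add(mac)                     # one alert per unknown MAC, not per renewal
        alerts.append(Alert(m["ts"], mac, m["ip"], m["host"] or "",
                            is_locally_administered(mac)))
    return alerts

def format_alert(a: Alert) -> str:
    kind = "randomized MAC, device identity unknown" if a.randomized else "hardware MAC"
    return "%s NEW DEVICE %s at %s hostname=%r (%s)" % (a.ts, a.mac, a.ip, a.hostname, kind)

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for alert in audit_new_devices(text, KNOWN_DEVICES):
        print(format_alert(alert))
```

Run it from cron against the exported log and mail yourself the output; an empty result is the normal case. Note the limitation the section above mentions: a device with a static IP never asks for a lease, so this audit will not see it.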
- FACTORY RESET (Added Nov 27, 2018)
A factory reset should put the router into a secure state, and it should erase all personal data.
- Is HNAP supported?
The correct answer is no, and on recent routers the answer will be no.
The Home Network Administration Protocol has been the basis for multiple router flaws. In April 2015 it was found to make a number of D-Link routers vulnerable. In Feb 2014 it was used as part of an attack on Linksys routers (see this for more). The Linksys firmware in their classic WRT-54G supported HNAP. In 2010 HNAP was used to hack D-Link routers.
As far as I know, there is no way to disable HNAP.
There are two ways to check for HNAP support. First, ask the router vendor. If nothing else, this can be a great test of technical support. If the company can't or won't answer this question, their routers are best avoided. Peplink, my preferred router vendor, does not support HNAP - I asked them. For a technical test, try to load HTTP://1.2.3.4/HNAP1/ where 1.2.3.4 is the IP address of your router. This works from inside your network using the router's internal IP address. The real danger, however, is from the outside, so have someone try it from the Internet using the public IP address of your router, which you can find at many sites such as ipchicken.com or checkip.dyndns.com. For good luck, also run this test on port 8080, which would look like HTTP://1.2.3.4:8080
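The technical test above, as an added example that is not the page author's or any vendor's code: it requests /HNAP1/ on port 80 and on port 8080 of your own router from inside the LAN and reports whether anything HNAP-like answers. The router IP, the strings treated as HNAP markers and the verdict wording are assumptions.

```python
"""Added example (not the page author's or any vendor's code): probe a router
for an exposed HNAP endpoint by requesting /HNAP1/ on port 80 and on port 8080."""
import urllib.error
import urllib.request

# Text an HNAP GetDeviceSettings reply is assumed to contain; an HNAP
# endpoint answers a plain GET with this XML, which is the whole problem.
HNAP_MARKERS = ("HNAP1", "SOAPActions", "GetDeviceSettingsResponse")

def hnap_urls(router_ip):
    """Both URLs the text says to try: port 80 and, for good luck, 8080."""
    return [f"http://{router_ip}/HNAP1/", f"http://{router_ip}:8080/HNAP1/"]

def http_fetch(url, timeout=5):
    """Return (status, body) for url, or (None, '') if nothing answered."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:      # answered with a 4xx/5xx status
        return err.code, ""
    except (urllib.error.URLError, OSError):   # refused, timed out, no route
        return None, ""

def classify(status, body):
    """Turn one reply into a verdict the router owner can act on."""
    if status is None:
        return "no answer: HNAP not reachable from here"
    if status == 200 and any(m in body for m in HNAP_MARKERS):
        return "HNAP EXPOSED: endpoint answers without authentication"
    if status in (401, 403):
        return "HNAP endpoint present but demands credentials"
    if status == 404:
        return "no HNAP endpoint (404)"
    return f"unexpected reply (HTTP {status}); inspect manually"

def audit_router(router_ip, fetch=http_fetch):
    """Probe both URLs; `fetch` is injectable so the logic runs offline in tests."""
    return {url: classify(*fetch(url)) for url in hnap_urls(router_ip)}

if __name__ == "__main__":
    import sys
    # Run from inside your own LAN, e.g.: python hnap_check.py 192.168.1.1
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    for url, verdict in audit_router(target).items():
        print(f"{url:36} {verdict}")
```

Running it against the router's public IP from outside the network, as the text recommends, is the same script with a different address.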
Rare security features
The FRITZ! line of networking devices, from the German company AVM, has a couple of rare security features. Changing some settings (I could not find exactly which ones) in the FRITZ!Box line of devices requires additional confirmation, as described in their KB item: Extra confirmation to configure certain functions. The options for this extra confirmation vary depending on whether the change is being made locally or remotely.
- One option is a standard two-factor authentication (2FA) authenticator app. As far as I know, they are the only router vendor offering this feature. This is great as it lets you make remote configuration changes to the router, but also prevents a bad guy who knows the password from changing things.
- Another option is to confirm the changes by pressing a button on the device. This ensures that a change is being made by a human being who is physically at the router.
I don't know if any other routers offer this option.
- Some of their routers also support telephony, so there is also an option to make a phone call to confirm any configuration changes.
(added March 2024, updated June 2024)
The Asus ROG Rapture GT-AC5300 can use Amazon Alexa voice commands to turn on the Guest network and/or pause the Internet. It can also use IFTTT to send an email when a specific device gets on the network. (source).
VPNs and Tor: a router that can function as a VPN server lets you connect to it securely when traveling. To me, no big deal. A router that can function as a VPN or Tor client can provide some security to multiple devices, even those that are unable to use a VPN or Tor on their own. The Resources page has a list of routers that can function as VPN and/or Tor clients.
The lifespan of a router is like that of a banana, but the real problem is that it does not turn brown when it goes bad. Router manufacturers, as a rule, are not up-front and honest about how long their devices will be updated with security patches. If you look for new firmware and see the latest release was 2 years ago, does that mean the router has been abandoned (probably), or have there simply been no bugs in the last two years (unlikely)? In November 2018 the German government released router security guidelines, and the big gripe was that they said nothing about this.
The Portal router, which is expected to start shipping late Summer 2016, has an unusual take on Guest networks. Exactly what it is, however, is not clear from their documentation, which says: "You never need to give out your network password, and your guests never need to remember it. Granting Guest Access is done using the Portal App, which uses Facebook credentials or email addresses. Guest Access is time and distance controlled, making it very secure. Whenever a device that has been granted Guest Access is within range of your network, Portal automatically creates a guest network with random SSID and credentials. This information is securely exchanged over Bluetooth. When the guest device leaves your network, Portal deletes the guest network and credentials." Sounds interesting, I hope to fully understand it someday.
This may be asking too much, as I have not run across it anywhere: the ability to modify the Ethernet MAC address that is used as the base of WiFi networks. This would allow a router of brand X to masquerade as brand Y. This is a common feature, but I have only seen it apply to the WAN port. It exists because some ISPs use the MAC address as part of their security. I would also like it on the LAN WiFi side of things.
Germany
October 24, 2015: The German government, concerned about poorly secured routers, is considering a security rating system for routers. Using a checklist somewhat analogous to this one, routers will be given points for features that increase security. See German Govt mulls security standards for SOHOpeless routers. Three years later (November 2018), they released some security guidelines. See Germany proposes router security guidelines by Catalin Cimpanu of ZDNet and Germany pushes router security rules, OpenWRT and CCC push back by Richard Chirgwin of The Register.
Question
Many routers are sold as a set of devices, commonly referred to as a mesh. Examples are Google Wi-Fi, Netgear Orbi, Eero, Ubiquiti AmpliFi. This raises a question for which I have no answer: how is the communication between the two or three devices in a router system protected? As a rule, the main router controls firmware updates on the satellite devices. How? Securely?
Some non-security features to look for
Wake-on-LAN. It's not a security issue, but it is nice to have. Grandma's out at a movie? Log in to her router, turn on her computer remotely, install bug fixes for her and then turn it off :-) Asus routers have done this for a long time. Peplink introduced WOL in firmware version 6.3 in December 2015.
Kick the kids off the Internet at bedtime. This can be done a few ways. Perhaps the best approach is to have a dedicated network/SSID for the kids to use, keeping the passwords for other WiFi networks a secret from the children. Then a router with scheduling ability can disable the kiddy network at bedtime. This can also be done using a single network/SSID, but then you have to deal with identifying individual devices either by their MAC address or their IP address. This takes a bit more technical skill, is a bit more of a hassle to set up and maintain, and requires that a specific device is always used by the same person.
Speed tests: Some routers can run their own speed tests. Really knowing how fast your Internet connection is requires an Ethernet-connected device plugged directly into the modem, with no router at all. But a router running its own tests should be good enough.
Current bandwidth: If the Internet seems slow, it can be helpful if the router shows the current bandwidth being used by each attached device. While some can do this, you have a great router if the list of attached devices can be sorted to show those using the most bandwidth at the top. Peplink routers do this.
CPU usage: It can be helpful to see CPU usage as it lets you gauge when it's time for a new router. Check it at times when your router is the busiest and/or when streaming a video or two.
I prefer external antennas to internal ones as they are more flexible. I also prefer removable external antennas as they can be replaced if broken. They can also be upgraded should the need arise.
Ethernet lights: When things go wrong, it can be handy to have Ethernet status lights. There are two aspects to this. The main body of some routers has indicator lights for each LAN side Ethernet port. I prefer this; the more information provided, the better. Also, the Ethernet port itself may have two lights, indicating the link status/speed and activity. The lights on the Ethernet port often indicate the link speed (normally 100Mbps or 1,000Mbps) and, when blinking, that data is being transmitted. Plus, just their being on at all tells you something about the link.
Some routers have done away with the lights on top/front and/or the lights on the Ethernet ports. For example, the TP-LINK Archer D9 has a single Ethernet light on the front - beats me how it indicates the status of multiple Ethernet ports. Still, it is a step up from the $300 D-Link DIR 890L/R, released in February 2015, that has no Ethernet lights at all on the top. The Amped Wireless RTA1750 is unusual in that its Ethernet status lights on the front are all white. And, if you don't like them, there is a switch that turns them all off. The Asus RT-AC68U also has a button to turn off all the lights. I read that the upcoming Synology RT1900ac router (scheduled to be released some time in 2016) will let you schedule the status lights. Thus, you could have them on during the day, but off at night.
Context sensitive help. That is, rather than having to refer to a separate monolithic manual that may or may not be kept in sync with the firmware, it is best to have help directly available in the web interface (assuming there is a web interface).
Documentation: Find the User Guide for the router. Look at the first two pages. Is there a date that the manual was written? Does it show the version/release the manual applies to? Is there a Last Update date? This offers a glimpse into the professionalism of the company that made the router. If the manuals are missing basic information, such as a date and version number, the company is running a second-class amateur operation. Another give-away is the failure to update the User Guide to reflect changes in the firmware.
Apple fails this test. The latest setup guide that I could find for the AirPort Extreme router has no date and no version number. A check in June 2015 for AirPort manuals turned up no manuals from 2014 or 2015. The AirPort Extreme manual was from June 2013, the AirPort Express was from June 2012. Worse still, the only manuals Apple offers are short Setup Guides. They don't have a long User Guide.
Website blocking is arguably a security feature, but an optional one. In the old days, some routers would only block HTTP access to the site, but not block HTTPS. And, if you use this feature, you also need to be able to carve out exceptions which may mean learning the MAC address of privileged devices or giving them a static IP address or using DHCP reservations. And, if a router blocks sites by name, then chances are that direct IP address reference to the website will not be blocked. So, I left it out of the checklist above.