Router Security | New Router |
Website by Michael Horowitz |
Every set of instructions I have seen from a router manufacturer says to start the new router setup by plugging it into the Internet. I strongly disagree. My secure scheme, detailed below, proposes making some initial changes with the router off-line, then going on-line, but only to update the firmware. But the on-line connection should be via the WAN/Internet port of the new router connected to a LAN port of an existing router. After the firmware is updated, take the router off-line again and make the rest of the changes. Finally, scan the WAN side of the new router looking for open TCP and UDP ports. This final scan is best done with new router, again, connected to another router. For extra credit, monitor the new router with no one using it, to see if it phones home.
2016 saw a new wrinkle regarding setting up a new router - routers that have to be online to be configured. Prior to 2016, the only router I knew of that worked this was the ZyXEL Armor Z1 router - it did not let you access the routers' administrative interface without an Internet connection. Now, most of the new mesh router systems are paperweights, if they are not connected to the Internet. This was first true of the old Google OnHub line which could not be accessed, even locally, unless they were connected to the Internet. I believe the same is true of Eero and Luma. It is certainly true of the Norton by Symantec Core Router. Two mesh router systems that do allow off-line access are the Netgear Orbi and the Ubiquiti AmpliFi.
I much prefer a router that allows off-line configuration. For one thing, if the hardware manufacturer goes out of business, or abandons an old product line, the router does not become a paperweight. Also, you can never be sure what data is being collected by the hardware manufacturer.
Before ever going on-line, I would make these changes.
I would not make all the changes suggested elsewhere on this site initially, because there is a chance that new firmware may modify or wipe out your changes.
Almost always, a new router is running old firmware (the operating system in the router is referred to as firmware). Some routers can update their firmware on their own, perhaps on-demand, perhaps not. Most routers allow you to manually update the firmware. To get the firmware for a manual update, it can either be obtained by the router itself, or you can manually download it to a computer of yours (preferably not using the new router).
If the router only self-updates then there is no choice; it has to be put on-line. More about doing this safely below.
If the router allows for manual updating, it is best to download the new firmware from the hardware manufacturer's website to a computer of yours and then point the router to the file you downloaded. This is the preferred method because it updates the router to the latest firmware before putting it on-line.
A router may also be able to update itself just via its user interface without your having to download a file to your computer. The danger here is putting the router on-line while it is running older firmware.
The safest way to do this is to plug the WAN port of the new router into a LAN port on an existing router. The new router will be seen by the existing router as just another device and it will be assigned an IP address on the LAN of the existing routers. This puts the firewall of the existing router in front of the new router, while it lets the new router download updated firmware.
This plan has one potential problem however: IP address conflicts. If the existing router is, for example, 192.168.1.1 and the new router also defaults to the same IP address, bad things may happen if the new router is plugged into the old one. We really want each router to use different IP subnets. That is, if both routers are using 192.168.1.x, then modify the new router to use 192.168.2.x before connecting it to the existing router. Changing the default IP address of any new router, is something that should be done anyway.
Once the new router WAN port is plugged into a LAN port on the existing router, then you can access its web interface either from a device connected to the new router (preferable) or from a device connected to the existing router (eh). If doing so from a device connected to the existing router, then your access to the new router is Remote and the new router will have to be enabled for Remote Administration (most are not, out of the box).
The procedure for updating firmware varies drastically, so I can not offer any step-by-step advice. Whatever the procedure, experience has taught me not to trust it. Even if it says that the latest and greatest firmware is installed, I suggest verifying this manually at the website of the router manufacturer.
Be aware that you may need to update the firmware more than once. For example, a router running firmware version 5 may not be able to directly update to version 7; it may have to first update to version 6, then version 7.
If the latest firmware is two years old, or older, then the router may no longer be getting bug fixes. If you can, return it. At the least, check the hardware manufacturer's website to see if it is considered End Of Life (EOL). This is the techie term for not getting any more bug fixes.
After the firmware is brought up to date, take the router off-line (unplug it from the existing router) and make the changes suggested elsewhere on this site. My experience has been that it is faster, easier and more reliable to make these changes from an Ethernet connected computer (plugged into one of the new router LAN ports) rather than WiFi.
While doing the initial configuration, it would be good to save the serial number.
When it comes to routers, there are two very different types of ports; one is hardware, one is a networking concept. The hardware ports are Ethernet WAN and LAN (Local Area Network). There is a single WAN port and it connects the router to the Internet, typically to a modem of some type. There are usually either one or four Ethernet LAN ports. You connect your non-Wi-Fi devices to any of these LAN ports.
LAN ports are usually very reliable, still, before putting a new router into full time use, you might want to check that they all work. If one is bad, it is best to know immediately. Don't ask why I make this suggestion.
Testing a LAN port while the router is on-line, is easy. If you can access the Internet, all is well. To test while the router is off-line, you need to know the LAN-side IP address of the router. Then, open a command prompt and try to ping the router using this command: "ping 1.2.3.4" where 1.2.3.4 is the LAN-side IP address of the router. This should work fine. Then plug into each of the other LAN ports and do the same Ping command. Wait 5-10 seconds after plugging into the LAN port before doing the Ping. On a Chromebook, first disable the WiFi. ChromeOS tells you if it has connected to the router via the Ethernet port.
As for the network related meaning of the word "port" ...
The concept of a "port" is fundamental to computer networking with TCP/IP (which underlies the Internet). It can be explained with an analogy: a computer is like an apartment building and a port is a specific apartment. Any computer can carry on multiple conversations on the Internet at the same time. For example, it can be doing messaging, web browsing and email at the same time. The way the computer keeps track of these separate connections is ports. The messaging software uses one port, the web browser uses another (probably a few) and the email program is using yet another port. In fact, when two computers communicate, they do not do it building to building, they do it apartment to apartment.
In the old days, ports could either be open or closed. Now, they can be more than just closed, they can also be stealth-ed. A closed port tells you that it is closed. A stealthed port tells you nothing.
An open port accepts unsolicited incoming data. Usually, this data traffic is a connection request to start a conversation between the computer with the open port and some other computer.
As a rule, only server computers need open ports. The computer hosting this website, for example, needs to have port 80 open to accept HTTP requests and port 443 open to accept secure HTTPS requests. The computer/tablet/smartphone that you use, is not a server, so it does not need any open ports. Likewise, a secure router will have no open ports.
There are two basic methods for sending data on the Internet, TCP and UDP. TCP is slow and reliable, UDP is fast and unreliable. Web pages use TCP, DNS requests use UDP. There are just over 65,500 ports, and each one can be used with either TCP or UDP or both. So, while millions of websites accept HTTPS requests on port 443 using TCP, they do not accept requests on port 443 using UDP. Testing for open ports is usually only done with TCP, but a complete test would involve both TCP and UDP.
Time and time again, we have seen routers exploited via open ports. The firewall in a router should block all unsolicited incoming connection attempts. Very often ISPs will leave a port open (that is, poke a hole in the firewall) to allow themselves easy access into the router. At the end of August 2017 we learned that some AT&T U-verse gateways (combination modem/router) had two open ports. This is one reason to avoid the router offered by an ISP.
There are two sides to a router; for simplicity I will refer to them as the inside and the outside. The outside part of a router faces the Internet. Physically, it is a single Ethernet port, normally labeled WAN. The inside part of a router communicates with all your devices. The wired inside component is represented by Ethernet LAN ports. Single device routers normally have 4 LAN ports, mesh routers often have just a single Ethernet LAN port. The Wi-Fi networks created by a router are also part of the inside half.
We can test the firewall on the inside half of a router at any time. But, the best time to test the firewall on the outside/external half is before connecting a new router to the Internet where bad guys can get at it. This lets us close, or at least try to close, any open ports.
There are assorted online router tests listed on the Test Your Router page, but they are all flawed, in that they only test a small percentage of the (roughly) 131,000 available ports (65,500 for TCP and 65,500 for UDP). They limit themselves to the popular or commonly used ports. It is far safer to test all 131,000 ports before putting a new router into service. Realistically, this can only be done off-line.
By this I mean connecting the WAN (Internet) port of the new router to a LAN port of an existing router. This lets us scan the external/outside/Internet/WAN interface of the new router from any device connected to the old/existing router.
The classic utility for testing ports is nmap which comes in a GUI version called Zenmap that runs on Linux, Windows, Mac OS X (now macOS), BSD and more. I am no expert on nmap, but here are some basics.
As a first step, start with the command below to get your feet wet.
nmap 1.2.3.4
This scans the device at IP address 1.2.3.4 for TCP ports 1 through 1,000. It should run fairly quickly. The result should be something like "All 1000 scanned ports on 1.2.3.4 are filtered." Filtered is good. Needless to say, replace 1.2.3.4 with the IP address of your router.
Then run the two nmap commands below.
nmap -p- 1.2.3.4 This scans every TCP port (roughly 65,500)
nmap -sU -p- 1.2.3.4 This scans all UDP ports (also 65,500 or so), and may take a long time
One reason a port might be open on the WAN side of a router is if Remote Administration has been enabled. Enabling Remote Administration lowers the security of the router. If the router came from an ISP, they may well have left a port open so that they can get into the router. That would be really bad security.
If you find an open WAN port, try the command below to learn more about it. In the command, 99 represents the open port number. Then, contact the company that made the router about how to close the port.
nmap -p 99 -sV 1.2.3.4
There may be another way to do this nmap scanning - connecting the WAN port of the new router to the Ethernet port of a computer with nmap installed. I have not tried this. One problem will be IP addresses; the WAN port will likely expect to be given an IP address by a DHCP server that no one has running on their computers. So, you would first have to connect to the router the normal way (via Wi-Fi or a LAN port) and then configure the WAN interface with a static IP address that is in the same subnet as the computer.
Scanning the WAN port of a new router is better than not scanning it, but a perfect score does not necessarily indicate perfection. A router may detect the port scan and go into a defensive posture. So, even after running a full port scan, when you first put a new router online, run the port scanners on the Test Your Router page.
Finally, we can never be sure that a router will not respond to unsolicited input from the Internet because of port knocking. This is a secret handshake that opens a port that is normally closed. For example, suppose a bad guy tries to connect to port 100, then tries to connect to port 200, then port 300. While each connection attempt is blocked, the sequence of operations is the secret handshake that opens port 301 for a couple minutes. Then, port 301 closes, to hide this secret activity.
Spies have the upper hand in this game. As best we can, we need to try to get router firmware from a trusted source. Perhaps a company, like Turris, that is selling security as a feature. Perhaps open source firmware, assuming the source can, somehow, be verified.
Before putting a router into production is a good time to test the security of its Guest network(s). The Security Checklist page has a long list of things to look for to make a Guest Network as secure as possible. Sadly, the latest mesh router systems offer very few, if any, configuration options for Guest networks.
For guest networks, most of the security is focused on isolation. The networks are used by untrusted people and/or untrusted IoT devices. The goal is to give Guest devices Internet access, period. That is, Guest devices should not be able to see or interact with anything else connected to the router. Specifically, test if a Guest user
Also, test any non-isolation options offered by the router. For example, if a Guest network is supposed to be active for only 3 hours, make sure the router really does disable it after 3 hours.
A simple way to test if two devices can communicate is a Ping command. I prefer, however, LAN scanning software such as Fing by Overlook or Wireless Network Watcher by Nir Sofer (Windows only). Despite the name, Wireless Network Watcher also scans for wired devices. A section of the Pepwave Surf SOHO page is devoted to securing its Guest networks.
Some mobile phones are configured to automatically connect to open (no password) Wi-Fi networks. This is not secure. So, while a new router is online via an older existing router, create a open Wi-Fi network on the new router. Then test your mobile phone, and those of friends and family, to make sure they do not automatically connect to this open network.
Only activate the open network while testing and when you're done, either delete the network or convert it to WPA2 with a long password.
The final step, before putting the router into production, is checking to see if the new router is spying on you.
Routers, like any computer, can both send and receive data. Testing for open ports only addresses the issue of the router receiving data. But what of it sending data? Is it phoning home?
This is the best time to audit the new router to see what data, if any, it is sending and to whom. As before, connect the WAN port of the new router to a LAN port of an existing router and connect nothing to the new router. Then, use the existing router to log any data that the new router sends to anyone.
Of course, many routers can't log the activity of a specific connected device. My favorite router, the Pepwave Surf SOHO is halfway on this. It can log every outgoing connection the new router makes, but can not log the data it sends.
Using one Surf SOHO to monitor another, I found that the router makes a few outgoing connections every 30 minutes. All of these connections are to learn the time of day. Specifically, they all are UDP connections to port 123, which is used by the time synchronization service NTP. Other routers that I have looked at are much more chatty. Again, this is with nothing connected to the new router.