Tips on securing Home Router !
It is very important to pay attention to the home router as compromise of our home router will lead to compromise of our home computer / laptop and even mobile phone (if it is connected via wireless to the router). Compromise leads to leakage of data, stealing of information, creation of backdoor in our computer and much more.
We provide attention to our office workstation which is anyway protected by the various mechanisms (like perimeter firewall, IDS/IDP, Centralised Antivirus solution, end point security solution)by our organisation in addition to policies and procedures that we have to abide with. However we do not pay the same kind of attention to our home environment because either we neglect it or we think that information on our personal computer is not that crucial or confidential. However we tend to forget that we do online shopping, online banking, using email accounts, use social media accounts as they are important part of our day to day work. Such compromise leads to financial losses as well as loss of reputation. Hence we should pay attention to it.
The first thing that the outsider, hacker, cyber criminal encounters (from the internet) is our router and hence it is our first line of defence.Therefore one must make sure that it is not vulnerable and should not be a sitting duck on internet.
Hence, we must secure the home router. Let us see how to secure home router,
Change the Default Settings : When we buy router, the vendor provides us the router with default settings. One can say that it is pre-configured for certain parameters like default SSID, default login password, default IP address and such other parameters. These default settings for most of the product vendor is well known to bad actors as they keep the database of default settings for various vendors available with them and is also available online on numerous websites. Therefore it is extremely dangerous to keep the default settings as it is. Make sure that you change those default setings are changed when you connect your router to the network for the first time. Do not use it unless and until you change those settings.
2. Disable Remote Administration : To ensure more features and facilities to the customer (end user), the routers are equipped with remote Administration/ Management capabilities. However this could be a big issue if an outsider is able to login to the interface (using methods like Default password, Brute force password, Easily guessed password) then he can change parameters such as DNS Server settings (that can divert you to malware infected websites) or may change wireless encryption from WPA to WEP, thereby weakening the encrypted communication and steal the data via MiTM attacks.Therefore make sure that "Enable Remote Management" is unchecked.
3. Enable Firewall : Most of the routers have inbuilt firewall feature that can restrict the inbound and outbound traffic through the router thereby making sure that your computer will remain secure. Hence make sure that the firewall is enabled on your router and is configured properly. You can even block specific traffic used by your other family members (such as torrents and Peer-to-Peer traffic that may be used to download illegal contents).
4. Disable SSID broadcast : The access point also known ass AP on the wireless network announce itself to the network about its presence so that the wireless client can connect to it (AP is built-in the router).Though this is helpful feature but the bad actors can find it easily and even your neighbours can find it and try to connect to it for free internet (of course if they can authenticate to it). Many War-drivers can find your broadcasted SSID as well that can be later used for some nefarious purpose.Therefore it is always a good idea to hide your SSID. That way nobody can casually find out your wireless network (eventually router). This is of course act like a deterrent and not a actual security solution.
5. MAC address Filtering : This feature helps the router to allow only those nodes to connect to the router whose MAC (Media Access Control) address (which is unique to every network card on your computer/laptop/Device) is part of white-listing. This means that you configure only those mac address in your router white-listing for which you have control and want to connect via your router and get connected to internet.You can find out your arp address easily 9 it may be mentioned on your device/accessory, ifconfig (Linux), ipconfig/all or getmac (Windows), ifconfig (OS-X)).
6. Allocate limited IP address : In the home router one can setup a DHCP server so that the router (with a built-in DHCP server), can allocate only limited number of IP addresses to the clients/nodes that are connecting
to the router. Keep this number of IPs exactly matching to the number of client/nodes that you are having/using. Also make sure that the DHCP lease time is kept to maximum possible/allowed value so that the ip address will remain mapped to the mac address. Also make sure that the DHCP reservation is enabled and configured so that only particular mac address (of a device) will get a particular IP address from the range allocated by the DHCP server.
7. Disable WPS : WPS (WiFi Protected Setup), is designed for easy to add new devices to an existing network without entering long passwords.There are multiple approaches to network setup within WPS and they are push-button, PIN, and NFC. You can find the WPS pin printed on the router itself. However it is found that the WPS configuration is vulnerable to both online brute-force attack as well as offline brute-force attacks (also known as pixie-dust attack). Hence it is a good idea to disable WPS configuration feature on the router.
8. Keep Firmware updated : Just like your computer's OS, the router does have its own system that is designed to route the traffic from one network to another. There are also applications running on router that supports features like an inbuilt web server for remote GUI operations. However this tends to have vulnerabilities that gets exploited as and when found over a period of time.If these vulnerabilities are exploited than your computer is also at risk of being compromised in more than one way. The vendors of the router keep on providing patches / fixes whenever a new vulnerability is found in their product. Hence make sure that you apply those patches as and when made available by the vendor so as to keep the risk at bay.
9. Disable Port Forwarding : Port forwarding is a feature available in NAT (Network Address Translation) so that traffic can be forwarded from a port of one network to port on another network. This feature is used generally in home router so that an outsider who wants to access particular application/service of an inside computer (home computer), can reach it by accessing the external ip/internet ip/real ip . Here the port traffic from external ip is routed to a port of internal home computer. However, if the port forwarding feature remains available it provides extra point of attack on your home computer. Therefore if such service is not required or if the job is done then make sure that port forwarding is disabled.
10. Disconnect router if not in use : Once you finished using internet or network, it is always a good idea to disconnect/switch-off the router so that it A) is not accessible from internet B) The WiFi is not accessible for any kind of attacks. Remember WiFi is very much prone to various kind of attacks and can be used further to compromise the computers connected to the routers via WiFi connection.
11. Enable brute-force protection : This feature is available on new routers and may not be available on older routers(depends). Hackers, to get access to your router, try brute-force attack so that they can find out password of your router. This brute-force attack can be executed against various servers/services on the router. These services could be http,ftp, telnet etc... Hence make sure that you have enabled the option for brute-force protection on the router.
12. Use WPA for secure wireless communication : Most of us are aware that WEP (Wireless Equivalent Privacy) is already broken and even the ISP technician who comes to your home to connect/configure the router, suggest you to use WPA when you use WiFi network. It is a well known fact that WEP can be broken in a matter of few minutes and therefore should not be used. The other option that is available for secure wifi communication is use of WPA/WPA2 ( Wi-Fi Protected Access) as it is more secure as compared to WEP.
13. Use WPA3 compatible routers (new routers) : Though we have said (just now) that one should use WPA/WPA2, however the fact is WPA is also broken and if sufficient time is given, WPA can be broken. Now what could be a better or secure option ? . This option is made available with the WPA3 which is hack proof (as of now). WPA3 adds new features to simplify Wi-Fi security, enable more robust authentication, deliver increased cryptographic strength for highly sensitive data, and maintain resiliency of mission critical networks.However this feature is available only in new routers and they are stamped as Wi-Fi CERTIFIED WPA3™ .
14. Turn Off UPnP : It is universal plug and play feature that is used to let devices on your network configure itself on an internal network. A malware ot trojan on the inside network may use this feature to open backdoor in your router’s firewall and allow outsiders (that is people on internet) to enter your inside network. Hence it is advisable to turn off UPnP feature if feasible. On the router configuration menu, there is option to Enable or Disable UPnP feature. Just disable it.
15. Avoid using ISP provided DNS server settings : It is always a good idea to trust well known, publicly available DNS servers, just like Google DNS server (22.214.171.124) and Quad9 (126.96.36.199) rather than using your ISP's DNS server as they may not be properly configured or properly secured. This I can say because not all the small ISP's can have specific expertise to handle a particular issue in hand , here it is securing DNS server. This does not mean in any way that the ISP's don't pay attention to such issues. This is just as a part of precautionary measure.
16. Turn Off unnecessary services : As more services are available,there is more attack surface exposed. Therefore the way we disable unnecessary services on our operating systems, we should apply the same principal to router as well. Services like Telnet, SNMP, SSH should be turned off and only one port/service should be made available to access the interface of the router.
17. Verify your router settings and security : Test your routers accessibility from the internet using websites like censys.io that provides you information such as whether your router has publicly accessible services that can be accessed via internet or may use tools like nmap to find out open ports on the real ip side of the router.