Any Tips for Security Home Wi-Fi Router?

Corrine (Administrator, Microsoft MVP, Security Analyst, Staff member; Joined Feb 22, 2012; Posts 12,393; Location Upstate, NY)
I just finished reading an article where a SWAT team raided the wrong house due to an open WiFi network. The actual target was another house on the same street.

With the police empowered to act as they did in the situation of the article, I thought it would be helpful to our members if the "Networking Experts" would share some tips on securing their Wi-Fi router.

~~~~~~~~~~~~~~

(For those interested: SWAT team throws flashbangs, raids wrong home due to open WiFi network)
 
It is risky to leave your wireless network unprotected, especially if you have critical information (financial, credit cards, bank accounts, etc.) stored on your home computers. If you live in a location that’s not very crowded you may opt not to encrypt your network, or go for a low level of network security if you wish, or none... Personally, it is still best to secure your network whether you live in a busy location or not. How about those network devices (computers and gaming consoles) that don’t support WPA2? This can be a big issue; it will be smart to buy new wireless network adapters for those devices that don't support WPA2 so that they can handshake with your router and utilize the highest network security.

Definitely use WPA2 for your wireless network. Both WEP and WPA have been hacked, and it will only take minutes to hours to do this. WPA2 can also be hacked, but it takes longer: days or weeks for someone to get into your network. If you have an older wireless router that doesn’t support WPA2, you should consider replacing it, since routers have now become very affordable.

Also, it’s always best to use complex passphrases. Tips for creating strong passwords and passphrases:
http://windows.microsoft.com/en-us/windows7/Tips-for-creating-strong-passwords-and-passphrases

Modern routers also support a Guest Network: you may create a separate SSID (wireless network name) or multiple SSIDs for your guests. Make sure that you do not enable LAN access in your router’s settings, to prevent your guests from accessing your network files.

For homes and small businesses, it is best to invest in, if you can afford it, a security device (in addition to your router’s security features), e.g. SonicWall or Fortinet. It will be worth every penny and will protect your investments; rest assured that your network will be protected.

Hope this helps. This is my honest opinion on securing your wireless networks; others may have different feedback. :smile9:
 
In addition to 2xg's advice, users should also use wireless MAC address filtering to restrict which devices can connect to the router.

Remove any checkmarks for responding to WAN pings, especially with UPnP in mind, as it can allow an attacker to map your internal network.

If you have the benefit of a RADIUS server on your network, enhance your encryption level to WPA2 Enterprise and use it to authenticate users before they connect to the network, using either a username and password or digital certificates. Digital certificates can be used to authenticate routers as well, so no rogues get onto the network, although these functions are usually found on UTMs such as SonicWall, Cisco and Fortinet hardware security devices, not home routers.

These UTMs also provide anti-virus, anti-spyware, IPS and DNS binding, MAC address spoofing and ARP poisoning protection.

UPnP is not supported at all by default.

NetBIOS requests should not be allowed from the internet either; this is another way to open up your network to be mapped and used for an attack.

Reverse DNS should not be allowed, as this is used to retrieve machine names.

Another advantage of the UTM is that they have highly configurable firewalls and NAT, so restricting services is easy: you only allow the necessary services through the firewall and discard or deny everything else.

You can drill down the rules to suit.

Now, home routers do not have the advanced features of the UTMs, so restricting certain services that come in from the internet will be difficult unless you are proficient in using the router's command line, which can be a minefield.

Wi-fi is just one component.

ShieldsUP is a good site for testing what services and ports are listening on the router and computers.
https://www.grc.com/x/ne.dll?bh0bkyd2

Hope this helps.

Edit: Never disable or turn off any security features on the router, especially the firewall, as this will reduce your security significantly.
 
One last thing that you can do with most modern routers... Uncheck the option to "Broadcast SSID"... If the SSID isn't broadcast, then the network will not be "seen" by most devices. Anyone trying to connect to the network will need to enter the router's SSID as well as the passphrase.

Also, if you live in a densely populated area, it may be a good idea to change the passphrase occasionally...
 
It is risky to leave your wireless network unprotected, especially if you have critical information (financial, credit cards, bank accounts, etc.) stored on your home computers. If you live in a location that’s not very crowded you may opt not to encrypt your network, or go for a low level of network security if you wish, or none... Personally, it is still best to secure your network whether you live in a busy location or not. How about those network devices (computers and gaming consoles) that don’t support WPA2? This can be a big issue; it will be smart to buy new wireless network adapters for those devices that don't support WPA2 so that they can handshake with your router and utilize the highest network security.

Definitely use WPA2 for your wireless network. Both WEP and WPA have been hacked, and it will only take minutes to hours to do this. WPA2 can also be hacked, but it takes longer: days or weeks for someone to get into your network. If you have an older wireless router that doesn’t support WPA2, you should consider replacing it, since routers have now become very affordable.

Also, it’s always best to use complex passphrases. Tips for creating strong passwords and passphrases:
Tips for creating strong passwords and passphrases

Modern routers also support a Guest Network: you may create a separate SSID (wireless network name) or multiple SSIDs for your guests. Make sure that you do not enable LAN access in your router’s settings, to prevent your guests from accessing your network files.

For homes and small businesses, it is best to invest in, if you can afford it, a security device (in addition to your router’s security features), e.g. SonicWall or Fortinet. It will be worth every penny and will protect your investments; rest assured that your network will be protected.

Hope this helps. This is my honest opinion on securing your wireless networks; others may have different feedback. :smile9:

I've been brought to this thread from a spam post lol, but not necessarily; WPA2 can be cracked in a mere few minutes actually. Rainbow tables will make sure of that. If you're doing anything that requires some level of privacy for your own safety and security, use a wired network connection via LAN. Don't use WiFi, period, in my opinion. The kind of security has been proven to hardly matter that much; some routers enable extra safeguards I believe, but I still don't do any banking on my WiFi.

If more people had any idea lol... :grin1:

UPnP is not supported at all by default.

What do you mean? For a router? Mine was configured with UPnP enabled when I first hooked it up, from what I can remember. Unless you mean something different... I was port forwarding my web server storage device connected to a personal cloud service automatically with UPnP a few months back I believe, but I didn't have to enable it manually.

One last thing that you can do with most modern routers... Uncheck the option to "Broadcast SSID"... If the SSID isn't broadcast, then the network will not be "seen" by most devices. Anyone trying to connect to the network will need to enter the router's SSID as well as the passphrase.

Also, if you live in a densely populated area, it may be a good idea to change the passphrase occasionally...

"Most" is a critical keyword here :)
 
What do you mean? For a router? Mine was configured with UPnP enabled when I first hooked it up, from what I can remember. Unless you mean something different... I was port forwarding my web server storage device connected to a personal cloud service automatically with UPnP a few months back I believe, but I didn't have to enable it manually.

You have a SonicWall, Fortinet or similar UTM?
 
What do you mean? For a router? Mine was configured with UPnP enabled when I first hooked it up, from what I can remember. Unless you mean something different... I was port forwarding my web server storage device connected to a personal cloud service automatically with UPnP a few months back I believe, but I didn't have to enable it manually.

You have a SonicWall, Fortinet or similar UTM?

Not that I know of? lol, I was just curious as to what you meant. I have a brand new gigabit Netgear, and I swapped out my Cat5 with a Cat6 shielded line a few months ago. You're the networking expert; it's not my thing. I can do all the electronics side and the programming side of it, but concept-wise, it's definitely not my cup of tea. :lol:
 
Yes, home routers have UPnP enabled by default, although it is best to disable WAN ping response so a potential attacker is not able to map your network. Yours is not a UTM device by the sound of it, but without knowing the model I cannot confirm, so this does not apply.

If you look at my post, I was referring to a unified threat management (UTM) device, which does not support UPnP by default and does not have a UPnP checkbox.

On a UTM you would have to use NAT policy rules and firewall rules to forward UPnP ports and NetBIOS services from the WAN side.

NAT rule:

Source: Any
Translated source: Original
Destination: WAN IP address
Translated destination: Private IP address
Service: NetBIOS
Translated service: Original

So firewall rule from WAN to LAN may look like this:

Service: NetBIOS
Source: Any (can be drilled down to the MAC address of the connecting source)
Destination: WAN IP address

The NAT policy forwards to the actual machine IP address.

On the LAN side you forward NetBIOS using a firewall rule, any to any, on the same subnet.

For devices on a different subnet you use a feature named IP Helper and forward NetBIOS from one subnet to another.

For example, you have a LAN subnet 192.168.1.0/24 on the X0 port and want to allow sharing and network neighborhood characteristics with another subnet, 192.168.2.0/24, on the X2 port.

You set IP Helper to forward NetBIOS from the X0 port to the X2 port and vice versa.

Then create a firewall rule to forward NetBIOS from machine x (X0) to machine y (X2) and vice versa, or for a group of machines on each of those ports.

You may or may not get this, but you may have a little more understanding.

With a home router you do not have to do this; all you do is create the port forwarding rule from WAN to LAN, and the NAT and firewall rules are created for you.
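One way to check whether your own router still answers UPnP discovery from the LAN, the default the posts above disagree about: an added example, not code from any poster here, that sends a standard SSDP M-SEARCH to the multicast group and parses the HTTP-style replies. The sample reply, its addresses and UUID are constructed placeholders.

```python
"""Audit check: does the router on this LAN still answer UPnP (SSDP) discovery?"""
import socket
SSDP_ADDR = ("239.255.255.250", 1900)  # standard SSDP multicast group and port

def build_msearch(target="upnp:rootdevice", mx=2):
    """Build the SSDP M-SEARCH datagram that UPnP-enabled devices reply to."""
    return (f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
            f'MAN: "ssdp:discover"\r\nMX: {mx}\r\nST: {target}\r\n\r\n').encode("ascii")

def parse_ssdp_response(raw):
    """Headers of an SSDP '200 OK' reply as a lower-cased dict; None for
    anything else (NOTIFY announcements, truncated junk)."""
    head = raw.decode("utf-8", errors="replace").partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines that have no colon
            headers[name.strip().lower()] = value.strip()
    return headers

def discover(timeout=3.0):
    """Send one M-SEARCH; any (ip, server, location) result means UPnP is on."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    found = []
    try:
        sock.sendto(build_msearch(), SSDP_ADDR)
        while True:  # keep reading replies until the timeout fires
            data, addr = sock.recvfrom(65507)
            hdrs = parse_ssdp_response(data)
            if hdrs:
                found.append((addr[0], hdrs.get("server", ""), hdrs.get("location", "")))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found

# Constructed sample of a UPnP-enabled router's reply; placeholder values only.
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
                b"LOCATION: http://192.168.1.1:1900/rootDesc.xml\r\n"
                b"SERVER: Linux UPnP/1.0 ExampleRouter/1.0\r\nST: upnp:rootdevice\r\n"
                b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n\r\n")
if __name__ == "__main__":
    for ip, server, location in discover():
        print(f"UPnP answering from {ip}: {server} ({location})")
```

An empty result after the timeout means nothing on the LAN answered discovery; a reply from the router's address means UPnP is still on and worth turning off in its settings.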
 
I know what UTM is, I just don't believe I have it... All the stuff you talked about, some I do not know, some I vaguely remember. But the kind of networking I do is more protocol based, dealing with OpenSSL, IRC, FTP etc. Thanks for the information though, it was appreciated :thumbsup2:
 