
Focus on Personal Security: Home Router Security
This article expands on the security recommendations made in the companion piece "Secure Wireless at Home and on the Road", going into depth on the features you should look for in a home router and how to secure it. It is based on a presentation made by Bob Fletcher, IT Security engineer and part of ISG, to the Departmental Computing Coordinators on November 11, 2009. To supplement the outline presented below, you can view Bob's presentation -- slides with audio -- for a detailed explanation of each bullet point.
Recommended Features
- NAT & SPI (Stateful Packet Inspection)
- WPA2 Wireless Security
- Ability to Adjust Signal Strength
Optional “Power User” Features
- Segment Traffic (VLANs)
- Ability to Use 3rd Party Firmware (e.g. OpenWRT)
Securing The Router
- Enable Admin over Secure Protocols (HTTPS & SSH)
- Change the Admin Password
- Update the Firmware
- Disable Remote Administration
- Disable Universal Plug & Play (UPnP)
- Enable Logging
- Disable DMZ
- Configure WPA2-AES for Wi-Fi
- Use a Strong Pre-Shared Key (PSK)
- Adjust Signal Strength if Available
- Use Static IP Addresses or DHCP Reserved Addresses
- Customize Wi-Fi SSID & Hide It
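The Wi-Fi, UPnP and HTTPS items of the checklist above, turned into an automated check. This is an added example, not part of the original presentation: it assumes a router running OpenWrt whose settings were saved with `uci show`, and the sample dump and the 20-character PSK threshold are constructed for illustration.

```python
import re

# Constructed sample: `uci show` output from a hypothetical OpenWrt router.
SAMPLE_UCI = """\
wireless.default_radio0.ssid='OpenWrt'
wireless.default_radio0.encryption='psk-mixed'
wireless.default_radio0.key='password1'
wireless.default_radio0.hidden='0'
upnpd.config.enabled='1'
uhttpd.main.redirect_https='0'
"""

WPA2_AES = {"psk2", "psk2+ccmp", "psk2+aes"}  # OpenWrt values meaning WPA2 with AES only
MIN_PSK_LEN = 20  # assumed threshold for "strong"; the article gives no number


def parse_uci(text):
    """Parse `section.option='value'` lines into a dict."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"^([^=\s]+)='?(.*?)'?$", line.strip())
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def audit(cfg):
    """Return the failed checklist items, sorted. Wireless options are
    checked only where they are present in the dump."""
    failed = set()
    for key, val in cfg.items():
        if not key.startswith("wireless."):
            continue
        opt = key.rsplit(".", 1)[1]
        if opt == "encryption" and val not in WPA2_AES:
            failed.add("Configure WPA2-AES for Wi-Fi")
        elif opt == "key" and len(val) < MIN_PSK_LEN:
            failed.add("Use a Strong Pre-Shared Key (PSK)")
        elif opt == "ssid" and val == "OpenWrt":  # firmware default SSID
            failed.add("Customize Wi-Fi SSID & Hide It")
        elif opt == "hidden" and val != "1":
            failed.add("Customize Wi-Fi SSID & Hide It")
    if cfg.get("upnpd.config.enabled") == "1":
        failed.add("Disable Universal Plug & Play (UPnP)")
    if cfg.get("uhttpd.main.redirect_https") != "1":
        failed.add("Enable Admin over Secure Protocols (HTTPS & SSH)")
    return sorted(failed)


if __name__ == "__main__":
    for item in audit(parse_uci(SAMPLE_UCI)):
        print("FAIL:", item)
```

Remote administration, DMZ and logging are not covered here, because on OpenWrt they depend on firewall rules and packages that vary by installation.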
Additional Features
- Utilize VLANs and AP Isolation
- Use Port Mapping for Local Servers
- Set Schedules for Mapped Ports
- Power Off Router When Not in Use
Summary
- Keep Firmware Updated
- Change your PSK & Admin Passwords Regularly
- Shut Down Any Unnecessary Features
Related Resources
- http://openwrt.org/ (Linux distribution for embedded devices)
- http://wigle.net/ (Wireless Geographic Logging Engine)
- http://www.netstumbler.com/ (Windows tool for detecting wireless LANs)
- http://www.kismetwireless.net/ (software used to analyze wireless network traffic; packet sniffer)

