The following are some helpful tips on ensuring a secure network from the experts at Cluely Associates.
Tip #1 Specify which IP addresses can manage the router and how:
When we're talking about routers and wireless internet access, we need to touch on something called wireless local area networks (WLANs). They're exactly what they sound like: wireless computer networks that link two or more computing devices together using some wireless signal distribution method in a limited area such as a building or office.
Home users generally manage a router and gain access to its web-based management interface only from within the WLAN. There's normally no need for them to manage the router remotely. But sometimes that's not the case.
If remote access is needed, turn off the router's own remote (WAN-side) administration feature and instead use a virtual private network (VPN) to first securely connect to the local network, then open the router's interface from inside it. That way, the management interface is never exposed directly to the internet.
Once that's out of the way, users can lock the router down further by allowing management from a single Internet Protocol (IP) address only. Give the administration computer a fixed address, either a static address outside the range the router's Dynamic Host Configuration Protocol (DHCP) server hands out, or a DHCP reservation tied to that computer, so the address is never assigned to another device on the WLAN, and then restrict the management interface to that address.
While they're at it, users should also see if they can change the router's LAN IP address away from its default, which is usually the first address of a well-known range such as 192.168.0.1 or 192.168.1.1, and ideally move the whole LAN to a less common part of the address space reserved for private networks (a subnet of 10.0.0.0/8 or 172.16.0.0/12, say). Many cross-site request forgery (CSRF) attacks on routers work by tricking the victim's browser into sending requests to the default address, so a non-default address frustrates them. It is a mitigation, not a cure: a router whose management pages accept requests without anti-CSRF tokens remains exposed to an attacker who learns or guesses the address.
Tip #2 Disable Wi-Fi Protected Setup (WPS):
Most users connect a new device to a router by turning on Wi-Fi on the device, selecting the right network name, and entering the Wi-Fi password (otherwise known as the pre-shared key, or PSK).
Router manufacturers apparently thought this took too long, so they outfitted their products with Wi-Fi Protected Setup (WPS). In its PIN mode, a new device joins the network by entering an 8-digit PIN, often printed on a label on the router; once the PIN is accepted, the router transmits the longer PSK to the device, which stores it for future connections.
WPS might sound convenient, but as the security and data privacy company Sophos has pointed out, there are good reasons not to use it.
The biggest flaw surfaced in 2011, when researchers showed that an attacker within radio range could brute force the WPS PIN, obtain the network's Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA) passphrase, and mount further attacks from inside the network. The PIN is far weaker than its eight digits suggest: the router confirms the first four digits separately from the last four, and the eighth digit is a checksum of the other seven, so an attacker needs at most about 11,000 guesses rather than 100 million, a few hours of work at most. There is no universal patch, since the fix depends on each manufacturer shipping firmware updates, and some routers reportedly keep answering PIN attempts even after WPS is switched off in the menu. Without knowing whether their device is vulnerable or when it might be patched, users should disable WPS, confirm with a Wi-Fi scanner that the access point no longer advertises it, and set devices up the regular way with the PSK.
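Why the PIN falls so quickly, as an added example written for this article (it is not Sophos's code, nor any router's WPS implementation): the checksum routine below is the one the WPS specification defines, while ToyRegistrar is a deliberately simplified model of the router side whose only purpose is to answer the first half of the PIN before looking at the second, which is the behaviour the 2011 attack exploited. The two PINs used at the bottom are constructed for the demonstration.

```python
# Added example: why an 8-digit WPS PIN can be brute forced in hours.
# The registrar (router side) answers the first four digits and the last
# four digits separately, and the eighth digit is a checksum of the other
# seven, so an attacker never faces 10**8 possibilities.  ToyRegistrar is a
# simplified model written for this example, not a real WPS stack; the
# checksum routine is the one the WPS specification defines.


def wps_pin_checksum(seven_digits: int) -> int:
    """Checksum digit for the first seven digits of a WPS PIN.

    Digits in odd positions (1st, 3rd, 5th, 7th) count three times, digits in
    even positions once; the checksum brings the total to a multiple of ten.
    """
    accum = 0
    pin = seven_digits
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if pin is eight digits and its last digit is the correct checksum."""
    return (len(pin) == 8 and pin.isdigit()
            and wps_pin_checksum(int(pin[:7])) == int(pin[7]))


class ToyRegistrar:
    """Simplified model of the access point's response to a PIN attempt.

    Real WPS proves the PIN in two halves across messages M4..M7.  If the first
    half is wrong the router sends a NACK right after M4, before the second half
    is ever checked; that early answer is the design flaw the attack uses.
    """

    def __init__(self, pin: str):
        if not is_valid_wps_pin(pin):
            raise ValueError("not a valid WPS PIN")
        self._first, self._second = pin[:4], pin[4:]
        self.attempts = 0

    def try_pin(self, first_half: str, second_half: str) -> str:
        self.attempts += 1
        if first_half != self._first:
            return "NACK_M4"   # first half wrong: rejected before M5
        if second_half != self._second:
            return "NACK_M6"   # first half right, second half wrong
        return "SUCCESS"


def split_brute_force(registrar: ToyRegistrar) -> str:
    """Recover the PIN with at most 10,000 + 1,000 attempts."""
    # Phase 1: guess the first four digits; the second half is a placeholder,
    # because the registrar will not look at it until the first half is right.
    first = None
    for i in range(10_000):
        guess = f"{i:04d}"
        if registrar.try_pin(guess, "0000") != "NACK_M4":
            first = guess
            break
    if first is None:
        raise RuntimeError("no first half accepted; model broken")
    # Phase 2: only digits 5-7 are unknown (1,000 values); the eighth digit is
    # computed from the other seven rather than guessed.
    for j in range(1_000):
        checksum = wps_pin_checksum(int(first + f"{j:03d}"))
        second = f"{j:03d}{checksum}"
        if registrar.try_pin(first, second) == "SUCCESS":
            return first + second
    raise RuntimeError("no second half accepted; model broken")


def max_attempts() -> int:
    """Worst-case attempts for the split attack (versus 10**7 valid PINs)."""
    return 10_000 + 1_000


if __name__ == "__main__":
    reg = ToyRegistrar("12345670")        # constructed PIN that passes the checksum
    print(split_brute_force(reg), "found after", reg.attempts, "attempts")
    worst = ToyRegistrar("99999995")      # constructed worst case for the search
    split_brute_force(worst)
    print("worst case:", worst.attempts, "of a possible", max_attempts())
```

The point of the model is the two return paths in try_pin: a correct protocol would only ever say yes or no to the whole PIN, at which point the 10**7 valid PINs would take years to exhaust over the air. Real attack tools add rate-limit handling and retries; the arithmetic is the same.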
Tip #3 Consider network segmentation and MAC address filtering:
Some consumer routers let users set up virtual LANs (VLANs) within the larger network. VLANs are an excellent way to segment those pesky (and often badly secured) Internet of Things (IoT) devices from the rest of the network. A VLAN only helps if the router's firewall also restricts traffic between VLANs, though: with inter-VLAN filtering in place, an attacker who compromises an IoT device is confined to its VLAN and in most cases cannot move to the larger network; without it, the VLAN is merely a separate broadcast domain.
To take it one step further, users can whitelist each device's media access control (MAC) address, the identifier assigned to its network adapter, so that only approved devices may join the Wi-Fi network. This stops casual connections by devices that happen to know the network name and password, but it is a weak control on its own: MAC addresses are sent unencrypted in every frame, so an attacker in range can read an approved one and set it on their own adapter in seconds. Treat MAC filtering as housekeeping, not as a substitute for a strong passphrase.
Tip #4 Combine port forwarding and IP filtering:
Many consumer routers come with a firewall that blocks unsolicited connections from the internet to devices on the local network. To get around that setting, routers and many devices support Universal Plug and Play (UPnP), which lets a device on the network ask the router to open an inbound port for it automatically, so that it can be reached from the internet. The request is not authenticated: any program on any LAN device, malware included, can punch a hole through the firewall this way, so UPnP is best left disabled unless something genuinely needs it.
Not all devices support UPnP, and often users would rather not have passers-by on the internet discover a device on their network at all. For those cases users can set up port forwarding: an inbound rule that maps a port on the router's public address to a particular device and port on the local network. For each incoming packet the router examines the destination TCP port (and, with filtering, the source IP address and other characteristics) and either forwards it to the designated device or drops it outright.
Combining port forwarding with IP filtering, that is, specifying which source IP addresses may use a forwarded port to reach a service, makes the exposure narrower still: one port, one internal host, and only a known set of callers. Everything else should stay at the firewall's default of dropping unsolicited inbound traffic.
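Tip #1 and Tip #4 come down to the same mechanism: firewall rules keyed on the interface a packet arrived on, its source address and its destination port, with everything unmatched dropped. The following is an added example written for this article, not code from any router or from the author: a small first-match rule evaluator in Python that expresses both tips over a constructed topology (LAN 192.168.50.0/24 with the router at .1 and the admin workstation at .10, an internal HTTPS server at .20, public address 198.51.100.7, and a trusted remote office in 203.0.113.0/24; all of these addresses are assumptions for the example).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology for this example (not from the original article):
#   LAN 192.168.50.0/24 with the router at .1 and the admin workstation at .10
#   (a DHCP reservation or a static address outside the DHCP pool), an internal
#   HTTPS server at .20, the router's public address 198.51.100.7, and a
#   trusted remote office in 203.0.113.0/24.
ROUTER_LAN_IP = "192.168.50.1"
ROUTER_WAN_IP = "198.51.100.7"
ADMIN_HOST = "192.168.50.10"
INTERNAL_SERVER = "192.168.50.20"


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "lan" or "wan"
    src: str     # source IPv4 address
    dst: str     # destination IPv4 address
    dport: int   # destination TCP port


@dataclass(frozen=True)
class Rule:
    iface: str        # ingress interface the rule applies to
    src: str          # permitted source network, CIDR notation
    dst: str          # destination address or network, CIDR notation
    dport: int        # destination TCP port
    action: str       # "accept" (deliver to the router itself) or "forward"
    target: str = ""  # "host:port" the packet is rewritten to, for "forward"

    def matches(self, pkt: Packet) -> bool:
        return (pkt.iface == self.iface
                and pkt.dport == self.dport
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst))


# Tip #1: the router's HTTPS management page on its LAN address is reachable
# only from the admin workstation.  There is deliberately no rule for port 443
# on the WAN interface, so remote administration is simply unreachable.
# Tip #4: WAN port 8443 is forwarded to the internal server, and the IP filter
# limits it to the remote office's address block.
# Anything no rule matches is dropped: the policy is default-deny.
RULES = [
    Rule("lan", f"{ADMIN_HOST}/32", f"{ROUTER_LAN_IP}/32", 443, "accept"),
    Rule("wan", "203.0.113.0/24", f"{ROUTER_WAN_IP}/32", 8443, "forward",
         f"{INTERNAL_SERVER}:443"),
]


def decide(pkt: Packet, rules=RULES) -> str:
    """First-match evaluation: return 'accept', 'forward <host:port>' or 'drop'."""
    for rule in rules:
        if rule.matches(pkt):
            return "accept" if rule.action == "accept" else f"forward {rule.target}"
    return "drop"


# Constructed sample traffic, one packet per case the two tips care about.
SAMPLES = {
    "admin host to management page":   Packet("lan", ADMIN_HOST, ROUTER_LAN_IP, 443),
    "other LAN host to management":    Packet("lan", "192.168.50.77", ROUTER_LAN_IP, 443),
    "internet host to management":     Packet("wan", "203.0.113.5", ROUTER_WAN_IP, 443),
    "remote office to forwarded port": Packet("wan", "203.0.113.5", ROUTER_WAN_IP, 8443),
    "stranger to forwarded port":      Packet("wan", "198.51.100.200", ROUTER_WAN_IP, 8443),
}


def evaluate_samples() -> dict:
    """Verdict for each constructed sample packet."""
    return {name: decide(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:34s} -> {verdict}")
```

Two things carry over to a real router's iptables or nftables ruleset: rules are evaluated in order and the first match wins, so the narrow allow rules go first and the default at the end is drop; and a source-address filter stops casual access, not an attacker who can spoof the admin host's address on the LAN or who has already compromised it, which is why the management host itself deserves the same care as the router.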
Factory firmware is weak. Custom is the way to go!
Let's face it: the firmware that ships on many consumer routers is weak on security and often stops receiving updates long before the hardware is retired. Users with a supported model are usually better off installing community-maintained custom firmware. Download it only from the project's own site, check the published hash or signature before flashing, confirm that the exact hardware revision is supported, and keep the new firmware updated too, because it is the updates, not the label, that keep a router secure. For help choosing what is best for your setup, consult the article found here.