ESET Security Researcher Miguel Ángel Mendoza tells us how your routers should be configured.
(Written by Miguel Ángel Mendoza)
Cybersecurity nowadays requires more (and better) protective measures than ever before. These measures range from adopting what is acknowledged as best practice, through helping end-users stay well-informed about emerging threats and how to avoid them, to implementing internet security technology and keeping it up to date.
In a dynamic environment where threats continually evolve and new vulnerabilities are identified almost daily, it is necessary to use up-to-date security tools, because only current tools account for new and ever-shifting attack vectors.
Whether we are speaking about the work, school or home environment, security must consider and protect all elements that could become gateways for possible attacks. In this article, we will review some security aspects users should look at in a home network ―particularly those related to the configuration of its internet-connected router.
- Conduct router connectivity and authentication tests
We will review important points for the administration and configuration of routers ―in particular, steps pertaining to ports and services.
Routers can be administered and configured over the local network, via Ethernet cable or Wi-Fi. Usually you do this through the router's web interface, but routers also expose other management and file-sharing services on their well-known ports, such as FTP (port 21), SSH (22), Telnet (23), HTTP (80), HTTPS (443), or NetBIOS/SMB (139, 445).
The default ports for these and many other common services are assigned by the Internet Assigned Numbers Authority (IANA). Many routers ship with most of them blocked by default, but review the configuration rather than assume it: enable only the services you actually use, disable the rest, and block unused ports. Apply the same rule to remote (WAN-side) administration, which should stay off unless you genuinely need it, since it exposes the login page to the whole internet.
The same logic applies to the credentials for these services. If the router allows it, change both the administrator password and the username, so that neither is the out-of-the-box default. Default credentials for most router models are published and are among the first things attackers and automated malware try; if yours are unchanged, anyone who reaches the login page can reconfigure the router or use it as a foothold to compromise the rest of your network.
We also advise long, complex passwords or a passphrase for this purpose; a password manager can generate and store them safely. In short, review the configuration of services and ports, the user accounts, and the strength of the passwords.
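A quick way to check the first point yourself is a TCP connect scan of the management ports listed above against the router's LAN address. The script below is an added example for this article, not ESET's tool or any router vendor's code; the router address, the per-port remarks and the "risky" set are our own assumptions. It also includes a throwaway local listener so the scanner can be exercised without a router present.

```python
import socket
from typing import Dict, Iterable, List, Tuple

# Default gateway address for the stand-alone run; change it to your router.
# Assumed value for the example, not taken from the article.
ROUTER = "192.168.1.1"

# The management/service ports named in the article, with our own note on each.
MANAGEMENT_PORTS: Dict[int, Tuple[str, str]] = {
    21: ("FTP", "cleartext logins; disable unless you really use it"),
    22: ("SSH", "acceptable for admin if protected by a strong password or key"),
    23: ("Telnet", "cleartext admin access; should be closed"),
    80: ("HTTP", "cleartext web admin; prefer HTTPS"),
    139: ("NetBIOS-SSN", "LAN file sharing; close unless the router shares storage"),
    443: ("HTTPS", "encrypted web admin"),
    445: ("SMB", "LAN file sharing; close unless the router shares storage"),
}

# Services that should not be reachable at all on a home router (our judgement).
RISKY_PORTS = {21, 23, 139, 445}


def scan_ports(host: str, ports: Iterable[int], timeout: float = 0.5) -> Dict[int, bool]:
    """TCP connect scan: True if the port accepted a connection, False otherwise."""
    status = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            status[port] = s.connect_ex((host, port)) == 0
    return status


def classify(status: Dict[int, bool]) -> Dict[str, List[int]]:
    """Split open ports into those to review and those that should simply be closed."""
    open_ports = sorted(p for p, is_open in status.items() if is_open)
    return {
        "open": open_ports,
        "risky": [p for p in open_ports if p in RISKY_PORTS],
    }


def audit(host: str, timeout: float = 0.5) -> Dict[str, List[int]]:
    """Scan the article's management ports on one host and classify the result."""
    return classify(scan_ports(host, MANAGEMENT_PORTS, timeout))


def open_local_listener() -> socket.socket:
    """Throwaway listener on 127.0.0.1 so the scanner can be exercised offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


def closed_local_port() -> int:
    """Pick a port that is (almost certainly) closed: bind it, read it back, release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    findings = audit(ROUTER)
    for port in findings["open"]:
        name, note = MANAGEMENT_PORTS[port]
        flag = "CLOSE THIS" if port in findings["risky"] else "review"
        print(f"{port:>5} {name:<12} open  [{flag}] {note}")
    if not findings["open"]:
        print(f"No management ports open on {ROUTER} (or host unreachable).")
```

Run from a machine on the LAN to see what is exposed inside the network. A scan from the LAN says nothing about WAN-side exposure; to check that, run the same scan against your public address from outside (for example over a phone's mobile data), where ideally nothing should answer.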
- Perform vulnerability tests on the router
Another way to look for weak points in your router settings is to use tools that automate tasks such as checking for known vulnerabilities. These router tests report what they find, along with options and suggestions on how to fix the possible problems. Attackers use similar tools to identify vulnerable routers, so it is a good idea to run them yourself so that your router is no longer low-hanging fruit.
Some router tests include scanning for open ports and vulnerable services, checking whether the router's DNS settings point at known-malicious servers, testing for default or easy-to-guess passwords, identifying vulnerable firmware versions, and looking for signs of malware infection. Some also analyse the router's web administration interface for issues such as cross-site scripting (XSS), code injection or remote code execution.
If you are not familiar with these attacks, find a router test (or a group of tests) that does as much as possible of the hard work for you. While it is not a complete test, a good way to start is the Connected Home Monitor tool.
- Verify connected devices on the network
A third aspect of maintaining the proper functioning and performance of the router and the network is identifying the devices connected to it. Bad practices (such as handing out the Wi-Fi password freely) and vulnerable protocols (such as WEP or WPS PIN authentication) can let untrusted devices join the network, and let trusted devices connect without the authorization you intended.
It is therefore a good idea to know, and be able to identify, all the devices that connect to your router: first, to stop third parties consuming resources illegitimately and degrading the network's performance, and second, as a security measure, to keep your information from being compromised.
Whether this verification is done with an automated tool or manually through the router's administration options, the next step is to permit only approved devices, using filters that restrict access to specific IP or MAC addresses. Bear in mind that MAC filtering is a hygiene measure rather than a strong control: MAC addresses are transmitted in the clear and are trivial to spoof, and many modern phones randomize theirs per network, so a strong Wi-Fi passphrase remains the real barrier.
To start this activity, the Connected Home Monitor tool provides an easy-to-access list of connected devices, categorized by device type (e.g. printer, router, mobile device, and so on), showing what is connected to your home network. You then make the changes yourself in your router's interface.
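If you prefer to do the inventory by hand, the neighbour table of any machine on the LAN (`arp -a` on Linux or Windows, `ip neigh` on Linux) lists the IP and MAC address of every device it has talked to. The script below, an added example that is not part of the article or of any ESET tool, parses such output, compares it with your own allowlist of known MACs and flags unknown devices, separating out those with locally administered (randomized) addresses, which is where a MAC-based allowlist starts to break down. The `arp -a` text and the known-device list are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `arp -a` output as printed on Linux; these are not real devices.
ARP_OUTPUT = """\
? (192.168.1.1) at 10:20:30:40:50:60 [ether] on wlan0
? (192.168.1.20) at 10:20:30:40:50:61 [ether] on wlan0
printer.lan (192.168.1.30) at 00:11:22:33:44:55 [ether] on wlan0
? (192.168.1.77) at 02:ab:cd:ef:01:23 [ether] on wlan0
laptop.lan (192.168.1.88) at 54:ab:3e:0a:0b:0c [ether] on wlan0
? (192.168.1.99) at <incomplete> on wlan0
"""

# Your own inventory, MAC -> label. Invented values for the example.
KNOWN_DEVICES: Dict[str, str] = {
    "10:20:30:40:50:60": "router",
    "00:11:22:33:44:55": "printer",
    "54:AB:3E:0A:0B:0C": "laptop",   # mixed case on purpose: normalized before comparison
}

# One IPv4 address followed, somewhere on the same line, by a MAC with ':' or '-' separators.
# This shape covers Linux `arp -a`, `ip neigh`, and Windows `arp -a` (dashed MACs).
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
MAC = r"([0-9A-Fa-f]{1,2}(?:[:-][0-9A-Fa-f]{1,2}){5})"
NEIGHBOR_RE = re.compile(IPV4 + r".*?" + MAC)


def normalize_mac(mac: str) -> str:
    """Canonical form: lowercase, colon-separated, two hex digits per octet."""
    return ":".join(o.zfill(2) for o in mac.replace("-", ":").lower().split(":"))


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set => locally administered, e.g. a phone's randomized MAC."""
    first_octet = int(normalize_mac(mac).split(":")[0], 16)
    return (first_octet & 0x02) != 0


def parse_neighbors(text: str) -> List[Tuple[str, str]]:
    """Extract (ip, mac) pairs from arp/ip-neigh style output; incomplete entries are skipped."""
    pairs = []
    for line in text.splitlines():
        m = NEIGHBOR_RE.search(line)
        if m:
            pairs.append((m.group(1), normalize_mac(m.group(2))))
    return pairs


def audit_devices(text: str, known: Dict[str, str]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Split the neighbour table into known, unknown, and unknown-with-randomized-MAC devices."""
    known_norm = {normalize_mac(k): v for k, v in known.items()}
    result: Dict[str, List[Tuple[str, str, str]]] = {"known": [], "unknown": [], "randomized": []}
    for ip, mac in parse_neighbors(text):
        label = known_norm.get(mac)
        if label:
            result["known"].append((ip, mac, label))
        else:
            result["unknown"].append((ip, mac, "?"))
            if is_locally_administered(mac):
                # A MAC you never see twice: allowlisting it will not hold.
                result["randomized"].append((ip, mac, "?"))
    return result


if __name__ == "__main__":
    report = audit_devices(ARP_OUTPUT, KNOWN_DEVICES)
    for group in ("known", "unknown", "randomized"):
        print(f"{group}:")
        for ip, mac, label in report[group]:
            print(f"  {ip:<15} {mac}  {label}")
```

Replace `ARP_OUTPUT` with the real output of `arp -a` and fill `KNOWN_DEVICES` from the labels in your router's client list. Anything in the "unknown" group deserves a look; anything in "randomized" is a reminder that the device will show up with a different address next time, so a per-device filter rule is not a durable fix.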
- Update all devices on the home network
The recent news of the vulnerability known as KRACK (Key Reinstallation AttaCK), which lets an attacker within Wi-Fi range decrypt, and in some cases tamper with, traffic between a Wi-Fi client and its access point by forcing encryption keys to be reinstalled during the WPA2 handshake, emphasizes again the importance of updates.
To exploit this vulnerability, the attacker normally has to be within range of the victim's Wi-Fi network. Success would allow the attacker to spy on communications or, where traffic is not otherwise encrypted, inject malicious content such as malware. We always recommend updating all the devices connected to your network (computers, smartphones, tablets and so on) as soon as the manufacturers publish the security patches that address the vulnerability, and installing router firmware updates as soon as they are available. Note that KRACK mainly affects the client side of the handshake, so patching laptops and phones matters even if your router has no update.
Other practices also raise the security level. For example, setting a Windows computer's network profile to "Public" rather than "Private/Home" turns off network discovery and file sharing, so a compromised device on the same network has fewer ways to reach it. We would like to stress, though, that the essential thing is to keep computers and devices updated.
- Enable security options
A fifth desirable practice is to enable the security options available in the router's configuration, which vary depending on the model. Whatever router you use in your home network, enable the options designed to offer more protection to your devices and the network.
For example, some recent routers include options that protect against well-known Denial of Service (DoS) attacks, such as SYN flooding, ICMP echo floods, ICMP redirection, Local Area Network Denial (LAND), Smurf and WinNuke. If enabling these options stops your router or network from working properly, disable them selectively until performance is acceptable, and keep the rest enabled.
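To make the option names above concrete, the following is an added example (ours, not any router vendor's firmware logic or ESET code) that applies the textbook signature of each attack to a list of packet records: LAND is a SYN whose source and destination address and port are identical; WinNuke is urgent-flagged TCP data aimed at port 139; Smurf is an ICMP echo request sent to a broadcast address with a spoofed source; a rogue ICMP redirect comes from anything other than the gateway; and a SYN flood is a burst of bare SYNs from one source above a threshold. The packet records, gateway address and threshold are constructed for the example; a real router applies equivalent checks in its firewall, not in Python.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Packet:
    """Minimal packet record; only the fields the checks below need."""
    src: str
    dst: str
    proto: str            # "tcp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: str = ""       # TCP flags as letters: S=SYN, A=ACK, U=URG
    icmp_type: int = -1   # 8 = echo request, 0 = echo reply, 5 = redirect


# Assumed LAN layout for the example.
GATEWAY = "192.168.1.1"
BROADCAST = {"192.168.1.255", "255.255.255.255"}


def detect(packets: List[Packet], gateway: str, syn_threshold: int = 100) -> List[Tuple[str, str]]:
    """Return (attack_name, detail) for every packet or pattern matching a DoS signature."""
    findings: List[Tuple[str, str]] = []
    bare_syns = Counter()
    for p in packets:
        if p.proto == "tcp":
            if "S" in p.flags and "A" not in p.flags:
                bare_syns[p.src] += 1          # SYN without ACK: a new connection attempt
            if p.src == p.dst and p.sport == p.dport and "S" in p.flags:
                findings.append(("LAND", f"{p.src}:{p.sport} SYN addressed to itself"))
            elif "U" in p.flags and p.dport == 139:
                findings.append(("WinNuke", f"{p.src} -> {p.dst}:139 with URG set"))
        elif p.proto == "icmp":
            if p.icmp_type == 8 and p.dst in BROADCAST:
                findings.append(("Smurf", f"echo request to broadcast {p.dst}, claimed source {p.src}"))
            elif p.icmp_type == 5 and p.src != gateway:
                findings.append(("ICMP redirect", f"redirect from non-gateway {p.src}"))
    for src, n in bare_syns.items():
        if n >= syn_threshold:
            findings.append(("SYN flood", f"{n} bare SYNs from {src}"))
    return findings


def summarize(findings: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count findings per attack name."""
    return dict(Counter(kind for kind, _ in findings))


# Constructed traffic: four benign packets, one of each attack, then a 150-SYN burst.
SAMPLE_TRAFFIC: List[Packet] = [
    Packet("192.168.1.50", GATEWAY, "tcp", 51000, 443, "S"),
    Packet(GATEWAY, "192.168.1.50", "tcp", 443, 51000, "SA"),
    Packet("192.168.1.50", GATEWAY, "icmp", icmp_type=8),
    Packet(GATEWAY, "192.168.1.50", "icmp", icmp_type=0),
    Packet(GATEWAY, GATEWAY, "tcp", 80, 80, "S"),                    # LAND
    Packet("203.0.113.9", "192.168.1.50", "tcp", 4444, 139, "U"),    # WinNuke
    Packet("192.168.1.50", "192.168.1.255", "icmp", icmp_type=8),    # Smurf, source spoofed as the victim
    Packet("192.168.1.99", "192.168.1.50", "icmp", icmp_type=5),     # redirect from a non-gateway host
] + [Packet("203.0.113.5", GATEWAY, "tcp", 40000 + i, 443, "S") for i in range(150)]  # SYN flood


if __name__ == "__main__":
    for kind, detail in detect(SAMPLE_TRAFFIC, GATEWAY):
        print(f"{kind:<14} {detail}")
    print(summarize(detect(SAMPLE_TRAFFIC, GATEWAY)))
```

The SYN-flood check is the one most likely to misfire on a busy home network (a browser opening many tabs also sends many SYNs), which is why the article's advice to disable such options selectively when they hurt performance applies mainly to rate-based protections; the LAND, WinNuke, Smurf and redirect checks match packets that have no legitimate reason to exist on a home LAN.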
The protection of information – a never-ending task
We have touched lightly on five practices that help to improve security levels. It is important to review your router's settings and change them as needed to contribute to the overall protection of the network, the router, your devices and, of course, your data; doing so will close many of the entry points used by currently prevalent cybersecurity threats.