Router Security   Website by     
Michael Horowitz 
Home | Site Index | Router Bugs | Security Checklist | Tests | Resources | Stats | About | Search |
 

This site focuses on the security of routers. Period. If you are interested in faster WiFi, look elsewhere. The site covers configuration changes to make a router more secure, and, picking a router that is more secure out of the box.

Why devote an entire site to router security?

I used to be like you. That is, I would buy a router, it would work fine and I would ignore it for years. But, anyone who follows tech news has no doubt heard of assorted router flaws. After some huge flaws, affecting millions of routers, caught my attention, I started following the topic more closely. As a Defensive Computing guy, I eventually realized that I needed to upgrade my own router security and get more up to speed on the topic.

Non-techies can start at the Introduction to Routers page, which discusses what a router is conceptually, describes the hardware and the many ways to communicate with a router.

The list of configuration changes to increase router security is far from complete. The topic on selecting a secure router is complete, as is the checklist page which lists the security features to look for when buying a router. The router bugs page will never be complete, but that's not the point. It exists to backup my argument - don't buy a consumer router.

I spoke on Securing a Home Router at the HOPE conference in July 2014. This website is planned to contain all the information in that presentation and be kept up to date with new developments. It's a work in progress. A PDF of my HOPE presentation is available at box.net (last updated Oct. 4, 2014). Audio is available at x.hope.net (thanks to 2600). An article about the talk appeared in Toms Guide.

I will again be speaking about Router Security, this time at the upcoming O'Reilly Security Conference in New York City at the midtown Hilton Hotel in Manhattan. The conference runs from Oct. 30 - Nov. 1, 2017. No exact date/time yet for my presentation.

Router security may be a dull and boring topic, but it's important. For more, see what can happen if your router gets hacked.

This site has NO ADS. If you see ads, either your browser, computer or router is infected with adware.

Picking a Router

The first step towards a secure router is choosing a router.

Many people use the device given them by their Internet Service Provider (ISP) which I think is a bad idea for a number of reasons.

The next decision is buying a consumer router or a business class device. Don't buy a consumer router.

I am not alone in pointing out the sad state of router software/firmware.

Which router do I recommend? The Pepwave Surf SOHO router from Peplink. My only relationship with Peplink is that of a customer.

How secure can a router get? Only as secure as its included features allow. For a list of router security features see my Security Checklist. The most expert person in the world can only make a router as secure as the included features allow.

Consumer Reports is no help in picking a secure router. Here's a screen shot from the ratings on their website. Each router is graded on security which they define as "features such as encryption, remote administration default settings and filtering and firewall compatibility." Useless.

Finally, some thoughts on Apple routers and Google Wifi and OnHub routers and consumer-focused mesh routers.

Secure Router Configuration - Start With This

When complete, this site will list dozens of tweaks to make a router more secure. But, at the least, make these changes:

  1. Change the password used to access the router. Anything but the default should be OK, but don't use a word in the dictionary. If you must use a common word or name, at least precede it with a number (i.e. 26Michaels). If your router is the rare bird that also lets you change the userid, then do so.
  2. Turn off WPS
  3. Wi-Fi security should be WPA2 with AES (do not use TKIP)
  4. The Wi-Fi passwords need to be long enough to stall brute force attacks. Opinions on the minimum length differ, my best guess is that 14 characters should be sufficient. A totally random password is not necessary, "999yellowtulips" is both long enough and easy to remember.
  5. Turn off Remote Administration. It may also be called Remote Management, Remote GUI or Web Access from WAN. (its probably off already)
  6. Turn off UPnP and NAT-PMP to protect both yourself and the rest of the Internet. For more see the Turn Off Stuff page.
  7. Test the firewall in the router at Steve Gibson's ShieldsUP! site (click the gray Proceed button). Start with the Common Ports test and pay special attention to the SSH (22) and Telnet (23) ports as these services are frequently abused by bad guys. The only good status for any port is Stealth (assuming remote administration is disabled). Next, do the All Service Ports test. Finally, do the Instant UPnP Exposure Test (orange button).
  8. If any of your Wi-Fi networks (a router can create more than one) use the default name (a.k.a. SSID) then change it. Also, if they use a name that makes it obvious that the network belongs to you, then change it. More...
  9. Use a Guest Network whenever possible. It should require a password, one different from the main network. If you leave the Guest network on all the time, its password also needs to be at least 14 characters long. If the router offers Guest Network configuration options, turn off all sharing.
  10. A common router attack changes the DNS servers. This is extremely dangerous and normally invisible. The websites dnsleaktest.com and whoer.net tell you the DNS servers used by your computing device. They are your friend. Use one of them often to insure that the DNS servers have not changed. Maybe make it your web browser home page. For dnsleaktest.com, check everything it tells you: the IP address, hostname, ISP and country of the DNS server(s) you are currently using.
  11. Periodically update the router firmware (its operating system), or, better still, use a router that can self-update, such as Google Wifi, Eero, Synology, Orbi, Luma and Velop. If your router does not self-update, then register it with the hardware manufacturer on the chance that they notify you of firmware updates.
  12. For extra credit, turn off wireless networks when not in use. Some routers let you schedule this, others have a Wi-Fi on/off button. In the worst case, you have to login in to the router web interface to disable the Wi-Fi. In that case, a browser bookmark can ease the pain.
  13. Eat your vegetables

Secure Router Configuration in Detail

  1. Suggestions for setting up a new router
  2. Setting a good router password (not WiFi password) is almost always the best first step for both new and existing routers
  3. Selecting a unpopular range of IP Addresses helps prevent many router attacks
  4. Don't let DHCP give out the full range of available IP addresses. Reserve some for static assignment.
  5. Turning off features you are not using reduces the attack surface (added June 18, 2015)
  6. Be smart about choosing an SSID/network name (added July 11, 2015)
  7. There is more to encryption than just choosing WPA2 (added July 13, 2015)
  8. Of course, upgrade the firmware (added Aug 19, 2015)
  9. Test if your router supports HNAP using the procedure on the Test Your Router page. Hopefully it does not. (added Nov. 14, 2016)
  10. MUCH more to come ...........

When you are all done making configuration changes to a router, it is a good idea to back them up. Routers normally can export a file with the current settings. On a Pepwave Surf SOHO router, go to the System section, click on Configuration, then click the Download button to Download Active Configurations. With a TP-LINK Archer C8, go to the Advanced tab, click on System Tools, then on Backup and Restore, then the Backup button.


Top 
This page was last updated: August 2, 2017 4PM CT     
Created: January 30, 2015
Viewed 361,496 times since January 31, 2015
(387/day over 935 days)     
Website by Michael Horowitz      
Feedback: routers __at__ michaelhorowitz dot com  
Changelog
Copyright 2015 - 2017