This site focuses on the security of routers. Period. If you are interested in faster WiFi, look elsewhere. The site covers configuration changes to make a router more secure, and how to pick a router that is more secure out of the box.
Why devote an entire site to router security?
I used to be like you. That is, I would buy a router, it would work fine and I would ignore it for years. But, anyone who follows tech news has no
doubt heard of assorted router flaws. After some huge flaws, affecting millions of routers, caught my attention, I started following
the topic more closely. As a Defensive Computing guy, I eventually realized that I needed to upgrade my
own router security and get more up to speed on the topic.
Non-techies can start at the Introduction to Routers page, which discusses what a router is conceptually, describes
the hardware and the many ways to communicate with a router.
The list of configuration changes to increase router security is far from complete. The topic on selecting a secure router is complete, as is the
Security Checklist page, which lists the security features to look for when buying a router. The
router bugs page will never be complete, but that's not the point. It exists to back up my argument: don't buy a consumer router.
Router security may be a dull and boring topic, but it's important. For proof, see what can happen if your router gets hacked.
This site has NO ADS. If you see ads, either your browser, computer or router is infected with adware.
I spoke on Securing a Home Router at the
HOPE conference in July 2014. This website grew out of that presentation. It's a work in progress.
A PDF of the presentation is available
at box.net (last updated Oct. 4, 2014). Audio is available
at x.hope.net (thanks to 2600). An article about the talk appeared in Toms Guide.
I spoke again about Router Security, at the O'Reilly Security Conference on
Nov. 1st, 2017. The talk was very different from the first one. See a PDF of the slides.
Picking a Router
The first step towards a secure router is choosing a router.
Many people use the device given to them by their Internet Service Provider (ISP), which I think is a bad idea for a
number of reasons.
The next decision is buying a consumer router or a business class device. Don't buy a consumer router.
I am not alone in pointing out the sad state of router software/firmware.
Which router do I recommend? The Pepwave Surf SOHO router from Peplink. My only
relationship with Peplink is that of a customer.
How secure can a router get? Only as secure as its included features allow; the most expert person in the world cannot do better than that. For a list of router security features, see my Security Checklist.
Finally, some thoughts on Apple routers and Google Wifi and OnHub routers and mesh routers.
Secure Router Configuration - Start With This
- Change the password used to access the router. Anything but the default should be OK, but don't use a word in the dictionary.
- Turn off WPS
- Wi-Fi encryption should be WPA2 with AES and your Wi-Fi password should be at least 14 characters long
- Turn off UPnP and NAT-PMP to protect both yourself and the rest of the Internet. For more see the Turn
Off Stuff page.
- Be smart about choosing an SSID (network name)
- Use a password protected Guest Network whenever possible, not just for guests but for IoT devices too.
- Periodically check the DNS servers being used by the router. They should either belong to your ISP or be the ones you manually configured. If not, your router was probably hacked. One site that displays your current DNS servers is www.perfect-privacy.com/dns-leaktest.
- Test Your Router for open ports using some online testers
- Periodically update the router firmware
- Eat your vegetables
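The DNS check above is easier to keep up if it is scripted. The following is an added example, not code from this site: it assumes you paste the output of `ipconfig /all` (Windows) or the contents of `/etc/resolv.conf` (Linux/macOS) into a file, and that you know which servers to expect, either your ISP's (often a whole block of addresses) or the ones you set by hand. All addresses in it are constructed samples from the documentation ranges.

```python
"""Compare the DNS servers a client is actually using with the ones you chose.
Added example (not from routersecurity.org); addresses are constructed."""
import ipaddress

def _as_ip(token):
    """Parse one address, dropping an IPv6 zone suffix like %12; None if invalid."""
    try:
        return ipaddress.ip_address(token.strip().split("%")[0])
    except ValueError:
        return None

def extract_servers(text):
    """Collect DNS servers from resolv.conf ('nameserver x') or ipconfig /all
    ('DNS Servers . . : x' followed by indented lines holding one address each)."""
    servers, in_block = [], False
    for line in text.splitlines():
        parts = line.split()
        if len(parts) > 1 and parts[0] == "nameserver":
            ip, in_block = _as_ip(parts[1]), False
        elif "DNS Servers" in line and ":" in line:
            ip, in_block = _as_ip(line.split(":", 1)[1]), True
        elif in_block and line.startswith(" ") and len(parts) == 1:
            ip = _as_ip(parts[0])            # continuation line of the ipconfig list
        else:
            ip, in_block = None, False
        if ip is not None:
            servers.append(ip)
    return servers

def unexpected_servers(observed, expected):
    """Return observed servers outside the allowlist; 'expected' entries may be
    single addresses or CIDR blocks. Anything returned means the router (or the
    client) is pointing at a resolver you did not choose: investigate."""
    nets = [ipaddress.ip_network(e, strict=False) for e in expected]
    return [str(ip) for ip in observed if not any(ip in n for n in nets)]

# Constructed samples: 203.0.113.0/24 plays the role of the ISP's resolver block.
EXPECTED = ["203.0.113.0/24"]
IPCONFIG_SAMPLE = """   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.53
                                       198.51.100.99
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
RESOLV_SAMPLE = "# constructed\nnameserver 203.0.113.53\nnameserver 203.0.113.54\n"
```

Run `unexpected_servers(extract_servers(text), EXPECTED)` on the pasted output; an empty list is the result you want, and the ipconfig sample above reports 198.51.100.99 as a server you never configured.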
Secure Router Configuration in Detail
- Suggestions for setting up a new router. Basic plan: make the most obvious few changes with the router off-line, go online behind another router to get the latest firmware, then make the rest of the changes and, finally, with the router's WAN port connected to a LAN port on another router, scan the WAN/Internet side of the new router using NMAP, looking for open ports.
- Set a good router password (not the WiFi password). Never use the default password. Don't use a word in the dictionary. If you must use a common word or name, at least precede it with a number (e.g. 3BabeRuth). If your router also lets you change the userid (few do), then change it too.
- Turn off WPS
- Selecting an unpopular range of IP addresses helps prevent many router attacks
- Turning off features you are not using reduces the attack surface. Among features that should probably be disabled are Remote Administration (aka Remote Management, Remote GUI or Web Access from WAN), SNMP, UPnP, NAT-PMP, etc. etc. Especially turn off UPnP.
- If you need Remote Administration, there are a number of ways to make it more secure. See the Security Checklist page for more.
- If any of your Wi-Fi networks (a router can create more than one) use a default SSID (network name) then change it. Do not pick a name that makes it obvious
that the network belongs to you. More...
- There is more to encryption than just choosing WPA2. To begin with use AES, not TKIP. Also, Wi-Fi passwords need to be long enough to stall brute force attacks, my best guess is that 14 characters should be sufficient. And, you really should not use a password anyone has ever used before, ever. More...
- Guest networks are your best friend. Use them not only for visitors but also for IoT devices. They should be password protected. Guest networks are usually isolated from the main network. Review all the configuration options your router offers for the Guest network to ensure they are isolated. The Security Checklist page has a list of options you might find.
- Network Isolation: Guest networks are merely the appetizer, using VLANs for network isolation is the actual meal. See the VLAN page for more.
- Lock down access to the router from the LAN side. The Security Checklist page offers a dozen possible options (see the Local Administration topic)
- The router operating system is referred to as "firmware" and like all operating systems it needs to be updated
periodically. Some routers, such as Google Wifi, Eero, Synology, Orbi, Luma and Velop, can self-update. I have a list of those I know about on the Resources page. That said, router self-updating can be done well or not. If your router does not self-update, then register it with the hardware manufacturer on the chance that they notify you of firmware updates. Netgear, for example, has a security newsletter that announces bug fixes. If you are on your own, at least set a reminder, somehow, to check for new updates every month or so. The procedure for checking varies by manufacturer. That said, not all firmware updates are good. Netgear, for example, introduced some analytics with updates in April 2017. If you didn't want them watching your network, you needed to log in to the router and disable the new analytics.
- The Ubiquiti AmpliFi mesh router defaults to using the same password for Wi-Fi and administering the router system. Regardless of the router being used, don't do this; each function should have its own password. Likewise, all guest networks should be password protected. Too many passwords? Write them down on a piece of paper and tape them to the router, face down.
- Turn off Ping reply. Sadly, different routers use different terminology for this. To test it, have someone ping your public IP address from outside your network.
- Turn off wireless networks when not in use. Some routers let you schedule this, others have a physical Wi-Fi on/off button, others have a mobile app. In the worst case, you have to log in to the router web interface to disable the Wi-Fi. In that case, a browser bookmark can ease the pain.
- Test if your router supports HNAP. If so, it should be replaced.
- The Test Your Router page has many ways to kick the tires on your router. One thing to look for is open ports. At Steve Gibson's ShieldsUP! site (click the gray Proceed button), start with the Common Ports test and pay special attention to the SSH (22) and Telnet (23) ports as these services are frequently abused by bad guys. The only good status for any port is Stealth (assuming remote administration is disabled). Next, do the All Service Ports test and finally, do the Instant UPnP Exposure Test (orange button).
- A common router attack changes the DNS servers. This is extremely dangerous and normally invisible. Fortunately, many websites can display your current DNS servers and there is a list of them on the Test Your Router page. It's good to check on this periodically. Consider making one of them your web browser home page to ensure that you check it regularly.
- Don't let DHCP give out the full range of available IP addresses. Reserve some for static assignment. I know, it's not really a security issue.
- More to come ...........
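The new-router setup plan and the open-port check both end with a scan of the router's WAN side. The following is an added example, not code from this site: it assumes the scan was run from the LAN of a second router with something like `nmap -p- -Pn -oG wan.gnmap <wan-ip>` and summarises the grepable output in this page's terms (stealth, responding, open), flagging SSH and Telnet plus a few common remote-admin ports. The sample scan output is constructed.

```python
"""Summarise an nmap grepable (-oG) scan of a router's WAN side.
Added example (not from routersecurity.org); the sample output is constructed."""
import re

# Ports the page singles out (22, 23) plus common remote-admin ports.
WATCHED = {22: "ssh", 23: "telnet", 80: "http admin", 443: "https admin",
           7547: "tr-069 cwmp", 8080: "alt http admin", 8443: "alt https admin"}
PORT_RE = re.compile(r"(\d+)/(\w+)/tcp/")
IGNORED_RE = re.compile(r"Ignored State: (\w+) \((\d+)\)")

def parse_gnmap(text):
    """Return (ports, ignored): ports maps each explicitly listed TCP port to
    its state; ignored is (state, count) for every port nmap did not list."""
    ports, ignored = {}, ("unknown", 0)
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        for num, state in PORT_RE.findall(line):
            ports[int(num)] = state
        m = IGNORED_RE.search(line)
        if m:
            ignored = (m.group(1), int(m.group(2)))
    return ports, ignored

def assess(ports, ignored):
    """Open ports are a problem; 'closed' means the router answered the probe
    (not stealth); 'filtered' is the stealth the page asks for. nmap lists only
    the minority state, so a bulk 'closed' count also means the router responds."""
    open_ports = sorted(p for p, s in ports.items() if s == "open")
    closed = sorted(p for p, s in ports.items() if s == "closed")
    bulk_closed = ignored[0] == "closed" and ignored[1] > 0
    if open_ports:
        verdict = "exposed"
    elif closed or bulk_closed:
        verdict = "responding"
    else:
        verdict = "stealth"
    return {"verdict": verdict, "open": open_ports, "closed": closed,
            "flagged": {p: WATCHED[p] for p in open_ports if p in WATCHED}}

# Constructed sample: what -oG output looks like for a router with SSH open on the WAN.
SAMPLE = ("# Nmap scan (constructed sample)\n"
          "Host: 203.0.113.7 ()\tStatus: Up\n"
          "Host: 203.0.113.7 ()\tPorts: 22/open/tcp//ssh///, 80/closed/tcp//http///, "
          "443/filtered/tcp//https///\tIgnored State: filtered (65532)\n")
```

`assess(*parse_gnmap(open("wan.gnmap").read()))` gives the verdict; only "stealth" with nothing flagged matches what the page calls a good result.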
When you are all done making configuration changes to a router, it is a good idea to back them up. Routers can normally export a file with the
current settings. On a Pepwave Surf SOHO router, go to the System section, click on Configuration, then click the Download button to Download Active Configurations. With a TP-LINK Archer C8, go to the Advanced
tab, click on System Tools, then on Backup and Restore, then the Backup button.