Router Security New Router Website by     
Michael Horowitz 
Home | Site Index | Router Bugs | Security Checklist | Tests | Resources | Stats | About | Search |
I will be speaking about Router Security at the O'Reilly Security Conference in New York City at the midtown Hilton Hotel (Sixth Ave and 53rd Street). The conference runs from Oct. 30 to Nov. 1, 2017. I am slated for Nov 1st at 3:50pm in the Sutton South room on the second floor.

 

Every set of instructions I have seen from a router manufacturer says to start the new router setup by plugging it into the Internet. I strongly disagree. My secure scheme, detailed below, proposes making some initial changes with the router off-line, then going on-line, but only to update the firmware. But the on-line connection should be via the WAN/Internet port of the new router connected to a LAN port of an existing router. After the firmware is updated, take the router off-line again and make the rest of the changes. Finally, scan the WAN side of the new router looking for open TCP and UDP ports. This final scan is best done with new router, again, connected to another router. For extra credit, monitor the new router with no one using it, to see if it phones home.

First thing: Off-Line Changes

2016 saw a new wrinkle regarding setting up a new router - routers that have to be online to be configured. Prior to 2016, the only router I knew of that worked this was the ZyXEL Armor Z1 router - it did not let you access the routers' administrative interface without an Internet connection. Now, most of the new mesh router systems are paperweights, if they are not connected to the Internet. This was first true of the old Google OnHub line which could not be accessed, even locally, unless they were connected to the Internet. I believe the same is true of Eero and Luma. It is certainly true of the Norton by Symantec Core Router. Two mesh router systems that allow off-line access are the Netgear Orbi and the Ubiquiti AmpliFi.

I much prefer a router that allows off-line configuration. For one thing, if the hardware manufacturer goes out of business, or abandons an old product line, the router becomes a paperweight. Also, you can never be sure what data is being collected by the hardware manufacturer.

Before ever going on-line, I would make these changes.

I would not make all the changes suggested elsewhere on this site because there is a chance that new firmware may modify or wipe out your changes.

Firmware Update

Almost always, a new router is running old firmware (the operating system in the router is referred to as firmware). Thus, it is safer to plug its WAN port into a LAN port on an existing router. The new router will be seen by the existing router as just another device and it will be assigned an IP address on the existing routers' LAN. This puts the firewall in the existing router in front of the new router, yet still lets the new router download updated firmware.

This plan has one potential problem however: IP address conflicts. If the existing router is, for example, 192.168.1.1 and the new router also defaults to the same IP address, bad things may happen if the new router is plugged into the old one. We really want each router to use different IP subnets. That is, if both routers are using 192.168.1.x, then modify the new router to use 192.168.2.x before putting it online. Changing the default IP address of any new router, is something that should be done anyway.

Once the new router WAN port is plugged into a LAN port on the existing router, then update the firmware in the new router. The procedure for doing so varies drastically, so I can not offer any step-by-step advice. However the router updates its firmware, experience has taught me not to trust it. Even if it says that it has the latest and greatest version, I suggest verifying this manually at the website of the router manufacturer.

Be aware that you may need to update the firmware more than once. For example, a router running firmware version 5 may not be able to directly update to version 7; it may have to first update to version 6, then version 7.

The Rest of This Website

After the firmware is brought up to date, take the router off-line (unplug it from the existing router) and make the changes suggested elsewhere on this site. My experience has been that it is faster, easier and more reliable to make these changes from an Ethernet connected computer (plugged into one of the new router LAN ports) rather than WiFi.

While doing the initial configuration, it would be good to save the serial number.

Port Scanning     [Section added January 22, 2017]

The concept of a "port" is fundamental to computer networking with TCP/IP (which underlies the Internet). It can be explained with an analogy: a computer is like an apartment building and a port is a specific apartment. Any computer can carry on multiple conversations on the Internet at the same time. For example, it can be doing messaging, web browsing and email at the same time. The way the computer keeps track of these separate connections is ports. The messaging software uses one port, the web browser uses another (probably a few) and the email program is using yet another port. In fact, when two computers communicate, they do not do it building to building, they do it apartment to apartment.

In the old days, ports could either be open or closed. Now, they can more than closed, they can also be stealth-ed. A closed port tells you that it is closed. A stealthed port tells you nothing.

An open port accepts unsolicited incoming data. Usually, this data traffic is a connection request to start a conversation between the computer with the open port and some other computer.

As a rule, only server computers need open ports. The computer hosting this website, for example, needs to have port 80 open to accept HTTP requests and port 443 open to accept secure HTTPS requests. The computer/tablet/smartphone that you use, is not a server, so it does not need any open ports. Likewise, a secure router will have no open ports.

There are two basic methods for sending data on the Internet, TCP and UDP. TCP is slow and reliable, UDP is fast and unreliable. Web pages use TCP, DNS requests use UDP. There are just over 65,500 ports, but each one can be used with either TCP or UDP. So, while this website accepts HTTPS requests on port 443 using TCP, it does not accept requests on port 443 using UDP.

Time and time again, we have seen routers exploited via open ports. The firewall in a router should block all unsolicited incoming connection attempts. Very often ISPs will leave a port open (that is, poke a hole in the firewall) to allow themselves easy access into the router. At the end of August 2017 we learned that some AT&T U-verse gateways (combination modem/router) had two open ports. This is one reason to avoid the router offered by an ISP.

The best time to test the firewall in a router is before putting it onto the Internet where bad guys can scan it. That is, test a new router while its WAN port is connected to the LAN port of an existing router. This lets us scan the external WAN interface of the new router, from any LAN side device, without the new router being directly on the Internet.

I say this for two reasons. For one, you want to know about any open ports before putting the new router online. Also, the assorted online router tests detailed on the Test Your Router page only test a small percentage of the 65,500 available ports. They limit themselves to the popular or commonly used ports.

The classic utility for testing ports is nmap which comes in a GUI version called Zenmap that runs on Linux, Windows, Mac OS X (now macOS), BSD and more. I am no expert on nmap, but here are some basics.

As a first step, start with the command below to get you feet wet with nmap. It scans the device at IP address 1.2.3.4 for TCP ports 1 through 1,000.

nmap 1.2.3.4

Then run the two nmap commands below.

nmap -p- 1.2.3.4   This scans every TCP port (roughly 65,500)

nmap -sU -p- 1.2.3.4   This scans all UDP ports, and may take a long time

The only reason a port should be open on the WAN side of a router is if Remote Administration has been enabled. If you find an open WAN port, try the command below to learn more about it. In the command, 99 represents the open port number.

nmap -p 99 -sV 1.2.3.4

Limits of Testing     [Section added September 3, 2017]

Scanning the WAN port of a new router is better than not scanning it, but a perfect score does not necessarily indicate perfection. A router may detect the port scan and go into a defensive posture. So, even after running a full port scan, when you first put a new router online, run the port scanners on the Test Your Router page.

Finally, we can never be sure that a router will not respond to unsolicited input from the Internet because of port knocking. This is a secret handshake that opens a port that is normally closed. For example, suppose a bad guy tries to connect to port 100, then tries to connect to port 200, then port 300. While each connection attempt is blocked, the sequence of operations is the secret handshake that opens port 301 for a couple minutes. Then, port 301 closes, to hide this secret activity.

Spies have the upper hand in this game. As best we can, we need to try to get router firmware from a trusted source. Perhaps a company, like Turris, that is selling security as a feature. Perhaps open source firmware, assuming the source can, somehow, be verified.

Guest Network     [Section added October 14, 2017]

Before putting a router into production is a good time to test the security of its Guest network(s). The Security Checklist page has a long list of things to look for to make a Guest Network as secure as possible. Sadly, the latest mesh router systems offer very few, if any, configuration options for Guest networks.

For guest networks, most of the security is focused on isolation. The networks are used by untrusted people and/or untrusted IoT devices. The goal is to give Guest devices Internet access, period. That is, Guest devices should not be able to see or interact with anything else connected to the router. Specifically, test if a Guest user

Also, test any non-isolation options offered by the router. For example, if a Guest network is supposed to be active for only 3 hours, make sure the router really does disable it after 3 hours.

A simple way to test if two devices can communicate is a Ping command. I prefer, however, LAN scanning software such as Fing by Overlook or Wireless Network Watcher by Nir Sofer (Windows only). Despite the name, Wireless Network Watcher also scans for wired devices. A section of the Pepwave Surf SOHO page is devoted to securing its Guest networks.

Phoning Home     [Section added January 22, 2017]

The final step, before putting the router into production, is checking to see if the new router is spying on you.

Routers, like any computer, can both send and receive data. Testing for open ports only addresses the issue of the router receiving data. But what of it sending data? Is it phoning home?

This is the best time to audit the new router to see what data, if any, it is sending and to whom. As before, connect the WAN port of the new router to a LAN port of an existing router and connect nothing to the new router. Then, use the existing router to log any data that the new router sends to anyone.

Of course, many routers can't log the activity of a specific connected device. My favorite router, the Pepwave Surf SOHO is halfway on this. It can log every outgoing connection the new router makes, but can not log the data it sends.

Using one Surf SOHO to monitor another, I found that the router makes a few outgoing connections every 30 minutes. All of these connections are to learn the time of day. Specifically, they all are UDP connections to port 123, which is used by the time synchronization service NTP. Other routers that I have looked at are much more chatty. Again, this is with nothing connected to the new router.


Top 
This page was last updated: October 14, 2017 12PM CT     
Created: June 3, 2015
Viewed 11,174 times since June 3, 2015
(13/day over 873 days)     
Website by Michael Horowitz      
Feedback: routers __at__ michaelhorowitz dot com  
Changelog
Copyright 2015 - 2017