Router Security: New Router
2016 saw a new wrinkle in setting up a new router: routers that have to be online to be configured. Before 2016, the only router I knew of that worked this way was the ZyXEL Armor Z1; it would not let you into the router's administrative interface without an Internet connection. The Google OnHub line of routers also can not be accessed, even locally, unless they are connected to the Internet. I believe the same is true of Eero and Luma. It is not true of the Netgear Orbi or the Ubiquiti AmpliFi router systems.
I think this is a bad idea. For one thing, if the hardware manufacturer goes out of business, the router becomes a paperweight. Also, you can never be sure what data is being collected by the hardware manufacturer. So, none of what follows applies to a router where the manufacturer requires it to phone home. I have ruled out all such routers from consideration.
Every set of instructions I have seen from a router manufacturer says to start the new router setup by plugging the router into the Internet. I disagree.
While a new router needs to be online to get bug fixes (a.k.a. updated firmware), I would first make the changes below while off-line*.
You may even want to turn off WiFi altogether.
I would not make all the changes suggested elsewhere on this site yet, however, because new firmware may modify or wipe them out.
Even after changing these default values, I would still not put the router directly on the Internet. It is safer to plug it into a LAN port on an existing router. This puts a firewall in front of the new router, yet still lets it download updated firmware (the operating system in the router is referred to as firmware).
This plan has one potential problem however: IP address conflicts. If the existing router is, for example, 192.168.1.1 and the new router also defaults to 192.168.1.1, then the WAN side and the LAN side of the new router both end up in 192.168.1.x and it can not route between them; at best the new router never gets online, at worst both networks misbehave. When plugging a new router into a LAN port of an existing, online, router you want each router to use a different IP subnet. That is, if the existing router uses 192.168.1.x, change the new router to use 192.168.22.x, or anything else that does not overlap with the existing network. Changing the default IP address of the new router is something that should be done anyway.
Once the new router is plugged into a LAN port on the existing router, then update the firmware in the new router. The procedure for doing so varies drastically, so I can offer no step-by-step advice. However the router updates its firmware, experience has taught me not to trust it. Even if it says that it has the latest and greatest version, I suggest verifying this manually at the website of the router manufacturer.
Be aware that you may need to update the firmware more than once. For example, a router that shipped with firmware version 5 may not be able to directly update to version 8; it may have to first update to version 6, then version 7, then finally version 8.
After the firmware is brought up to date, take the router off-line and make the changes suggested elsewhere on this site.
My experience has been that it is faster, easier and more reliable to make these changes from an Ethernet connected computer (plugged into one of the LAN ports) rather than WiFi.
This section was added Jan. 22, 2017
The concept of a "port" is fundamental to computer networking with TCP/IP (which underlies the Internet). It can be explained with an analogy: a computer is like an apartment building and a port is a specific apartment. Any computer can carry on multiple conversations on the Internet at the same time. For example, it can be doing messaging, web browsing and email at the same time. The way the computer keeps track of these separate connections is by ports. The messaging software uses one port, the web browser uses another (probably a few) and the email program is using yet another port. In fact, when two computers communicate, they do not do it building to building, they do it apartment to apartment.
In the old days, ports could either be open or closed. Now, they can be more than closed, they can also be stealthed. A closed port answers a connection attempt by saying that it is closed (for TCP, a reset packet). A stealthed port does not answer at all, so the computer probing it can not even tell that it exists.
An open port accepts unsolicited incoming data. Usually, this data traffic is a connection request to start a conversation between the computer with the open port and some other computer.
As a rule, only server computers need open ports. The computer housing this website, for example, needs to have port 80 open to accept HTTP requests. If this site were also available via HTTPS, then the server computer it lives on would also need to have port 443 open. The computer/tablet/smartphone that you use is not a server, so it does not need any open ports. Likewise, a secure router will have no open ports on its WAN (Internet-facing) side. On the LAN side it necessarily listens for a few things, such as DHCP, DNS and its own administrative interface, which is why the tests below are aimed at the WAN port.
There are two basic methods for sending data on the Internet, TCP and UDP. TCP is slower but reliable (lost data is re-sent and arrives in order), UDP is faster but unreliable (lost data is simply lost). Web pages use TCP, DNS requests use UDP. There are 65,535 ports (numbered 1 through 65,535), but each one can be used with either TCP or UDP. So, while this website accepts HTTP requests on TCP port 80, it does not accept requests on UDP port 80.
Time and time again, we have seen routers exploited via open ports. The firewall in a router should block all unsolicited incoming connection attempts on the WAN side. Very often ISPs will leave a port open (that is, poke a hole in the firewall) to allow themselves easy access into the router; TR-069, the remote management protocol many ISPs use, which listens on TCP port 7547, is the usual example. This is one reason to avoid the router offered by an ISP.
The best time to test the firewall in a router is before putting it into production. That is, test it while its WAN port is connected to the LAN port of an existing router. I say this for two reasons. For one, you want to know about any open ports before putting the new router online. Also, the assorted online router tests detailed on the Test Your Router page only test a small percentage of the available ports. They limit themselves to the popular or commonly used ports.
The classic utility for testing ports is nmap which comes in a GUI version called Zenmap that runs on Linux, Windows, Mac OS X (now macOS), BSD and more. I am no expert on nmap, but here are some basics.
In the commands below, 192.168.1.22 stands for whatever IP address the existing router assigned to the WAN port of the new router; substitute the real address.
nmap 192.168.1.22 This scans the computer at IP address 192.168.1.22 for the 1,000 most commonly used TCP ports (nmap picks them by popularity, so this is not the same as ports 1 through 1,000). It runs quickly and is a good first step.
nmap -p 1-65535 192.168.1.22 This scans every TCP port on the computer at IP address 192.168.1.22. (-p- is a shorthand for -p 1-65535.)
nmap -p 1-65535 -v 192.168.1.22 The added -v is for verbose mode, which shows progress while the scan runs.
nmap -sU -p 1-65535 192.168.1.22 This scans all UDP ports. It has to run as root/administrator, and it takes a very long time, because most UDP probes get no reply at all and nmap has to wait for, and retry, each one.
While the WAN port of a new router is connected to a LAN port of an existing router, run nmap from another computer connected to the old router. The new router will be seen by the existing router as just another device and it will be assigned an IP address on the LAN; the DHCP client list of the existing router will show you which one. This lets us scan the external WAN interface of the new router without its being on the Internet.
Start with the first command to get your feet wet with nmap. Then run the 2nd or 3rd command to test every TCP port. Finally, run the last command to test every UDP port. The UDP scans take much longer than the TCP scans. In nmap's output, "filtered" is what this page calls stealthed, "closed" is closed, and anything reported as "open" is a hole in the firewall. For UDP, nmap often can not tell the difference between open and stealthed and reports "open|filtered"; that is not proof of a hole, but it deserves a second look.
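The procedure above, wrapped in a small shell script. This is an added example, not something from the page: it runs the full TCP and UDP scans against the WAN port of the new router, saves nmap's grepable (-oG) output, and reduces that output to the one question that matters here, whether anything is open. It assumes the existing router's LAN is 192.168.1.0/24 and that it gave the new router's WAN port the address 192.168.1.22; both addresses are assumptions, and the sample scan output embedded in the script is constructed so the parsing can be exercised without a router on hand.

```shell
#!/bin/sh
# Added example, not from the page: scan a new router's WAN interface while it
# hangs off a LAN port of the existing router, and reduce nmap's grepable
# (-oG) output to "is anything open?". Assumptions: the existing router's LAN
# is 192.168.1.0/24 and it handed the new router's WAN port 192.168.1.22.
# Check the existing router's DHCP client list (or "nmap -sn 192.168.1.0/24")
# to find the real address.

NEW_ROUTER_WAN="${NEW_ROUTER_WAN:-192.168.1.22}"

# The scans from the text, saved in grepable form. "-p-" is shorthand for
# "-p 1-65535". The SYN scan nmap uses as root and the UDP scan both need raw
# sockets, hence sudo. Expect the UDP scan to take hours.
scan_wan_interface() {
  target="$1"; outdir="${2:-.}"
  sudo nmap -p- -oG "$outdir/tcp-all.gnmap" "$target"
  sudo nmap -sU -p- -oG "$outdir/udp-all.gnmap" "$target"
}

# Print "port/proto" for each port whose state equals $1. A -oG host line is
# tab separated and looks like:
#   Host: 192.168.1.22 ()  Ports: 53/open/tcp//domain///, 80/closed/tcp//http///  Ignored State: filtered (65533)
ports_in_state() {
  awk -v want="$1" '
    /^Host:/ {
      n = split($0, f, "Ports: ")
      if (n < 2) next                  # "Status: Up" lines carry no ports
      m = split(f[2], e, ", ")
      for (i = 1; i <= m; i++) {
        split(e[i], p, "/")            # port/state/proto/owner/service/...
        if (p[2] == want) print p[1] "/" p[3]
      }
    }'
}

# An open port is a hole in the firewall. "open|filtered" is what nmap reports
# for a UDP probe that got no answer: not proof of a hole, but worth a look.
open_ports_from_grepable() { ports_in_state open; }
unresolved_udp_ports()     { ports_in_state "open|filtered"; }

# Exit 0 when nothing is open (a secure router, by the page's definition).
firewall_verdict() {
  found=$(open_ports_from_grepable)
  if [ -n "$found" ]; then
    printf 'OPEN PORTS on the WAN interface:\n%s\n' "$found"
    return 1
  fi
  echo "no open ports on the WAN interface"
}

# Constructed sample output (not a real scan) so the parser can be exercised
# offline: a chatty router exposing a DNS forwarder, a web proxy and UPnP.
sample_grepable_output() {
  printf '%s\t%s\n' 'Host: 192.168.1.22 ()' 'Status: Up'
  printf '%s\t%s\t%s\n' 'Host: 192.168.1.22 ()' \
    'Ports: 53/open/tcp//domain///, 80/closed/tcp//http///, 8080/open/tcp//http-proxy///' \
    'Ignored State: filtered (65532)'
  printf '%s\t%s\t%s\n' 'Host: 192.168.1.22 ()' \
    'Ports: 1900/open/udp//upnp///, 5353/open|filtered/udp//zeroconf///' \
    'Ignored State: closed (65533)'
}

# Constructed sample for a router that passes: one closed port, the rest stealthed.
sample_clean_output() {
  printf '%s\t%s\t%s\n' 'Host: 192.168.1.23 ()' \
    'Ports: 443/closed/tcp//https///' 'Ignored State: filtered (65534)'
}

case "${1:-}" in
  scan) scan_wan_interface "$NEW_ROUTER_WAN" "${2:-.}" \
          && cat "${2:-.}"/*.gnmap | firewall_verdict ;;
  demo) sample_grepable_output | firewall_verdict ;;
esac
```

Run it as `sh scan-new-router.sh scan /tmp/newrouter` from a computer on the existing router's LAN (with `NEW_ROUTER_WAN` set to the real address) and it ends with either "no open ports on the WAN interface" or a list of what is open; `demo` runs the verdict over the constructed sample instead. The parser keys on nmap's state field rather than on the port number, so a router listening on an unexpected port is caught as readily as one on port 80.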
This section was added Jan. 22, 2017
Routers, like any computer, can both send and receive data. I say this to put the previous section in context. Testing for open ports only addresses the issue of the router receiving data. But what of it sending data?
I bring this up here because when a router is new is a great time to audit it, to see what data, if any, it is sending and to whom. Specifically, connect the WAN port of the new router to a LAN port of an existing router and connect nothing to the new router. Then, use the existing router to log any data that the new router sends.
Of course, many routers can't do this. My favorite router, the Pepwave Surf SOHO, is halfway there. It can log every outgoing connection the new router makes, but can not log the data it sends. I have, to date, only done this on one new router and was quite disappointed to see that it was fairly chatty. Again, that is with nothing connected to the new router at all.
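When the existing router can not log outgoing connections, a Linux computer that can see the new router's WAN traffic can. The script below is an added example, not from the page and not the Pepwave's own logging: it captures only the packets the new router originates, then summarizes where they go and which DNS names the router looks up. It assumes the Linux box is itself acting as the existing router, or sits on a mirror port of one, that the existing LAN is 192.168.1.0/24 and that the new router's WAN port was given 192.168.1.22; all of that is assumed, and the capture lines embedded for the offline demo are constructed, not a real recording.

```shell
#!/bin/sh
# Added example, not from the page: record what a new router sends with nothing
# plugged into it, then summarise where the traffic goes. Assumes a Linux box
# that can see the new router's WAN traffic (it is the "existing router", or it
# sits on a mirror port of one), that the existing LAN is 192.168.1.0/24 and
# that the new router's WAN port is 192.168.1.22. Both addresses are assumed.

NEW_ROUTER_WAN="${NEW_ROUTER_WAN:-192.168.1.22}"
LAN_PREFIX="${LAN_PREFIX:-192.168.1.}"

# Capture only packets the new router originates. The first packet of each TCP
# connection (SYN without ACK) plus all UDP is enough to learn who it talks to.
capture_outbound() {
  sudo tcpdump -i "${1:-eth0}" -n -l \
    "src host $NEW_ROUTER_WAN and (udp or (tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn))"
}

# Collapse tcpdump's text lines ("IP src.port > dst.port: ...") into
# "count proto dst.port", busiest destination first. tcpdump prints "Flags [S]"
# for TCP; with the capture filter above anything else is UDP. IPv6 ("IP6")
# lines are ignored by this summary.
outbound_summary() {
  awk '$2 == "IP" && $4 == ">" {
         dst = $5; sub(/:$/, "", dst)
         proto = ($6 == "Flags") ? "tcp" : "udp"
         count[proto " " dst]++
       }
       END { for (k in count) print count[k], k }' | sort -rn
}

# Of those, keep only destinations outside the local LAN. DNS and DHCP to the
# existing router are expected; anything else, with no clients attached, is the
# router itself talking to somebody.
offlan_destinations() {
  awk -v pfx="$LAN_PREFIX" 'index($3, pfx) != 1'
}

# The names the router looks up are often more telling than the addresses.
dns_names_queried() {
  awk '$2 == "IP" { for (i = 6; i < NF; i++)
                      if ($i == "A?" || $i == "AAAA?") print $(i + 1) }' | sort -u
}

# Constructed sample (not a real capture); 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges standing in for the manufacturer's servers.
sample_capture() {
  cat <<'EOF'
12:00:01.000001 IP 192.168.1.22.51234 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
12:00:02.000001 IP 192.168.1.22.53211 > 192.168.1.1.53: 1234+ A? example.net. (29)
12:00:03.000001 IP 192.168.1.22.51235 > 203.0.113.10.443: Flags [S], seq 2, win 64240, length 0
12:00:04.000001 IP 192.168.1.22.51236 > 203.0.113.10.443: Flags [S], seq 3, win 64240, length 0
12:00:05.000001 IP 192.168.1.22.123 > 198.51.100.7.123: NTPv4, Client, length 48
12:00:06.000001 IP 192.168.1.22.53212 > 192.168.1.1.53: 1235+ A? example.org. (29)
EOF
}

case "${1:-}" in
  live)   capture_outbound "${2:-eth0}" | tee outbound.txt ;;   # Ctrl-C when done
  report) outbound_summary < outbound.txt | offlan_destinations
          dns_names_queried < outbound.txt ;;
  demo)   sample_capture | outbound_summary | offlan_destinations
          sample_capture | dns_names_queried ;;
esac
```

Leave `live` running for a day, since a router may check for firmware or report in on a schedule, then `report` lists every off-LAN destination by connection count together with the names the router resolved. With nothing connected to the new router, an NTP server and the manufacturer's firmware-update site are about the only destinations that have an obvious explanation; anything else is a question to ask the manufacturer.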