One way that consumer routers compete is on features. No doubt, the vendors think people will buy the router with the most features.
But features can be bad. The less software that's running, the safer you are. Techies refer to this as reducing the attack surface.
What follows is a list of router features that most people can turn off most of the time. If you need it, fine. But, if not, turn it off.
Every router will not have every feature listed below and there will be times when a certain feature can not be disabled.
- WPS. Always turn this off. Better yet, don't buy a router that supports it.
- UPnP and NAT-PMP are two different protocols that do the same thing - they let devices on your network poke holes in the router firewall. This makes setup of some new devices easier, but is a huge security hole. UPnP was from Microsoft, NAT-PMP was developed by Apple. Many routers only support UPnP, Apple routers support NAT-PMP and higher end routers support both. Turning these protocols off may break something. If it does, then you need to make a choice: either live dangerously or setup the necessary port forwarding manually. For more, see the UPnP section of the Security Checklist page.
- Remote Administration. This is the function that lets someone on the Internet access the web interface of the router. It is also commonly called "Remote Management" and there may be other terms for it, such as "Web Access" too. Peplink calls is "Web Admin Access." Routers with a web interface, require an open port for Remote Administration. See examples from TRENDnet and Cisco. If you need Remote Administration, then try to limit it by source IP address or source IP network. I am not sure how routers configured with a mobile app handle remote access, there may well be different approaches. Chances are, they phone home to the router manufacturer rather than opening a port. If so, instead of creating a hole that anyone could walk through, this approach creates a hole that employees of the router manufacturer can walk through.
- Telnet access to the router on both sides (WAN and LAN). An October 2016 study by ESET found
that Telnet access was available from the LAN side in more than 20% of the 12,000 routers they tested. See a
screen shot of disabling Telnet on a Verizon DSL gateway.
In May 2018, it was reported that an ISP in Brazil shipped routers with Telnet enabled and no password. You can't make this stuff up.
- SSH access to the router. Here is one example of why SSH should be disabled: Akamai Finds Longtime Security Flaw in 2 Million Devices.
Peplink refers to it as CLI SSH (CLI = Command Line Interface).
- IP version 6 (a.k.a. IPv6) then test that it is really off at whatismyv6.com. In 2013 someone discovered a bug
in IPv6 regarding fragmentation buffer overflow. Just having IPv6 enabled made you vulnerable.
- SNMP. It can be used in an amplified reflection attack, where a small command generates a ton of output. Or, it might be buggy: Several Cable Modem Models Affected by SNMP God Mode Flaw (April 28, 2017). Granted the story is about a modem, this time. See too, Australian businesses targeted in Cisco switch and router attacks from Aug. 2017 which targeted SNMP.
- Sharing of devices plugged in to a USB port, if possible. File sharing may be referred to as SAMBA. The NetUSB flaw left an untold number of routers vulnerable to attack.
Asus in particular has had multiple problems sharing files in a USB port. Asus owners should consider turning off all three AiCloud features: 'Cloud Disk,' 'Smart Access,' and
'Smart Sync'. Quanta routers were found to have four
backdoor accounts in Samba.
- FTP. In July 2018 a design flaw with FTP in Netgear routers led to the leaking of military documents. No hacking was needed, the owners of thousands of Netgear routers do not change default passwords. The Netgear KB articles on FTP configuration are shameful in their ignoring security issues. Coverage of the hacking is on the Router News page under July 2018.
- Maybe turn off QoS (Quality of Service). For more on this, see Got a Netgear Router? Disable QoS by Marshall Honorof of Toms Guide July 26, 2018.
- HTTP access to the router. If possible, only use HTTPS
- Access to the web interface on ports 80 and 443. That is, always administer the router via a non-standard port
- Cloud based management. This relatively new feature competes with Remote Administration, it is another way to administer a router. The company
that makes the router will offer a cloud management website from which anyone who knows the password can re-configure the router. To me, this means
trusting every employee of the router vendor. No thanks to that.
- VPN passthrough for PPTP VPNs. PPTP is the least secure type of VPN, this insures you don't use it. If you don't use a VPN at all, then also
turn off passthrough for the other types of VPNs.* But, you should use a VPN, even at home.
- VPN server(s)
- DLNA Media server and/or DLNA media sharing
- iTunes server
- DDNS (Dynamic DNS) If doing Remote Administration, this may be needed.
- DMZ. It places computers virtually outside the router firewall. It should be off by default, but you should check it every now and then in case
router was hacked. See an Asus UI sample.
- Port Forwarding. Should be off by default. That said, there are defensive measures that do port forwarding to known bad IP addresses, so
this feature can swing both ways. Note than TRENDnet calls this feature "virtual server"
- Port triggering. See an Asus UI sample.
- Guest networks, when not in use
- WiFi whenever possible, such as overnight. If you are very lucky, the router can schedule this. If you are somewhat lucky, there will be an on/off
button for WiFi.
- RIP v1, aka Routing Information Protocol version 1. Probably not installed, as the protocol is extremely old, but if its there, turn it off. It is more
likely to be installed on routers running
- If you are using the Google OnHub router, turn off the features that deal with "smart devices", that is: Bluetooth Smart Ready,
Weave and 802.15.4.
*On episode 510 of the Security Now! podcast, Steve Gibson read an interesting note from a
listener who had turned off all VPN passthrough on a router. Sure enough, a user on the network was using a VPN, but the story is more interesting than
that. Search the transcript for "Nathan in Kansas". The episode aired June 2, 2015.