One way that consumer routers compete is on features. No doubt, the vendors think people will buy the router with the most features.
But features can be bad. The less software that's running, the safer you are. Techies refer to this as reducing the attack surface.
What follows is a list of router features that most people can turn off most of the time. If you need it, fine. But, if not, turn it off.
Every router will not have every feature listed below and there will be times when a certain feature can not be disabled.
- WPS. Always turn this off. Better yet, don't buy a router that supports it.
- UPnP and NAT-PMP are two different protocols that do the same thing - they let devices on your network poke holes in the router firewall. This makes setup of some new devices easier, but is a huge security hole. UPnP was from Microsoft, NAT-PMP was developed by Apple. Many routers only support UPnP, Apple routers support NAT-PMP and higher end routers support both. Turning these protocols off may break something. If it does, then you need to make a choice: either live dangerously or setup the necessary port forwarding manually. For more, see the UPnP section of the Security Checklist page.
- Remote Administration. This is the function that lets someone on the Internet access the web interface of the router. It is also commonly called "Remote Management" and there may be other terms for it, such as "Web Access" too. Peplink calls is "Web Admin Access." Routers with a web interface, require an open port for Remote Administration. See examples from TRENDnet and Cisco. If you need Remote Administration, then try to limit it by source IP address or source IP network. I am not sure how routers configured with a mobile app handle remote access, there may well be different approaches. Chances are, they phone home to the router manufacturer rather than opening a port. If so, instead of creating a hole that anyone could walk through, this approach creates a hole that employees of the router manufacturer can walk through.
- Telnet access to the router on both sides (WAN and LAN). In January 2020, a hacker published a list of Telnet credentials for more than 515,000 devices. The list included each device's IP address, along with its Telnet username/password. The list was compiled by scanning the Internet for devices that were exposing their Telnet port and making educated guesses. In May 2018, it was reported that an ISP in Brazil shipped routers with Telnet enabled and no password. You can't make this stuff up. An October 2016 study by ESET found that Telnet access was available from the LAN side in more than 20% of the 12,000 routers they tested. See a screen shot of disabling Telnet on a Verizon DSL gateway.
- SSH access to the router. Here is one example of why SSH should be disabled: Akamai Finds Longtime Security Flaw in 2 Million Devices.
Peplink refers to it as CLI SSH (CLI = Command Line Interface).
- IP version 6 (a.k.a. IPv6) then test that it is really off at whatismyv6.com. In 2013 someone discovered a bug
in IPv6 regarding fragmentation buffer overflow. Just having IPv6 enabled made you vulnerable.
- SNMP. It can be used in an amplified reflection attack, where a small command generates a ton of output. Or, it might be buggy: Several Cable Modem Models Affected by SNMP God Mode Flaw (April 28, 2017). Granted the story is about a modem, this time. See too, Australian businesses targeted in Cisco switch and router attacks from Aug. 2017 which targeted SNMP.
- This is a really annoying topic, starting with the fact that it goes by two different name. Some routers call it Application Layer Gateway (ALG) and other routers call it Passthrough. Linksys uses both terms. I am no expert on this, but when the ALG/Passthrough options are off, you are safer. Not only do the names differ, but different routers offer different options. Will turning any of these off cause a problem? The only way to know, is to try it. As I said, annoying. Here are examples from eight different vendors.
- On Peplink routers, these options are in the Advanced tab, in the Service Passthrough section. On firmware version 8, the SIP gateway is always enabled and the ones for FTP and IPsec NAT-T are enabled by default. The options for H.323 and TFTP are off by default. I disabled FTP and was still able to use a secure FTP (SFTP) program just fine.
- Asus calls them NAT Passthrough and they offer PPTP, L2TP, IPSec,
RTSP, H.323, SIP, PPPoE Relay and FTP.
- TP-Link calls it ALG (in the Security Section) and they offer: PPTP, L2TP, IPSec, FTP, TFTP, RTSP, H323 and SIP.
- Linksys has both an Application Layer Gateway section (with just SIP) and a
VPN Passthrough section with IPSec, PPTP and L2TP.
- Draytek uses the term ALG and their only options are SIP and RTSP.
- In their UniFi line, Ubiquiti calls it Conntrack Modules and they offer FTP, GRE, H.323, PPTP, SIP and TFTP.
- In their AmpliFi line, Ubiquiti does not support any Passthroughs or ALGs. I checked this in Feb. 2021 with an AmpliFi router running firmware 3.4.3 and the iOS
app version 1.14.1.
- The Eero mobile app is targeted at non technical consumers and thus has very few configuration options. Eero supports no Passthroughs and no ALGs. I tested this in Feb. 2021
with eeroOS version 6.1.1 (released Jan. 2021) running on the main router.
- Like the above consumer routers, Google Nest Wifi also has no support for Passthroughs or ALGs. I tested this in Feb. 2021 with firmware version 13099.118.19 from Dec. 2020
on the router and iOS app version 2.28.1.
- Sharing of devices plugged in to a USB port, if possible. File sharing may be referred to as SAMBA. The NetUSB flaw left an untold number of routers vulnerable to attack. Asus in particular has had multiple problems sharing files in a USB port. Asus owners should consider turning off all three AiCloud features: 'Cloud Disk,' 'Smart Access,' and
'Smart Sync'. Quanta routers were found to have four
backdoor accounts in Samba.
- FTP. In July 2018 a design flaw with FTP in Netgear routers led to the leaking of military documents. No hacking was needed, the owners of thousands of Netgear routers do not change default passwords. The Netgear KB articles on FTP configuration are shameful in their ignoring security issues. Coverage of the hacking is on the Router News page under July 2018.
- Maybe turn off QoS (Quality of Service). For more on this, see Got a Netgear Router? Disable QoS by Marshall Honorof of Toms Guide July 26, 2018.
- HTTP access to the router. If possible, only use HTTPS
- Access to the web interface on ports 80 and 443. That is, always administer the router via a non-standard port
- Cloud based management. This relatively new feature competes with Remote Administration, it is another way to administer a router. The company
that makes the router will offer a cloud management website from which anyone who knows the password can re-configure the router. To me, this means
trusting every employee of the router vendor. No thanks to that.
- VPN passthrough for PPTP VPNs. PPTP is the least secure type of VPN, this insures you don't use it. If you don't use a VPN at all, then also
turn off passthrough for the other types of VPNs.* But, you should use a VPN, even at home.
- VPN server(s)
- DLNA Media server and/or DLNA media sharing
- iTunes server
- DDNS (Dynamic DNS) If doing Remote Administration, this may be needed.
- DMZ. It places computers virtually outside the router firewall. It should be off by default, but you should check it every now and then in case router was hacked.
See an Asus UI sample.
- Port Forwarding. Should be off by default. That said, there are defensive measures that do port forwarding to known bad IP addresses, so
this feature can swing both ways. Note than TRENDnet calls this feature "virtual server"
- Port triggering. See an Asus UI sample.
- Guest networks, when not in use
- WiFi whenever possible, such as overnight. If you are very lucky, the router can schedule this. If you are somewhat lucky, there will be an on/off
button for WiFi.
- RIP v1, aka Routing Information Protocol version 1. Probably not installed, as the protocol is extremely old, but if its there, turn it off. It is more
likely to be installed on routers running
- If you are using the Google OnHub router, turn off the features that deal with "smart devices", that is: Bluetooth Smart Ready,
Weave and 802.15.4.
*On episode 510 of the Security Now! podcast, Steve Gibson read an interesting note from a
listener who had turned off all VPN passthrough on a router. Sure enough, a user on the network was using a VPN, but the story is more interesting than
that. Search the transcript for "Nathan in Kansas". The episode aired June 2, 2015.