How to Secure a Wireless Router

Router Security 2A basic wireless router can have massive security flaws. Also called SOHO routers (for small office, home office), they can be wide open for hackers even when fresh from the box and updated.

How bad are they? Bad enough that one company is holding a contest just to highlight terrible router security.

The contest, SOHOpelessly BROKEN, challenges the hacker community to find new, undisclosed vulnerabilities in 10 popular routers. It will take place next week at DEF CON 22, a hacker event in Las Vegas.

Ready to secure your wireless router? Two approaches are below.

Steps to improve router security

If you must rely on a wireless router to manage and secure your network, then follow these steps to lock it down:

1. Update the firmware

Go to the manufacturer’s website and download the current software for the router. This will patch the disclosed security vulnerabilities that the manufacturer has bothered to address. Regularly check the website for new updates.

2. Require a password

Encrypt traffic on the network with WPA2 (do not use WPA or WEP). Make the password at least 10 characters long and use a mix of uppercase, lower case, numeric, and special characters.

3. Change the SSID

In Windows, the service set identifier (SSID) is the name you will see when the router is listed as an available wireless connection. Change this from the default ID to anything you like.

4. Enable MAC address filtering

This is a feature best handled by a security device such as AccessEnforcer. But if that is not an option, enable MAC address filtering on the router. Then register each device you want allowed on the network. This will prevent other devices from connecting.

5. Disable remote administration

This will prevent anyone from logging into the router’s administration panel through a wireless connection. Only a machine plugged into the router with an ethernet cable will be able to log in.

6. Enable router firewall

Ideally, you want a real security device to protect your network instead of flimsy SOHO router. But, if you’re stuck with only basic router security, then enable the firewall. It’s better than nothing.

7. Disable all guest networks

Some routers have optional wireless connections that allow people to join without a password, giving them internet access without access to other resources like shared drives. Disable this feature.

8. Disable all other services, such FTP, that you do not use

Every feature enabled on a router is another potential way for hackers to break in. Limit your exposure by shutting off all unnecessary features and services.

9. Change the default IP address range

By picking a custom IP address range, you can avoid attacks directed at the millions of wireless routers that use the default settings.

10. Enable HTTPS for administrative connections

Not all routers have this feature, but if possible, only allow administrative access over encrypted, HTTPS sessions.

11. Disable WPS

Wi-Fi Protected Setup (WPS) provides an easier way to secure and connect to a wireless network. Though widely used on consumer routers, WPS is not secure, so disable it.

Note: You may have trouble disabling WPS. Some routers do not provide an option to disable it, and others have the option but it does not work. This is one of many reasons why you should not depend on a SOHO router for security.

12. *Bonus*

Independent Security Evaluators, sponsor of the hacker contest mentioned above, has two more recommended practices in a related case study:

After logging into a router for administration, always (1) Log out and restart the device, and (2) Clear browser cookies and active logins.

Better Approach: Do not rely on router security

A basic wireless router is not enough to protect your network, so the best approach is to use it as little as possible.

How? Use the router only as a wireless access point. Then use a security device like AccessEnforcer to direct and filter traffic on the network.

With this approach, the router does not “route” traffic. It simply provides a wireless connection and allows a security device to handle the rest. That way you do not depend on spotty router security to protect you.


Related resources

Wireless Router Security is Dangerous: 6 Reasons

Top Threats: How to prevent Cryptolocker

Top Threats: Heartbleed Bug in OpenSSL

Top Malware Sites and Unsafe Servers

Written by Calyptix

 - July 31, 2014

About Us

Calyptix Security helps small and medium offices secure their networks so they can raise profits, protect investments, and control technology. Our customers do not waste time with security products designed for large enterprises. Instead, we make it easy for SMBs to protect and manage networks of up to 350 users.
call us
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram