The topic is an important one: how do you make sure you have a secure router? As your firewall, it’s your first line of defense against malware trying to get at your computer from the internet.
You’ll want to make sure there aren’t big gaping holes. And sadly, very often and by default, there are.
Here are the most important
seven eight steps to a more secure router.
(Updated 18-Dec-2016 to include checking for firmware updates, after a high profile vulnerability disclosure by a major router manufacturer.)
My router versus your router
I have to start with a caveat: there are hundreds, if not thousands, of different routers. Different brands and different models with differing capabilities, power, and, of course, at differing cost.
Most importantly, they have different administration interfaces.
What that means is, I can’t tell you exactly how to make changes to your router, step-by-step. The concepts I’ll cover apply to almost all consumer-grade routers, and I’ll be using an old and popular LinkSys BEFSR81 router, and LinkSys WAP54G access point as examples.
You’ll need to “translate” the examples to the equivalent settings on your own router or access point. Make sure you have access to the documentation that came with your router, or locate the user’s manual online.
Already we see a common difference: you may well have a single device that combines both the router and wireless access point. You probably refer to it as simply your “router”. In reality, there are two separate devices – a router that deals with network access, and a wireless access point that provides your Wi-Fi connectivity – that happen to be housed in a single box. In my case, they’re in separate boxes.
1. Change the default password
If you do nothing else to secure your router, change the default password. Change it to be something long and strong. If your router supports it, a passphrase of three or more words might be ideal.
The reason for this is quite simple: it’s a common gaping security hole.
For many years, almost every router and access point from the same manufacturer was shipped with the same default password. For LinkSys, if your login is a blank username and a password of “admin”, as outlined in its manual, then anyone and everyone knows it. And anyone can log in to your router and undo any or all of the rest of the security steps we’re about to take.
Then, any malware that takes advantage of the default passwords on routers can make changes without your knowledge.
Fortunately, in recent years, most – though sadly, not all – router manufacturers have been getting smarter. If the instructions that came with your router included checking a sticker on the actual router for the admin password, and that looks like a strong password, then the security hole is significantly smaller. Now only those people who can walk up to your router and look at that sticker can get in.
I’d change the password anyway.
2. Disable remote management
“Remote Management” is a feature that allows your router to be administered from anywhere out on the internet.
While this setting (coupled with a very strong password) might make sense for a handful of people1, for most folks there’s absolutely no need to administer the router from anywhere but the local machines connected to it.
Make sure the remote management setting is off.
3. Turn off Universal Plug and Play
Universal Plug and Play (UPnP) is a technology that allows software running on your machine to configure services like port forwarding (a way of allowing computers outside your network to access your local computers directly) without you having to go in and administer the router manually.
It seems like a good idea, right?
Nope. Turn it off.
It turns out that malware can also be UPnP aware, and can make malicious changes to your router without your involvement or awareness.
(Note: UPnP is unrelated to Windows “Plug and Play” hardware detection; it’s just another unfortunate collision of similar names.)
4. Add a WPA2 key
It’s time for another password, this time to secure and encrypt your wireless connection.
First, use WPA2, not WEP. WEP encryption turns out to be very easily crackable2, and even WPA (without the 2) has been shown to be vulnerable.
Second, just as you did for the router’s administration password, select another good, secure key / password / passphrase (the terms are roughly interchangeable here). You only need to enter it once here, and once on each machine allowed to connect to your wireless network.
Having a strong WPA2 key ensures that only machines you allow on your network can see your network, your traffic, and your router.
5. Disable WPS
WPS, or Wi-Fi Protected Setup, doesn’t live up to its name – it’s not very “protected” at all.
WPS was intended as a way to make setting up a protected Wi-Fi network easy. WPS would, with the push of a button, set up Wi-Fi encryption between the router and clients that supported it.
The problem with WPS is that the protocol is flawed in such a way that it is vulnerable to a brute force attack. A malicious entity within range can force their way onto your network bypassing any encryption keys you might have set up.
WPS is enabled by default on many routers. Turn it off.
6. Turn off logging
This has less to do with configuring a secure router, and more to do with maintaining your privacy.
This is also really about making sure logging is still turned off, since if a router supports any kind of logging at all, it’ll likely be off by default.
Disable the logging, and no information will be kept on the router, or sent to any other machine. This should also clear any log the router has.
It’s worth pointing out that most consumer-grade routers do not have the capacity to actually keep complete logs themselves. If they keep anything, it will only be a shorter, partial log. When enabled, some will offer to send the log to one of the computers on your network for storage. Simply disabling logging will not erase any logs stored elsewhere.
7. Secure your router physically
As we’ve already seen, even if the default administrative password is unique to your device, it’s still visible to anyone with physical access to the router who can see the sticker on which it’s printed.
In fact, your secure router may not be secure at all if anyone can just walk up to it.
All of your router’s security settings can be reset in a flash if someone has physical access to the device. Almost all routers have a “reset to factory defaults” mechanism (typically by holding a reset button for a certain amount of time). If someone can walk up to your router and do that, all the security settings you’ve just enabled may be instantly erased.
Only you can judge whether or not you need this extra level of physical security, but make sure to consider it.
8. Check for firmware updates
Routers (and access points) are really just small computers dedicated to a single task: handling network traffic. Normally the software – referred to as “firmware” since it’s stored within the device’s hardware – is solid and just works.
Unfortunately security vulnerabilities are sometimes discovered, requiring you to update your router’s firmware to stay secure. This usually involves downloading a file for your specific router, and then using its administration interface to install the update. Some routers can fetch and install the update directly. Either way, the update is a manual step you need to take.
Checking to see if there’s a firmware update for your router is also a manual step. Some routers will perform the check at the push of a button in the administration interface. If not, you’ll need to visit the manufacturer’s support site, look for information pertaining to your specific model, and determine if a newer version of the firmware is available.
Two steps that aren’t steps
Each time I mention this article I get folks making two additional suggestions for Wi-Fi specifically that, in fact, are not steps that improve security at all. In fact they may harm security by providing a false sense of added security.
The first is MAC address filtering. I discuss this in more detail in Is MAC address filtering a viable wireless security option? but the bottom line is that like a cheap padlock MAC address filtering only keeps out honest people. If someone wants to access your network MAC address filtering is easily bypassed.
The second is turning off SSID broadcast on wireless networks. Even when not being broadcast the SSID is still visible – unencrypted – in the packets of traffic sent to and from the router. Disabling the broadcast, once again, does nothing to prevent someone with the skills from easily discovering it. I discuss this in more detail in Does changing or disabling the broadcast of my wireless SSID make me more secure?
When it comes to Wi-Fi, puting a WPA2 password on the connection is currently your best security measure.