Network Security – Part 1 – Secure Passwords. Go here.
Lock The Front Door!
For home owners and small businesses, the router is the most important device in the network. It links to virtually every other device and to the world at large. This is the prime target of automated attacks. If hackers can exploit your router, you’re screwed. Many consumer/SMB routers just a few years old have insecure default configurations, firmware riddled with flaws; and some of these problems can’t be fixed by end-users. But there are basic steps you can deploy to protect yourself. Before we go down that list, keep one very important thing in mind:
Try not to use modems and routers supplied by your ISP. Often, these supplied modems/routers have hard-coded remote-support code that users can’t change. And firmware updates (especially security-related) lag well behind routers that are sold on the open market. So, where possible, insist that you are allowed to use your own modem/router. And don’t buy a cheap router – let me say that again – Don’t. Buy. A. Cheap. Router.
- Set up the Administrator Username and Password. After you connect to the router’s management interface for the first time through your browser, make sure the first thing you do is set up a secure username and password. As in, SECURE! Both the username and the password. Both secure.
- Make sure the router’s management interface is not accessible from the internet. Managing the router from outside the LAN (local area network) is rarely advisable. If remote management is needed, consider using a VPN (virtual private network) to establish a secure channel to the local network, and then access the router’s interface.
- Restrict access inside the LAN. It’s best to allow access from a single IP address. For example, configure the router’s DHCP server (for any acronym or suggestion in this article, you can YouTube search and watch the tutorial video – these are standard set up topics) to assign IP addresses from 192.168.0.1 to 192.168.0.50 and then configure the web interface to only allow access from 192.168.0.53 (Admin computer). The Admin computer should be manually configured to use this address when the Admin needs to connect to the router.
- Turn on HTTPS access and always log out when done. Use the browser in the incognito or private mode when working with the router so that no session cookies are left behind. Never allow the browser to save the router’s username and password.
- Change the router’s LAN IP address. Typically, routers will be assigned the first address in a predefined netblock; for example 192.168.0.1. Change this to 192.168.0.99 or something that you’ll remember and not a part of the DHCP pool.
- Use a secure Wi-Fi password and WPA2 security protocol. WPA2 (Wi-Fi Protected Access II) is more secure than the older WPA and WEP protocols – new routers should default to WPA2, but make sure you verify. Also, set up a guest network with a secure password that guests will be able to log in with (make it secure, yet memorable for your guests – see Secure and Memorable Passwords here). Just to be on the safe side, change that guest password every few months.
- Keep your router’s firmware up to date. While you can use the automatic update feature in most routers, it’s more secure to manually and regularly check the manufacturer’s support website for firmware updates.
Spend a little bit of time securing your modem/router and don’t let it be low-hanging fruit for hacking attacks. It doesn’t require advanced IT knowledge and you’ll be one step ahead of automated attacks searching out possible vulnerabilities in your network.
Next week we’ll go into further depth with some advanced steps you can take, especially for larger LAN’s that have multiple users and a lot of IoT devices, especially those controlled by phone apps.