Network Security – Part 1 – Secure Passwords. Go here.
Network Security – Part 2 – Gateway Devices. Go here.
Routers are the essential but unheralded workhorses of modern computer networking, yet few users realize they are exposed to attack if not set up properly. Protect your systems by securing the router itself. The stakes are higher for larger networks, because a compromised gateway can shut down business for days. Multiple users and multiple IoT devices make securing the network both more important to the business and more difficult to do. Here are some advanced steps for a secure wireless router setup:
- Disable WPS (Wi-Fi Protected Setup). This convenience feature lets devices join the Wi-Fi network with a push button or an eight-digit PIN printed on a sticker, and it is often enabled by default. The PIN mode is the problem: the router checks the PIN in two halves, so an attacker within radio range can brute-force it in roughly 11,000 attempts (instead of 100 million) and recover the Wi-Fi passphrase. Turn WPS off entirely. Instead, connect to the router over a wired connection, open its web-based management interface, and configure Wi-Fi with WPA2 (AES/CCMP, not TKIP) or WPA3 where supported, with a strong passphrase.
- Restrict the services the router exposes to the Internet. Check this even if you never enabled remote management yourself, since some routers ship with it turned on. Telnet, SSH (Secure Shell), UPnP (Universal Plug and Play), HNAP (Home Network Administration Protocol), and the web administration interface should not be reachable from the WAN side, because each is a direct path to the router's configuration. Turn them off on the local network as well if they are not needed, and verify the result by scanning your public IP address from outside the network.
- MAC address filtering. Many routers can restrict which devices join the Wi-Fi network based on their MAC address, the identifier of the device's network card. Treat this as a minor extra layer, not a real control: MAC addresses are sent in the clear in every Wi-Fi frame even on an encrypted network, and any operating system lets a user set the card's MAC to an allowed value, so an attacker who has stolen the passphrase can copy the MAC of a legitimate client and connect anyway. It keeps out casual connections, but a strong WPA2/WPA3 passphrase does the real work; on larger networks, weigh the administrative burden of maintaining the list against that modest benefit.
- Port forwarding should be combined with IP filtering. (Wonky, but important.) Services running on a computer behind a router cannot be reached from the Internet unless port forwarding rules have been defined. Applications often open ports in the router automatically via UPnP, which requires no authentication, so any program on the LAN, malware included, can expose an internal service to the Internet. With UPnP disabled, add the few rules you really need by hand, and for each one specify the source IP address or netblock allowed to connect on that port, so the forwarded service is reachable only from the addresses that should use it.
- Isolate at-risk devices via network segmentation. Better routers (don't cheap out on the router purchase, it's a critical device) can create VLANs (Virtual Local Area Networks) inside a larger private network; many consumer models offer at least a guest network with client isolation, which serves the same purpose. Use a separate segment for IoT devices, which tend to have major vulnerabilities. Many IoT devices controlled through smartphone apps talk only to their vendor's cloud after the initial set-up and do not need to reach the rest of the LAN. At the same time they often expose unauthenticated or weakly protected administrative protocols to the local network, so a malware-infected computer on the same segment can easily break into them. Put them on their own VLAN, allow it out to the Internet, and block it from initiating connections to the main LAN.
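The check suggested under "Restrict the services the router exposes to the Internet" can be scripted. The Python below is an added example written for this page, not the author's tooling or any vendor's: it probes an address for the services named in that item (Telnet, SSH, the web admin interface including HNAP, and UPnP/SSDP). The port numbers are assumed vendor defaults, the HNAP and SSDP samples used to test the parsers are constructed, and it must be run from a host outside your network (for instance over a phone hotspot) against a public IP address you are authorised to test.

```python
"""Probe an address you own for router services that should not face the
Internet: Telnet, SSH, the web admin interface (with HNAP), and UPnP/SSDP.

Added example for this page, not the original author's tooling. Run it from a
host OUTSIDE the network against your own public IP, and only against
addresses you are authorised to test. Port numbers are assumed vendor
defaults; adjust them if your router differs.
"""
import socket
import sys
from typing import Dict, List

# Assumed default ports for the services the page lists.
TCP_PROBES = {23: "Telnet", 22: "SSH", 80: "HTTP admin", 443: "HTTPS admin",
              8080: "HTTP admin (alt)"}
SSDP_PORT = 1900
SSDP_MSEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 1\r\n"
    "ST: upnp:rootdevice\r\n\r\n"
).encode()
MAX_READ = 64 * 1024


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake completes, i.e. the service is reachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def is_hnap_response(raw: bytes) -> bool:
    """HNAP-speaking routers answer GET /HNAP1/ with 200 and an XML body that
    names HNAP; a 404 or a redirect to the login page is not HNAP."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status = head.split(b"\r\n", 1)[0]
    return status.startswith(b"HTTP/1.") and b" 200" in status and b"HNAP" in body


def hnap_exposed(host: str, port: int = 80, timeout: float = 2.0) -> bool:
    req = f"GET /HNAP1/ HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(req)
            while len(data) < MAX_READ:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return False
    return is_hnap_response(data)


def parse_ssdp(raw: bytes) -> Dict[str, str]:
    """Headers of an SSDP (HTTP-over-UDP) 200 reply, lower-cased; {} otherwise."""
    lines = raw.decode("latin-1").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return {}
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return headers


def ssdp_exposed(host: str, timeout: float = 2.0) -> Dict[str, str]:
    """Unicast M-SEARCH; any reply from the WAN side means UPnP faces the Internet."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(SSDP_MSEARCH, (host, SSDP_PORT))
            data, _ = s.recvfrom(4096)
        except OSError:
            return {}
    return parse_ssdp(data)


def check_exposure(host: str) -> List[str]:
    findings = [f"{name} reachable on tcp/{port}"
                for port, name in TCP_PROBES.items() if tcp_open(host, port)]
    if hnap_exposed(host):
        findings.append("HNAP answers on tcp/80 (/HNAP1/)")
    ssdp = ssdp_exposed(host)
    if ssdp:
        findings.append(f"UPnP/SSDP answers on udp/1900: {ssdp.get('server', '?')}")
    return findings


if __name__ == "__main__":
    for line in check_exposure(sys.argv[1]) or ["nothing from the list is reachable"]:
        print(line)
```

Usage: `python3 check_exposure.py 203.0.113.5` from outside the network. An empty result is the goal; anything listed should be turned off in the router's management interface and the scan repeated. A router that answers the SSDP query on its WAN address is the case UPnP-based port-opening attacks rely on.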
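The two firewall items above, port forwarding restricted to a source netblock and an isolated IoT segment, come down to a handful of rules. The Python below is an added example for this page, not the author's configuration or any vendor's: it generates an nftables ruleset for a Linux-based router (OpenWrt or similar) and refuses any forward that has no source restriction or whose "restriction" is a /0. The interface names, VLAN subnets and the example forward are assumptions for illustration; review the output before loading it with `nft -f`.

```python
"""Emit an nftables ruleset that forwards a port only from a named source
netblock and keeps an IoT VLAN from initiating connections to the main LAN.

Added example for this page, not the author's configuration or any vendor's.
Interface names, subnets and the sample forward are assumptions for a
Linux-based router; review the output before loading it with `nft -f`.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Forward:
    wan_port: int
    inside_ip: str
    inside_port: int
    proto: str = "tcp"
    allowed_src: str = ""  # CIDR of the only clients allowed to use this forward


def validate_forward(f: Forward) -> None:
    """Refuse what the page warns against: a forward open to the whole Internet."""
    if f.proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol {f.proto!r}")
    for p in (f.wan_port, f.inside_port):
        if not 0 < p < 65536:
            raise ValueError(f"bad port {p}")
    ipaddress.ip_address(f.inside_ip)  # raises on garbage
    if not f.allowed_src:
        raise ValueError("port forward must name an allowed source netblock")
    if ipaddress.ip_network(f.allowed_src, strict=False).prefixlen == 0:
        raise ValueError("a /0 source netblock is not a restriction")


def forward_is_acceptable(f: Forward) -> bool:
    try:
        validate_forward(f)
        return True
    except ValueError:
        return False


def build_ruleset(forwards: Iterable[Forward], wan: str = "eth0", lan: str = "br-lan",
                  iot: str = "br-iot", lan_may_reach_iot: bool = True) -> str:
    forwards = list(forwards)
    for f in forwards:
        validate_forward(f)
    nat: List[str] = []
    fwd: List[str] = []
    for f in forwards:
        src = ipaddress.ip_network(f.allowed_src, strict=False)
        # DNAT runs before the forward chain sees the packet, so the filter
        # rule matches the inside address and port, not the WAN ones.
        nat.append(f'        iifname "{wan}" ip saddr {src} {f.proto} dport {f.wan_port} '
                   f'dnat to {f.inside_ip}:{f.inside_port}')
        fwd.append(f'        iifname "{wan}" ip saddr {src} ip daddr {f.inside_ip} '
                   f'{f.proto} dport {f.inside_port} accept')
    out = [
        "table ip nat {",
        "    chain prerouting {",
        "        type nat hook prerouting priority -100; policy accept;",
        *nat,
        "    }",
        "    chain postrouting {",
        "        type nat hook postrouting priority 100; policy accept;",
        f'        oifname "{wan}" masquerade',
        "    }",
        "}",
        "table inet filter {",
        "    chain forward {",
        "        type filter hook forward priority 0; policy drop;",
        "        ct state established,related accept",
        "        ct state invalid drop",
        *fwd,
        f'        iifname "{lan}" oifname "{wan}" accept',
        f'        iifname "{iot}" oifname "{wan}" accept',
    ]
    if lan_may_reach_iot:
        # Phones on the LAN may still control IoT devices; replies come back
        # via the established/related rule, but IoT never initiates to the LAN.
        out.append(f'        iifname "{lan}" oifname "{iot}" accept')
    out += [
        f'        # no rule for iifname "{iot}" oifname "{lan}": dropped by policy',
        "    }",
        "}",
    ]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Assumed example: reach an internal SSH host only from a fixed office netblock.
    example = [Forward(2222, "192.168.1.10", 22, "tcp", "203.0.113.0/24")]
    print(build_ruleset(example))
```

The forward chain's drop policy is what does the isolation: traffic from the IoT interface toward the LAN matches no accept rule, while the LAN-to-IoT rule plus conntrack lets a phone on the LAN open a session and receive replies. Set `lan_may_reach_iot=False` for devices that only ever talk to their vendor's cloud.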
For most non-IT folks, these steps may seem a little daunting, but if you take your time and concentrate, you can do this!