Friday, November 27, 2009

10 Steps to securing a wireless router, by synjunkie

I got this from another blog and I find the information very helpful and comprehensive. It does teach you or show you how to configure your routers but tells you the things that you should know and check for when setting up your own wireless router. Therefore, you can use this as your checklist, if you will, for not getting pwned by your inquisitive neighbours.

The following was taken from synjunkie's blog:

1. Upgrade Firmware

It's always a good idea to keep firmware as up to date as possible as the vendor may have fixed known vulnerabilities or bugs since the hardware shipped. As a bonus you might even get a bit more functionality thrown in as well with the firmware upgrade. It's also a good idea to check the vendor's site every couple of months for updates.

2. Change the default Password


3. Turn off Wireless Administration

This will prevent anyone who is not physically plugged into the network from administering the wireless router.

4. Enable Encryption

Enable the best encryption possible. WPA2 is preferred but if the connecting devices only support WEP then WEP it is. Just be aware that WEP is crap and it can be cracked in seconds. Ensure that whatever encryption you use, it has a long random key. There are plenty of random key generators available so use them.

5. Change & Hide the Default SSID

Don't leave your default SSID as Linksys or Belkin. Change it to something unique but not something that identifies it as your network, such as “Bob Scratchets House”. Even after hiding the SSID it is possible for an attacker to view it but it is another layer in your defense strategy.

6. Apply MAC Address Filtering

Each device that has a wireless card in it will have a MAC address. Apply MAC address filtering so only devices with the specified MAC addresses can connect using wireless to your router. This can be bypassed but it's another hurdle to make a potential attacker jump through.

7. Disable UPnP

Universal Plug and Play is a method by which software can open up ports on the router to allow external hosts to communicate through the router with a host on the LAN. This can also be used by malware to open up the router to allow a route in. By disabling UPnP you will need to enable port forwarding when required.

8. Configure the DHCP Settings

If your router allows you to change your DHCP scope you may want to set it to hand out addresses from a range other than the default, such as the 172.16.x.x range. Also by limiting the amount of addresses to the number of hosts you have it might provide an early warning system if someone does manage to bypass your security and hop onto your wireless LAN.

9. Configure DNS Settings

Point your DNS to a provider such as OpenDNS and utilise their free services. OpenDNS can be used to block specific types of sites such as File Sharing or Pornography and also to log where computers from your LAN are going to. It will also block your computer from visiting known bad sites. Another important note: when the DNS flaw was released to the public by Dan Kaminsky at Blackhat 08, OpenDNS was one of the first DNS providers to provide protection. At the time of this post many ISPs are still vulnerable.

10. Enable Logging

If your router allows you to enable logging it is worthwhile doing so. By familiarising yourself with the logs regularly you will get to recognise what is normal and what is not. But remember, logs are only useful if you check them!

The functions I have raised in these 10 steps are those that should be available on most consumer grade routers. If you have a router that does have more functionality such as allowing you to use HTTPS to access the administrative interface then that's great, use it.

Get familiar with what your router can do and know where to look to check settings such as port forwarding. And once you have set up the router and gotten it working well, save the config and store it somewhere safe and secure such as in a Truecrypt volume or in an encrypted disk image.


Very interesting and informative checklist. The closing sentences do add some complexity with storing config files on Truecrypt volumes or encrypted disk images. Although it's a good practice (and most likely mandatory) for high security environments, the average user doesn't and most likely wouldn't be too concerned about backing up his config files in secure locations. They probably know what encryption is but don't know how to use it to their own benefit and probably wouldn't worry about the hassle to learn. But for those that might be interested in learning about encrypting their data, I'm gonna do a post on Truecrypt in the near future, showing you how you can encrypt your data/router configs in an encrypted volume.
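Steps 6 and 8 of the checklist combine into a simple check: compare the router's DHCP lease table with the devices you know you own, and notice when the deliberately small pool is used up. The script below is an added example, not part of synjunkie's post or this blog's own material; it assumes the router exposes dnsmasq-style lease lines, and the device list, address range and sample leases are all constructed for illustration.

```python
# Added example; assumes dnsmasq-style leases: "<expiry> <mac> <ip> <hostname> <client-id>".
import ipaddress

# Constructed inventory of the household's own devices (MAC -> label).
KNOWN_DEVICES = {
    "00:11:22:33:44:55": "laptop",
    "00:11:22:33:44:66": "phone",
    "00:11:22:33:44:77": "printer",
}
# Constructed DHCP scope, sized to the number of hosts as step 8 suggests.
POOL_START = ipaddress.ip_address("172.16.10.10")
POOL_END = ipaddress.ip_address("172.16.10.12")

SAMPLE_LEASES = """\
1259300000 00:11:22:33:44:55 172.16.10.10 laptop 01:00:11:22:33:44:55
1259300500 00-11-22-33-44-66 172.16.10.11 phone *
1259301000 DE:AD:BE:EF:00:01 172.16.10.12 * *
malformed line
"""

def normalise_mac(mac):
    """Lower-case, colon-separated form so the allowlist comparison is exact."""
    return mac.strip().lower().replace("-", ":")

def parse_leases(text):
    """Yield (mac, ip, hostname) for each well-formed lease line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or truncated lines
        try:
            ip = ipaddress.ip_address(fields[2])
        except ValueError:
            continue  # third field is not an IP address
        yield normalise_mac(fields[1]), ip, fields[3]

def audit(text, known=KNOWN_DEVICES):
    """Return leases held by unknown MACs and whether the pool is exhausted."""
    leases = list(parse_leases(text))
    unknown = [(m, str(ip), h) for m, ip, h in leases if m not in known]
    pool_size = int(POOL_END) - int(POOL_START) + 1
    in_pool = {ip for _, ip, _ in leases if POOL_START <= ip <= POOL_END}
    return {"unknown": unknown, "pool_full": len(in_pool) >= pool_size}

if __name__ == "__main__":
    report = audit(SAMPLE_LEASES)
    for mac, ip, host in report["unknown"]:
        print(f"unknown device {mac} holds {ip} (hostname {host})")
    print("pool exhausted" if report["pool_full"] else "pool has free addresses")
```

A device that clones an allowed MAC address will not appear as unknown here, which is the bypass step 6 already mentions; the pool-exhaustion flag is the part that still notices an extra host.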

Resources/Good reading:
