Network Security (part 1) The Home Router

Sapphire, published in void security. 12 min read. Jan 24, 2018

In this story I am going to give some quick and easy tips, but also go a bit more in depth about what network security means when applied to our domestic gateways. I hope to cover almost everything important about defending what is probably the “first layer of defense” everybody has at home or in their SOHO (small office/home office).

The first thing I’ll say is “DON’T BE AFRAID”. I know a lot of people, even IT students like me or computer/telecom engineers, who are afraid of breaking their routers, or afraid that one change will screw up the whole router config and cut the home Internet off for days. The worst thing that can happen is an Internet line down for a couple of hours.

I strongly encourage you to do it. Why not? Reconsider it and remember:
if anything goes wrong, just push the reset button or upload a backup (so export one before you start). Doing it that way you are always safe.

< The first step here is: Why? />

Well, there are a lot of reasons, but the main one is that home or SOHO routers do not always have the appropriate configuration.
Usually your ISP buys a ton of cheap routers so they can earn money fast (whatever Internet issue you have, they will always try to solve it by replacing the router with a new one; think about why).

It is also really easy to find routers open to the Internet, because of a lack of configuration, because the firmware has been outdated for years, or simply because management is exposed to the Internet. Consider your router for what it is: a door to your house or your office. The router is the only thing that can stop attackers from compromising every device in your house, and to be honest that is not hard to do. You need to see your router as the main wall or the main shield.

Giant engines crawl the Internet every day. There are a lot of badly configured routers online. Make sure your device is not one of them.

To go a little more in depth, there are many ways to build a network architecture, but an enterprise, for example, will almost always use a layered defense, or “defense in depth”. This means there is an ABR or border router (like your home router), then a firewall, sometimes software but usually a physical device such as a “CISCO ASA5055 series”, and then one more router. Why? Because a company usually needs to reach the office remotely, because the business depends on the services it offers, or simply because it is one of the most used strategies to protect one or more areas.

Now that we have covered a little theory, let’s begin. I will use a couple of routers for this demonstration or guide: an Asus with OpenWrt (Linux) and a MitraStar with ISP firmware.

< The Login />

Does it have a good password? It should. If not, change it for a strong one. Then you can write it on a post-it and leave it on the fridge, for example. That is OK in your own home, but not at your office. In any company the password should, for security reasons, be secret and only available to the usual systems/network administrator. Change the password, change the admin login name, change the ports and control access to your router.

About your firmware: is it updated? There are tons of vulnerable routers on the Internet, and any open port could be exploitable remotely.

Make sure the software is updated. Do not take it for granted. The company is not forced to update your router, and if they use the cheap ones the mix could be terrible. Check your router model and make sure it is up to date. Open ports + bad config + old firmware = bad mix.

About popular routers: if you are wondering what a good router should have, or you just want a new one for your home or office, go for any Linux-based firmware like Tomato, OpenWrt or DD-WRT. If you need one for a company bigger than the typical small business office, you should go for Cisco, D-Link or Linksys, for example.

< Walling the SOHO />

Don’t take security by default for granted, especially when we talk about electronic devices or IoT. It is better to check and see that everything is OK.

A router “shouldn’t” be listening on the Internet, but the reality is that thousands of routers are open to the world, as I said before. Unless you need to use a specific service, make sure everything is closed and your firewall is activated.

Go to your control panel and click “Firewall”. It should be on; if it is not, switch it on. Then, depending on the router, we will go through the different options. Usually a router’s firewall is managed pretty much like a real one (well...) or like iptables, but I have noticed that nowadays ISPs give the end user less and less access, to make sure they can’t modify almost anything.

They also install some kind of “backdoor” in the router so they can reach it even if you configure the router not to let them in. (cough cough, buy a Linux router e_e)

About the rules: you will find “accept” rules, which allow traffic; “drop” rules, which make the router discard the packet, so the firewall simply does not answer the request; and “reject” rules, which mean the router’s firewall responds with an ICMP packet to let the sender know that the port is closed.

That’s basically what you need to know to start. By default, some routers (depending on the country and company) have a generic DROP rule that drops any inbound connection. Then you can add exceptions, choosing destination, port, protocol and maybe some more details. If this is your situation, don’t worry: you can leave it just like that, but it is good practice to make sure everything is as it should be.

If your router allows these options, I would recommend:
Drop everything coming from the Internet. Related/established connections (meaning you started the connection first, like when you visit a website) are usually allowed. Then, if possible, set a drop rule for echo-request (ICMP type 8).

If for any reason you need to open a port to allow a service, like L2TP/IPsec or PPTP tunnels for the SOHO (avoid PPTP, by the way), or maybe an FTP service on the router, always change the port number. The logic behind this is really simple:

One way to evade standard port scans is to move the service to a port higher than 1024, since the standard ports are below that. Some scans go further, because databases use ports like 3306 (MySQL), but that takes a lot of time. The most common attacks are against the SSH and Telnet ports (22 and 23).

For example, if you have an FTP server on the router, I would recommend always enabling SSL/TLS on that service, of course, but also moving it from port 21 to, say, 20021. This will cut a big amount of scanning traffic and brute-force attempts. Keep in mind that this only reduces the noise from opportunistic scans; a full-range scan still finds the service, so the real protection is still the firewall rule and a strong password.

Think about what I told you before. Don’t let Internet kids get into your gateway! Always disable remote management.

< Plus info about Firewalls />

If you can choose the interface a rule applies to, protect the services on every interface. It may be rare, but not impossible, to suffer an attack from inside (we are talking about a home gateway, right?), but it can happen. So deny WAN and LAN access to router ports like Telnet, SSH or the HTTPS login panel. An extra good practice is to filter authorized access to the router’s main control panel by MAC or IP address. Maybe many routers don’t have it, but models like this one allow it :)

Port trigger: basically a feature some routers have to temporarily open ports when the LAN needs to access the Internet. With port triggering enabled, the port is opened when any host on the LAN requests a service (like a web service); it is automatic and not static like port forwarding.

Port forward and DMZ:
When using the router as a service platform, you need to set up two basic features: port forwarding and the demilitarized zone (DMZ). On one hand, port forwarding is basically a mapping table to reach a client behind NAT.

This means the router sets a static mapping to your computer; for example, an Apache web server on port 80 is exposed as port 8080 on your router, allowing anyone on the Internet to reach your self-hosted website at “myrandomip:8080”. Port forwarding is especially useful for P2P services, video games, IRC or VPN servers.

On the other hand, the DMZ is different. In your home router this is a zone completely outside the firewall rules; in professional firewalls it is different, since you can set up zones, interfaces and specific rules between zones and control how the Internet can interact with your servers in the DMZ.

The DMZ exposes a whole server or computer to the Internet and is useful for companies to set up a mail server or web servers, for example, that need to be reachable at any moment; but nowadays this is disappearing as companies migrate their services to clouds like AWS or Azure.

An alternative for your home DMZ could be a well-configured firewall with iptables on each server, an awesome tool I will explain in the future. But keep in mind the DMZ is for servers, and port forwarding and port triggers are for a single computer and specific services.

NAT passthrough, as the name says, is a feature to make some services easier to install and use behind NAT. This is especially useful for VPNs, because IPsec has some problems when used behind NAT. It makes troubleshooting easier for some services.

~Advice~
->Check your firewall status and default rules.
->Switch off remote management.
->Use access lists to filter which WAN or LAN hosts can reach your router’s login panel or SSH port.
->DROP ICMP echo-request from WAN (Internet).
->Set a good password to access your router. Use a post-it if you want (only for home routers, please).
->If you don’t need IPv6, just disable it. It requires time and knowledge to configure an IPv6 firewall; unless you know what you are doing, I would recommend disabling it.
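The firewall settings from this section (drop unsolicited inbound from WAN, drop ICMP echo-request, an access list for the management panel and SSH, and the “myrandomip:8080” port forward) written as an OpenWrt /etc/config/firewall fragment. This is an added example, not the post’s own configuration; the admin PC 192.168.1.2 and the web server 192.168.1.10 are assumed addresses.

```uci
# /etc/config/firewall fragment for OpenWrt (added example, not the post's own config).
# Keep the stock defaults, lan zone, lan->wan forwarding and Allow-DHCP-Renew/ICMPv6 rules.
# Assumed addresses: admin PC 192.168.1.2, web server 192.168.1.10:80 published on WAN port 8080.
# WAN zone: unsolicited inbound is silently dropped; replies to connections started from inside (conntrack) still pass.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'

# Replace the stock 'Allow-Ping' rule with this one: drop IPv4 echo-request (type 8) from WAN. ICMPv6 stays, NDP needs it.
config rule
	option name 'Drop-Ping-WAN'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	option family 'ipv4'
	option target 'DROP'

# Access list for the management plane (SSH 22, web panel 80/443): admin host only, even from LAN. Rules apply in file order.
config rule
	option name 'Mgmt-Allow-Admin'
	option src 'lan'
	option src_ip '192.168.1.2'
	option proto 'tcp'
	option dest_port '22 80 443'
	option target 'ACCEPT'

config rule
	option name 'Mgmt-Drop-Others'
	option src 'lan'
	option proto 'tcp'
	option dest_port '22 80 443'
	option target 'DROP'

# Port forward (DNAT): WAN port 8080 -> 192.168.1.10:80, the "myrandomip:8080" case from the text.
config redirect
	option name 'Web-8080'
	option src 'wan'
	option src_dport '8080'
	option dest 'lan'
	option dest_ip '192.168.1.10'
	option dest_port '80'
	option proto 'tcp'
	option target 'DNAT'
```

Apply it with `/etc/init.d/firewall restart` and check the result from the admin PC and from another LAN host before trusting it: the second host should no longer reach the login panel.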

< Fighting DoS/>

Some routers have a Denial of Service menu to enable simple protection against this kind of attack. As you can see in the picture, we can set a threshold to stop TCP SYN floods and UDP floods, which are the most common layer 7 DoS attacks, plus some protection against massive echo requests and against ICMP redirects. Enough for a home router.

< About the Wireless settings />

BSSID: Basic Service Set Identifier, the MAC address of your access point.
ESSID: Extended Service Set Identifier, the name of your network.
A lot has been said about this, but I still find devices with vulnerabilities every day, in every place and network. Let’s go then.
WPS PIN: what is that? It is a button, usually on the back of the router, that allows a direct connection between the router and a device.
The problem: it is easy to bypass and to activate remotely, letting an intruder join the network. Keep it disabled always.

WPA, WPA2, WPA/WPA2 and WEP: we already know (or not) that WEP is an insecure protocol because of the problems inside its algorithm. That is why the WPA generation came out, and its second version emerged some years later. Nowadays we are talking about WPA3 coming soon.

Whenever possible, switch to WPA2 and don’t use the mixed mode. WPA is considered secure, but WPA2 is safer. One of the differences is that WPA uses the TKIP algorithm while WPA2 uses AES. Keep it easy: use WPA2-PSK (Pre-Shared Key; WPA2-PSK and “WPA2” as it is usually called are the same thing) with AES, and choose a strong password of at least 20 characters.

WPA2-Enterprise is the WPA2 version that allows authentication against a RADIUS server, letting us use, for example, accounts from Windows Active Directory so that each user gets wireless access with their own username and password.

Depending on your needs and, of course, the device, you can change the key rotation time. Key rotation time is the time in seconds between each encryption key rotation cycle in the WPA algorithm.
A good value is 3600 seconds. A longer interval would make your network more vulnerable, but a shorter one could cause problems on the network.

< Security options />

AP isolation: basically isolates every device in the network using a virtual LAN, or VLAN (one VLAN per device in this case).
Access point & additional channels: creates an extra AP, useful for temporary or non-regular users. This way you don’t need to share your access and your key. A secret key is called “secret” for a reason, remember that.

Simple Wi-Fi advice you should follow
->Disable WPS (please...)
->Force the router to WPA2 + AES. Not WPA. Not WPA/WPA2.
->Use a strong password of 20+ characters.
->Don’t enable MAC filtering for Wi-Fi; it is useless.
->Forget about hiding your network.

You may think your network is more protected that way, but it isn’t. Anyone who knows how to attack wireless networks knows how to make it pop up in just a few minutes, and a hidden network will pop their curiosity too. (I think I am not the only one who looks at the hidden networks first.)

To make it simple: unless you can use WPA2-Enterprise, which is not the case at home or in small offices, your wireless security will always be exactly as strong as your router’s WPA2 password. Forget about anything else.

Make sure to use a long one that is easy to remember, with upper case, lower case and symbols to increase the entropy of the WPA2 key, and rotate the password every few months, or at least once a year. WPA2 cracking takes a lot of time but is not impossible. A good trick for making a good password is to mix things that make sense to you but not to anyone else, or something funny like “This.router_isCRAP.100%sure0$crap”: 33 characters, upper, lower, symbols, funny and easy to remember because it is probably true.
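The wireless settings from this section (WPA2-PSK with AES only, WPS off, network not hidden, MAC filtering off, 3600-second key rotation, an isolated guest SSID with its own key, and the WPA2-Enterprise variant against a RADIUS server) as an OpenWrt /etc/config/wireless fragment. This is an added example, not the post’s own configuration; ‘radio0’, the ‘guest’ network, the SSID names, the RADIUS address 192.168.1.5 and the guest key and RADIUS secret are assumed placeholders.

```uci
# /etc/config/wireless fragment for OpenWrt (added example, not the post's own config).
# Assumes radio 'radio0' and a 'guest' interface already defined in /etc/config/network and
# kept off the LAN by the firewall. SSIDs, the guest key and the RADIUS address are placeholders.

# Main SSID: WPA2-PSK with CCMP/AES only (no WPA or TKIP mix), WPS off, visible,
# no MAC filter, group key rotated every 3600 seconds. The key is the post's own example; use your own.
config wifi-iface 'main'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'home-main'
	option encryption 'psk2+ccmp'
	option key 'This.router_isCRAP.100%sure0$crap'
	option wps_pushbutton '0'
	option hidden '0'
	option macfilter 'disable'
	option wpa_group_rekey '3600'

# Guest SSID for visitors: its own key, and client isolation so guests cannot talk to each other.
config wifi-iface 'guest'
	option device 'radio0'
	option network 'guest'
	option mode 'ap'
	option ssid 'home-guest'
	option encryption 'psk2+ccmp'
	option key 'CHANGE-ME-a-different-20plus-char-key'
	option isolate '1'
	option wps_pushbutton '0'
	option hidden '0'
	option wpa_group_rekey '3600'

# WPA2-Enterprise variant for an office: per-user credentials checked by a RADIUS server instead of a shared key.
config wifi-iface 'office'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'office-eap'
	option encryption 'wpa2+ccmp'
	option auth_server '192.168.1.5'
	option auth_port '1812'
	option auth_secret 'CHANGE-ME-radius-shared-secret'
	option wps_pushbutton '0'
```

After `wifi reload`, `iwinfo` on the router should list each SSID with WPA2 CCMP only; a WPA or TKIP entry means the mixed mode is still enabled somewhere.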

< OpSec and Privacy />

About your privacy as a user, here is what you can do.
Check whether your router can run a VPN client. If this option exists, you can set up a routine to rotate networks, countries, servers or even providers, ensuring all your network’s traffic is forwarded through an encrypted tunnel using OpenVPN and securing every device inside the network.

[Image: example of different servers and profiles. You can set up really nice things to make opsec easy.]

Almost every VPN company has a configured client for Linux routers. If not, you can always use a client on each computer, set a proxy in the network and forward the traffic from that point to the VPN... There are a lot of possibilities.

The same goes for onion routing instead of a VPN, or it could be even better if you mix both, by the way.
Recommended VPN companies I’ve tested and that are loyal to Internet privacy:
Mullvad
ProtonVPN
NordVPN

An easy thing you can also do is set different DNS servers in your router. By default the ISP’s DNS servers are set in the company’s router, which basically means they know what you are looking for every time you are online. Set different DNS servers, or you could even set up your own DNS server (one of the future posts will be about this).

I would recommend using Cisco Umbrella’s (OpenDNS) DNS servers:
208.67.222.222 (OpenDNS Home Free/VIP)
208.67.220.220 (OpenDNS Home Free/VIP)
208.67.222.123 (OpenDNS FamilyShield)
208.67.220.123 (OpenDNS FamilyShield)
2620:0:ccc::2
2620:0:ccd::2

See also the TechRepublic article on the new Quad9 DNS service: https://www.techrepublic.com/article/new-free-quad9-dns-service-has-built-in-security-privacy-settings-to-protect-internet-users/

You also have the new IBM DNS servers (Quad9, IPv4 address 9.9.9.9), and as a last resort you can use Google’s, but as you know, I would recommend using Google’s stuff as little as you can, for obvious reasons.

Hope you like it!


Kimchi and Ransomware. Incident Responder and sort of malware analyst in my free time. Personal blog, opinions are my own.