InformIT

Home Network Router Security Secrets

Date: Apr 7, 2006

Article is provided courtesy of Que.

Ever delve inside your home network routers and use the hidden security settings that can lock down a network nice and tight? Most people never do. Andy Walker reveals 10 secrets on how to easily access your router's security settings.

Most people who install a home network never delve inside the netherworld of security settings on their router. Who can blame them—it’s about as frightening as putting your hand in a shoebox full of rabid gerbils. Nevertheless, it’s worth the effort if you know what you’re doing.

That said, here are 10 router settings you can use to make your network more secure. For the purposes of this article, I used a popular router, the DLink DI-524, to show you how to engage the features, because this router doesn’t bite—usually.

To use these features, you need to get inside your router and access its control panel. To do this, open a web browser on a computer on your network and type in the router’s internal IP address. For DLink routers, it’s http://192.168.0.1. For Linksys routers, it’s http://192.168.1.1, and for several other brands it’s http://192.168.2.1. Check your router’s manual if none of these work for you, or look for the Default Gateway IP address when you use the ipconfig /all command (mentioned in tip #5).

1. Turn off UPnP.

UPnP, or universal plug and play, is a handy feature that lets devices on your network configure themselves automatically, but it’s also a security hazard. A Trojan horse or virus on a computer inside your network could use UPnP to open a hole in your router’s firewall to let outsiders in. So it’s a good idea to turn off UPnP when not in use. To do that, click the Tools tab, then the Misc button, and click Disabled next to the UPNP listing. Be sure to click Apply to update the router with this new setting. See Figure 1.

Figure 1 Turn off UPnP in your router to stop malware on an infected computer from opening holes in the router’s firewall.

2. Change your admin password.

Routers come with a factory default User ID and password to safeguard a router’s configuration panel. On the DLink router, the User ID is admin and the password is left blank. You should change the password so wireless snoopers can’t get into the router and mess around with its settings. Here’s how: Click the Tools tab, then the Admin button, and change the Administrator password by typing it twice. See Figure 2.

Figure 2 It’s important to change the default password on your router to stop network hackers from locking you out of your own router.

3. Deactivate SSID broadcast.

SSID is short for Service Set Identifier and is the name of your wireless network that is broadcast by a router into the radio spectrum. It can be seen by Wi-Fi enabled computers looking for a network to connect to. You can turn this broadcasting feature off so that the router appears invisible to casual wireless snoopers. Click the Home tab, then the Wireless button, and choose the Disable button next to SSID Broadcast. See Figure 3.

Figure 3 Turning off the SSID broadcast feature hides the router from casual wireless surfers.

4. Turn on the DMZ.

Short for Demilitarized Zone, this feature lets you designate an internal device on your network to appear as if it is outside your router’s firewall. It’s handy if you have a webcam or gaming computer that you don’t want the router firewall to block. Keep in mind that a device placed in the DMZ no longer has the router firewall in front of it. To set up a DMZ, simply assign the computer (or webcam) a fixed internal IP address, and then turn on the DMZ in the router and add the computer’s IP address. DMZ settings can be found on a DLink router by clicking the Advanced tab, then the DMZ button. See Figure 4.

Figure 4 Use the DMZ feature to make a device inside your network appear as if it’s outside.

5. Filter MAC addresses.

A MAC (Media Access Control) address is a unique identifier, like a fingerprint is to humans, that is assigned during the manufacturing of a network device, such as a network card or Wi-Fi adapter. A device’s MAC address can usually be found on a sticker, often on the bottom of the device. On a computer, you can find it in the network settings. See Figure 5.

Figure 5 MAC address filtering is a good way to limit which devices are allowed to connect wirelessly to your network.

On a Windows computer, click Start, Run, then type command and click OK. At the DOS prompt, type ipconfig /all and look for the Physical Address entry (see Figure 6). It’s a series of six hexadecimal numbers that look like this:

00-13-CE-32-E3-58

It can be used to keep wireless surfers out of your network. Turn on MAC address filtering in a DLink router as follows: Click the Advanced tab, then the Filters button, then click the button next to MAC Filters. Enter a name for the computer and its MAC address, and click Apply. This has to be done for each wireless device allowed on the network. (If you have a wireless TiVo box, you’ll need to add that, too.) Note that devices connected by a physical network cable to a router are exempt from MAC address filtering.

Figure 6 Use the Windows DOS emulator to get IP and network information.
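
The lookup described above, as an added example that is not part of the original article: a Python parser that pulls the Physical Address and Default Gateway out of saved ipconfig /all output, giving you the MAC address to enter in the router's filter list and the address of its control panel. The sample output is constructed, the adapter descriptions and the 00-11-22-33-44-55 address are placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample of `ipconfig /all` output, not captured from a real PC.
SAMPLE = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : Example Wired Adapter
        Physical Address. . . . . . . . . : 00-11-22-33-44-55

Ethernet adapter Wireless Network Connection:

        Description . . . . . . . . . . . : Example Wireless Adapter
        Physical Address. . . . . . . . . : 00-13-CE-32-E3-58
        IP Address. . . . . . . . . . . . : 192.168.0.101
        Default Gateway . . . . . . . . . : 192.168.0.1
"""

# "Key . . . . : value" lines; the dot leaders are dropped from the key.
FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z .\-]*?)[ .]*:\s*(.*)$")
MAC = re.compile(r"^(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$")

def parse_ipconfig(text):
    """Return one dict per adapter: name, MAC address, default gateway."""
    adapters, current = [], None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = {"name": line.rstrip(" :"), "mac": None, "gateway": None}
            adapters.append(current)
            continue
        m = FIELD.match(line)
        if m is None or current is None:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Physical Address" and MAC.match(value):
            current["mac"] = value.upper()
        elif key == "Default Gateway" and value:
            current["gateway"] = value
    return adapters

def router_url(adapters):
    """Control-panel URL from the first adapter that reports a gateway."""
    for adapter in adapters:
        if adapter["gateway"]:
            return "http://" + adapter["gateway"]
    return None
```

Only the wireless adapter's address needs to go into the filter list, since wired devices are exempt from MAC address filtering.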

6. Customize the SSID.

Change the SSID name on your router from the factory default. On a Linksys router, it is "linksys". On a DLink router, it is "default". Change these to a familiar but unique name that doesn’t give away any personal info like your surname or home address. I always try to call it something humorous like snackcentral, fuzzyslippers (see Figure 7), or tastymackerel. This shows any would-be hacker that you have changed the default settings on your router and know how to work the router. If it’s named the default SSID, it’s an invitation to an outsider to come in and poke around.

Figure 7 You can rename your SSID anything you like; just don’t use personal info such as your name or address.

7. Update your firmware.

Firmware is the software that operates inside your router. Just like software on your computer, it occasionally needs to be updated because software bugs need to be patched. Your router manufacturer will periodically issue firmware updates on its website, so it’s worth checking every quarter to see if anything new has been issued. On the DI-524, click the Tools tab, then the Firmware button, for a link to DLink’s support site where you can download the new firmware file (see Figure 8). Then browse from the Firmware Settings page on the router to the firmware file on your hard drive, and click Apply to install it on your router. It’s a good idea to do this over a wired connection. A failed installation will stop the router from booting, and you’ll have to reset the factory default.

Figure 8 Updating firmware inside the router fixes bugs and improves security.

8. Reset the factory default.

If you mess up your settings and can’t get them working right, then restore the router back to the way it was the day you bought it. Click the Tools tab and then the System button. Then click the Restore button on that page. If you have locked yourself out of your router, you can do a hardware reset. There’s a pinhole at the back (or sometimes the bottom) of most routers with the word RESET next to it. Find a paperclip, straighten an end, push it into the hole, and hold it for 10 to 20 seconds. When you release it, the router will restart and be reset to the factory default. Don’t forget to go back in and reconfigure it the way you want and also download any firmware updates. See Figure 9.

Figure 9 If you get yourself into trouble, you can always reset the router to its factory settings.

9. Engage WEP.

WEP is short for Wired Equivalent Privacy. It can be used to scramble the data that moves over your wireless network. To enable WEP, click the Home button, then the Wireless button. From the Security pull-down, choose WEP (see Figure 10). Then enter a key made up of hexadecimal characters: the digits 0 to 9 and the letters A to F. For a 64-bit key, enter 10 characters (see Figure 11). For a 128-bit key, enter 26 characters. When you attempt to connect a computer wirelessly to your router, you’ll be required to enter this key again when prompted by your computer.

Figure 10 WEP is turned off by default, so to use it you’ll have to activate it.

Figure 11 When you activate WEP, you’ll need to invent a customized security key, which is a series of hexadecimal characters.

10. Activate WPA.

Short for Wi-Fi Protected Access, WPA is the preferred method of encrypting your network. It can be used instead of WEP because it’s a newer, more secure protocol. To enable WPA, click the Home button, then the Wireless button. From the Security pull-down, choose WPA-PSK (PSK is short for pre-shared key; this mode is also known as personal mode). Then enter a passphrase like "My cat is attached to my trousers." See Figure 12. You can enter 8 to 64 characters, including white spaces. Click Apply. When a computer or other Wi-Fi device tries to connect to the router after it reboots, it will be prompted for the passphrase.

Figure 12 WPA is easier to use and provides more security against network snoopers.
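
How tips 6 and 10 work together, as an added example that is not code from the article or from DLink: WPA-PSK, as specified in IEEE 802.11i, stretches the passphrase into a 256-bit key with PBKDF2-HMAC-SHA1 and uses the SSID as the salt, so the same passphrase produces a different key once the SSID is changed from the factory name. The function names are hypothetical; the standard takes 8 to 63 printable ASCII characters as a passphrase and treats an entry of exactly 64 hexadecimal digits as the key itself.

```python
import hashlib
import string

# Factory SSIDs quoted in tip 6 of the article.
FACTORY_SSIDS = {"linksys", "default"}

def wpa_psk(passphrase, ssid):
    """Return the 32-byte WPA-PSK key for a passphrase and SSID."""
    if len(passphrase) == 64 and all(c in string.hexdigits for c in passphrase):
        return bytes.fromhex(passphrase)  # 64 hex digits are the raw key itself
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    # IEEE 802.11i: PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256 bits.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)

def review_settings(ssid, passphrase):
    """Return (key_hex, findings) for a planned SSID and passphrase."""
    findings = []
    if ssid in FACTORY_SSIDS:
        findings.append("factory SSID: the key salt is shared with every "
                        "router left at this default")
    if len(passphrase) == 64:
        findings.append("64 hex digits: used as the key, SSID plays no part")
    return wpa_psk(passphrase, ssid).hex(), findings
```

Calling review_settings("default", ...) and review_settings("fuzzyslippers", ...) with the same passphrase returns two different keys, and only the first call reports a finding.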

Conclusion

There are a lot more features inside your router that can customize your home network’s functionality, but the ones mentioned here are the most common features you’ll likely need to use. Hopefully, these tips have taken the fear away from tweaking your router, and you’ve discovered those gerbils aren’t so rabid after all.
