Securing Your Network

by Sanjeeva Wijeyesakere

Disclaimer: Please read through this entire article before attempting to install or configure software. Also note that any software installations you undertake are at your own risk and you should ensure that you have thoroughly read and understood the manufacturer/developer’s instructions and caveats for each software package you install. You should also make sure you have backed up ALL your files and data (just in case anything goes wrong).

Network Security Tips

Given recent announcements of vulnerabilities in the Wi-Fi Protected Setup (WPS) implementations used by many router models, it is prudent to implement the appropriate measures to secure your home or small-office network. Here are some tips on how to protect your network from unauthorized access and intrusion:

  1. Modern routers are feature-rich, so you should only enable the features that you require. For example, if all your systems are networked using Ethernet cabling and you do not require Wi-Fi access, it is best to turn Wi-Fi off.
  2. If you must use wireless networking, enable encryption. At the very least, you should use WPA2-PSK (sometimes called WPA2 personal) encryption. WEP and WPA are much less secure and should not be used. If you have a home / small-office server (see my article on setting up a home server), you may want to consider using it as a RADIUS server and using WPA2-enterprise as your authentication protocol.
    If you use WPA2-PSK encryption, make sure to select a secure passphrase that is long (>20 characters) and consists of a mix of lower and upper case letters as well as numbers and special characters.
  3. Enable network address translation (NAT). This will turn on the router's firewall and create a private network that is isolated from the outside world.
  4. Change your router's admin password. Ideally, this should be long (>25 characters) and consist of a mix of lower and upper case letters as well as numbers and special characters.
  5. Disable WAN administration. This feature is not necessary for the vast majority of users.
  6. If feasible, disable access to the router's administration utility for systems that are connected via Wi-Fi.
  7. Change the SSID of your router to something unique that does not contain information about the manufacturer or model of the hardware.
  8. Do not put any computer in the DMZ. Doing so will deny the system the protection afforded by your router's firewall and expose it to attack.
  9. Disable Universal Plug and Play (UPnP). This is a (very) poorly thought out protocol that allows services to open ports on your router without your knowledge. Most users (I’d hazard a guess and say >95%) don't need this service and it should be disabled. If you need to open a port on the router, you should set up port forwarding on an as-needed basis.
  10. Disable Wi-Fi Protected Setup (WPS). Recent security flaws in the implementation of this protocol allow your router's security features (like WPA) to be circumvented.
  11. Make sure your router is running the latest firmware. Manufacturers frequently issue firmware updates to address security flaws and other software-related issues with their routers.
  12. Enable the setting that tells your router to ignore ping requests. Certain vendors call this setting ‘stealth mode’.
  13. Enable the 'guest network' feature in your router when allowing friends or visitors to access the internet. This protects your network from exposure and allows you to easily change the WPA2 passphrase associated with your guest network once your visitors leave.
  14. Change your WPA2 passphrase on a regular basis (at least 2-3 times a year).
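
The length and character-mix rules from tips 2 and 4, and the regular rotation in tip 14, are easier to follow with a generator than by inventing passphrases by hand. The following is an added example, not part of the original article: the function names, the default lengths (24 and 28) and the choice to leave quotes, backslash and backtick out of generated output are assumptions; the 63-character ceiling is the WPA2-PSK passphrase limit.

```python
import secrets
import string

# Article's rules: Wi-Fi passphrase > 20 characters, admin password > 25,
# each mixing lower case, upper case, numbers and special characters.
WIFI_MIN, ADMIN_MIN = 20, 25
WPA2_MAX = 63  # a WPA2-PSK passphrase is 8 to 63 printable ASCII characters

# Assumption: quotes, backslash and backtick are left out of generated
# output to avoid trouble when typing the value into router web forms.
SPECIAL = "".join(c for c in string.punctuation if c not in "'\"\\`")
ALPHABET = string.ascii_letters + string.digits + SPECIAL

CLASSES = {
    "lower-case letter": string.ascii_lowercase,
    "upper-case letter": string.ascii_uppercase,
    "number": string.digits,
    "special character": string.punctuation,
}

def weaknesses(secret, min_len):
    """Return the article's rules that `secret` fails (empty list = passes)."""
    problems = []
    if len(secret) <= min_len:
        problems.append(f"needs more than {min_len} characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in secret):
            problems.append(f"no {name}")
    return problems

def generate(length, min_len, max_len=None):
    """Draw from the OS CSPRNG; redraw until all four classes are present."""
    if length <= min_len or (max_len is not None and length > max_len):
        raise ValueError("length outside the allowed range")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not weaknesses(candidate, min_len):
            return candidate

def wifi_passphrase(length=24):
    return generate(length, WIFI_MIN, WPA2_MAX)

def admin_password(length=28):
    return generate(length, ADMIN_MIN)

if __name__ == "__main__":
    print("Wi-Fi passphrase:", wifi_passphrase())
    print("Admin password:  ", admin_password())
```

`weaknesses()` can also be run against a passphrase you already use to see which of the article's rules it misses.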

 

Other commonly employed techniques, such as disabling your router’s SSID broadcast or using MAC address filtering, are of questionable value as far as security is concerned and only serve to hinder legitimate use of a network rather than prevent malicious attacks and intrusions.

 

Tools to check the security of your router and network

  1. ShieldsUP! - Port scanning tool provided by GRC
  2. Cyber Security tips from US-CERT (US Computer Emergency Response Team)