Friday, February 20, 2009

10 Steps to Securing a Wireless Router

I thought about putting together this post following a thread I read on the Ethical Hacker forums. This post is really just my checklist for the steps I take to secure my wireless router and a little explanation as to why I'm setting each option.

1. Upgrade Firmware

It's always a good idea to keep firmware as up to date as possible as the vendor may have fixed known vulnerabilities or bugs since the hardware shipped. As a bonus you might even get a bit more functionality thrown in as well with the firmware upgrade. Its also a god idea to check the vendors site every couple of months for updates.

2. Change the default Password


3. Turn off Wireless Administration

This will prevent anyone who is not physically plugged into the network from administering the wireless router.

4. Enable Encryption

Enable the best encryption possible. WPA2 is preferred but if the connecting devices only support WEP then WEP it is. Just be aware that WEP is crap and it can b e cracked in seconds. Ensure that whatever encryption you use it has a long random key. There are plenty of random key generators available so use them.

5. Change & Hide the Default SSID

Don't leave your default SSID as Linksys or Belkin. Change it to something unique but not something that identifies it as your network, such as “Bob Scratchets House”. Even after hiding the SSID it is possible for an attacker to view it but it is another layer in your defense strategy.

6. Apply MAC Address Filtering

Each device that has a wireless card in will have a MAC address. Apply MAC address filtering so only devices with the specified MAC addresses can connect using wireless to you router. This can be bypassed but it's another hurdle to make a potential attacker jump through.

7. Disable UPnP

Universal Plug and Play is a method by which software can open up ports on the router to allow external hosts to communicate through the router with a host on the LAN. This can also be used by malware to open up the router to allow a route in. by disabling UPnP you will need to enable port forwarding when required.

8. Configure the DHCP Settings

If your router allows you to change your DHCP scope you may want to set it to hand out addresses from a range other than the default, such as the 172.16.x.x range. Also by limiting the amount of addresses to the number of hosts you have it might provide an early warning system if someone does manage to bypass your security and hop onto your wireless LAN.

9. Configure DNS Settings

Point your DNS to a provider such as OpenDNS and utilise there free services. OpenDNS can be used to block specific types of sites such as File Sharing or Pornography and also to log where computers from your LAN are going to. It will also block your computer from visiting known bad sites. Another important note, when the DNS flaw was released to the public by Dan Kaminsky at Blackhat 08, Open DNS was one of the first DNS providers to provide protection. At the time of this post many ISPs are still vulnerable.

10. Enable Logging

If your router allows you to enable logging it is worthwhile doing so. By familiarising yourself with the logs regularly you will get to recognise what is normal and what is not. But remember, logs are only useful if you check them!

The functions I have raised in these 10 steps are those that should be available on most consumer grade routers. If you have a router that does have more functionality such as allowing you to use HTTPS to access the administrative interface then that's great, use it.

Get familiar with what your router can do and know where to look to check settings such as port forwarding. And once you have set up the router and gotten it working well, save the config and store it somewhere safe and secure such as in a Truecrypt volume or in an encrypted disk image.

No comments: