
Securing your router is important to keep your network and your machines safe. I'll show you a few of the settings using my router as an example.

Unsecured routers and access points represent a larger security hole than most people realize. Besides WiFi snooping, malware on your computer can access unsecured routers, completely circumvent the router's firewall, and put into place hidden redirections that can even compromise SSL connections.

In this video excerpt from an Ask Leo! webinar, I'll walk through some of the more important steps to secure your router and access point by showing you the settings on my own.


Transcript

One of the things that has become fairly obvious with various pieces of research is that people are not securing their routers or their WiFi to the degree that they should be. Routers are often left with default passwords; WiFi is often left open and snoopable. What I want to do with this is step you through some of the settings on, in my case, using my router and my access point, so that you can at least see what the concepts are that I'm talking about. There are several little 'gotchas' when you are securing your router.

Now in my case, I have two devices: my router is a router only; my access point is an access point only. In many cases, in fact, I would venture to say in most cases, consumer-level equipment has them both bundled into one; that's ok, that's fine. Much of what I'm talking about here applies directly to the same kind of devices even though I have them separated out into two.

The other thing that is important to realize here is that while I'll be showing you these steps on my specific router and access point, yours may be different. You won't have the exact same model of router and access point that I do. So the trick here, the goal here is not necessarily to show you how to do it on your machine, but to show you the kinds of things to look for when you go to configure your router and your access point if it happens to be separate.

So as in most cases, router is at some IP address, in my case 192.168.1.1 on my local network. It should have a password. My password is not the default password and it will show that shortly. For I think something like half of the Linksys devices that were randomly polled out on the internet, the default password had not been changed which means that anybody could have gotten access to the router configuration.

So one of the very first things we do is we change the password, which on mine, I believe, is here under Administration. So what will happen is, you'll enter a new password. Again, the location on your router may be different; that's fine, just remember to change the password. You'll enter a new password, you'll enter it to confirm and you'll hit Save. What happens when you hit Save is the router, the router will actually install the new password into its nonvolatile memory and then reboot itself. In which case, you will then have to immediately 're-log' into the router with your new password. That prevents you from, that prevents, like I said, people who don't know you, who have access to your network from being able to just sort of log in to your router.

The other scenario that the router password is critical to protecting you from turns out to be malware. There are certain forms of malware, typically executing as JavaScript on malicious websites, that once they get onto one of your PCs, they actually go out and try; they will just go out and try to connect to 168.1.1 and if it responds and if it looks like a Linksys that's responding, they'll try the Linksys default password and, as I said, in half the cases, it will just work, which means your malware now has access to your router configuration and they can wreak all sorts of havoc. All of that, all of that you are protected from by simply changing your router password. If you do nothing else, from what you take away here, immediately go change your router password.

Remote administration should be disabled. Remote administration is simply the ability to access your router's configuration from the internet side rather than the local network side so you can imagine the kind of risk that that has. So if you enable that and you still have the default password now anybody on the internet can come in and start playing with your router. There's rarely a reason to have this enabled. Essentially if you have a technician or someone you trust, who is your technical support person, who needs to play with your router, they may ask you to enable it for a time. Enable it for a time, for them and then make sure to disable it again.

Something that is commonly enabled by default but that I recommend that you disable is universal plug and play, UPnP. UPnP is another way for software running on the PCs on your local area network to configure access through your router. The router acts as a firewall; I've talked a lot about that on 'Ask Leo.' One of the interesting things about UPnP is that it can, it's designed to, explicitly allow software on your computer to configure holes in your firewall. Now on the surface that sounds really good because what it does is it allows instant messaging chat, instant messaging programs, programs like Skype, other programs that may be doing different kinds of internet access to automatically configure their access through your router; through your firewall. The problem, once again, is what if you end up with malware? Malware can then do exactly the same thing. They can then start opening back doors to your firewall to allow them to do whatever it is they might want to do.

Router logging is something that is typically worth turning off. If it's turned on? Suffice it to say that if logging is enabled in your router, once again, that's something that should be turned on only when you are attempting to resolve an issue, or see if there's some problem or such. Typically what happens is the log sends information to another PC on your network. It doesn't actually, necessarily save the log on your router but actually establishes communications to a designated machine on your network where the log information is collected. There's no need; 9 times out of 10, there's no need; if nothing else, things will run just a hair faster.

Okay, there's the Log screen I was talking about. Log is disabled on this particular machine and if you were to enable it, Linksys in particular has a little application that you would run on the designated Logviewer computer and you can see you can simply designate that computer with an IP. There is no reason. If this somehow gets turned on, it just seems, to me it seems 'icky' that there's another machine monitoring what's going on on your router.

For your access point, this is often simply a couple of separate tabs on your router's configuration. In my case, specifically I'm actually looking at a completely different device you can see it as a completely different IP address on my network. I have asterisked out my normal passphrase. The idea here is that 'A' you should be using WPA or WPA2 (typically personal) encryption or security for all of your wireless connections. You should not use WEP, you should not leave it disabled. WEP is, unfortunately, no longer secure and is essentially as easy to crack as if there were no encryption at all.

WPA2 is the current appropriate one and then you would type in an appropriate passphrase or password. That would then be the password that anyone attempting to connect to your wireless network would need to know in order to establish that connection.

If you have this disabled; if you do not have encryption on your wireless access point, and again, I think it's something like half of the wireless access points out there in homes and businesses are unprotected. What that means is any of the traffic between your computer and the internet that flows over a wireless connection can be sniffed by anyone with another computer in range. It's that simple. And it's so easy to do. Simply put a password on it and then configure your laptops and other remote devices to use that password.

The only scenario that I'm aware of that you might want to use WEP is for some older devices; I'm not even sure which ones they are; some older gaming consoles that have wireless don't support WPA. In that case, WEP is better than nothing but in all honesty, I would strongly recommend getting a second wireless access point; having a second wireless network; having only one that has WEP and depending on how paranoid you are, putting that behind a second router. Like I said, WEP is just as good as Disabled if someone is interested in actually cracking your security. If you have a separate device; if you have a separate wireless access point as I do then this is another case where you need to change the password. Make sure that the password to administer the device is not the default. Defaults are well-known and anyone who knows them can easily step into your network and start playing with your access point or your router.

The last step for this and it is something that is so easily overlooked when it comes to computers but particularly when it comes to routers and access points is don't forget the 'physical'. By that I mean anything we are doing here can be trivially circumvented if someone has physical access to your router. They can walk up to it; most routers have a Reset to Factory Default setting. In the case of Linksys, there's a little push button in the back that if you turn it on while holding that push button for 10 seconds, all of your settings have been set back to the default which includes the default password, the default encryption which is 'none'; the default security settings which may not be the security that you want. So just be aware that the device, the physical device, if it's accessible to people who may have less than honorable intent they could cause problems.

Article C4859 - June 29, 2011

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


6 Comments
Dennis Niemczyk
July 5, 2011 10:50 AM

You failed to mention the additional measure of turning off the broadcasting of the router's SSID.

There's certainly no harm in doing so, and it can prevent accidental discovery of your network, but it also gives you a false sense of security; as I understand it the SSID is still in the packets and could be sniffed by someone trying to actively gain access.
Leo
06-Jul-2011

Nils Torben
July 5, 2011 11:05 AM

Thanks for a clear and easily understandable survey of router features. I have a question about the UPnP. I find it very difficult to open ports and all that, it's a jungle to me of mysterious abbreviations and concepts. Now, if you turn UPnP on and let it do its job with the programs that need it, and then turn it off, will the settings that it has made, remain or be removed? If they remain it is all you need.
If they do not, I would appreciate another course about ports and how to use them. Video is a handy way of teaching.
A linguistic observation: I was surprised by your pronunciation of the word "router". In Denmark we say "rooter", I suppose it is inspired by the French word "route" or "en route". I guess you are right, I wonder who invented the word.
Thank you.

Richard Bravo
July 5, 2011 1:07 PM

This webinar also failed to mention how to secure a wireless router using MAC Addresses of each computer.

I'm actually not a huge fan of that technique. While there are definitely scenarios where it can be helpful, it can also be fairly easily defeated by a determined hacker.
Leo
06-Jul-2011

jhosil
July 5, 2011 2:20 PM

Very interesting...except that there is no information as to where I can locate the router software. In short, where do I start?

With the manual for your router. This differs from manufacturer to manufacturer. Mine was an example - the software exists on the router, and you access it using your web browser as demonstrated in the video. Your specifics will vary based on what router you have, so the place to start is with that router's documentation.
Leo
06-Jul-2011

Ron
July 5, 2011 10:21 PM

Dennis N, if you do some more research you'll find that disabling SSID is a trivial security measure. More a case of "Security Theater" than effective security.

jhosil: although there is router software you can load on your machine, 99% of the time the router is a separate piece of hardware (roughly the size of a paperback book) that sits between your computer and your internet connection. The software is loaded there. Many routers allow you to login from a browser using the local IP http://192.168.1.1. Check the user manual for the process specific to your router.

jes
March 21, 2012 11:55 AM

A quick note on a device which requires me to use WEP to connect: my ereader, specifically the first generation Nook by Barnes & Noble. I use the wifi connection to download books.

Also, my daughter had difficulty connecting her iPhone 3GS until I switched to "WEP, Open," terms I do not fully understand but am beginning to think are "bad."
