Securing your router is important to keep your network and your machines safe. I'll show you a few of the settings using my router as an example.
Unsecured routers and access points represent a larger security hole than most people realize. Besides WiFi snooping, malware on your computer can access unsecured routers, completely circumvent the router's firewall, and put into place hidden redirections that can even compromise SSL connections.
In this video excerpt from an Ask Leo! webinar, I'll walk through some of the more important steps to secure your router and access point by showing you the settings on my own.
One of the things that has become fairly obvious with various pieces of research is that people are not securing their routers or their WiFi to the degree that they should be. Routers are often left with default passwords; WiFi is often left open and snoopable. What I want to do with this is step you through some of the settings, in my case using my router and my access point, so that you can at least see what the concepts are that I'm talking about. There are several little 'gotchas' when you are securing your router.
Now in my case, I have two devices: my router is a router only; my access point is an access point only. In many cases, in fact, I would venture to say in most cases, consumer-level equipment has them both bundled into one; that's ok, that's fine. Much of what I'm talking about here applies directly to the same kind of devices even though I have them separated out into two.
The other thing that is important to realize here is that while I'll be showing you these steps on my specific router and access point, yours may be different. You won't have the exact same model of router and access point that I do. So the goal here is not necessarily to show you how to do it on your machine, but to show you the kinds of things to look for when you go to configure your router, and your access point if it happens to be separate.
So as in most cases, the router is at some IP address, in my case 192.168.1.1 on my local network. It should have a password. My password is not the default password, and I'll show that shortly. For I think something like half of the Linksys devices that were randomly polled out on the internet, the default password had not been changed, which means that anybody could have gotten access to the router configuration.
So one of the very first things we do is we change the password, which on mine, I believe, is here under Administration. So what will happen is, you'll enter a new password. Again, the location on your router may be different; that's fine, just remember to change the password. You'll enter a new password, you'll enter it again to confirm, and you'll hit Save. What happens when you hit Save is the router will actually install the new password into its nonvolatile memory and then reboot itself. In which case, you will then have to immediately 're-log' into the router with your new password. That prevents, like I said, people who don't know you, who have access to your network, from being able to just sort of log in to your router.
Remote administration should be disabled. Remote administration is simply the ability to access your router's configuration from the internet side rather than the local network side, so you can imagine the kind of risk that that has. If you enable that and you still have the default password, now anybody on the internet can come in and start playing with your router. There's rarely a reason to have this enabled. Essentially, if you have a technician or someone you trust, who is your technical support person, who needs to play with your router, they may ask you to enable it for a time. Enable it for a time for them, and then make sure to disable it again.
Something that is commonly enabled by default but that I recommend that you disable is Universal Plug and Play, UPnP. UPnP is another way for software running on the PCs on your local area network to configure access through your router. The router acts as a firewall; I've talked a lot about that on 'Ask Leo.' One of the interesting things about UPnP is that it's designed to explicitly allow software on your computer to configure holes in your firewall. Now on the surface that sounds really good, because what it does is allow instant messaging programs, programs like Skype, and other programs that may be doing different kinds of internet access to automatically configure their access through your router, through your firewall. The problem, once again, is what if you end up with malware? Malware can then do exactly the same thing. It can then start opening back doors in your firewall to allow it to do whatever it is it might want to do.
Router logging is something that is typically worth turning off if it's turned on. Suffice it to say that if logging is enabled in your router, once again, that's something that should be turned on only when you are attempting to resolve an issue, or see if there's some problem or such. Typically what happens is the log sends information to another PC on your network. It doesn't necessarily save the log on your router, but actually establishes communications to a designated machine on your network where the log information is collected. 9 times out of 10, there's no need; if nothing else, things will run just a hair faster.
Okay, there's the Log screen I was talking about. Log is disabled on this particular machine, and if you were to enable it, Linksys in particular has a little application that you would run on the designated Logviewer computer, and you can see you can simply designate that computer with an IP. There is no reason. If this somehow gets turned on, to me it just seems 'icky' that there's another machine monitoring what's going on on your router.
For your access point, this is often simply a couple of separate tabs on your router's configuration. In my case, specifically, I'm actually looking at a completely different device; you can see it at a completely different IP address on my network. I have asterisked out my normal passphrase. The idea here is that 'A' you should be using WPA or WPA2 (typically personal) encryption or security for all of your wireless connections. You should not use WEP, and you should not leave it disabled. WEP is, unfortunately, no longer secure and is essentially as easy to crack as if there were no encryption at all.
WPA2 is the current appropriate one and then you would type in an appropriate passphrase or password. That would then be the password that anyone attempting to connect to your wireless network would need to know in order to establish that connection.
If you have this disabled, if you do not have encryption on your wireless access point (and again, I think it's something like half of the wireless access points out there in homes and businesses are unprotected), what that means is any of the traffic between your computer and the internet that flows over a wireless connection can be sniffed by anyone with another computer in range. It's that simple. And it's so easy to do. Simply put a password on it and then configure your laptops and other remote devices to use that password.
The only scenario that I'm aware of where you might want to use WEP is for some older devices; I'm not even sure which ones they are; some older gaming consoles that have wireless don't support WPA. In that case, WEP is better than nothing, but in all honesty, I would strongly recommend getting a second wireless access point; having a second wireless network; having only one that has WEP and, depending on how paranoid you are, putting that behind a second router. Like I said, WEP is just as good as Disabled if someone is interested in actually cracking your security.
If you have a separate device, if you have a separate wireless access point as I do, then this is another case where you need to change the password. Make sure that the password to administer the device is not the default. Defaults are well-known, and anyone who knows them can easily step into your network and start playing with your access point or your router.
The last step for this, and it is something that is so easily overlooked when it comes to computers but particularly when it comes to routers and access points, is don't forget the 'physical'. By that I mean anything we are doing here can be trivially circumvented if someone has physical access to your router. They can walk up to it; most routers have a Reset to Factory Default setting. In the case of Linksys, there's a little push button in the back; if you turn it on while holding that push button for 10 seconds, all of your settings are set back to the default, which includes the default password, the default encryption, which is 'none', and the default security settings, which may not be the security that you want. So just be aware that if the physical device is accessible to people who may have less than honorable intent, they could cause problems.