In a recent article, we covered the basics of Wi-Fi network protection. We discussed the types of attacks bad actors generally conduct against home routers, and we examined the steps users can take to defend against them.
Let's now discuss some more advanced tips that users can follow to up the ante of their Wi-Fi and router security.
Specify which IP addresses can manage the router and how
When we're talking about routers and wireless internet access, we need to touch on something called wireless local area networks (WLANs). They're exactly what they sound like: wireless computer networks that link two or more computing devices together using some wireless signal distribution method in a limited area such as a building or office.
Home users generally manage a router and gain access to its web-based management interface only from within the WLAN. There's normally no need for them to manage the router remotely. But sometimes that's not the case.
If remote access is needed, users should employ a virtual private network (VPN) to first securely connect to the local network and then access the router's interface. That way, attackers can't directly access the router from the web.
Once that's out of the way, users can further lock down their routers by specifying a single Internet Protocol (IP) address from which they can manage the router. They can do this by manually configuring a computer to automatically use a specific IP address not already assigned to other devices on the WLAN via the router's Dynamic Host Configuration Protocol (DHCP) whenever it needs to connect to the router.
While they're at it, users should also see if they can change their router's LAN IP address to something other than the first address in the DHCP pool. They should ideally restrict the router's entire netblock such as by assigning it to those addresses reserved for private networks. Doing so will help protect the router against cross-site request forgery (CSRF) attacks.
Disable Wi-Fi Protected Setup (WPS):
Most new users connect to a router by turning on Wi-Fi on their devices, selecting the right router network, and entering in the Wi-Fi password (otherwise known as pre-shared key, or PSK).
Apparently, router manufacturers thought this process took too long, so they outfitted their products with something called Wi-Fi Protected Setup (WPS). The feature allows new users to join the network by entering in an 8-digit PIN that, when submitted correctly, transmits the more complex PSK to their device with instructions to store it from now on.
WPS might sound like a good idea, but there's a ton wrong with it.
The biggest flaw emerged back in 2011 when the security community discovered that an attacker within radio range could brute force the WPS PIN, gain access to the Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA) password, and mount additional attacks once they connect to the network.
There's no universal patch for that flaw, as it depends on manufacturers rolling out firmware updates. Without knowing if their devices are vulnerable or, if they are, when they could be patched, users should disable WPS on their routers and set them up the regular way.
Consider network segmentation and MAC address filtering:
Some consumer routers give users the ability to set up what are known as virtual local area networks (VLANs) within larger networks. VLANs are perfect means of segmenting those pesky (and oftentimes incredibly vulnerable) Internet of Things (IoT) devices from the rest of the network. If an attacker compromises a device and gains access to a VLAN, they won't be able to move to the larger network in most cases.
To take it one step further, users can leverage each computing device's media access control (MAC) address, or its unique hard-coded identifier, to whitelist that device and approve its access to the Wi-Fi network. Taking this step will prevent rogue devices that might have access to a network's name and password from connecting to the router.
Combine port forwarding and IP filtering:
Many consumer routers come with a firewall that blocks all devices on the internet from connecting with a device on the local network. To get around that setting, both routers and computing devices alike oftentimes come with a feature called Universal Plug and Play (UPnP). Activating UPnP enables devices on the network and Internet to "discover" one another dynamically and set up a connection.
Not all computers come with that capability, however. In some cases, users might not want wayfarers on the internet to discover a certain device on their network. To accommodate that type of scenario, users can set up what is called port forwarding. It's a set of inbound firewall rules that tells the router to read each incoming data packet's source IP address, destination TCP port number, and other characteristics. Depending on those traits, the router will either send the data packets a device on the network or will block it outright.
When users combine port forwarding with IP filtering, or specifying which IP addresses can use a specific port to reach services on the network, they strengthen their router's security that much more.
Factory firmware is weak. Custom is the way to go!
Let's face it: most of the time, the firmware that comes pre-installed on a router is weak in terms of its security. Users would be better off installing custom firmware they can find online... that is, just as long as they know what they're doing!
There you have it! The more advanced version of our Wi-Fi security series. Now I know some of the tips above might not work with some users' needs and routers. But the fact of the matter is the recommendations above are meant to cover the widest pool of users.
With that said, I hope you found something in the guide that will help you strengthen your router's security.
Hat tip to PCWorld.