Lock The Door: Securing Your Home or Small Business Router

02/10/2018

For most of us, the door to the internet for homes or small businesses is our Wi-Fi router or access point; the path to that door is the network, which is often wireless. We need to secure both the door and our path to that door to help secure our networks. Before going forward, though, I want to emphasize that these steps will go a long way toward securing your router and network, but that they are only steps - necessary steps, but not a panacea.

There are four basic things we need to do to secure the router and Wi-Fi:

Make sure the firmware is current
Turn off WPS and Remote Management
Change the router's password to something secure, and
Change the network password to something secure

Your router or access point also has some other configuration options. These vary significantly by manufacturer and model. Many of these settings are for advanced users, though, so I'll save those for another post.

Update the Router Firmware

Routers run software often called firmware. Router manufacturers update the software to fix bugs, add features, and - importantly for us - fix security issues. Some routers are smart enough to automatically go to the manufacturer's website and update, if necessary. Some ISPs push or send the updates to their customers, but many times users are expected to do the updates themselves.

Here is the update screen on my router. Unless you have the exact same router I do, yours will look different, but somewhat similar. If the router had detected the need for an update, it would have already let me know with a message up by the "Firmware Version" line. I checked by clicking the button and the router displayed the message "No new firmware version available."

If I were to update, I could download the file from the manufacturer (and entering the filename in the box) or clicking on a button that I'd see if an update were necessary. Indeed, it's far easier to do than to type here!

Turn Off WPS and Remote Management

WPS stands for Wi-Fi Protected Setup. You may need it when adding some new devices to the network, but otherwise, it is a path (vector) through which attackers can compromise your router. The attack tools are common and reasonably easy to use. To protect your router and network, turn WPS off. Some older routers with early versions of WPS don't allow for it to be turned completely off, unfortunately. My router requires physically pressing a button on the router itself in order to use WPS which effectively means it is off unless you press the button, and then it is enabled for a short time.

If your router has a feature called "Remote Management" or something similar, you should turn it off unless your ISP requires you to leave it on. This feature allows someone to configure your router over the Internet. If your ISP requires it, they have likely configured your router to only be configured by their management computer or computers.

Change the Router's Passwords to Something Secure

Your router has two important passwords: one for configuring the router, and one for accessing the network. Each is set to a factory default. They may be the same or different. Sometimes one or the other may be, say, the router's serial number. No matter what the default is, it must be changed. If an attacker can figure out either password, your network and the information on the connected devices can be at risk.

The configuration password is sometimes referred to as the "router password". Here is the menu location for my router.

Clicking on the "Set Password" link brings up a page where you can set your password. In my case, it also provides "security questions" I can use in case I forget my password. Since you will not be using this password often, it should be complex. You can store it in your password keeping software. I recommend using the password generator in your password keeper. If it does not do so by default, be sure to include some "special characters" such as punctuation.

The second password to change is the wireless or network password or key. That's the one people use when accessing the network using Wi-Fi. Here is where it is on my router:

This password tends to be used a bit more often, so it needs to be memorable, in addition to being saved in your keeper. It should be fifteen or more characters and include special characters. While there are tools to capture wireless passwords, this is a case where longer and somewhat complex passwords may help mitigate those attacks.

Written by John McDermott

John McDermott, CPTD, started his work in computer security in 1981 when he caught an intruder in a system he was managing. In recent years his consulting has included security consulting for small businesses. He is Security+ and CCP certified. In his 30 years with Learning Tree John has written and taught courses in programming, networking and computer security. He is the co-author of Learning Tree’s course System and Network Security: A Comprehensive Introduction. John is currently a learning and development consultant in northern New Mexico. He lives in a house made of earth with his wife, who is an artist.