Securing Router Access Inside the Network and Out

Your router is the center of your network. All your traffic passes through it, and it controls every aspect of your internet connection. Once traffic leaves your network, it passes through your ISP and out into the wider internet through paths that may vary daily according to the traffic and its destination, but the router remains the sole point through which this traffic always passes going in or out. Even devices on the network must communicate through the router.

So, given its position as the central station of your home internet traffic, it's understandably important to secure your router so that only you and your chosen IT professionals have access to it and ability to change its configuration. Completely securing a routing is not always simple, and even a security-hardened router can still have vulnerabilities, but you can at least take some basic steps that will make sure your router isn't low-hanging fruit online.

Change is Your Best Friend

When you first get your router, it comes with predefined settings that are often the same for all the devices that manufacturer produces. Or, if you flash your router with an open source or third party firmware, it will often have its own defaults. These are readily available for any potential attacker to know and use to compromise your network. These settings include your router's wireless SSIDs (the wireless networks you see broadcast), passwords for those wireless connections, the router's administrative username and password (often as simple as admin/admin), and open services to which external users can often connect to gain access to your router.

So when you first set up the device, we recommend changing *all* of these settings. Change your SSIDs to something unique, change your wireless passwords (and perhaps change them regularly for future security), and definitely change the administrative username and password--that is the most important. If you follow no other step in this blog, change your admin username and password, preferable to something secure. (Passwords are more important in terms of security, and of course periodically changing the admin password for your router is best, but picking a unique and unusual username is also helpful in preventing unwanted access to your router.)

Security-conscious users often take the additional step of preventing their routers from broadcasting SSIDs. This prevents the wireless network from showing up immediately when any computer checks for existing wifi connections in the area. That may seem like a good idea, but it mostly results in more headache than it's worth because it adds an extra step when connecting new devices that invites typos to make life harder than necessary. Additionally, an attacker with rudimentary knowledge can figure out the unbroadcast SSID from existing traffic. The net result of such steps is that you make it harder for users you want to connect and don't really add much difficulty for attackers looking to breach your network security. Instead, a well-chosen password coupled with setting more secure wifi parameters (do not use WEP, for example) is much more effective.

Another WiFi security measure users commonly deploy are MAC-based filters. These are much like not broadcasting the SSID in that they might frustrate the average user, but they don't do much to keep out experienced attackers, and are a poor measure compared to regularly changing your wireless password and using a well-chosen password.

Good Locks Make Good Doors

Just preventing unsolicited access to your router is only step one. When you visit your router's interface, you may inadvertently leak your access credentials because you're not using HTTPS. Plain HTTP is unencrypted and basically anyone with the ability to view your traffic can view your username and password. To solve this, you need to enable HTTPS in the router's control panel. This comes with one small downside that's an inconvenience rather than a problem: your browser will almost always complain about your router having a self-signed certificate.

Normally when you visit a secure website its certificate is signed by a trusted third party, and your browser already has that trusted third party's certificate, so it doesn't need the site's certificate to know it can be trusted. Your router, understandably, has no way of directly securing such a certificate signature (and there are technical reasons this is difficult, including that certificates are issued for domains like www.google.com not for IP addresses like 192.168.1.1 and to do the latter would be a security risk). For this reason, every time you visit the router your browser will complain that the certificate is not trusted. This is only an issue if you suspect that you are not in fact visiting your router but some MITM machine with the same IP. This is unlikely on your home network, but if you are a suspicious person you can note your router's certificate signature, usually a long hexadecimal number like 41:6A:C6:A7:39:CF:1B:C9:56:B3:CF:2C:2E:E2:F9:51:D8:E1:D3:3B:D4:4D:1C:84:89:3A:0C:22:B1:CE:B5:BE (sha256, more secure) or 9F:53:0B:65:F7:35:70:24:9F:0F:FF:7F:78:F0:41:66:64:5B:07:67 (sha1, not very secure). Typically these can be compared in a few points to make sure they are not different, since certs often have very different signature values. For instance, here are two signatures from Google and Google Image search:

80:C9:13:3D:6A:D6:05:7D:A6:7D:8A:AE:25:E3:D5:54:E9:81:B9:44:3B:4E:8D:D6:3D:42:95:39:6C:6A:20:4E

39:15:3D:00:2D:F0:83:86:D3:97:C2:B6:FB:69:37:79:0A:C4:55:AA:2D:ED:90:62:8B:24:5A:C8:55:1B:4A:81

By checking this signature before clicking through the browser's warning screen or adding it as a trusted cert, you can be sure it's the same certificate, and therefore the same router.

Having HTTPS enabled and a cert in place is important mainly because it allows you to have securely encrypted sessions. When you connect to www.example.com you have no initial way of knowing that the machine responding is example.com, so the cert's *authentication* feature is important. When connecting to 192.168.1.1 or whatever your local router's IP is, you can be fairly sure that you are connecting to the right machine, so only the encryption is important.

Once HTTPS is enabled and works, if possible, disable HTTP access entirely to make sure that all connections are secured.

Another feature it's important to keep secure is your router's remote access feature. Normally, your router will listen on the LAN (at that 192.168.1.1 or similar IP) for web connections to its interface. However, many routers also allow WAN connections to your internet IP for access to the web interface. For this, the best option is disabling this feature entirely, thus preventing any unauthorized access from outside your network. It's still possible for someone to get into your network and access your router, but the entry points inside your network are far, far smaller than those outside your network--the entire internet!

However, if for logistical reasons you must have external access to your router's interface, enabling HTTPS is a must. Additionally, while it only adds a little, changing the port on which the HTTPS server listens also helps. This mostly frustrates automated attacks which will typically only search on commonly used ports. However, there are more sophisticated options available for accessing your router as well.

Secure Shell: SSH

SSH is almost as old as the Internet as a public phenomenon, having been developed in 1995 around the same time most people were using AOL, Prodigy, or even Compuserve CDs and floppies as coasters. It was developed as a replacement for programs like telnet, which is completely insecure. SSH uses a public key installed on the server machine to authenticate clients connecting with a private key, and then encrypts that connection using cryptography based on those keys.

It's possible to connect to a machine using SSH and just a password, but this is not recommended. Along with disabling telnet, we recommend that you disable SSH's password login option and instead generate a key pair to use for access. How you generate that key pair depends on the client software you use, but once you have a public key, install it on your router and use it to connect. It's typical for a user to check that key-based connections work before disabling less secure connections (like the password-based one), and we recommend only allowing SSH over the LAN until you have a key installed and password login disabled for SSH.

Once you have SSH reliably connecting and secured, you can open it to connections from the internet at large. This is common practice and considered safe as long as it's secured by keys. You may also consider running SSH on a different port than the default, but like HTTPS this is only a technique that will frustrate automated attacks, it's not in and of itself a huge addition to your security.

But SSH allows a further special feature: remote forwarding. Using this, you can disable WAN access to your router entirely, and instead connect over an SSH forward using the -L argument to SSH. Note that how you set up forwards will vary depending on your client software, but for command line SSH this option usually looks something like this:

-L 3443:192.168.1.1:443

This forwards the port 3443 on your local machine to the port 443 on 192.168.1.1 on the server machine's network, where 192.168.1.1 is expected to be that server machine here. This allows you to securely connect to your router via SSH, then use the forward to connect to the interface at the address https://localhost:3443 in your browser without having to have the router's web server open to the internet at large.

Not Any Port in a Storm

Open external ports are always a security concern, especially when they point to an insecure service like HTTP. Port forwarding is an essential technique for getting some important services to work correctly, and routers have automated services to help ports get forwarded: UPnP and NAT-PMP. While these services are not necessarily a security risk, they are only as good as the device making the request to have ports forwarded. If you can live without the convenience, disabling UPnP and NAT-PMP and manually adding port forwards to services will keep your network more secure, in particular because you will be aware of every open port and where that traffic is going.

Your router may also have a 'DMZ' option that is sometimes recommended as the nuclear option for getting something to work. We recommend *never* using DMZ, because it places your network security completely on the device that DMZ points to. DMZ basically forwards *all* ports to the DMZ device, bypassing the router completely.

Another small step some users find helpful is disabling ICMP ping, a service that allows your router to be easily found online. If you don't need it, disabling it is best.

A Yellow-Brick Road

For users who want to keep their home network secure but still would like to be able to access services on that network, we built the Home Server. It allows you to remotely connect to your home network without opening security vulnerabilities or using more complicated technical solutions.