25 Ways to Help Secure Your Router

I have received several questions about router security. I thought an article would answer those questions while sharing with the community. Here are 25 ways to help secure your router (in no certain order). Here we go..........

1. Limit physical access: What good are your logical access controls if your router is exposed to public access? Keep your router in a secure location and limit physical access to it. This can prevent someone from tampering with the router. A Rubber Ducky covertly plugged into your router can cause "weeks of grief". As a Penetration Tester, physical access is one of my favorite (and most effective) ways to breach a network environment.
2. Change the default login credentials: Many routers come with default login credentials that are easily accessible to hackers. Make sure to change the default username and password to a strong and unique one. Also, use a strong and unique administrator password for your router's configuration page. This can prevent unauthorized changes to your router settings and create a separate administrator account for your router's configuration page.
3. Enable WPA2 encryption: Wi-Fi Protected Access II (WPA2) is a security protocol that encrypts the data transmitted between your devices and your router. Make sure to enable WPA2 encryption on your router to secure your wireless network.
4. Use a strong passphrase for Wi-Fi Protected Access (WPA): WPA is a security protocol that encrypts your Wi-Fi network traffic. Use a strong passphrase for WPA that includes a mix of uppercase and lowercase letters, numbers, and symbols.
5. Use strong DNS settings: DNS translates human readable domain names (for example, www.amazon.com) to machine readable IP addresses (for example, 192.0.2.44). DNS can be "poisoned", causing traffic to be redirected to malicious addresses. Set up strong Domain Name System (DNS) settings for your router. This can prevent potential attacks that use DNS hijacking to redirect your traffic. Check for a DNS leak here.
6. Disable remote management: Remote management allows you to access your router's settings from anywhere on the internet, but it also makes it easier for hackers to access your router. Disable remote management unless you absolutely need it.
7. Change the default SSID name: The Service Set Identifier (SSID) is the name of your wireless network. Change the default SSID name to something unique and avoid using personal information that can be easily guessed, such as your name or address. The Smith Family is not a good SSID...unless your name is not Smith.
8. Enable MAC address filtering: Media Access Control (MAC) address filtering (also called MAC Whitelisting) allows you to specify which devices are allowed to connect to your network. Add the MAC addresses of your devices to the filter list to prevent unauthorized access.
9. Use antivirus and anti-malware software: Install antivirus and anti-malware software on your devices to protect them from potential threats. Make sure to keep the software up-to-date or this measure is useless.
10. Keep your router's firmware up to date: Firmware updates often include security patches and bug fixes that address vulnerabilities in your router. Check for firmware updates regularly and install them as soon as they become available. As with any update, this has the potential of breaking things but hey, this is the world in which we live.
11. Disable UPnP: Universal Plug and Play (UPnP) allows devices on your network to automatically configure the router's settings. It also opens up potential security vulnerabilities. Disable UPnP unless you need it for a specific device or service.
12. Use a strong Wi-Fi password: I mentioned this before but some folks need to read it again since password-related breaches continue to happen at an alarming rate. Use a long, strong, and complex Wi-Fi password that includes a mix of uppercase and lowercase letters, numbers, and symbols. Avoid using easily guessable passwords such as "password", "123456", or your pet's name (you know, the one you always post pictures of on social media).
13. Disable guest networks: If you do not need to provide a guest network, it is recommended to disable this feature as it can be a potential security risk. If you cannot live without a guest network, create a dedicated separate network from your main network (never allow guests to access your main network), delete the guests when they no longer need access, deactivate the guest network when not in use, and resist the urge to name your guest network [Name] Guest Network.
14. Disable unused services, ports, and port forwarding: Ports are like the windows and doors to your home (network). Disable any unused services and ports on your router as these can be potential entry points for hackers. Port forwarding allows external devices to access specific services on your network. However, it can also be a potential security risk. Disable port forwarding if you're not using it.
15. Use a VPN: While separate from a router, a VPN helps obfuscate network traffic. Using a Virtual Private Network (VPN) can provide an additional layer of security by encrypting your internet traffic and keeping your online activities private.
16. Enable Two-Factor Authentication (2FA): Yes, some routers support 2FA, which provides an additional layer of security to your login process. When enabled, a code is required in addition to the username and password to log in to the router's configuration page. I should also note that an SMS code sent to your phone is not the strongest of 2FA methods. Use a code generator instead such as Duo, Google Authenticator, or these authentication apps.
17. Enable Firewall: Most routers come with a built-in firewall which can protect your network from unauthorized access. Ensure that your router's firewall is enabled and configured correctly.
18. Change the default IP address range: Routers usually come with a default IP address range. Change the default IP address range to a different one to avoid potential conflicts with other networks.
19. Regularly review connected devices: This measure will allow you to discover unauthorized access to your network, which can include someone using your network for free internet or for serious criminal purposes. Check the list of devices connected to your router regularly and remove any unknown or unused devices.
20. Enable logging: I know, no one likes reviewing logs but this is the best method to discover nefarious things happening on your network. Turn on router logging to monitor any unusual activity on your network. This can also help you detect potential security breaches.
21. Use a network monitoring tool: Consider using a monitoring tool for your network traffic to detect any unusual activity. Some routers come with built-in security features such as intrusion detection and prevention (IDS/IPS), malware scanning, and content filtering. Consider purchasing a router with these features for added security.
22. Disable IPv6: IPv6 is the future but if you're not using IPv6, consider disabling it on your router. This can reduce the attack surface and potential security risks.
23. Consider buying a router with built-in security features: Disable WPS: Wi-Fi Protected Setup (WPS) is a feature that allows you to easily connect devices to your Wi-Fi network. However, it can also be a security vulnerability. Disable WPS if you're not using it. Try a quick IPv6 check here.
24. Segment your network: The idea behind this method is if someone breaches your network, they will not have access to every device on the network. Network segmentation involves dividing your network into smaller sub-networks or segments. Each segment has its own set of addresses, devices and resources, and access to each segment is controlled by the router's security settings.
25. IoT Smart Devices Segmentation: Once your network is segmented (number 24 above), use a separate network segment for your smart devices. This can prevent potential security breaches caused by IoT smart devices on other network segments.

These techniques (used together) can help improve your overall cybersecurity posture but it is only one part of your cybersecurity. If anyone has additional ways to secure a router, drop those ideas in the comments section and share with the community. Be safe out there......

#cybersecurity

About Warren Alford

Warren Alford is a cybersecurity consultant with ALS Cyber LLC located in Florida. ALS Cyber LLC provides consulting services including Business Consulting Services, Risk Management Plans and Risk Assessments, Business Continuity and Disaster Recovery Plans and Testing, Vendor Management Plans and Evaluations, Penetration Testing and Vulnerability Assessments, Open-source Intelligence Analysis (OSINT), and assisting organizations to create a Cybersecurity Awareness Culture.