
Basic Router Security

Volume 4 in John R. Hines’ Computer Security for Mere Mortals, short documents that show how to have the most computer security with the least effort

John R. Hines

Net+ Certified, Security+ Certified

Consulting Security Engineer, LLC

JohnRichardHines@ConsultingSecurityEngineer.com

“Plagiarism is when the author steals from one source; scholarship is when the author steals from many sources.” -- Anonymous

"Facts are stubborn things; and whatever may be our wishes, our inclinations, or the dictates of our passions, they cannot alter the state of facts and evidence." --John Adams

Oholiab's First Law: The Suits' need for computing power expands until all the Geeks' servers are 100% utilized running database queries and printing reports during business hours.

Corollary to Oholiab's First Law: Development can only access the servers purchased for development when nobody else wants them.

Oholiab's first law of security (Murphy's first law of planning): The important things are simple.

Oholiab's second law of security (Murphy's second law of planning): The simple things are very hard.


these notes, you do not have permission to read these notes!

Copyright © Consulting Security Engineer LLC. All rights reserved. 2016 ISBN N/A

Version 1.201707262300

Suggested reading (when you have time)

Kill Process by William Hertling

Security

Is security a new problem?
What is security?
What is computer security?
What is a low-reward measure?
What is a reasonable measure?
What is an unreasonable measure?
What will you find in these notes?

Routers

What about routers?
What is a router?
What is a firewall (hardware firewall)?
What is a wireless router?
What is a wired router (hard-wired router)?
What is router firmware?
What is "flashing the ROM"?
Where should my router be placed?

What simple reasonable measures will improve your router security?

Default problem #1: Router firmware (software in hardware) is typically out of date before you buy it.
What is a zero-day attack (zero-day exploit)?
What is an attacker?
Mistake #1A: Buying a bargain router.
Default problem #2: The default password is written on the side of the router.
What's a dictionary password attack?
What's a strong password?
Mistake #2A: Not saving the changed password in a secure place.
Default problem #3: Most router hacks come from WIFI issues, not from cable issues.
Default problem #4: WIFI networks should always use WPA2 encryption.
Mistake #4A: Using WEP encryption on your router.
Mistake #4B: Having no encryption on your router.
Default problem #5: WIFI name and passwords defaults are often chosen to simplify installation, not to secure the router.
Mistake #5A: Not saving the changed WIFI password (passwords) in a secure place.
Default problem #6: WIFI signals should not go (too far) beyond your office.
Mistake #6A: Buying a large area router for a small office.

Appendices

Appendix I: What about networks?
What is a network (computer network)?
What is a gateway?
What is a LAN (Local Area Network) (Local network)?
What is a network address (network number)?
What is a network device?
What is a network edge?
What is a network node (computer network node) (network host) (node)?
What is a network segment?
What is a subnet (subnetwork) (network subnet)?
What is an intranet (Intranet) (private network)?
What is IP (Internet Protocol)?
What is the internet (Internet) (public network)?
What is an IP address (Logical address) (Network address)?
What is TCP (Transmission Control Protocol)?
What is wired (hard-wired)?
What is wireless?
Appendix II: How does a router link (connect) an intranet to the internet?
Appendix III: How do I find my router's IP address?
Appendix IV: What hardware do I need to use my router?
Appendix V: How do I access my router?
Appendix VI: How do I reset my router back to the built-in name and password?


Security

Is security a new problem?

No! Security has always been a problem! Even strong men have always had security concerns: "When the strong man, fully armed, guards his own dwelling, his goods are safe. But when someone stronger attacks him and overcomes him, he takes from him his whole armor in which he trusted, and divides his spoils." (Luke 11:21-22)

Criminals form gangs to defeat strong men. Captain Grose's 1811 Dictionary of the Vulgar Tongue (nineteenth century lexicographer) lists 23 occupations required for a complete "gang of misrule" (crime family). My dictionary gives these as " … For men, there are fourteen roles: (1) ruffler, (2) upright man, (3) hooker (angler), (4) rogue, (5) wild rogue, (6) priggers of prancers, (7) palliards, (8) frater, (9) jarkman (patricoe), (10) whip jacket, (11) drummerer (dommerer), (12) drunken tinker, (13) swadder (pedlar), and (14) Abram man. For women (and children) there are nine roles: (1) demander for glimmer or fire, (2) bawdy basket, (3) morts, (4) autem mort, (5) walking morts, (6) doxy, (7) dell, (8) kinching mort, and (9) kinching cove." (Buy my book if you want to know what all these specialties are.) Add hackers and testers and you have the kind of crime family HP describes in The Business of Hacking, capable of stealing from the strong as well as the weak.

What is security?

The dictionary definition of security is "being free from danger or threat". Experience proves no one is secure, at least in the dictionary sense. Solomon had a different take on security (or, maybe, on the lack of security): "The race is not to the swift or the battle to the strong, nor does food come to the wise or wealth to the brilliant or favor to the learned; but time and chance happen to them all" (Ec. 9:11). (Back in the day, bumper stickers on the back of pickups often summarized Solomon's quote in two words: "Excrement happens".)


So, I suggest a different definition of security that emphasizes our part in keeping ourselves secure: "things done and things left undone that give as much control as possible over the future". Be skilled (the things done), be careful (the things not done), and hope to be lucky.

One more quote: "Luck is what happens when preparation meets opportunity" (Seneca, First Century AD, possibly misattributed). Prepare for Murphy to knock on your door. A disaster for the unprepared is an opportunity for the prepared.

What is computer security?

The dictionary says, "measures taken to safeguard code, information, and systems". A more sensible definition of computer security is "(1) reasonable measures taken to safeguard code, information, and systems, (2) unreasonable measures not taken to safeguard code, information, and systems, and (3) measures not taken to avoid low-rewards." Unfortunately, reasonable, unreasonable, and low-reward are (like beauty) in the mind of the beholder.

What is a low-reward measure?

A security measure that has a small payoff for the inconvenience, money and time associated with the measure. Many measures advocated by security professionals are low-reward measures for non-security professionals who do not have an in-house professional to help them.

What is a reasonable measure?

A security measure that has a significant payoff for the inconvenience, money and time associated with the measure.

Reasonable measures that are not terribly inconvenient for a non-professional and require little money and time should ALWAYS be implemented.

Reasonable measures that are terribly inconvenient for a non-professional but require only a small amount of time and money should be implemented when possible. (Maybe hire a professional for a half-day?)

definition.)

Reasonable measures that are terribly inconvenient for a non-professional and require a lot of money should only be implemented if you suspect you are a potential target. Warning: If you are (1) involved in politics or social issues, (2) are visible in your community for some reason, or (3) have strange family members or neighbors then you should suspect you are a target.

What is an unreasonable measure?

A security measure that has become popular wisdom but probably is of little value. (A few years ago, one argument for switching from a PC to a Mac was "Macs don't get viruses." If that was ever true, it isn't now but many Mac sales people and users still believe it and repeat it to non-Mac users.)

What will you find in these notes?

What I think are reasonable and unreasonable measures and what are low-reward measures. Send me an email at


Routers

What about routers?

What is a router?

Hardware (with firmware and software) that forwards data packets between networks. Connected to at least two networks, located at gateways (places where two or more networks connect). Does not forward broadcasts or corrupted packets. Typically implements hardware firewall. Operates at OSI layer 3 (network layer). Full duplex prevents most collisions. In small networks, same device typically routes packets to and from both wire-connected and wireless-connected devices. Alternative: Traffic management devices that connect network segments. Note: Router logs may tell if intruder breached internal systems. Note: Home routers typically controlled by PC (PCs) connected by wires; i.e., no "out of band" port on most home routers.

What is a firewall (hardware firewall)?

Hardware and/or a set of related programs, located at a network gateway server (and usually on each network PC) which protects the resources of a private network (and networked PCs) from users from other networks (and other users on the private network) by examining traffic. (The term also implies the security policy used with the programs.)

What is SPI (Stateful Packet Inspection) (stateful Inspection)?

Keeping track of the state of network connections (such as TCP streams, UDP communication). Useful tool for detecting and preventing (some kinds of) hacking.

What is a wireless router?

Provides network connectivity by WIFI, usually through a WAP built into the router. Note: Almost always have wired ethernet connections. Note: A wireless router with wired connections is always a better buy than a wired router. Eventually you'll need wired connections.

What is a wired router (hard-wired router)?

speeds. Note: Buying a wired router without WIFI is seldom a good idea: you will eventually want WIFI for your cell phones and tablets (saves money when you're at home) if nothing else.

What is router firmware?

Software stored in ROM. Typically, contains only elementary basic functions of a device and may only provide services to higher-level software (such as the ROM BIOS of a personal computer).

What is "flashing the ROM"?

Changing (usually upgrading) firmware.

Where should my router be placed?

Three things to consider:

1. The farther the router is from the cable modem, the longer the ethernet cable connecting the two. Shorter is better. BTW: Ethernet cables are kinda-sorta robust but they should be protected from pinching and scraping.

2. Routers don't have fans so you want air flowing around the router. If you put your router in a closet or on a high shelf, you might want to buy a small personal fan to blow on it.

What simple reasonable measures will improve your router security?

Default problem #1: Router firmware (software in hardware) is typically out of date before you buy it.

Often computer problems are identified by initial users or exploited by hackers in a zero-day attack. By the time your router arrives, it may have known problems that need to be fixed before the world sees your router on the internet.

The low-cost Tenda AC1900 used to test these notes told me a firmware upgrade was available. If I had IT support nearby, I would ask for advice. However, I don't so I'm going to click on "OK" and hope for the best. I suggest you do the same.

What is a zero-day attack (zero-day exploit)?

New kind of attack using a vulnerability the day it is discovered (that hasn’t yet been fixed).

What is an attacker?

Unauthorized person who attempts to access your network or your computer. May also be an authorized person who attempts to misuse your network or computer. A cracker, hacker, rogue employee, rogue relative, script kiddie.

Mistake #1A: Buying a bargain router.


Why bring this up? You will spend more time installing a bargain router, have more problems, find the tech support is hard to access, and hard to understand.

What brands of routers should you look at first?

If cost is close for the same features, look at D-Link, Linksys, and Netgear first, then look at Asus if you want more features than the others. If you have more time than money, look at TP-Link and Tenda.

Default problem #2: The default password is written on the side of the router.

Unless your router is in a locked room and you have the only key, janitors, rogue employees, and rogue relatives can all access your router and change whatever they want to change if you do not change the default password. Change the password to a strong password that is different from the password on the side of the router.

What's a dictionary password attack?

Attacker uses a dictionary of possible passwords, continuing the attack until he finds the correct password. Works because users like easy-to-remember words. Works well against routers because it's not practical for them to have an account lockout option like computers do.

What is account lockout (Account lockout policy)?

Disables user account after certain number of failed logon attempts within a specified period of time.

What's a strong password?

At least eight characters long, does not contain your user name, real name, or company name, does not contain a complete word, is significantly different from previous passwords, and contains characters from the following categories: uppercase letters, lowercase letters, numbers, symbols found on the keyboard (all keyboard characters not defined as letters or numerals), and spaces (length, complexity, and unpredictability).

Mistake #2A: Not saving the changed password in a secure place.

If you've read Basic Windows 10 Security, you already know my recommendation for saving passwords in a secure place. Here's another password to put in that secure place. Typically, one copy in your bank box and one in a "secure" container somewhere hard to get at. NEVER save the password near the router or near your computer. (My eleven-year old grandson knows how to "toss" a work area to find passwords: he learned how watching NCIS.)

Default problem #3: Most router hacks come from WIFI issues, not from cable issues.

Yes, cables can be hacked. But, it's hard, it's usually dirty work, and it usually has to be done inside your office. Phones and tablets have to use WIFI but computers don't unless you have a very strange office space. You can pay a professional cabler to run cables but often you can connect every computer in your office using prefabricated cables from Fry's or Micro Center.

Note: You will still need WIFI for phones and tablets but just using cable instead of WIFI will keep the most important parts of your network safe (well, safer).

Warning: Every computer attached to the router by cable has access to the router. That's another reason to change the router password.

Default problem #4: WIFI networks should always use WPA2 encryption.

WPA2 is secure. WPA is pretty secure. WEP is NOT secure.

Note: Document the encryption used so you can get a new router up quickly if the old one dies.

Mistake #4A: Using WEP encryption on your router.

Yes, it's a choice on almost all routers but it should never be used. Even PC Magazine knows how to crack WEP!

Mistake #4B: Having no encryption on your router.

Yes, it's a choice on almost all routers but it should never be used.

Default problem #5: WIFI name and password defaults are often chosen to simplify installation, not to secure the router.

WIFI names (sometimes called SSIDs) should be bland and vague, giving no information about the router. Tenda violates this by making default names from "Tenda" plus part of the router name (for example, my Tenda router defaults to "Tenda_19BCC0"). Anyone with a WIFI analyzer on their phone or tablet instantly knows they can hack the router if they can find a crack for a Tenda AC1900. When I change the name to "Hunting_Box", they get no information about the router's manufacturer or model: they have to try random cracks.

Note: It is possible to hide a WIFI router name. Some advocate it. I don't: hiding the router name is waving a red flag at hackers that says, "Hey, I've got stuff that is so valuable that I am hiding." Hiding in plain sight is always better than hiding in secrecy.

Warning: WIFI passwords should be strong passwords but NEVER the same as the router password: if a dictionary password attack cracks your WIFI password, the attacker should have to crack your cable password, too, to get into your router.

Mistake #5A: Not saving the changed WIFI password (passwords) in a secure place.

See Mistake #2A.
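The strong-password rules and Default problems #2, #4 and #5 can be checked mechanically. The following Python code is an added example, not part of the original notes: the settings record and its field names, the small word list, the 60% similarity threshold, the reading of the character-category rule and the acceptance of WPA3 (which postdates these notes) are all assumptions made here.

```python
import string
from difflib import SequenceMatcher

# Constructed stand-in for a real dictionary file (assumption, not from the page).
WORDS = {"password", "router", "admin", "office", "welcome"}
# Router brands the page names; any of them in a WIFI name gives away the maker.
VENDORS = ("tenda", "d-link", "linksys", "netgear", "asus", "tp-link")


def password_problems(password, names=(), previous=()):
    """List which of the page's strong-password rules `password` breaks."""
    problems = []
    lowered = password.lower()
    if len(password) < 8:
        problems.append("is shorter than eight characters")
    for name in names:
        if name and name.lower() in lowered:
            problems.append(f"contains the name '{name}'")
    for word in sorted(WORDS):
        if word in lowered:
            problems.append(f"contains the word '{word}'")
    # Assumed threshold: over 60% similar is not "significantly different".
    if any(SequenceMatcher(None, lowered, old.lower()).ratio() > 0.6 for old in previous):
        problems.append("is too close to a previous password")
    # Assumed reading of the category rule: one character from each class,
    # with keyboard symbols and spaces counted as a single class.
    classes = (
        ("uppercase letter", str.isupper),
        ("lowercase letter", str.islower),
        ("number", str.isdigit),
        ("symbol or space", lambda c: c in string.punctuation or c == " "),
    )
    for label, test in classes:
        if not any(test(c) for c in password):
            problems.append(f"has no {label}")
    return problems


def audit_router(cfg):
    """Check a settings record against Default problems #2, #4 and #5."""
    findings = []
    admin, wifi, labels = cfg["admin_password"], cfg["wifi_password"], cfg["label_passwords"]
    if admin in labels:
        findings.append("#2: router password is still the one printed on the router")
    else:
        findings += [f"#2: router password {p}"
                     for p in password_problems(admin, cfg["names"], labels)]
    encryption = cfg["wifi_encryption"].strip().upper()
    if encryption == "WEP":
        findings.append("#4A: WEP encryption is in use")
    elif encryption in ("", "NONE", "OPEN"):
        findings.append("#4B: WIFI has no encryption")
    # WPA3 is newer than the page; accepting it is an addition made here.
    elif encryption not in ("WPA2", "WPA3"):
        findings.append(f"#4: {encryption} is in use instead of WPA2")
    if any(vendor in cfg["ssid"].lower() for vendor in VENDORS):
        findings.append("#5: WIFI name reveals the router's manufacturer")
    if cfg["ssid_hidden"]:
        findings.append("#5: WIFI name is hidden, which the page advises against")
    if wifi == admin:
        findings.append("#5: WIFI password is the same as the router password")
    findings += [f"#5: WIFI password {p}"
                 for p in password_problems(wifi, cfg["names"], labels)]
    return findings


# Constructed sample records; only the two WIFI names come from the page.
OUT_OF_BOX = {"ssid": "Tenda_19BCC0", "ssid_hidden": False, "wifi_encryption": "WEP",
              "label_passwords": ["admin"], "admin_password": "admin",
              "wifi_password": "admin", "names": ["Hines"]}
HARDENED = {"ssid": "Hunting_Box", "ssid_hidden": False, "wifi_encryption": "WPA2",
            "label_passwords": ["admin"], "admin_password": "gR7 &tqLz#2v",
            "wifi_password": "9w!Kp Xe4$ubM", "names": ["Hines"]}

if __name__ == "__main__":
    for title, cfg in (("out of box", OUT_OF_BOX), ("hardened", HARDENED)):
        print(title, audit_router(cfg) or "no findings")
```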

Default problem #6: WIFI signals should not go (too far) beyond your office.

The farther WIFI signals go, the easier it is to hack the WIFI part of the router. A guy sitting in front of your office pounding on a laptop is much more obvious than a guy sitting at a table in the park across the street pounding on a laptop.


Warning: Document the acceptable transmit power so you can quickly replace a defective router.

Mistake #6A: Buying a large area router for a small office.


Appendices

Appendix I: What about networks?

What is a network (computer network)?

Connected graph where nodes are computer network nodes and edges are computer-to-computer connections.

What is a gateway?

Network node that is an entrance to another network. Often a router.

What is a LAN (Local Area Network) (Local network)?

Hardware and software that turns terminals, workstations, servers, and hosts into a single network environment in a small geographic region like a building. Alternative (more modern): A network segment that may or may not be connected to another network. Larger networks are created by "gluing" two or more LANs together, typically with a router.

What is a network address (network number)?

Bit pattern or group of hexadecimal numbers that uniquely identifies a network node. In IPv4, eight hex characters, each pair (except the last) separated by dots. (Four bytes.) In IPv6, 32 hex characters, each quad (except the last) separated by colons. (16 bytes.)

What is a network device?

Component (hardware) that connects ("glues") computers or other electronic devices together to share files or resources. Usually a network node.

What is a network edge?

Single physical connection between two computers. Sometimes used as a synonym for connection (network connection). Alternative: Cable with connectors at both ends that connects two nodes.

What is a network node (computer network node) (network host) (node)?

An addressable device attached to a computer network.

What is a network segment?


VLAN, or switch segmentation.

What is a subnet (subnetwork) (network subnet)?

Logical, visible subdivision of an IP network. Computers that belong to a subnet are addressed with a common, identical, most-significant bit-group in their IP address. Note: The practice of dividing a network into two or more networks is called subnetting.

What is an intranet (Intranet) (private network)?

Private network combining existing LAN and WAN technologies and new Internet technologies. Has all the features of the Internet. Many intranets. Typically use 10.x.x.x, 127.x.x.x, 172.16.x.x through 172.31.x.x or 192.168.x.x. Typically connected to the (one and only) internet by a router but may be stand-alone. See Internet.

What is IP (Internet Protocol)?

Basic protocol of the Internet. It enables the unreliable delivery of individual packets from one host to another. It makes no guarantees about whether or not the packet will be delivered, how long it will take, or if multiple packets will arrive in the order they were sent. Protocols built on top of this add the notions of connection and reliability.

What is the internet (Internet) (public network)?

Large network with millions of hosts from many organizations and countries around the world. Amalgamation of many smaller networks. Data travels by a common set of protocols (starting with TCP/IP). All (well, almost all: ignore 10.x.x.x, 127.x.x.x, 172.16.x.x through 172.31.x.x and 192.168.x.x) internet addresses are unique.

What is an IP address (Logical address) (Network address)?

In IPv4, 32-bits or a quad of octets (bytes). In IPv6, 128-bits or a hex of octets (bytes) or 32 hex characters. A software address, not a hard-coded address.

What is TCP (Transmission Control Protocol)?

Network reliable communication protocol, typically sits on top of IP. See UDP.


(Unbounded media)?

Local area wireless technology to exchange data or connect to the internet (usually using 2.4 GHz UHF and 5 GHz SHF).

What is wired (hard-wired)?

Connected to other devices by cables, usually ethernet cables. See Ethernet.

What is wireless?

Appendix II: How does a router link (connect) an intranet to the internet?

You need an internet address (actually, you need an IP address but they are pretty much the same thing) to be on the internet. Your home network does not have one. So, how do you get one?

You might try to buy one or more IP addresses. However, all (almost all) the usable internet addresses are already owned. It would be really expensive (much more than your lifetime beer and coffee expenditures combined). Worse, you would have to search really hard to find someone willing to sell you one. So, buying one or more is not a workable plan.

Fortunately, both idealism and profit motivate (some) IP owners called ISPs (Independent Service Providers) to lease or let you temporarily use as many IP addresses as you can afford to pay for.

The cost of leasing a single IP address (a dedicated line) is so expensive (maybe a decade of beer and coffee expenditures for a single year's lease) that you are more likely to temporarily use an ISP's IPs. The cost of temporarily using a single IP address is so expensive (maybe a year of beer and coffee expenditures to pay for a year's temporary use) that most people have access to only one IP and use tricks that allow all your computing devices to use that one.

(Yes, it's more complex than that but why go there?) Warning: You typically use an IP from a pool of currently unused IPs at the ISP so you seldom get the same IP from your ISP. But, you don't need to know what IP the ISP is letting you use, the ISP handles all of that! Just don't assume you always have the same internet IP.

Your ISP will give you access to a single temporary IP address with reasonable (reasonable, like beauty, is in the eye of the beholder) bandwidth by running a wire to your home (if one doesn't already exist) and installing a cable modem in your house. Warning: If a wire (either from a cable company or a telephone company) is not already in place near your home, you may have to resort to a cell phone-like connection from a cell phone company.

the internet.

Appendix III: How do I find my router's IP address?

Depending on your version of Windows 10, open your admin cmd window or PowerShell window. At the prompt, type "ipconfig [CR]". Ipconfig will return information about your system and its private LAN, something like:

Windows IP Configuration

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix . : tendawifi.com
   Link-local IPv6 Address . . . : fe80::7002:9ba9:d9eb:f7bb%24
   IPv4 Address. . . : 192.168.0.185
   Subnet Mask . . . : 255.255.255.0
   Default Gateway . . . : 192.168.0.1
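The router's address is the "Default Gateway" value in that output. The following Python code is an added example, not part of the original notes, that pulls the gateway out of saved ipconfig text and keeps only IPv4 gateways in a private range as the address to type into the browser. It assumes English-language ipconfig output, and the sample text is constructed from the page's values plus a made-up IPv6 gateway and a disconnected Wi-Fi adapter to show the two layouts that trip up a naive parser.

```python
import ipaddress
import re

# Constructed sample in ipconfig's English layout. The addresses on the first
# adapter are the page's; the IPv6 gateway and the Wi-Fi adapter are made up.
SAMPLE = """\
Windows IP Configuration

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : tendawifi.com
   Link-local IPv6 Address . . . . . : fe80::7002:9ba9:d9eb:f7bb%24
   IPv4 Address. . . . . . . . . . . : 192.168.0.185
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::1%24
                                       192.168.0.1

Wireless LAN adapter Wi-Fi:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
"""

# "Label . . . : value". The separator is the first colon that follows a space,
# so the colons inside an IPv6 value are never mistaken for it.
FIELD = re.compile(r"^\s+(.*?)[\s.]*\s:(?:\s(.*))?$")


def parse_ipconfig(text):
    """Return {adapter name: {field label: [values]}}."""
    adapters, fields, last = {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line[0].isspace():
            # Unindented lines are the banner or an "... adapter NAME:" header.
            fields = adapters.setdefault(line[:-1], {}) if line.endswith(":") else None
            last = None
            continue
        if fields is None:
            continue
        match = FIELD.match(line)
        if match:
            last = match.group(1)
            value = (match.group(2) or "").strip()
            fields[last] = [value] if value else []
        elif last is not None:
            # An indented line with no separator continues the previous field.
            fields[last].append(line.strip())
    return adapters


def default_gateways(text):
    """Return {adapter name: [gateway addresses]} for adapters that have one."""
    found = {}
    for name, fields in parse_ipconfig(text).items():
        # Drop the IPv6 zone index ("%24") before parsing the address.
        gateways = [ipaddress.ip_address(value.split("%")[0])
                    for value in fields.get("Default Gateway", [])]
        if gateways:
            found[name] = gateways
    return found


def router_admin_urls(text):
    """Addresses to try in the browser: IPv4 gateways in a private range only."""
    return [f"http://{gateway}"
            for gateways in default_gateways(text).values()
            for gateway in gateways
            if gateway.version == 4 and gateway.is_private]


if __name__ == "__main__":
    print(default_gateways(SAMPLE))
    print(router_admin_urls(SAMPLE))
```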

Appendix IV: What hardware do I need to use my router?

Appendix V: How do I access my router?

You need to know (1) the IP of the router (read "How do I find my router's IP address?") and (2) the password (look on the back of the router and WRITE DOWN the name and password; you may find both a wired and wireless password, if so write down both and identify which is which). Once you know both:

Connect the ethernet connector on the back of your computer to one of the four (or eight) same color RJ45 connections on the back of the router; then

Open your browser, enter the router's IP address 192.168.0.1 or http://192.168.0.1 in the browser address window then press "ENTER".

Warning: You cannot manage the router over WIFI. There are fifty-foot-long CAT 6 cables at most big computer stores, so you should be able to connect with the router over cable.

Appendix VI: How do I reset my router back to the built-in name and password?

What documents are part of this series?

Volume 1: 5-Minute security talk
Volume 2: 15-Minute security talk
Volume 3: Basic Windows 10 Security
Volume 4: Basic Router Security
Volume 5: Basic Network Security
Volume 6: Basic Browser Security
Volume 7: Advanced Windows 10 Security
Volume 8: Advanced Router Security
Volume 9: Advanced Network Security
Volume 10: Advanced Browser Security
Volume 11: Basic Windows 7 Security


Biography

John R Hines has degrees from two party schools (the University of Colorado and Arizona State University). He was a professional engineer in Texas. He has been a semiconductor engineer, a programmer, a writer and a teacher. Since he retired to Lucas, Texas, he has been writing eBooks for Amazon and thinking about computer security and taking CompTIA certification tests (he is A+, Net+, and Security+ certified).

In the 1980s, the US Patent and Trademark Office granted him six patents and he began writing about using computers to solve problems. He wrote a book about circuit simulation and taught SPICE (Simulation Program with Integrated Circuit Emphasis) classes at Fortune 500 companies.

In the 1990s, he had computer-related columns in popular trade magazines like Electronic Test and Design Automation and scholarly magazines like IEEE Spectrum and taught C, C++, Delphi and Java.

In the 2000s, he was a Java developer for America’s best telephone company.

In late 2016, he started prototyping a security start-up to test a business model for geek geezers who want to work less than 20 hours a week.

Google him under JR Hines, J. Richard Hines (Honeywell IT didn't like John Hines publishing articles poking fun at it), John Hines and John R Hines. Or look at his computer books on
