Post: Wireless Router Security Knowledge 101
05-12-2008, 12:56 AM #1
NGU_AcEsUpMaSlEeVe
Guilty UNTIL Innocent
A Short Paper on Home Router Security

You have high-speed internet access (DSL or cable) now and more than one computer. How do you get them all online? The answer is a router. A router will connect to your high-speed modem and then your computers will connect to it. A router has a built-in firewall. If you have broadband access then you need some sort of firewall to keep people from getting into your computer. A router can do that, but only if set up properly. There are many different types of routers, and with the wrong setup your computers may be no safer than before you got it. This paper will explain the common steps you can take to avoid making your router an easy target.

Steps for all routers

1. Update Firmware

When you take your router out of the box, chances are the software inside (firmware) that controls the device is already obsolete. In order to update it you'll have to visit the manufacturer's website and download the firmware update. Then you'll have to follow the instructions to install it. But, once it's installed you'll have all the latest fixes and any new features that your router can do, some of which will be discussed later.

2. Block WAN Requests/Stealth Mode

When your computer/router is on the internet it gets an IP address. This address is unique to your computer/router. By default your computer/router will respond to any other computer that asks if your computer/router is on. This means that a hacker can see if there is a computer/router to try to hack into at your IP address. Turning off this feature makes it look like nothing is at your IP address and makes you less of a target for hacking attempts.

3. Default Username/Password

Most routers have a default username and password to access the router's setup pages. The default on Linksys routers is a blank username and admin for the password; on a Netgear it's admin for the username and password, or 1234 for the password; on a D-Link it's admin for the username and a blank password. If Remote Access is enabled (discussed later) it is easy for anyone in the world with internet access to log onto your router and make changes to it. Those changes would then allow them to log onto your computer(s).

4. Ports for specific uses

All internet traffic (web surfing, email, instant messaging, etc.) gets to your computer/router via a port. Ports are numbered and go from 1-65535. Typically Windows uses the bottom 1056 ports. If you have programs (like file-sharing, VPN, servers, etc.) that need specific ports open to work, try to keep them above 1056. For example, if you have port 80 open (used for web servers) then hackers have an opportunity to hack into your system even though you have a router.

5. DMZ

DMZ stands for DeMilitarized Zone. It's used to put one of your computers outside the firewall and allow all ports to be open on that computer. All incoming internet traffic to your IP address will go to that computer. This is an easy way to let a hacker get into your system. Only put a computer into the DMZ if you know what you are doing, otherwise never put anything into the DMZ field.

6. MAC Spoofing

Every piece of equipment has a unique MAC address. MAC stands for Media Access Control. While that doesn't mean anything to you, it means that your piece of equipment can be identified by that MAC address. For example, Linksys routers' MAC addresses start with 0004.5a. If you don't want your ISP knowing what equipment you have hooked up, or you want them to think only one computer is hooked up, you'll have to put your computer's network card's MAC address in the MAC Spoofing field. You can find out what your computer's network card's MAC address is by typing ipconfig /all in a Command Prompt or MS-DOS Prompt and looking at the Physical Address.

7. Remote Management

Many routers come with a feature to allow you to log onto the setup pages for the router from outside of your home. This remote access feature is handy if you want to see if your internet connection is still working at home while you are away or if you want to check the router's log of activity while not at home. But with the remote access ability turned on anyone else can try to guess your password and get into your router (or they can use the default username/password if you've never changed that). Changing the default port for remote access is another way to try to keep people from easily getting access to your router (available on some routers).

8. UPnP Services

Universal Plug and Play services are supposed to allow for easy connecting of things. What things? For most home users this option should be turned off to avoid any hacking attempts via UPnP Services.

9. Filtered MAC Address

The MAC Address is unique to every network card that connects to the router. Therefore, some routers have the ability to only let certain MAC addresses on to the router. If it's a wired router in your home, this function is not necessary, but if you live with other people and don't want just anyone hooking up to your router you can allow only your computer's MAC address to be given access.

Extra steps for wireless routers

1. MAC Address Access Control

Similar to a wired router's MAC filtering, a wireless router can specify which MAC addresses (i.e. which computers) can connect to the wireless portion. Since a wireless connection doesn't have to have a physical plug connected, anyone within range can connect to your wireless router. With MAC address access control you can specify your wireless card(s)' MAC address(es) to be the only one(s) given access.

2. SSID Broadcast

By default on most wireless routers the SSID (Service Set IDentifier) name is broadcast for anyone to hear. In English, the name of your wireless network is always being sent to any computer that can hear. This means anyone else can try to log onto your wireless network without your knowledge because they know the name of it. By turning off this broadcast, the other computer would need to already know your wireless network's name to log on to it.

3. Default SSID

A wireless router will come out of the box with a default SSID. On a Linksys the default name is simply linksys. If you are not broadcasting your SSID, but have not changed it from the default then someone trying to get into your wireless network would need to perform the easy task of guessing the default one and getting on to your network.

4. WEP

WEP stands for Wired Equivalent Privacy. By turning this on you can keep most people out of your wireless network. A WEP key is put in on the router and that same key is put into the settings on any of the wireless computers you want to connect. Any computer that does not have the WEP key you put in does not get access to your wireless network. There are different levels of WEP, the most common being 64-bit and 128-bit. This method of protecting access has been beaten, but it isn't going to be done by your regular neighbor. So overall this is pretty secure, but not 100%.

5. WPA

WPA stands for WiFi Protected Access. It is similar to WEP, but half of the key it uses gets changed on a rotating basis. This form of security has not yet been beaten, but you must take the right precautions when generating a key. The router can generate a key based on a "passphrase". If that passphrase is less than 20 characters and is just a plain word(s) then it can be guessed and then people can get into your wireless network.

If you update your wired router's firmware, block WAN requests, change the default username and password, and turn off remote access then you are decently protected from the easiest of hacks. With the wireless router, if you limit access by MAC, change the default SSID and stop broadcasting it, and enable WEP or WPA then you can keep other people from getting onto your network and/or using your internet access. Doing these things will save you headaches down the road and make your computing experience more enjoyable.
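As an added illustration of points 3 (default SSID) and 5 (WPA passphrase) that is not part of the original post: WPA-PSK derives its 256-bit key with PBKDF2-HMAC-SHA1 using the SSID as the salt, so the SSID is effectively part of the key, and a default SSID plus a short, plain-word passphrase gives every router with that name the same key. The SSID names and sample passphrases below are constructed; the "password"/"IEEE" pair is the published IEEE 802.11 test vector.

```python
import hashlib
import re
from typing import List


def derive_wpa_psk(passphrase: str, ssid: str) -> str:
    """Derive the WPA/WPA2 pre-shared key from a passphrase and SSID.

    WPA-PSK uses PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations
    and a 32-byte output, exactly as a client does when it joins.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases must be 8 to 63 ASCII characters")
    psk = hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, dklen=32
    )
    return psk.hex()


def check_passphrase(passphrase: str) -> List[str]:
    """Apply the post's guidance (20+ characters, not just plain words)
    on top of the WPA length limit; return the problems found."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("must be 8-63 characters (WPA limit)")
    if len(passphrase) < 20:
        problems.append("shorter than 20 characters")
    # Letters and spaces only means the passphrase is just plain word(s).
    if re.fullmatch(r"[A-Za-z ]+", passphrase):
        problems.append("only plain words; add digits or punctuation")
    return problems


if __name__ == "__main__":
    # Same passphrase, default SSID vs. a renamed network (constructed names):
    for ssid in ("linksys", "nextgen-home-42"):
        print(ssid, derive_wpa_psk("password", ssid))
    for candidate in ("password", "Tr0ub4dor&3 hates routers 2008!"):
        print(repr(candidate), check_passphrase(candidate) or "ok")
```

Running it shows that renaming the SSID changes the derived key even when the passphrase stays the same, while the short dictionary passphrase fails both of the post's rules.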
05-15-2008, 09:12 PM #2
BA-SHELLEY
NGU Oringnal
Man this is quality shiot

200th post classic
05-26-2008, 05:32 PM #3
Originally posted by SHELLEY View Post
Man this is quality shiot

200th post classic

I agree but 197 posts class Winky Winky
05-26-2008, 06:40 PM #4
gops10
Climbing up the ladder
thanks man great info
