Securing Your Router
June 14, 2012
Your “Router” is that small box provided by your ISP to connect your computer to the Internet. Usually it has antennas on it and functions as a WiFi Access Point for your laptops, tablets and other networking widgets. Sometimes there are two boxes, one being the “modem” and the other being the “router”. In other cases, the modem and router are combined into a single box. In rare instances, you may not have a router at all, and no WiFi, but merely a modem hardwired to your computer. If this is the case, there is nothing to secure, as your ISP totally controls security on your connection. This is rare today, so we will assume it is not the case.
The generic case we are addressing is the most common situation, where there is indeed a WiFi Access Point, and you can use your portable devices via WiFi without needing to connect wires directly to the router. Often a desktop is connected by a cable, “hardwired” in the vernacular, while portables use the WiFi connection. There are many different brands of routers, and while they can be very different, they have many things in common.
Routers frequently ship from the factory with default security settings that are rather irresponsible. Passwords are well known, and the manufacturer does not force a change when setting up the router. Network wireless settings are often set “wide open” or to lowest common denominators since users complain when they have difficulty connecting their computer. This creates security exposure for the users that bad guys can all too easily exploit. Let's fix that now.
There are three points where security matters for the average user. The first is what we call the “Management Interface”. Formal terminology may vary a bit; it might be called the “Admin Interface” or similar. This is the way you access the internal configuration of the router.
The second security point is the radio side. That is, securing the wireless interface so that unauthorized devices may not gain access to your network.
The third security point is the Internet side, that is, making sure no one can reach into your network from outside. This is less important and usually not an issue, but still should be looked at.
Let us address the Management Interface first. Most routers today have a little web server built into the box. You connect to it simply by using your browser, and you are then presented with a nice, slightly intimidating graphical interface. Precisely how you connect varies depending on the manufacturer, and you may have to consult the documentation that came with the device, or simply Google the model number of the device. However, most devices can be “guessed” easily enough.
Often you can simply connect to a generic IP Address. Simply entering http://192.168.1.1, or http://192.168.0.1 as the URL will do the trick. In other cases the router will recognize a generic name. Most D-Link Routers will connect via the URL http://dlinkrouter, for example.
Once you connect to your router's management interface, you should be prompted for a username and password. All routers ship from the factory with a default password. Again, consult your documentation. It should be in the manual, or sometimes it actually appears on a label on the bottom of the router itself. If you do not have it handy, there is an online web site that lists most routers' default passwords. Log in to your router's Management Interface using the default password.
The menus and screens you see in the Management Interface can be a little confusing at first, so before proceeding, I suggest you spend a little time browsing the various screens and options and familiarizing yourself with them. Don't change anything yet, just poke, observe and learn. We'll fine tune things in a bit.
Clearly, allowing your router to operate on the network with only the factory default password keeping anyone from getting into the Management Interface is a big security risk. You want to change this immediately: pick a good, secure password that you won't forget, and replace the default with it.
Most modern routers provide an automated “setup wizard” that will guide you through setting things up. I find most of these are pretty pathetic. For example, the D-Link wizard won't even let you change the factory default password. Needless to say, this is unacceptable. So generally, I select Manual Setup, and ignore the “Wizard”, but if your wizard will allow you to change the management access, then do so. If not, then forget the wizard and dig into the manual screens. Do not let them intimidate you. They may look complex at first, but they are really quite simple once you get familiar with them. If you need clarification on terms and such, don't forget that many an answer is just a quick Google query away.
Once you have set something decent and reasonable as the password to your router's Management Interface, the next step is to secure the Wireless Access side of things.
Again, the built-in Wizard may be able to do this for you with a minimum number of steps, but often you will resort to manual setup. Simply use what works.
Securing the wireless side requires setting three things: the SSID (or Network Name), the encryption mode, and the Network Key. The Network Name is simply the identification your router broadcasts to the world. Periodically, your router shouts out this name for all to hear, and anyone looking can see it. Of course this is set to something generic from the factory. You want to change it to personalize it a bit. But not too personal. Something generic, but specific to your home is ideal. I know one that uses the name of the dog, “Daisys_Doghouse”. Names from movies are popular, such as Skynet, Cyberdyne, and Optimus_Prime. Pick something that will be relatively unique to you, but not so specific as to easily identify you to the world.
After choosing and setting the SSID, we want to set the encryption mode. There are several options. Most routers support WEP, and many default to it. DO NOT USE WEP!!! It is worthless, easily broken. The best encryption is WPA2 if your router supports it, or at least WPA. WPA also requires selecting a cipher type, usually either TKIP or AES, or “Auto” which will allow either to be used depending on the client PC or tablet. Either is acceptable, but AES is slightly better. Set AES only if supported by all devices.
Last, we set the Network Key. This is essentially the password your laptop needs to “log in” to the Internet via the router. This needs to be a good, secure, but easily remembered password. Treat it much the same as you would any other password, because if the bad guys get it, they can get into your network. You do not want that.
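To confirm from a Linux laptop that the three wireless settings took effect, the following added example (not part of the original article) classifies the output of `nmcli -t -f SSID,SECURITY device wifi list` using the rules above. The scan lines are constructed, and the list of factory-default SSIDs is a small illustrative assumption.

```python
# Constructed sample of `nmcli -t -f SSID,SECURITY device wifi list` output.
# Terse mode separates fields with ':' and escapes a literal ':' as '\:'.
SAMPLE_SCAN = r"""Daisys_Doghouse:WPA2
linksys:WEP
Cafe\:Guest:
OldPrinterNet:WPA1
Skynet:WPA1 WPA2
"""

# Assumed, illustrative factory-default names; extend for your own hardware.
DEFAULT_SSIDS = {"linksys", "dlink", "netgear", "default"}
STRONG = {"WPA2", "WPA3"}  # WPA3 postdates the article; never report it as weak

def split_terse(line):
    """Split one terse-mode line on unescaped ':' and undo the escaping."""
    fields, cur, chars = [], [], iter(line)
    for ch in chars:
        if ch == "\\":
            cur.append(next(chars, ""))  # keep the escaped character itself
        elif ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    fields.append("".join(cur))
    return fields

def classify(ssid, security):
    """Return the list of problems for one network (empty list = fine)."""
    modes = set(security.split()) - {"--"}
    findings = []
    if not modes:
        findings.append("open network: no encryption")
    elif "WEP" in modes:
        findings.append("WEP: easily broken, switch to WPA2")
    elif not modes & STRONG:
        findings.append("WPA only: use WPA2 if the router supports it")
    if ssid.lower() in DEFAULT_SSIDS:
        findings.append("factory-default SSID: rename it")
    return findings

def audit(scan_text):
    """Map each SSID in the scan output to its findings."""
    rows = (split_terse(ln) for ln in scan_text.splitlines() if ln.strip())
    return {r[0]: classify(r[0], r[1] if len(r) > 1 else "") for r in rows}

if __name__ == "__main__":
    for ssid, problems in audit(SAMPLE_SCAN).items():
        print(f"{ssid}: {'; '.join(problems) or 'ok'}")
```

To audit a live scan, pass the real command output to `audit()` instead of `SAMPLE_SCAN`.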
These things should have secured your router pretty well. There are two additional points that can add a bit of gilding to the lily. The first item is back in that Wireless setup process. When we set the SSID, there should have been a checkbox that says something like “Disable SSID Broadcast” or maybe “Enable Hidden Wireless”. Remember I described the SSID as being shouted out to the world periodically? Well, once you have set everything up, and all your portable devices are connected and working, disabling the SSID broadcast will add a tiny bit of additional security. Your network will be hidden from view to the casual observer. Someone with the right tools can still find it of course, so the additional security added is small, but every little bit helps. The downside is that not broadcasting the SSID can make the first connection of a new laptop or tablet a little harder. This can be inconvenient, but once everything is working, you can turn off the broadcast. However, the additional security is small, and there can be inconvenience as a result, so you can weigh the trade-offs and decide whether you want to bother. I recommend turning it off, but am not a stickler about it.
The final security item is to lock down remote management access, that is, access to the management port from the Internet. This is not usually an issue because most routers disable it by default. However, your ISP may have enabled it so THEY can get in. They might think this is a good idea, but WE don't. So we want to check it.
In most routers, the remote management option is located in the Maintenance section, usually near the place where you changed the username and password to the Management Interface. Just check and make sure it is not enabled. Some routers, but not all, will also permit blocking management access from the wireless side. If yours has that option, select it too. This will mean that even if someone knows the password, they must physically connect to the box.
While you're poking around in the Management Interface, check the firewall settings. Most are on by default. If you see a checkbox that says something like “Enable SPI” make sure it is on as well. In most cases the firewall is on by default and you really do not need to muck around with it. But if you are interested, there is a ton of information to be found via Google. I will leave that topic for another day.
The important points are (1) setting the Management Interface password to something secure, and (2) getting the wireless set using a good encryption (NOT WEP!) and secure Network Key. If you do those things, your network will be orders of magnitude more secure than most, and unlikely to be bothered by the bad guys.
I have mentioned DD-WRT [1] router software in the past, and it is indeed much better than what ships on most routers. Nonetheless, it is for the somewhat technically advanced, and many simply will not feel as if they want to venture there. If so, that is fine. It's not really all that difficult to install, but it is also not necessary for the average non-techie user. So if you are not comfortable with the idea of changing out your router's software, do not concern yourself. If you have secured the Management Interface, and set good wireless encryption, you have covered the big things. On the other hand, if you are feeling adventurous and want to play with some good software and learn more about networking, then by all means go for it and upgrade your router to DD-WRT.
[1] See http://www.infoworld.com/d/networking/teach-your-router-new-tricks-dd-wrt-174050?source=footer for a much more extensive article on DD-WRT.