This simple checklist of tasks should get you started on using your router to its best ability, enhancing your LAN security. These are generic features that should be on most routers out there; consult your router’s user manual if you have doubts about where to find these settings. If you are still in the market looking to buy a router, a good idea is to go through the online manual to see if these settings are available on the router in your budget. Some of these security settings are to be used in conjunction with others; some provide an additional layer of security to what another setting already provides.
1. Administrative password
Establish an administrative password; there are far too many users out there running their routers on the factory default password. Make sure you choose a strong password, and remember that if your router password gets compromised, your entire LAN could be compromised. On the plus side, even if you forget your admin password, resetting the router will return it to the factory default (and will also wipe all your other configuration). If you are administering a LAN that is frequented by people whom you do not entirely trust (or it is your job not to trust them), make sure you set your browser not to save your username and password for the router’s configuration page. In addition, it is good practice to clear the history and cache of the browser you use to configure the router – doing this in conjunction with a router IP address that isn’t the factory default 192.168.0.1 (see 3. Router IP address) adds a further layer of security.
2. Firmware version
Your router’s abilities are determined by its embedded software (firmware), and your router may have shipped with an older version of it. Always check the manufacturer’s support website for that product for the latest firmware version. Newer firmware versions are usually released to fix bugs, refine features or provide entirely new capabilities. I’d recommend making this one of the first steps for a new router: updating the firmware may erase all your configuration, so update before proceeding with the rest of the steps.
An important note: firmware flashing is a fairly straightforward step, but consult your router’s manual before attempting it. If you are using a wireless network, do not attempt to flash your router’s firmware over a wireless link. Any number of things can break a wireless link mid-flash, and you may end up with a router running an unusable, partially loaded firmware (almost like trying to drive your car midway through an oil change).
I’d also recommend keeping two versions of your router’s firmware on a local computer’s hard drive – the new one that you uploaded and the one your router came with. If the new firmware has unforeseen bugs and you aren’t able to get back onto the internet, you still have the old firmware to fall back on. Additionally, some routers have a crash recovery mechanism that lets you reach the router when you are otherwise unable to connect to it and the reset button does not work. Go through your manufacturer’s knowledge base to see if there is a crash recovery method for your router.
3. Router IP address
Most routers out there have a default IP address of 192.168.0.1, and some allow you to change the router’s IP address to one of your choice. While it’s easy to determine the router’s IP address from within the LAN (hint: check the gateway address or DHCP server), changing it will help keep your router from being bothered by curious LAN users with lower than average network skills.
4. The router DHCP Server
One of the great features of routers is the ability to assign an address to computers on your LAN as they show up on the network. This is especially wonderful when you consider the number of network devices popping up on your LAN and your router automatically welcoming them in with an IP address. It can also be a weak point, because your router has its welcome mat out for anyone it thinks is a member of your LAN. A good security measure is to disable your DHCP server and assign IP addresses statically. Let’s face it, most routers are used in home LANs where you need just one hand to count the number of NICs connecting. So why run a DHCP server when you know exactly how many machines you have? Disable the DHCP server if you can give static IP addresses to the machines on your network.
If for some reason you must run a DHCP server, limit the number of addresses it can hand out to one that is realistic for your network size. For example, if you have just 5 regular NICs connecting to the router, then allow your router to assign IP addresses from 192.168.0.100 to 192.168.0.107. This ensures that 2 additional machines can get addresses from your router without you having to go through the router configuration to accommodate your guests. Some routers now sport static DHCP in addition to dynamic DHCP, allowing the router to assign or reserve the same IP address for a specific NIC. This is a useful tool, especially when you are familiar with the machines that will be connecting.
5. Access to Virtual Servers or Port Forwarding: DISABLE
Virtual servers are those that reside in the LAN but need to allow interaction with users from the internet. For example, if you are running your own web server from the LAN, you must set up a virtual server or port-forwarding rule allowing traffic from the internet to reach a specific computer on your LAN. Most home users do not use this feature, and it is best to actively disable such servers or port forwarding.
6. Exclusive Applications: DISABLE
Some routers ship with configurations allowing specific applications access to and from the internet for their own needs. These may involve opening a certain range of ports or specific protocols. If you aren’t going to be using these applications it is highly recommended that you disable access for them; if you are using one of them, allow access for that specific software only.
When software is not able to establish a connection through a router to the internet, most people consider it an annoyance or a failing of the router. I believe that this is actually confirmation that your router is providing adequate security, because it doesn’t allow just any program free access to and from the internet. Most software developers whose programs have specific port or protocol requirements will enumerate exactly what they need to function correctly. I would also caution against using programs that do not spell out their network needs, and recommend searching for other solutions that perform the same tasks – not only is this disclosure necessary to configure your security settings, it is also information you need to know. After all, it is your computer and your network; you need to know what program is trying to access what.
Some routers prefer to group games that require online access under a separate setting; if you aren’t an online gamer, these must be closed down until you actually require them.
7. MAC filters: ENABLE ACCESS TO KNOWN MACs
Every network device ships with a physical address hardcoded into it, called the Media Access Control (MAC) address or ‘physical address’. This usually follows a format like 00-3A-BF-EF-B1-4E. While a network device may get a variety of IP addresses from different networks, its MAC address does not change. (Of course, given the yin-yang of security and insecurity, I should rightly have said that the MAC address does not usually change. MAC addresses can be spoofed, but it requires a higher level of expertise than most average hackers care to possess.)
Tip: if you are using Windows XP or 2000, you can get the MAC address of your network card by typing ipconfig /all in a command prompt window.
Enable MAC filters to deny all computers access to your router except those that you recognize as coming from your LAN. Since MAC filters became popular, I’ve noticed a number of people on wireless connections disabling WEP or WPA security, believing that MAC filters will do just as well. I would like to stress that this is ENTIRELY untrue; a MAC filter was never designed to replace WPA or WEP and must never be thought of as one and the same. Consider owning an oil refinery (hey, if we’re going to dream big…) with pipelines running to various locations. As anyone who’s read the news in apprehension of their SUV’s fuel gauge hovering over the ‘E’ knows, it isn’t enough just to protect the refinery; the pipelines must be secured from breaches. Well, a MAC filter is designed along the same lines: it protects your router (the refinery) from intrusions; however, your wireless data is floating all over its vicinity, so you need to ENCRYPT the data to stop it being read somewhere along the way.
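Items 4 and 7 both come down to the router keeping a list of NICs it recognizes. The following Python is an added example, not code from the original post or from any router vendor: it models a DHCP server with a pool sized to the LAN (the post’s 192.168.0.100 to 192.168.0.107), a static reservation for one known MAC, and a MAC filter that refuses everything else. The class and function names are my own, and every MAC address in it is constructed.

```python
import ipaddress
import re

# Accept the hyphenated form ipconfig /all prints (00-3A-BF-EF-B1-4E), the
# colon form Unix tools print, or bare hex; anything else is malformed.
_MAC_RE = re.compile("^" + r"([0-9A-Fa-f]{2})[-:]?" * 5 + r"([0-9A-Fa-f]{2})$")


def normalize_mac(mac: str) -> str:
    """Return the MAC in canonical upper-case hyphenated form, or raise ValueError."""
    m = _MAC_RE.match(mac.strip())
    if not m:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return "-".join(group.upper() for group in m.groups())


class RouterDhcp:
    """Model of a home router's DHCP server with the post's hardening applied:
    a pool sized to the LAN, static reservations per MAC, and a MAC allowlist.
    The allowlist only decides which NICs the router will talk to; it does not
    encrypt anything, which is why it is no substitute for WPA."""

    def __init__(self, pool_start, pool_end, allowed_macs, reservations=None):
        start, end = ipaddress.IPv4Address(pool_start), ipaddress.IPv4Address(pool_end)
        self.pool = [str(start + i) for i in range(int(end) - int(start) + 1)]
        self.allowed = {normalize_mac(m) for m in allowed_macs}
        self.reservations = {normalize_mac(m): ip for m, ip in (reservations or {}).items()}
        self.leases = {}  # normalized MAC -> IP currently handed out

    def request(self, mac: str):
        """Simulate a DHCP request; return the assigned IP, or None if refused."""
        mac = normalize_mac(mac)
        if mac not in self.allowed:
            return None  # unknown NIC: filtered (a real router should log this)
        if mac in self.leases:
            return self.leases[mac]  # a known device keeps its address
        if mac in self.reservations:
            ip = self.reservations[mac]  # "static DHCP": fixed IP for this NIC
        else:
            taken = set(self.leases.values()) | set(self.reservations.values())
            free = [ip for ip in self.pool if ip not in taken]
            if not free:
                return None  # pool exhausted: only the slack you planned for exists
            ip = free[0]
        self.leases[mac] = ip
        return ip
```

With three known NICs and one reservation, the reserved NIC gets 192.168.0.100, the next gets .101, and a MAC not on the list gets nothing; a ninth device on an eight-address pool is refused.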
8. Remote Management: DISABLE
Your router may have settings that allow you to access its configuration and administer changes from a computer outside your LAN. If you aren’t going to perform these activities from outside your LAN – disable it.
9. Discard Ping from WAN side: ENABLE
Ping is a utility that sends a packet to a specific IP address and waits for a reply. Ping (packet internet groper) sends an ICMP echo request to test the reachability of a particular computer and looks for a response. Under ideal security conditions, your computer or your network should appear non-existent to others outside your network. It is best to set your router not to respond to these ping requests.
10. UPnP: DISABLE
Universal Plug and Play is a feature used especially by newer versions of Windows to allow your operating system to recognize and manage stand-alone devices like routers. However, real-world tests have shown that UPnP can be a vulnerability that is best closed. Ideally your router should be the one making decisions on what to allow and what to deny, with your OS sending data out without trying to dictate its needs to the router. Unless you have very specific program requirements, UPnP should be disabled on your router as well as in your OS.
11. Wireless AP
Most routers now come with the ability to function as a wireless access point. If you do not have any computers that connect without wires, then it stands to reason that you should DISABLE the wireless AP.
The proliferation of wireless networks has revolutionized our thinking of where we can sit with our PCs. However, I should point out that in the interests of security, NOTHING beats wired networks. The rule of thumb should be that wherever possible you use a wired network, and employ a wireless network only under circumstances that make physical wiring or maintenance a severe limitation. A cable running around your room might upset the feng shui, but a wireless network opens bigger security holes, and you must make an informed decision about whether you need to be wireless. Granted, mobile computing devices have become all the rage today; I recommend using wireless only when you need to be beyond the range of your network cable, and avoiding it for activities on the net that shouldn’t be subject to prying eyes (like internet banking). Wireless security protocols, authentication and encryption are a work in progress: we do have a relatively secure working model out there, but it is by no means perfect. The following list of security settings concentrates on good security practices for wireless networks.
12. SSID Broadcast: DISABLE
SSID (Service Set Identification) is a wireless network’s broadcast name, akin to a porch light. It allows your computers (and others’) to home in on your specific address and start receiving data. SSID broadcast has some demonstrated vulnerabilities, and disabling it is an increasingly common security option.
Tip: for best results, configure your router to broadcast the SSID, configure your wireless computers to authenticate themselves to the network for the first time, and then disable SSID broadcast.
13. SSID Name: change from default
Most routers ship with a default SSID, usually the highly imaginative ‘default’. Change away from it and use something unique. It prevents users on other networks from erroneously trying to connect to your network (even if they are unsuccessful, you still shouldn’t have to be bothered with the incessant knocking on your router).
14. Authentication: WPA or WEP
WEP (Wired Equivalent Privacy) was the first step to establishing secure wireless LANs (WLANs), by allowing an administrator to create a master key string and share it between the nodes that will access the WLAN. Without any sort of encryption, anyone can potentially see the packets and look at the contents being exchanged across the wireless network. WEP in typical routers of today comes in 2 flavors – 64-bit and 128-bit encryption (more bits means stronger encryption). However, this method of encryption was later deemed rather insecure, and unauthorized decryption proved to be quite simple.
WEP has now given way to WPA (Wi-Fi Protected Access) as a more robust standard for encryption and an improvement over WEP. WPA uses the Temporal Key Integrity Protocol (TKIP); TKIP takes a master key string as a starting point, derives its encryption keys mathematically from that key, and then changes these encryption keys regularly so that the same encryption keys are not reused. While WPA typically requires a central authentication server to identify a user, for our purposes WPA has a PSK (Pre-Shared Key) implementation that allows you to set a password on your router and then share it with the users. TKIP then takes over and generates the encryption keys.
Set up your router to use WPA-PSK with a strong passphrase. If you find that your router does not have WPA as an option, look for a firmware upgrade. (You might also need newer driver versions and WPA supplicants for your wireless NIC to get WPA-PSK working on non-Windows XP computers – Windows XP ships with a WPA-PSK supplicant. It should be noted here that Windows XP Service Pack 2 has shown remarkable advances in the use of wireless networks that users will benefit from, especially in the stability of connections using WPA.) If you really cannot use WPA, then WEP at 128-bit encryption is a passable solution for that occasional wireless node; however, at no time should you be running a wireless network that is insecure.
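The "master key string" that WPA-PSK starts from is derived from the passphrase you set and the SSID, using PBKDF2-HMAC-SHA1 with 4096 rounds as IEEE 802.11i specifies. The Python below is an added example, not code from the original post: it performs that derivation and renders the resulting hex key in the wpa_supplicant.conf layout that wpa_passphrase(8) prints (without its commented-out plaintext line). The function names are my own; the derivation and the passphrase rules are the standard ones.

```python
import hashlib


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA-PSK (the pairwise master key) from the passphrase
    set on the router and the network's SSID, as IEEE 802.11i specifies:
    PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes of output).
    The SSID is the salt, so the same passphrase on a different SSID yields a
    different key; a table precomputed for the SSID 'default' is useless once
    the SSID has been changed (item 13), and a long passphrase defeats guessing."""
    if not (8 <= len(passphrase) <= 63):
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if not (passphrase.isascii() and passphrase.isprintable()):
        raise ValueError("WPA passphrase must be printable ASCII")
    ssid_bytes = ssid.encode()
    if not (1 <= len(ssid_bytes) <= 32):
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid_bytes, 4096, 32)


def supplicant_network_block(ssid: str, passphrase: str) -> str:
    """Render a wpa_supplicant.conf network block holding only the derived hex
    key, so the passphrase itself never sits in the client's configuration file."""
    psk_hex = wpa_psk(passphrase, ssid).hex()
    return "network={\n" f'\tssid="{ssid}"\n' f"\tpsk={psk_hex}\n" "}\n"
```

The standard's own test vector (passphrase "password", SSID "IEEE") derives to a key beginning f42c6fc5, which is a handy check that a supplicant or router implements the derivation correctly.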