Day 5. SOHO Security Implementation

CompTIA A+ 220-902 Exam Topics

Objective 3.7: Given a scenario, secure SOHO wireless and wired networks.

Key Topics

Today we are going to cover securing small office/home office (SOHO) wireless and wired networks. We will discuss how to create a secure wireless router, and also how to provide physical security for the network.

Wireless Security

To provide secure Internet access for a SOHO, the router's settings must be changed from the factory defaults. Most devices have an RJ45 switch port on the back that can be connected directly to a computer. Once connected, open a browser and enter either the IP address or the URL provided by the router manufacturer; this takes you to the device's main login screen.

Change default username and password—Several settings must be changed to make the device itself secure. First, change the password of the default account and, if possible, change the default username as well; most new routers prompt you to create a new username and password during setup. Check that no other enabled accounts still need a password change. Be sure to write this information down and store it in a safe location.

Change default SSID—The second item to change to make the device more secure is the Service Set Identifier (SSID) name. Each router comes with a default name, and it needs to be changed to something unique with upper- and lowercase characters, numbers, and even some symbols. Do not use the street address, the name of the company, or any other identifying name.

Disable SSID broadcast—It also is considered a good security practice to disable SSID broadcasting to prevent others, such as wardrivers, from detecting your network. If the SSID broadcast is disabled, wireless clients will not be able to detect the SSID when scanning for wireless networks without special software. Although this provides a much greater layer of security, it also adds to the maintenance of the device because computers or devices must be connected manually.

See Figure 5-1 for an example of a modified SSID that is disabled or, in this case, invisible.


Figure 5-1 Renamed and Disabled SSID

Other Security Options

Disable WPS—Wi-Fi Protected Setup (WPS) originally was intended to make setting up a router easier. If the router supports WPS, it most likely is enabled by default. WPS makes the device less secure and susceptible to password-guessing and brute-force attacks. WPS can be used in several ways: either an 8–10 character code that is easily cracked, or a pushbutton connect, where a simple push of a button on the router allows connections for a few minutes instead of requiring a code.

Figure 5-2 shows a WPS that has been disabled and an example of an eight-digit PIN code.


Figure 5-2 Disabled WPS and PIN Settings

Enable MAC filtering—Turning on this option in the SOHO wireless router settings requires the user/admin to enter a list of all MAC addresses allowed to use the router. Only devices with those addresses are allowed access, which means any new device must be added manually. MAC filtering can be overcome with sniffer software that can detect MAC addresses.

Content filtering and parental controls—These are services that might be available on the router that can block inappropriate and dangerous sites. Parental controls can include access restrictions based on hours of the day, specific days, time limits, and categories. Some devices also provide restrictions based on keywords that can be blocked.

Wireless Firewall Settings

Firewalls often are built into routers. They protect the network from threats by filtering packets before they reach the internal computers. Make sure that the firewall is enabled when you first set up the router—even though most are on by default.

Sometimes specific traffic needs to be allowed through the firewall, such as reaching an internal web or FTP server. In these cases, opening a specific port or all ports is necessary. The following instances can require the use of open ports:

Port forwarding/mapping—Uses network address translation (NAT) to redirect an external network port to an internal IP address and port. This enables certain traffic (for example, a multiplayer video game) to be pointed at a specific IP address on the internal LAN.

Port triggering—Enables an incoming connection to one computer to be opened automatically based on a specific outgoing connection. The trigger port and the destination port need to be configured so that the outgoing traffic causes the router to open the destination port (used for traffic such as BitTorrent).

A demilitarized zone (DMZ)—Puts systems with specific IP addresses outside the internal network but still behind the external-facing router. It enables Internet access to these machines and creates an area that is reachable from the Internet but is not actually part of your internal network. It is used for items that need to be accessed by the public, such as email, FTP, or web servers. Outside access is allowed up to the gateway to the internal LAN, which is restricted. See Figure 5-3 for an example of a wireless router with a built-in firewall running a DMZ.


Figure 5-3 Wireless Router with a DMZ
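To make the difference between the three open-port features concrete, here is an added example (not from the study guide or any real router firmware) that models how a SOHO firewall decides which LAN host an unsolicited inbound packet reaches. The class name, the addresses and the port numbers are constructed for illustration.

```python
"""Model of the three 'open port' features of a SOHO router firewall.

Constructed example: static port forwarding, a port trigger that is armed
only by matching outbound traffic, and a DMZ host that receives every
port nobody else claims.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SohoFirewall:
    forwards: dict = field(default_factory=dict)   # external port -> (lan_ip, lan_port)
    triggers: dict = field(default_factory=dict)   # outgoing trigger port -> inbound port to open
    dmz_host: Optional[str] = None                 # LAN host that receives everything else
    _opened: dict = field(default_factory=dict)    # inbound port -> lan_ip, armed by a trigger

    def outbound(self, src_ip: str, dst_port: int) -> None:
        """A LAN host makes an outgoing connection; a matching trigger opens the inbound port."""
        if dst_port in self.triggers:
            self._opened[self.triggers[dst_port]] = src_ip

    def inbound(self, dst_port: int):
        """Decide where an unsolicited packet from the Internet goes; None means dropped."""
        if dst_port in self.forwards:               # static mapping is checked first
            return self.forwards[dst_port]
        if dst_port in self._opened:                # port dynamically opened by a trigger
            return (self._opened[dst_port], dst_port)
        if self.dmz_host is not None:               # DMZ host catches all remaining ports
            return (self.dmz_host, dst_port)
        return None                                 # no rule: the firewall drops it


def demo() -> dict:
    """Walk through the three features with constructed addresses."""
    fw = SohoFirewall(forwards={8080: ("192.168.1.10", 80)}, triggers={6881: 6889})
    before = fw.inbound(6889)            # trigger not yet armed -> dropped
    fw.outbound("192.168.1.20", 6881)    # LAN client starts an outgoing BitTorrent session
    after = fw.inbound(6889)             # now delivered to the client that triggered it
    web = fw.inbound(8080)               # forwarded to the internal web server
    fw.dmz_host = "192.168.1.50"
    dmz = fw.inbound(22)                 # any other port lands on the DMZ host
    return {"before": before, "after": after, "web": web, "dmz": dmz}


if __name__ == "__main__":
    print(demo())
```

Note that once `dmz_host` is set, every port without an explicit rule reaches that host, which is why only a machine meant to be public belongs in the DMZ.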

Setting Wireless Encryption

Wireless routers provide access to multiple encryption options such as the ones shown in Table 5-1.


Table 5-1 Possible Encryption Options on a Wireless Router

When wireless was first available, WEP was the best option for providing encrypted traffic. WPA replaced WEP and still exists today. However, because WPA was still vulnerable to intrusion, WPA2 was introduced in 2006. It is the most common wireless protocol and is required for any new device wanting to carry the Wi-Fi trademark. The advantage that WPA has over WEP is that it uses the Temporal Key Integrity Protocol (TKIP). It is 128-bit encryption and generates a new key for every packet sent, making it more secure than WEP. The most significant change between WPA and WPA2 is the mandatory use of AES algorithms.

WPA2 replaces TKIP with Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), which is an AES-based encryption method. CCMP uses 128-bit keys and also provides data integrity and authentication. AES is a symmetric block cipher used worldwide that uses stronger algorithms and longer key lengths than TKIP. A WPA2 mode that offers both AES and TKIP is still needed to support clients that do not yet support AES.

WPA2-Personal or WPA2 + AES is the best choice for a SOHO because it does not require the use of a server to provide authentication and it also provides the best encryption possible. WPA and WPA2-Enterprise options are best used when an authentication server is available.

Wireless Network Settings

SOHO routers usually come configured with a private Class C address of 192.168.1.1 or 192.168.0.1. This is the LAN address, and it also serves as the gateway address for the internal network. These routers also connect to the ISP, which means they need an external IP address. Usually this is a public address that is assigned or obtained automatically from the ISP.

Most wireless routers also act as DHCP servers. The router can come automatically set or be manually set to give out a specific range of addresses. The set of addresses reserved for DHCP can be modified. If a device is shared, such as a network printer, it might be better to assign it a static IP address that doesn’t change instead of using DHCP.
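The advice above (gateway on the LAN, a DHCP pool, static addresses for shared devices) is easy to get wrong by hand, for example by giving a printer an address inside the DHCP pool. The following added check is not from the study guide; the addresses and device names are constructed for illustration.

```python
"""Sanity-check a SOHO LAN address plan: gateway, DHCP pool and static hosts.

Constructed example: flags static addresses that fall inside the DHCP
pool (possible lease collision), reuse the gateway, or leave the subnet.
"""
import ipaddress


def check_lan_plan(lan: str, gateway: str, dhcp_start: str, dhcp_end: str,
                   static: dict) -> list:
    """Return a list of problem descriptions; an empty list means the plan is consistent."""
    net = ipaddress.ip_network(lan, strict=False)
    gw = ipaddress.ip_address(gateway)
    start, end = ipaddress.ip_address(dhcp_start), ipaddress.ip_address(dhcp_end)
    problems = []
    if gw not in net:
        problems.append(f"gateway {gw} is outside {net}")
    if start not in net or end not in net:
        problems.append(f"DHCP pool {start}-{end} is not inside {net}")
    if start > end:
        problems.append("DHCP pool start is after its end")
    if start <= gw <= end:
        problems.append(f"gateway {gw} lies inside the DHCP pool")
    seen = {}                                   # address -> device name, to catch duplicates
    for name, addr in static.items():
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            problems.append(f"{name} ({ip}) is outside {net}")
        elif ip == gw:
            problems.append(f"{name} reuses the gateway address {gw}")
        elif start <= ip <= end:
            problems.append(f"{name} ({ip}) sits inside the DHCP pool and may collide with a lease")
        if ip in seen:
            problems.append(f"{name} and {seen[ip]} share {ip}")
        seen[ip] = name
    return problems


def demo() -> list:
    """Constructed plan: the printer is fine, the NAS was placed inside the pool."""
    return check_lan_plan("192.168.1.0/24", "192.168.1.1", "192.168.1.100", "192.168.1.199",
                          {"printer": "192.168.1.50", "nas": "192.168.1.150"})


if __name__ == "__main__":
    for p in demo():
        print("problem:", p)
```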

Wireless Physical Security

Antenna and access point placement—Wireless communication occurs by transmitting data over radio waves on either the 2.4 GHz or the 5 GHz frequency. Each of these frequencies has various speeds and data rates. Using the correct 802.11 version and knowing the capabilities of that version to transmit can help ensure that the placement of the device provides the greatest connectivity. The latest standards of 802.11n and 802.11ac provide the greatest range of access.

There are some rules regarding the placement of wireless routers that can enhance connectivity when followed. Check to ensure that the unit is not placed near other electronic sources, such as microwaves or any other items that can cause electromagnetic interference (EMI). Try to find a centralized location that is not blocked by walls, doors, glass, or other objects.

Antennas should be oriented vertically if the signal is meant to go wide. If the signal needs to go deep, such as down to another floor, the antenna should be set to a more horizontal angle. It is best to point it toward where most of the computers are located. Some antennas are detachable and can be upgraded to a better model.

Because so many possibilities exist for blocking wireless radio waves, you might need to do a site survey. A site survey can determine the number and the placement of access points to provide full coverage for a large area. Special equipment is used to determine coverage.

Radio power levels—Wireless devices transmit data over radio waves that are either on the 2.4 GHz or 5 GHz frequencies. Other devices that work on the same frequency as the wireless device can interfere with communication. This is something to keep in mind when determining the placement of the router and diagnosing problems with connectivity.

Each of these frequencies has a distance limitation and a maximum data rate capability, depending on the strength of the device’s antenna. A concept known as multipath propagation has enabled wireless devices to increase the data transfer rates. Also known as multiple-input and multiple-output (MIMO) technology, the devices usually have from three to four antennas.

Disabling physical ports—SOHO routers normally come with a built-in switch. The option to disable individual Ethernet ports on the router is an important part of the physical security of the device. If the router is in a public location, disabling any unused ports prevents unauthorized connections by rogue computers.

Updating firmware—Just like the computer, a router has firmware that can and should be updated periodically. Use the website of the device’s manufacturer to check that you have the latest firmware update installed.

Activity 5-1: Match the Correct Feature with the Wireless Need

Refer to the Digital Study Guide to complete this activity.

Activity 5-2: Place the Wireless Router in the Correct Location

Refer to the Digital Study Guide to complete this activity.

Study Resources

For today’s exam topics, refer to the following resources for more study.


Check Your Understanding

Refer to the Digital Study Guide to take a quiz covering the content of this day.
