Monday, May 7, 2018

Router Security Checklist

Router Security Checklist

Security Checklist

 

The most expert person in the world can only make a router as secure as the firmware (router OS) allows. The following list of security features lets you judge how secure a router can potentially get. This is not a list of things to do to make a router more secure. That list includes a number of actions, like changing the default password, that are common to all routers and thus not in the list below. If you care about securing a router, look for it to have the features below. Sadly, reviews of routers never discuss any of this.

  1. WPS   (updated March 30, 2017)
    • Is WPS supported? WPS has been such a security disaster that I would not want to use any router that supports it. Since WPS is required for WiFi certification, it is widely present in consumer routers. Yet another reason, not to use a consumer router.
    • At the end of March 2017, I added a new WPS page to this site with everything you ever wanted to know about it, and more.
    • If you are using a router that supports WPS, then check to see if it can be turned off. There are two aspects to this. When the security issues with WPS first came to light at the end of 2011, some routers would not disable WPS even when told to do so - a bug. Then too, some routers, such as the D-Link DIR 890L do not let you disable WPS.
    • WPS status: To verify that WPS is disabled use a WiFi survey type application such as the excellent WiFi Analyzer on Android. On Windows, look into WiFiInfoView from Nirsoft - it is free and portable.

  2. NO DEFAULT PASSWORDS (added Nov. 21, 2015)
  3. Default passwords are a huge problem for routers and should not be allowed. Even default passwords that look random are not. Eventually, someone figures out the formula for creating that password and can often use that, combined with public information from the router, to derive the password. Thanks to Russ for this idea.
    • When initially configured, does the router force you to provide new, non-default WiFi passwords for every Wi-Fi network?
    • When initially configured, does the router force you to provide a new, non-default password for logging in to the router itself?
      One router that does is the Synology RT1900ac (User Guide, screen shot). I have read that DD-WRT also does this.

  4. LOCAL ADMINISTRATION
  5. A malicious person on your network is bad enough, but we need to prevent them from being able to modify the router. The router also needs to be protected from malicious web pages that exploit CSRF bugs.
    • Is HTTPS supported? In 2013, Independent Security Evaluators tested 13 consumer routers. Some supported HTTPS, some did not. Every router that supported it, however, had it disabled by default.
    • If HTTPS is supported, can admin access be limited exclusively to HTTPS?
    • Can admin access be limited to Ethernet only?
    • Can the TCP/IP port used for the web interface be changed?
    • Can access be restricted by LAN IP address? To really prevent local admin access, limit it to a single IP address that is both outside the DHCP range and not normally assigned.
    • Can access be restricted by MAC address? The TP-Link Archer C7 supports this. See screenshot.
    • Can router access be restricted by SSID and/or by VLAN? The Pepwave Surf SOHO can do both of these since it can assign an SSID to a VLAN (screenshot).
    • Is it limited to one logon at a time? It should be. The router should not allow multiple computers to logon at the same time using the same userid.
    • Is there some type of lockout after too many failed attempts to login to the web interface? Peplink added this in firmware 7.0.1, released June 2017.
    • Is there a CAPTCHA option for logging in? (D-Link offers this)
    • Can you logout of the web interface? You should be able to. I have seen Linksys and D-Link routers without a Logoff button.
    • Does it time out? It should, and you should be able to set the timeout period. See Cisco example.

  6. REMOTE ADMINISTRATION
    • Can it be limited to HTTPS only? To me, this is an absolute must. The Netgear Nighthawk R700, despite great reviews, only supports remote management over HTTP which means your password travels in the clear. I have seen this too with low end Asus routers, while their higher end models do offer HTTPS.
    • Can the port number be changed? (also a must)
    • Can access be restricted by source IP address or source network?
      Here is an example of this, from a Pepwave Surf SOHO router running Firmware 6.2. The "Allowed source IP subnets" is where you can set multiple IP addresses (yes, its a bit confusing) and IP subnets from which remote administration is allowed. In reference to the two previous issues, the security for remote administration can be HTTP only, HTTPS only, or both. In the screenshot, it is HTTPS only. The "Web admin port" is the port used for remote administration, in the screenshot it is 12345. The "Web admin access" can be set to LAN only or, as in the example, both LAN and WAN.
      Most of us, at home, have a dynamic IP address from our ISP which at first glance would seem to rule out using this security feature (anyone who works in an office with a static public IP address can, of course, use it). But, a couple VPN providers offer static IP addresses. One is Nord VPN, which lets an account be assigned a static IP address. TorGuard, another VPN company, also offers a static IP address ($8/month as of April 2015). If you know of another, email me.
    • Does it time out? (it should) That is, if you forget to logout from the router, eventually your session should time out, and, you should be able to set the time limit, the shorter, the more secure.
    • Is it off by default? It should be. The Linksys AC1900 (EA6900) has Remote administration enabled by default.
    • Is it limited to one logon at a time? It should be. The router should not allow multiple computers to logon at the same time using the same userid.
    • Is there some type of lockout after too many failed attempts to login to the web interface? Peplink added this in firmware 7.0.1, released June 2017.


  7. WIFI
  8. No one can hack into a network that does not exist.
    • Can the wireless network(s) be scheduled to turn off at night and then back on in the morning? Two routers that offer this feature are the Amped Wireless RTA1750 and the Synology RT1900ac.
    • Is there a WiFi on/off button? This is a rare feature. Some routers with it are the TP-Link Archer C9, D9 and C3150, the Asus RT-AC68U, The Netgear R6220 and the Synology RT1900ac. The idea is to make it easier to disable WiFi when its not needed. When this is easily done, more people will do it. The routers I have seen with a WiFi on/off button all had a very small button that was hard to reach. An exception is the NETGEAR R6400-100NAS which has the button in an easy to locate position on the top of the router. So too some FRITZ!Box routers, popular in Germany and Australia (closeup). The Synology RT2600ac has the button on the side where it should be easy to reach. Same for the Asus RT-AC1900P.

  9. WPA2
  10. Although every router offers WPA2 encryption with Pre-Shared Key (PSK) there are still things to look for:
    • Verify that the router offers WPA2 exclusively. If the only option is a combination of WPA and WPA2, then it is not as secure as WPA2.
    • After opting for WPA2 encryption, a better router will always use AES or CCMP (two terms for the same thing). Some routers offer TKIP as an option with WPA2. TKIP is not as secure. Meraki is high end wireless vendor owned by Cisco. I have seen a network running their hardware offer WPA2 with TKIP. If there is no secondary option after you select WPA2, then you will need to use a WiFi scanner app, such as WiFi Analyzer on Android, to see if it is using AES, CCMP or TKIP.

  11. GUEST NETWORKS
  12. In general, a guest network is a good thing. I blogged on this December 2015: To share or not to share - a look at Guest Wi-Fi networks. But, all guest networks are not the same.
    • Is the network defined normally or does it require a captive portal? For more on this see Warning: Guest Mode on Many Wi-Fi Routers Isn't Secure. Normal is good, captive portal is bad. For more on why this is see my blog Linksys Smart Wi-Fi makes a stupid Guest network.
    • Is WPA2 supported on the Guest network? This comes from the article linked to above which points out that Belkin and Linksys Smart WiFi routers do not support WEP, WPA or WPA2 on their Guest networks. On a related topic, Ubiquiti AmpliFi routers default to not having a password on the Guest Network.
    • Perhaps the biggest security feature of a guest network is that it keeps guest users away from the private network. When this is working properly, guest users will not be able to see anything that is Ethernet connected to the router, or, anything that is connected to a non-guest wireless network from the same router. Put another way, you want guests to see the Internet and nothing but the Internet. Sadly, this feature is assigned many different names. Asus calls it "Access Intranet". TP-LINK calls it "Allow Guests to access my local network". D-Link calls it "Internet access only". TRENDNET also calls it "Internet access only" and they explain that it "prevents guests from accessing the private LAN network".
      Verify this!
      One way to verify it is with a LAN scanner app such as Overlook Fing which runs on iOS, Android, Windows and OS X. The scan should not see any devices on the private network. Another option is, from a guest network, to try and access a NAS or a network printer or any other LAN device exposing a web interface.
    • Some routers have a configuration option for guest users being able to see each other. It is more secure if they can not, but there may be times where you want to allow this. Like the feature above, this too, may be called "isolation". TRENDNET calls it "Wireless Client Isolation" and they explain that it "isolates guests from each other". TP-LINK calls it "Allow Guests to See Each Other". If there are multiple guest networks (often one on the 2.4GHz band and another on the 5GHz band), then the question becomes whether guest users on one guest network can see guest users on another guest network.
    • NOTE: According to a March 2015 article at How-To Geek, older Netgear routers had an option to "allow guests to access my local network" and a separate option to "enable wireless isolation" which prevented guest users from seeing each other. However, the Netgear Nighthawk X6 router no longer supports two options. They were combined into a single option called "allow guests to see each other and access the local network." Not good. As the article says "There are numerous, and perfectly valid, reasons for wanting to enable one and not the other (e.g. your kids want to play network games with their friends on the guest network so network isolation must be disabled, but you don't want them to access your LAN)..."
    • Some routers let you schedule the guest network(s). It would be great if you could turn it on for X hours and then have the router de-activate it. Probably the worst thing about guest networks is leaving them on all the time. One router that can do this is the Trendnet TEW-813DRU. The company has an online emulator from which I took a screen shot.
      If the network can't be scheduled, the next best thing is making it easy to turn it off and on. To that end, a smartphone/tablet app for controlling the router may provide an easier interface.
    • Time limits: The Ubiquiti AmpliFi system can limit the life span of the Guest Network. The Norton Core router goes further, it can apply different time limits to each individual user. Five minutes before a users time is going to expire, the Norton Core can alert you, so that you can extend the time.
    • The Norton Core router is the only one I know of that can alert you whenever a new user joins the Guest Network. See the User Guide
    • A Guest user may or may not be able to login to the web interface of a router. Obviously, locking them out is more secure. A reader of this site, Sudhakar, raised this issue for the first time in Dec. 2015. I have not seen this discussed by any consumer router. The Pepwave Surf SOHO can limit router access to a single SSID, thus blocking guest users.
    • Subnets: the Guest network may share the same subnet as the private network or use a different one. I prefer different subnets. The Linksys Smart WiFi line does this.
    • Nice to have: Some routers, such as the Ubiquiti AmpliFi, let you limit the total number of concurrent guest users.
    • Nice to have: Some routers let you limit the bandwidth of guest networks. In the TP-LINK example above, it is not clear if the limit applies to the entire network as a whole or to each user individually.
    • Although not a security issue per se, some routers do not let you chose the Guest network name. The Linksys Smart WiFi line, for example, always uses the SSID of the private 2.4GHz network and appends "-guest" at the end.
    • Vouchers: The Ubiquiti UniFi system can run a Guest network based on vouchers. Users are forced to enter a voucher ID on a captive portal page. Vouchers can be single-use or multi-use. They last for a customizable amount of time and can also be linked to a bandwidth quota or bandwidth limits. You can print a sheet of codes, cut it up and give them out. The down side is that this requires Ubiquiti controller software. More here and here and here.
    • FYI: Kick the tires on how an Asus router configures Guest networks and see documentation on guest networks from TP-LINK, Netgear and Linksys.
    • Google Wifi lets guest users see devices on the main LAN, according to this April 2017 article.

  13. ROUTER USERID
    • Can the userid for the web interface be changed? Every router lets you change the password, a few let you also change the userid. This is most important when using Remote Administration. An October 2016 study of 12,000 home routers by ESET found that "admin" was the userid "in most cases."
    • Is there a read-only user? Most routers only allow for one userid, but some allow for two: one with full admin privileges and one that is only allowed to view stuff but not make changes.
    • Many users: this seems like overkill to me, but some routers let you define multiple userids. A Verizon DSL gateway, the D-Link 2750B lets you go so far as defining groups of users.

  14. ROUTER PASSWORD (updated Nov. 15, 2015)
    • How long can the router password be? In one of my favorite stories, Brian Krebs ran across a router that only supported passwords up to 16 characters long. Quoting from his article: "I helped someone set up a ... ASUS RT-N66U ... router, and ... made sure to change the default router credentials ... ... my password was fairly long. However, ASUSs stock firmware didnt tell me that it had truncated the password at 16 characters .... when I went to log in to the device later it would not let me in ... Only by working backwards on the 25-character passphrase I'd chosen - eliminating one letter at a time ... did I discover that the login page would give an "unauthorized" response if I entered anything more than that the first 16 characters of the password". I have also read of a D-Link router that limits passwords to 15 characters and also does not make this clear. So, test if your router allows a 17 character password. It should.
    • How short can the router password be? Very short passwords should not allowed.
    • Are the password rules explained? When you change the router password, does the User Interface explain the rules about acceptable passwords? That is, does it say anything about the length of the password or if any characters are not allowed?
    • Does the router allow brute force password guessing? After a certain number of wrong passwords does the router do anything to prevent further guessing?

  15. FIREWALL   (updated Nov. 25, 2017)
  16. There are three aspects to the security of a router firewall.
    • What ports are open on the WAN/Internet side? The most secure answer is none. If you are using old school Remote Administration, then this will require an open port. Every open port on the WAN side needs to be accounted for, especially if the router was provided by an ISP; they often leave themselves a back door. The Test your router page links to many websites that offer firewall tests. That said, none of them will scan all 65,535 TCP ports or all 65,535 UDP ports.
    • What ports are open on the LAN side? Expect port 53 to be open for DNS (probably UDP, maybe TCP). If the router has a web interface, then that requires an open port. The classic/standard utility for testing the LAN side firewall is nmap. There are some instructions for using nmap on the New Router Setup page. As with the WAN side, every port that is open needs to be accounted for.
    • Can the router create outgoing firewall rules? There are all sorts of attacks that can be blocked with outgoing firewall rules. Here is an example of a Peplink firewall rule that blocks access to a domain. Generally, consumer routers do not offer outbound firewall rules while business class routers do.
  17. MAC ADDRESS FILTERING
  18. I am well aware that MAC address filtering is far from perfect. That said, it does make it harder for bad guys to get on to your network. Many people say not to bother with it, both because its a big administrative hassle, and, because it wil not block a skilled attacker. The administration hassle, however, is not the same on all routers.
    • The big question with MAC address filtering is whether this feature applies to all networks created by the router, or, to all networks on the same frequency band (2.4GHz or 5GHz), or, in the best case, if there are separate MAC filtering lists for each individual network/SSID? If a router supports independent filtering lists for each SSID, then MAC address filtering can be used for the main, private SSID and not used on guest networks. This makes it a practical solution as the maintenance hassle is so low.
    • Another aspect that can make this much easier to deal with is comments. That is, instead of just maintaining a list of black- or white-listed MAC addresses, the router should also let you add a comment to each MAC address. This way you can easily check if computer X is already in the list or not. And, when tablet Y is lost, it makes it easy to remove it from the list. Of the routers I have seen, only AirOS firmware running on a Ubiquity AirRouter offered the ability to add a comment. It looked like this.

  19. UPnP (Revised Oct 9, 2016)
  20. Universal Plug and Play (UPnP) can be a security problem in two ways. It was designed to be used on a LAN where it lets devices poke a hole in the firewall. It was never meant to be used on the Internet, but some routers mistakenly enabled it there too. Most routers let you disable UPnP on the LAN side.
    • Can you disable UPnP in the router?
    • NAT-PMP is very similar to UPnP but most often found on Apple devices. If a router supports NAT-PMP, check whether it can be disabled. According to Apple, NAT-PMP is included in OS X 10.4 or later, AirPort Extreme and AirPort Express networking products, AirPort Time Capsule, and Bonjour for Windows.
    • Steve Gibson's UPnP exposure test is the only way that I know of to test for UPnP being enabled on the WAN/Internet side of a router. Start at his ShieldsUP!, then click they gray "Proceed" button. On the next page click the big orange button labeled "GRC's Instant UPnP Exposure Test". I would take any router that fails this test out of service.
    • pfSense supports both UPnP and NAT-PMP but not only does it let you disable them, it also has some extra security of its own.
    • From How To Disable the UPnP Feature On Your NETGEAR Router: "By default, NETGEAR home routers have UPnP enabled, while the business routers have it disabled."
    • The D-Link DIR-880L router does not let you disable UPnP.
    • Eero enables UPnP by default, but you can disable it.
    • According to page 7 of the User Guide the Ubiquiti AmpliFi router has UPnP enabled by default, and it can be disabled.
    • The Google OnHub routers enable UPnP by default, but you can disable it.
    • To disable UPnP and NAT-PMP on a Pepwave Surf SOHO running firmware 6.3, go to the Advanced tab -> Port Forwarding. There are checkboxes for both UPnP and NAT-PMP. Each is disabled by default.
    • Based on reading the full documentation, two lousy sentences, Luma routers were initially running UPnP and you could not disable it. As of a software update from August 2016, UPnP can be disabled.
    • If you must use UPnP, then look for a router that offers detailed status information about the state of forwarded ports, such as the app that made the UPnP request and details on the currently active port forwarding rules. Some port forwarding rules come from UPnP and some don't. It is best to use a router that clearly shows which port forwarding rules came from UPnP requests. One router that does a great job of this is the TP-LINK Archer C7 and there is an online demo of the C7 user interface. Click on Forwarding, then UPnP to see its display of UPnP information, which includes a description of the application that initiated a UPnP request, the external port that the router opened for the application, the IP address of the LAN device that initiated the UPnP request, and more. Netgear KB Article 23020 has a screen shot of the UPnP Portmap table which shows what's going on with port forwarding due to UPnP.
    • An example of the router security enemy is the UPnP PortMapper program that can be used to "manage the port mappings (port forwarding) of a UPnP enabled internet gateway device (router) ... Port mappings can be configured using the web administration interface of a router, but using the UPnP PortMapper is much more convenient". Ugh.

  21. PORT FORWARDING
    • Can it be limited by source IP address and/or source IP subnet? The secure answer is yes. For example, both Real VNC and Apple Remote Desktop listen for incoming connections on TCP port 5900. Without this feature, anyone in the world can connect to these programs on that port. Bad guys scan the Internet to find devices that are listening on port 5900. With this feature, you can limit who is allowed to talk to the software on port 5900. The official term for this, I believe, is IP Filtering.
    • Can port forwarding be scheduled? If a techie uses Real VNC or Apple Remote Desktop to help a non-techie with their computer, but only does so in the evening, then this feature lets the forwarding of port 5900 be disabled in the morning, afternoon and late night.

  22. Is HNAP supported?
    The correct answer is no. The Home Network Administration Protocol has been the basis for multiple router flaws. In April 2015 it was found to make a number of D-Link routers vulnerable. In Feb 2014 is was used as part of an attack on Linksys routers (see this for more). The Linksys firmware in their classic WRT-54G supported HNAP. In 2010 HNAP was used to hack D-Link routers. As far as I know, there is no way to disable HNAP. There are two ways to check for HNAP support. First, ask the router vendor. If nothing else, this can be a great test of technical support. If the company can't or won't answer this question, their routers are best avoided. Peplink, my preferred router vendor, does not support HNAP - I asked them. For a technical test, try to load HTTP://1.2.3.4/HNAP1/ where 1.2.3.4 is the IP address of your router. This works from inside your network using the routers internal IP address. The real danger, however, is from the outside, so have someone try it from the Internet using the public IP address of your router which you can find at many sites such as ipchicken.com or checkip.dyndns.com. For good luck, also run this test on port 8080, which would look like HTTP://1.2.3.4:8080

  23. FIRMWARE
    • Can you be passively notified (typically via email) by either the router or the company that produced it, when there is new firmware? Peplink does this. See an example from December 2015, announcing firmware version 6.3. Most routers require you to seek out firmware updates on your own.
    • For a new router: does it attempt to update the firmware as part of the initial setup process? Tests run by the Wall Street Journal in early 2016 found that 10 out of 20 routers did not.
    • For an existing router: can it automatically update the firmware on its own? If so, see the next topic. While auto-updating may be appropriate for routers owned by non-techies, it is not always a good thing. Personally, I prefer to be in charge. This lets me install bug fix releases fairly quickly but delay new versions/releases.
    • How easy is the upgrade process? Better routers can completely handle a firmware update in the web user interface. Lesser routers force you to download a file, then upload it back to the router. This harder procedure makes it less likely router owners will update the firmware. Also, being able to handle the update completely in the router web interface, means that the firmware upgrade can be done by a remote user.
    • The new firmware may reset some options. To protect against this, its a good idea to manually backup all the current settings before upgrading. The Pepwave Surf SOHO always reminds you to do this. Does your router?
    • If there is a function in the web interface to check for new firmware, does it actually work? I can personally attest that many routers do not. David Longenecker writes that "Asus is notoriously inconsistent at keeping their auto-update servers up to date..." Tests run by the Wall Street Journal in early 2016 found 2 of 20 tested routers incorrectly reported their firmware was up to date.
    • Is the firmware downloaded securely? (HTTPS, SFTP or FTPS) There are two parts to this question as the firmware may be downloaded by the router itself or by you manually from the vendors website. Good luck answering this question.
    • Is new firmware validated before it is installed? Good luck answering this too. If its not validated then a bad guy or spy agency might be able to trick you or your router into installing maliciously modified firmware. In Feb. 2014 David Longenecker examined an ASUS RT-AC66R router in detail and found that it used no security at all in checking for, and downloading, new firmware.
    • Does the router support multiple installed firmwares? This great feature lets you back out from a firmware update that causes problems and thus eliminates most of the risk that always exists when installing new software. The best company I have seen here is Peplink/Pepwave which lets you easily reboot into the prior firmware. This can also help if a configuration change causes a problem. The Linksys EA6200 can also restore a prior version of the firmware.

  24. SELF-UPDATING FIRMWARE (added Sept 29, 2016, revised Feb 15, 2017)
  25. Routers that automatically update their firmware have their own issues. A list of self-updating routers is on the Resources page.
    • Is there an audit log of each firmware update issued by the router vendor? Something along the lines of what Microsoft provides for Windows 10.
    • Is there an audit log of each firmware update installed on your router? Only by comparing these two logs can you verify that the auto-update system is working correctly. Also, if you experience network problems, it is vital to know when the last firmware was installed.
    • How often does the router check for updates? Can you control this?
    • Can you be notified of firmware updates beforehand? Afterwards? If so, what type of notification?
    • If you are notified beforehand, can you schedule the firmware installation and the necessary reboots it entails?
    • Even if you are not notified of available updates, can you set a schedule for when installation/reboots are allowed? That is, reboot at 3am but not at 3pm.
    • Can you force the router to check for new firmware?
    • Can you force the router to update to newly available firmware, or do you have to wait for its regular check-in?
    • If you do nothing, how quickly will newly released firmware be installed? Eero promises to install new firmware "within a few weeks"
    • When the router phones home looking for updates does it do so securely with TLS?
    • When the router downloads new firmware does it so securely with TLS?
    • Is newly downloaded firmware validated in any way, such as being digitally signed?
    • Does the router support multiple installed firmwares? (so you can fall back in case an update causes a problem) If not, then can you install old firmware if a new version caused a problem?
    • Is there a manual over-ride mechanism for installing new firmware in case the auto-updating system fails?
    • Does the vendor document the changes in each firmware update? If so, do they do it well?
    • Can you tell what version of the firmware is now running? If its a multi-device mesh router/system, then the question applies to each device.
    • How smart is the auto-updating system? Specifically, can it self-update within the same firmware version, but update when there is a major new firmware release? Synology offers this on their NAS boxes. You can configure the NAS to self-update from version 5.1 to 5.2 to 5.3, but not to automatically update to version 6.
    • Can you backup the router settings to a file? Pretty much any router can do this, but with auto-updating I wonder if that feature still exists.
    • In a mesh system involving multiple devices, do all the devices update their firmware at same time? If not, how is it handled?
    • In a mesh, what happens if one device gets new firmware but another device does not? Can the system run if the three devices are not on the exact same firmware release?

    As for answering these questions, my experience with self-updating routers has been minimal. However, someone from Linksys was kind enough to address these issues (Feb. 2017) for their routers. I created a new page here for Self Updating Router Firmware and hopefully I can get answers from other router vendors too.



  26. Is the router vulnerable to the Misfortune Cookie flaw? This is not something we can test for ourselves, nor is there a full list of vulnerable routers anywhere. We need to have the router manufacturer issue a statement. So this is really a test of how the router vendor handles security issues. Did they post anything on their website? If you ask them, will they intelligently respond? The bugs page on this site links to responses from Actiontec and Peplink that their routers are not vulnerable. I looked for a Netgear response and could find nothing. ZyXEL patched some of their routers but not others. If a company is not forthright about this flaw, then you know that they can't be trusted to make a secure product. And, even if they were vulnerable, but issued updated firmware, I would also be concerned as this means they shipped extremely old software.

  27. Can it block access to a modem by IP address? See my blogs on this part one and part two.

  28. LOGGING: (revised Nov. 23, 2015)
    • Is there a log file (or files)? There should be, and hopefully, the data in the log is reasonably understandable and useful. I find the log created by Asus routers all but worthless. An old Verizon DSL gateway, the D-Link 2750B, had both a System Log and a Security Log. The Pepwave Surf SOHO has a single log file. The D-Link 860L has three log files: System, Firewall & Security and Router Status.
    • Does it log unsolicited incoming connection attempts? I consider this particularly interesting as it helps to illustrate how dangerous the Internet is and why a secure router is important. Its one thing to be preached to about how dangerous the Internet is, but quite another to see evidence of computers all over the world trying to hack into your router. If you see computers from China trying to access certain ports on the router, you can research the ports, try to close them, or forward them to a non-existing local IP address. This may be asking too much of a router, that is, it may require a NGF or UTM).
    • Does it log failed logon attempts? Successful logons? Failed logons are obviously good to know about, but so too are successful logons, just in case the person in charge of the router was not the one who successfully logged in. Hopefully, the logged information includes the source IP address.
    • Is anything logged when a new device joins the LAN? It would make a great audit trail if the router logged the client MAC address every time a new device joined the network. As of Firmware 6.3, released in Jan. 2016, Peplink can optionally log each time an IP address is given out by its DHCP server. There is no option, however, to log the appearance of a new device with a static IP.
    • Can it log all Internet access by a single device? In Nov. 2015 it came to light that a Vizio Smart TV was watching you and phoning home screen shots, even when it was playing video from an external source (think Roku and DVD). This feature lets you keep a close watch any any such "smart" device. It can be used to track children online. My favorite router company, Peplink, is due to roll out this feature in Firmware version 6.3 by the end of 2015.
    • Does it log changes made to the router configuration? Peplink, does a poor job of this, their log typically just says "Changes have been applied" with no indication of what was changed. On the other hand, the D-Link 860L logs nothing at all, not even the fact that something changed. The best I have read about are some DrayTek routers that create an audit trail/log of all admin access/activity.
    • Do the log files disappear when the router is powered down? If so, it makes it that much harder to spot trends or changes. The logs on the D-Link 860L are wiped out when it is powered off. This is not true on the Pepwave Surf SOHO.

  29. EMAIL: (added Nov. 19, 2015)
  30. Can the router send an email message when something bad happens?
    • If so, what types of errors can it email about? At the least, it should be able to send an alert if one of the log files fills up.
    • This is particularly useful for multi-WAN routers, that is, routers that are connected to two or more ISPs. When one Internet connection fails, it can use another to send an alert email. Peplink is great at this.
    • Can messages be sent to only one recipient or to many?
    • I have not seen a router that can send a text message, but there are services that convert emails into texts.

  31. DDNS:
  32. Not everyone needs DDNS, it is mostly used for remote administration. If you do need it, there are some options to look for.
    • Does the router phone home to the DDNS provider using HTTP or HTTPS? Good luck trying to figure this out. The DDNS provider may have a log file that you can check or use this as a test of technical support.
    • How many DDNS providers are supported? The more the better. Also good, not being limited to Dyn.

  33. MONITORING ATTACHED DEVICES:
  34. Its nice to know who/what is connected to the router
    • A good router will offer, at a glance, a list of all the attached devices. Having them all shown on one screen makes it easy to spot anything out of the ordinary. This screen shot from a Pepwave Surf SOHO shows that it uses a space-saving single line per attached client.
    • Along with this, a great feature to have, is the ability to give friendly names (i.e. Susans iPad, Joes laptop) to the attached devices. This too, should make it easier to spot new devices. The name column of the Surf SOHO display of attached clients is editable, allowing you to enter anything that makes sense to you. The Ubiquiti AmpliFi could not do this initially, but a later firmware update added this ability.
    • I used to have a router that would only show devices with a DHCP assigned IP address. You never knew about any devices with static IPs, which stinks. In December 2014, Chris Hoffman wrote "Many routers simply provide a list of devices connected via DHCP". Hopefully this gets phased out over time.
    • Internet sessions/sockets: It can be very handy to see all the connections a LAN-resident device has to the Internet. For one, you can verify that a VPN is working the way it is supposed to, that all traffic flows over a single encrypted link to a VPN server. You can also use it to verify that an online banking app really has a secure connection to the bank. And, you can use it to check if a Smart TV is phoning home and reporting on your viewing habits. Among the routers that report on this level of detail are the D-Link DIR860L and my favorite, the Pepwave Surf SOHO. (added Nov. 17, 2015)
    • Non-security: If the router is creating multiple WiFi networks, it is nice to see which devices are connected to which network. The Pepwave Surf SOHO does this in the "Network name (SSID)" column.
    • Non-security: Its nice to be able to see the signal strength, from the routers perspective, for each attached wireless device. The Pepwave Surf SOHO does this in the "Signal" column.
    • Non-security: Another nice monitoring feature is showing the current bandwidth used by each connected device. The Pepwave Surf SOHO does this in the "Download" and "Upload" columns. It defaults to kbps but can be changed to Mbps.
    • Non-security: Its nice to have a bandwidth history. The Pepwave Surf SOHO offers a daily bandwidth summary showing total Upload and Download Megabytes. From the daily summary, you can drill down to an hourly summary. From the hourly summary, you can drill down to each specific device within that hour.
    • Hiding on the LAN: Here is an oddball case that I ran across. A device may be able to hide from the router, if it only talks to devices on the LAN and never makes a request out to the Internet. That is, if it only makes use of the switch in the router, but never the higher level functions of the device. You can test this if you have a printer or a NAS with a static IP address. Reboot your router, then, from a computer on the LAN, send an HTTP request to the device with the static IP address and get back a web page. Then check the router list of attached devices. Does the router show the printer/NAS/whatever as being on the network? Maybe not. Yet, it communicated with a device on the LAN.

  35. Can you disable the file sharing of storage devices plugged into a USB port? This came up in May 2015 with the industry-wide NetUSB flaw. Some routers let you disable the buggy file sharing, others did not. Netgear, for example, admitted there was no way to disable to flawed file sharing software. NetUSB was the second file sharing flaw that I am aware of. Asus had a bug here that exposed files plugged into a USB port to the Internet at large.
    If you must use a router to share files, then look for one that offers a way to safely disconnect the USB storage device. At least some Linksys routers have a Safely Remove Disk button. TRENDnet labels their button Safely Remove USB Device. And, just for good luck, avoid putting sensitive files on the storage device plugged into the router. My suggestion, however, is to look for a low end Synology or QNAP NAS device. As of May 2015 the cheapest Synology NAS (model DS115j) is $100 without a hard drive. QNAP seems to start around $120, also without a hard drive.

  36. Access to the web interface of a router is typically done via IP address. But dealing with IP addresses may well be too much for non-techies. Thus, to make things easier (almost always a security issue in the making) for people, some router companies offer fixed names. This lets someone on the LAN get into the router with http://something.easy rather than http://1.2.3.4. Netgear uses www.routerlogin.com and www.routerlogin.net. TP-LINK uses tplinklogin.net, Asus uses router.asus.com, Netis uses netis.cc, Edimax uses edimax.setup, Amped Wireless uses setup.ampedwireless.com, Linksys uses myrouter.local and linksyssmartwifi.com. According to RouterCheck.com (the page is both undated and un-credited) this is a security weakness. Even if you follow the advice offered on this site, and elsewhere, to use a non-standard local subnet (such as 10.11.12.x) bad guys can still find your router (most likely via CSRF in a malicious web page) using these aliases. In addition, none of the router vendor documentation indicates that any of these names support HTTPS, which should always be used when logging in to a router.

  37. SSID hiding: (added Nov. 11, 2015) Like MAC address filtering, this offers only a small increase in security and comes with a high hassle factor. It was not included here at first, because I had not run across a router that did not offer it. But, there may well be some. Some routers, like those from Google, are focused on ease of use for non-techies and thus throw many features overboard. They, and others, may well omit this feature. Not sure.

  38. Smartphone apps: (added June 12, 2016)
  39. Security when administering a router via a web browser is easily understood, but smartphone apps are different.
    • Does the app talk directly to the router or does it talk to the hardware vendor?
    • Does the app communicate with Bluetooth or WiFi?
    • If app uses WiFi, is it HTTP or HTTPS? See also, the section above on securing local admin access
    • If app uses Bluetooth, how secure is it? I am not familiar with Bluetooth security. Eero and Luma both use Bluetooth.

  40. OOBE: (added June 12, 2016) Can the router, out of the box, be configured off-line? If not, then the hardware company is interposing itself in a way that is too conducive to spying. This is a fairly new issue, I first ran across it with the new mesh router systems targeting consumers. Eero fails this test. In fact, Eero wants your phone number before the router can be configured. And, even ignoring privacy issues, this probably means that if the hardware vendor goes out of business the router is useless. The Ubiquiti AmpliFi and the Netgear Orbi mesh router systems do not require a vendor account. Luma, not only requires an account, but you can't even setup the router if location services are disabled on the device running its mobile app.

  41. NEW DEVICE NOTIFICATION: (updated Aug 9, 2017)
  42. As the administrator of a Local Area Network, I would like to be dinged every time a new device gets onto the network. The ding could be a text message, an email, perhaps even a beep sound. Something, to alert me about a device (really a MAC address) that has not been seen before. Or, maybe even a device that has been seen before.
    • Eero claims their routers will do this, but I have not seen a review that mentioned it.
    • The User Guide for the Norton Core router says it can do this for the Guest Network but its not clear if it can also do it for the main network.
    • The Aztech AIR-706P router is managed by the Aztech Smart Network mobile app. According to this Aug 9, 2017 article, it has a Wi-Fi Connect feature that can push a notification to a mobile device when something connects to the router.
    • Luma says that their router "automatically recognizes any new devices in your home, and lets you grant or deny them access with a quick swipe." Again, I have not seen a review that mentioned this feature. A Nov. 2016 article on SmallNetBuilder said "If an unknown device is found on the network, Luma can send a notification through the app, alerting the owner of the unidentified device." The article, however, was a paid ad.
    • The Users Guide for the Amped Wireless ALLY routers says "ALLY notifies you of important events on your network ... for example when a new device joins your network." It is not clear if this includes a previously seen devices logging on again to the network.
    • A company called SkyDog used to offer this feature, but they disappeared in July 2014 when Comcast bought the company.


  43. RECENT DEVICES (added August 9, 2017)
    It would be nice if a router displayed a list of devices that had recently been on the network. This makes it easier to audit for devices that should not be there. Eero and the Norton Core router do this. Peplink sort of does this. Its display of currently attached devices, includes devices that are not currently attached but were recently attached. I think devices are included in the display until the lease on their IP address expires. Peplink can also log to its Event Log every time its DHCP server gives out an IP address.

  44. Internal security: (Added Nov. 17, 2016) Many new routers are sold as a set of devices, commonly referred to as a mesh. A better term would be a router system and examples are Google Wi-Fi, Netgear Orbi, Eero, Ubiquiti AmpliFi and Luma. This begs the question, for which I have no answer, how is the communication between the two or three devices in a router system protected?

  45. Trend Micro: (Added May 4, 2017) Considering the EULA that Trend Micro requires router owners to agree to, it may be best to avoid routers that include Trend Micro software. The EULA notes that web page URLs and email message may be sent to Trend Micro. For more, see Review: ASUSWRT router firmware by Daniel Aleksandersen (May 2017) and The Asus RT-AC68U router - it's fast but it also secure? by John Dunn (July 2015).

Rare security features

It can be argued that VLAN support belongs in the list above and I may add it at some point. It's certainly a security feature and not all that rare. VLANs (Virtual LANs) let you logically divide a single LAN into isolated sections. If attackers gain access to one section of the network, the VLAN prevents access to other areas of the same network. Sony Pictures would have been well advised to employ VLANs, it would have limited the damage from their breach. Security is also much improved by isolating IoT (Internet of Things) devices as much as possible. VLANs are not in the list above because many people get close enough to the VLAN experience with Guest networks. One difference, however, is that a VLAN is a separate subnet, a feature that Guest networks are not likely to include. I use a VLAN isolated wireless network at home for assorted devices that only need Internet access and do not need to see a network printer or a NAS box, let alone the computers on the LAN. The Pepwave Surf SOHO can even prevent this network from directly accessing the router. VLANs are not just for Wi-Fi, some routers, such as the Pepwave Surf SOHO and the Ubiquiti Edge Routers, can put each Ethernet LAN port into its own VLAN.

VPNs and Tor: a router that can function as a VPN server lets you connect to it securely when traveling. To me, no big deal. A router that can function as a VPN or Tor client can provide some security to multiple devices, even those that are unable to use a VPN or Tor on their own.

The Portal router, which is expected to start shipping late Summer 2016 has an unusual take on Guest networks. Exactly what it is, however, is not clear from their documentation which says: "You never need to give out your network password, and your guests never need to remember it. Granting Guest Access is done using the Portal App, which uses Facebook credentials or email addresses. Guest Access is time and distance controlled, making it very secure. Whenever a device that has been granted Guest Access is within range of your network, Portal automatically creates a guest network with random SSID and credentials. This information is securely exchanged over Bluetooth. When the guest device leaves your network, Portal deletes the guest network and credentials." Sounds interesting, I hope to fully understand it someday.

This may be asking too much, as I have not run across it anywhere: the ability to modify the Ethernet MAC address that is used as the base of WiFi networks. This would allow a router of brand X to masquerade as brand Y. This is a common feature, but I have only seen it apply to the WAN port. It exists because some ISPs use the MAC address as part of their security. I would also like it on the LAN WiFi side of things.

Germany

October 24, 2015: The German government, concerned about poorly secured routers, is considering a security rating system for routers. Using a checklist somewhat analogous to this one, routers will be given points for features that increase security. See German Govt mulls security standards for SOHOpeless routers.

Some non-security features to look for

Wake-on-LAN. It's not a security issue, but it is nice to have. Grandmas out at a movie? Login to her router, turn on her computer remotely, install bug fixes for her and then turn it off :-) Asus routers have done this for a long time. Peplink introduced WOL in firmware version 6.3 in December 2015.

Kick the kids off the Internet at bedtime. This can be done a few ways. Perhaps the best approach is to have a dedicated network/SSID for the kids to use, keeping the passwords for other WiFi networks a secret from the children. Then, a router with scheduling ability, can disable the kiddy network at bedtime. This can also be done using a single network/SSID but then you have to deal with identifying individual devices either by their MAC address or their IP address. This takes a bit more technical skill, is a bit more of a hassle to setup and maintain and requires that a specific device is always used by the same person.

Context sensitive help. That is, rather than having to refer to a separate monolithic manual, that may or may not be kept in sync with the firmware, it is best to have help directly available in the web interface.

Speed tests: Some routers can run their own speed tests. To really know how fast your Internet connection is, requires an Ethernet connected device plugged directly into the modem, no router at all. But, a router running its own tests should be good enough.

I prefer external antennas to internal ones as they are more flexible. I also prefer removable external antennas as they can be replaced if broken. They can also be upgraded should the need arise.

Ethernet lights: When things go wrong, it can be handy to have Ethernet status lights. There are two aspects to this. The main body of some routers have indicator lights for each LAN side Ethernet port. I prefer this, the more information provided, the better. Also, the Ethernet port itself, may have two lights, indicating the link status/speed and activity. The lights on the Ethernet port often indicate the link speed (normally 100Mbps or 1,000Mbps) and, when blinking, that data is being transmitted. Plus, just their being on at all, told us something about the link.

Some routers have done away with the lights on top/front and/or the lights on the Ethernet ports. For example, the TP-LINK Archer D9 has a single Ethernet light on the front - beats me how it indicates the status of multiple Ethernet ports. Still, it is a step up from the $300 D-Link DIR 890L/R, released in February 2015 that has no Ethernet lights at all on the top. The Amped Wireless RTA1750 is unusual in that its Ethernet status lights on the front are all white. And, if you don't like them, there is a switch that turns them all off. The Asus RT-AC68U also has a button to turn off all the lights. I read that the upcoming Synology RT1900ac router (scheduled to be released some time in 2016) will let you schedule the status lights. Thus, you could have them on during the day, but off at night.

Documentation: Find the User Guide for the router. Look at the first two pages. Is there a date that the manual was written? Does it show the version/release the manual applies to? Is there a Last Update date? This offers a glimpse into the professionalism of the company that made the router. If the manuals are missing basic information, such as a date and version number, the company is running a second class amateur operation. Another give-away is the failure to update the User Guide to reflect changes in the firmware.

Apple fails this test. The latest setup guide that I could find for the AirPort Extreme router has no date and no version number. A check in June 2015 for AirPort manuals turned up no manuals from 2014 or 2015. The AirPort Extreme manual was from June 2013, the AirPort Express was from June 2012. Worse still, the only manuals Apple offers are short Setup Guides. They don't have a long User Guide.

Website blocking is arguably a security feature, but an optional one. I have only tested it on two routers but in both cases it was lame. Each router would block HTTP access to the site, but failed to block HTTPS access. And, if you use this feature, you also need to be able to carve out exceptions which may mean learning the MAC address of privileged devices or giving them a static IP address or using DHCP reservations. And, if a router blocks sites by name, then chances are that direct IP address reference to the website will not be blocked. So, I left it out of the checklist above.



Elyssa D. Durant 
Research & Policy Analyst
Columbia University, New York

No comments:

Post a Comment