That wireless router in your living room is essentially the hub for your entire home network. Nearly all of your devices are going to route through it and into your modem in order to connect to the Internet. If you don’t secure the router properly, then all the things that connect wirelessly to it are potentially vulnerable to attack.
There is a small and fairly simple handful of measures you can take to secure a router. Doing so doesn’t guarantee safety online – you still have to worry about malware and any number of other Web-based threats – but failing to do so is like leaving the door to the henhouse open in an area where you just don’t know if there are foxes or not. It’s always better to err on the side of caution.
Each router make and model offers different features and presents a different interface, so it’s difficult to give precise instructions on how to set one up. However, nearly all of them contain a core set of security settings accessible through the router’s administrative interface.
Before we dive into the back end though, you need to password protect your router. Setting a strong, unique password for access to your wireless network is the very first thing you should do after you plug your router into your modem. Most – if not all – new (not used) routers still come with a CD or some other set-up wizard. If you bought a used router, which I don’t recommend, the manufacturer probably has a downloadable version of the setup wizard somewhere on their website. As you go through the wizard, it will likely ask you if you’d like to password protect your router, which you do, and it will let you do it right then and there, without having to access the back end.
The wizard may also ask you if you’d like to set up a guest network. I recommend doing this as well. Set it up and protect it with a solid password. This way, if one of your careless friends comes over with a terrifyingly leprous or otherwise diseased machine, it will be quarantined to the guest network and won’t interact with the network you use at all.
If your router doesn’t come with a setup CD, it probably does have a little blue button on the back. It will most likely have both. In some cases there is no blue button and you have to enter a PIN. Either way, your router likely has a Wi-Fi Protected Setup (WPS) feature. You should definitely use this unless you know a bit about setting up wireless networks (in which case you probably wouldn’t be reading this). The setup CD will likely set up WPS by default. WPS is “an optional certification program developed by the Wi-Fi Alliance designed to ease set up of security-enabled Wi-Fi networks in the home and small office environment.” In other words, it does all the tricky security configuration work for you. It’s a great starting point, but you should still get into the router’s administrative interface and make sure everything is locked down.
To get into the admin interface, you need to figure out the make and model of the router you are using. Once you know that, you can just Google the make and model number plus “IP address.” If you enter that IP address into the address bar of your browser, you will be presented with a login field. Run another Google search asking what your router’s default user name and password are. Once you have the username-password combo, which is probably something incredibly simple, you can use it to log into the back end. Some router setup wizards will automatically change the admin password to the password you are using to access your wireless network. So, if the default password doesn’t work, try your wireless access password.
Here is my warning: you can seriously hinder your ability to get online if you start messing around in the admin interface, but you won’t do any damage if you just don’t change anything. So, accessing the router backend is perfectly safe; just be careful not to mess with anything in there if you don’t know what it is. If you do break something, the best course of action may be to reset to factory defaults and start the setup process from scratch.
If your router admin access password is the same as your wireless network password then you are on the right track. If the back end is accessible with the default password – or if you want extra security – you need to change the router password, but we’ll get to that in a moment.
First things first: MAKE SURE ENCRYPTION IS ENABLED. Not just any encryption, strong encryption. WPA or the newer WPA2 or some mixture of both is ideal. WEP is older and weaker and should be avoided if possible. Chances are, if you used WPS to get set up, WPA or WPA2 will be enabled, and all the data passing between your devices and the router will be protected with strong encryption. This is also a good time to ensure that the firewall is enabled for IPv4 and IPv6 traffic. Again, if you used WPS, then these should be enabled. VPN passthrough should be enabled too, and probably is by default.
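To double-check the encryption setting from a computer rather than from the router's own screens, you can classify what nearby networks advertise. This is an added example, not part of the original article: it assumes a Linux machine with NetworkManager, reads the terse output of `nmcli -t -f SSID,SECURITY device wifi list`, and uses constructed sample lines so it runs offline.

```python
# Added example: flag Wi-Fi networks that advertise no encryption or WEP.
# Assumed input: `nmcli -t -f SSID,SECURITY device wifi list`, where fields
# are ':'-separated and ':' or '\' inside a value is backslash-escaped.

# Constructed sample scan output (not captured from a real network).
SAMPLE_SCAN = """\
HomeNet:WPA2
HomeNet-Guest:WPA1 WPA2
OldPrinter:WEP
Cafe\\:Free:
"""

def split_terse(line):
    """Split one terse nmcli line on unescaped ':' and undo the escapes."""
    fields, cur, chars = [], [], iter(line)
    for ch in chars:
        if ch == "\\":
            cur.append(next(chars, ""))   # keep the escaped character as-is
        elif ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    fields.append("".join(cur))
    return fields

def classify(security):
    """Map the SECURITY column to a verdict using the article's criteria."""
    tokens = security.split()
    if not tokens or tokens == ["--"]:
        return "OPEN"        # no encryption at all
    if any(t.startswith("WPA") for t in tokens):
        return "OK"          # WPA, WPA2 or a mixture of both
    if "WEP" in tokens:
        return "WEAK"        # older and weaker, avoid if possible
    return "UNKNOWN"

def audit(scan_text):
    """Return (ssid, verdict) for every non-empty line of scan output."""
    results = []
    for line in scan_text.splitlines():
        if line.strip():
            ssid, security = (split_terse(line) + [""])[:2]
            results.append((ssid, classify(security)))
    return results

if __name__ == "__main__":
    for ssid, verdict in audit(SAMPLE_SCAN):
        print(f"{verdict:8} {ssid}")
```

If your own network name shows up as OPEN or WEAK, change the setting in the router's wireless security section.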
In the admin interface of most routers, you will see a “Wireless” tab. Within that tab there is probably a “Wireless Security” subsection. If you click on that, you should see your wireless passphrase – maybe even in plain text. If ever you need to change your wireless access password for any reason, this is where you can do that. There is also another tab titled “Administration.” Within that tab, assuming it exists, you’ll see a field that says something similar to “Router Password.” This is where you can change the password you just used to enter the administrative interface of your router. Do so if it is set to a default password.
This section should also have a number of other security options. For one, it probably has a button that lets you turn on HTTPS. Enabling this will encrypt your login data and protect you against man-in-the-middle and other similar attacks as you interact with the backend. However, I recommend not turning the feature on, or doing so cautiously, because the back-end interface on my router wonked out big time the first time I enabled HTTPS. If you have time and patience, it is definitely best practice to turn HTTPS on, but you may occasionally run into usability and certificate issues. More importantly, make sure that remote management is disabled. In this way, if someone wants to even try to access the router’s backend, he or she will have to be connected to the network. If you want to be extra secure, you can disable wireless access as well, meaning that in order to access the backend, a user must physically connect to the router with an Ethernet cable.
The administration tab may also include a sub-tab that allows you to upgrade your firmware. Bugs occasionally emerge in routers, so the manufacturers will upgrade the firmware that controls the router. Unlike the makers of operating systems and other software, router manufacturers don’t send these updates to their users. You have to download them yourself. To do that, just Google your router’s make and model plus “firmware upgrade.” You then need to find out which version of the firmware you are using. There should be some indication of the firmware version visible in the backend interface. On the manufacturer’s site, there will be a link to your version of the firmware, and that link will let you know if you need to upgrade. To upgrade, simply download and save the update file, then go into the firmware update section of your backend interface and follow the instructions there. It’s usually as simple as clicking a browse or “Choose File” button, searching through the files on your computer and selecting the firmware update file you just downloaded.
If you follow all these tips, you won’t be invulnerable, but you will be more secure than all the other people that aren’t paying attention to their routers, which is a good start. If you know of any other router security tricks that we left out, please drop them in the comments section below.