Covered Topics

Please see the list of the topics I've covered. It's located near the bottom of the page. Thanks for stopping in!!

Sunday, October 31, 2010

Configuring Routers in SOHO Environments

Last week, I set up a LAN (local area network) at my house so I could share my Internet connection with other family members. Since my broadband modem only had provision for one device, I would need either a different broadband modem, or a router, to accommodate more than one work station. I checked with my ISP and was not terribly surprised when even THEY could not give me any information as to how best to set this up. They indicated they would allow up to four PCs to share the connection without incurring any additional charges. They were quite intent on "upgrading" me to their own wireless modem - for an additional $100 to purchase. I wasn't sure I even needed or wanted wireless, and in any event could buy newer equipment cheaper elsewhere. Instead I went out and purchased my own router, which can accommodate up to several computers or other network enabled devices.

In Brief - Why I have Written This Piece
A computer is NOT like a washing machine that you simply connect to utilities, use when you want it, and then forget it. But many folks unwittingly treat their PC that way - and that's how they get into trouble with lost data, 'catch' computer viruses, become victims of online ID theft, etc. Most folks I've met who have broadband modems or routers do not even have the internal firewall turned on, let alone properly set up. Many home and small business wireless networks are NOT secured properly; they're functioning as wireless public "hotspots" that anyone can connect to for whatever purpose - legal or otherwise. There are criminals who drive through neighborhoods with Wi-fi enabled laptop computers LOOKING for such unguarded networks through which to commit all manner of cyber crimes. I hope that anyone reading this who isn't already familiar with how to secure their home/small office networks can use this information to help improve their online security.

What a Router Does:
A router is used to connect two or more computer networks. When a router receives a data packet, it looks at the header information on that packet to see where it came from, and to what computer it is addressed to. The router checks to see if the packet is addressed to another computer on the same network where it originated, or if it needs to be transferred to another network. After determining where data packets it receives are coming from and addressed to, the router sends them where they need to go. In Small Office/Home Office (SOHO) environments, routers are often used so that several computers or even network enabled appliances such as TVs and game consoles can all share one internet connection. Some cable and DSL modems already have built-in routers and multiple Ethernet ports, while others (like mine) only have one connection.

Routers may either be "wired" or, "wireless" to provide 802.11 b,g or n Wi-fi access. Most "wireless" routers I've seen and dealt with also have provision for up to four RJ-45 Ethernet ports for connecting to wired computers.

Here are some GENERAL guidelines for choosing and setting up a router for SOHO use, based on my own research and on-the-job experience. This is NOT intended to be an exhaustive work; it is strictly intended to show some basic considerations for SOHO router setup. "Your mileage may vary" depending on your ISP, equipment, and particular needs:

1) Do you need Wi-fi (wireless) capability for laptops or other portable devices? If not, you might want to stay with a strictly WIRED Ethernet router. While many folks have adopted Wi-fi and love it, it is generally considered LESS safe or secure than wired. There is always the chance that criminals can hack into your router via your Wi-fi signal to access your Internet connection or networked PCs for nefarious purposes. If you MUST have Wi-fi, make sure your router/access point supports the newer and somewhat more secure WAP/WAP2 encryption protocols.

2) Firewall A built-in "hardware" firewall is mandatory. Whether buying a wired or wi-fi router, get one with a built-in firewall. Hardware firewalls placed between the Internet and your network perform a vital function by preventing certain types of cyber attacks from ever reaching your network in the first place. By contrast, "software" firewalls such as Zone Alarm, Windows Firewall, or the ones that come with the LINUX operating system, are installed on individual work stations and are a last line of resistance for them AFTER the network itself has been breached.

3) Configuration All routers, whether wired or wireless, that I have used have a 'configuration' web page that one logs into in order to set the thing up. Some have Windows software, a sort of "configuration wizard" on a CD, supplied with the device. I generally avoid using these, preferring to use the configuration web page instead. Once your PC is connected to the router, you can access the configuration web page by opening your web browser and pointing it to whatever local IP address your router's manual tells you. Generally it will be, or sometimes You will be prompted for a username and password. The word "admin" or "administrator" is often the DEFAULT for BOTH the username and password. Again, check your manual for the exact login procedure.

Plug the router in, connect it to your PC - preferably with an Ethernet cable, and turn it on. Do NOT connect it to your DSL/broadband modem YET. Log in as described above, in keeping with the directions that came with your unit.

Once logged in, IMMEDIATELY do the following:

a) Change the default administrator username and passwords to something that others cannot easily guess. Especially for passwords, stay away from names of family members or pets, anniversary or birth dates, ... Also stay away from words that would appear in ANY language dictionary. A random string of letters and numbers is best; for something easier for you to remember you could also think of a sentence and pick the first or last letters of each word, then mix in some numbers. THAT is quite likely a good, strong password.
FAILURE to take this simple step may result in criminals easily getting in and reconfiguring your router, using your Internet connection for criminal activities - especially on wi-fi enabled routers, and/or attacking/hacking computers on your local network!!

b) AVOID taking the lazy way out by having Windows, or your web browser (in Windows or LINUX), remember the password! If your PC is ever compromised, that information may end up in the hands of bad people. Also, if you don't use the password you will forget it. Then it will be lost when your PC needs the inevitable reformat and re-install of its operating system. All you can do then is do a "hard reset" on the router to factory settings and reconfigure it from scratch. See your manual for how to do this.

c) Routers - often have a "network name" or, in the case of Wi-fi, a SSID (Service Set Identifier). Whichever default is there, whether it be "Belkin" or "Linksys", or whatever, should immediately be changed to something unrelated. Why make it any easier for the bad guys by TELLING THEM what brand of equipment you have? That just gives them an edge when probing your network for vulnerabilities. Also, avoid using your personal, family name, or business name for your network name or SSID as well - that identifies it as yours if someone wants to specifically mess with you. [This is NOT the 1950s any more, and growing numbers of people are having these sorts of problems nowadays.] For Wi-fi, the SSID should NEVER be broadcast unless you are setting up a public "hotspot". So make sure to select "Do not broadcast the SSID" in your wireless configuration menu. Anybody who is not authorized to connect to your network most surely does NOT need to know the SSID!

d) DHCP v.s. Static IP addresses - There are exceptions to this, but most home Internet connections use DHCP (Dynamic Host Configuration Protocol) for assigning you an IP address "on the fly". Most routers are by default set up to use DHCP to connect to the broadband modem. On your LAN (local area network), if you need to share files and/or printers, you will need LOCAL static IP addresses - usually in the 192.168.x.x range - for each of your PCs or networked printers. There are lots of good tutorials online for doing this. On the other hand, if you simply want a couple PCs to both have Internet access but NOT share files or printers, you could simply set them to use DHCP as well IF your router provides its own internal DHCP server for the LAN. Check your router's instruction manual/specs for more details.

e) Encrypted v.s. non-encrypted configuration access - If your router offers it, set the configuration page for "encrypted access"; it's MUCH safer! So, instead of pointing your browser to, say, to access the configuration page, you would now use as the IP for logging in. The https shows it's encrypted; the padlock symbol should display on your browser window when logged in this way.

f) Configuration login from outside - if you don't envision needing to log in to the router's configuration page from outside your local network, such as from a computer away from home, leave this DISABLED. This is yet another step in securing your network from unauthorized external access or changes.

g) Wi-fi access to configuration page - if your wi-fi router has provisions for this and one of your PCs is connected by wired Ethernet, DISABLE wireless access to the configuration page. This prevents someone from sitting in their car down the street and wirelessly hacking away at your router configuration page.

h) Wi-fi encryption - use the stronger WAP or "WAP2 Personal", rather than the weaker WEP encryption standard, on your wi-fi networked devices. "WAP/WAP2 Enterprise" is a whole different animal that requires an authentication server and is much more difficult to set up. Most SOHO networks don't currently use it.

i) MAC address filtering - every networked device, whether wired or wireless, has a unique hardware identifier called a MAC (Media Access Control) address. If your router offers MAC address filtering, use it. This further helps out by discriminating AGAINST any computer NOT listed in the router's MAC address lookup table. This also allows you to selectively shut off your kid's Internet access if he/she is misbehaving online. As an aside, you can find your computer's MAC address by opening a command prompt and typing "ipconfig" on a Windows box or "ifconfig" on a LINUX system. On my LINUX box, it is displayed by the ifconfig command in this format: "HWaddr 89:8A:2F:ED:5A:2G" . On any system, it will be a string of 6 pairs of hexadecimal numbers separated by colons - as in the above mentioned example. See your router's manual for how to set up MAC address filtering on your particular equipment.

j) On the firewall configuration, make sure the firewall is set to drop PING requests. Block any unused/unneeded ports if your router's firewall settings menu allows it. Port 80 needs to be open for basic Internet access, but often computers have other ports open by default that don't necessarily need to be. If you're strictly using web based email such as a "yahoo" account or Google's "gmail" through your browser, for example, as opposed to a POP3 server with MS Outlook, you can block the common ports used for POP3 email services. SMPT ports 25 and 110, for example. Many hardware firewalls allow blocking of access to certain sites or domains - good to know if you don't want your kids using Facebook, for example.

k) Wireless "peer to peer" or file sharing - DISABLE this if you don't really need it. Again, if you simply need a couple systems to access the Internet, but NOT share files or printers, this setting is safer. Obviously, if you DO need to share files and/or printers, then leave this ENABLED.

l) WAP Passphrase - make up a passphrase just as you did in step "a" above, though USE A DIFFERENT ONE. The WAP passphrase provides the basis for the encryption algorithm to work - and must be the same on BOTH the Wi-fi router and ANY client PC for them to work together. Again, use something that is not readily guessable or subject to a "dictionary attack".

Now, Test It Out
After you have done all this, go ahead and connect the router to the DSL/broadband modem. First test out any WIRED PC connections and make sure they can connect to the Internet. Correct any problems with the wired connections BEFORE dealing with the Wi-fi (if you have that). By doing things in this order, you have verified that your broadband/DSL connectivity and router are working BEFORE introducing any complications caused by Wi-fi issues.
Now, go back and configure any Wi-fi enabled PCs or laptops per any supplied instructions, using the same SSID settings, WAP encryption passphrases, ... as you did on the router. On many Windows PCs, you will need to reboot for the settings to take effect. Hopefully, if everything was configured properly, you will have Internet access on all your networked machines. If you ARE sharing files or printers, you will also need to configure those functions in the customary way for your equipment/operating system(s).

One caveat - bear in mind that many older wireless devices do NOT support WAP/WAP2 protocol. If you have an older PC or laptop with an older Wi-fi interface that cannot use WAP, you might want to consider buying a USB Wi-fi "dongle" that DOES support the newer protocol.

That's about all for now. While this is by far NOT a comprehensive tutorial on network security, it hopefully will help interested parties to avoid the most common mistakes.

No comments:

Post a Comment

Constructive comments are welcome! Spam, or any abusive or profane comments will be deleted.