Routers
I hope you packed a dinner and brought your sleeping bag for this! This is one of the most important sections on this website for many reasons. The router you pick is the first line of defense against threats and it’s also a highly exploited piece of hardware. What you choose here matters much more than you might think.
Building out your threat model is an important step because it will help you decide what router you should buy or build. Read the OPSEC section for more information on threat modeling. If you pick a prebuilt router, which is a good choice for many people, it starts with picking a good brand. There are a lot of options, with some ranging from mediocre to garbage.
I’ll repeat myself as I have many times now; do your due diligence! If you're looking at a particular router, research that model as well as the brand. Some of the router providers have left CVEs unpatched for a long time. One of the tactics some of these companies use is to release a slightly newer model of a router and take the old one out of support, even though it might be in perfectly good shape. Then the CVEs start to stack up and get exploited.
Also, make sure you look at the background of the brand you want to buy. If you live in a Western bloc nation, you should avoid using software from an Eastern bloc nation. Hardware is a much harder area to avoid due to where most factories are, but routers are one thing that needs to be considered here. If a router manufacturer has close ties to a government that’s hostile to your home country, it’s not something I recommend using.
My recommendation here isn’t going to work for a lot of people and that’s okay. Again, work off of your threat model to get an idea of what applies. The consumer grade routers in general tend to be crappy, though they do work for many people. If you’re this far into reading on my website, it’s safe to say you have a greater interest in securing your devices. A better choice is to go with one of the following options: use an enterprise grade solution or build your own and run either pfSense or OPNsense.
The enterprise grade option could be easier and you can find some good options on eBay if you know what to look for and what to be wary of. There are plenty of good brands to choose from, such as Cisco, Fortinet, Palo Alto Networks, SonicWall, Ubiquiti, etc. New is a better option for multiple reasons, though you'll definitely pay for it. Enterprise networking equipment isn’t known for cheap prices. Again, just be careful of what you buy and who you buy from on eBay if you go that path. Also, if you buy a used router, make sure it's still receiving security updates, and check whether the vendor requires an active support contract to download firmware at all; some enterprise vendors do, which turns a cheap eBay box into one you can never patch. Factory reset any used device yourself before putting it on your network so nothing from the previous owner's configuration or credentials survives. CVEs can come up at any time. You don’t want a router that’s filled with them.
If you want to try something else, you can go down the rabbit hole of making your own router. This is where things can get complicated. The best options on the market for the software side of things are OPNsense and pfSense. These two are about as close to enterprise grade as you can get. They are both excellent options, so just do some research on each one for whatever you might want to use. As with all things, they have their own pros, cons, and quirks. Either option would work great for a home power user.
The hardware selection is wide with either one. You can buy a premade router with pfSense. The manufacturer is called Netgate. It’s the company that owns pfSense and offers a commercial version of it (pfSense Plus). The free and open source version, pfSense Community Edition, is still available and is what you would install on your own hardware. OPNsense, which started as a fork of pfSense, is backed by Deciso, who also sell hardware for it, but the starting price point is quite a bit higher. The great thing about this software is you are free to make your own router by building a computer to use as a router, or you can even just make some modifications to a premade office PC that you could get used for a cheap price (the main requirement is two network interfaces, one for WAN and one for LAN).
Let's cover some general settings you need to pay attention to when setting up a router. These are pretty much universal, no matter what router you choose. In no order of importance, these are things like login security, port forwarding, UPnP, activity monitoring, DNS, IPS, Wi-Fi configuration, WPS, and some other miscellaneous items. I’ll cover what each of these are and why they are important.
First, I’ll start with the first and most obvious step. Make sure you lock your admin login behind a strong password, and change the default admin username too if the router allows it. The standard recommendation is at least 12 characters with upper and lower case letters, symbols, and numbers. The longer and more complex it is, the more secure it'll be. Also disable remote (WAN-side) management of the admin interface so the login page is only reachable from inside your network; there is no reason for it to face the internet. Since my focus is on security, I would not recommend allowing anyone other than you to be able to access the router you have. Someone that either doesn’t know what they are doing or has bad intentions could cause a lot of havoc if they start changing settings.
You also have to be cognizant of who has physical access to the router. It becomes trivially easy to bypass your security measures if someone can go straight to the source. This guide is for home users and for most home users, you’re generally okay with having your router in a typical home user area. The part to be cautious of here would be if you have people living with you where the trust factor is dubious. There are people who might have several roommates who they barely know. If you're concerned about the router, you could have it in a locked room only you have access to and have video monitoring to keep watch. This is relative to your threat model.
Next, let's discuss port forwarding and universal plug and play (UPnP). There are times when people open ports up, such as if a program or video game needs it to work properly with the internet. A forwarded port exposes whatever service is listening on that port on one of your devices directly to anyone on the internet; for that port, the router's NAT and firewall no longer stand in the way, so the security of your whole network rests on that one service being patched and correctly configured. This is such a huge security risk that the average home user shouldn’t even be attempting this. If you do decide to open ports for whatever reason, just be aware of the risk that comes with it. This was more common in days of old, like back in the 90’s when people would want to play a multiplayer game together like Diablo 1. Now, the “need” to open a port is rare.
This is a somewhat rough analogy for opening a port but think of it this way. You have a typical house with windows and doors. For each port you open, it would be the equivalent of taking a Sawzall and removing a door or window and just leaving it be. All sorts of nasty garbage can come right into your house through the hole without issue and can bypass all the other areas that are closed off. This is basically what port forwarding is. Again, the use cases for this are extremely niche for a home user and if you need to do this, you probably know how and why. If not, don’t worry about it. The vast majority of routers ship with no ports forwarded and everything works just fine leaving it that way.
Now let’s discuss universal plug and play (UPnP). This is a setting you can find on the router and in applications that may need to use it, though sometimes there won’t be a UPnP option. Some multiplayer games are an example of this where they use UPnP to connect players together. Turning this feature off in your router is much safer, though there may be occasional problems. I've not had issues with it disabled, but your mileage may vary.
Here’s why UPnP is an issue. Because it's the “plug and play” of port forwarding, it takes care of all that behind the scenes, and “opens” ports up and closes them on the fly. The catch is that the part of UPnP a router uses for this (the Internet Gateway Device protocol) has no authentication at all: any program running on any device inside your network can ask the router to forward a port to itself, and the router will do it. Malware uses this feature just as happily as a game does, and UPnP implementations have been exploited before. Think of those automatic sliding doors when you go into a store. They open for anyone as long as they want to go in or out. UPnP is the same concept. There’s no safety check in place to make sure malware doesn’t get access.
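To make the "no safety check" point concrete, here is the actual exchange a program on your LAN uses to open a port through UPnP IGD. This is an added example, not code from the original page: it builds the discovery message, parses the router's reply and device description, builds the SOAP AddPortMapping request, and parses a port-mapping listing, all against constructed sample messages (the IP addresses, control URL and mapping values are made up) so it runs offline. Notice that none of the messages carry a password, token or any other credential.

```python
"""Added example (not from the original page): the UPnP IGD exchange used to
open a port on a router, built and parsed offline against constructed messages."""
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

SSDP_ADDR, SSDP_PORT = "239.255.255.250", 1900
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"


def _local(tag):
    """Strip the XML namespace so we can match element names regardless of prefix."""
    return tag.split("}")[-1]


def build_msearch(st=IGD_ST, mx=2):
    """Step 1: the multicast discovery probe any LAN host may send. No credentials."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_ADDR}:{SSDP_PORT}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {st}\r\n\r\n"
    ).encode()


def parse_ssdp_headers(data):
    """Step 2: the router answers with HTTP-style headers; LOCATION is its description XML."""
    headers = {}
    for line in data.decode(errors="replace").split("\r\n")[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().upper()] = value.strip()
    return headers


def find_control_url(description_xml, location):
    """Step 3: walk the device tree for WANIPConnection and return its absolute controlURL.
    Relative URLs are resolved against LOCATION (UPnP 1.1 behaviour; older devices
    may supply a separate URLBase element, which this example does not handle)."""
    root = ET.fromstring(description_xml)
    for element in root.iter():
        if _local(element.tag) != "service":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in element}
        if fields.get("serviceType") == WANIP_SERVICE:
            return urljoin(location, fields.get("controlURL", ""))
    return None


def build_add_port_mapping(external_port, internal_port, internal_client,
                           protocol="TCP", description="example", lease_seconds=0):
    """Step 4: the SOAP request that opens the port. Returns (headers, body).
    The request is POSTed to the control URL; there is no authentication field to fill in."""
    body = (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:AddPortMapping xmlns:u="{WANIP_SERVICE}">'
        '<NewRemoteHost></NewRemoteHost>'
        f'<NewExternalPort>{external_port}</NewExternalPort>'
        f'<NewProtocol>{protocol}</NewProtocol>'
        f'<NewInternalPort>{internal_port}</NewInternalPort>'
        f'<NewInternalClient>{internal_client}</NewInternalClient>'
        '<NewEnabled>1</NewEnabled>'
        f'<NewPortMappingDescription>{description}</NewPortMappingDescription>'
        f'<NewLeaseDuration>{lease_seconds}</NewLeaseDuration>'
        '</u:AddPortMapping></s:Body></s:Envelope>'
    )
    headers = {
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{WANIP_SERVICE}#AddPortMapping"',
        "Content-Length": str(len(body)),
    }
    return headers, body


def parse_soap_args(soap_xml):
    """Parse the arguments of any *Response element, e.g. GetGenericPortMappingEntryResponse,
    which is how you enumerate the mappings already present on a router (audit use)."""
    root = ET.fromstring(soap_xml)
    for element in root.iter():
        if _local(element.tag).endswith("Response"):
            return {_local(child.tag): (child.text or "").strip() for child in element}
    return {}


# Constructed sample messages (not captured from a real device).
SAMPLE_SSDP_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n"
)
SAMPLE_DESCRIPTION = """<root xmlns="urn:schemas-upnp-org:device-1-0"><device>
<deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
<deviceList><device><deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>
<deviceList><device><deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
<serviceList><service><serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
<serviceId>urn:upnp-org:serviceId:WANIPConn1</serviceId><controlURL>/ctl/IPConn</controlURL>
</service></serviceList></device></deviceList></device></deviceList></device></root>"""
SAMPLE_ENTRY_RESPONSE = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>3389</NewExternalPort><NewProtocol>TCP</NewProtocol>
<NewInternalPort>3389</NewInternalPort><NewInternalClient>192.168.1.50</NewInternalClient>
<NewEnabled>1</NewEnabled><NewPortMappingDescription>rdp</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

if __name__ == "__main__":
    location = parse_ssdp_headers(SAMPLE_SSDP_RESPONSE)["LOCATION"]
    control = find_control_url(SAMPLE_DESCRIPTION, location)
    headers, body = build_add_port_mapping(25565, 25565, "192.168.1.42")
    print("control URL:", control)
    print("request headers:", headers)
    print("existing mapping:", parse_soap_args(SAMPLE_ENTRY_RESPONSE))
```

The only step left out is the network I/O (a UDP send of `build_msearch()` to the multicast address, an HTTP GET of the LOCATION, and an HTTP POST of the SOAP body to the control URL), which is deliberately omitted so the example runs offline. The listing parser is the useful half for a defender: walking `GetGenericPortMappingEntry` with an increasing index is how you find out what has already been opened on your router, and if you find entries you did not create, that is your cue to disable UPnP.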
Let’s briefly discuss Wi-Fi and start with selecting network names. You should set a custom network name for your Wi-Fi. Routers will sometimes come with some sort of a default name. The issue with that is the network name (SSID) is part of how WPA2-Personal turns your passphrase into the actual key: the SSID is used as the salt when the passphrase is run through a slow key-derivation function (PBKDF2 with 4096 iterations of HMAC-SHA1) to produce the pairwise master key. That salt is the only thing stopping an attacker from doing the slow work once and reusing it against everyone. While the following is simplified, an attacker with a precomputed table (a rainbow-style lookup table) for common default SSIDs, or a tool like hashcat and a captured handshake, can get into your Wi-Fi far faster if your network name is generic, since the table for "linksys" or "NETGEAR" has already been built. A unique SSID forces them to start from scratch for your network alone. Also, don’t use anything that could identify you, such as a nickname.
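The derivation above, as an added example that is not part of the original page. It implements the WPA2-PSK passphrase-to-PMK step with Python's standard `hashlib`, then shows what a precomputed table for one default SSID is and why it stops working the moment the SSID changes. The wordlist, SSIDs and passphrases are constructed for illustration. In a real attack the attacker checks each candidate PMK against a captured four-way handshake (deriving the PTK and comparing the MIC); that check is stood in for here by comparing PMKs directly.

```python
"""Added example (not from the original page): WPA2-Personal PMK derivation and
why the SSID acting as the salt defeats precomputed tables."""
import hashlib
import time


def wpa2_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    This is the WPA2-Personal (IEEE 802.11i) passphrase mapping."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def precompute_table(ssid, wordlist):
    """The attacker's one-off cost: 4096 HMAC rounds per candidate, keyed by PMK.
    Only valid for the SSID it was built against, because the SSID is the salt."""
    return {wpa2_pmk(word, ssid): word for word in wordlist}


def lookup(table, target_pmk):
    """Instant: a dictionary hit. Returns the passphrase or None."""
    return table.get(target_pmk)


def crack_from_scratch(ssid, target_pmk, wordlist):
    """What the attacker must do without a matching table: redo PBKDF2 per candidate.
    Returns (passphrase or None, number of PBKDF2 evaluations spent)."""
    for count, word in enumerate(wordlist, start=1):
        if wpa2_pmk(word, ssid) == target_pmk:
            return word, count
    return None, len(wordlist)


# Constructed wordlist standing in for a real one of millions of entries.
WORDLIST = ["password", "12345678", "qwertyuiop", "letmein123", "sunshine1",
            "iloveyou", "football1", "welcome1", "admin1234", "trustno1"]
DEFAULT_SSID = "linksys"       # a generic default name the attacker has a table for
CUSTOM_SSID = "Tk8-garden-2b"  # a made-up custom name nobody has a table for


def demo():
    """Same weak passphrase on two networks; only the SSID differs."""
    table = precompute_table(DEFAULT_SSID, WORDLIST)  # built once, offline
    victim_weak_default = wpa2_pmk("sunshine1", DEFAULT_SSID)
    victim_weak_custom = wpa2_pmk("sunshine1", CUSTOM_SSID)
    victim_strong_custom = wpa2_pmk("correct horse battery staple 2024", CUSTOM_SSID)
    return {
        # instant hit: generic SSID + weak passphrase
        "default_ssid_hit": lookup(table, victim_weak_default),
        # the same table is useless against a different salt
        "custom_ssid_hit": lookup(table, victim_weak_custom),
        # attacker must recompute per SSID; still falls if the passphrase is weak
        "custom_ssid_rebuilt": crack_from_scratch(CUSTOM_SSID, victim_weak_custom, WORDLIST),
        # a long passphrase is simply not in the list
        "strong_passphrase": crack_from_scratch(CUSTOM_SSID, victim_strong_custom, WORDLIST),
    }


if __name__ == "__main__":
    start = time.perf_counter()
    result = demo()
    print(result)
    print(f"elapsed: {time.perf_counter() - start:.2f}s for "
          f"{3 * len(WORDLIST)} PBKDF2 evaluations")
```

The custom SSID buys you the attacker's recomputation cost for every candidate passphrase, which is why it matters; the strong passphrase is what makes that cost actually prohibitive, which is why the two advice points belong together. WPA3-Personal replaces this PBKDF2 step with SAE, so captured handshakes cannot be attacked offline this way at all.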
Staying on the network name (SSID), DO NOT use a hidden network name. It may sound counterintuitive, but doing so just creates more of a security risk. Hiding the SSID only removes it from the router's beacon frames; it is still sent in the clear every time a device probes for the network or connects to it, so anyone with a wireless sniffer recovers it as soon as one of your devices joins. Worse, let’s say your phone is connected to the Wi-Fi and you forget to shut off your Wi-Fi on your phone before you go out and about. When you're driving by stores and homes, your phone is essentially yelling out to all the surrounding routers, “Hey hidden network, are you there?!”, because that is the only way a client can find a network that doesn't announce itself, and that broadcasts your network name wherever you go. A hidden SSID is easy to find for a hacker, and if a hacker sees a network name is hidden, they'll be more likely to target it since they may think there’s something valuable on the network.
Now onto the Wi-Fi encryption type. Just avoid WEP as it's out of date and insecure (if your router even lists it), and the same goes for the original WPA with TKIP. Most routers are now coming with WPA2 and WPA3 as options, and some have a hybrid option (WPA2/WPA3 transition mode) which will use WPA3 if your device supports it or otherwise use WPA2. WPA3 is obviously the better choice, because its SAE handshake means a captured handshake can't be attacked offline the way a WPA2 one can, but some devices don’t support it. Again for the password; choose something strong, because under WPA2 the passphrase is the only thing protecting you once someone has captured a handshake.
If your router has WPS, make sure it’s turned off. The WPS PIN method is the problem: the router checks the 8-digit PIN in two halves and tells the client which half was wrong, and the last digit is a checksum, so an attacker only needs at most about 11,000 guesses instead of ten million to recover the PIN, and with the PIN the router hands over your WPA passphrase. The slightly increased amount of convenience using WPS is absolutely not worth the massive risk of someone being able to bypass all your security.
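Why the WPS PIN search collapses to 11,000 guesses, as an added example that is not from the original page. It implements the real WPS PIN checksum rule, models the registrar as an oracle that reveals which half of the PIN failed (the real protocol leaks this through the M4/M6 hash commitments; the comparison here is a simplification of that), and runs the half-by-half brute force against a known PIN. The secret PIN used is the well-known default `12345670`, which is a valid PIN under the checksum rule.

```python
"""Added example (not from the original page): why a WPS PIN falls to brute force
in at most 11,000 guesses rather than the ten million an 8-digit PIN suggests."""
import random


def wps_checksum(first_seven):
    """Checksum digit of a WPS PIN: weights 3,1,3,1,3,1,3 over the first seven digits."""
    accum = 0
    for index, ch in enumerate(first_seven):
        accum += (3 if index % 2 == 0 else 1) * int(ch)
    return (10 - accum % 10) % 10


def make_pin(first_seven):
    """Append the checksum digit, giving a full 8-digit PIN."""
    return first_seven + str(wps_checksum(first_seven))


def is_valid_pin(pin):
    return len(pin) == 8 and pin.isdigit() and make_pin(pin[:7]) == pin


def registrar_oracle(secret_pin):
    """Models the flawed registrar: the response distinguishes a wrong first half
    (NACK after M4) from a wrong second half (NACK after M6). Simplified oracle,
    not the real message formats."""
    def check(pin):
        if pin[:4] != secret_pin[:4]:
            return "NACK_M4"
        if pin[4:] != secret_pin[4:]:
            return "NACK_M6"
        return "OK"
    return check


def brute_force_pin(check):
    """Recover the PIN half by half. Returns (pin or None, attempts used).
    First half: up to 10,000 tries. Second half: only 1,000, since the
    eighth digit is fixed by the checksum (devices that ignore the checksum
    would need 10,000 for the second half, still far short of 10^7)."""
    attempts = 0
    first_half = None
    for a in range(10_000):
        attempts += 1
        candidate = f"{a:04d}"
        if check(candidate + "0000") != "NACK_M4":  # first half accepted
            first_half = candidate
            break
    if first_half is None:
        return None, attempts
    for b in range(1_000):
        attempts += 1
        pin = make_pin(first_half + f"{b:03d}")
        if check(pin) == "OK":
            return pin, attempts
    return None, attempts


def worst_case_attempts():
    """Upper bound on guesses needed against a checksum-valid PIN."""
    return 10_000 + 1_000


if __name__ == "__main__":
    secret = make_pin(f"{random.randrange(10_000_000):07d}")
    pin, used = brute_force_pin(registrar_oracle(secret))
    print(f"secret {secret} recovered as {pin} after {used} guesses "
          f"(worst case {worst_case_attempts()})")
```

Real routers rate-limit or lock out after a number of failed PIN attempts to varying degrees, which slows this down but does not change the search space; disabling WPS removes the attack entirely, which is why the advice is simply to turn it off.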
Lastly, make sure you check for firmware updates once in a while, or turn on automatic updates if the router offers them. There are times when critical vulnerabilities get patched. You don’t want to risk your entire home network and your identity because hardware wasn’t staying updated or because you were using something no longer supported.