Configuring routers correctly

Author: Danny Bradbury
Category: Security

Your client needs a router to connect them to the Internet – but unless it is configured correctly, it could represent a significant security loophole.

Setting up the network for a customer isn’t just about keeping them connected; you need to protect the network from tampering. Routers are rarely secure out of the box, especially those provided for basic DSL accounts by ISPs. The features in these systems, which will be used by many SMBs, are relatively basic, until you get into the more advanced routers, such as Juniper’s J-series, which are designed for branch offices. However, SMB routers will generally tend towards all-in-one devices, offering a mixture of router, wireless hub, firewall and in some cases VPN capabilities. Even if the router is already installed and working, you’ll want to configure it as part of dealing with the customer’s network.

Configuring the LAN settings on your customers’ routers typically involves setting the parameters for the dynamic host configuration protocol (DHCP), which allocates IP addresses to incoming router connections. In a highly volatile office with a high proportion of mobile clients, you may want to set a relatively short lease time of, say, half an hour (not all routers will have a lease time setting, but it’s getting more common: 3Com’s all-in-one SMB routers do, for example). That enables addresses to be returned to the pool quickly when a mobile user leaves the office.

For full protection, you may consider restricting the MAC addresses allowed to connect to the network, allowing only those devices already approved and in the office to connect. This will present problems if visitors need to connect, however, and it increases setup time for new devices without adding significantly to security (see itexpert Volume 1, Edition 1). One way around this is to configure a virtual LAN within the router. It’s unusual for a very basic residential DSL router, or even most small business models, to include VLAN capabilities but 3Com has been gradually pushing more enterprise features down into its router equipment. You can configure VLANs in its router, so that certain groups of IP addresses don’t see others.

You could configure a separate VLAN for visitors to the company, and block them from accessing specific internal resources. You could even do the same for groups of internal employees (maybe only some users should be able to access the SharePoint server, or the network share with finance data on).

Many routers today contain wireless capabilities, and these harbour the greatest potential security problems. An encryption key must be set for the network. The wired equivalency protocol (WEP) has been proven unsafe. Ignore it (and no modern router worth its salt should offer it as the only security, at this point). Instead, opt for one of the flavours of Wi-Fi Protected Access (WPA). This standard was properly ratified as WPA2 (and to be Wi-Fi certified, a router has to offer it).

For your SMB clients, you’ll probably want to stick with pre-shared key mode (commonly called WPA-PSK). This involves generating a password that is manually shared with all participating devices – and ideally, you’ll want to refresh this key at set intervals to avoid, say, visitors giving it out to unauthorised parties. How often you reset it depends on the volatility of network use at your client’s site.

There’s disagreement over the value of hiding the SSID – the name that the wireless router broadcasts to local mobile devices. This enables you to hide the router from potential hackers; your clients can then give the SSID out manually to those joining the network. However, notebooks taken out of the office will be broadcasting the name of the SSID they’re looking for and this can make them vulnerable to ‘evil twin’ attacks where they automatically connect to an SSID with the same name. A good encryption key is better protection and if you don’t think it’s worth setting the equivalent of a strong password as the seed for the encryption, bear in mind the Church of Wi-Fi, a grassroots hacker project, has used the top 1,000 default SSIDs, married with thousands of words from the dictionary, to create rainbow tables for wireless routers. WPA-PSK uses the password and the SSID together to compute a key. From this, you should draw two pieces of advice: firstly, whether you hide it or not, change the SSID to something unique. Second, use a passphrase rather than a simple password.
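The role of the SSID in the WPA-PSK key, shown as an added example that is not part of the original article: the 256-bit key is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, so a table precomputed for default SSIDs does not cover a unique one. The SSID list, word list and the names `wpa_pmk`, `build_table` and `audit` are constructed for illustration.

```python
import hashlib

# Constructed sample data for illustration, not a real SSID survey or wordlist.
COMMON_DEFAULT_SSIDS = {"linksys", "default", "NETGEAR", "dlink", "wireless"}
SMALL_DICTIONARY = {"password", "letmein1", "sunshine", "football"}


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2-PSK master key: PBKDF2-HMAC-SHA1, SSID as salt,
    4096 iterations, 32-byte output."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSIDs are 1 to 32 bytes")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode(), 4096, 32
    )


def build_table(ssids, words):
    """Model of a precomputed table: one stored key per (SSID, word) pair.
    It is only valid for the exact SSIDs it was built for."""
    return {wpa_pmk(w, s): (s, w) for s in ssids for w in words}


def audit(ssid: str, passphrase: str, table) -> list:
    """Return the findings a pre-deployment check would raise for this pair."""
    findings = []
    if ssid in COMMON_DEFAULT_SSIDS:
        findings.append("SSID is a common default")
    if passphrase.lower() in SMALL_DICTIONARY:
        findings.append("passphrase is a dictionary word")
    if wpa_pmk(passphrase, ssid) in table:
        findings.append("key is covered by the precomputed table")
    return findings


TABLE = build_table(COMMON_DEFAULT_SSIDS, SMALL_DICTIONARY)

if __name__ == "__main__":
    for ssid, phrase in [
        ("linksys", "password"),                          # default SSID, weak word
        ("AcmeDental-4F", "password"),                    # unique SSID, weak word
        ("AcmeDental-4F", "correct horse battery staple"),  # unique SSID, passphrase
    ]:
        print(f"{ssid!r} / {phrase!r}: {audit(ssid, phrase, TABLE) or 'no findings'}")
```

A unique SSID takes the key out of the table but the weak word is still flagged, which is why the article gives both pieces of advice together.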

For larger clients, you’ll find it hard to distribute and refresh pre-shared keys. The alternative is a RADIUS server, which can be used with compatible routers to authenticate users based on individual username/password configurations. Many SMB firewalls support the 802.1x authentication mechanism needed to carry out this authentication, and you can configure the Internet Authentication Service in Windows Server 2003 to operate as a RADIUS server in conjunction with Active Directory. Alternatively, you can create a free RADIUS server, using the Linux-compatible open source server code maintained by

Of course you’ll also configure the firewall, which will be an integral part of any router, including port forwarding for any applications that your clients want to grant external access to. This can also be used to grant access to devices, such as webcams with built-in servers. This could be used to let the office manager monitor the client’s site for suspicious out-of-hours activity, for example, or for a shop owner to keep an eye on staff.

A more secure approach is to use the VPN and RADIUS server to allow authenticated users into the network, and then grant them access as if they were inside the network. This requires a router that supports PPTP and IPSEC for point-to-point connections between sites, like the 3Com Wireless 11n Cable/DSL Firewall Router. Don’t expect to see an SSL VPN (which grants access to clients using simple browser-based authentication rather than requiring an installed software client) in lower-end products.

When you’re setting up remote access for your smaller clients, they may have a dynamic rather than a static IP address, which makes it difficult for them to connect with their router from a remote location, because the ISP’s DHCP server will keep switching their IP addresses. Small-business routers such as 3Com’s Wireless 11n Cable/DSL Firewall Router and Cisco’s Linksys Business Series offer dynamic DNS configuration services. By registering with a service such as Dynamic DNS, you can give your client’s network a permanent address they can use to access the router. The router then updates the service with the new IP address whenever it changes.

This can also be useful for your own practice. These routers almost always feature remote configuration capabilities, but that’s only useful if you’re able to reach them, so ensure that your client is either using a static IP address, or that the router supports DynDNS or an alternative. And while we’re on the subject, routers such as 3Com’s also include an email alert facility, so that you can be kept abreast of any suspicious activity that it spots. This moves you in the direction of managed security services, and could increase your margin.

All these features are useful, but there are some that will be in business routers but aren’t appropriate for an SMB network. If the remote router has the capability to support UPnP, you’d be advised to turn it off. The service allows devices to connect automatically to a network and obtain an IP address (a function already provided by DHCP), but it goes further. The devices can announce themselves and their services to the network. The worry is that a compromised device could use the protocol to compromise other machines on the network. Of course a compromised device could sabotage the network in other ways, but it is another avenue of attack. In any case, UPnP was designed primarily for home use, so customers are unlikely to need it.

You’ll also want to turn off ICMP (the basis for the ‘ping’ command). Leaving it on can potentially leave your clients subject to the ‘ping of death’, in which an attacker floods the router with ICMP packets. Some applications may require ICMP in rare circumstances, but you’ll generally find no problems from turning this off. And while you’re at it, block all ports on the router other than those that you need (such as ports specifically forwarded to devices or applications, or generic ports for FTP, email, or Web access that the client needs open).

How do you know what the customer really needs open? Most of them aren’t going to understand UPnP, ICMP blocking, or MAC addresses. The trick is to ask a thorough set of lay questions (do you want to access your network from outside the office? Will you always be accessing it from home?). Then, you can configure the router to support only the functions that they want and need. Following these steps should help you to close up some of the loopholes which could otherwise leave your SMB customers wide open to attack. They might not thank you for it, but at least you’ll avoid the inevitable finger-pointing if their network gateway is compromised. In this game, a little work now can save a lot of pain later.