Small Office/Home Office Router Security – Part 2

Date: 2014-05-03
·         Disable UPnP: Universal Plug and Play (UPnP) is a handy feature allowing networked devices to seamlessly discover and establish communication with each other on the network. Though the UPnP feature eases initial network configuration, it is also a security hazard. For example, malware within your network could use UPnP to open a hole in your router firewall to let intruders in. Therefore, disable UPnP when not needed.
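After turning UPnP off, it is worth confirming from inside the LAN that the router no longer advertises itself. The SSDP probe below is an added example, not part of the original article; the multicast group and M-SEARCH message are the UPnP standard, while the sample reply and the address 192.168.50.1 are constructed:

```python
import socket

SSDP_GROUP = ("239.255.255.250", 1900)  # standard SSDP multicast group and port
# M-SEARCH discovery request as defined by the UPnP Device Architecture
M_SEARCH = (
    "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\nMX: 2\r\nST: upnp:rootdevice\r\n\r\n'
).encode("ascii")
# Constructed sample reply, shaped like what a router with UPnP enabled sends back
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.168.50.1:1900/rootDesc.xml\r\n"
    b"SERVER: Linux/2.6 UPnP/1.0 ExampleRouter/1.0\r\nST: upnp:rootdevice\r\n\r\n"
)

def parse_ssdp_response(raw):
    """Parse an SSDP '200 OK' reply into {lowercase header: value}; anything else -> {}."""
    lines = raw.decode("utf-8", errors="replace").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def discover_upnp(timeout=2.0):
    """Send one M-SEARCH and list (ip, server, location) for every device that answers.
    An empty list after disabling UPnP on the router is the result you want."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    found = []
    try:
        sock.sendto(M_SEARCH, SSDP_GROUP)
        while True:
            data, addr = sock.recvfrom(4096)
            hdr = parse_ssdp_response(data)
            if hdr:
                found.append((addr[0], hdr.get("server", "?"), hdr.get("location", "?")))
    except socket.timeout:
        pass  # no more answers: silence means nothing on the LAN is advertising UPnP
    finally:
        sock.close()
    return found

if __name__ == "__main__":
    for ip, server, location in discover_upnp():
        print(f"UPnP responder at {ip}: {server} -> {location}")
```

Other UPnP devices on the LAN (media players, printers) will still answer; what matters is that the router's own address is absent from the list.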
·         Upgrade firmware: Just like software on your computers, the router firmware (the software that operates it) must have current updates and patches. Many of the updates address security vulnerabilities that could affect the network.
·         Use static IP addresses or limit DHCP reserved addresses: Most home routers are configured as Dynamic Host Configuration Protocol (DHCP) servers. DHCP makes configuration of client devices easy by automatically configuring their network settings (IP address, gateway address, DNS info, etc.). However, this also allows unauthorized users to obtain an IP address on your network. Disabling DHCP and configuring clients manually is the most secure option, but it may be impractical depending on the size of your network and support staff. If using DHCP, limit the number of IP addresses in the DHCP pool. It may limit the number of users, potentially including unauthorized users, that can connect to your network.
·         Disable remote management: Disable this to keep intruders from establishing a connection with the router and its configuration through the wide area network (WAN) interface.
·         Disable remote upgrade: This feature, if available, allows the router to listen on the WAN interface for TFTP traffic that could potentially compromise the router firmware. Therefore, it should be disabled.
·         Disable DMZ: The router's demilitarized zone (DMZ) creates a segregated network exposed to the internet, used for hosts that require internet access (web servers, etc.). Disable this feature if not needed. Users or administrators sometimes enable it for troubleshooting reasons and then forget to deactivate it, exposing any system inadvertently placed there. A firewall is recommended if this feature is used.
·         Disable unnecessary services: As with any computer system, disable all unnecessary services in order to reduce the router’s exposure.
·         Disable ping response: The ping response setting is usually disabled by default. With this feature enabled, reconnaissance on the router becomes easier than when it is disabled: the router answers ping requests issued from the internet, which potentially exposes your network to intruders. Although disabling this feature will not shield you from discovery, it will at least increase the difficulty of discovery. Verify that the service is disabled.
·         Enable router firewall: Most home routers include an internal firewall feature. Ensure this feature is activated and carefully configured to allow only authorized users and services access to the network. Activate stateful packet inspection (SPI) on your firewall if it is an available function. SPI extends firewall capability by inspecting packets to distinguish legitimate traffic from unsolicited traffic. Another feature offered by many home routers is the creation of whitelists or blacklists to allow or disallow a list of websites, services, ports, etc. Take advantage of this feature if it is available. Note that the firewall built into the router does not prevent wireless users within range of your wireless network from connecting to it.
·         Logging: Enable router logging and periodically review the logs for important information regarding intrusions, probes, attacks, etc.
·         Monitor the wireless traffic: Monitor the wireless traffic to identify any unauthorized use of your network by performing routine log reviews of the devices that have accessed the router. If an unknown device is identified, then a firewall or MAC filtering rule can be applied on the router. For further information regarding how to apply these rules, see the literature provided by the manufacturer or the manufacturer’s site.
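The two items above (enable logging, then review which devices have obtained addresses) can be turned into a routine check. The script below is an added example, not part of the original article: it parses constructed DHCP lease lines in the syslog/dnsmasq style many home routers emit, compares the MACs against a constructed allowlist, and prints candidate deny entries for the router's MAC-filter page (the "deny <mac>" form is a placeholder; real syntax varies by vendor):

```python
import re

# Constructed allowlist of devices you have authorised, keyed by MAC address
KNOWN_DEVICES = {"aa:bb:cc:dd:ee:01": "office-laptop", "aa:bb:cc:dd:ee:02": "printer"}
# Constructed sample log in the syslog/dnsmasq style many SOHO routers emit
SAMPLE_LOG = """\
May  3 08:01:12 router dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.50.11 aa:bb:cc:dd:ee:01 office-laptop
May  3 08:05:40 router dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.50.12 AA:BB:CC:DD:EE:02 printer
May  3 22:13:05 router dnsmasq-dhcp[412]: DHCPDISCOVER(br0) de:ad:be:ef:00:99
May  3 22:13:06 router dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.50.19 de:ad:be:ef:00:99 android-7c1
May  3 22:14:10 router dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.50.19 de:ad:be:ef:00:99
"""
# "<mon> <day> <time> <host> dnsmasq-dhcp[<pid>]: DHCPACK(<iface>) <ip> <mac> [<hostname>]"
DHCPACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ dnsmasq-dhcp\[\d+\]: DHCPACK\((?P<iface>\w+)\) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: (?P<host>\S+))?$",
    re.IGNORECASE,
)

def parse_leases(log_text):
    """One record per MAC (lowercased): first/last seen, IPs and hostnames."""
    seen = {}
    for line in log_text.splitlines():
        m = DHCPACK_RE.match(line)
        if not m:
            continue  # only a completed lease (DHCPACK) proves a device got onto the network
        mac = m["mac"].lower()
        rec = seen.setdefault(mac, {"first": m["ts"], "last": m["ts"], "ips": set(), "hosts": set()})
        rec["last"] = m["ts"]
        rec["ips"].add(m["ip"])
        if m["host"]:
            rec["hosts"].add(m["host"])
    return seen

def unknown_devices(log_text, known=KNOWN_DEVICES):
    """Leases granted to MACs that are not on the allowlist."""
    return {mac: rec for mac, rec in parse_leases(log_text).items() if mac not in known}

def mac_filter_candidates(unknown):
    """Deny entries to review before adding them on the router's MAC-filter page
    ('deny <mac>' is a placeholder form; the real syntax depends on the vendor)."""
    return [
        f"deny {mac}  # seen {rec['first']} to {rec['last']}, ips={sorted(rec['ips'])}, hosts={sorted(rec['hosts'])}"
        for mac, rec in sorted(unknown.items())
    ]

if __name__ == "__main__":
    for rule in mac_filter_candidates(unknown_devices(SAMPLE_LOG)):
        print(rule)
```

MAC addresses are trivially changed, so treat a filter rule as a speed bump for accidental or casual connections, not as a substitute for strong wireless encryption.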
·         Administrator workstations: Verify that any administrator workstation used to manage the router is on a trusted segment of the network to mitigate outsiders sniffing the management data and collecting information about your network.
·         Don’t use the default IP ranges: Predictable addresses make CSRF attacks easier. Instead of the default range, choose one that is not commonly used. This is a simple but effective technique for decreasing the likelihood of a successful CSRF attack.
·         Disable bridging and use network address translation (NAT): Home routers separate the internal network from the internet using network address translation (NAT). NAT provides private IP addresses for all the devices on your network. Those private addresses are not directly accessible from the internet, nor can the network’s internal addressing be discovered easily. The IP address of the router’s external interface conceals the devices on your network that sit behind it. This adds an additional layer of security.
·         Don’t forget to log out after configuring the router: Several of the routers will not automatically log out when not in use. This can result in a situation where the web browser used to configure the router remains authenticated, opening the door for CSRF attacks. Although some CSRF attacks can be successful without authentication, this simple step will thwart traditional CSRF attacks which rely upon that authenticated browser session.
·         Some routers include a feature that allows them to act as a bridge between two networks. This feature can be used to connect segments or devices on the same intranet to the internet using a router’s routable IP address. Disable this feature if not required, to further limit the attack surface of the router.
Keep in mind, this is only a list of suggested steps that can potentially help secure your small office or home router. Employing some of these suggested steps may not be feasible in your network or your environment.
Related Link:
Small Office/Home Office Router Security – Part 1
www.US-CERT.gov/


Date created: 18 Mordad 1393