Small Office/Home Office Router Security – Part 1

IRCAR201404208

Date: 2014-04-08

Introduction

Home routers have become an integral part of modern life as our use of the internet has grown to include working from home, schoolwork, social networking, entertainment and personal financial management. Wired and now wireless routers have moved into our homes to provide this connectivity. The internet service provider (ISP) typically supplies these devices pre-configured and ready to use, and users connect to the internet immediately without performing any additional configuration.

Unfortunately, the default configuration of most home routers offers little security and leaves home networks vulnerable to attack. Small businesses and organizations that lack the funding for an information technology (IT) infrastructure and support staff often use these same home routers to connect to the internet, and they too frequently set the routers up without implementing any security precautions.

Security Concerns

The default configurations of most home routers offer little security. Home routers are directly reachable from the internet, are easily discoverable, are usually powered on at all times, and in many cases are vulnerable because of misconfiguration. Together these characteristics give an intruder an ideal attack vector. The wireless features incorporated into many of these devices add a second one: anyone within radio range can reach the device without any physical connection to the network.

Mitigation

The mitigation steps listed below are designed to increase the security of home routers and reduce the exposure of the internal network to attacks from external sources.

       Change the default login username and password: Manufacturers set default usernames and passwords at the factory so that users can log in and configure the device. These defaults are published in vendor documentation and in public lists, and are well known to attackers; therefore, they should be changed immediately during the initial router installation. A strong password that uses a combination of letters and numbers and is 14 characters or longer is recommended. Furthermore, change the password every 30 to 90 days.

       Change the default SSID: A service set identifier (SSID) is the name that identifies a particular wireless LAN (WLAN). All wireless devices on a WLAN must use the same SSID in order to communicate with each other. Manufacturers set a default SSID at the factory that typically identifies the manufacturer or the actual model. An attacker can use the default name to identify the device and any vulnerabilities associated with it. The SSID is also the salt used when a WPA/WPA2-Personal passphrase is turned into the network key, so a default SSID lets an attacker reuse key tables precomputed for that name. Users sometimes set the SSID to a name that identifies their organization, their location, their own name, etc. This makes it easier for an attacker to single out a specific business or home network. For example, an SSID that broadcasts a company name is a more attractive target than a router broadcasting “ABC123”. Keep in mind that the SSID is not a secret: it is transmitted in the clear in beacon and probe frames, so the rules below are about avoiding a default or identifying name, not a substitute for a strong pre-shared key. When choosing an SSID, apply rules similar to the password policy above:

o    The SSID should be longer than eight characters (the 802.11 standard limits it to 32 bytes).

o    Use letters, numbers and symbols in the SSID.

o    Change the SSID periodically and do not reuse previous names.

       Configure WPA2-AES for data confidentiality: Wired Equivalent Privacy (WEP) was the original 802.11 mechanism for confidentiality and access control, but it has serious, well-documented weaknesses: flaws in its use of the RC4 cipher let an attacker recover the key from captured traffic in minutes, regardless of key length. WEP was superseded by Wi-Fi Protected Access (WPA), an interim standard based on a draft of IEEE 802.11i, and then by WPA2, which implements the full 802.11i standard. WPA and WPA2 provide stronger authentication and encryption using per-session keys derived dynamically rather than a single static key. Both come in Personal and Enterprise versions. WPA-Personal, also referred to as WPA-PSK (Pre-Shared Key), was designed for homes and small offices: all devices share one passphrase and no authentication server is required. If using WPA-PSK, set a long pre-shared key (the passphrase may be 8 to 63 printable ASCII characters; stay well above the minimum) and change it periodically. WPA-Enterprise requires a RADIUS authentication server, uses the Extensible Authentication Protocol (EAP), and provides added security, but it entails a larger budget and a more complicated implementation. WPA2 encrypts with AES (in CCMP mode) using 128-bit keys, an algorithm accepted by government agencies, whereas WPA uses TKIP, which is itself RC4-based and has known weaknesses. WPA2 with AES is the most secure option; it requires that every wireless client support WPA2. If some device cannot, WPA is the fallback, and WEP is the least secure option. If WEP cannot be avoided, configure it with the 128-bit key option and the longest key the router administrator can manage, but treat that network as untrusted, because the key can still be recovered.
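
As an added example (not code from the original article or from US-CERT), the following Python script checks an admin password and an SSID against the policies in the three items above, and derives a WPA/WPA2-Personal pre-shared key the way the standard does (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 256-bit output). The default-credential and default-SSID sets are constructed samples, and the thresholds follow the article's numbers; the derivation shows that the same passphrase yields a different key under a different SSID, which is why a factory-default SSID weakens WPA2-Personal even though the SSID itself is public.

```python
"""
Added example (not part of the original article or the US-CERT paper):
a small checker for the router admin password and SSID policies given
above, plus the standard WPA/WPA2-Personal key derivation, which shows
why the SSID matters even though it is broadcast in the clear.
"""
import hashlib
import secrets
import string

MIN_PASSWORD_LEN = 14       # article: 14 characters or more
MIN_SSID_LEN = 9            # article: longer than eight characters
MAX_SSID_LEN = 32           # 802.11: an SSID is at most 32 bytes
PSK_ITERATIONS = 4096       # fixed by the WPA/WPA2-Personal specification
PMK_LEN = 32                # 256-bit pairwise master key

# Constructed samples for illustration only; real default-credential and
# default-SSID lists are far longer and vendor specific.
DEFAULT_LOGINS = {("admin", "admin"), ("admin", "password"),
                  ("admin", "1234"), ("root", "root")}
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "tp-link", "default"}


def password_issues(username, password):
    """Return the reasons an admin login violates the policy (empty list = OK)."""
    issues = []
    if (username.lower(), password) in DEFAULT_LOGINS:
        issues.append("factory default credentials")
    if len(password) < MIN_PASSWORD_LEN:
        issues.append(f"shorter than {MIN_PASSWORD_LEN} characters")
    if not any(c.isalpha() for c in password):
        issues.append("no letters")
    if not any(c.isdigit() for c in password):
        issues.append("no digits")
    return issues


def ssid_issues(ssid, identifying_words=()):
    """Return the reasons an SSID violates the policy; identifying_words are
    names (company, street, surname) that must not appear in it."""
    issues = []
    if len(ssid.encode("utf-8")) > MAX_SSID_LEN:
        issues.append(f"longer than {MAX_SSID_LEN} bytes")
    if len(ssid) < MIN_SSID_LEN:
        issues.append("eight characters or fewer")
    if not any(c.isalpha() for c in ssid):
        issues.append("no letters")
    if not any(c.isdigit() for c in ssid):
        issues.append("no digits")
    if not any(c in string.punctuation for c in ssid):
        issues.append("no symbols")
    if ssid.lower() in DEFAULT_SSIDS:
        issues.append("factory default name")
    for word in identifying_words:
        if word.lower() in ssid.lower():
            issues.append(f"reveals '{word}'")
    return issues


def wpa_psk(passphrase, ssid):
    """Pairwise master key for WPA/WPA2-Personal:
    PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    if not 8 <= len(passphrase) <= 63 or not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PSK_ITERATIONS, PMK_LEN)


def random_passphrase(length=20):
    """Generate a passphrase that satisfies password_issues(); usable for
    both the admin login and the WPA2 pre-shared key (use different ones)."""
    if length < MIN_PASSWORD_LEN:
        raise ValueError(f"length must be at least {MIN_PASSWORD_LEN}")
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_=+"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_issues("", candidate):   # retry until letters and digits present
            return candidate


if __name__ == "__main__":
    print("admin/admin:", password_issues("admin", "admin"))
    print("SSID 'Acme-Corp-Wifi':", ssid_issues("Acme-Corp-Wifi", ["Acme"]))
    # Same passphrase, different SSID -> different key: a table precomputed
    # for the default name "linksys" is useless against a custom SSID.
    pw = "correct horse battery"
    for name in ("linksys", "k7#Qp9!xLm2"):
        print(f"{name:12s} -> {wpa_psk(pw, name).hex()}")
    print("generated passphrase:", random_passphrase())
```

Run it directly to see the checks on sample inputs. On a real router, one generated passphrase goes into the WPA2-Personal field and a separate one into the admin login; the key derivation is shown only to make the SSID's role visible, the router performs it itself.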

 

       Limit WLAN coverage: Wired LANs are inherently more secure than WLANs because they are protected by the physical structure in which they reside, whereas a wireless signal frequently extends beyond the walls of a home or office, which allows eavesdropping and connection attempts by intruders outside the perimeter. Therefore, antenna placement, antenna type and transmit power level are important aspects to consider, and the coverage area should be limited when securing the WLAN. A centrally located omni-directional antenna is the most common type used; where possible, use a directional antenna to confine coverage to the areas that need it. Experimenting with the router's transmit power setting and measuring signal strength at the perimeter will also help limit coverage to only the areas needed. Note that a reduced signal raises the effort for an attacker but does not remove the risk: a high-gain antenna can still pick up a weak signal from well outside the building, so coverage limits complement encryption rather than replace it.

       Turn the network off when not in use: Shutting the network down is the ultimate wireless security measure, since a powered-off router cannot be attacked. While it may be impractical to turn the devices off and on frequently, consider this approach during travel or extended periods offline.

In part 2, we’ll look at the other mitigation steps to increase the security of home routers.


Resource:

www.US-cert.gov

 

Created: 18 Mordad 1393 (9 August 2014)
