Wednesday, October 17, 2007

Securing your (wireless) router

If you have managed to configure your router successfully and know how to use the web interface of your router, there are a few things you should always do to secure your router against intruders and others. Again: please make those changes only from a computer wired to the router, not over the wireless link!

Change the default password of the router configuration
This password protects the web interface of the router. Anyone who knows this password and can get access to your router can make changes to the router configuration. Most routers use a fixed default password like "admin" or "password". Therefore it is usually a good idea to change this default password to a strong, hard-to-guess password. You should also do this on a wired router, even if you think no one will be able to (physically) access your router. One day you may run into some malware which is clever enough to configure port forwarding on your router so that it is accessible from the internet. For this, the password is required. Thus, please change it!

The rest of this entry only applies to wireless routers (or access points in this respect).

Change the SSID (wireless network name) to something unique
Like the default password, many wireless routers use a default wireless network name (SSID, e.g. "linksys" or "NETGEAR") and have no wireless security set up. You should change this to something unique, i.e. not used by any other wireless network in your proximity. Some routers use a part of their MAC address as SSID (e.g. "0DA53B4C"). This would be O.K. as it is unique, although certainly harder to remember and somewhat cryptic. The reason why it is important to have a unique SSID is to make sure that your computer will always connect to your wireless router and not to your neighbor's. This is important even if you have wireless security enabled. Running the same SSID as somebody else may result in delays or disconnects on your wireless links because your laptop sometimes confuses the wireless router to which it is talking and gets disconnected until it finds its way back to your own router. Therefore: change the SSID to something unique. It is a good idea to scan your neighborhood with your laptop to see what SSIDs they use. Use a nickname or something like that for your SSID.

Enable wireless security
Without wireless security all wireless transmissions are in plaintext. Anyone in your proximity can eavesdrop on you and find out which hosts you access and which web sites you read, and possibly even read your e-mails if you don't use an encrypted connection to your e-mail server. Without wireless security only connections using SSL (e.g. https websites, pop3s or imaps mail servers) are secured. Nothing else. DNS host name resolution happens unencrypted, thus anyone is able to see which hostnames you access and their IP addresses. Without wireless security it is extremely simple to set up a rogue wireless router with the same SSID as yours, and with a slightly boosted transmitter your computers will connect to the rogue router, giving full access to everything transferred. Your computer will simply connect to the strongest signal of an access point with your SSID.

Therefore: you have to enable wireless security. Anything else is not secure. In most new routers you have 4 basic choices: WPA2, WPA, WEP 104/128 bit, and WEP 40/64 bit. WEP is considered insecure as it can be cracked within minutes and an attacker is able to find out your WEP keys quickly. WPA and the new (fully standardized) WPA2 are both considered secure at this time. Therefore, it is highly recommended to use WPA or WPA2 wireless security to protect your network. With WPA and WPA2 all your transmissions are strongly encrypted and access to your wireless network is well protected, too.

For each of those four choices you usually find at least two variants: one targeted at private and small networks and one targeted at enterprises. The latter requires additional servers like RADIUS servers which you usually don't have in your home network. Enterprise variants allow user-based access control to the wireless network. Thus you usually have to stick with the easier variant for home networks which uses predefined/fixed/pre-shared keys or passphrases. If you are unsure how the variants are labeled on your router simply try them and see what information you have to enter for each variant. If you have to enter some (RADIUS) server address it is probably an enterprise variant.

If you want to use WPA or WPA2, look for the "Personal" or "PSK" variant. For WPA there is sometimes only the choice of the encryption algorithm used: TKIP or AES. TKIP is the encryption algorithm for WPA. AES is the (slightly stronger) encryption algorithm for WPA2. Thus WPA with AES is basically WPA2 and WPA with TKIP is normal WPA. WPA2 is backward compatible and can be configured to accept older WPA clients and newer WPA2 clients, i.e. clients that use either TKIP or AES. If you have some wireless clients which only know WPA with TKIP you should configure WPA2 with AES+TKIP. This will automatically select the strongest AES encryption with wireless clients which support it and will select the (not less secure) TKIP encryption for those which don't. As both encryption algorithms are considered very secure, it does not affect the security of your wireless network.

The last thing to enter for WPA or WPA2 with pre-shared key/passphrase is the passphrase. The passphrase must be between 8 and 63 characters long. The overall security of your wireless network depends on the quality of your passphrase. Potential attacks against your network basically have to try different passphrases hoping to find the correct one in a reasonable time. Thus if your passphrase is just a simple word like "password" it is more vulnerable to brute-force dictionary attacks. A wireless network should therefore be protected with a longer, strong, hard-to-guess passphrase. In general, you only have to enter the passphrase once on your wireless devices and then the device will remember it for future connections. This makes it easier to employ 63-character randomly generated passphrases in a wireless network. You can either simply copy the key from the router interface while the computer is still wired to the router, or you use a USB stick to copy the key to the laptop.

Again: you should not use WEP anymore. It is considered insecure and quickly cracked. If you use WEP, make sure that you do not use the passphrase/password on the computers to connect to your wireless router. The passphrase is only used to generate the real encryption keys (usually four of them). The algorithm for deriving the keys from the passphrase is not standardized (unlike WPA/WPA2 where it is standardized), thus different manufacturers do it differently. It is better to copy the WEP key itself to your computer. Use the first key in the list of four and make sure that the first key is selected as transmit key on the router if it allows this setting. The easiest way to copy the key is to use the hexadecimal representation. Hex digits consist of the numbers 0-9 and the letters A-F. A WEP key in hex digits is either 10 or 26 characters long. WEP 40/64 bit keys have 10 hex digits. WEP 104/128 bit keys have 26 hex digits. Hex digits are the easiest way to enter the key correctly.
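As an added example (not code from the original post), the following Python script ties together three points above: it generates a random 63-character WPA/WPA2 passphrase, checks a WEP key given in hex digits for the 10- or 26-digit length, and derives the WPA/WPA2 pre-shared key from passphrase and SSID with the derivation standardized in IEEE 802.11i (PBKDF2-HMAC-SHA1, 4096 iterations), which is why the same passphrase works on any vendor's device while a WEP passphrase does not. The SSID and the sample keys in it are constructed; the function names are my own.

```python
import hashlib
import re
import secrets
import string

# Alphabet for generated passphrases: printable ASCII without the space
# character, so copying the key to a laptop cannot silently drop a blank.
PASSPHRASE_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_wpa_passphrase(length: int = 63) -> str:
    """Generate a random WPA/WPA2 pre-shared-key passphrase (8 to 63 chars)."""
    if not 8 <= length <= 63:
        raise ValueError("a WPA/WPA2 passphrase must be 8 to 63 characters long")
    return "".join(secrets.choice(PASSPHRASE_ALPHABET) for _ in range(length))


def is_valid_wpa_passphrase(passphrase: str) -> bool:
    """A WPA/WPA2-PSK passphrase is 8 to 63 printable ASCII characters."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


def wep_key_bits(hex_key: str):
    """Return the WEP key size (40 or 104 bits) for a key given as hex digits.

    10 hex digits = WEP 40/64 bit, 26 hex digits = WEP 104/128 bit. Anything
    else (wrong length, non-hex characters) returns None so that a mistyped
    key is caught before it is entered on a client.
    """
    key = re.sub(r"[\s:-]", "", hex_key)   # tolerate "AB:CD:.." or "AB-CD-.." spellings
    if not re.fullmatch(r"[0-9A-Fa-f]+", key):
        return None
    return {10: 40, 26: 104}.get(len(key))


def wpa_psk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2 pre-shared key from passphrase and SSID.

    This is the derivation standardized in IEEE 802.11i: PBKDF2 with HMAC-SHA1,
    the SSID as salt, 4096 iterations, 32 bytes of output. Every router and
    client computes the same key from the same passphrase and SSID, unlike WEP,
    where the passphrase-to-key mapping is vendor specific.
    """
    if not is_valid_wpa_passphrase(passphrase):
        raise ValueError("invalid WPA/WPA2 passphrase")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


if __name__ == "__main__":
    ssid = "MyUniqueSSID"                       # constructed example SSID
    passphrase = generate_wpa_passphrase(63)   # the 63-character key the post recommends
    print("passphrase:", passphrase)
    print("derived PSK:", wpa_psk_from_passphrase(passphrase, ssid).hex())
    print("WEP key size:", wep_key_bits("0A1B2C3D4E"), "bit")   # constructed 10-digit key
```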

Manual initial configuration of a router (Part 3)

Connecting the modem with the router
You have made it so far. The router is prepped. If necessary you have changed the LAN IP address of the router to avoid conflicts. You know the default IP address of the router and you know how to connect to the web interface. Great. Power down the modem and the router. Now wire the internet/WAN port of your router to the ethernet port on your modem. Please make sure that no other computer is connected to the modem, in particular if your modem also has a USB port. With most modems you cannot use the USB port and the ethernet port at the same time. Connect the modem to your phone/cable line. Power up the modem first. Wait until it is fully up and running. Next power up the router. Wait until the router is up.

On the computer wired to the router, open the web interface of the router again. You now have to configure or check the internet connection settings. Depending on your router you may find those settings in a separate category like "WAN settings". On Linksys routers these are the first few settings on the first setup tab.

First thing you have to do is to choose the correct type of connection. You have found out before what your ISP uses, i.e. DHCP, PPPoE, PPPoA, or similar. Find this setting in your router and change it for your ISP. Most routers will probably have DHCP by default. If you need DHCP only for your internet connection you probably won't have to change this.

DHCP: there should be nothing else to configure on your router if you need only DHCP (unless your ISP specifically told you otherwise).

PPPoE/PPPoA: choose the right type and the web site should change and show you fields where you can enter the username and password for your ISP internet connection.

Static IP: choose Static (or manual) IP address on the router and enter all the IP addresses and values you have found in step 1 into the respective fields. You have to enter IP address, subnet mask, default gateway and DNS server(s).

That's all. If you chose the correct type and entered the correct values or passwords your router is prepared for your internet connection. Save the changes on the page and wait until the router has rebooted.

Check the internet connection on the router
Most routers have a status page where you can see the current connection status of the router. Now is a good time to have a look at this page. If the status page is O.K. then you should see at least the WAN/internet IP address of the router, together with all the other numbers which you found in part 1 on your computer when it was directly connected to the internet. The IP address does not have to be identical but it will probably be similar. If the status page looks good you should have a working internet connection now. Open a URL on the internet, e.g. http://www.google.com/, and see if it works.

If the status shows that it is not connected (e.g. you have an IP address 0.0.0.0) you have to check a few things. First thing is to use any renew/connect button or similar if your status page has this. If the status page shows an error message or you'll see an error message if you press the button please note the exact error message. If it is something like "The PPP server refused your username or password" check for the correct username and password in the PPPoE configuration.

The MAC address clone "problem"
If you only need DHCP on your internet connection but your router gets no IP address and only shows 0.0.0.0 or an error message that the DHCP server did not respond or assign an IP address (you probably have a cable TV ISP), you have probably run into a common problem: ISPs which use DHCP usually try to limit the number of public IP addresses you can use at a time. This limit is usually 1. Thus, you cannot connect multiple computers directly to the modem at the same time. Only one will get the IP address and have internet.

ISPs usually do this by remembering the MAC address of the device which connects through their modem and line and blocking any other traffic with a different MAC address. The MAC address is the hardware address of an ethernet card/adapter. It should be unique worldwide; in particular your router and your computer have different ones. As you have connected your computer directly to the modem before and had internet, this may mean that your ISP has now reserved the line for your computer. (You could call your ISP to check if they really do this and how to reset it.)

Usually, to reset this "lock" it is enough to reset the modem or to power it down for a few minutes, a few hours, or maybe overnight. Either they notice the turned-off modem or they have a simple timer after which the lock expires. You have to ask your ISP what exactly they use. If you are patient, sleep a night over it and the next day power everything up again. Remember that you must have the router connected to the modem when you power up the modem! Some ISPs actually never expire the lock unless you call them.

If you are not so patient you can try the MAC address clone function of your router. Most routers have this. Basically, you can change the MAC address of your router to anything you like. This allows you to set the MAC address of your router to the MAC address of the ethernet card of the computer which you used before directly on the modem. Again, you have to search the web interface or the documentation of your router to find the place where they have hidden this function. With many routers it is quite easy to clone/use the MAC address of the computer in question if you connect to the web interface from the computer whose MAC address you want to clone. In that case the router is able to detect the MAC address automatically. Linksys and Netgear routers have a button like "Clone this PC's MAC address" and it fills in the fields automatically. (The MAC address is also shown as "Physical Address" in the "ipconfig /all" output for your Local Area Connection.) Remember to save the change of the MAC address.

Afterwards check the status page again to see if there is any difference now.

Still not working?
This gets more difficult. I'll expand this section over time with common problems and their solutions. Until then you should contact support or ask for help in one of the support forums. By now, you should have learned the basics of your setup and you should know where to find the relevant information (mostly on the status page of the router and in the output of "ipconfig /all"). Post a precise problem description. If you get any error messages at any time, post the exact text of the error message. If you have made some non-standard changes (e.g. changed the LAN IP address) post the details and why you did this. It helps others to understand your current situation faster. Posting the status page and the full output of "ipconfig /all" usually helps a lot to get a detailed view of your configuration.

Manual initial configuration of a router (Part 2)

Connecting the router
O.K. Now that we have collected all information which may be helpful, it is time to connect to the router. Please always do the initial configuration of a router over a wired connection. Although it is possible in theory to configure the router completely from a wireless computer, it is highly advisable not to do so, simply because otherwise you'll never know if it is really your wireless router which you are configuring or your neighbor's.

Thus, use an ethernet cable for the initial configuration! O.K. Set up the router. Plug in the power cord and connect it to power. Do not connect anything else to the router yet. Wait until the router has booted up and the lights stop flashing/blinking or whatever they do during booting. Now wire a computer to one of the LAN ports on the router. If possible, use the computer which you have used before to connect to the internet directly through the modem. Again, do not connect the router to the modem yet. All you want at this moment is a wired connection from the router to the computer.

Now run "ipconfig /all" again. This now shows the settings on your computer when connected to the router. This time all information should be in the local area connection. The default gateway IP address and the DHCP server IP address should be identical. It is the IP address of your router. Please write it down. You'll need it in a second. For Linksys routers this is usually 192.168.1.1. For Netgear it is usually 192.168.0.1. Take a note of the subnet mask, too. You should also find this default IP address of the router in the documentation which came with the router.

Avoiding address conflicts
This only applies if you had two different IP addresses in the modem check before: you have to make sure that your router which you configure now does not create an ip address/subnet conflict with the modem or whatever router there is on your path to the internet. This requires some math. But most of the time the situation is very simple. Anyway, what you have to make sure is that the IP subnet used when the computer was not connected to your new router does not overlap with the IP subnet used in the LAN of your new router. If it overlaps the router cannot work properly.

In most cases the subnet mask is 255.255.255.0 which makes this much easier to find out: if you found with "ipconfig /all" above that your router has IP address 192.168.1.1 and subnet mask 255.255.255.0 then all IP addresses 192.168.1.* belong to the LAN IP subnet. With subnet mask 255.255.255.0 the first three numbers are fixed and only the fourth number can vary.

Now, you will have a problem if your new router uses the same IP subnet as the modem/router to which you will connect it. Again, if you found the subnet mask 255.255.255.0 before in the modem check in part 1 it is simple. You have a conflict if the IP address found in the modem check in part 1 uses the same first three numbers as you just found connected to your new router. For instance if you found that your computer had an IP address of 192.168.1.123 with subnet mask 255.255.255.0 when it was directly connected to the modem and now you find that your computer has an IP address of 192.168.1.100 with subnet mask 255.255.255.0 when connected to the router this means you will have an IP address/subnet conflict if you connected the modem and the router without any further changes.

To fix this problem the easiest way is to change the default IP address of your new router. If you move the IP address of your new router outside the IP subnet used by your modem then you have resolved the conflict. Again, with subnet mask 255.255.255.0 this is fairly simple: change the third number of the IP address. For instance, change the IP address of your new router from 192.168.1.1 to 192.168.2.1. Please remain inside 192.168.*.* as those addresses are reserved for private use. We'll change the LAN IP address in a moment...
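As an added illustration (not from the original post), this Python snippet does the subnet math described above with the standard ipaddress module: it checks whether the subnet found in the modem check overlaps the new router's LAN subnet and, if so, proposes the next free 192.168.x.0/24 inside the private range, e.g. moving the router from 192.168.1.1 to 192.168.2.1. It goes a little beyond the /24 case in the text, since overlaps() works for any subnet mask; the function names are my own.

```python
import ipaddress


def lan_subnet(ip: str, mask: str) -> ipaddress.IPv4Network:
    """Return the subnet an address/netmask pair belongs to, e.g.
    192.168.1.100 with 255.255.255.0 -> 192.168.1.0/24."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def subnets_conflict(modem_ip: str, modem_mask: str,
                     router_ip: str, router_mask: str) -> bool:
    """True if the subnet seen in the modem check (part 1) overlaps the LAN
    subnet of the new router. With two /24 masks this is the post's rule
    "same first three numbers"; overlaps() handles other masks as well."""
    return lan_subnet(modem_ip, modem_mask).overlaps(lan_subnet(router_ip, router_mask))


def pick_free_lan_subnet(taken, start: ipaddress.IPv4Network,
                         prefixlen: int = 24) -> ipaddress.IPv4Network:
    """Pick the first subnet of the given size inside the private 192.168.0.0/16
    range that overlaps none of the (ip, mask) pairs in `taken`. Candidates are
    tried starting just after `start` (the router's current subnet), which
    mirrors the post's advice to change the third number, e.g. .1 -> .2."""
    taken_nets = [lan_subnet(ip, mask) for ip, mask in taken]
    candidates = list(ipaddress.ip_network("192.168.0.0/16").subnets(new_prefix=prefixlen))
    ordered = [c for c in candidates if c > start] + [c for c in candidates if c <= start]
    for candidate in ordered:
        if not any(candidate.overlaps(t) for t in taken_nets):
            return candidate
    raise RuntimeError("no free /%d subnet left in 192.168.0.0/16" % prefixlen)


def suggest_router_address(modem_ip: str, modem_mask: str,
                           router_ip: str, router_mask: str) -> str:
    """Return the router LAN address to use: unchanged when there is no
    conflict, otherwise the first host of a free private /24."""
    if not subnets_conflict(modem_ip, modem_mask, router_ip, router_mask):
        return router_ip
    free = pick_free_lan_subnet([(modem_ip, modem_mask)], lan_subnet(router_ip, router_mask))
    return str(next(free.hosts()))


if __name__ == "__main__":
    # The post's example: 192.168.1.123/24 seen behind the modem, router default
    # 192.168.1.1/24 -> conflict, so the router should move to 192.168.2.1.
    print(subnets_conflict("192.168.1.123", "255.255.255.0", "192.168.1.1", "255.255.255.0"))
    print(suggest_router_address("192.168.1.123", "255.255.255.0", "192.168.1.1", "255.255.255.0"))
```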

Accessing the router web configuration interface
Now it is time to make changes to the router settings. For this you have to connect to the web interface of the router. You open a browser and enter the IP address of your router which you have written down before. For instance, for a Linksys router you should have found 192.168.1.1 above and thus you enter 192.168.1.1 or http://192.168.1.1/ if you like into your browser.

I would recommend having a look in the manual to find out how exactly you connect to the web interface of your router and in particular what the default username and password are. With some routers like Netgear's you don't have to enter the IP address; you can also enter the URL http://www.routerlogin.net or similar instead. That sometimes makes it easier.

Moreover, you'll need the default username and password for your router. For Linksys you usually don't have to enter any username. The default password is "admin". For Netgear the default is usually username "admin" and password "password". But please check the documentation of your router (which either came in the box, is maybe on the CD or available for download from the web site of the router manufacturer).

Anyway, enter the URL or the IP address of your router into your browser, enter the default username and default password and you should see the first setup page of your router. Some routers make heavy use of JavaScript. If the first setup page does not load correctly but only partially, make sure that JavaScript is enabled in your browser and that your software firewall is not filtering JavaScript (e.g. for pop-up blocking).

For the initial setup you'll have to find where you do the basic settings for the WAN and LAN. On Linksys routers you usually find all this on the very first setup page you'll see when you connect to the web interface. Other routers show a status page instead and you have to select some category like basic settings, WAN settings, LAN settings or similar. Again, the documentation may help you to find your way around.

Change the LAN IP address of the router
Now that you have managed to get into the web interface of your router you can start with the initial configuration. The router is still not connected to the modem! If you found before that you have an IP address/subnet conflict and you have to change the LAN IP address of your router, this should be the first thing to do. If you did not find a conflict or the modem check showed a direct connection to the internet you can skip this step.

Find the LAN settings of your router. Find where the IP address of the router is set at the moment. You know the IP address which you have found above, thus you know what you are looking for. For Linksys it is usually somewhere in the middle of the first setup page. The address you have found was probably 192.168.1.1 and that is the address you should see there at the moment. Change the address to something else, e.g. 192.168.2.1. Save the changes on this page. The router will now reboot and you'll lose the connection. That's O.K.

After the router resumes normal operation, try to connect to the new IP address of your router, e.g. http://192.168.2.1/. If it does not work, unplug the ethernet cable for 30 seconds, then plug it back in, or reboot the computer. Your computer needs a new IP address from the router inside the new IP subnet 192.168.2.*. Once the computer has got the new IP address from the router you should be able to connect to the web interface on the new IP address. Please write down the new IP address for reference. If your router does not use a nice URL like Netgear's www.routerlogin.net you'll need the new IP address in the future and in particular for all following steps.

O.K. With this change the router is prepped to be connected to the modem now. That was a lot of preparation but the remaining steps should be much easier now...

Manual initial configuration of a router (Part 1)

Many routers in the consumer and SOHO price range come with little documentation and a CD which you are supposed to use for the installation of the router: you simply insert the CD and the software on the CD will automatically guide you through the whole installation process.

Sometimes this does not work, though. For instance, you only have a Mac and the software on the CD is usually only for Windows. Sometimes the software is just not intelligent enough to figure out why it is not working and never succeeds.

However, there is no need to use this CD or the software on the CD to configure a standard router. Most routers (I think even all except Apple Airport Express/Extreme) have a web based configuration interface through which you can make all necessary adjustments to get the router running on your internet connection. You can access this interface with a normal browser like Firefox or Internet Explorer which has JavaScript enabled. (Please note that some software firewalls tend to block the JavaScript making the interface inoperable.)

The initial configuration of a router is fairly simple, in fact, with some pitfalls on the way (into which the CD software likes to fall, too, I think) which you can get around quickly if you are properly guided. As people quite often need access to the web interface at some point anyway to make more advanced settings, there is no reason why you should not start with that right from the beginning and configure your router yourself. That way, you know what you did, learn more about your router and its workings and thus may get full "control" of your router instead of relying on some software on some CD which makes all those initial settings hidden from you in the background.

Thus, let's start now to do the basic configuration of your router. You'll check first what kind of modem you have and a few settings on your computer and how it establishes its internet connection at the moment. Then you'll set up the internet connection on the router and check if it is working. If not, you can make a few tests and changes to find out why it is not working and how to fix it. Next, some basic security configurations of the router which are highly advisable during the initial setup in particular if you have a wireless router.

The modem connection
O.K. You have your router in the box. Before you hook it up, let's do some checks on your current internet connection and your modem. Connect your computer to the modem and make sure you have a working internet connection. Please note that you have to connect the computer with an ethernet cable and use the ethernet port on the modem. You cannot and should not test this with a USB connection if your modem has a USB port as well. Moreover, if your modem only has a USB port then this procedure will most likely not work for you. Most routers only connect to the modem via ethernet. You won't get your router running together with a USB modem. At least not the way it is supposed to be used and the way the following procedure requires.

The ISP internet connection
To configure the internet connection correctly you should know the following things, which you usually find in the documentation from your ISP. You may also call them to ask which of these apply to your internet connection. Later we'll double-check most of these things, thus it is not absolutely necessary that you have this information at hand. However, it would help a lot if you did.
  • Internet connection type: Usually DHCP or PPPoE. Some providers use PPPoA instead of PPPoE. If it is PPPoA please make sure that your router really supports PPPoA. Many routers do not support PPPoA. Another rare option is a static IP address. If you have a static IP address please check with your ISP if this is really a simple static IP address to be used or if it is PPPoE with a static IP address. Both are different. For the latter you still have to configure PPPoE as connection type. Be warned: some routers (most Linksys routers for instance) do not support PPPoE with a static IP address supplied on your side. You can only configure normal PPPoE and the ISP should assign your connection the static IP address automatically. But you cannot configure the static IP address with a PPPoE connection on your router then. (The "Static IP" option as internet connection type is something different as it does not use PPPoE.)
  • If it is DHCP there is usually no further information needed to connect.
  • If it is PPPoE you usually need a user name and password. This may be the standard user name and password you use to access other resources at your ISP. Some ISPs require a special form for the username to be used on the internet connection. Check the documentation or ask your ISP.
  • PPPoA is similar to PPPoE.
  • Static IP (i.e. the option static IP without PPPoE) requires an IP address, subnet mask, default gateway IP address and one or more DNS server IP addresses.
  • PPPoE with static IP requires the same information as the previous static IP plus a user name and password.
Modem check
Now make the modem check. The first thing to take note of is whether those two IP addresses mentioned in the check are in fact identical or not. If they are not identical, there is another router with network address translation (NAT) somewhere in the path between your computer and the internet. Most often, this is the modem itself which also has a router component built in. If you live in an apartment building and use the internet connection supplied in the building it is probably somewhere in the building. If you use some other internet connection shared with others they probably already have a router somewhere.

If both addresses are not identical please take a note of the IP address and subnet mask. You must later know that to avoid IP address conflicts in case your router uses the same IP addresses you found on your computer now. If they are not equal you usually see IP addresses like 192.168.0.*, or 192.168.1.*, etc. with a subnet mask of 255.255.255.0. If it is your modem which has those router functions as well you should consider putting the modem into "bridge" mode, i.e. turning off those router functions. That way your router will have a direct internet connection which is usually easier to use. But this is not covered in this blog entry. In the following configuration we leave the modem/router device you have just like it is.

If both addresses are identical then your computer is directly connected to the internet. There are a few rare instances (I think some satellite modems) where this is not true but it should not matter here.

Some more information from ipconfig /all
If you have a printer you may consider printing out the full output of "ipconfig /all" from the modem check before. There are a few things you can check to verify that the information collected above for your internet connection is in fact correct. First, take a look at which adapter is the one which has the IP address on the computer. If it is the PPP adapter you use PPPoE or PPPoA on your internet connection (many DSL providers use PPPoE or PPPoA). You entered the username and password when you created the connection in Windows.

If it is the Local Area Connection or similar then you have a normal connection, i.e. without PPPoE or PPPoA. ipconfig shows whether you have DHCP enabled or not. If it is enabled then you have a normal DHCP internet connection (e.g. many cable TV ISPs use this). If DHCP is disabled you seem to have a static IP address on your computer.

Also take a note of the default gateway and DHCP server IP address. If you found two different IP addresses in the previous modem check then the default gateway IP address is the IP address of the next router on your path to the internet. In that case you will see identical IP addresses for the DHCP server and default gateway which means that the next router is also running a DHCP server.
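As an added example (not part of the original post), the following Python script reads an "ipconfig /all" dump and applies the reasoning of the last three paragraphs: an address on a PPP adapter means PPPoE/PPPoA, otherwise "Dhcp Enabled" decides between DHCP and a static IP, and a private 192.168.x.x, 10.x.x.x or 172.16-31.x.x address on the active adapter means another router sits between the computer and the internet, so its subnet must be noted for the conflict check in part 2. The two sample dumps are constructed in the Windows XP output layout; adapter names, addresses and MACs are invented.

```python
import ipaddress
import re
import textwrap

# Constructed sample dumps in the Windows XP "ipconfig /all" layout.
SAMPLE_DHCP_BEHIND_MODEM_ROUTER = textwrap.dedent("""\
    Ethernet adapter Local Area Connection:

            Physical Address. . . . . . . . . : 00-11-22-33-44-55
            Dhcp Enabled. . . . . . . . . . . : Yes
            IP Address. . . . . . . . . . . . : 192.168.0.10
            Subnet Mask . . . . . . . . . . . : 255.255.255.0
            Default Gateway . . . . . . . . . : 192.168.0.1
            DHCP Server . . . . . . . . . . . : 192.168.0.1
            DNS Servers . . . . . . . . . . . : 192.168.0.1
                                                203.0.113.2
    """)

SAMPLE_PPPOE_DSL = textwrap.dedent("""\
    Ethernet adapter Local Area Connection:

            IP Address. . . . . . . . . . . . : 0.0.0.0
            Default Gateway . . . . . . . . . :

    PPP adapter My DSL Provider:

            Dhcp Enabled. . . . . . . . . . . : No
            IP Address. . . . . . . . . . . . : 203.0.113.45
            Subnet Mask . . . . . . . . . . . : 255.255.255.255
            Default Gateway . . . . . . . . . : 203.0.113.45
            DNS Servers . . . . . . . . . . . : 203.0.113.2
    """)

FIELD_RE = re.compile(r"^\s+(.+?)[ .]*:\s*(.*)$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ipconfig(text: str) -> dict:
    """Parse "ipconfig /all" output into {section: {field: [values]}}. Sections
    are the unindented "... adapter ...:" lines; an indented line without a
    colon continues the previous field (e.g. a second DNS server)."""
    sections, section, last_field = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                  # new adapter section
            section, last_field = line.strip().rstrip(":"), None
            sections[section] = {}
            continue
        m = FIELD_RE.match(line)
        if m and section is not None:
            last_field = m.group(1).strip()
            values = sections[section].setdefault(last_field, [])
            if m.group(2).strip():
                values.append(m.group(2).strip())
        elif section is not None and last_field is not None:
            sections[section][last_field].append(line.strip())
    return sections


def _first(fields: dict, name: str):
    values = fields.get(name, [])
    return values[0] if values else None


def _has_usable_address(ip) -> bool:
    # 0.0.0.0 and 169.254.x.x (autoconfiguration) mean no address was obtained
    return bool(ip) and ip != "0.0.0.0" and not ipaddress.ip_address(ip).is_link_local


def classify_connection(text: str) -> dict:
    """Apply the post's reasoning: PPP adapter with an address -> PPPoE/PPPoA;
    otherwise "Dhcp Enabled" decides between DHCP and static IP. An RFC 1918
    address means another NAT router (often the modem) sits in the path."""
    adapters = parse_ipconfig(text)
    active = None
    for name, fields in adapters.items():
        if _has_usable_address(_first(fields, "IP Address")):
            active = (name, fields)
            if name.startswith("PPP adapter"):
                break                              # an established PPP link wins
    if active is None:
        return {"connection_type": "none", "adapter": None}
    name, fields = active
    ip = ipaddress.ip_address(_first(fields, "IP Address"))
    if name.startswith("PPP adapter"):
        ctype = "PPPoE/PPPoA"
    elif (_first(fields, "Dhcp Enabled") or "").lower() == "yes":
        ctype = "DHCP"
    else:
        ctype = "Static IP"
    return {
        "adapter": name,
        "connection_type": ctype,
        "ip": str(ip),
        "mask": _first(fields, "Subnet Mask"),
        "gateway": _first(fields, "Default Gateway"),
        "dhcp_server": _first(fields, "DHCP Server"),
        "dns_servers": fields.get("DNS Servers", []),
        "behind_another_router": any(ip in net for net in RFC1918),
    }
```

Paste your own "ipconfig /all" output in place of a sample and call classify_connection() on it to get the connection type and the values to write down.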

Disconnect the internet connection
If you use PPPoE or PPPoA on the internet connection please disconnect the connection now. You can usually click on the network connection in the network connections control panel and click disconnect, or choose disconnect from the right-click context menu. Disconnect the network connection and, once it shows the disconnected state, unplug the cable from the modem. Please also make sure that your computer does not automatically reconnect. Check in the internet options control panel. On the Connections tab you should have the choice whether or not to "dial" a connection. Please make sure you have "Never dial a connection" selected here.

For DHCP connections you may use the ipconfig command in a command prompt window like before. Enter "ipconfig /release *" to release all DHCP IP addresses. You have to be administrator on the computer to do this.

For static IP address connections (without PPPoE) you have to reconfigure the network adapter for DHCP as you need DHCP behind the router. You have to change that in the properties of the local area connection in the network connections control panel in the properties for the IP protocol element. Set IP address and DNS servers to be received automatically.

Now you have cleaned up your internet connection.