Basic Router Security
Volume in John R Hines' Computer Security for Mere Mortals, short documents that show how to have the most computer security with the least effort

John R Hines
Net+ Certified, Security+ Certified, Consulting Security Engineer, LLC
JohnRichardHines@ConsultingSecurityEngineer.com

"Plagiarism is when the author steals from one source; scholarship is when the author steals from many sources." Anonymous
"Facts are stubborn things; and whatever may be our wishes, our inclinations, or the dictates of our passions, they cannot alter the state of facts and evidence." John Adams

Oholiab's First Law: The Suits' need for computing power expands until all the Geeks' servers are 100% utilized running database queries and printing reports during business hours
Corollary to Oholiab's First Law: Development can only access the servers purchased for development when nobody else wants them
Oholiab's first law of security (Murphy's first law of planning): The important things are simple
Oholiab's second law of security (Murphy's second law of planning): The simple things are very hard

Warning: If you're not smart enough to sort the cow pies from the pearls in these notes, you do not have permission to read these notes!

Copyright © Consulting Security Engineer LLC. All rights reserved 2016
ISBN N/A
Version 1.201707262300

Suggested reading (when you have time)
Kill Process by William Hertling
Security by Poul Anderson (badly formatted but great ideas)

Contents
Security
  Is security a new problem?
  What is security?
  What is computer security?
  What is a low-reward measure?
  What is a reasonable measure?
  What is an unreasonable measure?
  What will you find in these notes?
Routers
  What about routers?
  What is a router?
  What is a firewall (hardware firewall)?
  What is a wireless router?
  What is a wired router (hard-wired router)?
  What is router firmware?
  What is "flashing the ROM"?
  Where should my router be placed?
  What simple reasonable measures will improve your router security?
  Default problem #1: Router firmware (software in hardware) is typically out of date before you buy it
    What is a zero-day attack (zero-day exploit)?
    What is an attacker?
    Mistake #1A: Buying a bargain router
  Default problem #2: The default password is written on the side of the router
    What's a dictionary password attack?
    What's a strong password?
    Mistake #2A: Not saving the changed password in a secure place
  Default problem #3: Most router hacks come from WIFI issues, not from cable issues
  Default problem #4: WIFI networks should always use WPA2 encryption
    Mistake #4A: Using WEP encryption on your router
    Mistake #4B: Having no encryption on your router
  Default problem #5: WIFI name and password defaults are often chosen to simplify installation, not to secure the router
    Mistake #5A: Not saving the changed WIFI password (passwords) in a secure place
  Default problem #6: WIFI signals should not go (too far) beyond your office
    Mistake #6A: Buying a large area router for a small office
Appendices
  Appendix I: What about networks?
    What is a network (computer network)?
    What is a gateway?
    What is a LAN (Local Area Network) (Local network)?
    What is a network address (network number)?
    What is a network device?
    What is a network edge?
    What is a network node (computer network node) (network host) (node)?
    What is a network segment?
    What is a subnet (subnetwork) (network subnet)?
    What is an intranet (Intranet) (private network)?
    What is IP (Internet Protocol)?
    What is the internet (Internet) (public network)?
    What is an IP address (Logical address) (Network address)?
    What is TCP (Transmission Control Protocol)?
    What is WIFI (Wi-Fi) (Wifi) (WiFi) (Wireless networking) (Unbounded media)?
    What is wired (hard-wired)?
    What is wireless?
  Appendix II: How does a router link (connect) an intranet to the internet?
  Appendix III: How do I find my router's IP address?
  Appendix IV: What hardware do I need to use my router?
  Appendix V: How do I access my router?
  Appendix VI: How do I reset my router back to the built-in name and password?
What documents are part of this series?
Biography

Security

Is security a new problem?
No! Security has always been a problem! Even strong men have always had security concerns: "When the strong man, fully armed, guards his own dwelling, his goods are safe. But when someone stronger attacks him and overcomes him, he takes from him his whole armor in which he trusted, and divides his spoils." (Luke 11:21-22)
Criminals form gangs to defeat strong men. Captain Grose's 1811 Dictionary of the Vulgar Tongue (nineteenth century lexicographer) lists 23 occupations required for a complete "gang of misrule" (crime family). My dictionary gives these as "... For men, there are fourteen roles: (1) ruffler, (2) upright man, (3) hooker (angler), (4) rogue, (5) wild rogue, (6) priggers of prancers, (7) palliards, (8) frater, (9) jarkman (patricoe), (10) whip jacket, (11) drummerer (dommerer), (12) drunken tinker, (13) swadder (pedlar), and (14) Abram man. For women (and children) there are nine roles: (1) demander for glimmer or fire, (2) bawdy basket, (3) morts, (4) autem mort, (5) walking morts, (6) doxy, (7) dell, (8) kinching mort, and (9) kinching cove." (Buy my book if you want to know what all these specialties are.)
Add hackers and testers and you have the kind of crime family HP describes in The Business of Hacking, capable of stealing from the strong as well as the weak.

What is security?
The dictionary definition of security is "being free from danger or threat". Experience proves no one is secure, at least in the dictionary sense.
Solomon had a different take on security (or, maybe, on the lack of security): "The race is not to the swift or the battle to the strong, nor does food come to the wise or wealth to the brilliant or favor to the learned; but time and chance happen to them all" (Ec 9:11). (Back in the day, bumper stickers on the back of pickups often summarized Solomon's quote in two words: "Excrement happens".)
Damon Runyon, writer of "Guys and Dolls", offered an amendment to Solomon's advice: "The race is not always to the swift, nor the battle to the strong, but that's the way to bet."
The way to be secure is to be skilled and hope to be lucky. And (if you've read any of Runyon's other works) the way not to be secure is to be unskilled (unless you're very, very lucky).
So, I suggest a different definition of security that emphasizes our part in keeping ourselves secure: "things done and things left undone that give as much control as possible over the future". Be skilled (the things done), be careful (the things not done), and hope to be lucky.
One more quote: "Luck is what happens when preparation meets opportunity" (Seneca, First Century AD, possibly misattributed). Prepare for Murphy to knock on your door. A disaster for the unprepared is an opportunity for the prepared.

What is computer security?
The dictionary says, "measures taken to safeguard code, information, and systems". A more sensible definition of computer security is "(1) reasonable measures taken to safeguard code, information, and systems, (2) unreasonable measures not taken to safeguard code, information, and systems, and (3) low-reward measures not taken". Unfortunately, reasonable, unreasonable, and low-reward are (like beauty) in the mind of the beholder.

What is a low-reward measure?
A security measure that has a small payoff for the inconvenience, money and time associated with the measure. Many measures advocated by security professionals are low-reward measures for non-security professionals who do not have an in-house professional to help them.

What is a reasonable measure?
A security measure that has a significant payoff for the inconvenience, money and time associated with the measure.
Reasonable measures that are not terribly inconvenient for a nonprofessional and require little money and time should ALWAYS be implemented.
Reasonable measures that are terribly inconvenient for a nonprofessional but require only a small amount of time and money should be implemented when possible. (Maybe hire a professional for a half day?)
Reasonable measures that are not inconvenient for a nonprofessional but require a small amount of time and money should be implemented when possible. (I define a small amount of money as my monthly business cell phone and internet bill. You may have a different definition.)
Reasonable measures that are terribly inconvenient for a nonprofessional and require a lot of money should only be implemented if you suspect you are a potential target.
Warning: If you (1) are involved in politics or social issues, (2) are visible in your community for some reason, or (3) have strange family members or neighbors, then you should suspect you are a target.

What is an unreasonable measure?
A security measure that has become popular wisdom but probably is of little value. (A few years ago, one argument for switching from a PC to a Mac was "Macs don't get viruses." If that was ever true, it isn't now, but many Mac sales people and users still believe it and repeat it to non-Mac users.)

What will you find in these notes?
What I think are reasonable and unreasonable measures and what are low-reward measures. Send me an email at JohnRichardHines@ConsultingSecurityEngineer.com to let me know when I'm wrong. Thanks, John

Routers

What about routers?

What is a router?
Hardware (with firmware and software) that forwards data packets between networks. Connected to at least two networks, located at gateways (places where two or more networks connect). Does not forward broadcasts or corrupted packets. Typically implements a hardware firewall. Operates at OSI layer 3 (the network layer). Its switched, full-duplex ethernet ports avoid the collisions of older shared-media ethernet. In small networks, the same device typically routes packets to and from both wire-connected and wireless-connected devices.
Alternative: Traffic management devices that connect network segments.
Note: Router logs may tell you whether an intruder breached internal systems.
Note: Home routers are typically controlled from a PC (PCs) connected by wire; i.e., there is no "out of band" management port on most home routers.

What is a firewall (hardware firewall)?
Hardware and/or a set of related programs, located at a network gateway (and usually on each network PC), which protects the resources of a private network (and networked PCs) from users on other networks (and from other users on the private network) by examining traffic. (The term also implies the security policy used with the programs.)

What is SPI (Stateful Packet Inspection) (stateful inspection)?
Keeping track of the state of network connections (such as TCP streams and UDP exchanges) so that only replies to traffic a machine on the inside started are let back in. Useful tool for detecting and preventing (some kinds of) hacking.

What is a wireless router?
Provides network connectivity by WIFI, usually through a WAP (wireless access point) built into the router.
Note: Almost all wireless routers also have wired ethernet connections.
Note: A wireless router with wired connections is always a better buy than a wired router. Eventually you'll need wired connections.

What is a wired router (hard-wired router)?
Provides network connectivity for computers connected to it by ethernet cables. Typically supports ethernet at 10 Mbps/100 Mbps/1 Gbps.

What's a strong password?
At least eight characters long, does not contain your user name, real name, or company name, does not contain a complete word, is significantly different from previous passwords, and contains characters from the following categories: uppercase letters, lowercase letters, numbers, symbols found on the keyboard (all keyboard characters not defined as letters or numerals), and spaces. (Length, complexity, and unpredictability.)
Note: Eight characters is a floor, not a target. A WPA2 WIFI passphrase may be up to 63 characters long, and against a dictionary attack extra length helps more than any single symbol does.

Mistake #2A: Not saving the changed password in a secure place
If you've read Basic Windows 10 Security, you already know my recommendation for saving passwords in a secure place. Here's another password to put in that secure place. Typically, one copy in your bank box and one in a "secure" container somewhere hard to get at. NEVER save the password near the router or near your computer. (My eleven-year-old grandson knows how to "toss" a work area to find passwords: he learned how watching NCIS.)
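The rules above can be checked mechanically before you commit a new router or WIFI password to your secure place. The PowerShell below is an added example written for these notes, not code from the notes themselves. It implements each rule as listed; the things the notes leave open are this example's own assumptions and are marked as such in the comments: "does not contain a complete word" is checked against a small stand-in word list (a real check would use a dictionary file), "significantly different" is taken to mean at least half the characters change (edit distance), and "contains characters from the following categories" is taken to mean at least three of the five categories. The candidate passwords and names are constructed for the demonstration.

```powershell
# Added example for "What's a strong password?" (not from the original notes).
# Checks a candidate against the rules listed above and reports every rule it breaks.

function Get-EditDistance {
    # Levenshtein distance: the number of single-character inserts, deletes or
    # substitutions needed to turn $a into $b. Used for "significantly different".
    param([string]$a, [string]$b)
    $prev = 0..$b.Length
    for ($i = 1; $i -le $a.Length; $i++) {
        $cur = @($i) + (@(0) * $b.Length)
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i-1] -ceq $b[$j-1]) { 0 } else { 1 }   # -ceq: case matters in passwords
            $cur[$j] = [Math]::Min([Math]::Min($cur[$j-1] + 1, $prev[$j] + 1), $prev[$j-1] + $cost)
        }
        $prev = $cur
    }
    return $prev[$b.Length]
}

function Test-StrongPassword {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string[]]$ForbiddenNames = @(),        # user name, real name, company name
        [string[]]$PreviousPasswords = @(),
        # Assumption: stand-in for a real dictionary; replace with Get-Content of a word list
        [string[]]$WordList = @('password', 'router', 'admin', 'welcome', 'secret', 'tenda')
    )
    $problems = New-Object System.Collections.Generic.List[string]

    if ($Password.Length -lt 8) { $problems.Add('shorter than 8 characters') }

    foreach ($n in $ForbiddenNames) {
        if ($n -and $Password.IndexOf($n, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $problems.Add("contains the name '$n'")
        }
    }
    foreach ($w in $WordList) {
        if ($Password.IndexOf($w, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $problems.Add("contains the word '$w'")
        }
    }
    foreach ($old in $PreviousPasswords) {
        $d = Get-EditDistance $Password $old
        # Assumption: "significantly different" = at least half the characters changed
        if ($d -lt [Math]::Ceiling($Password.Length / 2)) {
            $problems.Add("too close to a previous password (edit distance $d)")
        }
    }

    # The five categories the notes list; assumption: at least three must be present
    $categories = 0
    if ($Password -cmatch '[A-Z]')        { $categories++ }
    if ($Password -cmatch '[a-z]')        { $categories++ }
    if ($Password -match  '[0-9]')        { $categories++ }
    if ($Password -match  '[^A-Za-z0-9 ]'){ $categories++ }   # keyboard symbols
    if ($Password -match  ' ')            { $categories++ }   # spaces
    if ($categories -lt 3) { $problems.Add("uses only $categories of the 5 character categories") }

    [pscustomobject]@{
        Password = $Password
        Strong   = ($problems.Count -eq 0)
        Problems = $problems.ToArray()
    }
}

# Constructed candidates for the demonstration; none of these are real passwords.
$names = @('psmith', 'Pat Smith', 'Smith Plumbing')
Test-StrongPassword -Password 'admin123'        -ForbiddenNames $names | Format-List
Test-StrongPassword -Password 'psmith2017!'     -ForbiddenNames $names | Format-List
Test-StrongPassword -Password 'Kv7#mq Lp2$wz9R' -ForbiddenNames $names -PreviousPasswords @('Kv7#mq Lp2$wz9Q') | Format-List
Test-StrongPassword -Password 'Kv7#mq Lp2$wz9R' -ForbiddenNames $names -PreviousPasswords @('Smith-Plumbing-2015') | Format-List
```

The first candidate fails on the word "admin" and on using only two categories; the second fails only because it contains the user name; the third is rejected because it is one character away from its predecessor; the last passes every rule. Run the function on the real router password and the real WIFI password separately, since the notes require that the two never be the same.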
Default problem #3: Most router hacks come from WIFI issues, not from cable issues
Yes, cables can be hacked. But it's hard, it's usually dirty work, and it usually has to be done inside your office. Phones and tablets have to use WIFI, but computers don't unless you have a very strange office space. You can pay a professional cabler to run cables, but often you can connect every computer in your office using prefabricated cables from Fry's or Micro Center.
Note: You will still need WIFI for phones and tablets, but just using cable instead of WIFI will keep the most important parts of your network safe (well, safer).
Warning: Every computer attached to the router by cable has access to the router's administration page. That's another reason to change the router password.

Default problem #4: WIFI networks should always use WPA2 encryption
WPA2 with the AES (CCMP) cipher is secure, provided the passphrase is strong: an attacker who records one device joining the network can try a dictionary attack against that passphrase offline. WPA (the original TKIP-based version) is pretty secure but is deprecated and should only be kept for a device that cannot do WPA2; on most routers that means choosing "WPA2 only" or "WPA2-AES" rather than the "WPA/WPA2 mixed" setting. WEP is NOT secure.
Note: Document the encryption used so you can get a new router up quickly if the old one dies.

Mistake #4A: Using WEP encryption on your router
Yes, it's a choice on almost all routers, but it should never be used. Even PC Magazine knows how to crack WEP!
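Windows can tell you what encryption your own router and your neighbours' routers advertise without any extra software: `netsh wlan show networks mode=bssid` lists every network in range with its Authentication and Encryption lines. The PowerShell below is an added example written for these notes, not code from the notes, that parses that listing and grades each network against Default problem #4 (WEP and "no encryption" are Mistakes #4A and #4B; WPA or a TKIP cipher is a downgrade to fix). The listing in the script is a constructed sample shaped like real netsh output; the names and addresses in it are invented.

```powershell
# Added example for Default problem #4 (not from the original notes).
# Parses the output of:  netsh wlan show networks mode=bssid
# and flags every network whose authentication or cipher is below WPA2/AES.

# Constructed sample in the shape of netsh output; not a capture of real networks.
$sample = @'
SSID 1 : Hunting_Box
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP
    BSSID 1                 : 02:00:00:aa:bb:01
         Signal             : 80%

SSID 2 : Tenda_19BCC0
    Network type            : Infrastructure
    Authentication          : WPA-Personal
    Encryption              : TKIP
    BSSID 1                 : 02:00:00:aa:bb:02
         Signal             : 40%

SSID 3 : FrontDeskPrinter
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : WEP
    BSSID 1                 : 02:00:00:aa:bb:03
         Signal             : 35%

SSID 4 : Guest
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : 02:00:00:aa:bb:04
         Signal             : 30%

SSID 5 : 
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP
    BSSID 1                 : 02:00:00:aa:bb:05
         Signal             : 20%
'@

function Get-WlanAudit {
    param([Parameter(Mandatory)][string]$NetshOutput)
    $networks = @()
    $current  = $null
    foreach ($line in $NetshOutput -split "`r?`n") {
        if ($line -match '^SSID\s+\d+\s*:\s*(.*)$') {
            if ($null -ne $current) { $networks += $current }
            $ssid = $Matches[1].Trim()
            if (-not $ssid) { $ssid = '(hidden name)' }   # a hidden SSID still shows up, just blank
            $current = [ordered]@{ SSID = $ssid; Authentication = ''; Encryption = ''; BSSIDs = @() }
        }
        elseif ($null -ne $current -and $line -match '^\s+Authentication\s*:\s*(.+?)\s*$') { $current.Authentication = $Matches[1] }
        elseif ($null -ne $current -and $line -match '^\s+Encryption\s*:\s*(.+?)\s*$')     { $current.Encryption = $Matches[1] }
        elseif ($null -ne $current -and $line -match '^\s+BSSID\s+\d+\s*:\s*([0-9a-f:]+)') { $current.BSSIDs += $Matches[1] }
    }
    if ($null -ne $current) { $networks += $current }

    foreach ($n in $networks) {
        # First matching rule wins, so the worst findings are listed first.
        $verdict = switch -Regex ("$($n.Authentication)/$($n.Encryption)") {
            '^Open/None'             { 'Mistake #4B: no encryption'; break }
            'WEP'                    { 'Mistake #4A: WEP, crackable in minutes'; break }
            '^WPA-'                  { 'WPA (TKIP): move to WPA2'; break }
            '^WPA2.*/TKIP'           { 'WPA2 but TKIP cipher: switch to AES/CCMP'; break }
            '^WPA[23].*/(CCMP|GCMP)' { 'OK'; break }
            default                  { 'Unknown: check by hand' }
        }
        [pscustomobject]@{
            SSID           = $n.SSID
            Authentication = $n.Authentication
            Encryption     = $n.Encryption
            BSSID          = ($n.BSSIDs -join ', ')
            Verdict        = $verdict
        }
    }
}

Get-WlanAudit -NetshOutput $sample | Format-Table -AutoSize

# To audit the networks actually around you (Windows, WIFI adapter enabled):
#   Get-WlanAudit -NetshOutput ((netsh wlan show networks mode=bssid) -join "`n")
```

On the sample, Hunting_Box and the hidden network come back OK, Tenda_19BCC0 is flagged for WPA/TKIP, FrontDeskPrinter for WEP, and Guest for no encryption. Note that the hidden network is listed all the same: hiding the name removes it from the casual list but not from a scan, which is the point of the note under Default problem #5.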
Mistake #4B: Having no encryption on your router
Yes, it's a choice on almost all routers, but it should never be used.

Default problem #5: WIFI name and password defaults are often chosen to simplify installation, not to secure the router
WIFI names (sometimes called SSIDs) should be bland and vague, giving no information about the router. Tenda violates this by making default names from "Tenda" plus a six-character suffix (for example, my Tenda router defaults to "Tenda_19BCC0"). Anyone with a WIFI analyzer on their phone or tablet instantly knows they can hack the router if they can find a crack for a Tenda AC1900. When I change the name to "Hunting_Box", they get no information about the router's manufacturer or model: they have to try random cracks.
Note: Renaming hides the model but not always the maker. The same WIFI analyzer shows the router's BSSID (the MAC address of its radio), and the first three bytes of that address are a manufacturer prefix. Treat the bland name as removing an easy clue, not as camouflage.
Note: It is possible to hide a WIFI router name. Some advocate it. I don't: hiding the router name is waving a red flag at hackers that says, "Hey, I've got stuff that is so valuable that I am hiding." Hiding in plain sight is always better than hiding in secrecy. A hidden name is also not really hidden: any analyzer that watches one of your devices join the network sees the name.
Warning: WIFI passwords should be strong passwords but NEVER the same as the router (administration) password: if a dictionary password attack cracks your WIFI password, the attacker should still have to crack your router password to get into your router.

Mistake #5A: Not saving the changed WIFI password (passwords) in a secure place
See Mistake #2A.

Default problem #6: WIFI signals should not go (too far) beyond your office
The farther WIFI signals go, the easier it is to hack the WIFI part of the router. A guy sitting in front of your office pounding on a laptop is much more obvious than a guy sitting at a table in the park across the street pounding on a laptop. The default for many routers is to broadcast the strongest signal (so it goes the farthest). You should set transmit power to the lowest level and test coverage. If the office isn't covered, increase the power level and test coverage again. Repeat until you have coverage.
Note: Lower power shrinks the area; it does not replace WPA2 and a strong passphrase. An attacker with a directional antenna hears a weak signal from farther away than your phone does.
Warning: Document the acceptable transmit power so you can quickly replace a defective router.

Mistake #6A: Buying a large area router for a small office
Read the information on the box.

Appendices

Appendix I: What about networks?

What is a network (computer network)?
Connected graph where the nodes are computer network nodes and the edges are computer-to-computer connections.

What is a gateway?
Network node that is an entrance to another network. Often a router.

What is a LAN (Local Area Network) (Local network)?
Hardware and software that turns terminals, workstations, servers, and hosts into a single network environment in a small geographic region like a building.
Alternative (more modern): A network segment that may or may not be connected to another network. Larger networks are created by "gluing" two or more LANs together, typically with a router.

What is a network address (network number)?
Bit pattern that uniquely identifies a network node. In IPv4, four bytes (32 bits), written as four decimal numbers from 0 to 255 separated by dots, for example 192.168.0.1. In IPv6, sixteen bytes (128 bits), written as eight groups of four hex characters separated by colons.

What is a network device?
Component (hardware) that connects ("glues") computers or other electronic devices together to share files or resources. Usually a network node.

What is a network edge?
Single physical connection between two computers. Sometimes used as a synonym for connection (network connection).
Alternative: Cable with connectors at both ends that connects two nodes.

What is a network node (computer network node) (network host) (node)?
An addressable device attached to a computer network.

What is a network segment?
Logical group of computers that share a network resource like a router, a VLAN, or a group of switch ports.

What is a subnet (subnetwork) (network subnet)?
Logical, visible subdivision of an IP network. Computers that belong to a subnet are addressed with a common, identical most-significant bit group in their IP address (the part the subnet mask marks with 1 bits).
Note: The practice of dividing a network into two or more networks is called subnetting.

What is an intranet (Intranet) (private network)?
Private network combining existing LAN and WAN technologies and new Internet technologies. Has all the features of the Internet. Intranets typically use the private address blocks 10.x.x.x, 172.16.x.x through 172.31.x.x, or 192.168.x.x. (127.x.x.x is not a private LAN block; it is the loopback range every machine uses to talk to itself, and it is never routed.) Typically connected to the (one and only) internet by a router but may be stand-alone. See Internet.

What is IP (Internet Protocol)?
Basic protocol of the Internet. It enables the unreliable delivery of individual packets from one host to another. It makes no guarantees about whether or not a packet will be delivered, how long it will take, or whether multiple packets will arrive in the order they were sent. Protocols built on top of it add the notions of connection and reliability.

What is the internet (Internet) (public network)?
Large network with millions of hosts from many organizations and countries around the world. Amalgamation of many smaller networks. Data travels by a common set of protocols (starting with TCP/IP). All (well, almost all: ignore 10.x.x.x, 127.x.x.x, 172.16.x.x through 172.31.x.x and 192.168.x.x) internet addresses are unique.

What is an IP address (Logical address) (Network address)?
In IPv4, 32 bits, or a quad of octets (bytes). In IPv6, 128 bits, or sixteen octets (bytes), written as 32 hex characters. A software address, not a hard-coded address (the hard-coded one is the MAC address of the network interface).

What is TCP (Transmission Control Protocol)?
Reliable, connection-oriented transport protocol that sits on top of IP and adds ordering, acknowledgement and retransmission of lost packets. See UDP.

What is WIFI (Wi-Fi) (Wifi) (WiFi) (Wireless networking) (Unbounded media)?
Local area wireless technology to exchange data or connect to the internet (usually using the 2.4 GHz UHF and 5 GHz SHF bands).

What is wired (hard-wired)?
Connected to other devices by cables, usually ethernet cables. See Ethernet.

What is wireless?
Connected to other devices by WIFI (typically through a WAP).

Appendix II: How does a router link (connect) an intranet to the internet?
You need an internet address (actually, you need a public IP address, but they are pretty much the same thing) to be on the internet. Your home network does not have one. So, how do you get one?
You might try to buy one or more IP addresses. However, all (almost all) the usable internet addresses are already owned. It would be really expensive (much more than your lifetime beer and coffee expenditures combined). Worse, you would have to search really hard to find someone willing to sell you one. So, buying one or more is not a workable plan.
Fortunately, both idealism and profit motivate (some) IP owners called ISPs (Internet Service Providers) to lease or let you temporarily use as many IP addresses as you can afford to pay for. The cost of leasing a single IP address (a dedicated line) is so expensive (maybe a decade of beer and coffee expenditures for a single year's lease) that you are more likely to temporarily use an ISP's IPs. The cost of temporarily using a single IP address is so expensive (maybe a year of beer and coffee expenditures to pay for a year's temporary use) that most people have access to only one IP and use tricks that allow all their computing devices to share that one. (Yes, it's more complex than that, but why go there?)
Warning: You typically use an IP from a pool of currently unused IPs at the ISP, so you seldom get the same IP from your ISP. But you don't need to know what IP the ISP is letting you use; the ISP handles all of that!
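Your side of the router carries one of the private address blocks from Appendix I, and Appendix III shows how to read the router's address off ipconfig by hand. The PowerShell below is an added example written for these notes, not code from the notes, that does the same reading automatically and adds the two checks that catch a mis-wired or hijacked setup: the gateway must be on the same subnet as your PC (computed from the subnet mask, the way the subnet definition in Appendix I describes) and it must carry a private (RFC 1918) address. The ipconfig text in the script is a constructed sample using the same numbers as Appendix III; to run it against your own PC use the live command shown in the last comment.

```powershell
# Added example for Appendices II and III (not from the original notes).
# Reads IPv4 address, subnet mask and default gateway out of ipconfig output,
# works out the LAN subnet, and checks that the gateway (the router) is on that
# subnet and uses a private address.

# Constructed sample in the shape of ipconfig output, using the numbers in Appendix III.
$sample = @'
Windows IP Configuration

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : tendawifi.com
   Link-local IPv6 Address . . . . . : fe80::7002:9ba9:d9eb:f7bb%24
   IPv4 Address. . . . . . . . . . . : 192.168.0.185
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
'@

function ConvertTo-IPNumber ([string]$Dotted) {
    # "192.168.0.185" -> one 32-bit number, first octet most significant
    $b = $Dotted.Split('.') | ForEach-Object { [long]$_ }
    return ($b[0] -shl 24) -bor ($b[1] -shl 16) -bor ($b[2] -shl 8) -bor $b[3]
}

function ConvertFrom-IPNumber ([long]$n) {
    return '{0}.{1}.{2}.{3}' -f (($n -shr 24) -band 255), (($n -shr 16) -band 255), (($n -shr 8) -band 255), ($n -band 255)
}

function Test-PrivateIPv4 ([long]$n) {
    # RFC 1918 blocks: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 (127/8 is loopback, not private)
    return (($n -shr 24) -eq 10) -or (($n -shr 20) -eq 0xAC1) -or (($n -shr 16) -eq 0xC0A8)
}

function Get-LanInfo ([string]$IpconfigText) {
    $ip = $mask = $gw = $null
    foreach ($line in $IpconfigText -split "`r?`n") {
        # ipconfig pads the labels with dots; "[\s.]*:" skips them. Last adapter wins.
        if     ($line -match '^\s*IPv4 Address[\s.]*:\s*([\d.]+)')    { $ip   = $Matches[1] }
        elseif ($line -match '^\s*Subnet Mask[\s.]*:\s*([\d.]+)')     { $mask = $Matches[1] }
        elseif ($line -match '^\s*Default Gateway[\s.]*:\s*([\d.]+)') { $gw   = $Matches[1] }
    }
    if (-not ($ip -and $mask -and $gw)) { throw 'no IPv4 address, subnet mask and default gateway found' }

    $ipN = ConvertTo-IPNumber $ip; $maskN = ConvertTo-IPNumber $mask; $gwN = ConvertTo-IPNumber $gw
    $prefix = ([Convert]::ToString($maskN, 2) -replace '0', '').Length   # count of 1 bits in the mask

    [pscustomobject]@{
        PC            = $ip
        Router        = $gw
        Network       = "$(ConvertFrom-IPNumber ($ipN -band $maskN))/$prefix"
        RouterOnLan   = (($ipN -band $maskN) -eq ($gwN -band $maskN))   # same most-significant bits
        RouterPrivate = (Test-PrivateIPv4 $gwN)
        AdminUrl      = "http://$gw/"
    }
}

Get-LanInfo $sample | Format-List

# Live, on your own Windows PC (no administrator rights needed):
#   Get-LanInfo ((ipconfig) -join "`n")
```

For the sample this reports the PC at 192.168.0.185, the router at 192.168.0.1, the network 192.168.0.0/24, RouterOnLan and RouterPrivate both True, and the address to type into the browser in Appendix V. If RouterPrivate ever comes back False on a home network, the machine is not behind the router you think it is behind.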
Just don't assume you always have the same internet IP.
Your ISP will give you access to a single temporary IP address with reasonable (reasonable, like beauty, is in the eye of the beholder) bandwidth by running a wire to your home (if one doesn't already exist) and installing a cable modem in your house.
Warning: If a wire (either from a cable company or a telephone company) is not already in place near your home, you may have to resort to a cell phone-like connection from a cell phone company.
If you only have one device in your home (very unlikely), the ISP's technician can connect it directly to the cable modem and you are on the internet. If you have more than one device in your home (everybody does: computers, internet TV, phones and tablets), then a router (one of the tricks I mentioned) is required. The router will sit between the cable modem and your devices. The router collects all the internet requests from all the devices, rewrites them so that they all appear to come from the single borrowed IP address (the trick is called NAT, Network Address Translation), and sends them out. When responses to the requests come back, the router uses the record it kept of each request to return each response to the device that asked for it. A useful side effect: nobody on the internet can start a connection to one of your devices through the router unless you deliberately set one up (port forwarding).

Appendix III: How do I find my router's IP address?
On Windows 10, open a cmd window or a PowerShell window (administrator rights are not needed). At the prompt, type "ipconfig" and press Enter. ipconfig returns information about your system and its private LAN, something like:

Windows IP Configuration

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : tendawifi.com
   Link-local IPv6 Address . . . . . : fe80::7002:9ba9:d9eb:f7bb%24
   IPv4 Address. . . . . . . . . . . : 192.168.0.185
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1

Your private LAN is a /24 (what older books call a class C: the subnet mask 255.255.255.0 says the first three numbers, 192.168.0, identify the network and the last number identifies the device), your system has been assigned the private IP 192.168.0.185 (from the IPv4 Address), and your router has been assigned 192.168.0.1 (from the Default Gateway). But the only thing you need to know is that the router is at the gateway.

Appendix IV: What hardware do I need to use my router?
Four items: (1) a computer with an ethernet port (usually 1 Gbps) on the back; (2) a ten-foot (or longer) Cat 5e or Cat 6 ethernet cable with RJ45 connectors on both ends (works in 1 Gbps, 100 Mbps and 10 Mbps ethernet networks); (3) a magnifying glass (best to get one with a light powered by AAA cells or similar) to read the built-in router name and router password on the back of the router; and (4) a pin, needle or straightened metal paper clip (to reset the router).

Appendix V: How do I access my router?
Once you know (1) the IP of the router (read "How do I find my router's IP address?") and (2) the password (look on the back of the router and WRITE DOWN the name and password; you may find both a wired (administration) password and a wireless (WIFI) password, and if so write down both and identify which is which):
Connect the ethernet connector on the back of your computer to one of the four (or eight) same-color RJ45 connections on the back of the router (the LAN ports, not the separate WAN or Internet port that goes to the modem); then
Open your browser, enter the router's IP address, 192.168.0.1 or http://192.168.0.1, in the browser address window, then press "ENTER".
Warning: Manage the router over a cable, not over WIFI. Some routers refuse wireless administration logins; on those that allow it, using the cable keeps router administration out of reach of anyone who has cracked your WIFI password. There are fifty-foot-long Cat cables at most big computer stores, so you should be able to connect to the router over cable.
After some kind of login procedure, you should see the main router window, which looks something like the image below.

Appendix VI: How do I reset my router back to the built-in name and password?
Usually, on the back of the router there is a hole with a label like "RESET" or "RST". There is a small pushbutton inside the hole. Insert a pin or some other thin stiff item at least 1" long into the hole. Push the pin into the hole and hold down the button for about 10 seconds. The router erases all your changes and loads the factory defaults: the name and password printed on the router work again, and so do the default WIFI name and password, so go back through Default problems #2, #4 and #5 right after a reset. (A reset does not change the firmware version.)

What documents are part of this series?
Volume 1: 5-Minute security talk
Volume 2: 15-Minute security talk
Volume 3: Basic Windows 10 Security
Volume 4: Basic Router Security
Volume 5: Basic Network Security
Volume 6: Basic Browser Security
Volume 7: Advanced Windows 10 Security
Volume 8: Advanced Router Security
Volume 9: Advanced Network Security
Volume 10: Advanced Browser Security
Volume 11: Basic Windows Security
Volume 12: Basic Phone and Tablet Security

Biography
John R Hines has degrees from two party schools (the University of Colorado and Arizona State University). He was a professional engineer in Texas. He has been a semiconductor engineer, a programmer, a writer and a teacher. Since he retired to Lucas, Texas, he has been writing eBooks for Amazon, thinking about computer security and taking CompTIA certification tests (he is A+, Net+, and Security+ certified). In the 1980s, the US Patent and Trademark Office granted him six patents and he began writing about using computers to solve problems. He wrote a book about circuit simulation and taught SPICE (Simulation Program with Integrated Circuit Emphasis) classes at Fortune 500 companies. In the 1990s, he had computer-related columns in popular trade magazines like Electronic Test and Design Automation and scholarly magazines like IEEE Spectrum, and taught C, C++, Delphi and Java. In the 2000s, he was a Java developer for America's best telephone company. In late 2016, he started prototyping a security start-up to test a business model for geek geezers who want to work less than 20 hours a week. Google him under JR Hines, J Richard Hines (Honeywell IT didn't like John Hines publishing articles poking fun at it), John Hines and John R Hines. Or look at his computer books on Amazon.com.