

Basic Router Security
Volume 4 in John R. Hines’ Computer Security for Mere Mortals, short documents that show how to have the most computer security with the least effort
John R. Hines, Net+ Certified, Security+ Certified, Consulting Security Engineer, LLC


“Plagiarism is when the author steals from one source; scholarship is when
the author steals from many sources.” -- Anonymous
"Facts are stubborn things; and whatever may be our wishes, our inclinations,
or the dictates of our passions, they cannot alter the state of facts and
evidence." --John Adams
Oholiab's First Law: The Suits' need for computing power expands until all
the Geeks' servers are 100% utilized running database queries and printing
reports during business hours.
Corollary to Oholiab's First Law: Development can only access the servers
purchased for development when nobody else wants them.
Oholiab's first law of security (Murphy's first law of planning): The
important things are simple.
Oholiab's second law of security (Murphy's second law of planning): The
simple things are very hard.
Warning: If you’re not smart enough to sort the cow pies from the pearls in these notes, you do not have permission to read these notes!
Copyright © Consulting Security Engineer LLC. All rights reserved. 2016
ISBN N/A
Version 1.201707262300


Suggested reading (when you have time)
Kill Process by William Hertling
Security by Poul Anderson (badly formatted but great ideas)


Security
Is security a new problem?
What is security?
What is computer security?
What is a low-reward measure?
What is a reasonable measure?
What is an unreasonable measure?
What will you find in these notes?

Routers
What about routers?
What is a router?
What is a firewall (hardware firewall)?
What is a wireless router?
What is a wired router (hard-wired router)?
What is router firmware?
What is "flashing the ROM"?
Where should my router be placed?
What simple reasonable measures will improve your router security?
Default problem #1: Router firmware (software in hardware) is typically out of date before you buy it.
What is a zero-day attack (zero-day exploit)?
What is an attacker?
Mistake #1A: Buying a bargain router.
Default problem #2: The default password is written on the side of the router.
What's a dictionary password attack?
What's a strong password?
Mistake #2A: Not saving the changed password in a secure place.
Default problem #3: Most router hacks come from WIFI issues, not from cable issues.
Default problem #4: WIFI networks should always use WPA2 encryption.
Mistake #4A: Using WEP encryption on your router.
Mistake #4B: Having no encryption on your router.
Default problem #5: WIFI name and passwords defaults are often chosen to simplify installation, not to secure the router.
Mistake #5A: Not saving the changed WIFI password (passwords) in a secure place.
Default problem #6: WIFI signals should not go (too far) beyond your office.
Mistake #6A: Buying a large area router for a small office.

Appendices
Appendix I: What about networks?
What is a network (computer network)?
What is a gateway?
What is a LAN (Local Area Network) (Local network)?
What is a network address (network number)?
What is a network device?
What is a network edge?
What is a network node (computer network node) (network host) (node)?
What is a network segment?
What is a subnet (subnetwork) (network subnet)?
What is an intranet (Intranet) (private network)?
What is IP (Internet Protocol)?
What is the internet (Internet) (public network)?
What is an IP address (Logical address) (Network address)?
What is TCP (Transmission Control Protocol)?
What is WIFI (Wi-Fi) (Wifi) (WiFi) (Wireless networking) (Unbounded media)?


What is wired (hard-wired)?
What is wireless?
Appendix II: How does a router link (connect) an intranet to the internet?
Appendix III: How do I find my router's IP address?
Appendix IV: What hardware do I need to use my router?
Appendix V: How do I access my router?
Appendix VI: How do I reset my router back to the built-in name and password?

What documents are part of this series?
Biography


Security
Is security a new problem?
No! Security has always been a problem! Even strong men have always had security concerns: "When the strong man, fully armed, guards his own dwelling, his goods are safe. But when someone stronger attacks him and overcomes him, he takes from him his whole armor in which he trusted, and divides his spoils." (Luke 11:21-22)
Criminals form gangs to defeat strong men. Captain Grose's 1811 Dictionary of the Vulgar Tongue (Grose was a nineteenth-century lexicographer) lists 23 occupations required for a complete "gang of misrule" (crime family). My dictionary gives these as " … For men, there are fourteen roles: (1) ruffler, (2) upright man, (3) hooker (angler), (4) rogue, (5) wild rogue, (6) priggers of prancers, (7) palliards, (8) frater, (9) jarkman (patricoe), (10) whip jacket, (11) drummerer (dommerer), (12) drunken tinker, (13) swadder (pedlar), and (14) Abram man. For women (and children) there are nine roles: (1) demander for glimmer or fire, (2) bawdy basket, (3) morts, (4) autem mort, (5) walking morts, (6) doxy, (7) dell, (8) kinching mort, and (9) kinching cove." (Buy my book if you want to know what all these specialties are.) Add hackers and testers and you have the kind of crime family HP describes in The Business of Hacking, capable of stealing from the strong as well as the weak.

What is security?
The dictionary definition of security is "being free from danger or threat". Experience proves no one is secure, at least in the dictionary sense. Solomon had a different take on security (or, maybe, on the lack of security): "The race is not to the swift or the battle to the strong, nor does food come to the wise or wealth to the brilliant or favor to the learned; but time and chance happen to them all" (Ec. 9:11). (Back in the day, bumper stickers on the back of pickups often summarized Solomon's quote in two words: "Excrement happens".)
Damon Runyon, writer of "Guys and Dolls", offered an amendment to Solomon's advice: "The race is not always to the swift, nor the battle to the strong, but that's the way to bet." The way to be secure is to be skilled and hope to be lucky. And (if you've read any of Runyon's other works), the way not to be secure is to be unskilled (unless you're very, very lucky).



So, I suggest a different definition of security that emphasizes our part in
keeping ourselves secure: "things done and things left undone that give as
much control as possible over the future". Be skilled (the things done), be
careful (the things not done), and hope to be lucky.
One more quote: "Luck is what happens when preparation meets
opportunity" (Seneca, First Century AD, possibly misattributed). Prepare for
Murphy to knock on your door. A disaster for the unprepared is an
opportunity for the prepared.

What is computer security?
The dictionary says, "measures taken to safeguard code, information, and systems". A more sensible definition of computer security is "(1) reasonable measures taken to safeguard code, information, and systems, (2) unreasonable measures not taken to safeguard code, information, and systems, and (3) low-reward measures not taken." Unfortunately, reasonable, unreasonable, and low-reward are (like beauty) in the mind of the beholder.

What is a low-reward measure?
A security measure that has a small payoff for the inconvenience, money and time associated with the measure. Many measures advocated by security professionals are low-reward measures for non-security professionals who do not have an in-house professional to help them.

What is a reasonable measure?
A security measure that has a significant payoff for the inconvenience, money and time associated with the measure.
Reasonable measures that are not terribly inconvenient for a non-professional and require little money and time should ALWAYS be implemented.
Reasonable measures that are terribly inconvenient for a non-professional but require only a small amount of time and money should be implemented when possible. (Maybe hire a professional for a half-day?)
Reasonable measures that are not inconvenient for a non-professional but require a small amount of time and money should be implemented when possible. (I define a small amount of money as my monthly business cell phone and internet bill. You may have a different definition.)
Reasonable measures that are terribly inconvenient for a non-professional and require a lot of money should only be implemented if you suspect you are a potential target. Warning: If you are (1) involved in politics or social issues, (2) visible in your community for some reason, or (3) have strange family members or neighbors, then you should suspect you are a target.

What is an unreasonable measure?
A security measure that has become popular wisdom but probably is of little value. (A few years ago, one argument for switching from a PC to a Mac was "Macs don't get viruses." If that was ever true, it isn't now, but many Mac sales people and users still believe it and repeat it to non-Mac users.)

What will you find in these notes?
What I think are reasonable and unreasonable measures and what are low-reward measures. Send me an email at
to let me know when
I'm wrong. Thanks, John


Routers
What about routers?

What is a router?
Hardware (with firmware and software) that forwards data packets between networks. Connected to at least two networks, located at gateways (places where two or more networks connect). Does not forward broadcasts or corrupted packets. Typically implements a hardware firewall. Operates at OSI layer 3 (network layer). Full duplex prevents most collisions. In small networks, the same device typically routes packets to and from both wire-connected and wireless-connected devices. Alternative: Traffic management devices that connect network segments. Note: Router logs may tell if an intruder breached internal systems. Note: Home routers are typically controlled by a PC (PCs) connected by wires; i.e., there is no "out of band" port on most home routers.

What is a firewall (hardware firewall)?
Hardware and/or a set of related programs, located at a network gateway
server (and usually on each network PC) which protects the resources of a
private network (and networked PCs) from users from other networks (and
other users on the private network) by examining traffic. (The term also
implies the security policy used with the programs.)

What is SPI (Stateful Packet Inspection) (stateful Inspection)?
Keeping track of the state of network connections (such as TCP streams,
UDP communication). Useful tool for detecting and preventing (some kinds
of) hacking.

What is a wireless router?
Provides network connectivity by WIFI, usually through a WAP built into the router. Note: Almost always has wired ethernet connections. Note: A wireless router with wired connections is always a better buy than a wired router. Eventually you'll need wired connections.


What is a wired router (hard-wired router)?
Provides network connectivity for computers connected to it by ethernet cables. Typically supports ethernet 10 Mbps/100 Mbps/1 Gbps transfer speeds. Note: Buying a wired router without WIFI is seldom a good idea: you will eventually want WIFI for your cell phones and tablets (saves money when you're at home) if nothing else.

What is router firmware?
Software stored in ROM. Typically, contains only elementary basic functions of a device and may only provide services to higher-level software (such as the ROM BIOS of a personal computer).
What is "flashing the ROM"?
Changing (usually upgrading) firmware.
Where should my router be placed?
Three things to consider:
1. The farther the router is from the cable modem, the longer the ethernet
cable connecting the two. Shorter is better. BTW: Ethernet cables are
kinda-sorta robust but they should be protected from pinching and
scraping.
2. Routers don't have fans so you want air flowing around the router. If
you put your router in a closet or on a high shelf, you might want to
buy a small personal fan to blow on it.
3. Routers should be someplace that is (1) hard to get at and (2) easy to
see.


What simple reasonable measures will improve your router security?
Default problem #1: Router firmware (software in hardware) is
typically out of date before you buy it.
Often computer problems are identified by initial users or exploited by
hackers in a zero-day attack. By the time your router arrives, it may have
known problems that need to be fixed before the world sees your router on
the internet.
The low-cost Tenda AC1900 used to test these notes told me a firmware
upgrade was available. If I had IT support nearby, I would ask for advice.
However, I don't so I'm going to click on "OK" and hope for the best. I
suggest you do the same.

What is a zero-day attack (zero-day exploit)?
New kind of attack using a vulnerability the day it is discovered (that hasn’t
yet been fixed).

What is an attacker?
Unauthorized person who attempts to access your network or your computer.
May also be an authorized person who attempts to misuse your network or
computer. A cracker, hacker, rogue employee, rogue relative, script kiddie.

Mistake #1A: Buying a bargain router.
There was a spelling error on the Tenda Internet Status page so I wasn't too
surprised when there were additional problems on the "Firmware Upgrade"
page (Chinese instead of English) but I clicked on "Download and Upgrade"
and flashing the ROM worked OK.


Why bring this up? You will spend more time installing a bargain router, have more problems, and find that the tech support is hard to access and hard to understand.

What brands of routers should you look at first?
If cost is close for the same features, look at D-Link, Linksys, and Netgear
first, then look at Asus if you want more features than the others. If you have
more time than money, look at TP-Link and Tenda.

Default problem #2: The default password is written on the side
of the router.
Unless your router is in a locked room and you have the only key, janitors,
rogue employees, and rogue relatives can all access your router and change
whatever they want to change if you do not change the default password.
Change the password to a strong password that is different from the password on the side of the router.

What's a dictionary password attack?
Attacker uses a dictionary of possible passwords, continuing the attack until he finds the correct password. Works because users like easy-to-remember words. Works well against routers because it's not practical to have an account lockout option like computers do.

What is account lockout (Account lockout policy)?
Disables a user account after a certain number of failed logon attempts within a specified period of time.

What's a strong password?
At least eight characters long, does not contain your user name, real name, or company name, does not contain a complete word, is significantly different from previous passwords, and contains characters from the following categories: uppercase letters, lowercase letters, numbers, symbols found on the keyboard (all keyboard characters not defined as letters or numerals), and spaces (length, complexity, and unpredictability).
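As an added example (not code from the original notes), this Python function applies the definition above as a checker. It assumes that three of the five character categories are enough and uses a tiny constructed word list in place of a full dictionary; passing other passwords already in use (such as the router's own password) in `previous` also catches a WIFI password that merely repeats the router password.

```python
import difflib
import re

# The character categories the definition lists.
CATEGORIES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "number": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9 ]"),
    "space": re.compile(r" "),
}

# Constructed stand-in for a real dictionary; a deployment would load a full word list.
COMMON_WORDS = ("password", "admin", "router", "tenda", "hunting", "summer", "letmein")


def check_password(candidate, names=(), previous=(), wordlist=COMMON_WORDS,
                   min_length=8, min_categories=3, max_similarity=0.7):
    """Return the list of policy violations for `candidate`; an empty list means it passes.

    names:    user name, real name and company name that must not appear
    previous: earlier passwords, and other passwords in use (e.g. the router
              admin password when checking the WIFI password), it must differ from
    min_categories=3 is an assumption; the definition does not say how many are required.
    """
    problems = []
    lowered = candidate.lower()

    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")

    for name in names:
        if name and name.lower() in lowered:
            problems.append(f"contains the name '{name}'")

    for word in wordlist:                      # "does not contain a complete word"
        if word in lowered:
            problems.append(f"contains the complete word '{word}'")

    present = [cat for cat, rx in CATEGORIES.items() if rx.search(candidate)]
    if len(present) < min_categories:
        problems.append(f"uses only {len(present)} of the character categories: {present}")

    for old in previous:                       # "significantly different from previous passwords"
        if candidate == old:
            problems.append("identical to a password already in use")
        elif difflib.SequenceMatcher(None, candidate, old).ratio() > max_similarity:
            problems.append("too similar to a previous password")

    return problems
```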

Mistake #2A: Not saving the changed password in a secure place.
If you've read Basic Windows 10 Security, you already know my
recommendation for saving passwords in a secure place. Here's another
password to put in that secure place. Typically, one copy in your bank box
and one in a "secure" container somewhere hard to get at. NEVER save the
password near the router or near your computer. (My eleven-year old
grandson knows how to "toss" a work area to find passwords: he learned
how watching NCIS.)

Default problem #3: Most router hacks come from WIFI issues,
not from cable issues.
Yes, cables can be hacked. But, it's hard, it's usually dirty work, and it
usually has to be done inside your office. Phones and tablets have to use
WIFI but computers don't unless you have a very strange office space. You
can pay a professional cabler to run cables but often you can connect every
computer in your office using prefabricated cables from Fry's or Micro
Center.
Note: You will still need WIFI for phones and tablets but just using cable
instead of WIFI will keep the most important parts of your network safe
(well, safer).
Warning: Every computer attached to the router by cable has access to
router. That's another reason to change the router password.

Default problem #4: WIFI networks should always use WPA2 encryption.
WPA2 is secure. WPA is pretty secure. WEP is NOT secure.
Note: Document the encryption used so you can get a new router up quickly
if the old one dies.

Mistake #4A: Using WEP encryption on your router.
Yes, it's a choice on almost all routers but it should never be used. Even PC Magazine knows how to crack WEP!

Mistake #4B: Having no encryption on your router.
Yes, it's a choice on almost all routers but it should never be used.

Default problem #5: WIFI name and passwords defaults are
often chosen to simplify installation, not to secure the router.
WIFI names (sometimes called SSIDs) should be bland and vague, giving no
information about the router. Tenda violates this by making default names
from "Tenda" plus part of the router name (for example, my Tenda router
defaults to "Tenda_19BCC0"). Anyone with a WIFI analyzer on their phone
or tablet instantly knows they can hack the router if they can find a crack for
a Tenda AC1900. When I change the name to "Hunting_Box", they get no
information about the router's manufacturer or model: they have to try
random cracks. Note: It is possible to hide a WIFI router name. Some
advocate it. I don't: hiding the router name is waving a red flag at hackers
that says, "Hey, I've got stuff that is so valuable that I am hiding." Hiding in
plain sight is always better than hiding in secrecy.
Warning: WIFI passwords should be strong passwords but NEVER the same as the router password: if a dictionary password attack cracks your WIFI password, the attacker should have to crack your cable password, too, to get into your router.

Mistake #5A: Not saving the changed WIFI password (passwords)
in a secure place.
See Mistake #2A.

Default problem #6: WIFI signals should not go (too far) beyond
your office.
The farther WIFI signals go, the easier it is to hack the WIFI part of the
router. A guy sitting in front of your office pounding on a laptop is much
more obvious than a guy sitting at a table in the park across the street
pounding on a laptop.
The default for many routers is to broadcast the strongest signal (so it goes
the farthest). You should set transmit power to the lowest level and test
coverage. If the office isn't covered, increase power level and test coverage
again. Repeat until you have coverage.


Warning: Document the acceptable transmit power so you can quickly
replace a defective router.

Mistake #6A: Buying a large area router for a small office.
Read the information on the box.


Appendices
Appendix I: What about networks?
What is a network (computer network)?
Connected graph where nodes are computer network nodes and edges are
computer-to-computer connections.


What is a gateway?
Network node that is an entrance to another network. Often a router.

What is a LAN (Local Area Network) (Local network)?
Hardware and software that turns terminals, workstations, servers, and hosts
into a single network environment in a small geographic region like a
building. Alternative (more modern): A network segment that may or may
not be connected to another network. Larger networks are created by
"gluing" two or more LANs together, typically with a router.

What is a network address (network number)?
Bit pattern or group of hexadecimal numbers that uniquely identifies a
network node. In IPv4, eight hex characters, each pair (except the last)
separated by dots. (Four bytes.) In IPv6, 32 hex characters, each quad
(except the last) separated by colons. (16 bytes.)

What is a network device?
Component (hardware) that connects ("glues") computers or other electronic
devices together to share files or resources. Usually a network node.

What is a network edge?
Single physical connection between two computers. Sometimes used as a synonym for connection (network connection). Alternative: Cable with connectors at both ends that connects two nodes.

What is a network node (computer network node) (network host)
(node)?
An addressable device attached to a computer network.


What is a network segment?
Logical group of computers that share a network resource like a router, VLAN, or switch segmentation.

What is a subnet (subnetwork) (network subnet)?
Logical, visible subdivision of an IP network. Computers that belong to a
subnet are addressed with a common, identical, most-significant bit-group in
their IP address. Note: The practice of dividing a network into two or more
networks is called subnetting.

What is an intranet (Intranet) (private network)?
Private network combining existing LAN and WAN technologies and new Internet technologies. Has all the features of the Internet. There are many intranets. Typically use 10.x.x.x, 127.x.x.x, 172.16.x.x through 172.31.x.x or 192.168.x.x. Typically connected to the (one and only) internet by a router but may be stand-alone. See Internet.

What is IP (Internet Protocol)?
Basic protocol of the Internet. It enables the unreliable delivery of individual
packets from one host to another. It makes no guarantees about whether or
not the packet will be delivered, how long it will take, or if multiple packets
will arrive in the order they were sent. Protocols built on top of this add the
notions of connection and reliability.

What is the internet (Internet) (public network)?
Large network with millions of hosts from many organizations and countries around the world. Amalgamation of many smaller networks. Data travels by a common set of protocols (starting with TCP/IP). All (well, almost all: ignore 10.x.x.x, 127.x.x.x, 172.16.x.x through 172.31.x.x and 192.168.x.x) internet addresses are unique.

What is an IP address (Logical address) (Network address)?
In IPv4, 32 bits or a quad of octets (bytes). In IPv6, 128 bits or a hex (sixteen) of octets (bytes) or 32 hex characters. A software address, not a hard-coded address.

What is TCP (Transmission Control Protocol)?
Reliable network communication protocol; typically sits on top of IP. See UDP.

What is WIFI (Wi-Fi) (Wifi) (WiFi) (Wireless networking) (Unbounded media)?
Local area wireless technology to exchange data or connect to the internet (usually using 2.4 GHz UHF and 5 GHz SHF).

What is wired (hard-wired)?
Connected to other devices by cables, usually ethernet cables. See Ethernet.

What is wireless?
Connected to other devices by WIFI (typically using a WAP).


Appendix II: How does a router link (connect) an
intranet to the internet?
You need an internet address (actually, you need an IP address but they are
pretty much the same thing) to be on the internet. Your home network does
not have one. So, how do you get one?

You might try to buy one or more IP addresses. However, all (almost all) the usable internet addresses are already owned. It would be really expensive (much more than your lifetime beer and coffee expenditures combined). Worse, you would have to search really hard to find someone willing to sell you one. So, buying one or more is not a workable plan.
Fortunately, both idealism and profit motivate (some) IP owners called ISPs
(Independent Service Providers) to lease or let you temporarily use as many
IP addresses as you can afford to pay for.
The cost of leasing a single IP address (a dedicated line) is so
expensive (maybe a decade of beer and coffee expenditures for a single
year's lease) that you are more likely to temporarily use an ISP's IPs.
The cost of temporarily using a single IP address is so expensive
(maybe a year of beer and coffee expenditures to pay for a year's
temporary use) that most people have access to only one IP and use
tricks that allow all your computing devices to use that one.
(Yes, it's more complex than that but why go there?) Warning: You
typically use an IP from a pool of currently unused IPs at the ISP so you
seldom get the same IP from your ISP. But, you don't need to know what IP
the ISP is letting you use, the ISP handles all of that! Just don't assume you
always have the same internet IP.
Your ISP will give you access to a single temporary IP address with
reasonable (reasonable, like beauty, is in the eye of the beholder) bandwidth
by running a wire to your home (if one doesn't already exist) and installing a
cable modem in your house. Warning: If a wire (either from a cable
company or a telephone company) is not already in place near your home,
you may have to resort to a cell phone-like connection from cell phone
company.
If you only have one device in your home (very unlikely), the ISP's technician can connect it directly to the cable modem and you are on the internet.
If you have more than one device in your home (everybody does: computers, internet TV, phones and tablets) then a router (one of the tricks I mentioned) is required. The router will sit between the cable modem and your devices. The router collects all the internet requests from all the devices, combines them in a clever way, and sends them out through the single borrowed IP address. When responses to the requests come back, the router returns them to the appropriate device.
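The "clever way" is port address translation (NAT). The simulation below is an added example, not part of Hines' notes: a router rewrites two devices' outbound requests onto the one public address, returns each reply to the device that asked, and drops inbound packets that match no request. All addresses are constructed from the RFC 5737 documentation ranges.

```python
from dataclasses import dataclass
import itertools


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str


# Constructed addresses from the RFC 5737 documentation ranges (not real hosts).
PUBLIC_IP = "203.0.113.7"       # the single address the ISP lets the router use
WEB_SERVER = "198.51.100.10"    # a site both devices talk to


class HomeRouterNAT:
    """Port address translation with one table entry per flow.

    outbound(): rewrite (private ip, port) to (PUBLIC_IP, fresh port) and remember
                which device, and which remote, the flow belongs to.
    inbound():  look up the public port, check the reply comes from the remote the
                device actually contacted, and hand it back to that device.
    Inbound packets with no matching entry are dropped, which is the modest
    firewall-like behaviour a home router gets from NAT for free.
    """

    def __init__(self, public_ip=PUBLIC_IP, first_port=40000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        self.table = {}     # public port -> (priv ip, priv port, remote ip, remote port)
        self.reverse = {}   # that same flow tuple -> public port

    def outbound(self, pkt):
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if flow not in self.reverse:            # first packet of this flow: allocate a port
            port = next(self._ports)
            self.reverse[flow] = port
            self.table[port] = flow
        return Packet(self.public_ip, self.reverse[flow], pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt):
        """Return the packet rewritten for the LAN, or None if the router drops it."""
        if pkt.dst_ip != self.public_ip:
            return None
        flow = self.table.get(pkt.dst_port)
        if flow is None or (flow[2], flow[3]) != (pkt.src_ip, pkt.src_port):
            return None                         # unsolicited, or from the wrong remote
        priv_ip, priv_port, _, _ = flow
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port, pkt.payload)


def demo():
    """Two devices reuse the same private port; the router keeps their flows apart."""
    nat = HomeRouterNAT()
    laptop = Packet("192.168.0.185", 51000, WEB_SERVER, 443, "GET / (laptop)")
    phone = Packet("192.168.0.42", 51000, WEB_SERVER, 443, "GET / (phone)")
    out_laptop, out_phone = nat.outbound(laptop), nat.outbound(phone)
    reply_to_phone = Packet(WEB_SERVER, 443, PUBLIC_IP, out_phone.src_port, "200 OK")
    probe = Packet("192.0.2.99", 4444, PUBLIC_IP, out_laptop.src_port, "scan")
    return {
        "laptop_public_port": out_laptop.src_port,                  # 40000
        "phone_public_port": out_phone.src_port,                    # 40001
        "reply_delivered_to": nat.inbound(reply_to_phone).dst_ip,   # 192.168.0.42
        "probe_dropped": nat.inbound(probe) is None,                # True
    }
```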


Appendix III: How do I find my router's IP address?
Depending on your version of Windows 10, open your admin cmd window or
PowerShell window. At the prompt, type "ipconfig [CR]". Ipconfig will
return information about your system and its private LAN, something like:
Windows IP Configuration
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . : tendawifi.com
Link-local IPv6 Address . . . . . : fe80::7002:9ba9:d9eb:f7bb%24
IPv4 Address. . . . . . . . . . . : 192.168.0.185
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1

Your private LAN is Class C (from the Subnet Mask), your system has been
assigned the private IP 192.168.0.185 (from the IPv4 Address), your router
has been assigned 192.168.0.1 (from the IPv4 Default Gateway). But, the
only thing you need to know is the router is at the gateway.
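As an added example (not part of the original notes), this Python script parses ipconfig output like the listing above, derives the LAN from the IPv4 address and subnet mask, and checks that the gateway sits on that LAN and inside the private ranges listed in Appendix I. The sample text is constructed to match the listing; it assumes Windows keeps the dot leaders on its field labels.

```python
import ipaddress

# Constructed sample modelled on the Appendix III listing (not captured from a real host).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : tendawifi.com
   Link-local IPv6 Address . . . . . : fe80::7002:9ba9:d9eb:f7bb%24
   IPv4 Address. . . . . . . . . . . : 192.168.0.185
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
"""


def parse_ipconfig(text):
    """Return {adapter name: {field: value}} from ipconfig's 'Label . . . : value' lines."""
    adapters, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and "." not in line:      # adapter header, e.g. 'Ethernet adapter Ethernet:'
            current = line[:-1]
            adapters[current] = {}
        elif current is not None and " : " in line:    # field line with dot leaders
            label, value = line.split(" : ", 1)
            if value.strip():                          # skip fields ipconfig left empty
                adapters[current][label.replace(".", "").strip()] = value.strip()
    return adapters


def router_info(adapter):
    """Derive the LAN and router address from one adapter's fields, as Appendix III does by eye."""
    host = ipaddress.IPv4Address(adapter["IPv4 Address"])
    lan = ipaddress.IPv4Network(f"{host}/{adapter['Subnet Mask']}", strict=False)
    gateway = ipaddress.IPv4Address(adapter["Default Gateway"])
    return {
        "host": str(host),
        "lan": str(lan),                       # 192.168.0.0/24, the /24 the page calls a Class C LAN
        "router": str(gateway),
        "gateway_on_lan": gateway in lan,      # a gateway outside the subnet means a misread mask
        "private_lan": lan.is_private,         # inside 10/8, 172.16/12 or 192.168/16 (Appendix I)
        "router_url": f"http://{gateway}/",    # what to type into the browser (Appendix V)
    }


def find_router(text):
    """Name and details of the first adapter that has both an IPv4 address and a gateway."""
    for name, fields in parse_ipconfig(text).items():
        if "IPv4 Address" in fields and "Default Gateway" in fields:
            return name, router_info(fields)
    return None
```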


Appendix IV: What hardware do I need to use my
router?

Four items: (1) a computer with a 1GHz port on the back; (2) a ten-foot (or longer) Cat 6 ethernet cable with RJ45 connectors on both ends (will work in 1GHz, 100 MHz and 10 MHz ethernet networks); (3) a magnifying glass (best to get one with a light powered by AAA cells or similar) to read the built-in router name and router password on the back of the router; and (4) a pin, needle or metal paper clip (to reset the router).


Appendix V: How do I access my router?
Once you know (1) the IP of the router (read "How do I find my router's IP address?") and (2) the password (look on the back of the router and WRITE DOWN the name and password; you may find both a wired and a wireless password, if so write down both and identify which is which):
1. Connect the ethernet connector on the back of your computer to one of the four (or eight) same-color RJ45 connections on the back of the router; then
2. Open your browser, enter the router's IP address 192.168.0.1 or http://192.168.0.1 in the browser address window, then press "ENTER".
Warning: You cannot manage the router over WIFI. There are fifty-foot-long CAT 6 cables at most big computer stores, so you should be able to connect with the router over cable.

After some kind of login procedure, you should see the main router window
which looks something like the image below.
