Securing your router: protecting your network

Yesterday’s article provided advice on configuring your (modem-)router to ensure that it is best protected from intruders and the new threat of malware. This article looks at other aspects of router configuration which should protect your network.

DNS and NAT

routerset11

When I set a small network up, I normally set each system on the network to look first to the router for Domain Name Service (DNS) lookup, then to OpenDNS. Many routers keep a cache of DNS information, and this ensures that the cache is used to make lookups as efficient as possible. The router then needs to know where to go for further information, which I always point at the excellent international OpenDNS service, rather than the DNS provided by my ISP. If you prefer to use your ISP’s DNS instead, put its IP addresses here.

Network Address Translation (NAT) is a standard requirement on the great majority of small networks.

IP addresses and DHCP

routerset12

I’m old-fashioned with my networks, and like to assign static IP addresses to all those systems which are likely to remain attached to the network, when running. This helps me diagnose problems, because I can always associate an IP address on the network with a specific system, with great ease. I assign my routers addresses at the top end of the range, here .253, and all static systems addresses at the bottom end, below .50.

I then have one – and only one – device which serves DHCP ‘dynamic’ addresses to other systems, here within the range .50 to .250. So if there’s a problem with a device with an IP address of .51, I know that its address has been assigned by this DHCP server.

There are lots of alternative ways of assigning IP addresses, and you should not consider this is the only safe option. Once set up, it is clear, simple, very reliable, and makes network diagnostics straightforward. ‘Consumer’ alternatives can sometimes get you into difficulties, and are often a pig to unravel when anything goes wrong, such as two systems getting the same IP address, or systems which cannot see the network at all.

The Firewall

routerset13

Before you configure your firewall, you must read your router’s documentation carefully. Most now block all incoming ports by default, and allow all outgoing traffic. If you want anything different, you will need to add rules to your firewall. Some (bad ones) do not block anything, and you have to add all your own rules. If that is the case, the first rule to add is to block all incoming ports.

Double-check your firewall setting, before a potential intruder checks it out for you. If you can, set a web server running inside your network, and try connecting to it from outside (e.g. a mobile device with WiFi turned off so that it connects to the internet via its mobile ISP). A knowledgable friend can also try getting through it.

Once you’re happy that your firewall is working effectively, you can disable software firewall services running on local systems.

Another option, not shown here but offered on many routers, is whether to respond to external ‘pings’. If you enable that, anyone on the internet can send ‘ping’ packets to your router, and it will acknowledge them. You may wish to enable that for brief periods of testing, but normally you should set it so that your router does not make any response to such pings – they would only help potential intruders.

Any other security protection offered, such as services to tackle port mapping and denial of service attacks, should be enabled unless there are strong reasons not to.

Browsing your network

routerset14

Many routers can provide a convenient list of all connected devices by IP address, as shown here. This is a useful check to demonstrate that your neighbour is not, at this time, freeloading off your WiFi, but does not monitor your network for intruders.

Monitoring connections

routerset15

Many routers offer simple performance monitoring, here showing the link speeds, noise margins, and the quantities transferred. I check these daily, as they can draw my attention to incipient problems which are otherwise hard to detect. The rate and noise figures can also be useful when raising issues with your ISP.

Saving settings

routerset16

Normal resets of your router should retain your settings, but in the worst case you may need to revert it back to their initial factory defaults. It is therefore useful to make a backup copy of your settings, once you’re happy with them. If you do need to perform a factory reset, then they are quickly restored from that backup.

Modern routers are extremely capable, and most are equipped with powerful tools to help you manage your network and its internet connection. Time spent setting your router up carefully in the first place will be well-invested: it will keep your network safe, efficient, and free of trouble. Leaving everything set to its defaults may make your router or network vulnerable, and can lead to all sorts of trouble.