

Linux / Windows Networking: Configuring and securing a router for Wireless and Wired Networks.

Here I would like to take you through the steps for configuring and securing a router (in this case we will use the WRT54G as an example) for your home or small office setup.

Securing a router is important, especially when the wireless function is enabled. Likely the most important reason is to prevent would-be hackers or criminals from hijacking your network or PC and using it to attack other, larger networks or institutions. This could have unpleasant consequences for you, even though you would be just a pawn in such a mess.

The second reason for security on your network is simply to prevent people in your neighborhood, or guests you have, from seeing your personal, financial or family files.

It would be much more difficult for an attacker to connect to a wired network, but for wireless networks the above two points become a real consideration.

Though you may have another router, the principles and individual components (i.e. SSID, PSK, key etc.) should be the same. The only difference is that for your router you'll need to find the corresponding page that handles those settings. A manual can help in this case.

 

WIRELESS

STEP ACTIONS
1

Open a browser and log in to the router. For many routers the address is similar to 192.168.10.1 or 192.168.0.1, but the owner should check the router's manual for how to get to the configuration page through the browser. In my case, I've set up the link on the router to be https://192.168.0.1 for security reasons.

https://192.168.0.1/Wireless_Basic.asp

WRT54G - Wireless - Basic Wireless Settings

A couple of things to note on the page above that need to be setup for enhanced security:

Wireless Network Mode: Mixed

This means both wireless and wired functionality is available. Computers could therefore connect through an ethernet cable or through wireless cards.

Wireless Network Name (SSID): MySecretNetwork

This will be the identifier or, as it states, the name of the network. Depending on the selection below, this can either be hidden or visible to everyone in an area.

Wireless Channel: 3 -  2.2422GHZ

The channel on which the wireless network will operate. The best frequency is the one that overlaps the least with your neighbours' frequencies. The Windows TL-WN321G Wireless Utility will display properties of any available networks in your neighborhood. In Linux, the following command can be used:

# iwlist scanning

at the command prompt to get a list of available networks in the neighborhood.

Wireless SSID Broadcast: Disable

When this is Disabled, the SSID you picked above simply doesn't show up in the list of available networks to connect to. So in essence, the connecting host would have to guess the SSID of your network before they can connect to it. This makes your network slightly more secure.
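For the Wireless Channel choice above, this added example (not part of the original article) parses `iwlist scanning` output and ranks channels 1-11 by how much they overlap with the networks already in range. The scan text is a constructed, trimmed sample, and the scoring weights and the 1-11 channel range are assumptions of the example.

```python
import re

# Constructed, trimmed sample of `iwlist scanning` output (not a real capture).
SAMPLE_SCAN = """\
wlan0     Scan completed :
          Cell 01 - Address: 02:00:00:00:00:01
                    Channel:1
                    Quality=62/70  Signal level=-48 dBm
                    ESSID:"neighbour-a"
          Cell 02 - Address: 02:00:00:00:00:02
                    Channel:3
                    Quality=40/70  Signal level=-70 dBm
                    ESSID:"neighbour-b"
          Cell 03 - Address: 02:00:00:00:00:03
                    Channel:6
                    Quality=55/70  Signal level=-55 dBm
                    ESSID:"neighbour-c"
"""
# One (channel, signal) pair per cell; assumes every cell reports both fields.
CELL_RE = re.compile(r"Channel:(\d+).*?Signal level=(-?\d+) dBm", re.S)

def parse_cells(scan_text):
    """Return [(channel, signal_dbm), ...] for every network in the scan."""
    return [(int(ch), int(dbm)) for ch, dbm in CELL_RE.findall(scan_text)]

def interference(channel, cells):
    """Heuristic score (lower is better): 2.4 GHz channels fewer than 5 apart
    overlap; closer channels and stronger signals count for more."""
    score = 0
    for ch, dbm in cells:
        distance = abs(channel - ch)
        if distance < 5:
            score += (5 - distance) * max(0, 100 + dbm)
    return score

def best_channel(cells, candidates=range(1, 12)):
    """Least-interfered channel in 1-11; ties go to the lower channel."""
    return min(candidates, key=lambda c: (interference(c, cells), c))

if __name__ == "__main__":
    cells = parse_cells(SAMPLE_SCAN)
    print({c: interference(c, cells) for c in range(1, 12)})
    print("suggested channel:", best_channel(cells))
```

On a live system, pass the text captured from `iwlist scanning` to `parse_cells` in place of the sample.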

 

2

The next item of interest, and easily the most important page for security, is the Wireless Security page:

https://192.168.0.1/WL_WPATable.asp

WRT54G - Wireless - Wireless Security

WPA2 is currently the strongest Wi-Fi Protected Access protocol available and therefore is the one you should choose. TKIP has been proven to have some flaws, so AES is the stronger encryption algorithm of the two:

Security Mode: WPA2 Personal

Choose WPA2 as it is one of the highest for home networks.

WPA Algorithms: AES

TKIP+AES is also available, but TKIP has been proven to have flaws, so AES is recommended for use.

WPA Shared Key: MySecretNetworkKey

This is where you select a secure key, or password if you will, that only you know. This is the password or key that you will need to type into computers that will connect to this router. This can be anything you choose. As with passwords, the longer and more complex the better.
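To make "the longer and more complex the better" concrete, this added example (not part of the original article) generates a random WPA shared key, checks it against the WPA2 Personal passphrase format (8 to 63 printable ASCII characters), and derives the 256-bit key that WPA2 Personal computes from the passphrase with the SSID as salt. The 24-character length and the letters-and-digits alphabet are assumptions of the example.

```python
import hashlib
import math
import secrets
import string

# Letters and digits only: 62 symbols that are easy to type on every client.
ALPHABET = string.ascii_letters + string.digits

def generate_key(length=24):
    """Random WPA shared key from the OS CSPRNG (default length is an assumption)."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 Personal passphrases are 8 to 63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random key; does not apply to human-chosen words."""
    return length * math.log2(alphabet_size)

def check_key(key):
    """Return format problems; an empty list means the key fits the WPA2 format."""
    problems = []
    if not 8 <= len(key) <= 63:
        problems.append("length must be 8-63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in key):
        problems.append("only printable ASCII characters are allowed")
    return problems

def derive_pmk(passphrase, ssid):
    """WPA2 Personal key derivation: PBKDF2-HMAC-SHA1 with the SSID as salt,
    4096 iterations, 256-bit result (returned as hex)."""
    pmk = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)
    return pmk.hex()

if __name__ == "__main__":
    key = generate_key()
    print(key, check_key(key), round(entropy_bits(len(key))), "bits")
    # Same passphrase, different SSID: a different derived key.
    print(derive_pmk(key, "MySecretNetwork") != derive_pmk(key, "OtherNetwork"))
```

Because the SSID is the salt, the derived key depends on both the Wireless Network Name and the WPA Shared Key chosen on these two pages.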

 

3

This is the third level of security you can set up on the router. We can filter the hosts we want to allow by each host's MAC address. Every network card, whether wireless or not, has a unique MAC address that is not shared by any other physical card. The page on this router looks like this:

https://192.168.0.1/Wireless_MAC.asp

WRT54G - Wireless - Wireless MAC Filter

First enable the Wireless MAC Filter. In this case I already know the MAC addresses, or can easily find them, from the computers I plan to connect to my network. So I will use the Permit only: option and edit the MAC Filter List, where I will specify the MAC addresses I permit to connect to this network:

https://192.168.0.1/WL_FilterTable.asp

WRT54G - Wireless - Edit MAC Filter List

How do I get the MAC addresses to specify?

On Linux you can use the following command:

# ifconfig -a

The output will contain Network Interface names along with a paragraph describing each one.  Within the paragraph will be a string called HWaddr which is another name for MAC address.  Here's an example:

HWaddr 7E:2A:48:86:9A:CB

On Windows, the same information can be retrieved from the command prompt:

  • Start -> Run -> Type cmd.exe -> Press Enter.
  • At the prompt type ipconfig /all
  • Look for entries labeled Physical Address.  This is yet another name for a MAC address and the value for it will be printed to the right.
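The two lookups above can be combined into one permit list. This added example (not part of the original article) pulls the addresses out of `ifconfig -a` and `ipconfig /all` output, normalises the Windows dash form to the colon form, and flags addresses whose locally administered bit is set, since such an address is assigned by software and a filter entry for it can stop matching. The command output is constructed sample text, and `permit_list` is a name invented for the example.

```python
import re

# Constructed samples in the two formats described above (not real captures).
IFCONFIG_OUT = """\
eth0      Link encap:Ethernet  HWaddr 7E:2A:48:86:9A:CB
          inet addr:192.168.0.10  Bcast:192.168.0.255  Mask:255.255.255.0
wlan0     Link encap:Ethernet  HWaddr 00:00:5e:00:53:2a
"""
IPCONFIG_OUT = """\
Wireless LAN adapter Wi-Fi:
   Physical Address. . . . . . . . . : 00-00-5E-00-53-2A
   DHCP Enabled. . . . . . . . . . . : No
"""

# 'HWaddr' (ifconfig) or 'Physical Address. . . :' (ipconfig /all), then
# six octets separated by ':' or '-'.
MAC_RE = re.compile(
    r"(?:HWaddr|Physical Address[ .]*:)\s*"
    r"((?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})"
)

def extract_macs(text):
    """MAC addresses in upper-case colon form, de-duplicated, in input order."""
    macs = []
    for raw in MAC_RE.findall(text):
        mac = raw.replace("-", ":").upper()
        if mac not in macs:
            macs.append(mac)
    return macs

def is_locally_administered(mac):
    """True when bit 0x02 of the first octet is set: the address was assigned
    by software rather than burned in by the vendor, so it may change."""
    return bool(int(mac[:2], 16) & 0x02)

def permit_list(*outputs):
    """(mac, warning) pairs ready to type into the MAC Filter List."""
    entries = []
    for mac in extract_macs("\n".join(outputs)):
        local = is_locally_administered(mac)
        entries.append((mac, "locally administered" if local else ""))
    return entries

if __name__ == "__main__":
    for mac, warning in permit_list(IFCONFIG_OUT, IPCONFIG_OUT):
        print(mac, warning)
```

The article's own sample value, 7E:2A:48:86:9A:CB, has that bit set (0x7E & 0x02), so it is flagged here.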
4

If you are looking for yet another, albeit very minor, way to improve security, you could try to disable DHCP on the router as well:

https://192.168.0.1/index.asp

WRT54G - Wireless - Basic Setup

 

However, this means that every time a new computer is added to the network, it would need to be given an IP address manually, which for some could be too much of an inconvenience. This improves security only slightly because any would-be attacker who connects to the system would still have to find the correct IP address before they can access any files on your system. The system would not assign an IP address to the new PC automatically.

Again, this is a minor improvement to security but can be a relatively large inconvenience. More on this further below.

5 Be sure to save the settings after editing each page above and below!  Most routers will not save changes if you navigate away from the page.

 

 

 

WIRELESS / WIRED COMMON

STEP ACTIONS
1

One of the other important items is to secure the router itself from compromise. Most routers come with a default password you use to get into them. The default password and user name are also written in the router's manual. As a result they are widely known and available to anyone. Essentially, anyone who knows the name of your router can easily search for its default password. So it's a good idea to change it. Here is the panel where you can do this:

https://192.168.0.1/Management.asp

WRT54G - Wireless - Administration

Let's go over the most important options:

OPTION DESCRIPTION
Router Password: MySecretWRT54GPassword

Choose a password other than the default password for your router.

Access Server: HTTPS

Choose HTTPS over HTTP. HTTPS ensures a very secure connection to your router, meaning no one can listen in on the traffic when you type in your password, possibly revealing it to a third party.

Remote Management: Disable

Though listed as Enabled for me, if you do not plan to change settings on your router from outside your home network, select Disable.

Management Port: 8276

If you plan to administer your router from outside, you can specify a unique port through which you can do so.  For example, when accessing your router and your outside IP is 123.123.123.123 you would use:

https://123.123.123.123:8276/

whereas if you were accessing your router from inside your network, you would only specify:

https://192.168.0.1/

instead, without the port.  Both ways would use HTTPS.

 

2

The next step is to enable some security for your network in general by enabling the firewall:

https://192.168.0.1/Firewall.asp

WRT54G - Wireless / Wired Common -

The basic option here is to select Firewall Protection: Enabled. By checking the remainder of the options, you can harden the firewall configuration further by blocking those additional items. I'll leave the discussion of these listed options for a later date.

3

Another panel available is the Applications and Gaming panel, where you can specify which ports should be open and to which machines traffic originally directed to those ports should be sent. The page is:

https://192.168.0.1/Forward.asp

However, this option has more to do with access than security. Leaving no ports open is obviously the safest approach; however, depending on what you plan to run off your computers, you can just leave the page blank.

4 Done!  Hope you didn't forget to save your settings.  :)

 

WIRED

STEP ACTIONS
1

There is only one panel to do with the wired network connections on your computer.  This is the Basic Setup panel:

https://192.168.0.1/index.asp

WRT54G - Wired - Basic Setup Panel

 

Going over the options, we see the following of most interest:

 

OPTION DESCRIPTION
MTU: Manual

In my case, some applications couldn't work with the default MTU of 1500. For this reason a lower MTU was needed, which could only be set manually.

Size: 1492

I chose an MTU for the most compatibility with various applications and my internet connection, for some legacy applications. If your MTU is 1500, try the default value before adjusting lower. Generally, the higher this number is, the more efficient network transfer over your network becomes, however, at a cost to compatibility.

Local IP Address: 192.168.x.y / 172.0.x.y

Choose another IP for your router to access it locally from your network. If you are happy with the default option, you can leave it as such. Internationally, 192.168. and 172. IP ranges, amongst others, are defined ranges for small private / internal networks such as home networks and for small institutions.

DHCP Server: Disable

This option has just a bit of a security impact but may have more of an inconvenience impact. When you disable DHCP, computers on your network will not get an IP address unless you specifically assign one. This means that you'd have to assign an IP to each workstation. From a security standpoint, if someone did manage to connect to your network, they would still have to figure out what IP to use, and DHCP would not assign one automatically to the uninvited guest. It becomes another roadblock for the intruder before they can obtain an IP, and it prevents DHCP broadcasts from being transmitted, further reducing the chances for someone to sniff those packets.

If you are not sure how to assign IP addresses for your computers on the network or simply do not want that hassle, then you can simply leave this as Enable.

It is left up to the user to decide whether the pros outweigh the cons for their configuration.

 

2 Don't forget to save the settings.  Good Luck!

 


 


     
  Copyright © 2003 - 2013 Tom Kacperski (microdevsys.com). All rights reserved.

Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 Unported License