{{Header}} {{#seo: |description=Router and Local Area Network Security, Router Settings and Hardware Configurations |image=Router.png }} [[File:Router.png|thumb]] {{intro| Router and Local Area Network Security, Router Settings and Hardware Configurations }} = Introduction = {{mbox | image = [[File:Ambox_warning_pn.svg.png|40px]] | text = If {{project_name_gateway_long}} is ever compromised, it can theoretically access any computer in the [https://en.wikipedia.org/wiki/Local_area_network local area network (LAN)]. }} Based on the threat posed by a {{project_name_gateway_short}} compromise, those who have administrator control over the home network are strongly recommended to lock down the web interface of the home router and apply the strictest settings possible. = The State of Router Insecurity = Most routers provided by ISPs and those widely available in electronics stores are profoundly insecure, have outdated software and firmware, enable settings by default that open exploit opportunities, and remain vulnerable if appropriate steps are not taken. https://www.defcon.org/images/defcon-18/dc-18-presentations/Heffner/DEFCON-18-Heffner-Routers.pdf Many experienced users who are concerned about computing security overlook these problems. Instead, they focus on general operating system and networking solutions, rather than this weak endpoint frequently targeted by attackers (including state-level adversaries). Compromised routers can easily spy on activities, conduct [[Warning#Man-in-the-middle_Attacks|man-in-the-middle attacks]], alter unencrypted data, or redirect connections to websites that masquerade as webmail or on-line banking portals. https://www.tomsguide.com/us/home-router-security,news-19245.html = Suitable Hardware and Router Configurations = Experts routinely advise that low-grade routers should be avoided, since cheap models often come with these limitations: * Notification failures regarding firmware updates that patch security vulnerabilities. * Restrictions on password length for administrator access. * The less-secure, combined modem/router devices are common. As a sensible investment in security, give consideration to purchasing a commercial-grade router that is normally intended for small businesses. It is also safer to have a personally owned routing device that connects to an ISP-provided modem/router because this maximizes administrative control over routing and wireless features of the home network. Before the final purchase, check the router has firewall capabilities and that it supports Network Address Translation (NAT), so internal systems cannot be directly accessed from the Internet. Also check whether the router can be configured off-line, which is an advantage. Disconnect or turn-off routers/modems when they are not in use. https://www.usar.army.mil/Portals/98/Documents/Slicksheet_BestPracticesForKeepingYourHomeNetworkSecure.pdf = Accessing Router Settings = To access and change router settings, the router's IP address must be typed into the web browser address bar. Next, enter the administrative login and password when prompted. If the default login credentials are unknown, check the [https://www.routerpasswords.com/ following list] and search by manufacturer and model. Routers usually have a common address like: 192.168.1.1, but there are many variations depending on the make and model. Check the router manual to determine the correct address or alternatively research the manufacturer's website to discover it. https://www.pcworld.com/article/243290/how_to_lock_down_your_wireless_network.html If it is still not possible to identify the relevant router address for access, terminal commands can be used to trace the IP route or various networking tools can be accessed to discover it. == Linux == On Linux operating systems, run the following command in a terminal. In [[Qubes|{{q_project_name_long}}]], this command is run in the NetVM terminal. {{CodeSelect|code= ip route }} The output starting with "default via XXX.XXX.XXX.XXX" is the relevant router IP address for changing settings. Another alternative is to utilize the network icon, which is available on most Linux desktops: Right-click the network iconSelect "Connection Information" or similar. The IP address displayed next to "Default Route" or "Gateway" is the relevant address required. https://www.howtogeek.com/233952/how-to-find-your-routers-ip-address-on-any-computer-smartphone-or-tablet/ = Recommended Router Settings = {{mbox | type = notice | image = [[File:Ambox_notice.png|40px|alt=Info]] | text = Many router models do not allow changes to the specific settings discussed in this section. }} == General Router Settings == The following settings are recommended to lock down the router. '''Table:''' ''Router Access, Configuration, Management and Service Recommendations'' https://routersecurity.org/checklist.php {| class="wikitable" |- ! scope="col"| '''Category''' ! scope="col"| '''Recommendations''' |- ! scope="row"| Browser Access | Use the browser's incognito or private mode when accessing the administrative interface so the URL is not saved in the browser history. Avoid: * Administrating the router with a smartphone application. * Mesh router systems that deny local administrative access. |- ! scope="row"| Firewall | * Reconfigure the router firewall rules to drop all relevant incoming packets. * Firewall ports should be set to "stealth" rather than "closed". This way no response is given to unsolicited external communications from attackers probing the network. |- ! scope="row"| Firmware | Keep router firmware up-to-date at all times for better security. Set the self-updating firmware option if it is available. |- ! scope="row"| Logging | Set logging to on, if the feature is available. This allows for a record of unsolicited incoming connection attempts, attempted logins and so on. |- ! scope="row"| Port Forwarding | If port forwarding is necessary, it should be limited to a source IP address and/or source IP address subnet. |- ! scope="row"| Remote Access | * Disable remote administrative access and administrative access over Wi-Fi. Set administrator access only via wired ethernet connections (not possible with mesh routers). * Disable all other remote-access protocols like [https://en.wikipedia.org/wiki/Ping_%28networking_utility%29 PING], [https://en.wikipedia.org/wiki/Telnet Telnet] and [https://en.wikipedia.org/wiki/Secure_Shell SSH]. * If offered, disable cloud-based router management because trust is shifted to another person between the user and the router. |- ! scope="row"| Router Test | Use Gibson Research Corp.'s [https://www.grc.com/shieldsup Shields Up port-scanning service] to test the router for hundreds of common vulnerabilities, most of which can be mitigated by the router's administrator. |- ! scope="row"| Service Disabling | * Turn off [https://security.stackexchange.com/questions/38631/what-are-the-security-implications-of-enabling-upnp-in-my-home-router Universal Plug and Play (UPnP)], which can allow applications to open ports to external computers. * Disable [https://en.wikipedia.org/wiki/NAT_Port_Mapping_Protocol NAT-PMP], since it has similar functionality to UPnP. * Disable the [https://routersecurity.org/hnap.php Home Network Administrative Protocol] since it allows remote management of network devices. * Do not bind services to the external interface. |- ! scope="row"| SSID Service Set ID | Change the [https://en.wikipedia.org/wiki/Service_set_(802.11_network)#SSID Service Set ID (SSID)] which often leaks router information. Do not use personally identifying information like the apartment number you live in. |- ! scope="row"| Username and Password | Change the default router username and password to something suitably long and random using a [[Passwords#Generating_Unbreakable_Passwords|Diceware passphrase]]. It may be sensible to tape this on the router so it is not lost in the future. |- ! scope="row"| Web Interface | Disable the HTTP interface and enable the HTTPS interface instead, preferably on a non-standard port. For example: https://192.168.1.1:82 instead of http://192.168.1.1 |- |} == Wireless Network Router Settings == === Wi-Fi Warning === Contemporary research has discovered a number of faults with the WPA2 and WPA3 security protocols. For instance: * This [https://kryptera.se/assets/uploads/2017/10/usenix2016-wifi.pdf 2016 paper] found faults with WPA2 encryption due to flawed 802.11 random number generation (generating insufficient entropy), downgrade attacks on group keys transmitted in the 4-way handshake (forcing usage of RC4 encryption), decryption of the 128-bit group key, and injection of group traffic into unicast traffic. This meant unicast wifi traffic could be decrypted.
We tested this attack against an Asus RT-AC51U and a laptop running Windows 7. The group key was obtained by exploiting the weak random number generator as discussed in Section 3.4.1. In order to successfully perform the ARP poisoning attack against Windows, we injected malicious ARP requests. First, we were able to successfully inject the ARP packets using the group key. This confirms that the group key can be used to inject unicast packets. Once we poisoned the ARP cache of both the victim and router, they transmitted all their packets towards the broadcast MAC address. At this point we were able to successfully decrypt these broadcast packets using the group key, and read out the unicast IP packets sent by both the victim and router.
* The [https://www.krackattacks.com/ KRACK attack] family of vulnerabilities demonstrated a fatal flaw in the way WPA2 handshakes were negotiated allowing an attacker to decrypt (but not modify) data on the Wi-Fi LAN. The efficacy of the fixes are platform dependent and were mitigated provided that the devices received updates after it was announced. Suggestions have been made to the Wi-Fi Alliance standard body to guard against it in the future. * In 2019, [https://papers.mathyvanhoef.com/dragonblood.pdf five vulnerabilities were announced in the Wi-Fi WPA3 standard] as well by the same researchers behind the KRACK attacks; two downgrade attacks, two-side channel information leaks and one denial of service attack. Consequently, adversaries in range of the user's network can discover the Wi-Fi passphrase for infiltration purposes. These attacks also work against the Extensible Authentication Protocol that is supported in the previous WPA / WPA2 Wi-Fi authentication standard. https://www.zdnet.com/article/dragonblood-vulnerabilities-disclosed-in-wifi-wpa3-standard/
Both the two downgrade attacks and two side-channel leaks exploit design flaws in the WPA3 standard's Dragonfly key exchange --the mechanism through which clients authenticate on a WPA3 router or access point. * In 2021 a devastating flaw was discovered in the WiFi standard impacting all devices on the market that implement WEP through WPA3. FragAttacks (fragmentation and aggregation attacks):
...encompasses plaintext injection vulnerabilities, the frame aggregation feature of WiFi potentially leading to an aggregation attack, the frame fragmentation feature of WiFi leading to a possible mixed key attack, and the WiFi frame fragmentation feature being exploited for a possible fragment cache attack. A dozen CVEs in total were issued for this FragAttacks research.
https://www.phoronix.com/news/FragAttacks https://www.fragattacks.com/
In a downgrade attack, WiFi WPA3-capable networks can be tricked in using older and more insecure password negotiation schemes, allowing attackers to retrieve the network passwords using older flaws. In a side-channel information leak attack, WiFi WPA3-capable networks can trick devices into using weaker algorithms that leak small amounts of information about the network password. With repeated attacks, the full password can eventually be recovered.
Fortunately it is difficult for attackers to abuse these faults because it requires either user interaction or the use of uncommon network settings. Although various countermeasures are reported and software is available which corrects these problems, they also require firmware updates from Wi-Fi product vendors. These may be rare or impossible depending on the product in question. The researchers still view WPA3 as an improvement over WPA2, but criticize the opaqueness of the standardizing bodies in making flawed decisions that have been considered beforehand. === Recommendations === '''Table:''' ''Wi-Fi Configuration, Services and Protocol Recommendations'' {| class="wikitable" |- ! scope="col"| '''Category''' ! scope="col"| '''Recommendations''' |- ! scope="row"| DHCP Leases | Limit the number of [https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol Dynamic Host Configuration Protocol (DHCP)] leases (connects) to the Wi-Fi network to match the number of personal devices owned. |- ! scope="row"| Guest Access | If the Wi-Fi network will be accessed by visitors, set up a guest network that turns itself off after a set period. |- ! scope="row"| MAC Filtering | Enable MAC Filtering so only specific devices may connect to the network. |- ! scope="row"| Network Availability | If possible, schedule Wi-Fi networks to turn off at night and then turn on in the morning. |- ! scope="row"| Protocols | * Disable [https://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup Wi-Fi Protected Setup (WPS)] because it allows any device to connect to the network with the relevant eight-digit PIN.
* Do not rely on the [https://en.wikipedia.org/wiki/Wired_Equivalent_Privacy WEP] and [https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access WPA] standards which are cryptographically weak and have known security weaknesses. Use the [https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access#WPA2 WPA2] or [https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access#WPA3 WPA3 standard] so only authorized users can use the network. Usually the WPA2 Personal standard is fine; the WPA2 Enterprise version is only required for businesses.
* Use routers that exclusively use WPA2/3, preferably with the AES standard (CCMP) and not TKIP which is less secure. |- ! scope="row"| Services/Daemons | It is safest to assume data transferred between devices on a Wi-Fi LAN is available to attackers. Most FLOSS services have a robust encryption option implemented in their settings which needs to be toggled/used to ensure data security. |- ! scope="row"| SSID Broadcasting | Do not bother disabling SSID broadcasting since it is trivial to guess. |- ! scope="row"| WAN Requests | Enable the "Block WAN Requests" option to conceal the network from other Internet users. |- ! scope="row"| Wi-Fi Band | If possible, use the 5-GHz band for Wi-Fi instead of the standard 2.4GHz band -- the 5 GHz band does not travel as far. |} == Router Firmware == Strong consideration should be given to flashing the wired/wireless router with an open-source GNU/Linux distribution. Solutions such as [https://openwrt.org/ OpenWrt] and [https://dd-wrt.com/ DD-WRT] provide firmware that is suitable for a large variety of wired and wireless routers and embedded systems. The strengths of this approach are openness, regularly updated firmware images, greater functionality (fully-featured options), less bloat and more control over router behavior. The downside is that open-source firmware is not free of bugs; careful research is required before attempting this procedure. Check the online guides for instructions on how to proceed and whether the home router is compatible with the available firmware. = References = {{reflist|close=1}} {{Footer}} [[Category:Documentation]]