Basic Router Security Volume 4 in John R. Hines’ Computer Security for Mere Mortals, short documents that show how to have the most computer security with the least effort
John R. Hines, Consulting Security Engineer, LLC
Net+ Certified, Security+ Certified
“Plagiarism is when the author steals from one source; scholarship is when the author steals from many sources.” -- Anonymous
"Facts are stubborn things; and whatever may be our wishes, our inclinations, or the dictates of our passions, they cannot alter the state of facts and evidence." -- John Adams
Oholiab's First Law: The Suits' need for computing power expands until all the Geeks' servers are 100% utilized running database queries and printing reports during business hours.
Corollary to Oholiab's First Law: Development can only access the servers purchased for development when nobody else wants them.
Oholiab's first law of security (Murphy's first law of planning): The important things are simple.
Oholiab's second law of security (Murphy's second law of planning): The simple things are very hard.
these notes, you do not have permission to read these notes!
Copyright © Consulting Security Engineer LLC. All rights reserved. 2016
ISBN N/A Version 1.201707262300
Suggested reading (when you have time) oul Anderson badly formatted but great ideas
Is security a new problem?
What is security?
What is computer security?
What is a low-reward measure?
What is a reasonable measure?
What is an unreasonable measure?
What will you find in these notes?
What about routers?
What is a router?
What is a firewall (hardware firewall)?
What is a wireless router?
What is a wired router (hard-wired router)?
What is router firmware?
What is "flashing the ROM"?
Where should my router be placed?
What simple reasonable measures will improve your router security?
Default problem #1: Router firmware (software in hardware) is typically out of date before you buy it.
What is a zero-day attack (zero-day exploit)?
What is an attacker?
Mistake #1A: Buying a bargain router.
Default problem #2: The default password is written on the side of the router.
What's a dictionary password attack?
What's a strong password?
Mistake #2A: Not saving the changed password in a secure place.
Default problem #3: Most router hacks come from WIFI issues, not from cable issues.
Default problem #4: WIFI networks should always use WPA2 encryption.
Mistake #4A: Using WEP encryption on your router.
Mistake #4B: Having no encryption on your router.
Default problem #5: WIFI name and password defaults are often chosen to simplify installation, not to secure the router.
Mistake #5A: Not saving the changed WIFI password (passwords) in a secure place.
Default problem #6: WIFI signals should not go (too far) beyond your office.
Mistake #6A: Buying a large area router for a small office.
Appendix I: What about networks?
What is a network (computer network)?
What is a gateway?
What is a LAN (Local Area Network) (Local network)?
What is a network address (network number)?
What is a network device?
What is a network edge?
What is a network node (computer network node) (network host) (node)?
What is a network segment?
What is a subnet (subnetwork) (network subnet)?
What is an intranet (Intranet) (private network)?
What is IP (Internet Protocol)?
What is the internet (Internet) (public network)?
What is an IP address (Logical address) (Network address)?
What is TCP (Transmission Control Protocol)?
What is WIFI (Wi-Fi) (Wifi) (WiFi) (Wireless networking) (Unbounded
What is wired (hard-wired)?
What is wireless?
Appendix II: How does a router link (connect) an intranet to the internet?
Appendix III: How do I find my router's IP address?
Appendix IV: What hardware do I need to use my router?
Appendix V: How do I access my router?
Appendix VI: How do I reset my router back to the built-in name and password?
What documents are part of this series?
Biography
Security
Is security a new problem?
No! Security has always been a problem! Even strong men have always had security concerns: "When the strong man, fully armed, guards his own dwelling, his goods are safe. But when someone stronger attacks him and overcomes him, he takes from him his whole armor in which he trusted, and divides his spoils." (Luke 11:21-22)
required for a complete "gang of misrule" (crime family). M gives these as " … For men, there are fourteen roles: (1) ruffler, (2) upright man, (3) hooker (angler), (4) rogue, (5) wild rogue, (6) priggers of prancers, (7) palliards, (8) frater, (9) jarkman (patricoe) (10) whip jacket, (11) drummerer (dommerer), (12) drunken tinker (13) swadder (pedlar), and (14) Abram man. For women (and children) there are nine roles: (1) demander for glimmer or fire, (2) bawdy basket, (3) morts, (4) autem mort, (5) walking morts (6) doxy, (7) dell, (8) kinching mort, and (9) kinching cove." (Buy my book if you want to know what all these specialties are.) Add hackers and
What is security?
The dictionary definition of security is "being free from danger or threat".
Experience proves no one is secure, at least in the dictionary sense. Solomon had a different take on security (or, maybe, on the lack of security): "The race is not to the swift or the battle to the strong, nor does food come to the wise or wealth to the brilliant or favor to the learned; but time and chance happen to them all" (Ec. 9:11). (Back in the day, bumper stickers on the back of pickups often summarized Solomon's quote in two words: "Excrement happens".) Damon Runyon, writer of "Guys and Dolls", offered an amendment to Solomon's advice: "The race is not always to the swift, nor the battle to the strong, but that's the way to bet." The way to be secure is to be skilled and hope to be lucky. And (if you've read any of Runyon's other works), the way not to be secure is to be unskilled (unless you're very, very lucky).
So, I suggest a different definition of security that emphasizes our part in keeping ourselves secure: "things done and things left undone that give as much control as possible over the future". Be skilled (the things done), be careful (the things not done), and hope to be lucky.
One more quote: "Luck is what happens when preparation meets opportunity" (Seneca, First Century AD, possibly misattributed). Prepare for Murphy to knock on your door. A disaster for the unprepared is an opportunity for the prepared.
What is computer security?
The dictionary says, "measures taken to safeguard code, information, and systems". A more sensible definition of computer security is "(1) reasonable measures taken to safeguard code, information, and systems, (2) unreasonable measures not taken to safeguard code, information, and systems, and (3) measures not taken to avoid low-rewards." Unfortunately, reasonable, unreasonable, and low-reward are (like beauty) in the mind of the beholder.
What is a low-reward measure?
A security measure that has a small payoff for the inconvenience, money and time associated with the measure. Many measures advocated by security professionals are low-reward measures for non-security professionals who do not have an in-house professional to help them.
What is a reasonable measure?
A security measure that has a significant payoff for the inconvenience, money and time associated with the measure.
Reasonable measures that are not terribly inconvenient for a non-professional and require little money and time should ALWAYS be implemented.
Reasonable measures that are terribly inconvenient for a non-professional but require only a small amount of time and money should be implemented when possible. (Maybe hire a professional for a half-day?)
Reasonable measures that are not inconvenient for a non-professional but require a small amount of time and money should be implemented when possible. (I define a small amount of money as my monthly definition.)
Reasonable measures that are terribly inconvenient for a non-professional and require a lot of money should only be implemented if you suspect you are a potential target.
Warning: If you are (1) involved in politics or social issues, (2) visible in your community for some reason, or (3) have strange family members or neighbors, then you should suspect you are a target.
What is an unreasonable measure?
A security measure that has become popular wisdom but probably is of little value. (A few years ago, one argument for switching from a PC to a Mac was "Macs don't get viruses." If that was ever true, it isn't now, but many Mac sales people and users still believe it and repeat it to non-Mac users.)
What will you find in these notes?
What I think are reasonable and unreasonable measures and what are low-reward measures. Send me an email at
to let me know when
I'm wrong. Thanks, John
Routers
What about routers?
What is a router?
Hardware (with firmware and software) that forwards data packets between networks. A router is connected to at least two networks and is located at a gateway (a place where two or more networks connect). It does not forward broadcasts or corrupted packets. It typically implements a hardware firewall. It operates at OSI layer 3 (the network layer). Full duplex prevents most collisions. In small networks, the same device typically routes packets to and from both wire-connected and wireless-connected devices. Alternative: Traffic management devices that connect network segments. Note: Router logs may tell you if an intruder breached internal systems. Note: Home routers are typically controlled by a PC (PCs) connected by wires; i.e., there is no "out of band" port on most home routers.
What is a firewall (hardware firewall)?
Hardware and/or a set of related programs, located at a network gateway server (and usually on each network PC) which protects the resources of a private network (and networked PCs) from users from other networks (and other users on the private network) by examining traffic. (The term also implies the security policy used with the programs.)
What is SPI (Stateful Packet Inspection) (stateful inspection)?
Keeping track of the state of network connections (such as TCP streams, UDP communication). Useful tool for detecting and preventing (some kinds of) hacking.
What is a wireless router?
Provides network connectivity by WIFI, usually through a WAP built into the router. Note: Wireless routers almost always have wired ethernet connections as well. Note: A wireless router with wired connections is always a better buy than a wired router. Eventually you'll need wired connections.
What is a wired router (hard-wired router)?
Provides network connectivity for computers connected to it by ethernet cables. Typically supports ethernet 10 Mbps/100 Mbps/1 Gbps transfer speeds. Note: Buying a wired router without WIFI is seldom a good idea: you will eventually want WIFI for your cell phones and tablets (saves money when you're at home) if nothing else.
What is router firmware?
Software stored in ROM. Typically, it contains only the elementary basic functions of a device and may only provide services to higher-level software (such as the ROM BIOS of a personal computer).
What is "flashing the ROM"?
Changing (usually upgrading) firmware.
Where should my router be placed?
Three things to consider:
1. The farther the router is from the cable modem, the longer the ethernet cable connecting the two. Shorter is better. BTW: Ethernet cables are kinda-sorta robust but they should be protected from pinching and scraping.
2. Routers don't have fans so you want air flowing around the router. If you put your router in a closet or on a high shelf, you might want to buy a small personal fan to blow on it.
3. Routers should be someplace that is (1) hard to get at and (2) easy to see.
What simple reasonable measures will improve your router security?
Default problem #1: Router firmware (software in hardware) is typically out of date before you buy it.
Often computer problems are identified by initial users or exploited by hackers in a zero-day attack. By the time your router arrives, it may have known problems that need to be fixed before the world sees your router on the internet.
The low-cost Tenda AC1900 used to test these notes told me a firmware upgrade was available. If I had IT support nearby, I would ask for advice. However, I don't so I'm going to click on "OK" and hope for the best. I suggest you do the same.
What is a zero-day attack (zero-day exploit)?
New kind of attack using a vulnerability the day it is discovered (that hasn’t yet been fixed).
What is an attacker?
Unauthorized person who attempts to access your network or your computer. May also be an authorized person who attempts to misuse your network or computer. A cracker, hacker, rogue employee, rogue relative, script kiddie.
Mistake #1A: Buying a bargain router
There was a spelling error on the Tenda Internet Status page so I wasn't too surprised when there were additional problems on the "Firmware Upgrade" page (Chinese instead of English) but I clicked on "Download and Upgrade" and flashing the ROM worked OK.
Why bring this up? You will spend more time installing a bargain router, have more problems, and find that tech support is hard to access and hard to understand.
What brands of routers should you look at first?
If cost is close for the same features, look at D-Link, Linksys, and Netgear first, then look at Asus if you want more features than the others. If you have more time than money, look at TP-Link and Tenda.
Default problem #2: The default password is written on the side of the router.
Unless your router is in a locked room and you have the only key, janitors, rogue employees, and rogue relatives can all access your router and change whatever they want to change if you do not change the default password. Change the password to a strong password that is different from the password on the side of the router.
What's a dictionary password attack?
The attacker uses a dictionary of possible passwords, continuing the attack until he finds the correct password. It works because users like easy-to-remember words. It works well against routers because it's not practical to have an account lockout option like computers do.
What is account lockout (Account lockout policy)?
Disables a user account after a certain number of failed logon attempts within a specified period of time.
What's a strong password?
At least eight characters long, does not contain your user name, real name, or company name, does not contain a complete word, is significantly different from previous passwords, and contains characters from the following categories: uppercase letters, lowercase letters, numbers, symbols found on the keyboard (all keyboard characters not defined as letters or numerals), and spaces (length, complexity, and unpredictability).
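A checker for the rules just listed, as an added example that is not from the book: it also rejects passwords found in a small word list (the kind a dictionary attack tries first) and passwords within a few edits of a previous one. Requiring at least three of the five character categories is my reading of the rule; the word list and the sample names are constructed.

```python
"""Checker for the strong-password rules in "What's a strong password?".
Added example, not from the book. COMMON_WORDS stands in for a real
dictionary; the threshold of three character categories is an assumption."""
import string

# Constructed stand-in for a dictionary / leaked-password list.
COMMON_WORDS = {"password", "admin", "router", "tenda", "hunting", "welcome",
                "letmein", "summer", "dragon", "monkey"}

CATEGORIES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
    "space": {" "},
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to judge 'significantly different from previous passwords'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def contains_complete_word(pw: str, words=COMMON_WORDS) -> bool:
    """True if any dictionary word of four or more letters appears inside the password."""
    low = pw.lower()
    return any(w in low for w in words if len(w) >= 4)


def check_password(pw, user_name="", real_name="", company="", previous=(), min_distance=4):
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    low = pw.lower()
    # Rule: must not contain the user name, real name or company name.
    for label, value in (("user name", user_name), ("real name", real_name),
                         ("company name", company)):
        for part in value.lower().split():
            if len(part) >= 3 and part in low:
                problems.append(f"contains {label} ({part})")
    if contains_complete_word(pw):
        problems.append("contains a complete dictionary word")
    # Rule: significantly different from previous (and other, e.g. WIFI) passwords.
    for old in previous:
        if levenshtein(low, old.lower()) < min_distance:
            problems.append("too similar to a previous or other password")
            break
    present = [name for name, chars in CATEGORIES.items() if any(c in chars for c in pw)]
    if len(present) < 3:
        problems.append(f"uses only {len(present)} character categories: {present}")
    return problems
```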
Mistake #2A: Not saving the changed password in a secure place.
If you've read Basic Windows 10 Security, you already know my recommendation for saving passwords in a secure place. Here's another password to put in that secure place. Typically, one copy in your bank box and one in a "secure" container somewhere hard to get at. NEVER save the password near the router or near your computer. (My eleven-year-old grandson knows how to "toss" a work area to find passwords: he learned how watching NCIS.)
Default problem #3: Most router hacks come from WIFI issues, not from cable issues.
Yes, cables can be hacked. But, it's hard, it's usually dirty work, and it usually has to be done inside your office. Phones and tablets have to use WIFI but computers don't unless you have a very strange office space. You can pay a professional cabler to run cables but often you can connect every computer in your office using prefabricated cables from Fry's or Micro Center.
Note: You will still need WIFI for phones and tablets, but just using cable instead of WIFI will keep the most important parts of your network safe (well, safer). Warning: Every computer attached to the router by cable has access to the router. That's another reason to change the router password.
Default problem #4: WIFI networks should always use WPA2 encryption.
WPA2 is secure. WPA is pretty secure. WEP is NOT secure. Note: Document the encryption used so you can get a new router up quickly if the old one dies.
Mistake #4A: Using WEP encryption on your router.
Yes, it's a choice on almost all routers but it should never be used. Even PC Magazine knows how to crack WEP!
Mistake #4B: Having no encryption on your router.
Yes, it's a choice on almost all routers but it should never be used.
Default problem #5: WIFI name and password defaults are often chosen to simplify installation, not to secure the router.
WIFI names (sometimes called SSIDs) should be bland and vague, giving no information about the router. Tenda violates this by making default names from "Tenda" plus part of the router name (for example, my Tenda router defaults to "Tenda_19BCC0"). Anyone with a WIFI analyzer on their phone or tablet instantly knows they can hack the router if they can find a crack for a Tenda AC1900. When I change the name to "Hunting_Box", they get no information about the router's manufacturer or model: they have to try random cracks. Note: It is possible to hide a WIFI router name. Some advocate it. I don't: hiding the router name is waving a red flag at hackers that says, "Hey, I've got stuff that is so valuable that I am hiding." Hiding in plain sight is always better than hiding in secrecy. Warning: WIFI passwords should be strong passwords but NEVER the same as the router password: if a dictionary password attack cracks your WIFI password, the attacker should have to crack your cable password, too, to get into your router.
Mistake #5A: Not saving the changed WIFI password (passwords) in a secure place.
See Mistake #2A.
Default problem #6: WIFI signals should not go (too far) beyond your office.
The farther WIFI signals go, the easier it is to hack the WIFI part of the router. A guy sitting in front of your office pounding on a laptop is much more obvious than a guy sitting at a table in the park across the street pounding on a laptop. The default for many routers is to broadcast the strongest signal (so it goes the farthest). You should set transmit power to the lowest level and test coverage. If the office isn't covered, increase the power level and test coverage again.
Warning: Document the acceptable transmit power so you can quickly replace a defective router.
Mistake #6A: Buying a large area router for a small office.
Read the information on the box.
Appendices
Appendix I: What about networks?
What is a network (computer network)?
Connected graph where nodes are computer network nodes and edges are computer-to-computer connections.
What is a gateway?
Network node that is an entrance to another network. Often a router.
What is a LAN (Local Area Network) (Local network)?
Hardware and software that turns terminals, workstations, servers, and hosts into a single network environment in a small geographic region like a building. Alternative (more modern): A network segment that may or may not be connected to another network. Larger networks are created by "gluing" two or more LANs together, typically with a router.
What is a network address (network number)?
Bit pattern or group of hexadecimal numbers that uniquely identifies a network node. In IPv4, eight hex characters, each pair (except the last) separated by dots. (Four bytes.) In IPv6, 32 hex characters, each quad (except the last) separated by colons. (16 bytes.)
What is a network device?
Component (hardware) that connects ("glues") computers or other electronic devices together to share files or resources. Usually a network node.
What is a network edge?
Single physical connection between two computers. Sometimes used as a synonym for connection (network connection). Alternative: Cable with connectors at both ends that connects two nodes.
What is a network node (computer network node) (network host) (node)?
An addressable device attached to a computer network.
What is a network segment?
VLAN, or switch segmentation.
What is a subnet (subnetwork) (network subnet)?
Logical, visible subdivision of an IP network. Computers that belong to a subnet are addressed with a common, identical, most-significant bit-group in their IP address. Note: The practice of dividing a network into two or more networks is called subnetting.
What is an intranet (Intranet) (private network)?
Private network combining existing LAN and WAN technologies and new Internet technologies. Has all the features of the Internet. There are many intranets. They typically use 10.x.x.x, 127.x.x.x, 172.16.x.x through 172.31.x.x or 192.168.x.x. Typically connected to the (one and only) internet by a router but may be stand-alone. See Internet.
What is IP (Internet Protocol)?
Basic protocol of the Internet. It enables the unreliable delivery of individual packets from one host to another. It makes no guarantees about whether or not the packet will be delivered, how long it will take, or if multiple packets will arrive in the order they were sent. Protocols built on top of this add the notions of connection and reliability.
What is the internet (Internet) (public network)?
Large network with millions of hosts from many organizations and countries around the world. Amalgamation of many smaller networks. Data travels by a common set of protocols (starting with TCP/IP). All (well, almost all; ignore 10.x.x.x, 127.x.x.x, 172.16.x.x through 172.31.x.x and 192.168.x.x) internet addresses are unique.
What is an IP address (Logical address) (Network address)?
In IPv4, 32 bits or a quad of octets (bytes). In IPv6, 128 bits or a hex of octets (bytes) or 32 hex characters. A software address, not a hard-coded address.
What is TCP (Transmission Control Protocol)?
Network reliable communication protocol, typically sits on top of IP. See UDP.
What is WIFI (Wi-Fi) (Wifi) (WiFi) (Wireless networking)?
Local area wireless technology to exchange data or connect to the internet (usually using 2.4 GHz UHF and 5 GHz SHF).
What is wired (hard-wired)?
Connected to other devices by cables, usually ethernet cables. See Ethernet.
What is wireless?
Connected to other devices by WIFI (typically using a WAP).
Appendix II: How does a router link (connect) an intranet to the internet?
You need an internet address (actually, you need an IP address but they are pretty much the same thing) to be on the internet. Your home network does not have one. So, how do you get one? You might try to buy one or more IP addresses. However, all (almost all) the usable internet addresses are already owned. It would be really expensive (much more than your lifetime beer and coffee expenditures combined). Worse, you would have to search really hard to find someone willing to sell you one. So, buying one or more is not a workable plan.
Fortunately, both idealism and profit motivate (some) IP owners called ISPs (Independent Service Providers) to lease or let you temporarily use as many IP addresses as you can afford to pay for.
The cost of leasing a single IP address (a dedicated line) is so expensive (maybe a decade of beer and coffee expenditures for a single year's lease) that you are more likely to temporarily use an ISP's IPs. The cost of temporarily using a single IP address is so expensive (maybe a year of beer and coffee expenditures to pay for a year's temporary use) that most people have access to only one IP and use tricks that allow all your computing devices to use that one. (Yes, it's more complex than that but why go there?)
Warning: You typically use an IP from a pool of currently unused IPs at the ISP so you seldom get the same IP from your ISP. But, you don't need to know what IP the ISP is letting you use, the ISP handles all of that! Just don't assume you always have the same internet IP.
Your ISP will give you access to a single temporary IP address with reasonable (reasonable, like beauty, is in the eye of the beholder) bandwidth by running a wire to your home (if one doesn't already exist) and installing a cable modem in your house.
Warning: If a wire (either from a cable company or a telephone company) is not already in place near your home, you may have to resort to a cell phone-like connection from a cell phone company.
If you only have one device in your home (very unlikely), the ISP's the internet. If you have more than one device in your home (everybody does -- computers, internet TV, phones and tablets) then a router (one of the tricks I mentioned) is required. The router will sit between the cable modem and your devices. The router collects all the internet requests from all the devices, combines them in a clever way, and sends them out through the single borrowed IP address. When responses to the requests come back, the router returns them to the appropriate device.
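A toy model of the "clever way" the router shares one borrowed address, as an added example that is not from the book: it assumes port-based NAT (each outbound connection gets its own public port), shows two devices using the same source port through one public IP, and shows why an inbound packet that nobody inside asked for is dropped. All addresses are constructed (documentation ranges).

```python
"""Toy port-based NAT: how one ISP-assigned address serves every device behind
the router. Added example, not from the book; addresses are constructed."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


class HomeRouter:
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}    # (private ip, private port, dst ip, dst port) -> public port
        self.reverse = {}  # (public port, remote ip, remote port) -> (private ip, private port)
        self.dropped = []  # inbound packets that matched no mapping

    def outbound(self, pkt):
        """Device -> internet: swap the private source for the public IP plus a mapped port."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.reverse[(self.next_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
            self.next_port += 1
        return replace(pkt, src_ip=self.public_ip, src_port=self.table[key])

    def inbound(self, pkt):
        """Internet -> device: only replies to a mapped connection get through."""
        if pkt.dst_ip != self.public_ip:
            self.dropped.append(pkt)
            return None
        target = self.reverse.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if target is None:
            self.dropped.append(pkt)   # unsolicited: nothing inside asked for it
            return None
        return replace(pkt, dst_ip=target[0], dst_port=target[1])


def demo():
    """Two devices (same source port!) talk to one web server through one public address."""
    r = HomeRouter("203.0.113.7")   # constructed stand-in for the ISP's leased address
    out1 = r.outbound(Packet("192.168.0.185", 51000, "198.51.100.10", 443, "GET /a"))
    out2 = r.outbound(Packet("192.168.0.42", 51000, "198.51.100.10", 443, "GET /b"))
    back1 = r.inbound(Packet("198.51.100.10", 443, r.public_ip, out1.src_port, "reply a"))
    back2 = r.inbound(Packet("198.51.100.10", 443, r.public_ip, out2.src_port, "reply b"))
    stray = r.inbound(Packet("198.51.100.99", 8080, r.public_ip, 40123, "scan"))
    return out1, out2, back1, back2, stray


if __name__ == "__main__":
    for p in demo():
        print(p)
```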
Appendix III: How do I find my router's IP address?
Depending on your version of Windows 10, open your admin cmd window or PowerShell window. At the prompt, type "ipconfig [CR]". Ipconfig will return information about your system and its private LAN, something like:
Windows IP Configuration

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : tendawifi.com
   Link-local IPv6 Address . . . . . : fe80::7002:9ba9:d9eb:f7bb%24
   IPv4 Address. . . . . . . . . . . : 192.168.0.185
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
Your private LAN is Class C (from the Subnet Mask), your system has been assigned the private IP 192.168.0.185 (from the IPv4 Address), your router has been assigned 192.168.0.1 (from the IPv4 Default Gateway). But, the only thing you need to know is the router is at the gateway.
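The same reading of the ipconfig output done in code, as an added example that is not from the book: it parses the adapter fields, derives the network block from the IPv4 address and subnet mask, and checks that the gateway actually lies inside that block. The sample output is constructed to match the values shown above.

```python
"""Pull the router (default gateway) address out of Windows ipconfig output and
check it against the subnet mask. Added example, not from the book; the sample
output below is constructed to match the values quoted in the text."""
import ipaddress
import re

SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : tendawifi.com
   Link-local IPv6 Address . . . . . : fe80::7002:9ba9:d9eb:f7bb%24
   IPv4 Address. . . . . . . . . . . : 192.168.0.185
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
"""

# "   Field Name . . . : value"  -> name, value (the dot leaders are skipped)
FIELD_RE = re.compile(r"^\s+(?P<name>[A-Za-z0-9 -]+?)[ .]*: (?P<value>\S.*)$")


def parse_ipconfig(text):
    """Return {adapter name: {field: value}} for every adapter block in the output."""
    adapters, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]          # e.g. "Ethernet adapter Ethernet"
            adapters[current] = {}
        elif current is not None:
            m = FIELD_RE.match(line)
            if m:
                adapters[current][m.group("name").strip()] = m.group("value").strip()
    return adapters


def router_address(text):
    """Find the first adapter with an IPv4 gateway and sanity-check it.

    Returns (gateway, network): the network is the CIDR block implied by the
    IPv4 address and subnet mask. Raises ValueError if the gateway is outside
    it (a mistyped address or a misconfigured interface) or none is found."""
    for fields in parse_ipconfig(text).values():
        if "Default Gateway" in fields and "IPv4 Address" in fields:
            gw = ipaddress.IPv4Address(fields["Default Gateway"])
            iface = ipaddress.IPv4Interface(f"{fields['IPv4 Address']}/{fields['Subnet Mask']}")
            if gw not in iface.network:
                raise ValueError(f"gateway {gw} is outside {iface.network}")
            return str(gw), str(iface.network)
    raise ValueError("no IPv4 adapter with a default gateway found")


if __name__ == "__main__":
    print(router_address(SAMPLE_IPCONFIG))
```

On a real machine, feed it the output of ipconfig instead of the sample (for example via subprocess.run(["ipconfig"], capture_output=True, text=True).stdout).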
Appendix IV: What hardware do I need to use my router?
Four items: (1) a computer with a 1GHz port on the back; (2) a ten-foot (or longer) Cat 6 ethernet cable with RJ45 connectors on both ends (will work in 1GHz, 100 MHz and 10 MHz ethernet networks); (3) a magnifying glass (best to get one with a light powered by AAA cells or similar) to read the built-in router name and router password on the back of the router; and (4) a pin, needle or metal paper clip (to reset the router).
Appendix V: How do I access my router?
Once you know (1) the IP of the router (read "How do I find my router's IP address?") and (2) the password (look on the back of the router and WRITE DOWN the name and password - you may find both a wired and wireless password, if so write down both and identify which is which).
Connect the ethernet connector on the back of your computer to one of the four (or eight) same-color RJ45 connections on the back of the router; then open your browser, enter the router's IP address 192.168.0.1 or http://192.168.0.1 in the browser address window and press "ENTER". Warning: You cannot manage the router over WIFI. There are fifty-foot-long CAT 6 cables at most big computer stores, so you should be able to connect to the router over cable.
After some kind of login procedure, you should see the main router window which looks something like the image below.
Appendix VI: How do I reset my router back to the built-in name and password?
Usually, on the back of the router there is a hole with a label like "RESET" or "RST". There is a small pushbutton inside the hole. Insert a pin or some other thin, stiff item at least 1" long into the hole. Push the pin into the hole and hold down the button for about 10 seconds. The router erases all your changes and loads the defaults.
What documents are part of this series?
Volume 1: 5-Minute security talk
Volume 2: 15-Minute security talk
Volume 3: Basic Windows 10 Security
Volume 4: Basic Router Security
Volume 5: Basic Network Security
Volume 6: Basic Browser Security
Volume 7: Advanced Windows 10 Security
Volume 8: Advanced Router Security
Volume 9: Advanced Network Security
Volume 10: Advanced Browser Security
Volume 11: Basic Windows 7 Security
Volume 12: Basic Phone and Tablet Security
John R Hines has degrees from two party schools (the University of Colorado and Arizona State University). He was a professional engineer in Texas. He has been a semiconductor engineer, a programmer, a writer and a teacher. Since he retired to Lucas, Texas, he has been writing eBooks for Amazon and thinking about computer security and taking CompTIA certification tests (he is A+, Net+, and Security+ certified).
In the 1980s, the US Patent and Trademark Office granted him six patents and he began writing about using computers to solve problems. He wrote a book about circuit simulation and taught SPICE (Simulation Program with Integrated Circuit Emphasis) classes at Fortune 500 companies. In the 1990s, he had computer-related columns in popular trade magazines like Electronic Test and Design Automation and scholarly magazines like IEEE Spectrum and taught C, C++, Delphi and Java.
In the 2000s, he was a Java developer for America’s best telephone company. In late 2016, he started prototyping a security start-up to test a business model for geek geezers who want to work less than 20 hours a week.
Google him under JR Hines, J. Richard Hines (Honeywell IT didn't like John Hines publishing articles poking fun at it), John Hines and John R Hines. Or look at his computer books on Amazon.com.