14
Feb

Wireless Router Security

One of the most common questions we are asked is, “How do I know my home PC is secure?” There is no simple answer, rather a checklist of things to tick off. One of the biggest advances in convenience for the home user is also the biggest threat: wireless NAT routers. A properly configured wireless NAT router is an effective means of protecting yourself from unwanted visitors. Most wireless routers include a built-in firewall, encryption algorithms, password protection and so on. The thing is, the out-of-the-box default settings are ineffective, and to be honest, if you leave the router set as such you are inviting trouble.

So what are the biggest threats?

No encryption, or easily cracked encryption

Firstly, and probably most common, is people “sniffing” the data sent from your wireless devices and decoding it. If you are entering the login details for your online banking and someone gets hold of this information, it could be very lucrative for them, very embarrassing for you, and hard to prove to your bank manager.

In comes encryption. Most modern routers offer many different ciphers (encryption algorithms), but by far the most effective is Rijndael encryption (pronounced “Rhine dahl”), also known as AES. The Advanced Encryption Standard is adopted as an encryption standard by the US government. Strictly speaking, AES is not precisely Rijndael, although in practice the names are used interchangeably. AES uses a 128-bit cipher with a 256-bit key. In plain English, the key is used to encrypt the data that you send from your wireless device. Only wireless devices that know the key can decrypt the data stream.

What we need to know is, if someone did “sniff” out this data, how long would it take them to crack the key and gain access? The answer varies, but the more complicated (or “strong”) the password you use, the harder it is to crack. Strong passwords include numbers, symbols and non-standard characters. For example, mypassword could be cracked quicker than mypa55w*rd. This is because you are not just using a-z (26 characters) but incorporating numbers (0-9) and symbols, thereby increasing the number of permutations and combinations the hacker would have to try to find the right key. Also, and this should go without saying, the length of the password has a direct bearing on its “strength”.

Putting this in perspective:

  • For a 128 bit key there are 3.4 x 10^38 possible 128-bit keys;
  • For a 256 bit key there are 1.1 x 10^77 possible 256-bit keys.

If a machine was capable of processing 2^55 keys per second, it would take 149 trillion years to crack a 128-bit key, let alone a 256-bit key. The universe is 20 trillion years old.

Your router should have WPA2 encryption, which has mandatory AES encryption. WPA only has optional AES encryption.
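The figures above can be checked directly. The following Python sketch is an added example, not part of the original article: it compares the search space of the two sample passwords with that of a 128-bit and a 256-bit key at the 2^55 guesses per second used above. The function names are hypothetical, and the 149 trillion year figure corresponds to searching half of the 128-bit key space, the average case.

```python
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def charset_size(password: str) -> int:
    """Size of the alphabet an exhaustive search must cover for this password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 ASCII symbols
    return size

def search_space(password: str) -> int:
    """Upper bound on candidates: alphabet ** length. Passwords built from
    dictionary words are weaker than this bound, so treat it as a best case."""
    return charset_size(password) ** len(password)

def years_to_search(space: int, guesses_per_second: int, fraction: float = 0.5) -> float:
    """Years needed to cover `fraction` of the space (0.5 is the average case)."""
    return space * fraction / guesses_per_second / SECONDS_PER_YEAR

def report(rate: int = 2 ** 55) -> dict:
    """Search space and average search time for the article's examples."""
    rows = {pw: search_space(pw) for pw in ("mypassword", "mypa55w*rd")}
    rows["128-bit key"] = 2 ** 128
    rows["256-bit key"] = 2 ** 256
    return {name: (space, years_to_search(space, rate)) for name, space in rows.items()}

if __name__ == "__main__":
    for name, (space, years) in report().items():
        print(f"{name:12} {space:.2e} candidates, {years:.3g} years on average")
```

At that rate both ten-character sample passwords are covered in under a minute, so the password, not the AES key, is the part of the system that needs length.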

Universal Plug and Play

Most modern routers also have Universal Plug and Play (UPnP) built in. Quoting from Wikipedia: “UPnP is a set of computer network protocols promulgated by the UPnP Forum. The goals of UPnP are to allow devices to connect seamlessly and to simplify the implementation of networks in the home (data sharing, communications, and entertainment) and corporate environments. UPnP achieves this by defining and publishing UPnP device control protocols built upon open, Internet-based communication standards.” Would it surprise you to know that this also makes it easy for unscrupulous souls to exploit your NAT router? Probably not, but how do they do this?

DNS Poisoning

The internet is a lot of PCs all connected together, obviously. Each machine has an Internet Protocol address, or IP address, a bit like the machine’s telephone number. This IP address is what the machines use to talk to each other, but IP addresses are difficult to remember. It is far easier for a human to remember a domain name, e.g. www.yahoo.co.uk. This domain name is mapped to an IP address by special machines on the internet called domain name servers, or DNS servers for short. For example, at the time of writing the IP address for yahoo.co.uk is 217.12.3.11. Try pasting it into your browser and you will get the Yahoo site.

Your router will have the DNS server addresses of your ISP in its settings, so every time you type a web address into your browser, the browser asks the router, which in turn asks the DNS server for the IP address. Once the IP address has been returned to the browser, it can then connect to the web site you were trying to get to (Fig. 1).

Now, if someone could gain access to your router and give it a bogus DNS server address, then they could redirect all of your surfing via their own DNS servers for their own devious ends. Imagine typing in https://www.myonlinebanking.com and, unbeknownst to you, the site you were on looked and felt like your online banking web site, but in fact a bogus DNS server had sent you somewhere else. This is out there in the wild. Fortunately, if you disable Universal Plug and Play you significantly reduce the risk of this happening to you.

Trojan Horses

Now, in all fairness, a Trojan Horse is a type of virus, so it should have no place in an article about wireless routers, right? Wrong. A Trojan Horse is a malicious program that infects your PC, gathers information about you and then “beams” it back to a central server or servers for the perpetrator to collect for their own devious ends.

A NAT router typically has a firewall built into it. Remember the internet being referred to as the “Information Super Highway”? Well, your internet connection is a lot like a motorway, with lots of different lanes carrying lots of different traffic, in BOTH directions. The better firewalls block traffic in both directions, and you have to specify which lanes are open, rather than which lanes are shut. The term lane here actually refers to a PORT.

A good port scanner will tell you if your firewall is effective at keeping people out. A good example is the Shields Up port scanner at www.grc.com. Visit the site and perform a full scan of the common ports. Your machine should return as being in “True Stealth” mode. If any of the common ports are open, or your machine responded to a “ping request”, then it will fail. Correct these problems until you are in “True Stealth”.

But what about traffic going out from your PC? On the same site is also the “Leak Test” program. Download and run this program to prove your NAT router’s firewall is stopping information from being leaked to the internet from your PC.

Change the default SSID

Routers all use a network name called an SSID. Manufacturers ship their routers with a default SSID. For example, the SSID for Linksys devices is normally "linksys". Knowing your SSID does not grant someone instant access, but it is a good start. Change the SSID and disable SSID broadcasting. Routers broadcast the SSID over the airwaves at regular intervals so that new machines coming into range can familiarise themselves with the network. Seeing as your network is at home, there is no need for this, so turn it off.
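One reason the network name matters under WPA2 in home (pre-shared key) mode: the 256-bit master key is derived from the passphrase with PBKDF2-HMAC-SHA1, using the SSID as the salt, so two routers left on the same factory SSID with the same passphrase end up with the same key. The Python sketch below is an added example, not part of the original article; the function names, the sample SSID list, the custom SSID and the 12-character threshold are assumptions made for illustration.

```python
import hashlib

# Constructed sample list of factory network names; "linksys" is the article's example.
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default"}
MIN_PASSPHRASE_LEN = 12  # assumed threshold for this example, not a standard value

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2 pre-shared-key master key: PBKDF2-HMAC-SHA1 over the passphrase,
    salted with the SSID, 4096 iterations, 256-bit output."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters long")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("an SSID is 1 to 32 bytes long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), salt, 4096, 32)

def audit(ssid: str, passphrase: str) -> list:
    """Return findings for a router's wireless settings (empty list = none)."""
    findings = []
    if ssid.lower() in DEFAULT_SSIDS:
        findings.append("factory SSID: the key-derivation salt is shared with "
                        "every other router left on this name")
    if len(passphrase) < MIN_PASSPHRASE_LEN:
        findings.append(f"passphrase shorter than {MIN_PASSPHRASE_LEN} characters")
    if passphrase.isalpha() and passphrase.islower():
        findings.append("passphrase uses lowercase letters only")
    return findings

if __name__ == "__main__":
    passphrase = "mypa55w*rd"  # the article's sample password
    for ssid in ("linksys", "attic-7f3k"):  # factory name vs. constructed custom name
        print(f"{ssid:12} {wpa2_pmk(passphrase, ssid).hex()}")
    print(audit("linksys", "mypassword"))
```

The two printed keys differ although the passphrase is identical, which is the effect of changing the SSID.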

Turn off DHCP

You should assign private IP addresses to each of your devices using a private IP address range such as 10.10.x.x. Private IP addresses are not accessible from the internet. If you use DHCP (Dynamic Host Configuration Protocol) to automatically assign IP addresses to your equipment, then it makes it easier for someone outside to gain a valid IP address for your home network.

Change the default password

Your router probably has a default password, e.g. “password”. Change this to a strong password.
