Saturday, July 26, 2014

Securing a home network with the RT-AC87 wireless router

Let's say you want a wireless network in your home or small office. Maybe it's a new home, or maybe you're upgrading to something faster / more reliable / with better range. So you run down to the nearest big box retailer or online electronics shop, purchase something that looks good, unbox it, plug it in, and you are good to go, right?

Not quite. As nice as it would be if setting up a secure wireless network were just a matter of unboxing and plugging in a new router, it takes a few more steps to properly set things up. The good news is basic home network security is not terribly complicated - and the better news is newer wireless routers make it easier than ever to set things up safely. In this post I use the new ASUS RT-AC87U (aka RT-AC87R) to demonstrate basic secure installation.

TL;DR: see the brief checklist at the end for simple steps to secure a home wireless network.

This report is one in a series I have written on ASUS wireless router features and vulnerabilities. Others of interest:

The AC87 wireless router has a setup wizard that makes this process very easy. The first and most critical step is to change the password (and preferably the user name as well) for the router administrator account. Out of the box, most devices come with an easily-found password (often username "admin" / password "admin"). If you don't change the default password, it's a veritable invitation for someone else to take control of your router. Since the router is the gateway between your home network and the "big bad Internet," it's arguably the most important piece of equipment on your network. So change the password. If you need help coming up with and remembering a good strong password, consider using a password manager - then you only have to remember one password.

The RT-AC87U is a relatively high-end SOHO (small office / home office) router, with some features not found in the bare-bones routers. Thus the next step is to choose the mode you would like it to run in. This model can act as a wireless router (the most common mode); an access point (where it serves as an extension to another wireless router, perhaps to provide better coverage of a large home or office); or as a media bridge (in which case it connects wirelessly to another router, but only its physical Ethernet ports are usable. This could make sense if you have a couple of non-wireless devices in a media center and would like to network them). For the purpose of this demonstration, I am configuring this as a normal wireless router.

Some Internet providers have unique requirements for connecting your home network. If this is true of your provider, you will need to supply the appropriate settings for the “WAN” connection (the connection to the outside world). In most cases though, DHCP (or “Automatic IP” as ASUS describes it) is sufficient. With DHCP, the provider automatically supplies all your network configuration. This includes the basic addressing, as well as a DNS (or Domain Name Server, which translates Internet addresses into human-friendly names). This will become important in a few minutes.

This router allows you to specify the name and “MAC Address” for your router. Name is self-explanatory, but MAC Address bears some description. Each networked device comes from the factory with a Media Access Control address, or MAC Address. In theory, this is a unique identifier not duplicated anywhere in the world (and in fact, one commonly-recommended step in securing a wireless network is to list out the MAC addresses of permitted devices, and block the rest). Not only does this router have the ability to change its MAC – but the setup wizard gives you the option without even having to look for it.

Now we get to something a little more specific to your home or office. Out of the box this router labels its wireless networks as ASUS and ASUS_5G. As does every other ASUS wireless router. In the world. Maybe you don’t want to label your wireless network “123 hometown street” but it is a good idea to name it something a little less common than the default. Otherwise, any device you connect to your home wireless network will look for that network name everywhere it goes, and may well try to connect with a hacker’s cleverly-named “ASUS_5G” network outside Starbucks.

The RT-AC87U router by default uses the strongest encryption currently available – WPA2 with AEL encryption (labeled here as WPA2-Personal). This is a good thing – some common routers will by default use either no encryption, or weaker WEP encryption. By all means use the strongest encryption that your devices will support (of course if you have 10-year-old printers, you may have to make a choice between weaker security with a wireless connection to the printer, or stronger security with the printer relegated to a physical network connection).

With this done, your wireless router is ready to use – but there are a few more steps I recommend you consider. First, by default the RT-AC87U is managed at http://192.168.0.1. You may recognize that the http means it is not secure. Specifically, it means that the connection is not encrypted, and that anyone else on your network may be able to eavesdrop on your management connection. That is easily changeable though. When logged into the administrative console, click the Administration button and the System tab and you can change "Authentication Method" to HTTPS. Pay attention to the "HTTPS LAN Port" number. With HTTPS turned on, you log into the router using the URL "https://192.168.0.1:1234" (change the 1234 to the HTTPS LAN port shown above).

Second, consider using a DNS service such as OpenDNS. DNS, or Domain Name Resolution, is how your computer knows that www.google.com is actually “74.125.224.242.” It happens silently in the background and is usually ignored unless it stops working. Most routers can either accept the default DNS server provided by your Internet provider, or take a specific DNS server you provide. OpenDNS FamilyShield is a free service that simply doesn’t resolve website addresses that go to known “adult” or malicious content (more accurately, it resolves such websites to a benign address that says “you can’t go there.”) It’s not perfect, but it’s one layer in the chain, and it is completely transparent. In my opinion this is one of the strongest additions you can make to the security of your home network - I have not seen a single malware infection on my home PCs since I began using this a couple of years ago despite having a home with 5 teen / preteen children all with electronic devices and varying levels of maturity when it comes to recognizing risky computing behavior. To use OpenDNS (or any alternate DNS provider), click the "LAN" button and the "DHCP Server" tab on the administrator console, and enter the address for the OpenDNS server (in my case it is 208.67.222.123, but it is best if you go to OpenDNS FamilyShield and follow the instructions). As a side note, The RT-AC87U has a built in "AiProtection" feature that is supposed to provide similar blocking for malicious URLs. It may well do so, and is slightly simpler than modifying the DNS server, but I have not yet fully evaluated how effective it is.

At first glance this may seem a bit intimidating, but in reality it boils down to 5 simple steps:

  1. Change the default username and password
  2. Use a non-default name for your wireless network
  3. Use the strongest wireless encryption your devices support
  4. Change management from HTTP to HTTPS
  5. Use a DNS such as OpenDNS that will filter out malicious URLs