Is Your Router One of the Six Million Vulnerable Devices on the Internet?

Last time I spoke about the benefits of using a NAT router for your home and office when connecting to the Internet. As discussed, this provides added security because it hides, or masks, the computers on the LAN (the internal, private side of the router) from unwanted inbound traffic originating from Internet scanning, worms and hackers.

For your router to provide its full security benefits, it has to be configured correctly. Leaving the manufacturer’s default password in place and allowing the administrative interface to be accessible from the Internet has left many a device vulnerable. How big a problem is this?

A report by Wired showed that 21,000 devices were open to remote attack because their owners had failed to change the manufacturer’s default password and the administrative interface was viewable from anywhere on the Internet. Wired also reports that the researchers, extrapolating from the numbers they gathered, were able to estimate that 6 million devices connected to the Internet are likely vulnerable.

So don’t become a victim. One of the first things you need to do is change the manufacturer’s default password on your router. You should also disable remote administrative access on the Internet-facing interface. You can administer the router from the private wired LAN side of the router. There should be no need to administer the router from the Internet. If this is something that you must do, and if your router supports it, then configure your router to accept VPN client connections. This way you will be able to connect to your router from the Internet through a secure IPsec tunnel. Once connected, you can administer your router just as if you were at home or in the office, connected to the private LAN side. This method is secure and doesn’t expose you to the brute-force password-cracking attacks that you may be vulnerable to if you have remote administration enabled.
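To confirm that remote administration really is off, you can check whether your own router's Internet-facing address still accepts connections on management ports. The script below is an added example, not part of the original post; the port list and function names are assumptions of the example. Run it against your own public address from a connection outside your LAN (a phone hotspot, for instance), because results from inside the LAN can be misleading.

```python
import socket

# Assumed list of ports commonly used by router management interfaces
# (chosen for this example; adjust to match your router's documentation).
ADMIN_PORTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https", 8080: "http-alt"}


def port_open(host, port, timeout=2.0):
    """Return True if host:port accepts a TCP connection within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered (timed out) or unreachable all count as not exposed.
        return False


def exposed_admin_ports(host, ports=ADMIN_PORTS, timeout=2.0):
    """Return {port: service} for every management port that accepts connections."""
    return {p: name for p, name in sorted(ports.items())
            if port_open(host, p, timeout)}


def report(host, ports=ADMIN_PORTS, timeout=2.0):
    """Build a one-line summary of what is reachable on the given address."""
    found = exposed_admin_ports(host, ports, timeout)
    if not found:
        return f"{host}: no management ports reachable"
    listing = ", ".join(f"{p}/{name}" for p, name in found.items())
    return (f"{host}: reachable management ports: {listing}; "
            "disable remote administration or restrict it to VPN access")


if __name__ == "__main__":
    import sys
    # Argument: your own router's public (WAN) address.
    print(report(sys.argv[1]))
```

A reachable port 80 or 443 may also be a service you forwarded on purpose, so compare the result with your port forwarding settings before changing anything.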

There are some additional router configuration options to think about. Universal Plug and Play should be disabled. This feature allows Windows to configure your router on the fly, opening a potential hole through your router. Almost all NAT routers also double as an SPI (Stateful Packet Inspection) firewall. Make sure you have this feature enabled. Also, unless you or your business need to provide some kind of service for Internet users, such as web, FTP, or mail services, you should have port forwarding disabled as well as the DMZ option disabled. These options allow you to give access from the Internet to your computers on the private LAN side of the router. Giving access to your internal network and computers can expose you to all the dangers the Internet has to offer.

Next time I will discuss how you can provide services to Internet users on your home or office network securely.

Dave
Computer Repair and Network Security
