Is my router effectively secured?

I was wondering if what I have done below is the best possible, or if there is any possible way to improve the security:
I have a WRT320N
SSID: just let it broadcast. Removing this broadcast will not improve overall security. The SSID will be shown even if you disable periodic broadcasts.
Change the router default name to something that does not suggest its location or brand name/type.
Change the default password (the one to access the router from your browser).
Disable remote management: I don't want anyone using Wi-Fi to try to hack my router.
Disable UPnP; automatic configuration of the router has possible security leaks.
Use WPA2 Personal (just choose the highest encryption) and use the longest combination of uppercase and lowercase letters and numbers you can think of.
MAC filtering can be set to on, but hackers can clone MAC addresses, so the extra security is doubtful.
AP isolation: prevent Wi-Fi users on my router from accessing each other; isolate all Wi-Fi users from each other.
Enable SPI firewall: blocks incoming network packets that originate from the internet and were not started by me. For example, my Firefox tries to open a webpage on port 80; these kinds of incoming packets will be allowed by the router to pass from the internet to my computer.
Use the web filter and prevent any network packet with Java, proxy or ActiveX from passing my router: at this moment I am blocking proxy. I am filtering webcasts.
Blocking any port except 20, 21, 25, 53, 80, 110, 443 (port range is from 0 to 65523). Blocking both UDP and TCP for all IP addresses 192.168.0 to 192.168.0.254, so only these mentioned ports are allowed to be used.
Thanks for helping out.

Re SSID broadcast.
1. Correct. Even with SSID broadcast disabled the router will still broadcast a periodic beacon which means a wireless scanner will immediately pick up the existence of a wireless network.
2. The SSID is transferred in plain text during association with the router. Any network sniffer will learn the SSID at the moment a (legitimate) device connects to your network.
3. By sending some rogue packets to the AP it is easily possible to disassociate any connected wireless device forcing a re-association. This way you can learn the SSID immediately.
Points 1-3 mean that the SSID of a wireless access point with SSID broadcast disabled is unknown as long as no wireless device is connected to the router, because there is no way to force an association request of a legitimate device. Some people therefore believe the disabled SSID broadcast is an important means for increased security, in particular when the wireless is not used very often. Of course, if you don't need the wireless for most of the time you should turn it off completely.
On the other hand, disabling the SSID broadcast technically breaks the 802.11 standard and is known to cause connectivity and stability problems with some wireless cards. Therefore, I usually recommend not disabling the SSID broadcast.
Re "router default name". If you mean the SSID, of course, changing it is important. Mostly to prevent your wireless devices from connecting to your neighbor's router who still uses the default SSID.
Changing the "router name" on the main setup is not necessary. It's only necessary for the internet connection and only if required by your ISP.
Changing the SSID or "router name" won't change the MAC address on the wireless. The first half of that MAC address will reveal the manufacturer (Linksys or Cisco).
Re remote management. Disabling remote management is good. Of course, verify that it really works. Some routers had a firmware bug which opened the web interface to the internet regardless of that setting.
Re UPnP. Correct. It should be disabled at all times.
Re WPA2 Personal. WPA2 Personal with AES-only encryption and a strong passphrase is the best wireless security you can have at this time. The passphrase can be up to 63 characters long.
Re wireless MAC filter: MAC addresses are always transferred unencrypted (even with WPA2) and are easily cloned. Thus a simple network sniffer will be able to pick up MAC addresses of legitimate devices which you can use to connect.
Re AP isolation. Can be used if no wireless-wireless connections are required. Of course, if an intruder hacked into your wireless network he can try to hack into your router from there. The protection of the web interface on the LAN side is quite weak.
Re SPI firewall. Must be on. It protects the router from the internet.
What you write on that subject is the "protection" due to NAT, i.e. because you use private IP addresses. NAT technically does not block unsolicited incoming traffic. It simply drops unsolicited incoming traffic because it does not know what to do with it, i.e. it does not know where to deliver it to unless you configure port forwarding or similar. By design, NAT is not a security mechanism as its design goal is to allow connections and not to block them. Some (older) NAT implementations tried to deliver unsolicited incoming traffic by some heuristics. Some (older) NAT implementations had FTP helper functionality (to make FTP work properly through a NAT router) which made it possible to get any port opened on the router.
Re webfilter: depends. Will cause trouble with HTTPS web sites as HTTPS requires secure end-to-end security.
Re blocking all ports except 20, 21, 25, 53, 80, 110, 443. Well, it depends again. In your list, for instance, you block port 995 (POP3S) and only accept 110 (POP3). Depending on your mail client and the POP server this may lead to an unencrypted connection between the client and the server because port 995 is not accessible. Similar with port 25 (SMTP). Some web servers run on port 8080 or other ports, which won't work or will work only partially (because some content is on a web server with a different port number).
So technically, your block list will probably affect you more, and your ability to use the most secure protocol, which might currently be on your block list. In addition, as most people have ports 80 and 443 open for outgoing traffic, most malware uses them to talk to the outside. Thus your list, although the idea sounds good, probably won't help you.
Thus I would say that in most home networks such a blocking list based on a list of a few exempt ports won't really help your security and will mostly cause problems for you and nothing else. Such a list will work in a corporate setup where you can narrow down the legitimate traffic very well. But for home use and general browsing habits it won't really work.
In addition, I think you cannot set up such a list on a Linksys router. You can only block ports, but not all ports except a few.
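The NAT behaviour and the egress port list discussed in the answer above, modelled in a short Python script. This is an added example, not code from the original thread, from Linksys or from the answer's author; the addresses (taken from the RFC 5737 documentation ranges), the WAN port counter, the port-forward entry and the table of common services are constructed assumptions used only to illustrate the points made in the text.

```python
"""Added example (not from the original thread): a small model of a NAT router with
connection tracking and an optional egress port allowlist.  It shows why unsolicited
inbound packets are dropped (there is no translation entry saying where to deliver them)
and what a "block everything except a few ports" list does to common client services.
All addresses, ports and flows are constructed sample data."""
from dataclasses import dataclass

WAN_IP = "198.51.100.1"    # constructed: the router's public address
LAN_HOST = "192.168.0.10"  # constructed: a PC behind the router
REMOTE = "203.0.113.5"     # constructed: a server on the internet


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    """Outbound flows create a translation entry; an inbound packet is delivered only if
    it matches an existing entry or an explicit port forward, otherwise it is dropped."""

    def __init__(self, egress_allowlist=None, port_forwards=None):
        self.egress_allowlist = egress_allowlist        # None means no egress filtering
        self.port_forwards = dict(port_forwards or {})  # WAN port -> (LAN ip, LAN port)
        # (proto, remote ip, remote port, WAN port) -> (LAN ip, LAN port)
        self.table = {}
        self.next_wan_port = 40000

    def outbound(self, pkt):
        """Packet from the LAN towards the internet. Returns (action, reason)."""
        if self.egress_allowlist is not None and pkt.dport not in self.egress_allowlist:
            return ("DROP", f"egress port {pkt.dport} not in allowlist")
        wan_port = self.next_wan_port
        self.next_wan_port += 1
        self.table[(pkt.proto, pkt.dst, pkt.dport, wan_port)] = (pkt.src, pkt.sport)
        return ("ACCEPT", f"translated to {WAN_IP}:{wan_port}")

    def inbound(self, pkt):
        """Packet from the internet addressed to WAN_IP. Returns (action, reason)."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dport)
        if key in self.table:
            lan_ip, lan_port = self.table[key]
            return ("ACCEPT", f"reply delivered to {lan_ip}:{lan_port}")
        if pkt.dport in self.port_forwards:
            lan_ip, lan_port = self.port_forwards[pkt.dport]
            return ("ACCEPT", f"port forward to {lan_ip}:{lan_port}")
        # The whole "protection" NAT gives: no entry says where to deliver it, so drop it.
        return ("DROP", "unsolicited, no translation entry")


# The port list proposed in the question: the only permitted destination ports.
POSTER_ALLOWLIST = frozenset({20, 21, 25, 53, 80, 110, 443})

# Constructed table of common client services: (port, plaintext fallback port or None).
SERVICES = {
    "pop3s": (995, 110), "imaps": (993, 143), "smtps": (465, 25), "submission": (587, 25),
    "ssh": (22, None), "ntp": (123, None), "http-alt": (8080, None),
}


def blocked_services(allowlist):
    """Names of services whose port an egress allowlist refuses."""
    return sorted(name for name, (port, _) in SERVICES.items() if port not in allowlist)


def downgrade_risks(allowlist):
    """Services where the encrypted port is blocked but the plaintext fallback is allowed,
    which is exactly the POP3S/POP3 problem described in the answer."""
    return sorted(name for name, (secure, plain) in SERVICES.items()
                  if secure not in allowlist and plain is not None and plain in allowlist)


def demo():
    """Run a few constructed flows through the model and return the verdicts."""
    router = NatRouter(egress_allowlist=POSTER_ALLOWLIST,
                       port_forwards={8080: (LAN_HOST, 80)})
    return {
        "https_out": router.outbound(Packet("tcp", LAN_HOST, 51000, REMOTE, 443)),
        "https_reply": router.inbound(Packet("tcp", REMOTE, 443, WAN_IP, 40000)),
        "probe": router.inbound(Packet("tcp", REMOTE, 4444, WAN_IP, 40000)),
        "forwarded": router.inbound(Packet("tcp", REMOTE, 4444, WAN_IP, 8080)),
        "pop3s_out": router.outbound(Packet("tcp", LAN_HOST, 51001, REMOTE, 995)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12} {verdict[0]:7} {verdict[1]}")
    print("blocked:", blocked_services(POSTER_ALLOWLIST))
    print("downgrade risk:", downgrade_risks(POSTER_ALLOWLIST))
```

Running it shows the two points side by side: the reply to the outbound HTTPS flow is delivered because a translation entry exists, the probe to the same WAN port with a different source port is dropped because nothing says where it should go, and the only way an unsolicited packet gets in is an explicit port forward. The egress list then refuses POP3S, SMTPS and mail submission while still allowing their plaintext counterparts, which is the downgrade the answer warns about.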
Another, extremely important point missing from your list: Always change the router default password (admin) to a strong password. But I guess you already did that, too.
Overall, I would say you have got everything right...

Similar Messages

  • Effect security camera in premiere cs6

    how to effect security camera in premiere cs6? As this http://www.montagemphotoshop.com/efeitos/efeito-realista-camera-de-seguranca-no

    By a combination of making a suitable graphic for the text, adding a black and white filter and adding the video noise filter. At least that's what it looks like from the picture in your web link.

  • Router turns security on for no reason

    I have a BEFW11S4 V2 router, with the latest firmware, and no security set up in a household of one wired desktop and four laptops (including an additional WUSB11S4 v2 connected new HP desktop).
    For no reason I can see, it sometimes turns its security on, not allowing additional wireless access. If any of the original laptops are disconnected, they can't reconnect either.
    The router security turns off and goes back to normal when all PCs, cable modem and router are turned off and on again.
    Thx Steve

    Why do you think that your router is suddenly getting "wireless security" turned on?
    Since you run an unsecured wireless network, perhaps your neighbor is playing tricks on you!   Teens love to do this.  They get on your network, guess your password (is it still admin? or something else that is easy to guess?), then log into your router, and boot everybody off!
    Alternatively, you could be losing connection simply because your unsecured computers are getting confused, and trying to connect to a neighbor's unsecured network.  Let me guess - your SSID is still "linksys".  Am I right?
    Another possibility is that your neighbors' networks, or your own 2.4 GHz devices, are interfering with your wireless signal.  This would include wireless 2.4 GHz phones, Bluetooth, wireless baby monitors, wireless mice or keyboards, microwave ovens, etc.
    At a minimum, you need to assign your network a unique SSID, and secure your router login with at least a 12 random character password.  Unless you live far (at least 1000 feet) from your neighbors, and far from public roads, you also need to set up wireless security.  If you can, change the channel that the router is using.  Channel 1, 6, or 11 usually work the best.  Also, unplug any wireless 2.4 GHz devices that you have (other than your network devices), and see if that corrects your problem.
    Actually, to set up wireless security correctly, you will need a new router.
    From the user guide, it looks like your current router can only do WEP.  WEP can be broken in less than 5 minutes, using software tools that are available over the internet.  You really need to be using WPA or preferably WPA2.
    If you don't get a new router, and if nothing above fixes your problem, then you should update your firmware to the latest version.
    Hope this helps.

  • Not able to connect my iPhone to my WRT54GS router with security enabled

    As the subject line states, I'm not able to connect my iPhone to my WRT54GS router when the security is enabled. Whenever I attempt to connect to my network with my phone it always tells me the password is incorrect. I have double checked the password in the EasyLink Advisor and it matches up. I have also tried both WPA and WEP with the same result. I know that the wireless is working on the router as I turned the security off and was able to connect to it. I updated the firmware this evening also with no changes. If anyone could help me with this issue it would be much appreciated.

    First of all, in the router, give your network a unique SSID. Do not use "linksys". If you are using "linksys" you may be trying to connect to your neighbor's router. Also, in the router, set "SSID Broadcast" to "enabled". This will help your iPhone find and lock on to your router's signal.
    To connect using WEP, enter WEP "key 1"  (found in the router)  into the iPhone, not the WEP password or passphrase.
    To connect using WPA, make sure that there is not an encryption nomenclature problem.  For example, WPA is not the same as WPA with AES.  Please note the following:
    WPA  = PSK  = WPA with TKIP = WPA personal
    WPA2 = PSK2 = WPA with AES  = WPA2 personal
    I am not certain, but your iPhone probably does just ordinary WPA  (not WPA with AES).  Assuming that this is correct, then the router should be set to:
    "WPA personal"  with  "TKIP"
    Also, in the iPhone, be sure to delete the entry for your unsecured connection to your router, before you try to input info regarding the secured connection to the router.
    Hope this helps.

  • Router-to-Router VPN Security

    Hi there,
    Should we worry about the security of a router-to-router VPN over the internet (IPsec)?
    We have two offices.
    Office A has Cisco 2811 router (internal, private) and ASA 5510 firewall.
    Office B has Cisco 2821 router (internal, private) and ASA 5505 firewall.
    Office B has private subnets that extend to 7 hops away. (running RIP)
    If we want to set up a site-to-site VPN between these two offices, should we set it up on the ASAs or the routers?
    If we set up VPN on routers, does that mean we need to connect one interface to the internet on each router and suffer from Internet attacks?
    How do we defend our routers then?
    Thanks in advance!
    -Andrew

    Hi,
    when it comes to site-to-site VPN I usually prefer routers. With a little bit of tweaking of NAT and routing you should be able to operate a public address on the routers even if they are behind the firewall.
    The advantage of IOS-based VPN is e.g. the possibility of running routing protocols through the VPN tunnels, which would give another level of resiliency. Configure tunnel interfaces on the routers with a tunnel mode IPsec and a tunnel protection profile. You can then run e.g. EIGRP to find a possible alternate path if one of the tunnels fails. It's much easier than anything I can think of on the ASA.
    Rgds, MiKa

  • Should I get a router for security?

    My iMac connects to the Internet using a DSL modem through SBC/Yahoo with a static IP address.
    I've never used a router...should I get one for security? (I wouldn't get a wireless probably.)
    If I get a router, what steps are necessary to install it. Different network preferences?
    I know nothing (never gave a router any thought in seven years of DSL service). Thx.

    Dianne, I see you have another post on the same matter. Aside from the advice given there why not unplug the router at either end? If it still works then, tell us the make as it is a remarkable device. This ignoramus has often used the unplug to stop a connection either from a router to the internet or computer to printer or whatever, rather than consider some complicated manipulation of the software. The only other use for the router I can see is direct connection between computers and you don't suggest that.
    Here in the UK the BT network which handles part of the internet route sometimes does not drop for some time after breaking the connection, and the persistent links cause a "stale" connection and a failure to reconnect. The usual advice is to wait 30 mins before logging on again. That is the only snag with my cheap and nasty disconnection.

  • Equium M50 will only connect to WLan router when security is off

    MY Equium M50 will only connect to my wireless BELKIN G+ MIMO ROUTER when the security is turned off,
    What is the reason for this please?
    Blonde Bimbo!!

    Hello
    Did you mean the WLan encryption which secures the entry to the wireless LAN?
    I suppose you have set the encryption (WPA, WEP, etc...) on your WLan router but didn't configure the WLan card.
    Well, in my opinion you should check which WLan encryption the card supports and then choose it on the WLan router. The encryption key should be set on the router and on the notebook!

  • AirPort Express can't connect to Linksys wireless router with security WPA2

    Hi all, I have posted a question previously regarding trying to connect my AirPort Express to my existing network, a Linksys wireless router....
    I have now found that if I disable the wireless security (WPA2 Personal) on my router the A/E connects, though as soon as I enable security again the A/E drops out. I have checked the network name and password and all are definitely correct.
    Any ideas?
    Cheers

    Unfortunately I have tried absolutely everything and no go. I have just discovered that I can still use it, though, by having it as a wired LAN connection to my Cisco router; then the laptop wirelessly connects to the A/E through the router, so not all bad, I just had to wire a LAN point from one room to the other.
    After talking with Apple support they say it's pretty hit and miss with which different routers the A/E will and won't connect with...
    So save yourself a lot of heartache and just use as a wired connection
    Hope this helps

  • NAC feature included in 1841 router with security IOS

    I'm looking for some guidance and documentation regarding the capabilities and configuration of NAC on an 1841 router. It looks like it's a software version of NAC that ties to a policy server, maybe an ACS server or IAS server for example. Is that all it does, in other words, is the capability found mostly on the backend policy server and not the router itself? In that case, what is the router doing, I mean how does it work in relation to NAC? Is it only capable of blocking traffic at layer 3 rather than layer 2 as does 802.1x authentication on a switch or the Clean Access appliance offered by Cisco?
    thank you very much,
    Bill

    For NAC, the role of a device depends on your network security policy. You can have security applied to any device(s) or you can have it on a policy server which can enforce the security policy. The following link may help you:
    http://www.cisco.com/application/pdf/en/us/guest/netsol/ns466/c654/cdccont_0900aecd80217e26.pdf

  • T1114 4g router with security camera setup?

    Has anyone been able to set up security cameras with the 4G LTE Broadband Router with Voice model T1114 ? I have been talking to Verizon, Foscam and Novotel and I am getting absolutely no where. I'd hate to have to keep my DSL service just because of my security cameras, but at this point it's looking like that may be a possibility. If anyone has a solution or guidance, I'd appreciate it.

    > is that a complicated work around or is it fairly simple?
    It's simple in design, but could be complicated to configure and maintain depending on your network comfort level.  Considering your goal is to access cameras and not a PC you will need the assistance of an additional VPN router.  Set up the Jetpack (or USB modem) to act like a modem and link it to a VPN router with a wireless bridging feature.  From there you configure the VPN router to automatically connect to your desired VPN server as long as the Jetpack is online and providing a connection.
    The setup would look something like this:
    - VZW ))) Jetpack ))) VPNRouter === Cam1
    - VZW ))) Jetpack ))) VPNRouter === Cam2
    - VZW ))) Jetpack ))) VPNRouter === Cam3
    - etc
    If the cameras happen to be wireless then the VPN router should be able to accommodate those connections too, but I wouldn't recommend relying on wireless any more than you need to considering how much is going on already.
    VPN connectivity is a feature on some more advanced home routers and can also be re-flashed on others with the use of custom firmware.  DD-WRT can enable this functionality for free if you happen to have a compatible router lying around that supports wireless bridging.  VZW does not offer any products for you that can do this so you will have to look elsewhere.
    Wireless bridging is the process of connecting one router to another over WiFi.  On devices that support this functionality there is generally a mode called "Bridge mode", "AP mode" or something along those lines that can enable the configurations for you.  From there you would need to decide if you want the device to perform only as a bridge and connect the cameras by Ethernet cable, or perform a "repeater" function and rebroadcast the Jetpack's signal to the cams.
    The goal being to get everything that requires remote access to automatically connect to the chosen VPN server.  That way whenever you want to remotely connect and view the cameras all you need is a way to connect to the VPN server where everything is resting.  All you should have to do from there is keep the Jetpack/USB modem online and everything else will take care of itself from there.

  • Cisco 3845 Router, SSH, Secure HTTP & CS-MARS

    Hello,
    I have a 3845 router (Version 12.3(11r)T2, RELEASE SOFTWARE (fc1)) on which I have configured SSH access through vty. The problem is that SSH access fails when I try to connect to it using PuTTY. It also fails to connect using ip http secure-server, both from a browser and through CS-MARS (IOS IPS). All user names exist and are working fine with telnet.
    Does IOS 12.3 have issues with SSH and secure HTTP?
    I get this error in MARS:
    "Error in INIT GET. Check the username/password"

    Hi -
    I searched all open/closed TAC cases for you with that error message - I found 1 similar case.
    Here are the results of their case:
    "we managed to fix the issue it was ip http authentication enable command (change to accept local usernames/passwords)."
    Can you review this and see if you need to tell SSH and HTTPS to use the local database?
    Please let us know.
    thxs
    peter

  • What is the difference between https: and http: at the beginning of the web address? Does this effect security when looking onto bank accounts?

    New to Firefox, and not very computer savvy. When I enter a search for my bank account I noticed the web address came up with http: rather than https: as it normally does when I search from Safari on my Mac, or even at my PC at work. Not sure what the difference is, but if it is a security thing then Firefox is no good for my use.

    In Firefox 4 and later you no longer have the Status bar that showed the padlock in previous Firefox versions.
    The padlock only shows that there is a secure connection and doesn't guarantee that you are connected to the right server.
    So you might still be connected to the wrong server if you make a typo in the URL and someone has claimed that mistyped URL.
    The functionality of the padlock has been replaced by the [[Site Identity Button]] on the left end of the location bar.
    See also:
    * http://www.dria.org/wordpress/archives/2008/05/06/635/
    * https://support.mozilla.com/kb/Site+Identity+Button
    * http://www.mozilla.com/en-US/firefox/security/identity/
    You can use this extension to get a padlock on the location bar.
    *Padlock: https://addons.mozilla.org/firefox/addon/padlock-icon/

  • Router's security

    Is there a way to point out which PC, cellphone or any gadgets accessed a Linksys router through wire or WiFi even if their IPs are set to automatic?
    Posted by WebUser Betong Lim from Cisco Support Community App

    Hi,
    There are two (2) ways of checking the devices that are connected to your router.  If you have installed the Cisco Connect software, a notification under the Computers and devices section informs you of the number of devices that are connected to the router.
    However, if you prefer a more detailed list, you may access the DHCP Client Table on your router’s web-based setup page where you can find the IP address, MAC address and other necessary details of the devices connected to your router.
    Please also check the below link,
    http://kb.linksys.com/Linksys/ukp.aspx?pid=94&vw=1&articleid=17346

  • Cisco router and security SDM download

    I know it is end of life. But can any of you tell me whether we can download it? Any version would be fine. I searched the Cisco website without any results.
    thanks,
    Han

    2800ISR
    http://www.cisco.com/en/US/products/ps5854/index.html
    3560G-24PS (there isn't a 10/100 switch with the required forwarding rate and PoE support).
    http://www.cisco.com/en/US/products/hw/switches/ps5528/prod_models_comparison.html
    HTH,
    Edison.

  • Just got a new iPod Touch and it won't connect to our WiFi home network with a Belkin N router. Our router uses WEP 64-bit security, but had a "blank" password field, which the iPod did not like. Changing to a 6 char numeric PW didn't help either.

    OS is whatever OS ships with the current iPod Touch.
    I cannot understand why the Apple engineers have designed this product so that it has SO MANY WIFI problems.  This is supposed to be an easy-to-use product.  We've had no problems connecting our new laptop, our Roku box, etc, but it seems impossible to get the iPod Touch to work.  NOTHING LIKE SPENDING XMAS MORNING DOING APPLE TECH SUPPORT TROUBLESHOOTING TO LEAVE YOU IN THE CHRISTMAS SPIRIT!!!  Argh!
    In fact, the only way we have been able to get this expensive brand new iPod to work on our home network is to DISABLE SECURITY in the router settings.  THIS IS ANYTHING BUT A GOOD IDEA.
    DON'T KNOW WHY BUT MANY OTHER USERS ARE REPORTING THE SAME KIND OF PROBLEM SO APPLE ENGINEERING NEEDS TO GET BUSY AND FIX THIS PROBLEM SO THAT NEW USERS CAN CONNECT TO THE INTERNET WITHOUT HAVING TO BE TRAINED ROUTER ENGINEERS TO DO IT!!!!
    Ok, sorry for the rant, but surely those of you who are experiencing this share my frustration.  This is not why I bought an APPLE product.
    IS THERE ANY POSSIBILITY THAT APPLE WILL NOT ALLOW A WIFI PASSWORD with more than one identical alphanumeric character?  Any ideas?  We also tried eliminating the 40 MHz setting under Bandwidth settings in the router settings for our router, but it made no difference.  The router has the latest firmware, too.  Running out of ideas, and am ready to box this unit up and send it back!

    Thanks, Bob!  You are correct.  And, we learned this as we spoke with APPLE TECH SUPPORT by phone on Christmas day (800-APL-CARE).  One of their reps spent the time to help us troubleshoot this, but the boiled down conclusion is your answer, and to repeat for the benefit of others, here is what worked:
    1. With our Belkin router set to "out-of-the-box" WEP 64-bit security, we could not get wireless access of any kind.  Only with the Security Mode set to DISABLED could we gain access.
    2. Changing the router's security mode setting to "WPA/WPA-2...." and entering a new min. 8 char passphrase, then entering that same passphrase into the iPod Touch, and restarting the router, did the trick!
    Based on this, and some info found in another posting, I can only conclude that the iPods and iPhones do not support WEP security mode in many generic routers used by thousands of consumers.  Hopefully, those same consumers can figure out how to change their wireless router settings to WPA/WPA-2 security mode and ALSO get all their other wireless devices (PCs, laptops, Wii boxes, Roku boxes) all reconfigured to WPA mode, too.
    I THINK THE BOTTOM LINE HERE IS THAT THERE IS AN ISSUE THAT APPLE NEEDS TO ADDRESS WITH WEP COMPATIBILITY, and it may also be the case that MOST CONSUMERS ARE USING WEP 64-BIT security on their home wireless routers?
    In any case, it's working now, so anyone who is having problems should try changing to WPA mode and post back here if it worked for them!
