The term "home router" is almost an oxymoron these days. Organizations of all sizes rely on consumer-grade wireless networking equipment; it's just much easier (and, at least initially, cheaper) to run to the big-box retailer across the street than to order enterprise-class equipment. We're not saying it is smarter; it's just another case of consumer-grade technology carving out a niche in business.
And as with all consumer gear, there are inherent security risks that come with manufacturers' desire to make installation and use as "easy" as possible. In the case of routers, this materializes in allowing owners to rely on obvious default passwords and network names. However, with a little close management, "home routers" can be shored up to meet the needs of most small businesses or offices.
In its report, "Home Router Security Guide," the US-CERT agency spells out 18 features and settings you need to address before you can use consumer Wi-Fi with confidence. The four-page report is available free to IT Business Edge members here in the IT Downloads library.
US-CERT begins with the most obvious advice: Change the router's username and password and the service set identifier (SSID) to a value that doesn't impart a lot of information to potential attackers; there's no good reason to name a wireless router "accountingteamarea," for example. Use numbers and symbols in your SSIDs, as you would with passwords.
From there, the report goes on to provide some very detailed advice, including:
Limit WLAN coverage: Many small offices build out their Wi-Fi networks by placing omni-directional antennas in the middle of the coverage area. The result can often be a WLAN signal extended well outside your desired physical coverage area; would-be attackers can "sniff" your network from the parking lot or the next floor. Try to use directional antennas and limit your broadcast range to keep your WLAN signal as contained as possible.
Disable Universal Plug and Play (UPnP): The ability for devices to simply recognize each other and play nicely on the network is the greatest thing since sliced bread, at least in the consumer space. For business, it's a potential nightmare: among other issues, malware can use UPnP components to open holes in your router's firewall. Turn it off.
Use static IP addresses or limit DHCP reserved addresses: Allowing the network to automatically assign IP addresses and configure network settings makes configuring new clients a snap. It also opens up a world of security problems. Disable the Dynamic Host Configuration Protocol (DHCP), or at least limit the number of addresses that can be assigned via DHCP.
Make sure the ping response is disabled: Most manufacturers set the ping to "Off" by default, but you can never be too careful. Allowing ping requests from the public Internet poses a wide range of pretty obvious security issues. Disabling this feature won't stop potential intruders from finding your network, but it will make their job a little harder.
Administrator workstations: Ensure that only workstations on authorized network segments can access the router admin tools.
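The settings listed above lend themselves to a mechanical check. The sketch below is an added example, not taken from the US-CERT report or this article: it audits a constructed settings dictionary against those items. The key names, the default-login list, the 20-lease threshold and the management subnet are all assumptions.

```python
import ipaddress
import re

# Constructed sample settings; key names are hypothetical, not any vendor's export format.
SAMPLE = {
    "admin_user": "admin", "admin_password": "admin",
    "ssid": "accountingteamarea",
    "upnp_enabled": True,
    "dhcp_enabled": True, "dhcp_start": "192.168.1.2", "dhcp_end": "192.168.1.254",
    "wan_ping_reply": True,
    "admin_allowed_nets": ["0.0.0.0/0"],
}
DEFAULT_LOGINS = {("admin", "admin"), ("admin", "password"), ("admin", "")}  # illustrative only
MAX_DHCP_LEASES = 20  # assumed threshold; set it to the number of clients you expect

def audit(cfg, mgmt_net="192.168.1.0/28"):
    """Return the checklist items that the given settings fail."""
    findings = []
    if (cfg["admin_user"], cfg["admin_password"]) in DEFAULT_LOGINS:
        findings.append("default-credentials")
    ssid = cfg["ssid"]
    # The article asks for numbers and symbols in the SSID, as with passwords.
    if not (re.search(r"\d", ssid) and re.search(r"[^A-Za-z0-9]", ssid)):
        findings.append("ssid-lacks-numbers-or-symbols")
    if cfg["upnp_enabled"]:
        findings.append("upnp-enabled")
    if cfg["dhcp_enabled"]:
        start = int(ipaddress.ip_address(cfg["dhcp_start"]))
        end = int(ipaddress.ip_address(cfg["dhcp_end"]))
        pool = end - start + 1
        if pool > MAX_DHCP_LEASES:
            findings.append(f"dhcp-pool-too-large:{pool}")
    if cfg["wan_ping_reply"]:
        findings.append("wan-ping-enabled")
    # Admin tools should be reachable only from the authorized segment.
    allowed = ipaddress.ip_network(mgmt_net)
    for net in cfg["admin_allowed_nets"]:
        if not ipaddress.ip_network(net).subnet_of(allowed):
            findings.append(f"admin-access-too-broad:{net}")
    return findings

# The same settings after applying the advice (values constructed).
HARDENED = dict(SAMPLE, admin_user="netops", admin_password="constructed-Passphrase-41!",
                ssid="wl4n#7x", upnp_enabled=False, dhcp_end="192.168.1.11",
                wan_ping_reply=False, admin_allowed_nets=["192.168.1.0/28"])

if __name__ == "__main__":
    print("weak:    ", audit(SAMPLE))
    print("hardened:", audit(HARDENED))
```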
The report goes on to offer pointers on network address translation (NAT), bridging and DMZ settings that can compromise WLAN security. It's an informative, quick read for anyone managing a wireless network, of any size.