More complex stuff
- Network segmentation can be used to isolate risky devices. Some consumer routers offer the option to create VLANs (virtual local area networks) inside a larger private network. These virtual networks can be used to isolate internet-of-things devices, which researchers have repeatedly shown to be full of vulnerabilities. Many IoT devices are controlled through smartphone apps via external cloud services, so as long as they have Internet access, these devices don't need to communicate with smartphones directly over the local network after the initial set-up. IoT devices often expose unprotected administrative protocols to the local network, so an attacker could easily break into such a device from a malware-infected computer if both are on the same network.
- MAC address filtering can keep rogue devices off your Wi-Fi network. Many routers allow for restricting which devices are allowed on the Wi-Fi network based on their MAC address -- a unique identifier of their physical network card. Enabling this feature can prevent attackers from connecting to a Wi-Fi network even if they stole its password. The downside is that manually whitelisting legitimate devices can quickly become an administrative burden on larger networks.
- Port forwarding should be combined with IP filtering. Services running on a computer behind a router cannot be reached from the internet unless port forwarding rules are defined on the router. Many software programs will attempt to open ports in the router automatically via UPnP, which is not always safe. If UPnP is disabled, rules can be added manually and some routers offer the option to specify the source IP address or netblock that can connect on a specific port to reach a certain service inside the network. For example, if you want to access an FTP server on your home computer from work, you can create a port forwarding rule for port 21 (FTP) in your router, but only allow connections from your company's IP netblock.
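As an added example (not from the article), here is what the FTP port-forward described above looks like as OpenWRT /etc/config/firewall redirect sections, with the unrestricted rule beside the version that only admits the company netblock; the internal address 192.168.1.10, the netblock 203.0.113.0/24 and the zone names are assumed placeholders.

```uci
# Added example, not from the article. Two OpenWRT firewall 'redirect'
# sections for the FTP port-forward described above. Addresses are
# constructed placeholders: 192.168.1.10 stands for the home PC running
# the FTP server, 203.0.113.0/24 for the company's public netblock.

# Weak: forwards TCP/21 from anyone on the internet to the home PC.
# Left disabled ('enabled' = 0); shown only for contrast.
config redirect
        option name 'ftp-open-to-world'
        option src 'wan'
        option src_dport '21'
        option dest 'lan'
        option dest_ip '192.168.1.10'
        option dest_port '21'
        option proto 'tcp'
        option target 'DNAT'
        option enabled '0'

# Better: the same forward, but 'src_ip' restricts matching to packets
# whose source address lies inside the company netblock; connections
# from any other address never reach the internal server.
config redirect
        option name 'ftp-from-work-only'
        option src 'wan'
        option src_ip '203.0.113.0/24'
        option src_dport '21'
        option dest 'lan'
        option dest_ip '192.168.1.10'
        option dest_port '21'
        option proto 'tcp'
        option target 'DNAT'
```

After editing the file, `/etc/init.d/firewall restart` applies the rules; the same options can also be set with the `uci` command-line tool.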
- Custom firmware can be more secure than factory firmware. There are several Linux-based, community-maintained firmware projects for a wide range of home routers. OpenWRT, DD-WRT and Asuswrt-Merlin (for Asus routers only) are just some of the most popular ones. These typically offer more advanced features and customizations than factory firmware, and their maintainers tend to fix identified flaws faster than router vendors do. Because these firmware packages are aimed at enthusiasts, the number of devices running them is much lower than the number running vendor-supplied firmware, which makes widespread attacks against custom firmware less likely. However, it's very important to keep in mind that loading custom firmware on a router requires a fair amount of technical knowledge, will likely void its warranty and, if done incorrectly, can render the device unusable. You have been warned!