
Router configuration: Security best practices


Logi

Senior Member
What are the basic security configurations I should do to the router from the default one? Thank you.
 
What are the basic security configurations I should do to the router from the default one? Thank you.

My install notes (Asuswrt) have security-related items noted *. Let me know if anything is missing.

OE
 
IIRC the default settings are already secure, i.e. no remote access, enforced user-specified passwords. In other words, the user would have to make changes that reduced the security.

P.S. I'm not going to get into the academic arguments over things like WPA3 vs WPA2.
 
IIRC the default settings are already secure, i.e. no remote access, enforced user-specified passwords. In other words, the user would have to make changes that reduced the security.

Probably true... the insecurity comes when not knowing what not to change.

Some things like UPnP and WPS are enabled, but if you don't use them you might as well disable them.

Some things like Auto Firmware Upgrade are disabled now and arguably should be, but you never know for sure without checking since stranger things have happened from one release to another.

And so on.

OE
 
Rule #1: The only port opened on the WAN side shall be the port the VPN server listens on! All outside access to other LAN services (HTTP(s), SSH, FTP, SMB, etc.) shall be done via the VPN tunnel. Disable WAN access to WebGUI and SSH.
Rule #2: "VPN server" means either OpenVPN (preferred) or IPSec server. The PPTP VPN server is not considered secure.
Rule #3 (it is a result of applying Rule #1): Do not use the Asus Android App!
Rule #4: Disable UPnP and WPS!
Rule #5: Change the name of the admin user from the default name "admin". Use a strong password.
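
Rule #1 and Rule #2 above can be checked against the firewall rules a router actually carries. The following is an added example, not part of the original posts: it audits `iptables -S` style INPUT rules and reports anything reachable from the WAN other than the VPN listener, plus any PPTP opening. The WAN interface name `eth0`, the OpenVPN listener on UDP 1194 and the sample rules are constructed assumptions, and negated (`!`) matches are not interpreted.

```python
import shlex

PPTP_PORT = "1723"  # PPTP control port; Rule #2 treats PPTP as not secure

def parse_rule(line):
    """Extract the fields this audit needs from one `iptables -S` line."""
    tok = shlex.split(line)
    rule = {"chain": None, "iface": None, "proto": None,
            "ports": [], "state": "", "target": None}
    flags = {"-A": "chain", "-i": "iface", "-p": "proto", "-j": "target",
             "--state": "state", "--ctstate": "state"}
    for t, nxt in zip(tok, tok[1:]):
        if t in flags:
            rule[flags[t]] = nxt
        elif t in ("--dport", "--dports"):
            rule["ports"] = nxt.split(",")
    return rule

def audit_wan_input(lines, wan_if, vpn_proto, vpn_port):
    """Return (kind, rule) findings that break Rule #1 or Rule #2."""
    findings = []
    for line in lines:
        r = parse_rule(line)
        if r["chain"] != "INPUT" or r["target"] != "ACCEPT":
            continue
        if r["iface"] not in (None, wan_if):
            continue  # bound to LAN or loopback, not reachable from WAN
        if r["state"] and "NEW" not in r["state"].split(","):
            continue  # only replies to traffic the router or LAN started
        if r["proto"] in ("gre", "47") or PPTP_PORT in r["ports"]:
            findings.append(("pptp", line))
        if not r["ports"]:
            if r["proto"] in (None, "tcp", "udp", "all"):
                findings.append(("all-ports", line))
            continue
        extra = [p for p in r["ports"] if (r["proto"], p) != (vpn_proto, str(vpn_port))]
        if extra:
            findings.append(("extra-port:" + ",".join(extra), line))
    return findings

# Constructed sample rules (hypothetical router, WAN assumed to be eth0).
SAMPLE_RULES = [
    "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -i br0 -j ACCEPT",
    "-A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT",
    "-A INPUT -i eth0 -p tcp -m tcp --dport 8443 -j ACCEPT",
    "-A INPUT -i eth0 -p tcp -m multiport --dports 22,1723 -j ACCEPT",
    "-A INPUT -i eth0 -p gre -j ACCEPT",
]
```

Calling `audit_wan_input(SAMPLE_RULES, "eth0", "udp", 1194)` returns one finding per offending rule; an empty list means only the VPN port accepts new connections from the WAN.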
 
Rule #1: The only port opened on the WAN side shall be the port the VPN server listens on! All outside access to other LAN services (HTTP(s), SSH, FTP, SMB, etc.) shall be done via the VPN tunnel. Disable WAN access to WebGUI and SSH.
Rule #2: "VPN server" means either OpenVPN (preferred) or IPSec server. The PPTP VPN server is not considered secure.
Rule #3 (it is a result of applying Rule #1): Do not use the Asus Android App!
Rule #4: Disable UPnP and WPS!
Rule #5: Change the name of the admin user from the default name "admin". Use a strong password.
Why not WireGuard for rule #2?
 
Why not WireGuard for rule #2?
Just because it is too "young" :) I like it, but I am a 60+ "dinosaur" and do believe that conservatism is a preferred approach when we deal with computer security. OpenVPN has a long and successful history and a lot of operating experience.
 
Rule #1: The only port opened on the WAN side shall be the port the VPN server listens on! All outside access to other LAN services (HTTP(s), SSH, FTP, SMB, etc.) shall be done via the VPN tunnel. Disable WAN access to WebGUI and SSH.
Rule #2: "VPN server" means either OpenVPN (preferred) or IPSec server. The PPTP VPN server is not considered secure.
Rule #3 (it is a result of applying Rule #1): Do not use the Asus Android App!
Rule #4: Disable UPnP and WPS!
Rule #5: Change the name of the admin user from the default name "admin". Use a strong password.
Why is OpenVPN preferred to IPSec?

Thank you for all your recommendations.
 
Just because it is too "young" :) I like it, but I am a 60+ "dinosaur" and do believe that conservatism is a preferred approach when we deal with computer security. OpenVPN has a long and successful history and a lot of operating experience.
Also, WireGuard is not an option in the GUI (although Instant Guard may be).
 
Why is OpenVPN preferred to IPSec?

Thank you for all your recommendations.
It depends on your priorities. Personally I prefer OpenVPN as the most mature solution; its security has been independently verified many times. It is able to create Ethernet tunnels. But it is slower and sometimes difficult to configure. Here you can read one of the hundreds of comparisons available on the Net: https://codilime.com/blog/ipsec-vs-openvpn-what-are-the-differences/

But in any case both are sufficiently secure, which is not the case with PPTP (the third solution available in AsusWRT FW).
 
