This article introduces some protections you can apply on your Vigor Router to keep the network safe, including how to prevent unauthorized users from logging into your Vigor Router, how to reduce the chances of rogue devices connecting to your private network, and what you can do to protect the local network from threats on the Internet.
- Router Security Protection
- Local Network Security
- Wireless Network Security
- Internet Access Security
Change the default admin password
Many routers on the market use the same default password for their management page login, so the login password of your router is extremely easy to guess. Be sure to change your router’s login password on the System Maintenance >> Administrator Password page, and choose a password that is strong enough.
Change the management port
By default, Vigor Router uses the well-known ports for its web interface, command-line interface, and other services, so LAN clients can easily reach the router’s management page as soon as they find out its IP address. Changing the service ports makes the login page a little harder to find; this can be configured on the System Maintenance >> Management page.
Enable Brute Force Protection
Once an attacker reaches the login page, they can try every possible password until the correct one is eventually found, although this takes time. Enabling Brute Force Protection allows Vigor Router to identify an IP address that has failed to log in too many times and block its login attempts for a penalty period, which considerably increases the time needed to find the correct password.
Set up Access List for management access
You can restrict management access to the router to selected IP addresses/subnets by adding them to the access list; this is especially recommended when management from the Internet is allowed.
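The following is an added illustration, not DrayTek’s code or the router’s actual algorithm, of how the access list and Brute Force Protection described above work together: a source must be on the access list to reach the login page at all, and a source that fails too many times inside a window is blocked for a penalty period. The thresholds, the access list and the sample attempts are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed thresholds (assumed for this example, not DrayTek's own defaults).
MAX_FAILURES = 5       # failed logins tolerated inside FAIL_WINDOW
FAIL_WINDOW = 60       # seconds over which failures are counted
PENALTY_PERIOD = 300   # seconds a locked-out source IP stays blocked
# Access list: only these sources may reach the management login page at all.
ACCESS_LIST = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "203.0.113.10/32")]


class ManagementGate:
    def __init__(self):
        self.failures = defaultdict(list)  # ip -> timestamps of recent failures
        self.blocked_until = {}            # ip -> time at which the penalty ends

    def check(self, ts, ip, success):
        """Outcome for one attempt: denied / blocked / ok / locked / failed."""
        if not any(ipaddress.ip_address(ip) in net for net in ACCESS_LIST):
            return "denied"                # never reaches the login page
        if self.blocked_until.get(ip, 0) > ts:
            return "blocked"               # still serving the penalty period
        if success:
            self.failures.pop(ip, None)    # a good login clears the history
            return "ok"
        # Drop failures older than the window, then record this one.
        recent = [t for t in self.failures[ip] if ts - t < FAIL_WINDOW]
        recent.append(ts)
        self.failures[ip] = recent
        if len(recent) >= MAX_FAILURES:
            self.blocked_until[ip] = ts + PENALTY_PERIOD
            self.failures.pop(ip, None)
            return "locked"
        return "failed"


# Constructed sample: (seconds since start, source IP, password correct?).
SAMPLE_ATTEMPTS = [
    (0, "192.168.1.50", False), (2, "192.168.1.50", False),
    (4, "192.168.1.50", False), (6, "192.168.1.50", False),
    (8, "192.168.1.50", False),   # fifth failure inside the window -> locked
    (9, "192.168.1.50", True),    # right password, but the penalty still applies
    (10, "198.51.100.7", False),  # not on the access list -> denied outright
    (320, "192.168.1.50", True),  # penalty expired -> login succeeds
]


def run_sample(attempts=SAMPLE_ATTEMPTS):
    gate = ManagementGate()
    return [gate.check(ts, ip, ok) for ts, ip, ok in attempts]
```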
Implement VLAN for guests
Setting up VLAN on the local network allows you to isolate guests from the private network while still providing them with Internet connectivity. In addition, the support for multiple subnets allows the private network and the guest network to be on different IP subnets and to have separate DHCP settings or policies.
If you have a VLAN-capable switch on the network, you can follow the guide How to set up multi-subnet with tag-based VLAN? to set up VLAN on Vigor Router. The multiple SSIDs of VigorAP can be mapped to different VLANs as well; see How to use multiple SSID on VigorAP to separate the network? for more details. If there is neither a VLAN-capable switch nor an AP, Vigor Router can also do port-based VLAN; visit How to set up multi-subnet with port-based VLAN? for instructions.
Disable DHCP server and change the LAN IP
For a device to communicate with the router, it needs an IP address in the same subnet as the router. While the DHCP function is enabled, the router automatically assigns a valid IP address to any device connected to the network. To make the LAN IP more difficult to find, disable the router’s DHCP server. You will then need to configure IP addresses manually on the authorized LAN devices, while other devices will have to guess the IP range before they can access the network; you may also want to change the LAN IP range. The IP and DHCP settings can be configured at LAN >> General Setup >> LAN1 Details Page.
Shut down the unused ports on the switches
An open Ethernet port gives rogue devices access to the private network; therefore, make sure the unused ports are disabled in the switch configuration. If you are using a Vigor Router that supports SWM (Switch Management) together with VigorSwitches, you can view the switch’s port status and shut down an unused port directly from the router’s management page. Learn more about Switch Management from What is Central Switch Management (SWM)?
Use WPA2 security mode
Since wireless traffic is sent over the air, it can be eavesdropped on by anyone nearby; therefore, be sure to apply security settings that encrypt the traffic and control access to the local network. Among WEP, WPA, and WPA2, WPA2 is the strongest security protocol and is the one we recommend.
Use 802.1X authentication (WPA2-Enterprise)
PSK (Pre-shared Key) authentication has no way to manage individual users: if the password is leaked, accidentally or intentionally, the network administrator has to change it to revoke Wi-Fi access. To manage Wi-Fi access more efficiently, 802.1X authentication, which requires every user to log in with a unique username and password, is the better option.
To deploy 802.1X authentication, you need a RADIUS server to maintain the user database and verify credentials. If you don’t have a RADIUS server on the network, that’s no problem: both Vigor Router and VigorAP include a built-in RADIUS server. See How to use Vigor Router as a RADIUS server? and How to use VigorAP as a RADIUS server? for how to implement 802.1X authentication with the built-in user database.
Hide SSID
Tick “Hide SSID” on the Wireless LAN >> General Setup page so that the router/AP stops broadcasting the existence of the wireless network; only users who know the SSID can then join the network.
Apply IP Filter
You may use Vigor Router’s built-in Firewall to manage both outgoing and incoming traffic: set up rules to block LAN clients from using vulnerable services, or restrict access to a local server to particular Internet IP addresses only. See How to block the service by using the firewall to block the certain port? for an example.
Block Access to Malware by Content Filter
Set up a URL Keyword Filter to block local clients from accessing websites associated with malware; see How to block a HTTPS website by URL Filter and DNS Filter? to set up a URL filter. Web Content Filter is also a great solution: it lets the router filter malicious websites automatically, so you can block all of them without identifying every URL.
Keep the firmware up to date
Always use the latest firmware version on your Vigor Router and VigorAP to make sure all the security patches (and also the new features!) are included. The latest firmware can be downloaded from https://www.draytek.com/en/download/firmware/