Ways to Improve Network Security

This article introduces some protections you can take on your Vigor Router to keep the network safe, including how to block unauthorized users, as well as what protecting the local network from the threats on the Internet.

Contents:

• Router Security Protection
• Local Network Security
• Wireless Network Security
• Internet Access Security

Router Security Protection

Change the default admin password and enable Two Factor Authentication for Remote Access

Plenty of the routers on the market use the same default password for their management page login; thus, the login password of your router is extremely easy to guess. Be sure to change your router’s login password from System Maintenance >> Administrator Password page, and also adopt a password which is strong enough.

Two Factor Authentication can add a layer of security when accessing router from Internet. Please follow the guide Use 2-Step Authentication for Remote Access to set up two factor authentication that will not only require the administrator password but also the Auth-Code that is sent to the specific receiver, and also Use TOTP for Remote Access to setup TOTP which will need a TOTP Authenticator app to generate the time-based one-time-password.

Keep the firmware up to date

Always use the latest firmware version on your Vigor Router and Vigor AP to make sure all the security patches (and also the new features!) are included. You can get the latest firmware at https://www.draytek.com/support/latest-firmwares/

Set up Access List for management access

Access List is highly recommended when management from the Internet is allowed. You can restrict the router’s access from a selected peer only by adding it to the Access List. Since firmware 4.4.0, Vigor Router supports pre-defined IP Object, IP Group and Hostname in Access List.

Disable VPN services not in use

VPN ports are open when the VPN services are enabled, it's recommended disabling them if they are not in use.

Use Firewall features to Protect the opening VPN service.

When the VPN server serves clients from a specific country, create a country object and add the firewall rules to allow VPN access only from these IPs.

 

Block the unknown IPs by DoS Defense >> Blacklist.

 

Change the management port

By default, Vigor Router uses the well-known ports for its web interface, command-line interface, and other services. Therefore, LAN clients can easily access the management page of the router as long as they find out the router’s IP address. Changing the service port will make accessing the login page a little more difficult, you can configure this at System Maintenance >> Management page.

Enable Brute Force Protection

Once reaches the login page, even without the login password, the attacker can try every possible passphrase until eventually the correct login password is found, although it takes time. Enable Brute Force Protection allows Vigor Router to identify the IP address that has failed in login too many times, and block their login attempt for a penalty period, and it will considerably increase the amount of time that takes to find the correct password.

 

Local Network Security

Implementing VLAN for guests

Setting up VLAN on the local network allows you to isolate the guest from the private network while providing Internet connectivity to them. Also, the support of multiple subnets allows the private network and guest network to be on different IP subnets and have separate DHCP settings or policies. 
If you have a VLAN capable switch on the network, you can follow the guide Use Multiple LAN Subnets with Tag-Based VLAN to set up VLAN on Vigor Router. The multi-SSID of VigorAP can be mapped to different VLAN as well, see Add a Separate Wireless Network for Guests for more details. If there’s no VLAN-capable switch nor AP, Vigor Router can also do port-based VLAN, visit Use Multiple LAN Subnets with Port-Based VLAN for instruction.

Disable DHCP server and change the LAN IP

For a device to communicate with the router, it needs to use an IP address in the same subnet as the router. While DHCP function is enabled, the router will automatically assign a valid IP address to the device connected to the network. If you don't want un-authorized hosts to access the network, you can disable the DHCP server, and manually configure the IP on authorized hosts. You might also want to change the LAN IP range as well, so it is more difficult for the un-authorized hosts to find out the IP range. The IP and DHCP settings can be configured at LAN >> General Setup >> LAN1 Details Page.

Shut down the unused ports on the switches

An open Ethernet port gives rogue devices access to the private network; therefore, make the ports not-in-use are disabled in the Switch configuration. If you are using a Vigor Router that supports SWM (Central Switch Management) along with VigorSwitches, you can view the Switch's port status from the router's management page and shut down an unused port directly.

Wireless Network Security

Use WPA2 security mode

Since the wireless traffic is sent over the air, it can be eavesdropped by anyone nearby; therefore, be sure to apply security settings for encrypting the traffic, as well as controlling the access to the local network. Among WEP, WPA, and WPA2, WPA2 is the strongest security protocol and is what we recommend to use.

 

Use 802.1X authentication (WPA2-Enterprise)

PSK (Pre-shared Key) authentication cannot manage individual users. If someone let out the password accidentally or intentionally, Network Administrator would have to change the password for everyone to revoke the Wi-Fi access. To manage the Wi-Fi access more efficiently, 802.1X authentication, which requires every user to log in with a unique username and password, would be a better option.

To deploy 802.1X authentication, you will need a RADIUS server to maintain the user database and verify the credentials. If you don’t have a RADIUS server on the network, that’s no problem, both Vigor Router and VigorAP support built-in RADIUS server. See Use the Router's Internal RADIUS Server for 802.1X Authentication and Use VigorAP As a RADIUS Server for implementing 802.1X authentication with the built-in user database.

Hide SSID

Tick “Hide SSID” in Wireless LAN >> General Setup page, for the router/AP to stop broadcasting the existence of the wireless network so that only the users who know the SSID can gain access to the network.

Internet Access Security

Apply IP Filter

You may use Vigor Router’s built-in Firewall to manage both outgoing and incoming traffic, set up rules to block the LAN clients from using vulnerable services, or restrict the local server to some particular Internet IP addresses only. See Block FTP Service by Firewall for an example.

Block Access to Malware by Content Filter

Set up URL Keyword Filter to block the local client from accessing the websites that are associated with malware, see Blocking a Website by URL Content Filter and DNS Filter to set up a URL filter. Web Content Filter is also a great solution which helps the router to filter malicious websites automatically and allows you to block all of them without identifying every URL.