Notes on Network Devices - Router - Part 1

In day-to-day life we use many network devices for everyday activities. These notes give a short overview of the devices and their concepts for basic understanding.

1. Router:
A router is an OSI layer 3 device that routes traffic between IP subnets. A switch, by contrast, is a layer 2 device; a switch with a built-in routing function is often called a "layer 3 switch" (L3 switch). In short: Layer 2 = switch, Layer 3 = router.
 
The basic differences between a router and a switch are summarised below (adapted from diffen.com; the original header listed the columns as Switch/Router but the data was router-first, so the router column is given first here).

  Function
    Router: Directs data in a network; passes data between home computers, and between computers and the modem.
    Switch: Allows connections to multiple devices; manages ports and VLAN security settings.
  Layer
    Router: Network layer (OSI layer 3).
    Switch: Data link layer (OSI layer 2); an L3 switch also routes.
  Data transmission form
    Router: Packet.
    Switch: Frame (L2 switch); frame and packet (L3 switch).
  Transmission type
    Router: Initially broadcast, then unicast and multicast.
    Switch: Initially broadcast (flooding), then unicast and multicast as needed.
  Ports
    Router: Typically 2/4/5/8 ports.
    Switch: A multi-port bridge, typically 24/48 ports.
  Used in
    Router: LAN, MAN, WAN.
    Switch: LAN.
  Device type
    Router: Networking device.
    Switch: Active device (with software) and networking device.
  Table
    Router: Stores IP prefixes in a routing table, which it builds and maintains itself.
    Switch: Uses a content-addressable memory (CAM) table of MAC addresses, typically looked up by an ASIC (application-specific integrated circuit).
  Transmission mode
    Router: Full duplex.
    Switch: Half or full duplex.
  Broadcast domain
    Router: Every port is its own broadcast domain.
    Switch: One broadcast domain per switch, unless VLANs are configured.
  Definition
    Router: A networking device that connects a local network to other local networks. At the distribution layer of the network, routers direct traffic and perform other functions critical to efficient network operation.
    Switch: A networking device used to connect many devices together on a computer network. A switch is considered more advanced than a hub because it only sends a frame to the device that needs or requested it.
  Speed
    Router: 1-100 Mbps (wireless); 100 Mbps - 1 Gbps (wired).
    Switch: 10/100 Mbps, 1 Gbps.
  Address used for data transmission
    Router: IP address.
    Switch: MAC address.
  Used for
    Router: Connecting two or more networks.
    Switch: Connecting two or more nodes in the same network (L2) or in different networks (L3).
  Device category
    Router: Intelligent device.
    Switch: Intelligent device.
  Bandwidth sharing
    Router: Dynamic (some modular interfaces can be configured for either static or dynamic bandwidth sharing).
    Switch: No sharing; each port is individually 10, 100, 1000 or 10000 Mbps.
  Routing decision
    Router: Makes routing decisions faster.
    Switch: An L3 switch takes more time for complicated routing decisions.
  NAT (Network Address Translation)
    Router: Can perform NAT.
    Switch: Cannot perform NAT.
  Faster
    Router: In a MAN/WAN environment a router is faster than an L3 switch.
    Switch: In a LAN environment an L3 switch is faster than a router (built-in switching hardware).
  Features
    Router: Firewall, VPN, dynamic handling of bandwidth.
    Switch: Port priority ranges, per-port on/off setting, VLAN, port mirroring.
  Examples
    Router: Linksys WRT54GL; Juniper MX series; Cisco 3900, 2900, 1900.
    Switch: Alcatel OmniSwitch 9000; Juniper EX series; Cisco Catalyst 4500 and 6500 (10 Gbps).
  Connections
    Router: Connects to multiple PCs or networking devices via Ethernet or Wi-Fi.
    Switch: Connects to multiple PCs or networking devices (L3 switches) via Cat5/Cat5e.
  Necessary for an Internet connection?
    Router: No, but it provides additional security and allows multiple connections.
    Switch: No.
  Security
    Router: Provides security measures (firewall, NAT, VPN) to protect the network.
    Switch: Port security.
  Manufacturers
    Router: Cisco, Netgear, Linksys, Asus, TP-Link, D-Link.
    Switch: Cisco, D-Link, Juniper.
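
As an added example (not from the original page or from diffen.com), the toy switch and router below make the "Table", "Broadcast domain" and "Security: port security" rows concrete: the switch learns source MACs into a CAM table, floods unknown-destination and broadcast frames only within the VLAN of the ingress port, and drops frames from new MACs once a port has hit its port-security limit; the router forwards by longest-prefix match on the destination IP, decrements the TTL on every hop and never forwards a broadcast. All MAC addresses, IP prefixes, port numbers and the two-MACs-per-port limit are made up for the illustration.

```python
"""Toy layer-2 switch and layer-3 router (simulation only; all addresses
and port numbers below are constructed for the example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass
class Switch:
    """Layer-2 switch: learns source MACs into a CAM table, forwards by MAC.

    max_macs_per_port models the 'port security' feature from the table:
    once a port has learned its limit, frames from further new MACs are
    dropped and the port is recorded as having a violation.
    """
    ports_in_vlan: dict                        # port number -> VLAN id
    max_macs_per_port: int = 2
    cam: dict = field(default_factory=dict)    # (vlan, mac) -> port
    violations: set = field(default_factory=set)

    def _macs_on_port(self, port):
        return sum(1 for p in self.cam.values() if p == port)

    def forward(self, in_port, src_mac, dst_mac):
        """Return the sorted list of ports the frame is sent out of."""
        vlan = self.ports_in_vlan[in_port]
        key = (vlan, src_mac)
        if key not in self.cam:
            if self._macs_on_port(in_port) >= self.max_macs_per_port:
                self.violations.add(in_port)
                return []                      # port-security drop
            self.cam[key] = in_port            # learn the source MAC
        out = self.cam.get((vlan, dst_mac))
        if dst_mac != BROADCAST_MAC and out is not None:
            return [out] if out != in_port else []
        # Broadcast, or unknown unicast: flood within the VLAN only.
        # Without VLANs the whole switch is one broadcast domain.
        return sorted(p for p, v in self.ports_in_vlan.items()
                      if v == vlan and p != in_port)


@dataclass
class Router:
    """Layer-3 router: forwards by longest-prefix match on the destination.

    Each interface is its own broadcast domain; broadcasts are not routed.
    """
    routes: list                               # list of (cidr, interface)

    def route(self, dst_ip, ttl=64):
        """Return (interface, new_ttl) on success or (None, reason)."""
        if ttl <= 1:
            return None, "ttl-expired"
        ip = ip_address(dst_ip)
        if ip.is_multicast or ip == ip_address("255.255.255.255"):
            return None, "broadcast-not-routed"
        best = None
        for cidr, iface in self.routes:
            net = ip_network(cidr)
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        if best is None:
            return None, "no-route"
        return best[1], ttl - 1                # TTL decremented per hop


if __name__ == "__main__":
    sw = Switch(ports_in_vlan={1: 10, 2: 10, 3: 10, 4: 20})
    print("unknown dst flooded in VLAN 10:", sw.forward(1, "02:00:00:00:00:01", "02:00:00:00:00:02"))
    print("learned, now unicast:", sw.forward(2, "02:00:00:00:00:02", "02:00:00:00:00:01"))
    rt = Router(routes=[("0.0.0.0/0", "wan"), ("192.168.1.0/24", "lan"), ("192.168.1.128/25", "guest")])
    print("192.168.1.200 ->", rt.route("192.168.1.200"))
```

The flood-unless-learned rule is exactly why the table lists port security for switches: a host that can inject many source MACs on one port fills the CAM table, and the port-security limit is what stops it from doing so.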

From a security point of view, the following checklist should be considered when securing a router.

Secure Router Configuration - Start With This

This relatively short list of configuration tweaks can greatly increase the security of any router.
  1. Change the password used to access the router. Anything but the default should be OK, but don't use a word in the dictionary.
  2. Wi-Fi encryption should be WPA2 with AES and each Wi-Fi password should be at least 14 characters long.
  3. Turn off UPnP and, if your router supports it, NAT-PMP, to protect both yourself and the rest of the Internet.
  4. Be smart about choosing an SSID (network name)
  5. Use a password protected Guest Network whenever possible, not just for guests but for IoT devices too.
  6. Turn off WPS
  7. Remote Administration is probably off, but verify that it is disabled
  8. Test Your Router for open ports using some online testers
  9. Periodically check for new firmware. At some point you will go a year or two, or more, without any updates. Time for a new router.

Secure Router Configuration - the FULL list

For the techies amongst us, the list below is as comprehensive as I can make it. Perhaps a spy agency would be the only one to implement everything on the list. Pick and choose, and implement as many as you can.
  1. If the router is new, see my suggestions for setting up a new router. Basic plan: make the most obvious few changes with the router off-line, go online behind another router to get the latest firmware, then make the rest of the changes.
  2. Change the password used to access the router (this is not a WiFi password). Don't use a word in the dictionary. Two words and a number should be fine (7coldapples). For more, see my router password advice. This is often the hardest step as it requires knowing how to access the router.
  3. If the router lets you change the userid used to logon to the router, change it
  4. Check for new firmware. There are no standards here, every router has a different procedure. With most routers this will be an ongoing manual check, however, some are able to update themselves. Be aware of the risk; if something goes wrong you may lose Internet access. Best to do it at a time when your ISP has offices that are open, so the box can be exchanged, if necessary. For more, see the firmware updates page. Many routers no longer get firmware/software updates. If the last update for yours was well over a year ago, it may be time for a new router.
  5. If any of your Wi-Fi networks (a router can create more than one) use a default SSID (network name) then change it. Do not pick a name that makes it obvious that the network belongs to you. 
  6. There is more to encryption than just choosing WPA2. To begin with use AES, not TKIP. Also, Wi-Fi passwords need to be long enough to stall brute force attacks, my best guess is that 14 characters should be sufficient. And, you really should not use a password anyone has ever used before. See more about Wi-Fi passwords. Note: The Ubiquiti AmpliFi mesh router defaults to using the same password for Wi-Fi and administering the router system. Regardless of the router being used, don't do this; each function should have its own password.
  7. Change the DNS servers that your router gives out to attached devices. ISP assigned DNS servers are usually the default, and worst, option. Why bother? To use a company that specializes in DNS, to get some extra security and to have easy to remember DNS IP addresses. Two suggested DNS servers are 9.9.9.9 (from Quad 9, backed up by 149.112.112.112) and 1.1.1.1 (from Cloudflare backed up by 1.0.0.1). I also like OpenDNS at 208.67.222.222 and 208.67.220.220. Another option is 8.8.8.8 (Google backed up by 8.8.4.4). Some companies offer child friendly DNS servers. I am working on a DNS Server page.
  8. Turn off WPS
  9. Turn off UPnP. UPnP is a protocol that lets devices on a LAN punch holes in the firewall of the router. This exposes these devices to the Internet at large where, if they are vulnerable, they can be hacked. Technically, UPnP enables port forwarding without the router owner even knowing what port forwarding is. You are safer with UPnP disabled. That said, there is a chance that disabling UPnP will break some network communication used by a device on your network, most likely an IoT device. To see if your router is doing any Port Forwarding, you can log in to the router. No forwarding of ports is the safe, secure state. It also means that disabling UPnP will not cause you any grief.
  10. UPnP was intended to only work on the LAN side of a router, but some routers are so miserably mis-configured that they expose UPnP on the WAN/Internet side too. This is a common, and huge, mistake, akin to a surgeon amputating the wrong leg. Fortunately, there is an online test, from Steve Gibson, that checks your router for the existence of UPnP exposed to the Internet. On the first page, of his ShieldsUP! service, click on the gray Proceed button. On the next page, click on the yellow/orange button for GRC's Instant UPnP Exposure Test. As of June 2018, he had found 54,000 routers exposing UPnP.
  11. Turning off features you are not using reduces the attack surface. Among other features that should probably be disabled are Remote Administration (aka Remote Management, Remote GUI or Web Access from WAN), SNMP, NAT-PMP and Telnet access to the router.
  12. Change the LAN side IP address of the router. Even better, change the entire LAN side subnet. See the page on IP Addresses for more. This helps prevent many router attacks. And, while you are at it, set up DHCP to allow for some static IP addresses.
  13. If you need Remote Administration, there are a number of ways to make it more secure. See the Security Checklist page for more.
  14. Many routers offer Remote Administration via a cloud service rather than the old fashioned way which required directly logging in to the router. If possible turn this off. With it active, you are trusting every employee of the router vendor.
  15. Guest networks are your best friend. Use them not only for visitors but also for IoT devices. They should be password protected. Guest networks are usually, but not always, isolated from the main network. Review all the configuration options your router offers for the Guest network to ensure they are isolated. The Security Checklist page has a list of options you might find.
  16. Network Isolation/segmentation: Guest networks are merely an appetizer, using VLANs for network isolation is the main course. Devices that only need Internet access should be prevented from seeing and being seen by other devices on the LAN. This prevents a single hacked device from causing grief for other devices on your network. See the VLAN page for more.
  17. For routers with a web interface, lock down access to the router from the LAN side. The Security Checklist page offers a dozen possible options (see the Local Administration topic) such as changing the port number(s) and limiting access by IP or MAC address. For routers that use a mobile app for administration, think about locking down access to the mobile app. This may require signing out.
  18. Write down the critical information on a piece of paper and tape it to the router, face down. Include the Wi-Fi network names (SSIDs) and passwords, the router userid/password and the IP address of the router.
  19. Turn off Ping reply. Sadly, different routers use different terminology for this. To test it, have someone ping your public IP address from outside your network.
  20. Turn off wireless networks when not in use. Some routers let you schedule this, others have a physical Wi-Fi on/off button, others have a mobile app. In the worst case, you have to log in to the router web interface to disable the Wi-Fi. In that case, a browser bookmark can ease the pain.
  21. Test if your router supports HNAP. If so, it should be replaced.
  22. Your modem is a computer too. Your router may be able to block access to the modem from all devices on the LAN.
  23. If your router supports outgoing firewall rules, block the ports used by Windows file sharing. You may also want to prevent any network printers from making any outbound connections. This way if a printer gets hacked, it can't phone home.
  24. If the router can send email when certain errors occur, configure this feature.
  25. Try to prevent your router from spying on you. If you own a Netgear router, be aware that they added "analytics" with firmware updates released in April 2017. If you don't want Netgear watching your network, you need to log in to the router and disable these analytics. Likewise, Asus and other routers include anti-malware software that may also be watching you. For more on Asus and their partnership with Trend Micro see the Bugs page from May 2017 and look for "Privacy issues with Trend Micro software in Asus routers". Trend Micro software is in other routers too, and other anti-virus companies are also partnering with router vendors.
  26. The Test Your Router page has many ways to kick the tires on your router. One thing to look for is open ports. At Steve Gibson's ShieldsUP! site (click the gray Proceed button), start with the Common Ports test and pay special attention to the SSH (22) and Telnet (23) ports as these services are frequently abused by bad guys. The only good status for any port is Stealth (assuming remote administration is disabled). Next, do the All Service Ports test and finally, do the Instant UPnP Exposure Test (orange button).
  27. Test your router with my Shodan Query My Router page. It generates a Shodan query for your public IP address (added Feb. 21, 2018)
  28. The router tests mentioned above are only a partial solution. For the most thorough test, connect the WAN port of a router to be tested (inside router) to a LAN port on another router (outside router). Then, from a computer connected to the outside router, scan the WAN side of the inside router using NMAP looking for open ports. This lets you test all 65,535 TCP ports and all 65,535 UDP ports.

Source: RouterSecurity
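
As an added example (not from the original page and not a RouterSecurity tool), the script below does a small WAN-side exposure check in the spirit of items 26 and 28: it classifies a handful of TCP ports the way ShieldsUP! reports them (open, closed, or stealth, where stealth is the only good answer) and sends a unicast SSDP M-SEARCH to UDP port 1900 to see whether the router answers UPnP discovery on the tested interface, the mis-configuration item 10 describes. Run it from outside your own network, for example from a host on the "outside" router against the WAN address of the "inside" router as item 28 describes, and only against addresses you own or are authorised to test. The port list, the placeholder address 203.0.113.10 (a documentation range) and the function names are assumptions made for this example.

```python
"""WAN-side exposure check (example code; the port list, placeholder
address and function names are constructed for this illustration)."""
import socket

# Assumed first-look list: admin interfaces plus the services items 11
# and 26 single out. Not an official or complete list.
PORTS_OF_INTEREST = {
    22: "ssh", 23: "telnet", 80: "http admin", 443: "https admin",
    8080: "alt http admin", 8443: "alt https admin",
}

# Standard SSDP discovery request, sent unicast to the target instead
# of to the multicast group so we learn whether THIS interface answers.
SSDP_MSEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    "MAN: \"ssdp:discover\"\r\n"
    "MX: 1\r\n"
    "ST: upnp:rootdevice\r\n\r\n"
).encode()


def classify_tcp_port(host, port, timeout=2.0):
    """Return 'open', 'closed', 'stealth' or 'unreachable' for host:port.

    'closed' means a RST came back: the router is answering, not stealthed.
    'stealth' means nothing came back within the timeout (the good state).
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "stealth"
    except OSError:
        return "unreachable"      # e.g. no route to host
    finally:
        s.close()


def parse_ssdp_response(data):
    """Parse an SSDP reply; return its headers as a dict, or None if the
    datagram is not an 'HTTP/1.1 200' discovery response."""
    lines = data.decode("ascii", "replace").split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, _, value = line.partition(":")
            headers[name.strip().upper()] = value.strip()
    return headers


def check_upnp_exposure(host, timeout=2.0):
    """Send an M-SEARCH to host:1900/udp. Any 200 reply means the device
    answers UPnP discovery on that interface. Returns headers or None."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(SSDP_MSEARCH, (host, 1900))
        data, _ = s.recvfrom(2048)
        return parse_ssdp_response(data)
    except (socket.timeout, OSError):
        return None               # silence or ICMP unreachable: not exposed
    finally:
        s.close()


def exposure_report(host, ports=PORTS_OF_INTEREST, timeout=2.0):
    """Return only the findings that need attention: any TCP port that is
    not stealth, and a UPnP discovery reply if one was received."""
    findings = {}
    for port, name in ports.items():
        state = classify_tcp_port(host, port, timeout)
        if state != "stealth":
            findings[f"tcp/{port} ({name})"] = state
    upnp = check_upnp_exposure(host, timeout)
    if upnp is not None:
        findings["udp/1900 (UPnP SSDP)"] = "answers discovery: " + upnp.get("SERVER", "?")
    return findings


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"  # placeholder
    report = exposure_report(target)
    if not report:
        print(f"{target}: all checked ports stealth, no UPnP reply")
    for item, state in sorted(report.items()):
        print(f"{item:28} {state}")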