UPGRADE
YOUR
ROUTER
If you’ve determined your
router needs upgrading,
now is the perfect time to
put security at the heart of
your purchasing decision.
And that means looking
beyond consumer routers
for something more suited
to a SOHO environment.
These types of routers
receive frequent firmware
updates (as opposed to
none in many cases) to
close security loopholes
and occasionally add new
features, plus they feature
useful extras such as
built-in VPN servers, more
granular parental controls,
and firewalls.
While SOHO routers
carry a premium, they
don’t have to cost the earth.
Synology’s RT2600ac
(above) costs around $ 200
from newegg.com, and
while it’s not the quickest,
it’s certainly a lot more
secure than any consumer
router and is one of the
most affordable routers
we’ve seen supporting
WPA 3 encryption.
Like most SOHO routers,
the RT2600ac has no
built-in modem, so if you’ve
previously been using a
modem router, keep that
as your modem going
forward. Setup is relatively
straightforward: consult
instructions on placing
your existing modem
router into modem-only
mode (if it doesn’t exist,
you’ll need to examine
ways of setting it up in
bridge mode), then connect
its WAN port to your
router’s WAN port to link
them together.
SOHO routers are
traditionally more complex
to set up and use, which
is another reason why the
RT2600ac is a good choice.
It runs its own dedicated
operating system, Synology
Router Manager (SRM),
which receives frequent
updates and provides a
relatively simple point-
and-click interface, as well
as allowing access via a
mobile app.
SRM can also be
extended via applications
you download and install
from the internet, including
Security Advisor, an app
that scans your router’s
security settings to reveal
weak points and suggest
improvements. We’re
pleased to report that after
following the advice in this
tutorial, we got a ‘Good’
security rating from our
RT2600ac on both home
and work baseline checks.
Make sure guest devices are isolated from your network
SECURE YOUR WI-FI NETWORK
With your router’s own
administration portal locked down,
it’s time to turn your attention to
your physical network. In other
words, we’re going to secure both
its wireless and wired connections
to prevent any hackers within
the vicinity of your network from
gaining access.
Let’s start with your Wi-Fi
network. Navigate to its Wireless
settings to see what encryption
you’ve applied. As a bare minimum,
it should offer WPA2-PSK with
support for AES (avoid the more
vulnerable TKIP encryption). Make
sure WPA2-PSK/AES is selected if
this is the case.
Modern routers support the
newer WPA3 standard, Synology
added support for this via a
firmware update, but not all your
network devices will. WPA3 support
is required at both hardware and
OS level, so even if your computer’s
Wi-Fi adapter supports WPA3,
you’ll need to be running Windows
10 or 1 1, or Ubuntu 2 0.04 or later.
Compatible Apple devices include
iPhone 7 , iPad 5 , Watch 3, Apple TV
4K, or Mac from 2013 with 802.11ac
support. Android devices need to be
running Android 10 or later.
Don’t forget all your other
wireless devices too: your TV,
consoles, Roku box, and so on.
It’s likely you won’t be able to
switch exclusively to WPA3, but in
anticipation of this, your WPA3-
compatible router should offer you
a backward-compatibility setting
that offers WPA 3 to those devices
supporting it, while falling back
to WPA2-PSK/AES for those that
don’t. In the case of the Synology,
configure this via Wi-Fi Connect >
Wireless > Wi-Fi section: Select
WPA2/WPA3-Personal from the
dropdown menu.
CHANGE AND HIDE YOUR SSID
Your network ‘advertises’ itself
to others using its SSID, and
there are two ways in which you
can strengthen this part of your
network. First, change the SSID
name—the default usually includes
the router’s model or manufacturer,
which can aid a determined hacker
in gaining entry to your system by
revealing what hardware they are
up against. You can do this from the
Wireless section of your router’s
configuration utility.
You can go further and prevent
your network from advertising its
presence by disabling the SSID
broadcast signal (it’s a simple
‘Hide SSID’ checkbox on the Archer
VR900). This prevents your network
from showing up when people
nearby scan for Wi-Fi networks to
connect to; instead, anyone wishing
to connect to your network for
the first time must manually type
in the SSID when setting up the
connection (thereafter, they will
connect automatically as usual).
It’s not a perfect solution as
hackers can still easily sniff out
the SSID using legitimate tools
such as inSSIDer (www.metageek.
com/products/inssider/), but it
does deter casual snoopers. We
suspect the extra layer of security
outweighs the inconvenience of
manually entering your SSID each
time you connect a new device to
your network.
RESTRICT GUEST ACCESS
All modern routers offer a separate
guest wireless network for visitors
and other infrequent users, and it’s
something we strongly recommend
you enable, again using the best
encryption your router supports
and with a strong password.
By default, the guest network
should remain isolated from the
rest of your network, so while
visitors can access the internet,
they can’t use network resources
such as shared folders or printers
or peer into shared folders.
JAN 2022 MAXIMUMPC 45
©^
NE
WE
GG
.CO
M
