Security Checklist （路由器安全checklist）

Security Checklist

Website by      Michael Horowitz

Home | Introduction | Router Bugs | Security Checklist | Tests | Resources | About |

 

The most expert person in the world can only make a router as secure as the firmware (router OS) allows. The following list of security features lets you judge how secure a router can potentially get. This is not a list of things to do to make a router more secure. That list includes a number of actions, like changing the default password, that are common to all routers and thus not in the list below. If you care about securing a router, look for it to have the features below. Sadly, reviews of routers never discuss any of this.

1. WPS
• Is WPS supported? WPS has been such a security disaster that I would not want to use any router that supports it. Since WPS is required for WiFi certification, it is present in all consumer routers. Thus, it is best not to use a consumer router.
• If you are using a router that supports WPS, then check to see if it can be turned off. There are two aspects to this. When the security issues with WPS first came to light at the end of 2011, some routers would not disable WPS even when told to do so - a bug. Even now (April 2015) there are routers such as the $300 D-Link DIR 890L/R that can not turn off WPS. Rather than a bug, there is simply no option offered in the firmware to disable it.
• WPS status: To verify that WPS is disabled use a WiFi survey type application such as the excellent WiFi Analyzer on Android. On Windows, look into WiFiInfoView from Nirsoft - it is free and portable. Sadly, most WiFi survey apps do not report on WPS at all. I do not know if there one for OS X that does. Apple does not allow any WiFi survey apps on iOS.
  
  
2. NO DEFAULT PASSWORDS (added Nov. 21, 2015)
Default passwords are a huge problem for routers and should not be allowed. Even default passwords that look random are not. Eventually, someone figures out the formula for creating that password and can often use that, combined with public information from the router, to derive the password. Thanks to Russ for this idea.
• When initially configured, does the router force you to provide new, non-default WiFi passwords for every Wi-Fi network?
• When initially configured, does the router force you to provide a new, non-default password for logging in to the router itself?
  One router that does is the Synology RT1900ac (User Guide, screen shot). I have read that DD-WRT also does this.
  
  
3. LOCAL ADMINISTRATION
A malicious person on your network is bad enough, but we need to prevent them from being able to modify the router. The router also needs to be protected from malicious web pages that exploit CSRF bugs.
• Is HTTPS supported? In 2013, Independent Security Evaluators tested 13 consumer routers. Some supported HTTPS, some did not. Every router that supported it, however, had it disabled by default.
• If HTTPS is supported, can admin access be limited exclusively to HTTPS?
• Can admin access be limited to Ethernet only?
• Can the port used for the web interface be changed?
• Can access be restricted by LAN IP address? To really prevent local admin access, limit it to a single IP address that is both outside the DHCP range and not normally assigned.
• Can access be restricted by MAC address?
• Can router access be restricted by SSID? The Pepwave Surf SOHO can do this (screenshot).
• Is it limited to one logon at a time? It should be. The router should not allow multiple computers to logon at the same time using the same userid.
• Is there a CAPTCHA option for logging in? (D-Link offers this)
• Can you logout of the web interface? You should be able to. I have seen Linksys and D-Link routers without a Logoff button.
• Does it time out? It should, and you should be able to set the timeout period. See Cisco example. 
  
  
4. REMOTE ADMINISTRATION
• Can it be limited to HTTPS only? To me, this is an absolute must. The Netgear Nighthawk R700, despite great reviews, only supports remote management over HTTP which means your password travels in the clear. I have seen this too with low end Asus routers, while their higher end models do offer HTTPS.
• Can the port number be changed? (also a must)
• Can access be restricted by source IP address or source network? 
  Here is an example of this, from a Pepwave Surf SOHO router running Firmware 6.2. The "Allowed source IP subnets" is where you can set multiple IP addresses (yes, its a bit confusing) and IP subnets from which remote administration is allowed. In reference to the two previous issues, the security for remote administration can be HTTP only, HTTPS only, or both. In the screenshot, it is HTTPS only. The "Web admin port" is the port used for remote administration, in the screenshot it is 12345. The "Web admin access" can be set to LAN only or, as in the example, both LAN and WAN.
  Most of us, at home, have a dynamic IP address from our ISP which at first glance would seem to rule out using this security feature (anyone who works in an office with a static public IP address can, of course, use it). But, a couple VPN providers offer static IP addresses. One is Nord VPN, which lets an account be assigned a static IP address. TorGuard, another VPN company, also offers a static IP address ($8/month as of April 2015). If you know of another, email me.
• Does it time out? (it should) That is, if you forget to logout from the router, eventually your session should time out, and, you should be able to set the time limit, the shorter, the more secure.
• Is it off by default? It should be. The Linksys AC1900 (EA6900) has Remote administration enabled by default.
• Is it limited to one logon at a time? It should be. The router should not allow multiple computers to logon at the same time using the same userid.
  
  
5. WIFI
No one can hack into a network that does not exist.
• Can the wireless network(s) be scheduled to turn off at night and then back on in the morning? Two routers that offer this feature are the Amped Wireless RTA1750 and theSynology RT1900ac.
• Is there a WiFi on/off button? This seems to be a rare feature. Some routers with it are the TP-Link Archer C9 and D9, the Asus RT-AC68U, The Netgear R6220 and the Synology RT1900ac. The idea is to make it easier to disable WiFi when its not needed. When this is easily done, more people will do it. The routers I have seen with a WiFi on/off button all had a very small button that was hard to reach. An exception is the NETGEAR R6400-100NAS which has the button in an easy to locate position on the top of the router. So too some FRITZ!Box routers, popular in Germany and Australia (closeup). 
  
  
6. WPA2
Although every router offers WPA2 encryption with Pre-Shared Key (PSK) there are still things to look for:
• Verify that the router offers WPA2 exclusively. If the only option is a combination of WPA and WPA2, then it is not as secure as WPA2.
• After opting for WPA2 encryption, a better router will always use AES or CCMP (two terms for the same thing). Some routers offer TKIP as an option with WPA2. TKIP is not as secure. Meraki is high end wireless vendor owned by Cisco. I have seen a network running their hardware offer WPA2 with TKIP. If there is no secondary option after you select WPA2, then you will need to use a WiFi scanner app, such as WiFi Analyzer on Android, to see if it is using AES, CCMP or TKIP.
  
  
7. GUEST NETWORKS
In general, a guest network is a good thing. I blogged on this December 2015: 

To share or not to share - a look at Guest Wi-Fi networks

. But, all guest networks are not the same.
• Is the network defined normally or does it require a captive portal? For more on this see Warning: Guest Mode on Many Wi-Fi Routers Isn't Secure. Normal is good, captive portal is bad. For more on why this is see my blog Linksys Smart Wi-Fi makes a stupid Guest network.
• Is WPA2 supported on the Guest network? This comes from the article linked to above which points out that Belkin and Linksys Smart WiFi routers do not support WEP, WPA or WPA2 on their Guest networks.
• Perhaps the biggest security feature of a guest network is that it keeps guest users away from the private network. When this is working properly, guest users will not be able to see anything that is Ethernet connected to the router, or, anything that is connected to a non-guest wireless network from the same router. Put another way, you want guests to see the Internet and nothing but the Internet. Sadly, this feature is assigned many different names. Asus calls it "Access Intranet". TP-LINK calls it "Allow Guests to access my local network". D-Link calls it "Internet access only". TRENDNET also calls it "Internet access only" and they explain that it "prevents guests from accessing the private LAN network".
  Verify this! 
  One way to verify it is with a LAN scanner app such as Overlook Fing which runs on iOS, Android, Windows and OS X. The scan should not see any devices on the private network. Another option is, from a guest network, to try and access a NAS or a network printer or any other LAN device exposing a web interface.
• Some routers have a configuration option for guest users being able to see each other. It is more secure if they can not, but there may be times where you want to allow this. Like the feature above, this too, may be called "isolation". TRENDNET calls it "Wireless Client Isolation" and they explain that it "isolates guests from each other". TP-LINK calls it "Allow Guests to See Each Other". If there are multiple guest networks (often one on the 2.4GHz band and another on the 5GHz band), then the question becomes whether guest users on one guest network can see guest users on another guest network.
• NOTE: According to a March 2015 article at How-To Geek, older Netgear routers had an option to "allow guests to access my local network" and a separate option to "enable wireless isolation" which prevented guest users from seeing each other. However, the Netgear Nighthawk X6 router no longer supports two options. They were combined into a single option called "allow guests to see each other and access the local network." Not good. As the article says "There are numerous, and perfectly valid, reasons for wanting to enable one and not the other (e.g. your kids want to play network games with their friends on the guest network so network isolation must be disabled, but you don't want them to access your LAN)..."
• Some routers let you schedule the guest network(s). It would be great if you could turn it on for X hours and then have the router de-activate it. Probably the worst thing about guest networks is leaving them on all the time. One router that can do this is the Trendnet TEW-813DRU. The company has an online emulator from which I took a screen shot. 
  If the network can't be scheduled, the next best thing is making it easy to turn it off and on. To that end, a smartphone/tablet app for controlling the router may provide an easier interface.
• Look for a limit on how long a guest user may be logged on to the guest network
• Although not a security issue per se, some routers do not let you chose the Guest network name. The Linksys Smart WiFi line, for example, always uses the SSID of the private 2.4GHz network and appends "-guest" at the end.
• A Guest user may or may not be able to login to the web interface of a router. Obviously, locking them out is more secure. A reader of this site, Sudhakar, raised this issue for the first time in Dec. 2015. I have not seen this discussed by any consumer router. The Pepwave Surf SOHO can limit router access to a single SSID, thus blocking guest users.
• Subnets: the Guest network may share the same subnet as the private network or use a different one. I would prefer different subnets. The Linksys Smart WiFi line does this.
• Nice to have: Some routers let you limit the bandwidth of guest networks. In the TP-LINK example above, it is not clear if the limit applies to the entire network as a whole or to each user individually.
  
  
1. ROUTER USERID
• Can the userid for the web interface be changed? Every router lets you change the password, a few let you also change the userid. This is most important when using Remote Administration.
• Is there a read-only user? Most routers only allow for one userid, but some allow for two: one with full admin privileges and one that is only allowed to view stuff but not make changes.
• Many users: this seems like overkill to me, but some routers let you define multiple userids. A Verizon DSL gateway, the D-Link 2750B lets you go so far as defining groups of users.
  
  
2. ROUTER PASSWORD (updated Nov. 15, 2015)
• How long can the router password be? In one of my favorite stories, Brian Krebs ran across a router that only supported passwords up to 16 characters long. Quoting from his article: "I helped someone set up a ... ASUS RT-N66U ... router, and ... made sure to change the default router credentials ... ... my password was fairly long. However, ASUSs stock firmware didnt tell me that it had truncated the password at 16 characters .... when I went to log in to the device later it would not let me in ... Only by working backwards on the 25-character passphrase I'd chosen - eliminating one letter at a time ... did I discover that the login page would give an "unauthorized" response if I entered anything more than that the first 16 characters of the password". I have also read of a D-Link router that limits passwords to 15 characters and also does not make this clear. So, test if your router allows a 17 character password. It should.
• How short can the router password be? Very short passwords should not allowed.
• Are the password rules explained? When you change the router password, does the User Interface explain the rules about acceptable passwords? That is, does it say anything about the length of the password or if any characters are not allowed?
• Does the router allow brute force password guessing? After a certain number of wrong passwords does the router do anything to prevent further guessing?
  
  
3. FIREWALL
Kick the tires on the firewall looking for open ports
• All routers should get a perfect score at Steve Gibson's ShieldsUP! Run both the Common Ports test and the All Service Ports test. If all is well, it will say "Passed" in green and the status of every port will be "stealth". The passing grade also means that the router does not reply to Ping commands on the WAN port.
• The Speed Guide Security Scan tests 359 ports. Click the small blue "START" button. If all is well, it will say "Our Security Scan found NO open ports."
  
  
4. MAC ADDRESS FILTERING
I am well aware that MAC address filtering is far from perfect. That said, it does make it harder for bad guys to get on to your network. Many people say not to bother with it both because its a big administrative hassle and because it wil not block a skilled attacker. The administration hassle, however, is not the same on all routers.
• The big question with MAC address filtering is whether this feature applies to all networks created by the router, or, to all networks on the same frequency band (2.4GHz or 5GHz), or, in the best case, if there are separate MAC filtering lists for each individual network/SSID? If a router supports independent filtering lists for each SSID, then MAC address filtering can be used for the main, private SSID and not used on guest networks. This makes it a practical solution as the maintenance hassle is so low.
• Another aspect that can make this much easier to deal with is comments. That is, instead of just maintaining a list of black- or white-listed MAC addresses, the router should also let you add a comment to each MAC address. This way you can easily check if computer X is already in the list or not. And, when tablet Y is lost, it makes it easy to remove it from the list. Of the routers I have seen, only AirOS firmware running on a Ubiquity AirRouter offered the ability to add a comment. It looked like this.
  
  
5. UPnP (Universal Plug and Play)
• UPnP can be a security problem as it is used to poke a hole in the firewall. Most routers let you disable UPnP. Check if yours does and verify this using the two online testers below. The D-Link DIR-880L does not let you disable UPnP.
• Does your router pass Steve Gibson's UPnP exposure test? This is the big orange button at ShieldsUP! It must.
• Does it pass the Rapid7 Universal Plug and Play Check? It must. Note: if you find that this test hangs forever, join the club. I have not yet narrowed down the circumstances that causes it not to finish.
• If you must use UPnP, then look for a router that offers detailed status information about the state of forwarded ports, such as the app that made the UPnP request and details on the currently active port forwarding rules. Some port forwarding rules come from UPnP and some don't. It is best to use a router that clearly shows which port forwarding rules came from UPnP requests. One router that does a great job of this is the TP-LINK Archer C7 and there is an online demo of the C7 user interface. Click on Forwarding, then UPnP to see its display of UPnP information, which includes a description of the application that initiated a UPnP request, the external port that the router opened for the application, the IP address of the LAN device that initiated the UPnP request, and more.
• An example of the router security enemy is the UPnP PortMapper program that can be used to "manage the port mappings (port forwarding) of a UPnP enabled internet gateway device (router) ... Port mappings can be configured using the web administration interface of a router, but using the UPnP PortMapper is much more convenient". Ugh.
  
  
6. PORT FORWARDING
   • Can it be limited by source IP address and/or source IP subnet? The secure answer is yes. For example, both Real VNC and Apple Remote Desktop listen for incoming connections on TCP port 5900. Without this feature, anyone in the world can connect to these programs on that port. Bad guys scan the Internet to find devices that are listening on port 5900. With this feature, you can limit who is allowed to talk to the software on port 5900. The official term for this, I believe, is IP Filtering.
   • Can port forwarding be scheduled? If a techie uses Real VNC or Apple Remote Desktop to help a non-techie with their computer, but only does so in the evening, then this feature lets the forwarding of port 5900 be disabled in the morning, afternoon and late night.
     
     
7. Is HNAP supported? 
   The correct answer is no. The Home Network Administration Protocol has been the basis for multiple router flaws. In April 2015 it was found to make a number of D-Link routers vulnerable. In Feb 2014 is was used as part of an attack on Linksys routers (see this for more). The Linksys firmware in their classic WRT-54G supported HNAP. In 2010 HNAP was used to hack D-Link routers. As far as I know, there is no way to disable HNAP. There are two ways to check for HNAP support. First, ask the router vendor. If nothing else, this can be a great test of technical support. If the company can't or won't answer this question, their routers are best avoided. Peplink, my preferred router vendor, does not support HNAP - I asked them. For a technical test, try to load HTTP://1.2.3.4/HNAP1/ where 1.2.3.4 is the IP address of your router. This works from inside your network using the routers internal IP address. The real danger, however, is from the outside, so have someone try it from the Internet using the public IP address of your router which you can find at many sites such as ipchicken.com or checkip.dyndns.com. For good luck, also run this test on port 8080, which would look like HTTP://1.2.3.4:8080 
   
   
8. FIRMWARE
This 

really

 separates the men from the boys :-)
• Can you be passively notified (typically via email) by either the router or the company that produced it, when there is new firmware? Peplink does this. See an example from December 2015, announcing firmware version 6.3. Most routers require you to seek out firmware updates on your own.
• For a new router: does it attempt to update the firmware as part of the initial setup process? Tests run by the Wall Street Journal in early 2016 found that 10 out of 20 routers did not.
• For an existing router: can it automatically update the firmware on its own? A list of routers that can is on the Resources page. While auto-updating may be appropriate for routers owned by non-techies, it is not always a good thing. Personally, I prefer to install bug fixes fairly quickly but delay new versions/releases. It is unlikely that an automatic updating system can be configured to do this. Also, the system needs to transparent about what its doing. This way, when a problem comes up, we can check to see if it started soon after a firmware update.
• Assuming there is no automatic firmware update process, then the question becomes how easy is the upgrade process. Better routers can completely handle a firmware update in the web user interface. Lesser routers force you to download a file, then upload it back to the router. This harder procedure makes it less likely router owners will update the firmware. Also, being able to handle the update completely in the router web interface, means that the firmware upgrade can be done by a remote user.
• The new firmware may reset some options. To protect against this, its a good idea to manually backup all the current settings before upgrading. The Pepwave Surf SOHO always reminds you to do this. Does your router?
• If there is a function in the web interface to check for new firmware, does it actually work? I can personally attest that many routers do not. David Longenecker writes that "Asus is notoriously inconsistent at keeping their auto-update servers up to date..." Tests run by the Wall Street Journal in early 2016 found 2 of 20 tested routers incorrectly reported their firmware was up to date.
• Is the firmware downloaded securely? (HTTPS, SFTP or FTPS) There are two parts to this question as the firmware may be downloaded by the router itself or by you manually from the vendors website. Good luck answering this question.
• Is new firmware validated before it is installed? Good luck answering this too. If its not validated then a bad guy or spy agency might be able to trick you or your router into installing maliciously modified firmware. In Feb. 2014 David Longenecker examined an ASUS RT-AC66R router in detail and found that it used no security at all in checking for, and downloading, new firmware.
• Does the router support multiple installed firmwares? This great feature lets you back out from a firmware update that causes problems and thus eliminates most of the risk that always exists when installing new software. The best company I have seen here is Peplink/Pepwave which lets you easily reboot into the prior firmware. This can also help if a configuration change causes a problem. The Linksys EA6200 can also restore a prior version of the firmware.
  
  
1. Is the router vulnerable to the Misfortune Cookie flaw? This is not something we can test for ourselves, nor is there a full list of vulnerable routers anywhere. We need to have the router manufacturer issue a statement. So this is really a test of how the router vendor handles security issues. Did they post anything on their website? If you ask them, will they intelligently respond? The bugs page on this site links to responses from Actiontec and Peplink that their routers are not vulnerable. I looked for a Netgear response and could find nothing. ZyXEL patched some of their routers but not others. If a company is not forthright about this flaw, then you know that they can't be trusted to make a secure product. And, even if they were vulnerable, but issued updated firmware, I would also be concerned as this means they shipped extremely old software. 
   
   
2. Can it block access to a modem by IP address? See my blogs on this part one and part two.
   
   
3. LOGGING: (revised Nov. 20, 2015)
   • Is there a log file (or files)? There should be, and hopefully, the data in the log is reasonably understandable and useful. I find the log created by Asus routers all but worthless. An old Verizon DSL gateway, the D-Link 2750B, had both a System Log and a Security Log. The Pepwave Surf SOHO has a single log file. The D-Link 860L has three log files: System, Firewall & Security and Router Status.
   • Does it log unsolicited incoming connection attempts? I consider this particularly interesting as it helps to illustrate how dangerous the Internet is and why a secure router is important. If you see computers from China trying to access certain ports on the router, you can research the ports, try to close them, or forward them to a non-existing local IP address.
   • Does it log failed logon attempts? Successful logons? Failed logons are obviously good to know about, but so too are successful logons, just in case the person in charge of the router was not the one who successfully logged in. Hopefully, the logged information includes the source IP address.
   • Is anything logged when a new device joins the LAN? It would make a great audit trail if the router logged the client MAC address every time a new device joined the network. As of Firmware 6.3, released in Jan. 2016, Peplink can optionally log each time an IP address is given out by its DHCP server. There is no option, however, to log the appearance of a new device with a static IP.
   • Can it log all Internet access by a single device? In Nov. 2015 it came to light that a Vizio Smart TV was watching you and phoning home screen shots, even when it was playing video from an external source (think Roku and DVD). This feature lets you keep a close watch any any such "smart" device. It can be used to track children online. My favorite router company, Peplink, is due to roll out this feature in Firmware version 6.3 by the end of 2015.
   • Does it log changes made to the router configuration? Peplink, does a poor job of this, their log typically just says "Changes have been applied" with no indication of what was changed. On the other hand, the D-Link 860L logs nothing at all, not even the fact that something changed. The best I have read about are some DrayTek routers that create an audit trail/log of all admin access/activity.
   • Do the log files disappear when the router is powered down? If so, it makes it that much harder to spot trends or changes. The logs on the D-Link 860L are wiped out when it is powered off. This is not true on the Pepwave Surf SOHO. 
     
     
4. EMAIL: (added Nov. 19, 2015)
Can the router send an email message when something bad happens?
• If so, what types of errors can it email about? At the least, it should be able to send an alert if one of the log files fills up.
• This is particularly useful for multi-WAN routers, that is, routers that are connected to two or more ISPs. When one Internet connection fails, it can use another to send an alert email. Peplink is great at this.
• Can messages be sent to only one recipient or to many?
• I have not seen a router that can send a text message, but there are services that convert emails into texts.
  
  
5. DDNS:
Not everyone needs DDNS, it is mostly used for remote administration. If you do need it, there are some options to look for.
• Does the router phone home to the DDNS provider using HTTP or HTTPS? Good luck trying to figure this out. The DDNS provider may have a log file that you can check or use this as a test of technical support.
• How many DDNS providers are supported? The more the better. Also good, not being limited to Dyn.
  
  
6. MONITORING ATTACHED DEVICES:
Its nice to know who/what is connected to the router
• A good router will offer, at a glance, a list of all the attached devices. Having them all shown on one screen makes it easy to spot anything out of the ordinary. This screen shot from a Pepwave Surf SOHO shows that it uses a space-saving single line per attached client.
• Along with this, a great feature to have, is the ability to give friendly names (i.e. Susans iPad, Joes laptop) to the attached devices. This too, should make it easier to spot new devices. The name column of the Surf SOHO display of attached clients is editable, allowing you to enter anything that makes sense to you.
• I used to have a router that would only show devices with a DHCP assigned IP address. You never knew about any devices with static IPs, which stinks. In December 2014, Chris Hoffman wrote "Many routers simply provide a list of devices connected via DHCP". Hopefully this gets phased out over time.
• Internet sessions/sockets: It can be very handy to see all the connections a LAN-resident device has to the Internet. For one, you can verify that a VPN is working the way it is supposed to, that all traffic flows over a single encrypted link to a VPN server. You can also use it to verify that an online banking app really has a secure connection to the bank. And, you can use it to check if a Smart TV is phoning home and reporting on your viewing habits. Among the routers that report on this level of detail are the D-Link DIR860L and my favorite, the Pepwave Surf SOHO. (added Nov. 17, 2015)
• Non-security: If the router is creating multiple WiFi networks, it is nice to see which devices are connected to which network. The Pepwave Surf SOHO does this in the "Network name (SSID)" column.
• Non-security: Its nice to be able to see the signal strength, from the routers perspective, for each attached wireless device. The Pepwave Surf SOHO does this in the "Signal" column.
• Non-security: Another nice monitoring feature is showing the current bandwidth used by each connected device. The Pepwave Surf SOHO does this in the "Download" and "Upload" columns. It defaults to kbps but can be changed to Mbps.
• Non-security: Its nice to have a bandwidth history. The Pepwave Surf SOHO offers a daily bandwidth summary showing total Upload and Download Megabytes. From the daily summary, you can drill down to an hourly summary. From the hourly summary, you can drill down to each specific device within that hour.
• Hiding on the LAN: Here is an oddball case that I ran across. A device may be able to hide from the router, if it only talks to devices on the LAN and never makes a request out to the Internet. That is, if it only makes use of the switch in the router, but never the higher level functions of the device. You can test this if you have a printer or a NAS with a static IP address. Reboot your router, then, from a computer on the LAN, send an HTTP request to the device with the static IP address and get back a web page. Then check the router list of attached devices. Does the router show the printer/NAS/whatever as being on the network? Maybe not. Yet, it communicated with a device on the LAN. 
  
  
7. Can you disable the file sharing of storage devices plugged into a USB port? This came up in May 2015 with the industry-wide NetUSB flaw. Some routers let you disable the buggy file sharing, others did not. Netgear, for example, admitted there was no way to disable to flawed file sharing software. NetUSB was the second file sharing flaw that I am aware of. Asus had a bug here that exposed files plugged into a USB port to the Internet at large. 
   If you must use a router to share files, then look for one that offers a way to safely disconnect the USB storage device. At least some Linksys routers have a Safely Remove Disk button. TRENDnet labels their button Safely Remove USB Device. And, just for good luck, avoid putting sensitive files on the storage device plugged into the router. My suggestion, however, is to look for a low end Synology or QNAP NAS device. As of May 2015 the cheapest Synology NAS (model DS115j) is $100 without a hard drive. QNAP seems to start around $120, also without a hard drive. 
   
   
8. Access to the web interface of a router is typically done via IP address. But dealing with IP addresses may well be too much for non-techies. Thus, to make things easier (almost always a security issue in the making) for people, some router companies offer fixed names. This lets someone on the LAN get into the router with http://something.easy rather than http://1.2.3.4. Netgear uses www.routerlogin.com and www.routerlogin.net. TP-LINK uses tplinklogin.net, Asus uses router.asus.com, Netis uses netis.cc, Edimax uses edimax.setup, Amped Wireless uses setup.ampedwireless.com, Linksys uses myrouter.local and linksyssmartwifi.com. According to RouterCheck.com (the page is both undated and un-credited) this is a security weakness. Even if you follow the advice offered on this site, and elsewhere, to use a non-standard local subnet (such as 10.11.12.x) bad guys can still find your router (most likely via CSRF in a malicious web page) using these aliases. In addition, none of the router vendor documentation indicates that any of these names support HTTPS, which should always be used when logging in to a router.
   
   
9. SSID hiding: (added Nov. 11, 2015) Like MAC address filtering, this offers only a small increase in security and comes with a high hassle factor. It was not included here at first, because I had not run across a router that did not offer it. But, there may well be some. Some routers, like those from Google, are focused on ease of use for non-techies and thus throw many features overboard. They, and others, may well omit this feature. Not sure.
   
   
10. Security Unicorn: Rounding out the list of security features is one that, to the best of my knowledge, does not exist. As the administrator of a Local Area Network, I would like to be dinged every time a new device gets onto the network. The ding could be a text message, an email, perhaps even a beep sound. Something, to alert me about a device (really a MAC address) that has not been seen before. I realize this is not perfect, but it would still be nice to have. A company called SkyDog used to offer this feature, but they disappeared in July 2014 when Comcast bought the company. Eero claims their routers will do this; they were expected to start shipping their first routers in the summer of 2015, but the date slipped. As of Nov. 2015, they are expected to be available in Feb. 2016.

October 24, 2015: The German government, concerned about poorly secured routers, is considering a security rating system for routers. Using a checklist somewhat analogous to this one, routers will be given points for features that increase security. See German Govt mulls security standards for SOHOpeless routers.

Rare security features

This may be asking too much of a router (that is, it may require a NGF or UTM) but I would like a log of incoming packets that the firewall discarded. Its one thing to be preached to about how dangerous the Internet is, but quite another to see evidence of computers all over the world trying to hack into your router. I used to have a router that did some of this, but that was long ago.

This too, may be asking too much, as I have not run across it anywhere: the ability to modify the Ethernet MAC address that is used as the base of WiFi networks. This would allow a router of brand X to masquerade as brand Y. This is a common feature, but I have only seen it apply to the WAN port. It exists because some ISPs use the MAC address as part of their security. I would also like it on the LAN WiFi side of things.

It can be argued that VLAN support belongs in the list above and I may change my mind and add it at some point. It's certainly a security feature and not all that rare. VLANs (Virtual LANs) let you logically divide a single LAN into isolated sections. If attackers gain access to one section of the network, the VLAN prevents access to other areas of the same network. Sony Pictures would have been well advised to employ VLANs, it would have limited the damage from their breach. Its not in the list above because many people get all the VLAN support they need from Guest networks. On the other hand, security is much improved by putting IoT (Internet of Things) devices in their own VLAN, since so many have poor security. In December 2015, I created a VLAN isolated wireless network at home, just for my Internet Radio. Many wireless devices only need Internet access and do not need to see a network printer or a NAS box, let alone computers on the LAN.

Some non-security features to look for

Wake-on-LAN. It's not a security issue, but it is nice to have. Grandmas out at a movie? Login to her router, turn on her computer remotely, install bug fixes for her and then turn it off :-) Asus routers have done this for a long time. Peplink introduced WOL in firmware version 6.3 in December 2015.

Kick the kids off the Internet at bedtime. This can be done a few ways. Perhaps the best approach is to have a dedicated network/SSID for the kids to use, keeping the passwords for other WiFi networks a secret from the children. Then, a router with scheduling ability, can disable the kiddy network at bedtime. This can also be done using a single network/SSID but then you have to deal with identifying individual devices either by their MAC address or their IP address. This takes a bit more technical skill, is a bit more of a hassle to setup and maintain and requires that a specific device is always used by the same person.

Context sensitive help. That is, rather than having to refer to a separate monolithic manual, that may or may not be kept in sync with the firmware, it is best to have help directly available in the web interface.

Ethernet lights: When things go wrong, it can be handy to have Ethernet status lights. There are two aspects to this. The main body of some routers have indicator lights for each LAN side Ethernet port. I prefer this, the more information provided, the better. Also, the Ethernet port itself, may have two lights, indicating the link status/speed and activity. The lights on the Ethernet port often indicate the link speed (normally 100Mbps or 1,000Mbps) and, when blinking, that data is being transmitted. Plus, just their being on at all, told us something about the link.

Some routers have done away with the lights on top/front and/or the lights on the Ethernet ports. For example, the TP-LINK Archer D9 has a single Ethernet light on the front - beats me how it indicates the status of multiple Ethernet ports. Still, it is a step up from the $300 D-Link DIR 890L/R, released in February 2015 that has no Ethernet lights at all on the top. TheAmped Wireless RTA1750 is unusual in that its Ethernet status lights on the front are all white. And, if you don't like them, there is a switch that turns them all off. The Asus RT-AC68U also has a button to turn off all the lights. I read that the upcoming Synology RT1900ac router (scheduled to be released some time in 2016) will let you schedule the status lights. Thus, you could have them on during the day, but off at night.

I prefer external antennas to internal ones as they are more flexible. I also prefer removable external antennas as they can be replaced if broken. They can also be upgraded should the need arise.

Documentation: Find the User Guide for the router. Look at the first two pages. Is there a date that the manual was written? Does it show the version/release the manual applies to? Is there a Last Update date? This offers a glimpse into the professionalism of the company that made the router. If the manuals are missing basic information, such as a date and version number, the company is running a second class amateur operation. Another give-away is the failure to update the User Guide to reflect changes in the firmware.

Apple fails this test. The latest setup guide that I could find for the AirPort Extreme router has no date and no version number. A check in June 2015 for AirPort manuals turned up no manuals from 2014 or 2015. The AirPort Extreme manual was from June 2013, the AirPort Express was from June 2012. Worse still, the only manuals Apple offers are short Setup Guides. They don't have a long User Guide.

Website blocking is arguably a security feature, but an optional one. I have only tested it on two routers but in both cases it was lame. Each router would block HTTP access to the site, but failed to block HTTPS access. And, if you use this feature, you also need to be able to carve out exceptions which may mean learning the MAC address of privileged devices or giving them a static IP address or using DHCP reservations. And, if a router blocks sites by name, then chances are that direct IP address reference to the website will not be blocked. So, I left it out of the checklist above.