Home network and router security | Traficom
Skip to main content
Transport and Communications Agency

Home network and router security

Your modem or router is the gateway to your home network, which is why it is especially important to keep it secure. Your modem and router may be two separate devices, or you may have a single device that serves as both a modem and a router. In these instructions, we go over the basics of router security to help you protect your home network and personal data.

This page details the most important security settings of your home network device that you should be aware of:

  • Disable remote access to your router from outside your own network or make sure that the feature is secure.
  • Change your default password.
  • Updating your device – enable automatic updates.

You can configure your home router via its admin portal, which you can access by entering your router’s IP address into your browser address bar on your computer or laptop and signing in using the username and password marked on your router. Depending on your router’s settings, signing in to the admin portal may require your computer or laptop to be connected to the router’s network. You can find the IP address used for configuring your router in the device’s user manual or on a sticker attached to the device, for example. The password is marked on the router, unless you have already changed it.

Why would criminals be interested in my device or home network?

Criminals are constantly scouring the internet for vulnerable network devices both manually and by automated means. Once hijacked, network devices can be used to carry denial-of-service attacks, for example. Distributed denial-of-service (DDoS) attacks are often carried out using remote-controlled devices that the attacker has hijacked. Criminals can also use hijacked network devices to cover their own tracks or carry out attacks from IP addresses in the target country. The latter is effective because malicious traffic originating from the network of a domestic ISP is not as easy to detect as malicious traffic originating from a foreign network. Denial-of-service attacks are also often prevented by temporarily cutting off traffic originating from foreign networks. Such measures will obviously not affect domestic hijacked devices. This is a good example of why a single hijacked device in the domestic network will not always be immediately detected based on the various rules used in data traffic management.

The most important security settings

The rule of thumb is to connect the internet to the WAN port on the device and the devices on the internal network to the LAN ports. Although the products are made to be consistent in terms of, for example, gate naming and colour coding, there is still a lot of variation. You should always check the instructions for use of the appliance to make sure the connections are correct.

For security, it is important to connect the network cables to these ports correctly.

The WAN port is used to connect the router to the internet. Only the apartment's internet cable should be connected to this port. Depending on the type of connection, this cable comes either directly from the building distributor, via a DSL modem or, in the case of a fibre connection for example, from the operator's fibre adapter.

LAN ports connect devices that need internet access to the home's internal network. Computers and printers, for example, are connected to these ports.

The cable for the incoming internet connection to the apartment must not be connected to the LAN port of the router. This connection effectively bypasses the router's protections and exposes other devices on the local network to harmful traffic coming directly from the internet.

It is important that all home devices are connected to a protected internal network and that they are not directly connected to an external network.

You may have received separate connection instructions from your internet service provider. Please read and follow the instructions carefully.

Some routers have features that may be convenient and useful, but make your network less secure. If your router has remote access enabled, criminals who breach your home network will be able to change your router settings remotely. Because of this, you should disable remote access (sometimes called remote management) on your router. In some cases, this feature can be used to access home networks remotely, but regular users have no reason to keep the feature enabled.

Routers usually have default usernames and passwords for accessing the admin portal marked on them. Leaving the default username and password unchanged is a security risk, which is why you should change the default username and replace the default password with a stronger one when you sign in to the admin portal for the first time.

Criminals are constantly looking for firmware vulnerabilities in network devices to exploit. Updates are a way of patching these vulnerabilities. It is therefore important to keep your home router updated to prevent criminals from exploiting vulnerabilities in old firmware versions that have been patched with updates. ISPs offer automatic updates for some routers, but there are also router makes and models that require the user to carry out firmware updates manually. Updates can be downloaded via the device admin portal or the manufacturer’s website. In other words, what you should do is check the make and model of your router and try to find the latest firmware version on the manufacturer’s website, unless it is available directly via the admin portal.

The SSID, or service set identifier, serves as the name of a Wi-Fi network. SSIDs are used to tell Wi-Fi networks apart. A default SSID may reveal the manufacturer of the router, potentially tipping off attackers about vulnerable routers. Because of this, you should choose an SSID that does not directly identify the location or manufacturer of your router. You can change your SSID by signing in to your router’s admin portal. Please note that if you have home smart devices or automatic systems, you will need to update the new SSID or password on them as well to continue using them.

A firewall is like the digital equivalent of traffic police, controlling the borders of a network based on pre-defined rules. A firewall can be used to prevent specific inbound or outbound data traffic. You should keep your homer router’s firewall enabled. You can check its status and settings via the router admin portal;the firewall can usually be found under the ‘Firewall’ section of the portal. Check that the firewall is enabled, and if the manufacturer offers features that protect against various types of attacks, you should enable them too. In general, it is a good idea to configure the firewall to prevent any unnecessary connections.

The data transmitted via your Wi-Fi network can be encrypted to prevent others from seeing what you do on your network or accessing your personal data. If you want to encrypt your home network, enable WPA3 Personal or WPA2 Personal in your router settings. You can check whether they are already enabled via your router’s admin portal, where the options can be found under ‘Encryption options,’ for example. If neither of these options are available on your router, your router is nearing the end of its life cycle.

Restarting your router can fix network and connection speed issues, as doing so clears the router’s cache. Clearing the cache also contributes to information security.

If a router is infected with malware, the malware may stay hidden and operate in the background without the user noticing. However, restarting the router may interrupt the malware’s processes. Malware can be removed from a router by factory resetting the router. However, when doing so, it is important to also check any other devices on the same network for infections.

Restarting a router also confirms any changes made to the router and its settings for the devices using the router.

Many routers allow you to set up a guest network with a different name and password than the primary network. You can set up a new network and assign it a name (SSID) and password via your router’s admin portal. The process of establishing guest networks may differ slightly between manufacturers, but generally proceeds the same way. Guest networks can also be encrypted in the same way as normal home networks. Establishing a guest network is a good security measure for several reasons:

  • A separate SSID and password ensure that fewer people have the information needed to sign in to your primary Wi-Fi network.
  • If a device infected with malware is connected to the network, the malware will most likely be prevented from spreading beyond the guest network to other devices.
  • You can also set up a guest network specifically for IoT devices. IoT devices are not always fully secure, so using a guest network can prevent your entire home network from being compromised in the event of an IoT device being hacked or leaking data.

How to check your home network's visibility on the internet

The first step in finding out how visible your home network is, is to find out the public IP address of your internet connection. A public IP address is, as the name suggests, the address from which devices in your network are visible to other internet users. In many mobile broadband routers, the connection is routed using the so-called NAT Network Address Translation, where the external (WAN) address of the home router is not yet actually a public IP address.


- You can check your public IP address
   - In your router settings
   - At https://bittimittari.fi/en  (remember to disable any VPN connection for the test)
       1. Select "Proceed to measurement"
       2. Select "Start measurement" and wait for the measurement to complete
       3. Once the measurement is complete, select "specifications" at the bottom of the page
       4. See your public IP address at: "IP Address" (e.g., IPv4: 123.134.245.67 or IPv6: 2001:4860:4860:0:0:0:0:8888 or 2001:4860:4860::8888)

Once you have determined your public IP address, you can view the visibility of that address through Shodan, Censys or similar services.

If you are using an IPv4 address (e.g., 123.134.245.67):

- https://search.censys.io/hosts/xxx.yyy.zzz.vvv/ (replace xxx.yyy.zzz.yyyy with the IP address received in step 1)

- https://www.shodan.io/host/xxx.yyy.zzz.vvv (replace xxx.yyy.zzz.yyyy with the IP address received in step 1)

If you are using an IPv6 address (e.g., 2001:4860:4860:0:0:0:8888 or 2001:4860:4860::8888):

- https://search.censys.io/hosts/abcd:ef01:2345:6789:abcd:ef01:2345:6789 (replace the example address with your IP address)

- https://www.shodan.io/host/abcd:ef01:2345:6789:abcd:ef01:2345:6789 (replace the example address with your IP address)


The services may contain different information, so it is recommended to check the information with both services. In most situations, it is not a good idea to have anything visible from home networks on the public internet side. When you want to access home network services remotely, special care must be taken with the public visibility of the services.

A search service view where nothing from the internal network is visible to the public network. If the search service results differ from the image, you should consider whether certain services are intentionally open to the public network.

Page was last updated