9/8/00 - See this info on newer firmware, Fax utility and more!
8/28/00 - Added FTP-based firmware updating. Added support information
8/1/00 - Clarified port range mapping capability, loopback status, and logging features.
100Mbps, Link/Activity, for each of four LAN ports
"Internal connection", Link/Activity for the WAN port
Printer active (FR3004LC only)
COM (FR3004LC only)
One RJ45 10BaseT for the WAN
Four RJ45 auto sensing 10/100BaseT LAN
Printer (25p female D parallel port -- FR3004LC only)
COM (9p male D serial port --FR3004LC only)
printed User guide
CDRom with HTML setup guide, PDF copy of User guide, and more
one page Quick Installation Guide
NO Hardware Reset switch
NO Uplink or Normal / Crossover switch for LAN Ports (see this page if this concerns you!)
The buzz started building early on this router, so I was anxious to get a look at it and see what all the noise was about. The good news is that the router is fast. The bad news is that there are a few quirks to be ironed out in the firmware, the documentation needs work, and the feature set isn't as exciting as it was a few short weeks ago, given other recent product introductions and firmware upgrades. Want the details? Read on!
Setup and Basic Features
The Friendly comes in two flavors. The base model is the FR3004. The FR3004LC (which is the model that this review is based on) adds a COM port that you can attach a dialup modem or ISDN TA to and use the router to share your dialup or ISDN account. The LC also adds a Windows-compatible print server. The third model is the FR3004 USB, which drops the COM port and supplies a USB port instead of a parallel port to attach to the Print server. [[No USB version -- see updates above.]]
The FriendlyNet manual can be found on this page (845KB, PDF format). A printed copy of the manual is included with the Friendly, as well as a PDF copy and other documentation and programs on a CDROM.
Updated 8/28/00 Asante has added support info, including Mac and Windows versions of the firmware updater here. Asante's updaters are applications and don't give you access to the firmware files themselves. However, the SMC Barricade uses the same firmware and their distribution (which you can download from this page) contains the firmware binary files and instructions for uploading to the router via FTP. So even Linux users should be able to now use the Friendly!
Setup is web-browser based, with the Admin webserver located at 192.168.123.254. The Friendly comes with a default password, which you should change as soon as possible, since it's commonly known! But as you can see from the Login screen below, the Friendly reveals too much about itself to potential mischief-makers. Good security practice would replace this screen with a simple Username and Login page or popup, with no device details (not even the router name!).
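You can check the login-screen point on your own router by looking at what the admin page returns before any credentials are entered. The following is an added example, not part of the original review or Asante's software; the leak categories, the patterns, and the made-up "ExampleRouter 1000" responses are assumptions constructed for illustration.

```python
import re

# Categories of detail a pre-login page should not expose. The categories and
# patterns are illustrative assumptions, not a list taken from the review.
PATTERNS = {
    "firmware_version": re.compile(r"(?i)\b(?:firmware|version)\s*[:=]?\s*v?\d+(?:\.\d+)+"),
    "mac_address": re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b"),
    "private_ip": re.compile(
        r"\b(?:10\.\d{1,3}|192\.168|172\.(?:1[6-9]|2\d|3[01]))\.\d{1,3}\.\d{1,3}\b"),
}

def split_response(raw):
    """Split a raw HTTP response into (headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def audit_login_page(raw, device_names=()):
    """Return (category, evidence) pairs for details leaked before login."""
    headers, body = split_response(raw)
    findings = []
    server = headers.get("server", "")
    if re.search(r"\d", server):                 # product/version banner
        findings.append(("server_header", server))
    visible = re.sub(r"<[^>]+>", " ", body)      # crude tag strip, enough for this check
    for category, pattern in PATTERNS.items():
        findings += [(category, m.group(0)) for m in pattern.finditer(visible)]
    for name in device_names:                    # names you know identify your device
        if name.lower() in visible.lower():
            findings.append(("device_name", name))
    return findings

# Constructed sample responses; "ExampleRouter 1000" is a made-up device.
VERBOSE = ("HTTP/1.0 200 OK\r\nServer: ExampleHTTPD/1.2\r\n\r\n"
           "<html><title>ExampleRouter 1000</title><body>"
           "<p>Firmware Version: 1.93</p><p>LAN MAC 00:11:22:33:44:55</p>"
           "<p>LAN IP 192.168.0.1</p><form>Password <input type=password></form>"
           "</body></html>")
MINIMAL = ("HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
           "<html><title>Login</title><body><form>Username <input name=u> "
           "Password <input type=password name=p></form></body></html>")

if __name__ == "__main__":
    for label, page in (("verbose", VERBOSE), ("minimal", MINIMAL)):
        print(label, audit_login_page(page, device_names=["ExampleRouter 1000"]))
```

An empty result for the page your router serves before login is the goal; every finding is something a stranger learns without a password.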
You can also access the Admin server from the WAN side if you enable the Remote Administration feature (Advanced Setup page ... be sure you set a strong password!). You can enter one IP address of a machine that you want to allow admin access to. Once enabled, you reach the admin server at port 88 for both LAN and WAN side access, i.e. 192.168.123.254:88 for LAN side access and your WAN side address plus :88 for WAN side access (Example 18.104.22.168:88).
While checking out this feature, I noticed that "loopback" doesn't appear to be implemented in the Friendly. So if you have any Virtual servers set up, you'll need to access them by their LAN IP addresses from any machines on the LAN. Asante says that this feature is in the works, however.
The router logs all admin logins and allows only one login at a time (the second login attempt will get a popup with the IP address of the presently logged-in administrator). The Admin server will also log you out automatically after a certain time period (5-10 minutes) that you can't set.
You can look at some of the Admin screens below.
The Friendly comes with its built-in DHCP server enabled and set to be a DHCP client on the WAN side of the router. The one-sheet Quick Installation Guide that comes with the router describes how to set both Windows and Mac clients' TCP/IP properties so that the client gets its TCP/IP info from the Friendly's DHCP server. Static IP client setup is also described in the User Guide, but for Windows only.
I couldn't get the Friendly to lease an address from my test setup DHCP server and had to set a static IP on the WAN port. (Since I test on a private network, this was ok for me to do, but setting a static IP on your ISP's DHCP served network can get you into trouble and isn't advised.) Asante has been informed of the problem, but they've made no comment about a fix. I tried another DHCP server and was able to get a DHCP lease, but every other router I've tested has checked out ok with my regular DHCP server, so I suspect that Asante has a little work to do in this area. 5/25/01 NOTE: This has been fixed via updated firmware.
The router WAN setup is different from most other routers. You choose the WAN Type (see screen shot below), then a screen with the appropriate setup properties is presented to you. WAN types supported are:
Dialup (LC model only)
There's no support for the RoadRunner TAS protocol, but the Friendly can copy the MAC address from a client machine for those ISPs that do MAC authentication (like MediaOne). If you do this, make sure you connect only the machine that has the present MAC registered to the router LAN side and copy the MAC address before you connect other computers to the LAN. This feature has no way for you to specify the IP of the machine to copy the MAC address from, and it looks like it just uses the first MAC address it sees connected to the LAN ports.
The PPPoE setup screen allows you to enter your account login information, but you'll need to go to the Status screen to force a connect / disconnect, and the router Log via the Miscellaneous screen to see the PPPoE session login information. The "@Home" connection method allows you to specify a Host name, but if your Client machines need domain information, you need to go to the DHCP Server page to set that.
Speaking of the DHCP Server, you can set the starting and ending IP addresses that the DHCP server will hand out, or disable it and assign your Client IP info manually. You can't see what addresses the DHCP server has leased, however, or reserve IP addresses by MAC address.