The EtherFast is packaged in a very cool purple and gray box. All RJ45 jacks (one WAN, 3 LAN, 1 shared LAN/Uplink) are on the rear panel of the unit, along with the power adapter input (the router is powered by a small external power unit). No cables are included with the product.
A recessed reset button (nice touch, having it on the front panel) and a full complement of indicator lights are on the front panel, including:
WAN Link, Activity, & Diag ("Diag" lights if the unit malfunctions)
Link/Activity and Full/Col for each of the 4 built-in 10/100BaseT auto-sensing switched ports ("Full/Col" lights steady if the port is running full duplex and flickers if collisions are detected on a port)
Yes, you read that right. This <$200 router includes a four-port 10/100 full-duplex switch! A first for this class of router! So those speed freaks out there can pop this guy into their network and not worry about Mom's web surfing slowing down their Quake death-matches.
NOTE: The 10/100 switch is on the LAN side only! The WAN port is 10BaseT, since most broadband connections only run 1 to 1.5Mbps at best. You'll get 100Mbps full-duplex transfer from computer-to-computer only (if your NICs and drivers support it). Computer-to-Internet speed will be limited by the speed of your Internet connection, but the switch function will keep that slower connection separate from the faster LAN connections.
The EtherFast manual can be found here (~ 1.6MB in PDF format). A printed version is included with the router. You also get a floppy disk that contains a Setup Wizard for Windows users only. More on that below.
Go to this page for help and additional information for the EtherFast.
You don't need the Wizard to set up the router, but it can help inexperienced users get going more quickly. The Wizard does the following:
checks for an Ethernet adapter,
makes sure it has a working TCP/IP protocol,
prompts the user to set a static IP address (which the user will need to enter), or obtain address information automatically.
searches for routers and asks the user to select one to use.
The Wizard won't work if you have multiple network adapters installed. If you're changing from using a software router and have two NICs in the PC that you're using to set up the router, you're better off going right to the router setup screen.
The EtherFast has browser based administration, and sets up easily. You just power up the EtherFast, plug a computer with its TCP/IP set to obtain an address automatically (or from a DHCP server) into one of the WAN ports, boot the computer, launch your web browser, and enter 192.168.1.1 into your browser Location box. You'll get a login box (the EtherFast comes set with a default password... a good security feature) where you enter the password and you're in.
Security warning! Please follow the User Guide's instructions and change the admin pages' password during your initial setup. The admin HTTP server is accessible via the WAN side of the router by default in firmware versions earlier than V1.22.
If you don't change the admin password to a strong password, you may find uninvited "guests" in your LAN's computers.
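To confirm the WAN-side exposure described above on your own router, the following added example (not from the original review or from Linksys) requests the admin page and classifies the answer. It assumes the login box is standard HTTP authentication (a 401 response); the function names and the localhost stub standing in for the router are constructed for the demonstration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def check_admin_exposure(host, port=80, timeout=5.0):
    """Classify what answers an HTTP GET / at host:port.
    "unreachable"   - no TCP connection (closed, filtered, or timed out)
    "auth-required" - HTTP 401 with a login challenge (assumed login box)
    "open"          - a page is served with no login challenge at all
    "other"         - something answered, but not as an admin web server
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        resp.read()
    except OSError:
        return "unreachable"
    except http.client.HTTPException:
        return "other"
    finally:
        conn.close()
    if resp.status == 401 and resp.getheader("WWW-Authenticate"):
        return "auth-required"
    if 200 <= resp.status < 300:
        return "open"
    return "other"

def start_stub_router(require_login=True):
    """Constructed stand-in for the router's admin page, bound to localhost."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if require_login:
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="router"')
            else:
                self.send_response(200)
            self.send_header("Content-Length", "0")
            self.end_headers()
        def log_message(self, *args):  # keep the demo quiet
            pass
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

if __name__ == "__main__":
    stub = start_stub_router()
    print(check_admin_exposure("127.0.0.1", stub.server_port))
    stub.shutdown()
```

Run check_admin_exposure from a machine outside your LAN against your own WAN address; "unreachable" is the result you want there.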
Most of what you need for basic setup is on a single page, similar to those on the UMAX UGate 3000 and MacSense XRouter, and makes setup easy. Here's what you can do from this one screen:
set the WAN port IP information manually or have it act as a DHCP client and obtain everything automatically.
set the "Router name" field for those ISPs (like @Home) who require an assigned host name from any computer that is requesting connection. Entering your assigned name in this field will make sure that you don't get disconnected when @Home authenticates your connection.
set the domain name of the router. Again, some ISPs require this to be set in order to authenticate the connection. (I'm not sure if the EtherFast's DHCP server also passes the domain information to the Client machines.)
change the IP address of the LAN side from its default of 192.168.1.1.
find the WAN and LAN port MAC address and firmware revision. You'll need the WAN port information if your ISP locks your service to a specific NIC (some MediaOne/RR affiliates do this). Update 7/11/00: You can change the WAN port MAC address to whatever you want if you upgrade to the 1.30.5 firmware.
Many users will never need to go past this first screen, but if they do, they'll find screens for doing the following:
Changing the password.
Checking the router status
Enabling / disabling the DHCP server and changing the starting address of assigned IP addresses. You can also check the DHCP client table.
Getting help. (You can also access related help from a button on each setting page.)
The EtherFast has an interesting mix of advanced features. It has some routing features that you don't typically find on this class of router. But other feature limitations make it look more like other routers in this price range.
Perhaps the most interesting, useful feature is the EtherFast's ability to handle PPTP connections from multiple clients! I didn't test this capability, but if it's true, then Linksys may have a first in this area!
Update 1/11/00 Linksys has confirmed the multiple PPTP client capability.
Also interesting is that you can enter static routing entries or let the router dynamically adjust its routing tables. You can set the router to either Gateway (the normal NAT-based operation) or Router mode (if you have another NAT gateway to connect you to the Internet) and separately specify whether the router transmits RIP1, "RIP1-Compatible", or RIP2 protocols and receives RIP1 or RIP2 protocols.
The port mapping (Linksys calls this "Forwarding") is limited, but probably adequate unless you have a lot of Clients on your LAN that need to accept inbound connections. You can open ports in the firewall so that servers on your LAN computers can be accessed from the Internet, but you are limited to 10 port-number-to-LAN IP mappings and you can't specify TCP or UDP protocol... it forwards both. In addition, one computer can be completely placed outside the firewall (DMZ Host).
4/23/01 Port range mapping (10 port ranges), port range filtering, and logging features added by 1.37 firmware.
Update 4/23/01 With 1.37 firmware, you can control Internet access on up to 5 ranges of IP addresses. For each IP address range, you can set a range of TCP or UDP (or both) ports to be filtered. You'll have to manually assign the Client IP address information for filtering by IP address to work reliably (a fairly standard requirement).
You can also enter up to 50 MAC addresses that will have all Internet access blocked.
Update 7/11/00 Limited logging has been added with the 1.30.5 firmware.
Finally, Linksys's Competitive Matrix lists an "Application Sensing Tunnel" that they say "... can sense the application type and open multi-port tunnel for it... " but I can't figure out what it does or how it works!
Go here for a list of applications that the Linksys supports.
Is it Hot?
Update 3/11/01 The results below have been reversed, WAN for LAN, to be consistent with present testing methods.
I finally ran the Qcheck suite of tests on Linky. Here's what I found:
[Tests run with Ver 1.37.1 firmware]
Qcheck Transfer Rate (Mbps) [1Mbyte data size]
Qcheck Response Time (msec) [10 iterations 100byte data size]
Linky's speed has definitely improved with the later firmware and is very competitive with most routers in its class.
NOTE: Linky showed a tendency to lock up on the WAN-LAN UDP streaming tests. First run would go ok, but second run would lock up the router, requiring a reset button press to get it going again.
You won't be able to do the following with the EtherFast, but these limitations are common in the routers in this price range:
No content filtering.
No time-based access control
No "official" support for the RoadRunner TAS login protocol (Linksys says it works with some RR affiliates, not with others)
Updated 2/25/01 This section summarizes problems that have been reported by users. Also check the Help Page.
Hosting Quake3, Unreal Tournament, and other servers may not work, but this problem may be reduced or eliminated with the 1.37.1 firmware.
Firmware updates are frequent and add new features, but often break existing functions.
Problems continue with maintaining PPPoE connections, especially for Sympatico users. The combination of PPPoE and either PPTP or IPsec is particularly troublesome. See this page.
You may encounter long delays in reaching Linksys Tech support. Some unfriendly and unhelpful tech support personnel have also been reported, especially on weekends. You may also be asked to leave a call-back number instead of being able to talk to a Tech Support person. Email support requests often go unanswered.
Some NICs (including Linksys NICs!) don't seem to work with the built-in switch. Symptoms are no Link LED and/or inability to connect to other computers. Go here for help on this.
(700+ opinions and many, many emails later, I figured it was time to again update this summary!)
Linksys continues to hold its own in the price / performance battles with the other low cost routers that have been introduced since this router first hit the streets. The BEFSR41 and the newer 1 port BEFSR11 are runaway best sellers and have given this entire market segment a real kick in the pants! Linksys also has excellent retail distribution, which gives it a definite advantage over its competition.
That being said, the ongoing problems mentioned above, and Linksys' overloaded Tech Support group have caused a good deal of frustration and bad feelings among a number of users. Users are especially frustrated by new firmware releases that add new features, but break existing ones. Although Linksys has been hard at work on the problems, solutions have been elusive in some cases. This has caused some users to give up and buy other products.
So the new bottom line is more like:
"Great product for most users, an exercise in frustration for some, and users with advanced needs (especially for large numbers of mapped ports) may not be able to successfully use the product."