D-Link Wireless Router Plus Switch
Author: Tim Higgins Review Date: 1/3/2001
Pros:
- Fast routing and wireless speed.
- Supports dialup modem WAN connection.

Cons:
- More expensive than competing products.
- No wireless performance monitoring.
2/27/01 Checked for WEP enabled throughput degradation (results here).
1/4/01 Misc. spec/feature updates. Added info about no print server.
Check this page for a summary of the product's wireless capabilities and this page for its routing features.
Ethernet LAN Link/Activity
Ethernet LAN 10/100
One RJ45 10BaseT Ethernet WAN
Three RJ45 10/100BaseT switched Ethernet LAN
One DB9M "COM" port.
printed User's Manual
printed Quick Installation Guide
CDRom with PDF copies of documentation
Two CAT5 UTP cables
100-240V Power supply
Two moveable position, non-detachable dipole "rabbit ears"
Hardware reset button
NO Uplink port or Normal / Crossover switch for LAN Ports (see this page if this concerns you!)
D-Link has rolled out so many 802.11b 11Mbps wireless products in the past few months that it was hard to choose which one to review first! They decided to send the DI-713 Wireless Router Plus Switch and it looks like a good decision! Let's see why...
Setting up - Router
The 713 strongly physically resembles the SMC 7004WBR and its browser-based admin screens are similar to those of the Barricade and Asante FriendlyNET (see screen shots below). The routing feature set is virtually identical to that of those routers and should handle most users' needs.
NOTE that the 713 does not have the built-in Windows print server that the SMC product has.
The 713 set up easily for me since it comes set as a DHCP client on its WAN port and with its DHCP LAN server enabled. D-Link even includes two normal UTP cables for connecting the 713 into your LAN. Setup is web-browser based, with the Admin webserver located at 192.168.0.1. The 713 comes with a default password, which you should change as soon as possible, since it's commonly known!
D-Link includes a printed Quick Start poster and printed User Manual, with PDF copies of them on a CDROM.
NOTE: Early shipments have only one UTP cable and don't contain the CDROM.
D-Link's web and FTP sites have no information that I could find on the 713, however. So if you have problems you'll have to contact Tech Support (the call is not free). You can also try our Wireless Troubleshooting pages.
Your WAN connection can be via static IP, assigned Dynamically, via PPPoE, or even dialup modem (via the built-in serial COM port... you supply the modem). The 713 will clone a MAC address for MediaOne/RR users, and allows you to set the Host Name and DHCP server Domain name for @Home users. There's no support for the RoadRunner TAS login, however, if your RR ISP is still using it.
You can access the Admin server from the WAN side if you enable the Remote Administrator Host (Advanced > Miscellaneous Items page... be sure you set a strong password!). You can enter one IP address of a machine that you want to allow admin access to. Once enabled, you reach the admin server at port 88 for both LAN and WAN side access, i.e. 192.168.0.1:88 for LAN side access and your WAN side address plus :88 for WAN side access (Example 126.96.36.199:88).
"Loopback", i.e. using the WAN side address for forwarded services from LAN clients, worked just fine. The 713 will even redirect your Admin page request to port 88 if you have the Remote Administrator Host feature enabled and you forget to type 192.168.0.1:88 to reach the Admin server.
The router logs all admin logins and allows only one login at a time (the second login attempt will get a popup with the IP address of the presently logged-in administrator). The Admin server will also log you out automatically after a certain time period (about 5 minutes) that you can't change.
The default configuration of the 713 was properly secured, with no open TCP ports found (I did not scan UDP ports), and no response given to the scan probe. The logging feature captured my scans (see below) accurately.
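To repeat that check on your own router after changing the Remote Administrator Host setting, the sketch below (an added example, not part of the original review or any D-Link tool) probes the admin ports and separates "closed" (the router answers with a reset) from "filtered" (no response, as the review saw in the default configuration). Port 80 as the LAN admin default and the function names are assumptions; port 88 comes from the review.

```python
import socket
import sys

HTTP_PORT = 80          # assumption: browser default used for the LAN admin page
REMOTE_ADMIN_PORT = 88  # admin port once Remote Administrator Host is enabled (from the review)


def probe(host, port, timeout=3.0):
    """TCP connect check: 'open', 'closed' (RST came back) or 'filtered' (silence)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:          # timeout, host/network unreachable: nothing usable came back
        return "filtered"
    finally:
        sock.close()


def audit_wan(wan_addr, from_allowed_host=False, prober=probe):
    """Classify the admin ports as seen from an outside host.

    Run this from a machine on the Internet side: a probe of the WAN address
    from a LAN client may be handled by the router's loopback feature rather
    than by its WAN-side filter.
    """
    report = []
    for port in (HTTP_PORT, REMOTE_ADMIN_PORT):
        state = prober(wan_addr, port)
        if state == "open":
            ok = from_allowed_host and port == REMOTE_ADMIN_PORT
            verdict = "expected" if ok else "exposed"
        elif state == "closed":
            verdict = "visible"   # router answers probes instead of staying silent
        else:
            verdict = "stealth"   # matches the default behaviour the review observed
        report.append((port, state, verdict))
    return report


if __name__ == "__main__" and len(sys.argv) > 1:
    for port, state, verdict in audit_wan(sys.argv[1], "--allowed" in sys.argv):
        print(f"{sys.argv[1]}:{port} {state:8} {verdict}")
```

An "exposed" verdict from a host other than the one entered as Remote Administrator Host means the admin page is reachable more widely than intended.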
Advanced Routing features
As I said previously, the 713's router feature set is very similar to the SMC Barricade and Asante FriendlyNET. I'll just quickly recap the features and you can check the Asante review if you want more details.
NOTE: Opening holes in your firewall can compromise your LAN's security if done incorrectly.
Port Forwarding - You can set 10 single port to IP address "Virtual Servers". No choice of TCP or UDP protocols...both are forwarded for a specified port.
"DMZ" - You can place one computer completely outside the 713's firewall.
Special Applications - You can specify four sets of port ranges (each set can have multiple port ranges and single ports within it), and specify a single outbound port that the router watches. (Go here for an explanation of how this feature...also sometimes called "Triggered Maps"... works.)
Access Control - You can enter a list of individual and multiple port ranges for each of 4 IP address groups and set the group to either block or allow access on the listed ports. You can't block access by MAC address.
Logging - The log shows mostly admin-related activity, logging Admin page logins and dialup and PPPoE session connects. It also captured my port scans, logging both the IP address and port numbers scanned. It does not log URLs, or anything else related to Internet traffic that passes through the router. You can't save or print the log, have the log sent to a file on a LAN machine, or emailed. You can clear the log only by rebooting the router.
Routing - The 713 has neither a Static routing table nor support for RIP.
VPN - Both PPTP and IPsec client passthru are supported. Update 1/4/01: 8 simultaneous PPTP or IPsec client sessions can be supported. One IPsec server can be supported on the LAN side (you'll need to set Port 500 as a Virtual server). No information as to whether a LAN PPTP server can be accessed from the WAN side, however.
That about covers the features of the router, except for the speed trials. You'll find them on the next page.