Netgear RT311 Internet Access Gateway Router
Author: Tim Higgins Review Date: 4/11/2000
Pros: Full-featured and aggressively priced. Supports PPTP and PPPoE.
Cons: Filtering difficult to configure. Firmware upgrading difficult.
6/11/01 Port range forwarding added by V3.25 firmware.
11/20/00 Updated links broken by NETGEAR site layout.
8/3/00 Info added about MacOS syslog shareware client.
7/19/00 IPsec client passthru support added w/ 3.20 firmware.
7/18/00 Contrary to Netgear's marketing literature, the router does not perform "stateful inspection" beyond what is done by NAT (Network Address Translation). Go here for more info.
7/10/00 The RT311 is back on the shelves again!
6/24/00 The RT311 is not being discontinued, but it has been pulled from distribution for a software update. Go here for RT311 "alert" information.
The 3.20 firmware adds web-browser based configuration and Dynamic DNS.
The RT311 is packaged in one of Netgear's trademark blue metal boxes. All connectors are on the rear panel of the unit, along with the power adapter input for the small 12VDC external adapter. The RT311 has no hardware reset button.
The front panel contains the following indicators:
Test (System status indicator)
Internet Link / Activity
Local Link / Activity
Local 100 (indicates 100BaseT operation)
The RT311 manual can be found here (rt311ref.pdf), and the Installation Guide here (rt311inst.pdf). The unit comes with an Installation Guide "poster" and a "Resource CD". This CD contains the Reference Guide in PDF format, HTML-based Applications and Help pages, and the Windows-only "FirstGear" setup utility.
The Netgear support Web site includes FAQs, application notes, and a download area for firmware updates. (You can browse the "downloads" file listings by going to this page.)
Setting up. Deja vu all over again...
Version 3.2 firmware adds web browser based configuration, eliminating the need for the Firstgear configuration program. Go here for firmware download info.
The word in the newsgroups is that the RT311 is the same as the ZyXEL Prestige 310 router. Neither ZyXEL nor Netgear will confirm that this is the case, but one look at the admin interface was enough to tell me that it's the same box! The differences between the two are that the RT311 has a metal case, a longer warranty (5 yrs vs. 2), toll-free 24x7 support, and a different setup program.
The "FirstGear" setup program is a Windows-only application that Netgear ships with the RT311. (See screenshot below. Click on it for a larger view.)
I had a little trouble getting to this screen and the instructions in the Installation Guide didn't help. (You need to click on the line that is highlighted in the Login screenshot below. This selects a router to configure. Then click on the Configure button.)
FirstGear will let you set the RT311 for one of the two RoadRunner login protocols or just the normal "Standard" service. You can also set a static IP and DNS server on the WAN interface or set the router to pick the info up from a DHCP server. Finally, you can set the base address of the LAN side of the router and the Subnet mask used.
Fortunately (especially for non-Windows users), if your ISP uses a DHCP server to assign your IP address, and doesn't use a special login protocol (like the RoadRunner TAS) or PPPoE for authentication, the RT311 will work "out of the box". Just set your computer to obtain its IP address information automatically (or from a DHCP server), connect it to the RT311, reboot your client and you should be in business.
More advanced configuration must be done with your favorite Telnet program from the LAN side. Also, if you are not a Windows user, you must do all configuration by Telnet. This will be no big deal for Linux and Unix users, but it may be the first time a MacOS user has had to deal with a terminal emulator and Telnet. Here are a couple of screens so that you can get a feel for the interface (you can click on them for larger views):
Security Note: Netgear ships the RT311 with a WAN Telnet filter enabled and an administration password set. This ensures that, if nothing else, novice users won't be able to connect the unit to their cable or DSL modem and then have the RT311 cracked into before they even know what's happening. Keep in mind that Telnet sends the password in clear text, so administer the unit from the LAN side only.
Update 6/11/01 V3.25 firmware removes these default filters. If you upgrade, verify from the Internet side that Telnet (TCP port 23) is no longer reachable on the RT311's WAN address, or re-create the filter yourself.
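A quick way to perform that check is to probe the router's WAN address for TCP port 23 from a host outside your LAN. The script below is an added example, not part of the original review or Netgear's software; it distinguishes an open port from one that actively refuses (RST) and one that silently drops packets, which is what a working block filter looks like. The self-test at the end uses a throwaway local listener so it runs offline; the host name and port you pass on the command line are your own.

```python
"""Probe a TCP port and classify the answer (added example, not RT311 code).

Run it from a host on the Internet side of the router, e.g.
    python probe.py 203.0.113.5
to confirm that the RT311's Telnet admin interface (TCP/23) is not reachable
from the WAN after a firmware upgrade removed the default filter.
"""
import socket
import sys
import threading

TELNET_PORT = 23


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'open', 'closed' (connection refused) or 'filtered' (no answer).

    'closed' means the target answered with a reset: the port is reachable but
    nothing listens. 'filtered' means nothing came back inside the timeout,
    which is the expected result when a block filter drops the SYN.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        # no route / host unreachable: treat as not answering
        return "filtered"
    finally:
        s.close()


def telnet_exposed(host: str, port: int = TELNET_PORT, timeout: float = 3.0) -> bool:
    """True only when something actually accepts a connection on the port."""
    return probe_tcp(host, port, timeout) == "open"


def self_test() -> dict:
    """Exercise probe_tcp offline against a listener on 127.0.0.1.

    The listener port is chosen by the OS (bind to port 0); it stands in for
    a router that still has Telnet reachable. After the listener is closed the
    same port must report 'closed'.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    # accept one connection in the background and close it again
    t = threading.Thread(target=lambda: srv.accept()[0].close(), daemon=True)
    t.start()
    while_listening = probe_tcp("127.0.0.1", port, 1.0)
    t.join(2)
    srv.close()
    after_close = probe_tcp("127.0.0.1", port, 1.0)
    return {"while_listening": while_listening, "after_close": after_close}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]
        print(f"{target}:{TELNET_PORT} -> {probe_tcp(target, TELNET_PORT)}")
    else:
        print(self_test())
```

If the probe reports "open" from outside, the admin interface is exposed; "filtered" is what you want to see once a block filter is in place, and "closed" means the port is reachable but the service is not listening there.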
If the default LAN IP of 192.168.0.1 is not compatible with your local numbering scheme, and you are not a Windows user, you must perform all initial configuration via the serial connection and a VT100-capable terminal program. This provides access to the same interface as Telnet above, but does not require a functional TCP/IP connection. The included serial cable and adapter are compatible with most PCs, but Macintosh users must supply their own serial cable.
Given this setup method, Netgear tries to make things as easy as possible for users to set up the unit. The documentation (in the Reference Guide on the CD) is clear and they even include normal, and "crossover" UTP cables, a DB-9M to DB-9F serial cable, and a DB-25F to DB-9M cable adapter! However, since virtually all comparable routers have simpler to use and understand web-based setup, this interface may cause networking novices (particularly MacOS users) to look for other, easier-to-use solutions.
You can manually set the RT311's WAN port information or have it act as a DHCP client and obtain everything automatically. The RT311 can handle "host name" authentication (like @Home uses) and the RoadRunner TAS authentication methods, and allows you to set the WAN interface MAC address equal to that of a NIC connected to the LAN side. This last method will help MediaOne/RR users whose service is tied to a specific NIC avoid having to call in their new MAC address.
On the LAN side, you can set the starting IP and range of addresses that the DHCP server will hand out (up to a max of 32 addresses), or disable it and assign your IP info manually.
Upgrading the firmware
The firmware upgrade process may be the worst "feature" of the RT311. The first method requires using the serial connector on the back of the RT311, connecting a computer running a terminal emulator capable of XMODEM transfers (Windows' HyperTerminal for example), and typing in commands to transfer files.
Your alternative is to use TFTP and Telnet over an Ethernet connection. This method requires typing in commands once you are connected, and can therefore be error prone.
Update 4/19/00 Netgear refers you to Walusoft's Web site for a TFTP client. However, this product is no longer free. You can obtain a free FTP/TFTP client/server application from 3COM's Software Library. (Thanks to Al Cardi for this tip!)
3CD207.zip (approx. 950KB) 3CDaemon version 2.0 revision 7. Freeware. Integrated TFTP/FTP/Syslog Daemon for Windows 95/98/NT. (Note the included Syslog daemon, which will come in handy if you use the RT311's logging capability.)
3cs117.zip (approx. 1046KB) 3CServer 1.1.007 - a TFTP and FTP server and client for Win32.
TFTP itself has no authentication, and the TFTP clients in these applications can't answer a password challenge, so you'll first have to temporarily disable the RT311's admin password before you can use them. While the password is off, anyone who can reach the unit's Telnet or TFTP ports can administer it, so do the upgrade from the LAN side and remember to restore the password as soon as you are finished upgrading the firmware!
Netgear added the ability to upgrade the firmware via FTP in their 2.50 firmware update. This removes the cost issue (since there are free FTP clients available), but the upgrade process is still more error prone than that of competing products.
The RT311 has a number of features that network-savvy users will appreciate. It supports the RIP-1, RIP-2M, and RIP-2B routing protocols and you can set the unit to send only, receive only or do both with its routing information. You can set up to 8 static routes in the RT311 itself. These features make it easy to incorporate the RT311 into larger networks with multiple routers.
You can open holes in the RT311's firewall so that servers on your LAN can be accessed from the Internet, but you are limited to 8 port-number-to-LAN IP mappings. You can't specify TCP or UDP protocol, and you can't map port ranges, either.
Update 6/11/01 V3.25 firmware adds 10 sets of port range forwarding.
One of the eight mappings is dedicated to the Default Server mapping. This is similar to the DMZ Host or Exposed Computer feature on other routers. Any inbound service request that doesn't have a defined IP address to handle it will be sent to the Default Server, so the host you name there is effectively exposed to the Internet on every port that isn't mapped elsewhere or blocked by a filter. This leaves seven single-port mappings for users to set. If you want anything more complicated in the way of mapping, you'll have to dig into Filters.
Filtering is very flexible, but is the hardest feature of the RT311 to use. Filters allow you to block or pass data matching specific criteria that you set from entering or leaving your LAN. Netgear has provided powerful filtering capability, but, unfortunately, you need to configure it at a level that requires more understanding of networking protocols than most users will have. The RT311 comes by default with filters enabled that block Telnet from the WAN side and limit NetBIOS traffic to the LAN.
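To make the interaction between the Default Server, the seven single-port mappings and the default filters concrete, here is a small model of the inbound decision the two paragraphs above describe. It is an added example written for this page; it is not the RT311's firmware, and its filter and mapping objects are not the unit's filter syntax or Telnet command set. The two filters it starts with are the defaults the review mentions (block WAN-side Telnet, keep NetBIOS on the LAN). The review does not say whether the real unit evaluates filters before or after NAT mappings; here filters run first, which is an assumption. All addresses and packets are constructed.

```python
"""Model of RT311-style filters plus port mappings (added example, not RT311 code).

Assumptions: filters are evaluated before the port-mapping table; a mapping
is keyed on destination port only (the review says you can't specify TCP or
UDP); seven single-port slots plus one Default Server slot.
"""
from dataclasses import dataclass
from typing import Optional

TELNET = 23
NETBIOS_PORTS = {137, 138, 139}   # NetBIOS name, datagram and session services


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on: "WAN" or "LAN"
    proto: str      # "tcp" or "udp"
    src: str        # constructed addresses, illustration only
    dst: str
    dport: int


@dataclass
class Filter:
    """Block or pass packets matching arrival interface, protocol and port."""
    name: str
    action: str                       # "block" or "pass"
    iface: Optional[str] = None       # None = any interface
    proto: Optional[str] = None       # None = any protocol
    ports: Optional[set] = None       # destination ports, None = any

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.iface)
                and (self.proto is None or self.proto == p.proto)
                and (self.ports is None or p.dport in self.ports))


# The defaults the review describes: no Telnet in from the WAN, and NetBIOS
# neither coming in from the WAN nor leaving the LAN for the WAN.
DEFAULT_FILTERS = [
    Filter("block WAN telnet", "block", iface="WAN", proto="tcp", ports={TELNET}),
    Filter("no NetBIOS in from WAN", "block", iface="WAN", ports=NETBIOS_PORTS),
    Filter("no NetBIOS out to WAN", "block", iface="LAN", ports=NETBIOS_PORTS),
]


def apply_filters(p: Packet, filters=DEFAULT_FILTERS) -> str:
    """First matching filter wins; with no match the packet passes on to NAT."""
    for f in filters:
        if f.matches(p):
            return f.action
    return "pass"


class PortMap:
    """Seven single-port-to-LAN-IP mappings plus an optional Default Server."""
    MAX_SINGLE = 7

    def __init__(self, default_server: Optional[str] = None):
        self.map: dict = {}
        self.default_server = default_server

    def add(self, port: int, lan_ip: str) -> None:
        if port not in self.map and len(self.map) >= self.MAX_SINGLE:
            raise ValueError("only seven single-port mappings are available")
        self.map[port] = lan_ip

    def target(self, p: Packet) -> Optional[str]:
        """LAN host that receives an unsolicited inbound packet, or None."""
        return self.map.get(p.dport, self.default_server)


def inbound_decision(p: Packet, filters=DEFAULT_FILTERS,
                     pm: Optional[PortMap] = None) -> str:
    """'blocked' by a filter, 'forwarded to <lan ip>', or 'dropped' (no mapping)."""
    if apply_filters(p, filters) == "block":
        return "blocked"
    if pm is None:
        return "dropped"
    host = pm.target(p)
    return f"forwarded to {host}" if host else "dropped"


if __name__ == "__main__":
    pm = PortMap(default_server="192.168.0.50")   # constructed DMZ-style host
    pm.add(80, "192.168.0.10")                     # constructed web server
    for pkt in (Packet("WAN", "tcp", "198.51.100.7", "203.0.113.5", 23),
                Packet("WAN", "tcp", "198.51.100.7", "203.0.113.5", 80),
                Packet("WAN", "udp", "198.51.100.7", "203.0.113.5", 5000),
                Packet("WAN", "udp", "198.51.100.7", "203.0.113.5", 137)):
        print(pkt.proto, pkt.dport, "->", inbound_decision(pkt, pm=pm))
```

The point to notice is the third packet: UDP/5000 has no mapping, so it lands on the Default Server. Remove the Telnet filter (as V3.25 does by default) and even TCP/23 from the WAN follows the same path, which is why that slot deserves a host you are prepared to have fully exposed.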
Network Administrators will find a complete set of "Maintenance" features, all accessible via Telnet. System status can be monitored, the unit can be reset, and error logs can be examined, among other features. If you have a system that supports the UNIX syslog feature, the RT311 will even log activity to it (see this page for a list of Windows and MacOS syslog clients). Finally, for the very adventurous, you can enter the RT311's OS mode and do packet traces and other fun stuff!
VPN and PPPoE
The RT311 will allow PPTP clients on the LAN side to access PPTP servers on the Internet. You can also set the unit to allow a PPTP server on your LAN to be accessed from the Internet (go here if you need help with this).
7/19/00 IPsec client passthru support has been added with the 3.20 firmware, and PPPoE support was added in the 2.50 firmware.
We put the RT311 through our usual speed test (details of how we tested can be found here). WAN to LAN routing measured in at about 2.8Mbps, which is pretty respectable. When I ran a LAN to WAN check, I got a slightly higher 2.9Mbps. Each of these measurements was made with no traffic in the opposite direction. I did run one pass of a simultaneous WAN to LAN and LAN to WAN test. In that case, the slowest transfer rate clocked at about 2.1Mbps, which was impressive!
Even with all the things you can do with the RT311, there are still a few things you can't, such as:
set content filtering.
control user access by time period, password, or any other method.
act as a VPN endpoint.
The RT311 is a capable router at an attractive price, with good routing speed, support for PPTP and PPPoE and even logging (with a little work!). But it just may be too much to handle for network novices if they need anything more than basic connection sharing capability, due to its hard to use Admin/Setup interface. Although the RT311 supports "DMZ" capability, gamers also may want to look at other products due to the limit of 7 single mapped ports and the difficulty of using the more advanced Filter capability.
But if you're not into on-line games and just need to get multiple users connected for web-browsing and email, this product may just be what you need. Just stay out of the Telnet interface!