Kingston Fast EtheRX 10/100 Internet Access Router
Author: Tim Higgins Review Date: 6/5/2000
Pros:
- Built-in 7 port 10/100 hub.
- Flexible port forwarding (including ranges).

Cons:
- No VPN support.
- Windows only firmware upgrade.
9/13/01 Product discontinued. Kingston has discontinued all non-memory related product lines.
6/7/00 Kingston has released the PPPoE firmware. Download link added. Info on I-Mail server clarified.
10BaseT LAN collision
100BaseT LAN collision
Seven LAN Link/Act (one for each port)
Seven LAN 100BaseT (one for each port)
1 RJ45 10BaseT for the WAN, 7 RJ45 autosensing 10/100BaseT LAN and 1 shared uplink RJ45
Two switches to reset router to factory defaults and to disable DHCP LAN server
NOTE: No reboot hardware or software switch
Where have I seen this before?
Take a UMAX UGate Plus, add a 7 port 10/100 autosensing hub, subtract the UGP's VPN capabilities and price it reasonably at about $230 street, and you've got the Kingston KNR7TXD!
Not that that's a bad deal at all! The EtheRx (man, I keep typing that wrong!) plugged into my network and began sharing duties without my even touching its admin features! Kingston ships the box with the WAN port set as a DHCP client, the LAN side's DHCP server enabled, and with all WAN side ports nicely secured.
The admin interface, which is accessible via web browser from the built-in HTTP server at 192.168.0.1, is similar to the UGate Plus's. The basic settings you'll need to set up the router are spread among a few screens, but the first page you get tells you what you need to do. Here are a few screen shots so that you can get a feel for what the admin features are like.
The EtheRx allows you to name the router, but not to set a domain name for it, so some @Home users might have trouble getting it to work. It also doesn't support the RoadRunner TAS login protocol. The WAN port MAC address is plainly shown on a few screens so that MediaOne/RR users whose service is locked to their NIC will be able to call in the new MAC address during router installation. Note that the EtheRx doesn't allow you to clone or change the MAC address.
I checked to see if I could access the admin functions of the router from the WAN port and found the HTTP port was safely closed.
The main advantage that this box has over similar routers (besides more ports in its built-in hub) is its flexible port forwarding abilities. You can forward up to 20 single ports, 20 more port ranges, and specify UDP or TCP ports. You can also "expose" one computer, putting it completely outside the NAT firewall.
Opening holes in your firewall can compromise your LAN's security if done incorrectly.
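One way to review a forwarding table before entering it into the router, as an added example that is not from the review or from Kingston. The limits of 20 single ports and 20 ranges come from the text above; the list of sensitive ports, the 100-port width threshold and the sample rules are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Limits stated in the review: 20 single-port forwards plus 20 port ranges.
MAX_SINGLE, MAX_RANGES = 20, 20
# Assumption: TCP services we would not want reachable from the WAN by accident.
SENSITIVE = {21: "FTP", 23: "Telnet", 80: "HTTP", 139: "NetBIOS", 445: "SMB", 3389: "RDP"}
WIDE_RANGE = 100  # assumption: ranges wider than this deserve a second look

@dataclass(frozen=True)
class Forward:
    proto: str   # "tcp" or "udp"
    first: int   # first WAN port
    last: int    # last WAN port (equal to first for a single-port rule)
    host: str    # LAN address that receives the traffic

def audit(forwards, exposed_host=None):
    """Return a list of findings for a forwarding table (empty list = nothing flagged)."""
    findings = []
    singles = sum(1 for f in forwards if f.first == f.last)
    ranges = len(forwards) - singles
    if singles > MAX_SINGLE:
        findings.append(f"{singles} single-port rules exceed the limit of {MAX_SINGLE}")
    if ranges > MAX_RANGES:
        findings.append(f"{ranges} range rules exceed the limit of {MAX_RANGES}")
    for f in forwards:
        if f.proto not in ("tcp", "udp") or not 1 <= f.first <= f.last <= 65535:
            findings.append(f"invalid rule: {f}")
            continue
        width = f.last - f.first + 1
        if width > WIDE_RANGE:
            findings.append(f"{f.proto} {f.first}-{f.last} -> {f.host}: {width} ports opened")
        for port, name in sorted(SENSITIVE.items()):
            if f.proto == "tcp" and f.first <= port <= f.last:
                findings.append(f"tcp {port} ({name}) forwarded to {f.host}")
    if exposed_host:
        findings.append(f"{exposed_host} is exposed outside NAT: every port is reachable")
    return findings

# Constructed sample table, not taken from the review.
SAMPLE = [
    Forward("tcp", 25, 25, "192.168.0.10"),        # single mail port
    Forward("udp", 27000, 27015, "192.168.0.20"),  # narrow UDP range
    Forward("tcp", 1, 1024, "192.168.0.30"),       # wide range covering sensitive services
]
```

Running `audit(SAMPLE)` flags only the third rule: once for its width and once for each sensitive port it covers.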
On the outbound side, you can establish groups of users and deny access completely or filter particular ports to control available services. You can't enable/disable this filtering by time of day, however.
Update 6/7/00 PPPoE support has just been added. You may need to download the new firmware from the link on this page, if your router doesn't come with rev 650B or higher firmware (Check the Device/LAN status page).
The EtheRx's original firmware had an email sharing ability. Kingston just released their 650B firmware, however, and removed this capability (and added PPPoE support). They still let you run your own POP3 server, however, by including a copy of their I-Mail POP server application (not to be confused with Ipswitch's Imail). (I-Mail is described in the PDF Quick Installation guide.)
I-Mail provides a POP3 server that you install on one of your LAN computers. This server can either create "Virtual Mailboxes" from a single ISP-assigned email address, or can act as a "Virtual Email Host" if you have your own domain name and multiple email addresses. You can create up to 250 "Virtual Mailboxes" and I-Mail also has flexible control of receiving and sending mail.
The downside is that the "Virtual Mailbox" email addresses are a little odd looking. For example, if you are sharing the account:
the email addresses would look like:
A little cumbersome, but better than paying for more POP mailboxes from your ISP! I didn't check this function on the EtheRx.
Using our normal test method, WAN to LAN routing measured in at about 2Mbps. This is a bit on the slow side compared with many of the routers I've tested, but still fast enough to keep up with most broadband connections. But a LAN to WAN check revealed a very slow 0.6Mbps, so you probably wouldn't want to host a webserver behind this router.
The EtheRx's "don't have"s are typical for this class of router:
- No content filtering
- No time-based access control
- No support for the RoadRunner TAS login protocol
- No PPTP or IPSec Client passthru support
Not a bad first effort for Kingston, but I think they need to add support for at least PPTP clients for users with VPN applications. A software reboot button would be nice, too, for remote administration. They'd probably do better by dropping the price a bit, given the price wars that are being waged.
But if you've been frustrated by the limited port forwarding capabilities of other routers and have a decent sized LAN that can use the 7 ports, then the EtheRx is worth a look.