MacSense XRouter Pro
Author: Tim Higgins Review Date: 7/23/2000
- Nice access control features.
- Easy Mac and Windows upgrading
- No on-line admin help.
- A little on the expensive side.
Firmware added PPPoE setting to the One Page Setup, implemented MAC
address cloning, and added a "Force DHCP Renew" feature. View
Link/Activity, Full/Collision for each of four
Link, Activity for the WAN port
One RJ45 10BaseT for the WAN
Four RJ45 auto sensing 10/100BaseT LAN
printed User guide
CDRom with HTML setup guide and PDF copy of
One UTP cable.
Reset switch (back panel)
Normal / Crossover switch for LAN Port #1.
If you liked MacSense's XRouter, then you may like the XRouter Pro even
more! MacSense has taken their popular XRouter, substituted a 4
port 10/100 auto sensing switch for the 4 port hub, added Content
filtering and access controls, and threw in Static Routing and Dynamic
routing capabilities while they were at it. And all this while keeping
the street price only about $20 higher than the original XRouter!
Oh, and they changed the color to a see-thru gray (I think it's called
and Basic Features
The XPro sets up as easily as any of the routers that have browser-based
administration. You just need to power up the XPro, connect a computer
with its TCP/IP set to obtain an address automatically (or from a DHCP
server) to one of the LAN ports, boot the computer and then enter 192.168.1.1
in your browser Location box. If you've set it up right, you'll
get a login box (the XPro comes set with a default password, which you
should change as soon as possible, since it's commonly known!) where
you just enter the password and you're in.
Most of what you need for basic setup is on a single page, which you
see along with selected other setup pages, below.
(If you'd like to play with a virtual XPro Admin interface, you can try
it out here.)
The XPro can be a DHCP client or be statically set on the WAN side.
You can enter a "host name" (useful for @Home user authentication),
but the XPro doesn't allow you to enter a domain name (needed for
some @Home affiliates), support the RoadRunner TAS login, or allow you
to change the WAN side MAC address (to ease MediaOne installations).
It does, however, support PPPoE.
On the LAN side, you can set the starting IP and number of addresses
that the DHCP server will hand out, or disable it and assign your Client
IP info manually. You can also use the Status Monitor page and check
your WAN and LAN IP info and also see what addresses the DHCP server has
The XPro's most distinctive feature is its Access controls, which let
you control access by URL, by IP address and port, or by a combination of both.
The URL Access controls allow you to either block access to up
to 20 URLs or allow access to only a list of 20 URLs. This
feature is smart enough to block all subdomains (e.g. site1.domainname.com,
site2.domainname.com) of the domain you enter, whether you
enter www.domainname.com or just domainname.com.
The downside is that the selections apply to all LAN computers.
The XPro doesn't announce its blocking action with a special message or
anything. All that happens is that the user's browser hangs while
trying to access a blocked URL. If you want to limit access for
just certain machines on your LAN, you need to use the IP Access controls.
The IP Access controls give you five ranges of IP addresses. For each
one, you can select four individual and one range of TCP, UDP or both
types of ports to block. You can't control access by MAC address,
Along with the Access controls comes a URL log. This log shows
the URLs that have been accessed via the XPro, along with a "Pass"
or "Blocked" indication. MacSense doesn't say how many
URLs the log holds, and it's cleared each time you change the URL Access
controls. You also can't save the log to a file and the only way
to get a printout is by taking a screen shot.
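The URL Access matching and the Pass/Blocked URL log described above, modelled as an added Python example (not MacSense firmware and not code from the review). The class and function names are hypothetical, and matching on a label boundary is an assumption, since the review only says that subdomains of an entered domain are covered.

```python
from urllib.parse import urlsplit

MAX_ENTRIES = 20  # list size limit stated in the review


def normalize(entry):
    """Reduce a list entry or a requested URL to a bare lower-case host."""
    host = urlsplit(entry if "://" in entry else "//" + entry).hostname or ""
    host = host.rstrip(".")
    # www.domainname.com and domainname.com name the same list entry
    return host[4:] if host.startswith("www.") else host


def covers(domain, host):
    """True if host is the domain or a subdomain of it.

    Assumption: matching is done on a label boundary, so
    notdomainname.com is not treated as part of domainname.com.
    """
    return host == domain or host.endswith("." + domain)


class UrlAccessFilter:
    """Hypothetical model of one filter shared by every LAN computer."""

    def __init__(self, mode, entries):
        self.configure(mode, entries)

    def configure(self, mode, entries):
        if mode not in ("block", "allow"):
            raise ValueError("mode must be 'block' or 'allow'")
        if len(entries) > MAX_ENTRIES:
            raise ValueError("at most %d entries" % MAX_ENTRIES)
        self.mode = mode
        self.domains = {normalize(e) for e in entries}
        self.log = []  # changing the controls clears the URL log

    def check(self, url):
        host = normalize(url)
        listed = any(covers(d, host) for d in self.domains)
        # block mode stops listed hosts; allow mode stops unlisted ones
        verdict = "Blocked" if listed == (self.mode == "block") else "Pass"
        self.log.append((url, verdict))
        return verdict


if __name__ == "__main__":
    f = UrlAccessFilter("block", ["www.domainname.com"])  # constructed entry
    for u in ("http://site1.domainname.com/a", "http://notdomainname.com/"):
        print(u, f.check(u))
```

Because `configure` resets the log, any record of what was passed or blocked has to be captured before the lists are edited.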
Opening holes in your firewall can compromise your LAN's security if done
Moving along to more common Advanced features, the XPro's port mapping
or "Virtual Server" features include one DMZ computer and 10
single ports. You can select TCP, UDP or both protocols on each
mapped port, but no port ranges are supported.
"Loopback" is supported for Virtual servers, so you won't
have problems reaching any of your LAN side Virtual servers via the WAN
side IP address or domain name (if you have one).
Although I didn't confirm this, reader Barry Barnett reports that the
XPro nicely supports Apple's QuickTime Real Time Streaming Protocol
(RTSP). It opens the RTSP ports only when needed and without using
a Virtual Server mapping.
The XPro also has a "Remote administration" feature that when
enabled allows you to reach the built-in administration HTTP server from
the WAN side. But if you use this feature, which is disabled by
default, be sure you set a
If you enable Remote administration AND have a Webserver
(Port 80) set as a Virtual Server, the Webserver will be what
you see when you enter the XPro's WAN port address in your web browser.
Other routers handle this situation by moving the Admin server to another
port, but I couldn't find where MacSense hid the Admin server port!
Finally, the XPro has a static routing table and supports RIP-1 and RIP-2
in case you use it in larger networks where it needs to play nice with
The XPro supports multiple PPTP and IPsec clients on the LAN side of
the router. MacSense says Nortel Extranet, Checkpoint, and Intraport
clients have been confirmed to work.
I haven't been able to get a clear answer on LAN side server support
for either of these protocols, however.
up the test track
MacSense said that the XPro was faster than the original XRouter... and
they were right! The speed of the XPro almost outpaced my test
setup! Let's cut to the chase:
All numbers are in Mbits per second (Mbps).
(Details of the measurement method can be found here.)
A few items of note:
The router really was equally fast in both directions! No skimping
on the LAN-WAN transfer rate.
For the "Simultaneous" test, port 80 is forwarded to a
LAN-side webserver. A file download via web browser is started
on both machines simultaneously. The number is calculated as:
Transfer speed (Mbits/sec) = ((Filesize in MBytes x 2) / Total Xfer time in seconds) x 8
In the "Simultaneous" test, the transfers
finished at just about the same time. Not sure why the Simultaneous
rate is faster than the one-way rates, but it was pretty consistent.
The LAN "Collision" LED was lit almost constantly
during the WAN-LAN transfer, but didn't seem to affect the transfer
Conclusion: Up there with the fastest low-end routers!
The XPro looks like a strong entry in the "Who wants to be the next
Linky?" competition going on in the low-end router market.
The Access controls and high bandwidth are very attractive advantages.
And although Mac compatible firmware upgrading only makes a difference
to a relatively small group of customers, if ya' need it, the XPro's got
But MacSense, here's the "To Do" list if you really want the
XPro to be the king of the hill:
- add Port range mapping (throw in Triggered maps while you're at it!)
- keep the price competitive, i.e. follow the pricing curve
And although there's no evidence of the following problems: