SMC 7208BR Barricade Router and Storage Server
Author: Tim Higgins
Review Date: 3/29/2001
- Fast NAT router
- NAT router not properly secured
- Expensive compared to separate solutions
- No DMZ
- No Access Controls
Link/Activity for each LAN port
100BaseT detect for each LAN port
Link/Activity for WAN port
100BaseT detect for WAN port
one RJ45 10BaseT WAN
seven RJ45 10/100BaseT LAN
one RJ45 Uplink port
one DB9M serial port
one DB25F printer port
printed User's Guide
CD with PDF manual and utility program
one UTP Normal cable
100-240VAC Power supply
Has Power/Shutdown switch
Has Reset switch
The Barricade 8 Port 10/100 Mbps Storage Server (also known as
the Broadband Storage Server or BSS) is SMC's first foray into
the Network Attached Storage market. It combines a 20GB
networked drive with a 7 port 10/100 switch and throws
in a NAT based router for good measure. Unfortunately,
the router part doesn't live up to the "Barricade" name...
The BSS's split personality is reflected in the Front and Rear
panel arrangements. The Front Panel contains no connectors
and five indicator lights, none of which indicate LAN activity.
The rear panel is where most of the action is, with all connectors,
the cooling fan, Power/Shutdown switch, and all LAN indicators
located there. Since I tend to connect and disconnect equipment
frequently, I ended up facing the rear panel towards me, which
gave me a good view of network activity, but no indication of
disk operation. I would have loved to have just one more
LED on the rear panel, indicating disk activity!
Like the regular "8" port Barricade, the
BSS also has just 7 LAN ports. This time, though,
they count the "uplink" port as the 8th port (instead
of the WAN port!). Of course, you can use only the 7th port
or the uplink port, but not both at the same time!
The BSS can be administered via a web browser, or with
a Windows based utility. I tried both, but didn't
see any advantage in the Windows program, so did most
of my testing with the browser interface.
The opening screen presents you with choices
for both Configuration and Storage Management. We'll
cover the Configuration features first.
The BSS's admin server is located at 192.168.123.254 and
it comes with its DHCP LAN server enabled. So you just attach
a computer set to be a DHCP client (obtain IP address automatically),
either reboot or do a DHCP Release/Renew, fire up your web browser,
enter the IP address above and you'll be in business. Note
that you can change the base address for the DHCP server (I did
because it conflicted with another router on my LAN), the range
of addresses that it serves, and disable it if you want.
The BSS can be configured with Static IP information,
be a DHCP client, or negotiate a PPPoE connection
on the WAN side. If you attach a dialup modem to the BSS's
serial port, you can get your Internet connection from a non-broadband
ISP, too. Host and Domain names are supported for @Home
users, and the WAN MAC address can be set to whatever you like
for those users who need this ability.
Since SMC calls this a "Barricade", I
expected to see all the familiar Barricade router configuration
screens. What I got, however, was quite different, as you
can see in the screens below.
This is because SMC sources the BSS from a different
company than its current Barricade routers. The key differences
- No VPN (PPTP or IPsec) pass-thru support
- No Access Control (port filtering)
- No "DMZ" (ability to place one LAN computer outside the NAT firewall)
Content Filtering: On the plus side, however
is the BSS's ability to do keyword based Web site access filtering.
You can enter either domains or IP addresses on the "Allow"
or "Block" lists to control the sites that can be accessed.
You can't just enter a word or string. You need to enter at
least the domain name and top level domain, i.e. blahblah.com,
or it won't be accepted.
feature is good in theory, but I didn't have much luck getting
it to work. When I enabled it, access was blocked to all sites,
no matter which configuration I tried. Logging didn't
work either. There's also no notification that you're
trying to reach a blocked site. Your browser will just
hang, leaving you wondering what's going on.
You can also individually choose to block ActiveX
the BSS's firewall. You can have the filtering active only
during a certain time of the day (just one range) and certain
days of the week (one range), or all the time.
Note that these content filters apply to all
users, so you can't establish lists of users with different
Port Forwarding: The BSS supports both "Special
port ranges) and "Virtual Servers" (single forwarded
ports) methods for port forwarding, but again, things are a little
quirky in the execution.
The "Special Applications" can only be
used for applications that trip the trigger port from the LAN.
This means that they can't be used to allow access to LAN side
servers... you need to use the "Virtual Servers" feature
to do that. But although that feature looks like
you can define seven different ports (although you can't change
the names), the forwarding is actually limited to the default
port values shown.
While checking out the port forwarding, I
found that the admin pages are
accessible from the WAN side of the router whenever the
"Enable Internet Access" box is checked
on the Internet Access Connection admin screen.
The "Enable Services" checkboxes
don't appear to work either, i.e. the services are available,
whether or not the boxes are checked.
Finally, a port scan showed the following
TCP ports open by default: 80 (HTTP), 139 (NetBIOS--VERY
INSECURE), 515 (print spooling), and 3128 (unassigned).
In all, a pretty disappointing showing for the router
part of the BSS.
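
The WAN-side exposure reported above can be re-checked on your own router with a short script. This is an added example, not part of the original review: the port list and labels come from the review's scan, while the function names, the `allowed` parameter and the injectable `probe` are assumptions of the example.

```python
import socket
import sys

# TCP ports the review's scan found open by default, with the review's labels.
REVIEW_PORTS = {
    80: "HTTP",
    139: "NetBIOS",
    515: "print spooling",
    3128: "unassigned",
}


def tcp_open(host, port, timeout=1.0):
    """Return True if a full TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unreachable
        return False


def audit_wan_exposure(host, ports=REVIEW_PORTS, allowed=(), probe=tcp_open):
    """Probe each port and return {port: label} for every port that
    answers but is not in `allowed` (services you mean to publish)."""
    findings = {}
    for port, label in sorted(ports.items()):
        if probe(host, port) and port not in allowed:
            findings[port] = label
    return findings


if __name__ == "__main__":
    # Usage: python3 wan_audit.py <your-WAN-address>, run from outside the LAN.
    target = sys.argv[1]
    exposed = audit_wan_exposure(target)
    for port, label in exposed.items():
        print(f"{target}:{port} reachable from WAN: {label}")
    # Non-zero exit status when anything unexpected answers.
    sys.exit(1 if exposed else 0)
```

An empty result from the WAN side, with "Enable Internet Access" checked, is what a properly secured NAT router would return for these ports.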