Author: Tim Higgins Review Date: 3/23/2000
IPsec and PPTP for VPN.
- Built-in 4 port 10BaseT hub.
- On-line documentation only.
Version 2.1 firmware adds an optional Web blocking subscription
service ($49/year), port range mapping, port range blocking, protocol
blocking, and a limited Socks5 proxy.
5/3/00 PPPoE support added via
Version 1.5.7 firmware update.
The SOHO is packaged in a small, bright red box. All 10BaseT RJ45
jacks (one WAN, 4 LAN, no uplink) are on the rear panel of the
unit, along with the power adapter input (the router is powered by a small
external power unit). One normal UTP cable is included with
The front panel has a full complement of indicator lights including:
- On and Mode ("Mode" blinks if the unit isn't happy)
- WAN Link & Data
- Link & Data for each of the 4 built-in 10BaseT hub ports
There is no reset button on the unit, but a "Reboot" button
is available via the web-based administration pages.
WatchGuard / BeadleNet has improved the installation process from when I tested
the BeadleNet SOHO2000. Although the one page "installation
guide" that comes with the unit still tells you to go to a web page to
register your unit, you no longer must register your unit in order to
obtain the installation instructions (which you can view here).
You do have to register, however, in order to gain access to the Help,
Support and Live Security pages of the router admin screens.
The SOHO has browser-based administration and sets up easily.
You just power up the SOHO, plug a computer with its TCP/IP set to obtain
an address automatically (or from a DHCP server) into one of the WAN ports,
boot the computer, launch your web browser, and enter 192.168.111.1
into your browser Location box.
If everything is working, you'll get the Admin page opening screen. NOTE:
The Admin pages are not password protected by default, but you can set a password
on the User Information Admin page.
When I opened my router's admin page, the page included a clickable
link telling me that a software update was available. Even nicer
was the fact that all I had to do to update the router firmware
was to click on the link! No searching for a firmware updater.
No inability to update because I'm using a non-Windows computer. No futzing
with selecting a router and selecting a firmware code update file.
All routers should be this easy to update! (Hey, you other guys!
Are you listening?!)
Although there's a System Status page that summarizes your SOHO's setup
(and contains the WAN port MAC address that you'll need for some
MediaOne affiliates' setup and the router Reboot button), you'll
have to visit the Public Network, Private Network and Firewall pages to
complete your router setup.
The Public Network screen lets you set the WAN port to either
have its IP address info set manually or pick it up from your ISP's DHCP
server. You can input a computer name and Domain name (which @Home
users will need) and specify a primary and secondary DNS server.
There isn't any provision for the TAS login that some RoadRunner
users need, however, and PPPoE isn't supported, although a firmware
upgrade is scheduled for April.
The Private Network (LAN) screen lets you Enable/Disable the DHCP
server and set the server's base address, subnet mask and first address
that the server will issue. The base SOHO will hand out only 10
addresses. You can upgrade it to handle either 25 or 50 users, however.
Fun with the Firewall
Since security is WatchGuard's business, they did a good job of clearly
describing Firewall settings. There are two views into the Firewall settings,
Basic and Advanced.
The router default is to deny all incoming data. The Basic settings
use drop down boxes to select common services to map to the IP addresses
in the SOHO's DHCP server range. You can specify up to 5 port mappings.
The only other thing that the Basic screen lets you do is to enable "Web
Activity Tracking". However, this feature isn't yet implemented.
If you click on the Advanced screen (no password protection to access
it), the dropdown boxes disappear in the port mapping section and you
enter the port number and IP addresses directly. You still only
get 5 single port to IP mappings. You can't specify TCP or
UDP and you can't forward port ranges. Although this keeps
things simple, it's limited, especially considering the price of the SOHO.
Update 9/4/00: Version 2.1 firmware adds port range mapping & Socks5 proxy for
ICQ and IRC.
Further features available in Advanced mode are:
- You can set one IP to have "DMZ pass through",
  which places it outside the SOHO firewall.
- Remote logging (sent over an encrypted channel to a
  WatchGuard log host only)
- Allow temporary WAN access to the SOHO's admin HTTP
  (This allows WatchGuard support to see and/or fix problems in your
  setup. It times out after 10 minutes. If you want constant
  WAN access to the server, you'll have to map a port. If you do this
  be sure to set a password on the User Information page!)
- Disable Microsoft Networking from LAN to WAN.
WatchGuard has given the SOHO very flexible VPN capability.
You can have multiple PPTP and IPsec clients on the
LAN and you can also host one each of a LAN-side PPTP and IPsec
server. I didn't check either of these capabilities.
The SOHO doesn't have detailed logging capabilities, but it does have a
Network Event log and a Network Statistics feature.
When you register the SOHO, you can also register for WatchGuard's
Live Security feature. Live Security alerts you to SOHO firmware
updates (as I found out when I installed the SOHO and described above),
allows you to easily update your firmware, and subscribes you to an email
list that periodically delivers security related information including
new Virus alerts. These Live Security emails are archived and you
can access them by clicking on the Live Security link in the SOHO admin
page Navigation bar. I was unable to access any of the archives
after repeated attempts, however.
The SOHO passed my download test with
flying colors, clocking in between
4.3 and 4.5Mbps. The SOHO might be even faster than my measurements,
because my baseline computer to computer measurement without the router
was pretty close to what I measured with the SOHO in between.
I also checked LAN to WAN transfer speed, since some users will
be hosting FTP, HTTP, or other servers behind the SOHO. Some of
the other products I've tested have had noticeably slower LAN to WAN vs.
WAN to LAN routing speed, but not the SOHO. The LAN to WAN measurement
was virtually the same as the WAN to LAN performance. Impressive!
Note that I did not test simultaneous routing in both directions.
I encountered no corruption, timeout or other problems during the tests.
Like its competitors, the SOHO doesn't do everything. Here's the list:
- No detailed traffic logging.
- No content filtering. Update 9/4/00: Version
  2.1 firmware adds an optional Web blocking subscription service ($49/year)
- No access control. Update 9/4/00:
  Version 2.1 firmware adds port range blocking & protocol blocking.
  Blocking applies to all machines on the LAN, i.e. you can't block
  specific ports/protocols on specific machines.
- No support for the RoadRunner TAS login protocol
The SOHO has a lot going for it. It's fast, includes a 4 port 10BaseT
hub, supports PPTP and IPsec clients and servers, has the best
software update process I've seen, and the Live Security feature supplies
a steady stream of Internet security information.
On the downside, although port forwarding has been improved, the SOHO
doesn't have the triggered maps that lower priced competitors now have.
Also, its hub is 10BaseT vs. 100BaseT, and its price point is high (although
close to or below most other IPsec capable products). I also found
its Web site-based-only documentation system inconvenient and somewhat
frustrating at times. (In fact, during the course of preparing this review,
the WatchGuard site was temporarily unreachable more than once.)
I would prefer to see some sort of user documentation included with the
SOHO, even if it is on CD-ROM rather than printed.
On the whole, the SOHO's a capable unit, and I'd expect WatchGuard's
toll-free 24/7 support to be a cut above its competitors, given WatchGuard's
focus on the corporate market. But the competition's catching up fast
in features and pressing downward on price, so WatchGuard better keep
their design team busy!