ZyXEL Prestige 316 Broadband Sharing Gateway with Wireless LAN
Author: Tim Higgins Review Date: 3/7/2001
Model: Prestige 316
- Fast routing and wireless speed.
- Only one LAN port, i.e. no built-in hub or switch
- 50% throughput decrease with WEP enabled
- Limited availability
NO Uplink port or Normal / Crossover switch for LAN Ports (see this page if this concerns you!)
Has DB9F Serial Console port
ZyXEL's Prestige 316 is a decent performing Ethernet/802.11b wireless router, but priced at a premium to competing products. You'll also pay a steep performance penalty if you enable WEP encryption.
ZyXEL's weak spot, particularly for networking novices, has been its DOS-like SMT (System Management Terminal) administration interface. ZyXEL has slowly been making the transition to web-based administration, and the 316 sports a "Web Configurator" (located at 192.168.1.1) that allows you to perform most setup duties.
You can manually set the 316's WAN port information or have it act as a DHCP client and obtain everything automatically. PPPoE is supported for DSL users, and @Home users can set the Host and Domain Name. You can also spoof (or copy) the MAC address of a selected LAN client so that ATT Broadband customers who are MAC address authenticated won't have to call in their MAC address to get on the air. ZyXEL continues to support the RoadRunner TAS Authentication method, if your BSP still uses it.
The 316 has a DHCP server on the LAN, which is enabled by default. You can set the starting IP and number of addresses (from 2 to 254) served, or disable it entirely. You won't be able to see DHCP lease information, however, unless you use the SMT interface.
I was able to get the 316 up and running without Telnetting into the SMT interface. I was even able to put one of my test machines completely outside the 316's firewall (ZyXEL calls this the "Default SUA"), again, using just the "Web Configurator". As the screen shot below shows, you can also set up ten single port to IP openings through the 316's firewall.
But getting access to my test webserver on the 316's LAN side required fiddling with the 316's Filters, and for that, I still had to use the SMT interface.
NOTE: Opening holes in your firewall can compromise your LAN's security if done incorrectly.
Routing & Advanced Features
If you're familiar with any of ZyXEL's (or NETGEAR's) earlier routers, such as the Prestige 310 or 314, then you know what the 316 is capable of in the routing department. ZyXEL routers are known for their reliable PPPoE connection, and many frustrated Linksys users have successfully turned to the ZyXEL/NETGEAR routers when they couldn't get reliable operation.
The disadvantage that ZyXEL continues to have against its competition is that many of these features still require using the more difficult SMT interface, so if you are not comfortable with a non-graphical user interface, then you may want to look for another product.
That being said, here are some of the advanced routing features of the 316:
Static Routing - You can enter up to 8 static routes
Dynamic Routing - RIP-1, RIP-2M, and RIP-2B routing protocols are supported, and you can set the unit to send only, receive only or do both with its routing information. IGMP-v1, v2 multicast protocols are also supported.
IP Alias - you can define three private subnets on the LAN side of the router and the 316 will route to and from each one and the WAN side of the router.
NOTE: The P316 will not route NETBIOS file and Printer sharing traffic among the three subnets.
Filters - Filtering is very flexible, but it is the hardest-to-use feature of the P316. Filters allow you to block data from entering or leaving your LAN. ZyXEL has provided powerful filtering capability, but, unfortunately, you need to configure it at a level that requires more understanding of networking protocols than most users will have. The P316 comes by default with filters enabled that block Telnet, FTP and HTTP (Web) access from the WAN side and limit NetBIOS traffic to the LAN.
I'm sure that many a novice user has given up trying to get a Web or FTP server running behind ZyXEL/NETGEAR routers due to the difficulty in even being able to disable the default filters. I'm surprised that among all the information ZyXEL provides in the app notes and extensive PDF user manual there are no instructions on how to do this. See our Help page for the procedure.
VPN - Capabilities include PPTP client passthru, LAN-side PPTP server (requires one mapped port; see the Help page) passthru, and one IPsec client passthru.
SNMP - the 316 will function as an SNMPv1 agent and you can set Community strings, Trap addresses and other parameters. No MIBs are supplied on the resource CD and the App notes don't contain any SNMP info. But if you look in the P310 Application notes on the CD, you'll find some useful info. (See this page for SNMP Management programs.)
Logging - requires use of a syslog client. Linux and Unix users can use the clients that come with their OS. See this page for how to use syslog with a Windows or MacOS system.
If you haven't had enough yet, you'll find a complete set of "Maintenance" features, all accessible via Telnet. System status can be monitored, the unit can be reset, and error logs can be examined, among other features. Finally, for the very adventurous, you can enter the command level ZyNOS mode and do packet traces and other fun stuff!