Linksys WAP11 Instant Wireless Network Access Point
Author: Tim Higgins Review Date: 8/4/2001
Model: WAP11 [Original Review Date: 12/12/00]
- Access Point or Wireless Bridging for about $200!
- Can attach alternative antennas
- Can be setup via USB or Ethernet
- Has monitoring features
- Decent speed
Linksys broke open the low cost router market when they introduced their best-selling BEFSR41 router, and they just might be doing it again for the low cost 802.11b wireless bridge market. The recently upgraded WAP11 takes a leap forward in capability at a previously unheard-of price. But it doesn't do everything that you might want it to...
Tip: If you don't know the difference between an Access Point and a Wireless Bridge, read this article first!
When I looked at the WAP11 last December, I saw a decent performing 802.11b Access Point, but nothing as exciting (or as low-priced) as Linksys' first low-cost router, the BEFSR41. But apparently, Linksys has decided to shake up the 802.11b wireless bridge market by adding wireless bridging capabilities to the WAP11, making it a free upgrade, and keeping the price at around $200, instead of the $450 and up that their competitors are charging.
Wireless Bridging allows you to wirelessly connect Ethernet LANs together, which can be very handy if you can't (or don't want to) run CAT5 cable between locations. The WAP11 can also be used as an 802.11b Access Point, but not both simultaneously. Let's look at the WAP11's three modes of operation:
1) Access Point - This mode lets wireless and Ethernet clients connect through the WAP11. This works the same way as it did before.
2) Point To Point Bridge - This mode lets one WAP11 talk to another WAP11 to wirelessly link two Ethernet LANs together. A nice security feature in this mode is that each WAP11 must specify the MAC address of the WAP11 at the opposite end of the wireless bridge. When the WAP11 is set to this mode, it can't talk to wireless clients.
3) Point To MultiPoint Bridge - This mode lets multiple WAP11s link multiple Ethernet LANs. This mode does not have any MAC address controls, however, and just uses the Channel number and ESSID to set up the connection. Again, when the WAP11 is set to this mode, it can't talk to wireless clients.
Tip: If you have more than two WAP11's set to Bridging mode, only one should be set to Point to MultiPoint mode.
Update 9/1/01 4) Access Point Client - This mode lets the WAP11 act as a Wireless client instead of an Access Point or bridge. Handy for connecting devices that only have an Ethernet interface.
Although it may be obvious, I'll say it anyway: the WAP11 does not provide wireless repeating. This is the ability to function as a wireless bridge and Access Point at both ends of the wireless Bridge. This would let you extend your wireless network's range without running CAT5 cabling. For now at least, products with this capability typically run $500 and up per unit.
Setup and administration are still done with two Windows based utilities. One uses the USB connection to the WAP11, the other uses SNMP and Ethernet. The features of both have been improved from the original utilities, and they both look and act almost the same. The only difference is that the USB utility features are a subset of the SNMP's. The main differences in the USB utility are:
- You can enable the MAC address control list (more on that later), but can't set up the list itself.
- You don't get the monitoring capabilities that the SNMP version has.
So the screen shots below are from the SNMP utility, since it has the most features. Most are self explanatory, but I'll comment on items of particular interest.
Tip: I couldn't get the DHCP mode on the IP Settings Tab to work. So if your network doesn't use the 192.168.1.X subnet that's compatible with the WAP11's pre-set address of 192.168.1.250, use the USB utility to change the WAP11's address to match your network if you plan to use the SNMP utility.
- The Reset button is not available on the USB utility, but the Restore Defaults is. It would be better if a hardware Reset / Restore Defaults button were also provided, for the cases in which the WAP11 gets too messed up for software access.
I found that the USB utility mis-reported the firmware rev as 1.4f, while the SNMP utility had 1.4f.5 which I think is the proper revision.
- The USB utility doesn't require a login or password, but the SNMP version does. The login box will also remember the last IP that you logged into. NOTE that the password is case sensitive!
- The Find AP button will find all WAP11s available either via Ethernet or wireless link! Note that the WAP11s must first be properly set up to have the wireless ones show up, however.
- The Basic Settings Tab (not shown) allows you to set the ESSID, Channel number and Access Point name. (The AP name is just to help you tell WAP11s apart and doesn't have anything to do with authenticating the connection.)
- The Authentication Type selection can be a little confusing. The Shared Key method is more secure, but you'll need to set a WEP key and enable WEP before you can use it. This Proxim page has a good explanation of how this works.
- The Operation Mode button brings up this screen, where you can invoke the WAP11's Bridging magic that I described earlier.
The Security Tab lets you set four keys in either 64 or 128 bit mode, either by setting a passphrase to generate the keys or directly in Hexadecimal. You also reach the MAC address authorization screen via the button on this page.
This function is effective only when you set the WAP11 to Access Point mode and controls the clients that can use the Access Point. You can't enter the addresses directly, but instead must use a text file and load it into the WAP11.
Update 9/1/01 Can now Add / Modify / Delete MAC address table entries with the new firmware and SNMP Manager.
Tip: The file can be named as you like, and be located somewhere on the computer that is running the SNMP utility.
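An added example, not part of the original review or of Linksys' utilities: a small Python check for hexadecimal WEP keys of the kind entered on the Security Tab described above. It assumes the usual WEP convention that the "64 bit" and "128 bit" modes take 10 and 26 hex digits (the other 24 bits are the IV); the function name, the tolerated separators and the sample keys are hypothetical.

```python
import string

# Hex digits the user types per key: the advertised "64/128 bit" size
# includes WEP's 24-bit IV, so the secret itself is 40 or 104 bits.
HEX_DIGITS = {64: 10, 128: 26}


def check_wep_keys(mode_bits, keys):
    """Return a list of (slot, problem) findings for up to four hex keys."""
    if mode_bits not in HEX_DIGITS:
        raise ValueError("mode must be 64 or 128")
    want = HEX_DIGITS[mode_bits]
    findings, seen = [], {}
    for slot, raw in enumerate(keys, start=1):
        # Assumption: separators are accepted by this checker only.
        key = raw.replace(":", "").replace("-", "").replace(" ", "").lower()
        if any(c not in string.hexdigits for c in key):
            findings.append((slot, "non-hex character"))
            continue
        if len(key) != want:
            findings.append((slot, f"expected {want} hex digits, got {len(key)}"))
            continue
        data = bytes.fromhex(key)
        if len(set(data)) == 1:
            findings.append((slot, "single repeated byte"))
        elif all(0x20 <= b < 0x7F for b in data):
            # Printable bytes usually mean a word was typed as ASCII,
            # which shrinks the key space well below 40/104 bits.
            findings.append((slot, "key is printable ASCII text"))
        if key in seen:
            findings.append((slot, f"duplicate of key {seen[key]}"))
        seen.setdefault(key, slot)
    return findings


# Constructed sample values, not taken from the review or any device.
SAMPLE_64 = ["1a2b3c4d5e", "0000000000", "48656c6c6f", "1A:2B:3C:4D:5E"]

if __name__ == "__main__":
    for slot, problem in check_wep_keys(64, SAMPLE_64):
        print(f"key {slot}: {problem}")
```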
We've got Monitoring!
Last but not least is the Info Tab. It, in itself, is not very interesting, but the buttons it contains are! Readers of my other Access Point reviews have read my standard rant about the lack of monitoring features in any of these consumer priced APs... including the WAP11 with its original utilities! I'm now happy to change my tune for the WAP11, since it's the first consumer priced Access Point that I've seen that provides some level of monitoring capability:
The Stations Tab (not shown) gives you a MAC address list of wireless clients that have successfully associated (connected) with the AP. This is only valid in Access Point mode.
The Statistics Tab gives you wireless and Ethernet network statistics, so you can at least see if things are alive.
The Trap Log displays error and other SNMP messages. I found that the log would show an entry for each time that a wireless client successfully associated with the Access Point. Unfortunately, clients repeatedly issue association requests, so you get a lot of duplicate entries in the log!
Although I was happy to see these features, they do have problems. The Stations window can't be cleared or refreshed, and continued to show a wireless client after I turned the client off. It also doesn't show in-range clients that aren't successfully associated, or their roaming status. The Statistics info can't be saved, refreshed, or cleared either. Finally, although you can clear the Trap Log, and it appears to auto-refresh when new data is received, you can't save it. Oh well, at least my complaints are about the features, instead of about the lack of them!
I used netIQ's free QCheck utility to check the WAP11's bridging performance. Tests were done with the following setup:
Local End: Windows 98SE PC connected to a 10/100 switch port. WAP11 set to Point to Point mode connected to another port on the same switch.
Remote End: Windows 98SE laptop connected to a WAP11 set to Point to Point mode via a PC Card Ethernet interface. Qcheck console run on this machine.
- Mode: Point to Point
- WEP encryption: DISABLED
- Tx Rate: Automatic
- Channel: 11
- AP f/w: 1.4f.5
Measurements: Qcheck Transfer Rate (Mbps) [1Mbyte data size]; Qcheck Response Time (msec) [10 iterations, 100byte data size]; Qcheck UDP stream [10S@500Kbps] (Actual throughput - kbps, Lost data - %)

- Slave to Master - Condition 1: Transfer Rate 3.4 [No WEP], 3.5 [w/WEP 64], 3.1 [w/WEP128]; Response Time 4 (avg), 7 (max)
- Slave to Master - Condition 2: Response Time 4 (avg), 4 (max)
- Slave to Master - Condition 3: Response Time 4 (avg), 5 (max)
- Slave to Master - Condition 4: Response Time 4 (avg), 7 (max)
Comments: Since the WAP11 is the second bridge I've tested, I don't have a lot of comparison points, but these results compare favorably to those measured for SMC's 2682W. Both products have about the same transfer rate, but the Linksys doesn't slow down much when WEP encryption is enabled. I tested both 64 and 128 bit WEP and saw no significant difference for WEP 64, but around a 9-10% degradation for WEP 128. I questioned this, since I usually never see a difference between WEP 64 and 128 bit performance. But the difference was repeatable.
Like the 2682W, UDP streaming performance had some data loss, but not as much.
I did a quick throughput check in AP mode and got 4Mbps in Condition 1, with no WEP, and using an ORiNOCO Gold PC card client.
All things considered, I'd say that Linksys did a pretty good job with the new bridging features for the WAP11. But the biggest deal is the fact that they kept the price the same, establishing a new price point for adding 802.11b bridging capability to your LAN -- about 50% below the nearest competition!