Tips for Securing Your Home Router
Seemingly minor and easily overlooked settings can still have profound security implications. Here are some steps you can take to make sure your wired or wireless home router — and by extension, your network — is as secure as possible.
Most Popular Reviews
Microsoft Windows Home Server
If you have a home network, you'll welcome the easy file sharing, remote access and the image-based backup features of Windows Home Server.
MikroTik's The Dude
This free tool delivers many of the same capabilities that you'd find in pricey network monitoring tools. As long as you don't mind tinkering, The Dude is a decent network utility that should be worth the download.
SnapGear PRO Internet Security Appliance
Author: Tim Higgins Review Date: 8/15/2001
- Extremely fast
- Built-in PPTP server and client endpoints and IPsec endpoint
with no per-user licensing
- Two serial ports for simultaneous WAN dialup/ISDN and dial in
- Windows client required for setup
- No DMZ
- Need to work out some kinks in the features
10/9/01 - New firmware
upgrade available. Version 1.4.2 promises "improved
firewall, port forwarding and IPSec support for IP aliases."
One RJ45 10BaseT for the WAN
One RJ45 10BaseT LAN
Two DB9M "COM" RS232
printed Quick Install guide
one normal UTP cable
one crossover UTP cable
100-240VAC Power supply
power supply AC cord
Reset switch always clears unit to factory
NO Uplink or Normal / Crossover
switch for LAN Ports (see this
page if this concerns you!)
SNAPgear is a new entry into the SOHO router market, with
a sharp focus on providing PPTP and IPsec VPN capabilities without
putting too large a dent in your pocket.
& Basic Features
SNAPgear, which is a wholly owned subsidiary of embedded
OS supplier Lineo,
is a very new company with a mission... to bring VPN networking
to the masses! The product line is based on the Motorola
ColdFire processor (the PRO uses the 5307 clocked at 90MHz) running
Lineo's uCLinux OS, and is based on Lineo's SecureEdge
reference design platform. It starts with
the $249Lite model and ends with the $549PRO model, which is the one they sent us for review.
All versions have a serial port that can
support dialup or ISDN WAN connection, in addition to the 10BaseT
WAN Ethernet port. The $399 SOHO+ and PRO models
have a second serial port that can be used to simultaneously
support a dialup/ISDN WAN and dial-in RAS connections.
These two models also support Telnet-based configuration, and
RADIUS/TACACS+ authentication. The PRO, however,
is the only model to have a security co-processor, which helps
with the encryption processing and allows the PRO to support a
total of 40 PPTP and 70 IPsec tunnels (more on
The $299 Lite+ is the only model to include
a 4 port 10/100 switch. All other versions have just one 10BaseT
LAN port, with no uplink connector or switch. SNAPgear does
include both normal and crossover UTP cables to make your setup
job easier, though.
SNAPgear makes no secret about being Linux based and even lets
you view, edit, save, and restore key Linux configuration files!
So I found it curious that I needed to run a Windows based installation
program to assign an IP address to the router before I could access
the HTTP (web) based admin pages. As a result of this and other
decisions that SNAPgear made about the setup process, it took
me longer than it should have to set up the unit. So that
you don't repeat my experience, here's how the unit comes set
No IP address assigned
WAN port not set to be a DHCP client
LAN DHCP server not enabled
So make things easy on yourself, and assign a
static IP to the PC that you use for setup. The setup
program will detect the subnet you're in and you'll just have
to enter a number from 1 to 254 to complete the IP address for
Once you assign the SNAPgear an address, you'll be able to reach
the admin pages, where you'll need to enter the other information
to get you connected. The Connect to Internet page (not
shown) gives you the choice of Cable Modem, Modem, ADSL, and Do
not Connect to Internet for non-PPPoE, Dialup, PPPoE, and no Internet
connection respectively. The ADSL setup page shown
here gives you the options you'll need to get set up with most
PPPoE based BSPs. Note that the Cable Modem setup page has
choices for Generic, Big Pond Advance (a popular Australian BSP),
and @Home networks.
The SNAPgear will also let you change the WAN MAC address
for AT&T Broadband and other BSPs, but you'll have to go
to the Advanced > Flash Upgrade page!
You'll probably need to visit this page, where
you both set the IP address and subnet mask for the router itself,
and find the settings for the router WAN port.
Your set-up may also include a visit to the LAN DHCP server page.
In this screen shot, I've already set up the server and have a
few IP addresses leased. Note the ability to end a lease,
but also the absence of MAC address info for the lessees.
DHCP server does not automatically pick up gateway and DNS server
info from the WAN settings. You'll need to set them manually
using an entry area that's not shown on the screen shot, toward
the bottom of the page.
The SNAPgear has a decent set of routing features, but there are
a few quirks you'll need to be aware of, and features that they
don't have. First, the good stuff:
Port Forwarding ("Services") -
The first screen shot shows enables (or disables) for Web (HTTP)
and Telnet services, and also common ICMP based services.
The second shot shows that you have the ability to forward
an unlimited number of single TCP or UDP ports through the
firewall. Unfortunately, you need to define them one at a time
and there are no copying or editing features. There's also
no way to disable a defined port... you have to delete it.
There are no port ranges and no "DMZ" or "Exposed
Server", i.e. the ability to place one computer on the WAN
side of the NAT firewall.
Access Control/Port Filtering ("Security
You can separately set default filtering for all LAN and dial-in
clients (a nice touch), or define filtering for each LAN IP address.
The filter definitions can include multiple TCP and UDP ports
and there is no limit to the number of client filters that can
be defined. However, you can't enable filtering for specific
times or the day or days of the week.
In addition to the missing items mentioned above, here are a few
other things that you should know about:
DMZ - You don't have the ability to place
one computer completely outside the firewall, which may be
required for using applications such as NetMeeting, gaming,
or other applications that you can't get to work through the
Content Controls - You can't control
the type of Web sites that users can visit
Logging - This feature really isn't totally
missing, since router configuration changes are logged
and you can even send them to a syslog server.
But you can't see any information on who's accessing what
through the gateway, or attempts to "probe" your
network from the WAN side.
Alerts - You can't get an email notice
of attempts to access your network or other nasty attacks
Remote (WAN) Administration - You actually
can access the admin pages from the router's WAN side, as
long as you don't also want to access a LAN based webserver.
If you do, your webserver will take precedence over the built-in
admin page server, and you can't move the admin server to
an alternate port. Note also that you can't restrict
external admin access to a specific IP address or address
range to help with security, and the SNAPgear allows multiple
administrators to be logged in, with no warning message.
Server "Loopback" - You won't
be able to access any of your mapped LAN based servers by
using the SNAPgear's external IP address (or assigned domain
if you have one). You'll have to use the "private"
LAN IP address instead.
That's it for the routing features. Now we can look at what SNAPgear's
really bringing to the party... their VPN features!