Cayman Wireless Router
Author: Tim Higgins Review Date: 9/1/2001
Pros:
- Fast routing
- Bandwidth control
- Non TCP/IP protocol bridging

Cons:
- Slow wireless
- Only 40 bit WEP
- No MAC address association control
- No port filtering
Link/Activity for each of eight LAN
WAN Activity (Front Panel)
WAN Link/Activity (Rear Panel)
One RJ45 10BaseT WAN
Eight RJ45 10BaseT LAN (not
DB9F RS232 Serial console
System CD with manuals, drivers, software
Power Supply (120V)
printed "Getting Started" Guide
No Hardware Reset switch
No Uplink or Normal / Crossover switch for LAN Ports
Removable PC card radio with removable patch antenna module.
The Cayman 2E-H-W11 is an 802.11b wireless router with a built-in
8-port 10BaseT hub. It pairs a fast, flexible NAT router
with a poorly performing wireless side. Designed primarily
to be sold to BSPs (Broadband Service Providers), it has some
unique features that may interest experienced networkers... if
they want to pay the price.
I didn't have problems setting up the W11, since it has both HTTP
(browser) and Telnet based admin interfaces (a serial console
connection is also provided) and came with its built-in DHCP server
enabled. My trusty test PC was set to be a DHCP client and
leased an address without problem so that I could connect to the
192.168.1.254 admin server address.
During my testing, I was surprised to find the default
setup of the W11 to be very insecure. Not only does
the unit ship without a default admin password, but it
has both the HTTP and Telnet admin interfaces open to the WAN
side of the router! The unit allows multiple
users to be logged into the admin server at the same time, with
no notification of the additional logins. There's also no
way to limit WAN side admin access to either an IP address range
or specific IP address to enhance admin security.
Note that in the screen shot above, you do
get a security warning about the lack of a password. But there's
nothing to warn users that their router can be controlled by
anyone who Telnets in or types their IP address into a web browser!
This should be fixed IMMEDIATELY, since port scans for ports 23
and 80 are a daily, if not hourly occurrence for most users, even
those of us on dialup connections! Cayman also doesn't let
you set the W11 so that it doesn't respond to pings from the WAN
side, although they say this is coming in a future firmware release.
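One way to confirm from a host outside your LAN that the two admin services named above (Telnet on port 23, HTTP on port 80) are no longer reachable on your own router's WAN address. This is an added example, not part of the original review or Cayman's software; the function names and the reading of HTTP status 200 versus 401 are assumptions made for illustration.

```python
import socket
import sys

# Admin services the review found reachable from the WAN side.
ADMIN_PORTS = {23: "telnet", 80: "http"}

def probe(host, port, timeout=2.0):
    """TCP connect check: 'open', 'closed' (refused) or 'filtered' (no reply)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # timeouts and unreachable-network errors
        return "filtered"

def http_status(host, port, timeout=2.0):
    """Status code for an unauthenticated GET /, or None if nothing parseable."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            line = s.makefile("rb").readline().split()
        return int(line[1]) if len(line) >= 2 and line[1].isdigit() else None
    except OSError:
        return None

def audit(host, ports=ADMIN_PORTS, timeout=2.0):
    """Return (port, note) findings for admin services that accept connections."""
    findings = []
    for port, service in sorted(ports.items()):
        if probe(host, port, timeout) != "open":
            continue
        note = f"{service} admin port {port} reachable"
        if service == "http":
            code = http_status(host, port, timeout)
            if code == 200:    # assumption: 200 means no password was asked for
                note += "; page served without an auth challenge"
            elif code == 401:  # password set, but the interface is still exposed
                note += "; password required, but still exposed"
        findings.append((port, note))
    return findings

if __name__ == "__main__":
    # Constructed default so the script runs as-is; pass your router's WAN address.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, note in audit(host):
        print(f"[!] {note}")
```

An empty result from the WAN side is the goal; any finding on port 23 or 80 means the admin interface is still answering strangers.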
Once you secure your W11, you'll find pretty much
everything you need to set up for most BSPs. For @Home use,
you can set the router name and Domain Name for the DHCP server
to hand out to clients. ATT Broadband and other MAC address
authenticated users will need to use the Telnet interface's CONFIG
commands to change the WAN MAC address. PPPoE is supported,
but you can only enter your username and password -- no idle time
or auto-reconnect settings are provided.
The W11 has an interesting mix of routing capabilities. You can
forward up to 64 ports or port ranges ("pinholes"), but the
mappings are static, i.e. triggered
maps are not supported. You currently can't do any
port filtering to control the services that users can access, but Cayman
says they'll be adding this in a future firmware release. You
can also set one "default host" that is effectively placed
on the WAN side of the firewall.
If VPN is your interest, you'll find that the W11
supports pass-thru for multiple PPTP or IPsec client sessions.
There's no hard limit on the number of sessions or number of sessions
per server. On the downside, "pinholes" won't
work for accessing PPTP and IPsec LAN-side servers from
the Internet (WAN), although you can try using the "default
host" function for this.
Up to 16 static routes are supported, and you can
enable RIP1, RIP2, or RIP2 with MD5 authentication for dynamic
Logging is restricted to configuration "console"
type messages, with no Web site or other IP traffic logged, and
no security ("hack") attempts. Cayman says that "a
soon to be available product" will provide security event
logging, though. You can clear the log, but can't save it
or send it to a syslog or SNMP trap server. Other links
on the Monitor page let you view a variety of router and network
The W11's routing features include a few that you
don't normally find in a consumer router, but that a BSP would
feel right at home with: (These features are available via the
Telnet admin interface only.)
- You can enable bridging of non TCP/IP protocols (such as AppleTalk and NetWare) between all router interfaces (WAN, LAN, and Wireless). Bridging essentially makes multiple networks look like one network by not paying attention to IP addresses, but using devices' MAC addresses to send data to the right place. (See this page for more on bridges.)
- The "Traffic Shaping" option lets you set the maximum transfer rate (throughput) that's allowed through the router. This setting applies to all traffic through the router, i.e. you can't set it on a per-user or application basis.
If you really want to get into the details, download
the documentation from the Cayman