Author: Ronald V. Pacchiano Review Date: 1/11/2002
Model: LITE + (MSRP $299)
First impressions are important and trying to get past a bad one can be quite difficult. This was the situation faced with the SnapGear LITE+ VPN router. When I first received the test unit my initial impression was "What, are they kidding?" The LITE+ just screams cheap. I started to refer to it as "the Fisher Price Router." It's made of beige plastic and weighs only 12 oz. The documentation was weak. Yet it carries a price tag of almost $300.
In spite of these initial shortcomings the LITE+ is a decent product with a formidable feature set. In fact, if the LITE+ didn't suffer from some quality and configuration issues it might have received the Practically Networked Recommended seal.
Pros
- Secure VPN capability
- No need for 3rd Party VPN client software
- Excellent Port Filtering and Access Control features
Cons
- Cheap Feeling Construction
- Configuration options aren't explained clearly
- Configuration task settings are very repetitive
On the inside
At the core of the LITE+ is a 66MHz Motorola ColdFire CPU. The product's operating system is based on a derivative of the Linux 2.0 kernel called uClinux, which was developed for microcontrollers without Memory Management Units (MMUs). The LITE+ comes equipped with an integrated 4-port 10/100BaseT switch and a total of 6MB of memory: 4MB of RAM and 2MB of Flash. It supports the RIPx, BGP and OSPF routing protocols.
The system is managed through a Web-based interface and even has an integrated serial port so you can share a 56K modem Internet connection. Like other products in this class, the LITE+ gives you broadband Internet connection sharing capabilities, DHCP services, NAT, PPPoE support and Port forwarding services. It also packs in some features normally found on more expensive products. This includes advanced firewall features like Stateful Packet Inspection, port/service restriction based on IP address or user class and full VPN support based on either PPTP or IPSec security protocols.
The "Fisher Price Feel" mentioned earlier can be attributed to an overall lack of attention to detail. For starters, the documentation could have done a better job explaining some of the router's more advanced features and configuration options. Instead what you usually get is a quick overview. Port numbers on the back of the unit don't coincide with the LED link numbers on the front of the unit (Port 1 is 4 and Port 4 is 1) and there is a test light on the front of the unit which is constantly blinking, giving the appearance that the unit is either in a diagnostic mode or experiencing a communications problem. This is actually referred to in the documentation as "The Heartbeat." Re-labeling this to something more descriptive would've been helpful.
Installation and Configuration
Installation of the LITE+ was relatively simple. After connecting the unit to the network I installed and ran the included setup utility. Most routers, like those from Netgear, have a pre-defined IP address. The LITE+ doesn't. SnapGear says this is to prevent conflicts with your existing network. For a large company this could be a concern, but for the SOHO market the LITE+ targets, this shouldn't really be a problem. The setup utility uses the network address of the host system as a template when assigning an IP address to the unit. Note that if the host system isn't part of a preexisting network it will assign the LITE+ a "169" IP address. A 169 address is typically used by systems when no network can be found, which makes it a useful troubleshooting tool. Having it assigned automatically negates that function.
To begin configuration, I used the Web browser to surf to the router's IP address. Click on Connect to the Internet and enter your connection type and ISP information. Configuration options (like DNS, Gateway, etc.) need to be set and applied one at a time. Most routers would let you enter all of this information and apply it at once, but not the SnapGear. When finished, restart the router.
At this point you'll either need to reconfigure your workstation with a static IP address or set up the router's DHCP services. By default DHCP is disabled, so would-be administrators will have to have some understanding of DHCP functions to configure it correctly. Additionally, there is no predefined DHCP range, so you'll need to do this manually.
One of the SnapGear LITE+'s better features is its ability to apply port filtering and access control settings to either individual systems or classes of users. For example, you could give all of your sales people full access to network services (like Internet and e-mail) while other personnel, like a receptionist, can be limited to just e-mail. You can also set policies individually by IP address. However, if you're looking to filter content by category or content, the LITE+ has no such ability. Nor can it be configured to track WAN usage. The way the configuration menu is set up, all port forwarding rules need to be entered individually. Being able to configure multiple ports simultaneously would be nice.
One of my concerns with the LITE+ is its logging and reporting abilities. Information on attempted attacks is limited at best and logs can't be e-mailed directly to an administrator upon intruder detection. This is a shortcoming that needs to be addressed. The unit has no DMZ capabilities, preventing you from placing a PC outside of your firewall. This isn't a major concern for most, but some applications might require this. A firmware update (version 1.51) is now available for download which might address some of these. We'll see.
Virtual Private Network (VPN) solutions used to cost gobs of money to design and build. Today, many low cost routers, including the SnapGear LITE+, possess these features and give network administrators the freedom to implement these high-tech solutions relatively easily.
Secure connections can be implemented using either the Point-to-Point Tunneling Protocol (PPTP) or IPSec. PPTP supports various authentication methods including PAP, MPPE, CHAP, MSCHAPv2 and RC4, which together combine strong authentication and encryption. For an even stronger level of protection, implement your VPN using IPSec. IPSec support covers a variety of protocols, including ESP, MD5, SHA1, IKE Key Exchange, DES and 168-bit 3DES encryption. The LITE+ can support up to five simultaneous PPTP tunnels or 12 simultaneous IPSec tunnels.
The LITE+ can be configured as either a PPTP VPN client or server. The client configuration would be used to connect to another router in a remote office to create a small WAN. As a server, it uses PoPToP (The Open Source PPTP Server) to allow remote Internet users to connect to your local area network (LAN). PoPToP is compatible with Windows 9x/NT/2000 Dial-up Networking and Linux PPTP clients. Unlike some other routers that require third party VPN client software, the LITE+ works right out of the box.
I tried running our usual Qcheck test on the LITE+, but ran into a number of problems. Qcheck was having trouble getting from the PC connected to its WAN port and the PC on the WAN side could not talk to any of the PCs on the LAN side. After a fair amount of fine tuning I was finally able to generate performance numbers from the LAN-WAN side, which were in fact, a bit quicker than the ones we saw with the Netgear FV318. WAN-LAN testing is still incomplete and I'll update those numbers as soon as possible.
Qcheck Transfer Rate (Mbps) [1MB data size]
Qcheck Response Time (msec) [10 iterations, 100byte data size]
Qcheck UDP stream [10 seconds at 500Kbps] (Actual throughput, kbps) (Lost data, %)
WAN to LAN
LAN to WAN
Additionally, while adding rules to the system and configuring its port forwarding settings the LITE+ would occasionally drop its IP address, preventing us from accessing it or passing data. This forced me to rerun the setup utility multiple times. Updated firmware is available on the Web site; I'll install it and see if any of these issues get resolved.
As the saying goes, you can never undo a bad first impression and many of our initial impressions of the SnapGear LITE+ were substantiated. The documentation should have been better and the Web interface, while easy to use, requires too many repetitive functions to enter configuration data. The "Fisher Price" feel negates the credibility of what is otherwise a solid network router. With a little time and attention to detail the SnapGear LITE+ VPN Router could become a serious contender in what is quickly becoming a crowded market.
Despite its problems, the LITE+'s firewall and VPN capabilities are excellent for the money and the fact that you don't need a 3rd party client to get remote users up and running on the VPN makes it all the more attractive. So while we can't award it the Practically Networked seal of approval, we can say that we see a great deal of potential here and hope it continues to evolve.