Tips for Securing Your Home Router
Seemingly minor and easily overlooked settings can still have profound security implications. Here are some steps you can take to make sure your wired or wireless home router — and by extension, your network — is as secure as possible.
Most Popular Reviews
Microsoft Windows Home Server
If you have a home network, you'll welcome the easy file sharing, remote access and the image-based backup features of Windows Home Server.
MikroTik's The Dude
This free tool delivers many of the same capabilities that you'd find in pricey network monitoring tools. As long as you don't mind tinkering, The Dude is a decent network utility that should be worth the download.
If nothing else, the advent of broadband technology has emphasized numerous
security holes in many of our most trusted network operating systems. These
shortcomings prove that we can't take our privacy for granted and need to take
every precaution to protect ourselves and our data from Internet intruders.
High-end network routers however can be very expensive and the cost of hiring
specially trained people to ensure that the job is done right doesn't help matters.
ZyXEL Communications understands this situation and developed a series of Internet
Security Gateways the just might be what your looking for.
Their ZyWALL series of routers are incredibly feature rich, are available for
various environments and can be configured by a person with a minimum of network
experience. In spite of a deceivingly simple installation, the ZyWALL products
have enough bell and whistles to please even the most demanding tech-heads.
And while the ZyWALL routers are by no means cheap, the feature set they offer
makes them a veritable bargain.
We recently we had the chance to spend some time with two products in the ZyWALL
family; the less than $150 street ZyWALL 1 and the ZyWALL 50 which retails for
around $630. These two products are very similar in operation and function,
but are designed for two very different audiences.
For the home office user or telecommuter there's the ZyWALL 1. This model shares
the majority of its features with the ZyWALL 50. In addition to the basic goodness
of the ZyWALL 1 feature set, the ZyWALL 50 has higher aspirations and is aimed
directly at the needs of small business users. Advanced firewall capabilities,
superior content filtering and the ability to generate a large number of VPN
tunnels make this a total Internet Security Solution.
Support for Dynamic DNS
Detailed logging and alerts via e-mail
Supports up to 50 VPN Tunnels (ZyWALL 50)
Excellent content filtering
No auto-sensing ports
User Guide on CD only
No integrated switch (ZyWALL 50)
Firewall rule creation can be confusing
Both the ZyWALL 1 and ZyWALL 50 are DSL/Cable modem routers with integrated
firewall and VPN functionality. They share many common features, but differentiate
in the number of VPN tunnels they support and the depth of the content filtering
ZyXEL designed both of these products to support numerous routing protocols.
These include TCP/IP, RIP-1, RIP-2, ICMP, ARP, IP Multicast and IP Alias. An
abundance of security protocols provide network users with even greater protection.
Encryption comes in the form of Network Address Translation (NAT), PPTP, IP
Sec, Digital Encryption Standard (DES), Triple DES (3DES) and Internet Key Exchange
(IKE). To help defend against Denial of Service (DoS) attacks the ZyWALL products
make use of Stateful Packet Inspection (SPI) technology to continuously examine
incoming data packets. The ZyWALL 50 can support one PPTP server connection
at any given time and both units have built-in support for Dynamic DNS. This
is important for users that don't have access to a static IP address.
Small business administrators will like the two products' logging and content
filtering capabilities. Content filtering on the ZyWALL 50 is excellent. It
can be configured by either domain name, keyword, or a subscription based content
filtering service. Filter updates can be setup for automatic download on either
a daily, weekly or monthly basis and is free for 6 months. On the ZyWALL 50
workstations can be exempted from the filtering. Filtering capabilities on the
ZyWALL 1 are based on Keywords and specific services can be blocked, but there
is no subscription service available. The ZyWALL 1 can exempt one workstation
from the filtered services and sites.
The system and filter logs of both products collect a wealth of information
to help with the monitoring of network traffic. Logs can collect data on anything
from System Errors to blocked Web sites and even network attacks in real-time.
When someone tries to visit a restricted site they are informed that the site
has be blocked and to contact the System Administrator. The access attempted
is then logged. The routers reports on which Web sites have been visited, which
IP address made the request and the time that the access took place. These logs
can be e-mailed to the administrator daily or weekly.
Almost every aspect of the routers operation can be customized using the browser
based interface. NAT settings can be altered, static routes and additional firewall
rules can also be created. Specific Web features like ActiveX, Java and cookies
can be blocked as well. The Filtering capabilities were very good and kept restricted
sites from being reached when using either the qualified domain name or the
sites IP address.
Both ZyWALL products have built-in DHCP capabilities and can handle client
IP assignments. A 4-port switch is integrated into the ZyWALL 1 so you can get
a small group of users up and running quickly. Auto-sensing ports are not part
of the package, so you'll need to use the uplink switch when working with crossover
and straight through cabling. The ZyWALL 50 doesn't have hub or switch ports
on it. So you'll need to make sure you have an external switch available before
you begin that network installation. I would have liked to have seen at least
an 8-port switch on the unit.
One of the most valuable features of these products is their ability to generate
a secure Virtual Private Network (VPN) tunnel with other offices or remote users.
IPSec in conjunction with SHA-1 and MD5 authentication techniques have come
a long way in securing VPN traffic. The ZyWALL 50 can support up to 50 VPN tunnels
while the ZyWALL 1 is limited to only one VPN tunnel.
Installation and Configuration
The Web-based management system is well thought out, easy to navigate and simple
to use. For most users the configuration wizard will get your router properly
configured. Advanced menus and maintenance screens will smooth out any installation
glitches that the wizard can't solve. Future updates to the gateways operation
are easily installed thanks to an upgradeable firmware.
Connecting both products to our network was very straightforward and required
nothing more then plugging in the ZyWALL and connecting the appropriate LAN
and WAN ports. In the case of the ZyWALL 1, we just connected our PCs to the
integrate 4-port 10/100 switch and plugged the cable modem into the available
WAN port. The ZyWALL 50 required connecting the router to an external switch.
Our Road Runner cable modem automatically assigned the ISP information to both
ZyWALL products so we were functional without having to perform any additional
configuration. DHCP is enabled by default so our workstations were assigned
IP addresses automatically.
The ZyWALL 1 and ZyWALL 50 Internet Security Gateways are both easy to install,
configure and administrator. Most of the features can be setup by a person with
a moderate amount of networking experience, but if your going to try and tackle
some of its more advanced features, like firewall rule creation or NAT customization,
you had better have a good understanding of network operations.
The ZyWALL 50 is an impressive piece of hardware that offers many of the options
of a CISCO router without the need for a CCNA to do the configuration. The ZyWALL 1 is ideal for the telecommuter and is ideal
suited to its task.