SonicWALL SOHO3 and TELE3
Author: Steven J. Vaughan-Nichols Review Date: 11/21/2002
Model Numbers: SOHO3 ($495), TELE3 ($495)
If you're like me and you believe that a firewall belongs on a box of its very
own--not with a router, not on a PC--then SonicWALL has a pair of appliance firewalls
that will tickle your fancy and fit your bill: the SOHO3 and the TELE3. The
only real difference between the two is that the TELE3 is designed from the
get-go for home and small branch office (less than 10 people) users to use a
virtual private network (VPN) to connect with the main offices, while the SOHO3
can be upgraded to handle more users and doesn't come with network-to-network
Pros: Easy to set up; simple to manage
Cons: No DMZ port; confusing product selection
Both TELE3 and SOHO3 come with wide area network (WAN) and local area network
(LAN) ports. But they don't have a demilitarized zone (DMZ) port, so if you're
running a Web or e-mail server, you'll need to move up the SonicWALL family
Given this configuration, you normally set up the SonicWALLs between your cable
or DSL router and the network. My situation was a little different. My DSL
provider uses an Alcatel Speed Touch USB device for the DSL connection and a
PC, using Internet Connection Sharing (ICS), as the router.
While not covered in the manual, the solution is simple enough. You connect
the PC router's Ethernet cable to the SonicWALL's WAN port and from there you
link the SonicWALL's LAN port to a network port on your LAN hub. In my case,
that's a Dell PowerConnect 3024 Fast Ethernet/Gigabit Ethernet switch. To make
a long story short, it worked like a charm after some cable swapping.
Any user who's done any networking work at all shouldn't have problems with
the SonicWALLs in most setups. The manual clearly covers how to connect the
firewall using Network Address Translation (NAT, typically cable modem, frame-relay
or T1); NAT with Point-to-Point Protocol over Ethernet (PPPoE, typically DSL)
and NAT with a Dynamic Host Configuration Protocol (DHCP) client that's often
found with both cable and DSL setups. Sound complicated? Don't sweat it; the
manual makes it easy to figure out what's what.
Once the power is on and the cabling is in place, basic installation is done
using a Java application off a supplied CD-ROM. Actually setting up and managing
the SonicWALLs is done from an easy-to-use Web interface.
Like any good firewall should, the SonicWALLs block all incoming ports except
for the ones like port 80 for Web surfing. The firewall also makes it easy to
choose and pick from all the other common Web ports that your applications might
need. Going beyond many other such appliances and popular applications like
ZoneAlarm, the SonicWALLs also support video-conferencing's difficult-to-firewall
Unfortunately, the SonicWALL's default, like many other firewalls, is to allow
all outgoing network transactions. That's fine in 99% of all situations, but
if a backdoor Trojan like Backdoor.Goster or Backdoor.GWGhost has already infected
your systems, your PCs are still compromised and you'll be none the wiser.
With the SonicWALL's interface you can seal up any possible leaks from the
inside. Better still, before setting up SonicWALL, or any other firewall for
that matter, run an up-to-date virus checker on your PCs to make sure that a
backdoor program isn't already in place. After all, if the fox is already in
the chicken coop, locking the coop's door isn't going to help much.
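
The difference between the allow-all outbound default and a sealed-up outbound policy, as an added example (not SonicWALL's rule engine or code from this review). The rule format, addresses and flows are constructed for illustration:

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    action: str   # "allow" or "deny"
    src: str      # source network in CIDR form
    proto: str    # "tcp" or "udp"
    dport: int    # destination port

class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int

def decide(flow, rules, default):
    """First matching rule wins; otherwise the default action applies."""
    for r in rules:
        in_net = ipaddress.ip_address(flow.src) in ipaddress.ip_network(r.src)
        if in_net and flow.proto == r.proto and flow.dport == r.dport:
            return r.action
    return default

def blocked(flows, rules, default):
    """Return the outbound flows the policy would drop (and should log)."""
    return [f for f in flows if decide(f, rules, default) == "deny"]

LAN = "192.168.1.0/24"  # assumed LAN range
EGRESS_RULES = [
    Rule("allow", LAN, "tcp", 80),
    Rule("allow", LAN, "tcp", 443),
    Rule("allow", LAN, "udp", 53),
    Rule("allow", "192.168.1.10/32", "tcp", 25),  # only the mail host sends SMTP
]

# Constructed outbound flows (documentation address ranges).
FLOWS = [
    Flow("192.168.1.20", "203.0.113.5", "tcp", 80),     # ordinary Web browsing
    Flow("192.168.1.20", "198.51.100.7", "tcp", 6667),  # unexpected port from a desktop
    Flow("192.168.1.10", "203.0.113.25", "tcp", 25),    # mail host sending mail
    Flow("192.168.1.30", "203.0.113.25", "tcp", 25),    # desktop sending mail directly
]

if __name__ == "__main__":
    print("allow-all default drops:", blocked(FLOWS, [], "allow"))
    for f in blocked(FLOWS, EGRESS_RULES, "deny"):
        print("deny-by-default drops:", f)
```

The dropped flows are the ones worth reviewing in the firewall log, since a desktop has no reason to generate them.
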
In addition to port and protocol firewalling, the SonicWALLs come with Stateful
Packet Inspection (SPI). In SPI, data packets are checked, in short, to make
sure that they're legitimate packets that should be going in and out of your
network. For example, incoming Internet Control Message Protocol (ICMP) redirect
packets are forbidden entry since they could be used to misdirect traffic.
Beyond the fancy words, what it all means is that the SonicWALLs go a step
beyond basic firewalls to make sure that your systems stay safe.
The firewall also comes with many other optional features such as client VPN
licenses, content and anti-virus filters. If anything, though, these systems
have too many options. For example, there are at least three SOHO3 models and
up to 14 different options for each one. Yes, you can certainly get exactly
the firewall you need, but it can be downright confusing picking it out. Fortunately,
SonicWALL's Web site has a walk-through system to help you pick the right combination
for you, but I still found it a touch confusing and I've been running firewalls
for almost twenty years now.
Some of the features have a few quirks. For example, you can block access to
a given Web site by name, but if someone inside your network knows the site's
IP address, they can still get to it. It's not a major problem, but it does
point out that no matter how easy a firewall appliance can be to manage--and
the SonicWALLs are certainly that--you still need to take security seriously.
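
Why a name-only block list misses a request made by IP address, and one way to close the gap, as an added example (not SonicWALL's filter or code from this review). The site name, its address and the `resolved` lookup table are constructed, and the table is assumed to be refreshed from DNS by whoever maintains the list:

```python
import ipaddress
from urllib.parse import urlsplit

def host_of(url):
    """Lower-cased host part of a URL, without port or trailing dot."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def name_blocked(host, blocked_names):
    """True if host is a blocked name or a subdomain of one."""
    return any(host == n or host.endswith("." + n) for n in blocked_names)

def filter_by_name(url, blocked_names):
    """Name-only filter: the behaviour the review describes."""
    return name_blocked(host_of(url), blocked_names)

def filter_by_name_and_ip(url, blocked_names, resolved):
    """Also block IP-literal hosts that a blocked name resolves to."""
    host = host_of(url)
    if name_blocked(host, blocked_names):
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a host name that is not on the list
    blocked_addrs = {
        ipaddress.ip_address(a)
        for name in blocked_names
        for a in resolved.get(name, ())
    }
    return addr in blocked_addrs

# Constructed sample data (reserved example name and documentation addresses).
BLOCKED = {"blocked.example"}
RESOLVED = {"blocked.example": {"192.0.2.80"}}

if __name__ == "__main__":
    for url in ("http://www.Blocked.example/page",
                "http://192.0.2.80/page",
                "http://198.51.100.9/"):
        print(url,
              "name-only:", filter_by_name(url, BLOCKED),
              "name+ip:", filter_by_name_and_ip(url, BLOCKED, RESOLVED))
```

Blocking by address also blocks any other site hosted on the same address, so the resolved list needs review when it is refreshed.
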
Most users, though, won't have to worry about such issues. Out of the
box, the SonicWALLs do their main job of protecting your network flawlessly.
Moreover, if you use DHCP to give your PC network addresses and you run a wireless
network, you'll be especially interested to know that the SonicWALLs can act
as DHCP servers with a significant security twist. You can set the SonicWALLs
to lock DHCP leases to a given MAC (machine level) address. With this, only
devices with authorized network interface cards (NICs) can get on-board your
network. While hardly a perfect solution to wireless security problems, it
can help keep network traffic hitchhikers off your bandwidth.
In addition to basic firewall protection, the TELE3 comes with a good network-to-network
and PC-to-network VPN and you can add this feature to most SOHO3 models. Unlike
most VPNs, which can slow network throughput down by about 10%, I didn't see
any such slowdown when using the TELE3.
Whether you're a VPN user who needs a TELE3 to connect with the main office
without fuss or muss, or just a SOHO user who wants a SOHO3 to block Internet
attacks, SonicWALL is for you.
The only thing you really must be careful of is that you get the right combination
of hardware and software options you need. The SonicWALL Web site isn't as useful
as it could be with this critical question. Fortunately one of SonicWALL's most
important resellers, SecureHQ, has an excellent Buyer's
Guide and FAQ that goes a long way towards helping you make the right
SonicWALL buying decision. And, trust me, a SonicWALL decision will be a right