ZyXel Prestige 652 Series ADSL Security Router
Author: Joseph Moran Review Date: 12/20/2002
Model Number: Prestige 652 ($499)
Includes DSL CPE and provides line diagnostics
Strong firewall, filtering, alerting and logging
Not all features configurable via Web browser interface
On the surface, the ZyXel
Prestige 652 may appear to be another garden-variety broadband router, but
it's clearly targeted at small businesses rather than the home or home office
markets. The Prestige 652's features, flexibility, and price ($499) all reflect
the business focus. It is distinguished by a strong and flexible firewall, a
comprehensive content filtering capability, and excellent alert and logging
The Prestige 652 also includes built-in DSL equipment, so you can't use it
in conjunction with a cable modem (ZyXel has other products that incorporate
cable modem hardware). The Prestige 652 provides but one 10/100 Ethernet port,
so an additional switch is a must unless you've got a one-computer network.
(The port features an uplink switch so you can use either a straight-through
or crossover cable.) The unit also provides a console port for direct configuration
from a PC and a serial port that can connect to either an analog or ISDN modem
as a backup to the DSL.
Because the Prestige 652 incorporates its own DSL CPE, the first order of business
is to chuck whatever DSL gateway your ISP provided you with, since it won't
be necessary and can't be used with the 652. Indeed, the Prestige 652 is just
the type of device you would likely get from your ISP for business-level DSL
As a result, if you haven't received the 652 from your Internet provider, the
initial setup procedure of the unit will require a little bit of preparation
and gathering of information in advance. You'll need circuit-specific information
like the Virtual Circuit Identifier and the type of encapsulation in use. The
652 supports eight different encapsulation methods, including PPPoE (Point-to-Point
Protocol over Ethernet) and PPPoA (Point-to-Point Protocol over ATM).
The kind of information that's required to get the 652 up and running is typically
not published by the ISP for customer use, and you may or may not be able to
obtain it from the technical support line. In my case, my ISP was unable to
help me and I ultimately received assistance from ZyXel technical support.
Given the proper information, the setup is relatively straightforward. It's
wizard-based, and only consists of about a half-dozen fields. Once I had the
telco info, getting Internet connectivity took only about 20 seconds.
The Prestige 652 features the obligatory Web-based configuration utility, but
that's not the only, or even necessarily the best, way to interact with
the unit. Like all ZyXel products, the 652 is based on the ZyNOS operating system,
and in addition to the Web-based interface, you can also configure the unit
via telnet or console cable. When connected to the unit in this way, you're
presented with ZyXel's SMT (System Management Terminal), a menu-driven interface,
but you can also configure the router via a command line interface similar to
Most people will probably choose to configure the unit via a browser-based
interface, and most features are configurable this way. Some of the more
advanced features can only be accessed via the SMT or command line modes.
The ZyXel supports many of the customary features of a broadband router, whether
for business or home use. This includes things like Network Address Translation
(NAT), Dynamic DNS, and DHCP. The 652 takes some of these features a step further
than usual, however.
For example, the unit can serve as a DHCP server, but also as a DHCP relay,
obtaining and distributing addresses obtained from another DHCP server on a
remote network. It also supports both one-to-one and many-to-many NAT, so if
you happen to have a range of global IP addresses from your ISP, you can map
them individually or as groups to specific internal addresses, which is helpful
when you want to precisely monitor network traffic.
A testament to the potential complexity of the ZyXel Prestige 652 is the size
and scope of its manual. It's 330 pages long, so fortunately for the environment
the manual is provided as a PDF and not a printed document. Most of the manual
deals with configuring the router directly via the ZyNOS SMT, so you can probably
safely toss it to the side unless you plan to employ some of the more advanced
features of the router.
On the other hand, the manual is worth a perusal if security is important to
you. The firewall section not only goes into considerable depth in discussing
the Prestige 652's security capabilities, it also provides good technical explanations
of various kinds of IP denial-of-service attacks like SYN flood, Smurf, and
The space the Prestige 652 manual devotes to security is not surprising, and
the firewall features of the router reflect this level of attention. You can
specify individual sets of rules for LAN to WAN and WAN to LAN traffic, and
you can separately define TCP, UDP, and ICMP timeouts to ensure that inactive
sessions are dropped after a given amount of time.
Here's a nice feature: any rule you define can have an alert associated with
it, so attacks can be immediately logged and/or e-mailed to the network administrator.
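As an added illustration of the firewall behaviour just described (separate LAN-to-WAN and WAN-to-LAN rule sets, per-protocol idle timeouts that drop inactive sessions, and an alert attached to any rule), here is a small Python model. It is constructed for this page and is not ZyNOS code; the rule names, addresses and timeout values are assumptions.

```python
"""Model of a directional firewall with per-protocol idle timeouts and per-rule
alerts. Constructed example for this page, not code from ZyXel or ZyNOS."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    name: str
    proto: str                  # "tcp", "udp", "icmp" or "any"
    src: str                    # CIDR, e.g. "0.0.0.0/0"
    dst: str
    dport: Optional[int]        # None matches any destination port
    action: str                 # "permit" or "deny"
    alert: bool = False         # notify the administrator when this rule fires

    def matches(self, proto, src_ip, dst_ip, dport):
        return (self.proto in ("any", proto)
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


@dataclass
class Session:
    proto: str
    src_ip: str
    dst_ip: str
    dport: Optional[int]
    last_seen: float            # seconds; refreshed by each packet of the flow


class Firewall:
    # Anything no explicit rule matches is dropped (default deny, no alert).
    DEFAULT = Rule("default-deny", "any", "0.0.0.0/0", "0.0.0.0/0", None, "deny")

    def __init__(self, timeouts):
        self.rules = {"LAN->WAN": [], "WAN->LAN": []}   # two independent rule sets
        self.timeouts = timeouts                         # e.g. {"tcp": 300, "udp": 60, "icmp": 10}
        self.sessions = []
        self.log = []                                    # every decision
        self.alerts = []                                 # only decisions from alert=True rules

    def add_rule(self, direction, rule):
        self.rules[direction].append(rule)

    def new_flow(self, direction, proto, src_ip, dst_ip, dport, now):
        """Evaluate a new flow against the rule set for its direction."""
        rule = next((r for r in self.rules[direction]
                     if r.matches(proto, src_ip, dst_ip, dport)), self.DEFAULT)
        entry = f"{direction} {proto} {src_ip}->{dst_ip}:{dport} {rule.action} ({rule.name})"
        self.log.append(entry)
        if rule.alert:
            self.alerts.append(entry)
        if rule.action == "permit":
            self.sessions.append(Session(proto, src_ip, dst_ip, dport, now))
        return rule.action

    def expire(self, now):
        """Drop sessions idle for at least the timeout of their protocol."""
        keep = [s for s in self.sessions if now - s.last_seen < self.timeouts[s.proto]]
        dropped = len(self.sessions) - len(keep)
        self.sessions = keep
        return dropped


def demo():
    """Constructed scenario: one mail server exposed inbound, a telnet probe alerted on."""
    fw = Firewall({"tcp": 300, "udp": 60, "icmp": 10})
    fw.add_rule("LAN->WAN", Rule("lan-out", "any", "192.168.1.0/24", "0.0.0.0/0", None, "permit"))
    fw.add_rule("WAN->LAN", Rule("smtp-in", "tcp", "0.0.0.0/0", "192.168.1.10/32", 25, "permit"))
    fw.add_rule("WAN->LAN", Rule("telnet-probe", "tcp", "0.0.0.0/0", "192.168.1.0/24", 23,
                                 "deny", alert=True))
    results = [
        fw.new_flow("LAN->WAN", "tcp", "192.168.1.50", "203.0.113.5", 443, now=0),
        fw.new_flow("WAN->LAN", "tcp", "198.51.100.7", "192.168.1.10", 25, now=0),
        fw.new_flow("WAN->LAN", "tcp", "198.51.100.7", "192.168.1.10", 23, now=5),
        fw.new_flow("WAN->LAN", "udp", "198.51.100.7", "192.168.1.10", 53, now=5),
    ]
    fw.new_flow("LAN->WAN", "udp", "192.168.1.50", "203.0.113.5", 53, now=10)
    dropped = fw.expire(now=100)   # the UDP session (60 s timeout) is idle 90 s and goes
    return results, len(fw.alerts), dropped, len(fw.sessions)


if __name__ == "__main__":
    print(demo())
```

The design point worth noting is that only the rule the administrator flagged raises an alert; the default deny is logged but stays quiet, so the alert channel carries the cases you chose to watch rather than every stray packet.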
The Prestige 652 provides VPN capability via IPSec (but not the older PPTP
or L2TP protocols) and it provides two levels of encryption -- DES (56-bit)
and 3DES (168-bit). Two simultaneous VPN tunnels are possible.
Remote Management and Logging
When it comes to remote management capability, the Prestige 652 gives you a
good deal more flexibility than most routers. Like others, you can specify a
client IP address and port for remote access. However, the Prestige 652 can be
accessed remotely three different ways -- via the Web, Telnet, or FTP -- and you
can apply individual settings for each type. You can also individually specify
whether each type is accessible from the LAN, WAN or both.
The Prestige 652's Maintenance menu includes a system status page that goes
beyond simply displaying the LAN and WAN address information -- also available
is such information as link state, upstream and downstream bandwidth, and the
CPU load on the LAN port. There's also a diagnostics page that lets you run
various tests on your DSL circuit, including checking the noise margins on both
the upstream and downstream connections.
Recognizing that control of employee Internet access is important in a business
environment, the Prestige 652 includes some fairly sophisticated content control
features. You can block your users' access to Web sites by keyword, and you
can dictate a schedule for when the blocking will take place. The schedule can
be particular days of the week, every day, or just a certain part of the day.
For the boss, you can also specify an IP address or range of addresses that
signify trusted users that are exempt from the content filtering restrictions.
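The content-control logic described in this paragraph (keyword blocking, a blocking schedule by day and time, and a trusted address range that bypasses the filter) can be modelled in a few lines. This is an added example written for this page, not the router's own code; the keywords, schedule and addresses are constructed.

```python
"""Keyword Web filter with a blocking schedule and trusted-address exemption.
Constructed example for this page, not ZyXel code."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time


@dataclass
class Schedule:
    days: set           # weekday numbers, 0=Monday .. 6=Sunday; empty set = every day
    start: time
    end: time

    def active(self, when: datetime) -> bool:
        """True if blocking is in force at the given moment."""
        if self.days and when.weekday() not in self.days:
            return False
        t = when.time()
        if self.start <= self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end     # window that crosses midnight


class ContentFilter:
    def __init__(self, keywords, schedule, trusted):
        self.keywords = [k.lower() for k in keywords]
        self.schedule = schedule
        self.trusted = [ipaddress.ip_network(n) for n in trusted]
        self.log = []

    def decide(self, client_ip, url, when):
        """Return 'allow' or 'block'; every decision is logged with its reason."""
        ip = ipaddress.ip_address(client_ip)
        if any(ip in net for net in self.trusted):
            verdict, reason = "allow", "trusted client"
        elif not self.schedule.active(when):
            verdict, reason = "allow", "outside schedule"
        else:
            hit = next((k for k in self.keywords if k in url.lower()), None)
            verdict, reason = ("block", f"keyword:{hit}") if hit else ("allow", "no match")
        self.log.append(f"{when.isoformat()} {client_ip} {url} {verdict} ({reason})")
        return verdict


def office_filter():
    """Constructed policy: block weekdays 09:00-17:00, the boss at .1 is exempt."""
    return ContentFilter(
        keywords=["games", "chat"],
        schedule=Schedule(days={0, 1, 2, 3, 4}, start=time(9, 0), end=time(17, 0)),
        trusted=["192.168.1.1/32"],
    )


if __name__ == "__main__":
    f = office_filter()
    print(f.decide("192.168.1.20", "http://www.example.com/games/", datetime(2002, 12, 18, 10, 0)))
    print("\n".join(f.log))
```

Matching is plain substring search on the lower-cased URL, which is what a keyword filter of this era did; note that it can only see what the router can read, so it neither inspects page content nor does anything about hosts reached by address alone.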
Those who like to keep close tabs on the happenings of their network will really
like the Prestige 652, because it has more logs than Abraham Lincoln's birthplace.
The content filters, VPN, and firewall are all separately logged. Because logs
are useless unless read, you don't need to connect to the router to check them;
they can be output to a Syslog server (though you need to configure that via
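Shipping the logs to a Syslog server only pays off if something reads them. As an added example (not the router's code; the message layout is constructed, since the page does not show the 652's actual log format), here is a parser for RFC 3164-style syslog lines of the kind a router would send, which summarises inbound firewall denies per source address.

```python
"""Parse constructed RFC 3164-style syslog lines from a router and summarise
WAN->LAN denies per source. Example written for this page; the message
format inside the syslog envelope is assumed, not ZyNOS's real format."""
import re
from collections import Counter

# Constructed sample lines: <PRI>Mmm dd HH:MM:SS host tag: message
SAMPLE_LOG = """\
<134>Dec 20 10:01:12 prestige firewall: WAN->LAN tcp 198.51.100.7 -> 192.168.1.10:23 deny
<134>Dec 20 10:01:13 prestige firewall: WAN->LAN tcp 198.51.100.7 -> 192.168.1.10:21 deny
<134>Dec 20 10:01:15 prestige firewall: WAN->LAN tcp 203.0.113.9 -> 192.168.1.10:25 permit
<134>Dec 20 10:02:40 prestige firewall: WAN->LAN udp 198.51.100.7 -> 192.168.1.10:161 deny
<132>Dec 20 10:03:01 prestige content: 192.168.1.20 http://www.example.com/games/ block
"""

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$")
FW_RE = re.compile(
    r"^(?P<dir>\S+) (?P<proto>\w+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<action>permit|deny)$")


def parse_syslog(line):
    """Split one syslog line into its fields; PRI decodes to facility and severity."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["facility"], rec["severity"] = divmod(int(rec.pop("pri")), 8)
    return rec


def firewall_denies(text):
    """Count WAN->LAN denies per source address over all firewall-tagged lines."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_syslog(line)
        if rec is None or rec["tag"] != "firewall":
            continue
        fw = FW_RE.match(rec["msg"])
        if fw and fw["action"] == "deny" and fw["dir"] == "WAN->LAN":
            counts[fw["src"]] += 1
    return counts


def noisy_sources(text, threshold=3):
    """Sources that hit the inbound deny rules at least `threshold` times."""
    return sorted(src for src, n in firewall_denies(text).items() if n >= threshold)


if __name__ == "__main__":
    print(firewall_denies(SAMPLE_LOG))
    print(noisy_sources(SAMPLE_LOG))
```

The threshold is deliberately a parameter: a single deny is background noise on any WAN link, while the same source touching several closed ports in a minute is the pattern a daily review (or an alert rule on the Syslog host) should surface.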
Given the ZyXel Prestige 652's features and price, it's almost certainly overkill
for a typical home or home office deployment. Because you might need to use
the menu or command line methods for some configuration, it's not necessarily
the product for neophytes or those who want a "plug it in and go"
solution. But for strong security, logging, and alert features it's a good choice
for a small and growing business.