Symantec Gateway Security 360R
Author: Ronald V. Pacchiano Review Date: 8/5/2004
Model number: SG360R
Secure wireless VPN solution
Unique Anti-Virus Policy Enforcement
Dual WAN Port and backup serial connectors
Expensive for all the bells and whistles
Limited Content Filter
No support for WPA
The Price of Protection
Symantec's philosophy is to do security right rather than follow the pack. While this is a commendable approach, the cost of doing it right often is not cheap. Small businesses that have been getting by on security software designed for home users might be a bit surprised at the expense involved in creating a proper network environment.
This brings us to the subject of this review: The Symantec Gateway Security 360R is a high-performance, low-maintenance firewall designed specifically for small businesses. The packaging of the 360R, the flagship of Symantec's 300 series of Gateway Security product line, is ultra modern. It's very thin and flat with a fancy aluminum top plate and black trim. It immediately gives you the impression that this is a serious piece of networking equipment — but, as we'll discuss later, that comes at a serious price.
The 360R isn't just a pretty face. It also packs impressive features such as a Stateful Packet Inspection (SPI) firewall, IPsec VPN gateway support, intrusion detection and prevention, content filtering and a unique anti-virus policy enforcement mechanism.
The 360R has no license requirements for the number of users that can be online at any time. It's equipped with dual WAN ports for bandwidth aggregation (i.e., combining the bandwidth of two ISPs) and also supports load balancing. In case of an ISP service failure, the unit has a built-in serial port for backup to an analog modem or ISDN line.
If you want wireless access, the 360R can be upgraded to a high-speed 802.11b/g VPN-secured wireless access point. Unlike Internet usage, however, VPN access does require a license for each user. To that end, the 360R includes the Symantec Client VPN v8.0 software and comes with a 10-session client-to-gateway license. However, it can also function as a less-secure WEP access point.
The 360R can support a recommended maximum of 15 VPN tunnels. Symantec also recommends having no more than 75 total users on the gateway. Firewall throughput speed is about 60Mbps. An integrated 8-port 10/100 switch makes it easy to get your network connected. LAN switch VPN authentication can even be enforced on a per-physical port basis.
The Price to Go Wireless
On the surface, the 360R sounds like it would be the perfect addition to a small business' network. However, as mentioned earlier, its features come at a price. Let's start with the cost of the unit itself. The MSRP is around $759. I've seen it for sale online in the high-$600, low-$700 range.
To upgrade the unit to wireless access point status will cost you about $249. Once the access point (basically a PC Card) is inserted into the 360R, a new wireless menu is added to the configuration interface. You then configure it just as you would almost any other access point.
However, there are a few things about Symantec's implementation of the wireless access point that are troubling. First of all, the system supports WEP encryption, but not the newer, more secure WPA. Nor does it support MAC address filtering.
Symantec says it doesn't support these security methods because they can be easily circumvented and offer users a false sense of security. Its IPsec-based VPN authentication is much more secure and almost as easy to implement, the company says. Fair enough. However, since each VPN user requires a license and the total number of VPN tunnels supported is limited, I would have appreciated at least having the option of implementing either WPA and/or MAC filters. Also, to be Wi-Fi Certified by the Wi-Fi Alliance, products now have to support WPA.
Another thing I found unusual about the Symantec configuration was that in order to configure the encryption key to use HEX numbers, you're required to place a "0x" at the beginning of the key. So, for example, if your key was "1234567890," you'll need to enter it as "0x1234567890" for it to be recognized as a HEX key. This could be confusing to some people or simply overlooked during the setup. Why the HEX option wasn't available as a drop-down menu option, as it is with everyone else, is beyond me.
Lastly, $249 just strikes me as a lot of money for an access point; especially on top of the $700 I already spent on the Gateway itself. $149, maybe $179 would make it much more palatable.
If you choose to implement Symantec's VPN solution for your wireless access, you should be aware that it is going to cost you more than the price of the access point option. As I mentioned before, the unit supports a recommended maximum of 15 VPN connections and it comes with a 10-session client-to-gateway license. Granting those last five users access to a VPN connection is going to cost you about $200. Personally, I don't understand why vendors (and not just Symantec) feel the need to charge you more money just to use something you've already paid for. If it supports 15 users, then the price should include a 15-user license.
Stopping Viruses in Their Tracks
The anti-virus policy enforcement feature works by monitoring local hosts and remote VPN clients and verifying that they are using the appropriate AV software (version, definitions and so on). If not, it will either log a warning or just outright block them from gaining access to the network. This is a cool feature because it prevents someone on your staff from attaching an unauthorized system to your network, minimizing the chances of infection.
The anti-virus policy enforcement feature works in conjunction with your anti-virus software. If you are using a package like Symantec's Anti-Virus Corporate Edition, which has a parent server and managed workstations, the 360R will continually monitor the server to verify that all of the clients are in compliance with the current security settings.
In an unmanaged environment (one without a parent server), Symantec gives you a utility to install on one of your workstations, which essentially makes it the parent server and uses it as a baseline for maintaining compliance standards. The computer you assign to this server role will need to remain on at all times for anti-virus policy enforcement to be effective.
Sounds good, right? Well, here's the catch. In order for you to take advantage of this functionality you need to be using a compatible anti-virus package. If you invested in Norton Anti-Virus (any version) before you purchased the 360R, you'd be out of luck. It's not compatible. The only products that can take advantage of this feature are the Symantec-brand anti-virus and client security products. The most inexpensive package would be the five-user version of the Symantec Client Security package at a price of about $320.
The reason for this, Symantec says, is that it wants its business customers to use software specifically designed for a business environment. While I agree that this is the preferred situation, if you already had a significant investment in another anti-virus package, you might not be so willing to walk away from it and potentially spend thousands more for something that will essentially do the same thing. I can understand Symantec not supporting McAfee or one of the other competing anti-virus vendors, but they should at least support Norton products.
Finally, the 360R comes with Symantec's 90-day Silver Support package. This gives you three months of access to Symantec's technical support staff during normal business hours. After the 90 days, Symantec highly recommends you upgrade your service to the Gold Support Package for a full year at a cost of $179 ($149 for other 300 series models).
With all of the extra expenses the 360R incurs, one that I wouldn't have complained about paying for is a subscription to maintain the content filter. In order for a content filter to be effective, it needs to maintain an up-to-date listing of all of the questionable or offensive sites on the Web. A good content filter subscription will block sites based on numerous variables (questionable site content, specific site names, category and so on).
Regrettably, Symantec's content filter is just a simple static URL list that allows you to block or allow up to 100 sites. Each entry needs to be manually entered into the gateway. This is not only time-consuming, but leaves plenty of room for error. As far as content filtering is concerned, offering a subscription service would have made more sense.
So let's recap: If you wanted to take advantage of all of the 360R's features, you would pay the following:
Approximately $700 for the 360R
$249 for the Wireless Access Point
$199 for the Additive 5-session Client-to-Gateway license ($299 for 10, $399 for 25)
$320 for the 5-User Symantec Client Security package and
$179 for the Gold Support Package
That brings the grand total to $1,647.
Worth the Money?
Committing to the 360R is by no means an inexpensive proposition, but it's not unreasonable. Most of the competitors in this market segment will charge you a lot more for the type of features found in the 360R. User licenses alone can easily run into the thousands. So, unquestionably, there is value here.
Appreciating that value might be a hard sell for small business owners who don't understand the nuances of network security and who might be somewhat shell-shocked by the price — particularly when they compare it to the $100 wireless Linksys router they picked up at the local CompUSA for their home office.
So How Did It Work?
Typically, installing a router is pretty simple — at least to achieve basic functionality. Configuring the 360R is similar to other routers. DHCP is enabled by default, so you just attach it to your network and point your Web browser to the unit's IP address. A wizard will then guide you through the unit's basic configuration. The Web interface is relatively easy to navigate, but with its stark colors and detailed options it can be a bit intimidating for anyone other than an IT professional.
When we first installed our test unit, it would run fine for the first few minutes, but shortly thereafter, it would completely lose all network connectivity. The only way to correct the problem was to reset the unit to the factory defaults. A phone call to Symantec revealed that the 360R was suffering from a compatibility problem with some older Cisco products, like our Cisco 1700 series router.
To solve the problem, Symantec sent a beta version of new firmware (v2.1.0 Build 505) to correct the issue. It seemed to have worked. Shortly after the upgrade, our test system started performing as we had expected. That firmware build should be posted on Symantec's Web site in a few weeks, but if you experience this problem beforehand, the company says it will send you a copy of it.
Once the unit was up and running again, it performed as we originally anticipated. Network performance was good, users had no problem gaining access, the wireless connection never dropped and we even established a stable site-to-site VPN tunnel between two offices. One was equipped with the 360R, the other the SonicWall Tele3.
The Product Is Right, Is the Price?
With the 360R, Symantec does network security right. Trying to get small business owners with limited budgets to buy into that philosophy might be another story. Not many small business owners appreciate the need for this level of security or understand the cost and discipline it takes to keep a network safe.
In the end, though, if you use the Symantec Gateway Security 360R as it is intended, it will protect your network and go a long way towards helping you establish good networking policies and practices for your staff.
While the price may seem high, it offers good value for the money. Its vast feature set is impressive. If you need to support remote users and locations, a secure VPN solution is a great thing to have.