Buffalo AirStation 125* Hi Speed Mode Wireless Router With AOSS
Author: Joe Moran Review Date: 8/19/2004
It should come as a surprise to no one that the number of WLANs has exploded over the past several years, and wireless networks continue to spread thanks to inexpensive and ubiquitous equipment. However, people setting up these networks very often get the equipment functional and then call it quits. As a result, many networks operate without any wireless security configured, either because of ignorance of the risks or an unwillingness to endure potential configuration hassles.
Buffalo aims its AirStation WHR3-G54 with the AirStation One-Touch Security System (AOSS) feature squarely at this issue, aiming to make configuring wireless security so easy and unobtrusive that all it requires is the press of a button (which happens to be located on the side of the router -- more on that in a bit).
Inside and out, the new WHR3-G54 has been refreshed -- Buffalo has given the new model a slight makeover, but it retains the same basic design as the prior model. Gone is the old oddly ovoid shape, replaced by a clean vertical rectangle. The LAN port status lights have returned from their exile on the broad side of the unit -- they're now easily visible along with the other indicators, integrated into an attractive light bar on the front.
Other little examples of Buffalo's attention to design detail abound -- the G54's external MC antenna connector sits behind a protective sliding door that's much easier to open than the previous model, and the router's removable base doesn't need to be removed to view the unit's MAC addresses, now that it's been hollowed out.
On the software side, the interface has been cleaned up a bit and aesthetically enhanced, making it easier to look at and navigate than prior iterations. On the other hand, many of the configuration pages are still quite busy. Many configuration parameters and their various options are displayed whether they're enabled or not, making it more difficult to focus on and configure those specific settings you're interested in.
All in all, the G54 improvements are not a night and day difference, but it's at least night and dawn.
Initial setup of the G54 is fairly simple and straightforward, particularly if you use one of the setup wizards (one for DSL connections, one for cable) that get the connection up and running for you. Neither gives you the opportunity to configure any optional settings other than whether or not the DHCP server is enabled, so most people will have to delve deeper into the configuration interface to some degree.
The AirStation G54 gives you a fairly extensive degree of control over wired and wireless settings, providing useful features like transmitter power control (in 25% increments) and privacy separator, which keeps wireless clients segregated from each other. Helpfully, the G54 also provides extensive intrusion detection capability, with e-mail alerts and pop-up notification via the Buffalo Client Manager software.
The G54 also supports all major forms of wireless encryption, from WEP to WPA with either TKIP or AES encryption. When using TKIP encryption, the unit gives you a choice of using either hardware- or software-based encryption. If you choose the latter, the G54 can accommodate 50 clients -- if the former, a mere 12. The G54 also supports pass-through authentication via a RADIUS server.
The point of the AOSS feature is to free the user from having to be concerned with such matters as encryption methods. In order to connect an AOSS-enabled Buffalo client to a compatible router, you first press the router's AOSS button for 3-5 seconds, which illuminates a flashing amber indicator on the unit. This puts the router into "AOSS mode," during which it can accept configuration requests from AOSS clients.
AOSS lets the router specify to the requesting client all the encryption settings that the router and client can mutually support, which the client then uses to configure itself automatically -- a randomly-generated SSID and encryption key are used.
I tested AOSS with a Buffalo WLI-CB-G54S CardBus card. After clicking the AOSS button in the client software, an automated wizard appeared which went through approximately 90 seconds of machinations without any input from me before bluntly responding that the wireless connection had failed. Despite the unhappy message, however, the wireless connection had not failed, and within a few seconds the client had full wireless connectivity over an AES-encrypted connection.
There are some practical limitations to consider when using AOSS. The AirStation G54 can't configure multiple AOSS clients simultaneously (though 24 total clients are supported), so they'll need to be added to the network one at a time. The AOSS process also can't be initiated solely from the client -- you must first press the button on the router to enable AOSS mode. This precludes you from physically securing (or obscuring) the router from users at your location that want to connect to your network using AOSS, but it also makes sense in order to prevent unauthorized AOSS clients from attempting to connect.
The price of convenience is often paid in flexibility, and it's a good idea to put some thought into WLAN configuration settings prior to enabling AOSS. This is because there are few -- if any -- settings that can be changed without deleting the router's existing AOSS information and starting over from scratch by reconfiguring all the clients, one at a time. Even settings that would ostensibly have nothing to do with encryption (like channel selection) seem to be locked down once there's an AOSS client on the network.
On the other hand, there are other aspects to the AOSS system that are quite ingenious. When a client is initially configured via AOSS, it is given encryption keys for all four methods supported -- WEP64, WEP128, TKIP, and AES -- irrespective of which method is initially chosen. The keys are stored on the system in advance, so that if it becomes necessary to manually change the encryption method later (say, to accommodate a non-Buffalo/AOSS device) all you have to do is change the encryption method and the appropriate key is automatically activated on the client. This worked very well, as changing the encryption method resulted in only a momentary interruption in connectivity as the router and client got on the same page.
Similarly, should an AOSS client come on board that doesn't support the encryption method currently in use, the router will step the network down to the highest universally supported form of encryption.
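The step-down behaviour described above, modelled as an added example (this is not Buffalo's code or the AOSS protocol itself; the class, function names and sample clients are constructed for illustration). It shows how one legacy client caps the encryption method for every device on the network, and how to identify which client is responsible.

```python
import secrets
import string

METHODS = ["WEP64", "WEP128", "TKIP", "AES"]   # weakest first, as named in the review
WEP_KEY_BYTES = {"WEP64": 5, "WEP128": 13}     # 40-bit and 104-bit WEP keys
PSK_ALPHABET = string.ascii_letters + string.digits


def rank(method):
    return METHODS.index(method)


class Router:
    """Constructed model of the enrolment behaviour described in the review."""

    def __init__(self):
        self.ssid = secrets.token_hex(8)       # randomly generated SSID
        self.keys = {}                         # one key per method, created in advance
        for m in METHODS:
            if m in WEP_KEY_BYTES:
                self.keys[m] = secrets.token_hex(WEP_KEY_BYTES[m])
            else:                              # 63-character WPA passphrase
                self.keys[m] = "".join(secrets.choice(PSK_ALPHABET) for _ in range(63))
        self.clients = {}                      # client name -> supported methods
        self.active = METHODS[-1]

    def enrol(self, name, supported):
        """Add one client; return (active method, True if the network stepped down)."""
        supported = set(supported) & set(METHODS)
        common = set.intersection(supported, *self.clients.values())
        if not common:                         # nothing every device can speak
            raise ValueError(f"{name}: no method shared with the existing clients")
        self.clients[name] = supported
        before, self.active = self.active, max(common, key=rank)
        return self.active, rank(self.active) < rank(before)

    def limiting_clients(self):
        """Clients that support nothing stronger than the active method."""
        if self.active == METHODS[-1]:
            return []
        return sorted(n for n, s in self.clients.items()
                      if max(map(rank, s)) <= rank(self.active))


def demo():
    router = Router()
    steps = [router.enrol("laptop", METHODS),                       # constructed clients
             router.enrol("bridge", ["WEP64", "WEP128", "TKIP"]),
             router.enrol("old-pda", ["WEP64"])]
    return steps, router.limiting_clients()
```

In this model, enrolling the WEP64-only device moves the laptop and bridge to WEP64 as well, so checking the active method after each enrolment is the point at which a downgrade is caught.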
In addition to the WLI-CB-G54S, Buffalo includes AOSS capability for various other client devices, including PCI, USB, and wireless Ethernet clients, along with certain other wireless router models. Clients that are considered standalone, like wireless Ethernet adapters and bridges, sport an AOSS button on the hardware just like the routers do. Any device that works in conjunction with a PC, like a CardBus, PCI, or USB adapter, needs the Buffalo client software in order to enable AOSS connections.
The requirement for client software means that on Windows XP, the Wireless Zero Configuration (WZC) feature and AOSS are mutually exclusive. Buffalo says AOSS will work with any older Buffalo clients that are compatible with the Client Manager.
A caveat: I was initially unable to install the WLI-CB-G54S client software due to an odd problem with the driver CD. The CD was readable, but files and programs on it refused to execute. Buffalo was aware of the problem and has since replaced the defective CDs, but if you experience this problem you'll need to download the software from the Web site or contact the company for a new disc.
Once a client has been configured with AOSS, its information is stored in the router's database in non-volatile memory, so a router reboot or power interruption will not require the client to go through the AOSS process anew.
Obviously, the AOSS feature won't work with non-Buffalo clients, but that doesn't mean that such clients are barred from joining the network. Once the network has been configured via AOSS, it's easy enough to consult the router administration interface to see what type of encryption is being used. On the WLAN security page, however, the specific encryption key is obscured, just as it would be in a conventional configuration. You can view the encryption key used on the G54's AOSS configuration page (a strong administrative password is recommended), and then enter it into any non-Buffalo client to add it to the WLAN. You'll probably want to copy and paste from a text file, though -- in the case of a WPA pre-shared key, AOSS configured a full 63-character passphrase, which is neither fun nor easy to try and type error-free once, much less twice.
The WHR3-G54 uses a Broadcom WLAN chipset, and thus supports the so-called 125 High-Speed Mode (maybe that's why there's an asterisk in the product name?) which is supposed to provide throughput equivalent to a 125 Mbps 802.11g signaling rate, or about 34 Mbps in the real world. At close range, I saw only 29.3 Mbps using AES encryption, and about 27.9 Mbps using hardware TKIP.
All in all, AOSS proves to be a pretty useful and easy-to-use feature, and it should entice people to enable security on wireless networks where they might not otherwise. Of course, you get the full benefit of AOSS when you're exclusively using supported Buffalo clients, but the system is flexible enough to let you add third-party adapters without going through any more hassle than you would on a non-AOSS network. If you want to maintain a wireless network with a maximum of security and a minimum of grief, the Buffalo WHR3-G54 with AOSS is a fine choice.