When hotshot road warriors from big companies travel on business, they're able to use any Internet connection to log in to their office LAN through a virtual private network (VPN), an encryption-protected tunnel through the Internet to their office. The VPN link lets them gain access to all the data and programs on their desktop computer as if they were in the office—and all the data flowing back and forth over the link is encrypted, making it impossible for hackers to decipher it.
Now employees in small and home offices and the self-employed can get the same convenience and security when accessing their desktop computers from the road, and also have a blazing fast wireless network in the office. Buffalo Technology of Austin, Texas, started shipping its AirStation 125 High-Speed Mode (HSM) Wireless Secure Remote Gateway ($200) late last year. The product does everything a commodity home Wi-Fi gateway does, plus it functions as a relatively easy-to-set-up VPN server.
The G54 (for short) is a WLAN access point that uses Buffalo's proprietary 802.11g-based network acceleration technology, delivering a theoretical top speed of 125 Mbps over links with devices equipped with a 125* HSM network interface card (NIC). It's a gateway that provides all the NAT (Network Address Translation), firewall and DHCP (Dynamic Host Configuration Protocol) services needed to distribute high-speed cable or DSL Internet service to all the computers on your network.
It also has four 10/100-Mbps Ethernet ports for connecting wired devices, and it uses Buffalo's AirStation OneTouch Secure System (AOSS) for automating secure set up of computers on the network.
The VPN functions are what set this product apart. They also make it somewhat more difficult to set up, however. The Buffalo unit goes some way towards removing the complexity inherent in VPN, but doesn't go as far as it might—although the company says it will be making improvements in this area.
The first snag, especially for home office workers, will be the problem of dynamic IP addresses. The VPN client software on your laptop must be able to find your router on the Internet to make a connection. In the simplest scenario, your ISP assigns you a fixed IP address and you enter that address in the Windows VPN client software.
The trouble is, many residential high-speed access services dynamically assign addresses from a DHCP server. You may retain the same address for a long time, but it will eventually change—when you reboot your broadband modem or your router, or when the ISP's system goes down and comes back up again. If it changes without your knowing, the VPN client software on your laptop will have no way to find the router when you're out on the road.
The solution is a dynamic DNS (Domain Name System) service. The Buffalo product supports both the free service from DynDNS.org and a paid service from TZO. Both work in fundamentally the same way, and while they're not rocket science, both add an extra layer of complexity.
The service provider assigns you an easy-to-remember, password-protected address—yourname.gotdns.com, for example—and associates it with the IP address assigned by your ISP. Whenever the IP address changes, the Buffalo router automatically sends the new address to the DNS service provider and it updates your account.
So now you don't need to know the current IP address of your router. You can enter the easy-to-remember address from the dynamic DNS service provider into the VPN client on your laptop, and when you attempt to make a connection, the request is routed through the service provider, which looks up the current IP address for your router and routes your request to it. Connection made!
The TZO site includes a tutorial co-developed with Buffalo that explains the process in detail. TZO also provides technical support and allows you to use an existing domain name if you have one—but it charges for these services. The DynDNS site, on the other hand, is not terribly helpful, but the service is free.
The Buffalo tech support rep I talked to was able to walk me through the process of signing up with DynDNS, but admitted that not all of his colleagues would be able to do the same. He told me the company is developing a tutorial on dynamic DNS that it will include in future editions of the G54 manual.
Setting up the VPN software on the router and on the client device was relatively simple. As with most Wi-Fi routers, you use a browser-based interface to configure the unit.
To set up the VPN service, go to the Advanced settings, select WAN Settings and then PPTP Server Settings, click in the Enable radio button, enter the local IP address of the router (192.168.12.1 by default) and a range of local IP addresses of devices you want to be available over the VPN link. Then click the Add New User button and enter a user name and password. This is the user name and password you'll use when logging in to the VPN connection from the road.
On a client device running Windows XP, you can use the New Network Connection wizard in Control Panel/Network Connections to set up a VPN connection. Select Connect to the Network at My Workplace on the first panel, then click the radio button for Virtual Private Network connection on the next one. In succeeding panels, you enter a name for the link—Home, for example—then an IP address or the host name from your dynamic DNS service provider.
When you click on the icon for that connection, either in Network Connections or on the desktop if you told Windows to create a shortcut there, it pops up a dialog in which you enter the user name and password you created earlier using the Add New User dialog on the Buffalo router. The Windows client software then negotiates a connection with the router.
Once a connection is made, you can open a browser and enter 192.168.12.1/hosts.htm in the address field to see a list of resources available over the VPN link—192.168.12.1 being the default IP address of the router on your local network. From here you can access file folders for which you have permissions and download files.
For each "host"—usually a PC—on your local network, you'll see a button on this page for Wake on LAN (WoL). Some PCs can be configured to start when you click this button on the remote computer, as long as they're plugged in and connected to the router by Ethernet cable. It doesn't work with wireless clients.
The remote computer sends a data packet over the Internet and through the router to that PC. The NIC, which remains powered on at all times, receives the packet and in response initiates the boot procedure. The host can be turned completely off. As long as it's plugged in to a wall socket, it will boot.
The PC must have an integrated NIC on the motherboard or a NIC and motherboard that both support WoL and are cabled together. It also requires an adjustment in BIOS to enable WoL.
Once connected over the VPN, you can also open the Windows Remote Desktop Connection client (All Programs/Accessories/Communications) and log on to any PC on the network that you've set up to accept remote connections. Then you will be able to take control of the computer as if you were sitting at it—and even pipe sounds from it to the one you're working on.
It took me a few tries to get the configuration items set correctly to allow me to take advantage of all of these features, but I was eventually successful.
As a Wi-Fi router, the G54 was straightforward enough to set up—although when you've done a few, it ceases to be a great mystery.
In initial tests over one problem link with a Netgear 54-Mbps 11g client, the Buffalo router, which has an integrated antenna, did not provide as good signal strength as the Netgear router I had been using. The client software typically reported a connection speed of 36 Mbps with the Netgear router. With the Buffalo unit, it sometimes reported 24 Mbps.
When I changed the NIC in the client device to a Buffalo 125* High-speed Mode card, the reported connection speed jumped—as expected—to 48 Mbps. This is still a far cry from the marketing speak of 125 Mbps, but an improvement over generic 11g gear. Plugging a Buffalo wireless indoor omni-directional antenna ($30) into the network card in the client produced a modest additional increase in reported connection speed to 54 Mbps.
The Buffalo AOSS technology automates the process of adding and configuring clients on the local network. You can even activate it by pressing the button on the side of the router. If you're using the G54 in a small office with five or more client devices and you're concerned about setting up the security features properly, this is probably a good feature to have, but for most home office users it's overkill.
Bottom line: The VPN and dynamic DNS features appear to work well, but you pay a hefty premium for them—Buffalo's WBR2-G54S AirStation 125* cable/DSL router with AOSS costs only $80. Still, if you need the VPN functionality, it's a smaller hit than some other options. Symantec's Gateway Security 320, for example, which provides many of the same features and is also aimed at small offices, costs $475.