Netgear Super G Wireless Router — Security Edition
Author: Joseph Moran
Review Date: 9/1/2005
Price: $99.99
Pros: includes one-year license for PC-cillin security suite; service-based parental controls
Cons: limited hardware/software integration
Security is an important part of any home network, but too many people often ignore it due to either ignorance or inconvenience. Addressing the problem, Netgear offers its new WGT624SC Super G Wireless Router — Security Edition, which combines a hardware firewall with a security software suite in the form of Trend Micro's PC-cillin Internet Security 2005 application.
The WGT624SC isn't the first broadband router to include a software firewall application, but two things set it apart from previous combos. For starters, you get a full, one-year license to Trend Micro's firewall rather than the typical 60- or 90-day trials. You also get a bit of integration between the hardware and software.
To set up the router you can use one of two wizards — one on the included CD and the other built into the router's browser-based administration console. (Advanced users can bypass the wizards and configure the unit conventionally by entering a specific URL into the browser.) In lieu of entering the unit's IP address, you can access the WGT624SC by typing either routerconfig.com or routerconfig.net into the browser. (Netgear owns both domain names and configures its products to respond to either URL.)
The router's WLAN function is turned off by default, and you must explicitly activate it during or after the initial setup process. This keeps you from unwittingly creating a wireless network without encryption (and may dissuade you from doing so intentionally).
A 54 Mbps, 802.11g device, the WGT624SC also supports the so-called 108 Mbps Super G enhancements that improve wireless performance when used with a compatible client adapter, and the unit also supports either WEP or WPA-PSK (Pre-Shared Key) to secure wireless communications.
Two distinct security software components come with the WGT624SC. One is a small dashboard application that takes the form of an Internet Explorer plug-in. You install it on all your computers, and it checks for possible security problems like spyware or Trojan software, active file and print sharing or known OS vulnerabilities. (Unfortunately, it also identifies cookies as spyware.)
Although you can view the results of the last scan on each machine in your network from any PC that has the dashboard installed, the ability to initiate scans remotely or schedule them to take place automatically would be even better. Netgear plans this capability for a future version, but for now, you can only initiate scans manually from a specific machine.
PC-cillin Internet Security 2005 is the real meat in the WGT624SC's software bundle, but it doesn't come with the router — you have to download it from Trend Micro's Web site. The download starts as a 60-day trial, but registering the router gets you a serial number you can use to extend the license for a full year. You get only a single PC license, but you can install the software on additional PCs for $20 each, which isn't a bad price considering the $40-to-$60 you would expect to pay for similar applications. The security suite includes all the necessary features, including anti-virus, firewall, a spyware scanner and spam control.
Of course, anti-virus software effectiveness decreases when it's not regularly updated. To help you keep all the copies of PC-cillin anti-virus fresh, the WGT624 admin console provides a status page that lists each client running PC-cillin and flags a system when its software or virus definitions are out of date.
It also lets you know when a system on your network doesn't have PC-cillin software. The status page is handy, but it has a few weaknesses. For example, it doesn't tell you if a PC has security software other than PC-cillin. And because it doesn't track the changes in DHCP address allocation, it sometimes indicates the presence of a system long after it has been removed from the network (or had its IP address changed).
Many broadband routers have the capability to control Web access by blocking a list of specific Web sites or URLs that contain specific keywords. However, at best this method provides imprecise and incomplete protection against potentially harmful material. In fact, the only way to get a comprehensive defense against child-unfriendly content is by subscribing to a service, such as the one included with the WGT624SC. The parental control feature is priced separately from the software and costs $29.95 for a year (one year's service is included with the WGT624SC). You can access this feature from the router's browser-based administration console.
By default, the WGT624SC (Parental Controls are a feature of the router, not the Trend Micro software) will block access to sites in a dozen potentially offensive categories, and maintain a tally of how many access attempts were made for sites in each category. You can modify the filters to include any or all of 40 other categories of information to which you may want to restrict access. (For example, you can block access to Real Estate sites if you're concerned about a housing bubble.) The controls can be configured to take effect according to a defined schedule, and you can bypass any blocked page by using an override password.
For more flexibility and fine control over Web access, you can set the Parental Controls to per-user mode, which lets you create individual accounts and create a customized access profile for each person. In per-user mode, the logs get correspondingly more detailed, indicating the account from which an access attempt originated.
Overall, the WGT624SC's content filters did a good job of identifying and intercepting Web pages, but they weren't perfect. For example, Chat/Instant Messaging is one of the categories you can choose to block. After doing so and launching the AOL Instant Messenger application, a browser window appeared implying that the service would be blocked. In spite of this, however, the AIM application worked normally. Netgear says that the filters aren't designed to block application traffic, only prevent access to Web pages. Similarly, the filters block only TCP port 80, so SSL-encrypted pages that begin with https:// (which use port 443) may not be recognized.
The integration between hardware and software with the WGT624 could be better — it's enough to provide information but not enough to automate housekeeping tasks like software updates. Still, when you consider the price of security software alone, the $99 WGT624SC represents a good value. Plus, $20 for each additional PC represents even more savings for households with multiple computers.
Joseph Moran is a regular contributor to PracticallyNetworked.com.