Linksys Wireless-G Broadband Router with SpeedBooster and SecureEasySetup
Author: Joseph Moran
Review Date: 12/1/2005
Model: WRT54GS (v3)
Price: $89.99 (MSRP)
Pros: Speeds up and simplifies setup of secure WLAN.
Cons: Security setup requires compatible client hardware; only supports the use of WPA Personal encryption when using SES.
Walk around your neighborhood with a wireless-enabled notebook, and you'll probably detect the presence of many wireless networks. You're also likely to find that many of them are unencrypted and open to use or abuse. It's a pretty safe bet that many of those unrestricted networks were left that way due to the difficulty, real or perceived, of configuring wireless encryption.
Linksys is aiming to remedy this problem and increase the number of secure networks with the SecureEasySetup (SES) feature now available on a number of the company's products, including the WRT54GS router (hardware version 3), an 802.11g device provided to us for testing. SES is also available on the WRT54G (which lacks the SpeedBooster feature) and the WRT54C compact router.
The idea behind SES is fairly simple. Rather than forcing the user to concern him or herself with the details of a router's security configuration, SES allows you to configure the SSID and encryption keys on both the router and the client with the press of a button (two buttons, actually: one on the router and one on the client).
SES is actually a technology developed by Broadcom, the vendor that supplies the chipset found in the WRT54GS and many other Linksys products. The technology is similar in concept to AOSS (AirStation One-Touch Security System), which Buffalo Technology introduced last year. Although Buffalo products also use Broadcom chipsets, AOSS was developed by Buffalo itself. Broadcom also is responsible for the SpeedBooster feature.
On the outside, the SES-enabled WRT54GS looks almost identical to its predecessors. The only new characteristic is that the device's Cisco logo (Linksys is a division of Cisco) is actually a lighted button that initiates the SES process. This logo glows orange when you first power on the router (and SES is inactive), and white when SES is functioning.
The setup wizard included with the WRT54GS caused some problems during the install process. When the wizard was executed, an error message appeared advising that the router's "drivers" did not support SES. This was in spite of the fact that the wizard prominently displayed the SES logo. It prompted me to click a button to begin an upgrade process to enable SES. Doing so inexplicably launched a generic Broadcom WLAN client utility installation routine from the CD, and after a reboot, the exact same sequence of events happened again. Despite this hiccup, I was able to bypass the setup wizard and get the router up and running manually, and upon doing this discovered that, as suspected, the router was in fact SES-capable.
To take advantage of SES, you must use a client adapter that's also SES-capable, like the WPC54GS CardBus adapter (Linksys also offers SES-compatible PCI and USB adapters). After a press of the router's SES button, which causes the logo light to blink white, you click the corresponding button on the client hardware. Well, the clients don't actually have physical buttons; you instead click a button provided in the devices' client software interface. This starts the SES negotiation process between the two devices.
After about 15-20 seconds, the logo light changes from blinking to solid white, and the connection is established. We tried this process repeatedly, and it worked flawlessly each time. Although you can only add one client at a time with this method, you can repeat the process as many times as necessary to add additional clients.
The WRT54GS supports a range of wireless encryption options, including WPA Enterprise (a.k.a. WPA-RADIUS) and the more recent WPA2, but when you use SES to configure your wireless network, it's automatically set up to use WPA Personal encryption and the TKIP algorithm (though AES is also supported).
After setting up your first client via SES, the SSID and WPA key are displayed for you to print or save as a text file. This information can be used to manually configure any non-SES clients on the network, provided that they also support WPA Personal. We were able to successfully add third-party clients to an SES network this way, but if you have any clients or operating systems that lack WPA support, you can't use SES at all.
Once a router has been set up via SES, it's essentially acting as a normal router, so you are still free to access the unit via the administration console and view or modify any configuration setting (including the SSID and encryption key) even while it's operating in SES mode. Just like a conventional router, should the device temporarily lose power, it retains its SES-configured information, so you don't need to reconfigure your clients. If you do want to disable SES, holding down the router button for five seconds will do the trick, though the next time you activate it, your SSID and encryption key will have changed, requiring you to reconfigure any non-SES clients.
Not a Panacea
SES greatly simplifies the setup of a secure wireless network and the process of adding clients to it, but it doesn't cover all aspects of security, and so it doesn't quite absolve you of all responsibility regarding security. For example, it doesn't disable the SSID broadcast, which is generally considered a helpful (albeit modest) security measure. It also doesn't enable MAC filtering or force you to change the router's default administrator password. These tasks will have to be performed manually in order to achieve comprehensive security.
If you have existing Linksys WLAN hardware, you may be able to upgrade it to include SES. Linksys is retroactively adding the feature via firmware to a number of their Broadcom-based products, so check the company's Web site for your specific model and hardware version. This means limiting yourself to products from a single vendor, however; not exactly what we're supposed to be striving for in this world of interoperability. If you have the patience to hold out for a couple of years, the Wi-Fi Alliance is cooking up something similar to SES for future Wi-Fi products from multiple vendors -- but if you've got some sensitive data, or a desire to keep your broadband to yourself, don't wait.