D-Link NetDefend DFL-CPG310 Security Appliance
Author: Aaron Weiss Review Date: 5/16/2006
The modern networked office requires a certain degree of vigilance, and not just against midnight burglars. Thanks to growing network security consciousness, you probably already have a router firewall on your broadband connection and anti-virus software on all of your PCs. The D-Link NetDefend DFL-CPG310 bundles these with wireless security, VPN and many other network safety and management features, wrapping them all up into a "UTM" or Unified Threat Management appliance.
With a list price of $499.99, how does the NetDefend CPG310 differ from a typical small office router/firewall? What does a price tag nearly five times that of most wireless-G routers really buy?
Wireless Router with Failover and Print Server
The DFL-CPG310 connects your LAN to the Internet as a router. It features four wired Ethernet ports and supports 802.11b/g wireless clients. You can connect clients with G, Super G or XR support to the CPG310 for speeds up to 108Mbps. These features alone are common on many SOHO routers.
Going beyond the average router, D-Link has added dual WAN ports for Internet failover. If your office has access to two broadband connections, for example cable and DSL, you can connect both to the CPG310.
The router also includes a serial port that can connect to an external dial-up modem. Should any one connection fail, the router can automatically fail over to a working one, preventing any disruption in Internet connectivity. For some businesses this safety net could be critically valuable; for others, overkill.
With the $499 "PowerPack" software upgrade, multiple NetDefend routers can failover to one another.
The CPG310 supports WEP and WPA encryption as well as RADIUS authentication with or without encryption. You can also limit connected clients to an approved MAC address list.
Unlike more basic routers, the CPG310 isolates the wireless LAN from the wired LAN. Each must reside on a separate local IP subnet. By default, the wireless LAN cannot even access the router's administration interface. Out of the box, the CPG310 prefers security over convenience.
The appliance also features a USB print server that lets you connect any USB-capable printer and share it within your LAN or across the Internet.
QoS Traffic Shaping
Quality-of-Service, or QoS, lets you classify different kinds of network traffic and assign each class a priority. The CPG310's support for "traffic shaping" is more sophisticated and configurable than the simplified versions found in some cheaper SOHO routers. By default the router includes four traffic priority classes ranging from low priority to urgent. Using firewall rules, you can quickly classify specific applications.
A typical QoS configuration, for example, would assign VoIP traffic to the "urgent" class and outgoing e-mail to the slower "low priority" class. The CPG310 lets you assign a maximum traffic rate for both upstream and downstream QoS. Creating your own traffic classes in addition to the four defaults is only possible with the PowerPack upgrade.
Firewall and SmartDefense
The CPG310 includes a highly configurable firewall. Its most basic configuration is a simple slider with three levels of protection: high, medium and low. Each preset allows and disallows particular kinds of traffic. At its lowest setting the firewall allows all outgoing traffic from the LAN; at its highest setting, only major network services such as Web, e-mail, FTP and VPN are allowed.
You can customize the firewall well beyond these basic templates and allow incoming traffic to a list of common servers including Web, e-mail, telnet, FTP and VPN. For any application not on this list you can create custom rules. Rules let you block, allow and/or forward traffic for a network application. Unlike many less expensive routers, the CPG310 actually includes only a very short list of preconfigured applications. If you want to create a rule for an application outside this list, you need to know which ports it uses.
What really separates the NetDefend appliance's firewall from your garden-variety SOHO router is its so-called "SmartDefense" technology. As an SPI or stateful packet inspection firewall, the NetDefend goes beyond merely blocking or allowing network ports. It analyzes communication patterns over time to discern the "intent" behind the traffic.
For example, SmartDefense is aware of four types of Denial of Service (DoS) attacks. In a DoS attack, the attacker floods the router with traffic in an attempt to overload it and interrupt its normal functioning. A DoS attack is identified not simply by a certain kind of data on a certain port, but by a pattern of behavior. SmartDefense recognizes the pattern and can be configured to take actions, such as blocking and/or logging, when it is detected.
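To make the distinction concrete, here is an added example (written for this article, not D-Link or Check Point code, and not a description of how SmartDefense is implemented). It runs a stateless port filter and a simple stateful SYN-flood detector over a constructed packet list. The port filter happily passes a flood of SYNs because they target an open port; the stateful detector flags the source because it tracks half-open handshakes per source over a sliding time window. The window, threshold, addresses and packet timings are all illustrative assumptions.

```python
"""Stateless port filter vs. stateful flood detection (added illustration)."""
from collections import defaultdict, deque


def build_sample_packets():
    """Constructed sample traffic, not captured from any device.

    Each packet is (timestamp_seconds, source_ip, dest_port, tcp_flags).
    """
    pkts = []
    # A legitimate browser: three complete handshakes to port 80, one per second.
    for i in range(3):
        t = 0.5 + i
        pkts.append((t, "10.0.0.5", 80, "SYN"))
        pkts.append((t + 0.05, "10.0.0.5", 80, "ACK"))
    # A stray telnet probe to port 23 (a port-based rule catches this one).
    pkts.append((1.2, "198.51.100.9", 23, "SYN"))
    # A SYN flood: 50 SYNs to the open Web port in two seconds, never completed.
    for i in range(50):
        pkts.append((2.0 + i * 0.04, "203.0.113.7", 80, "SYN"))
    return pkts


def port_filter(packets, allowed_ports=frozenset({21, 25, 80, 443})):
    """Stateless decision: each packet is judged only by its destination port.

    Returns {source_ip: {"allow": n, "block": m}}.
    """
    verdicts = defaultdict(lambda: {"allow": 0, "block": 0})
    for _ts, src, dport, _flags in packets:
        verdicts[src]["allow" if dport in allowed_ports else "block"] += 1
    return dict(verdicts)


def detect_syn_floods(packets, window=1.0, threshold=20):
    """Stateful decision: count half-open handshakes per source over a window.

    A SYN adds a pending entry for its source; an ACK from the same source
    retires one (the handshake completed). Pending entries older than
    `window` seconds are dropped so the count reflects recent behaviour.
    A source is flagged once it holds `threshold` or more pending SYNs at
    the same time. Returns {source_ip: peak_pending_count} for flagged hosts.
    """
    pending = defaultdict(deque)  # src -> timestamps of unanswered SYNs
    flagged = {}
    for ts, src, _dport, flags in sorted(packets, key=lambda p: p[0]):
        q = pending[src]
        while q and ts - q[0] > window:
            q.popleft()  # too old to count as part of the current pattern
        if flags == "SYN":
            q.append(ts)
        elif flags == "ACK" and q:
            q.popleft()  # handshake completed: one fewer half-open connection
        if len(q) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged


if __name__ == "__main__":
    sample = build_sample_packets()
    print("Port filter verdicts:", port_filter(sample))
    print("Sources flagged as SYN flooders:", detect_syn_floods(sample))
```

Run it and the port filter reports every one of the flood packets as "allow" (port 80 is open) while blocking only the lone telnet probe; the stateful detector flags 203.0.113.7 alone, because it is the only source that accumulates unanswered SYNs, and never flags the browser whose SYNs are each followed by an ACK. That gap between "is the port open?" and "does this pattern look like an attack?" is the point of a stateful inspection feature, whatever the vendor calls it.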
VPN
Virtual Private Networks allow computers to connect with each other securely whether they are on the same LAN or halfway across the world. The CPG310 can be configured as either a VPN Server or Client. Most offices will set it up as a VPN Server, thereby allowing clients outside your network to securely connect to your internal resources such as e-mail, printers and shared files.
The router includes (both on CD and as a free download) the CheckPoint SecuRemote VPN client for both Windows and Mac OS X. Using this client either within your LAN or from a machine elsewhere on the Internet, you can create a completely secure VPN connection to the router.
The base CPG310 supports two VPN networks and includes a five-user license for the SecuRemote client software. Upgraded to the PowerPack, VPN support is bumped to 15 VPNs with a 25-user license for the client software. The PowerPack also increases VPN throughput from 20 to 30 Mbps.
Subscription Services
The CPG310 can be actively updated through D-Link's annual subscription service. The least expensive, at $99 per year, includes firmware and security updates, online and telephone support and dynamic DNS.
With dynamic DNS your router can post its current IP address to an online DNS service even if your broadband provider does not give you a static IP. Dynamic DNS is becoming a common feature on mid-range routers with far lower price points.
Anti-Virus
The CPG310 includes the VStream anti-virus scanner, which analyzes a variety of traffic including e-mail, Web and FTP on the fly for virus fingerprints. You receive an initial database of virus definitions as part of the included 90-day subscription to D-Link's anti-virus service.
A $299 per-year subscription to D-Link's anti-virus service buys you both security updates and support plus updated virus definitions. You can continue to use VStream anti-virus scanning without a subscription, but the router will not receive new virus definitions.
As D-Link notes, scanning for viruses at the network perimeter may not be complete protection. Because a virus can enter your network through other means (files on a CD, Zip disk or thumb drive, for instance), desktop anti-virus software is still prudent.
Web Filtering
Another $199 per year buys you access to the CPG310's Web-filtering feature. Less specifically a security defense, Web filtering lets you block LAN access to certain categories of Web content such as adult, gambling or Web-mail sites. In the workplace, content filtering is often used to "increase productivity" by reducing distractions.
As with most Web-filtering services, you have no control over which sites are included in the 30-plus categories. Nor can you create whitelists or blacklists to specifically include or exclude particular sites.
One Box Fits All?
With the NetDefend CPG310, D-Link certainly stuffs a lot of functionality into one box. The unit goes well beyond the basic router/firewall/wireless features found in most small office network appliances. Of course, it has a price to match.
Getting the most out of the CPG310 requires a reasonable level of networking knowledge. There are a couple of basic wizards included in the administration interface, but they merely brush the surface of this unit's features. Some features, such as QoS, involve settings spread across several categories. It would be nice if, for your $500, D-Link included a printed manual; a 485-page PDF file on the CD isn't quite the same.
Despite its broad array of features, the CPG310 could provide better performance on some of its basic offerings. Its wireless range, for example, is significantly more limited than the ZyXEL X-550 or Linksys WRT54G routers, both of which cost about $100.
Taking into account the extra $499 for the PowerPack upgrade and as much as $500 per year in optional subscriptions to keep the unit up to date, the NetDefend CPG310 is not just a security solution, but a serious financial investment. Its sophistication and price may well exceed the needs of many small businesses. Match the CPG310 with a medium-sized business, and now you're in business.