Not so long ago network routers were all rather the same, providing basic "Internet sharing" functionality. But as broadband use has become more popular for a wider variety of activities, today's routers often have specific personalities targeting one type of user or another.
Netgear's ProSafe FVG318 wireless router aims to find a niche somewhere between the typical home network and the security-conscious SOHO or small business user. With a street price between $115 and $120, the ProSafe costs about twice as much as a garden-variety router, but less than half as much as a full-featured "security appliance."
Out of the Box
The ProSafe FVG318 is noticeably larger than many routers. Its durable metal housing features an 8-port LAN switch, which accounts for its generous size. Netgear seems to be targeting the ProSafe at a medium-sized network that may need more than the usual four wired Ethernet ports in addition to wireless users. Note, though, that you can add a multiport switch to any router rather inexpensively to support a large number of wired clients.
On its rear is a single 5dBi antenna. Because it's detachable, the ProSafe can be connected to a more powerful antenna. But unlike some lower priced competitors, the ProSafe does not employ MIMO (multiple input, multiple output) technology to achieve best-in-class range and signal strength. It does support Super G technology with XR (or "extended range"), which can achieve a 108Mbps link with Super G-capable wireless clients.
When you first connect to the ProSafe's browser-based administration interface it doesn't require any login, so until you set an administrator password anyone who can reach the LAN side can reconfigure the router; do that before anything else. A wizard offers to guide you through network setup, including connecting to your broadband provider and setting up wireless security.
Like most broadband routers, the ProSafe can retrieve a DHCP-assigned IP address from your provider, be assigned a static address, or log in to a PPPoE server, which is typically used by DSL providers. You can configure the ProSafe to clone your PC's MAC address or, for that matter, manually enter any MAC address you want.
For users with dynamically assigned IP addresses, the ProSafe supports DynDNS.org, TZO.com, and Oray.net, three third-party services that keep a fixed hostname pointed at your changing IP address.
The wireless access point is disabled by default. Once enabled, you can configure several degrees of security. The ProSafe lets you disable broadcasting your network name, although most experts agree that this is not a useful form of security: the name still appears in the frames clients send when they connect, so any wireless sniffer sees it anyway. You can configure a "Wireless Station Access List," which is the ProSafe's name for a MAC address filter. Many experts also consider a MAC filter a weak form of security, because 802.11 frame headers, including the sender's MAC address, are sent in the clear even on an encrypted network; a passive sniffer can read which addresses are allowed, and an attacker can then masquerade under one of them.
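To make the point about MAC filters concrete, here is an added example (not code from this article or from Netgear) that parses raw 802.11 data frames and lists the stations exchanging traffic with a given access point. The frames and every MAC address in them are constructed for the example; in practice the input would come from a wireless card in monitor mode. Because the MAC header is never encrypted, this works just as well on a WEP or WPA network as on an open one.

```python
"""Added example: why a MAC-address filter is weak.

The 802.11 MAC header (source, destination and BSSID addresses) is never
encrypted, even on a WEP/WPA/WPA2 network, so a passive listener in monitor
mode can read which stations talk to which access point. The sample frames
and all MAC addresses below are constructed for the example.
"""
from typing import Optional, Tuple

TYPE_DATA = 2  # 802.11 frame-type value for data frames (0 = management, 1 = control)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_header(frame: bytes) -> Optional[Tuple[int, int, int, bytes, bytes, bytes]]:
    """Decode the fixed part of an 802.11 MAC header.

    Returns (type, to_ds, from_ds, addr1, addr2, addr3), or None if the frame
    is shorter than the 24-byte three-address header.
    """
    if len(frame) < 24:
        return None
    fc0, fc1 = frame[0], frame[1]        # Frame Control field, little-endian
    ftype = (fc0 >> 2) & 0x3             # byte 0 bits 2-3: frame type
    to_ds = fc1 & 0x1                    # flags byte bit 0
    from_ds = (fc1 >> 1) & 0x1           # flags byte bit 1
    return ftype, to_ds, from_ds, frame[4:10], frame[10:16], frame[16:22]


def station_and_bssid(header) -> Optional[Tuple[str, str]]:
    """Map a data frame's address fields to (station MAC, BSSID).

    Which field holds what depends on the To-DS/From-DS bits; 4-address WDS
    frames (both bits set) are skipped.
    """
    ftype, to_ds, from_ds, a1, a2, a3 = header
    if ftype != TYPE_DATA:
        return None
    if to_ds and not from_ds:            # station -> AP: addr1 = BSSID, addr2 = SA
        return mac_str(a2), mac_str(a1)
    if from_ds and not to_ds:            # AP -> station: addr1 = DA, addr2 = BSSID
        if a1[0] & 0x01:                 # group (broadcast/multicast) DA is not a station
            return None
        return mac_str(a1), mac_str(a2)
    if not to_ds and not from_ds:        # ad-hoc (IBSS): addr2 = SA, addr3 = BSSID
        return mac_str(a2), mac_str(a3)
    return None


def stations_for_bssid(frames, bssid: str):
    """Collect every station MAC seen exchanging data frames with `bssid`.

    On a MAC-filtered network every address returned here is, by definition,
    on the allow list, which is all an attacker needs in order to clone one.
    """
    found = set()
    for frame in frames:
        header = parse_header(frame)
        if header is None:
            continue
        pair = station_and_bssid(header)
        if pair is not None and pair[1] == bssid:
            found.add(pair[0])
    return sorted(found)


def build_frame(ftype: int, to_ds: int, from_ds: int, a1: bytes, a2: bytes, a3: bytes) -> bytes:
    """Build a minimal 802.11 frame for the sample capture (subtype 0, dummy body)."""
    fc = bytes([(ftype & 0x3) << 2, to_ds | (from_ds << 1)])
    duration, seq_ctl = b"\x00\x00", b"\x00\x00"
    return fc + duration + a1 + a2 + a3 + seq_ctl + b"\x00" * 8


# Constructed sample capture (all addresses are fictitious).
AP = bytes.fromhex("001122334455")        # the access point's BSSID in this example
STA_A = bytes.fromhex("66778899aabb")
STA_B = bytes.fromhex("aabbccddeeff")
OTHER_AP = bytes.fromhex("0a0b0c0d0e0f")
GATEWAY = bytes.fromhex("000000000001")   # DA for traffic headed to the Internet
BCAST = b"\xff" * 6

SAMPLE_FRAMES = [
    build_frame(0, 0, 0, BCAST, AP, AP),                     # beacon (management): ignored
    build_frame(TYPE_DATA, 1, 0, AP, STA_A, GATEWAY),        # STA_A -> AP
    build_frame(TYPE_DATA, 0, 1, STA_B, AP, GATEWAY),        # AP -> STA_B
    build_frame(TYPE_DATA, 0, 1, BCAST, AP, GATEWAY),        # AP broadcast: no station
    build_frame(TYPE_DATA, 1, 0, OTHER_AP, STA_A, GATEWAY),  # a different BSSID
    b"\x08\x01\x00",                                         # truncated frame
]

if __name__ == "__main__":
    print("stations seen on", mac_str(AP), "->", stations_for_bssid(SAMPLE_FRAMES, mac_str(AP)))
```

Run against the sample capture it reports both stations of the first access point and nothing for the broadcast, management, foreign-BSSID or truncated frames. Nothing here touches the encrypted payload; the filter is defeated purely by metadata the air carries in the clear.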
The strongest form of wireless security is encryption, and here the ProSafe offers a spectrum of choices. Traditional WEP encryption is available in 64- and 128-bit varieties. WEP is supported by the widest variety of wireless clients, but it is broken: its key can be recovered from captured traffic in minutes with freely available tools, so treat it as a compatibility fallback for clients that can do nothing better, not as protection.
For stronger security, the ProSafe supports both WPA and WPA2 encryption. Either can be used with a PSK (pre-shared key) or an external RADIUS server. In either mode you can enable WPA, WPA2, or both, for clients that may support one but not the other. With a PSK the network is only as secure as the passphrase, because anyone who captures a client's connection handshake can test guesses against it offline; pick a long, random one. Note that the ProSafe does not include its own RADIUS server.
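The following added example (again not the article's or Netgear's code) shows why the passphrase matters in PSK mode. It implements the standard passphrase-to-PSK mapping from IEEE 802.11i, PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations, and then runs a small offline dictionary check against the result. The demo SSID and wordlist are made up; the "password"/"IEEE" pair used in the test is the published 802.11i test vector.

```python
"""Added example: how a WPA/WPA2 pre-shared key is derived from the passphrase.

IEEE 802.11i (Annex H) maps the passphrase to the 256-bit PSK with
PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations). Standard library only;
the demo SSID and wordlist are constructed for this example.
"""
import hashlib
import time
from typing import Iterable, Optional


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 32-byte PSK for an ASCII passphrase and an SSID."""
    if not (8 <= len(passphrase) <= 63) or not passphrase.isascii():
        raise ValueError("passphrase must be 8-63 ASCII characters")
    ssid_bytes = ssid.encode("utf-8")
    if not (1 <= len(ssid_bytes) <= 32):
        raise ValueError("SSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32)


def guess_passphrase(target_psk: bytes, ssid: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary check: which candidate, if any, produces target_psk?

    This is the work an attacker does after capturing a client's 4-way
    handshake, which lets each candidate PSK be verified without talking to
    the access point. The SSID is the only salt, so a common SSID plus a
    dictionary word is the cheapest possible case.
    """
    for candidate in candidates:
        try:
            if wpa_psk(candidate, ssid) == target_psk:
                return candidate
        except ValueError:
            continue  # under 8 characters: cannot be a valid passphrase, skip it
    return None


def guesses_per_second(ssid: str, samples: int = 50) -> float:
    """Measure how many PBKDF2 derivations this machine does per second, single-threaded."""
    start = time.perf_counter()
    for i in range(samples):
        wpa_psk(f"candidate{i:04d}", ssid)
    return samples / (time.perf_counter() - start)


# Constructed demo data: a weak passphrase on a default-looking SSID.
DEMO_SSID = "NETGEAR"
DEMO_WORDLIST = ["letmein", "changeme1", "password", "NETGEAR1", "correct horse battery"]

if __name__ == "__main__":
    target = wpa_psk("password", DEMO_SSID)
    print("recovered:", guess_passphrase(target, DEMO_SSID, DEMO_WORDLIST))
    print(f"~{guesses_per_second(DEMO_SSID):.0f} guesses/s on this CPU")
```

Two things to take from it: the same passphrase yields a different PSK on a different SSID, so a unique SSID costs an attacker a fresh dictionary run rather than a precomputed one, and the 4096-iteration count was sized for 2004-era hardware, so only passphrase length and randomness keep the guess rate irrelevant.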
Firewalling and Filtering
The "Safe" in the ProSafe model line partly refers to its firewall and content filtering features. First and foremost, the ProSafe offers an SPI, or stateful packet inspection, firewall. The firewalls often found in less expensive routers are "dumb," or stateless: they judge each packet on its own, knowing only to block or allow certain ports and protocols.
In contrast, an SPI firewall keeps track of every connection passing through it, so it can tell a legitimate reply to a connection a LAN client opened from an unsolicited inbound packet that merely happens to use an allowed port. SPI firewalls like the one in the ProSafe are particularly effective at recognising port scans, SYN floods and similar Denial of Service (DoS) attacks, and other malicious traffic that would slip past a conventional port filter.
A traditional port-blocking firewall works in combination with the ProSafe's SPI awareness. You can define services based on their port and protocol, and apply rules to these services allowing or blocking them. Optionally, rules can be enforced according to a schedule, such as on weekdays or weekends.
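As an added illustration (a model written for this page, not Netgear's firmware), the example below puts a stateless port filter next to a stateful one over the same service and rule tables. The service names, rules, addresses, dates and the half-open limit are all constructed; the point is the state table, which lets the SPI version admit a DNS reply that no rule mentions while rejecting an ACK scan against a port a rule explicitly allows.

```python
"""Added example: a stateless port filter beside a stateful (SPI) one.
Illustrative model only, not Netgear's firmware. Service and rule tables mimic
the ProSafe's shape (port + protocol, allow/block, optional weekday schedule);
the state table is what stateful inspection adds. Addresses are constructed."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str                   # "in" (arriving from the WAN) or "out" (leaving the LAN)
    proto: str                       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}


# Services: name -> (protocol, server port), like the router's service table (constructed).
SERVICES: Dict[str, Tuple[str, int]] = {"http": ("tcp", 80), "dns": ("udp", 53), "smtp": ("tcp", 25)}
# Rules, first match wins: (service, direction, action, weekdays); None = every day, Monday = 0.
Rule = Tuple[str, str, str, Optional[Set[int]]]
RULES: List[Rule] = [
    ("http", "in", "allow", None),    # web server forwarded to a LAN host
    ("smtp", "out", "block", {5, 6}), # no outbound mail at the weekend
]
MONDAY = datetime(2024, 6, 3, 10, 0)   # fixed clocks so the demo is reproducible
SATURDAY = datetime(2024, 6, 1, 10, 0)


def stateless_filter(pkt: Packet, rules: List[Rule], now: datetime) -> str:
    """'Dumb' filtering: each packet is judged alone against port/protocol rules."""
    for service, direction, action, days in rules:
        proto, port = SERVICES[service]
        if pkt.direction == direction and pkt.proto == proto and pkt.dport == port:
            if days is None or now.weekday() in days:
                return action
    return "allow" if pkt.direction == "out" else "block"   # default policy


def _key(p: Packet) -> tuple:
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def _reverse(p: Packet) -> tuple:
    return (p.proto, p.dst, p.dport, p.src, p.sport)


class StatefulFirewall:
    """Tracks flows so replies are recognised and out-of-state packets are dropped."""

    def __init__(self, rules: List[Rule], half_open_limit: int = 3):
        self.rules = rules
        self.half_open_limit = half_open_limit   # crude SYN-flood guard, per destination host
        self.table: Dict[tuple, str] = {}         # 5-tuple -> "half-open" | "established"

    def _half_open_to(self, host: str) -> int:
        return sum(1 for (proto, _, _, dst, _), state in self.table.items()
                   if proto == "tcp" and dst == host and state == "half-open")

    def filter(self, pkt: Packet, now: datetime) -> str:
        if _reverse(pkt) in self.table:           # a reply on a flow we already accepted
            if pkt.proto == "tcp" and {"SYN", "ACK"} <= pkt.flags:
                self.table[_reverse(pkt)] = "established"
            return "allow"
        if _key(pkt) in self.table:               # more packets on a known flow
            return "allow"
        # New flow: TCP must begin with a bare SYN. A lone ACK (or SYN/ACK) with no
        # state behind it is a scan or a spoof, even on a port a rule allows.
        if pkt.proto == "tcp" and pkt.flags != frozenset({"SYN"}):
            return "block"
        action = stateless_filter(pkt, self.rules, now)
        if action == "allow":
            if pkt.proto == "tcp" and self._half_open_to(pkt.dst) >= self.half_open_limit:
                return "block"                    # too many unanswered SYNs at this host
            self.table[_key(pkt)] = "half-open" if pkt.proto == "tcp" else "established"
        return action


def demo() -> Dict[str, object]:
    """Run the cases the review contrasts and return the verdicts."""
    fw, out = StatefulFirewall(RULES), {}
    # 1. ACK scan at the forwarded web port: the rule says allow, the state table says no.
    ack_scan = Packet("in", "tcp", "203.0.113.9", 40000, "192.168.1.10", 80, frozenset({"ACK"}))
    out["ack_scan_stateless"] = stateless_filter(ack_scan, RULES, MONDAY)
    out["ack_scan_stateful"] = fw.filter(ack_scan, MONDAY)
    # 2. DNS reply: no inbound rule mentions it, but it answers a query the LAN sent.
    query = Packet("out", "udp", "192.168.1.20", 5353, "192.0.2.53", 53)
    reply = Packet("in", "udp", "192.0.2.53", 53, "192.168.1.20", 5353)
    out["dns_reply_stateless"] = stateless_filter(reply, RULES, MONDAY)
    fw.filter(query, MONDAY)
    out["dns_reply_stateful"] = fw.filter(reply, MONDAY)
    # 3. SYN flood from many sources: the fourth unanswered SYN to the server is dropped.
    flood = StatefulFirewall(RULES, half_open_limit=3)
    out["syn_flood"] = [flood.filter(Packet("in", "tcp", f"203.0.113.{i}", 50000 + i,
                                            "192.168.1.10", 80, frozenset({"SYN"})), MONDAY)
                        for i in range(4)]
    # 4. Schedule: outbound SMTP is blocked at the weekend and allowed on a weekday.
    mail = Packet("out", "tcp", "192.168.1.20", 40001, "198.51.100.25", 25, frozenset({"SYN"}))
    out["smtp_saturday"] = stateless_filter(mail, RULES, SATURDAY)
    out["smtp_monday"] = stateless_filter(mail, RULES, MONDAY)
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {verdict}")
```

A real SPI implementation also ages entries out of the table and validates sequence numbers; the model omits both, but the four verdicts from `demo()` are exactly the difference the review is describing between a "dumb" port filter and stateful inspection.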
Rules can also be used to promote or demote the priority of a certain kind of traffic, known as QoS, or quality of service. In a typical configuration you would define a service for VoIP traffic and create a rule promoting this traffic to the highest priority level.
Compared to many other routers, including less expensive models, the ProSafe includes only a limited selection of pre-defined services. While adding custom services is not difficult, you will need to consult reference materials to find out which ports they use.
You can forward incoming traffic on a port to a particular LAN client, but the ProSafe does not support remapping ports (forwarding an external port to a different internal one) or port triggering.
Besides firewalling, the ProSafe supports limited content filtering. You can block sites containing ActiveX components, Java applications and cookies, or those reached via a proxy server. Keyword blocking is very coarse: the ProSafe will block any page containing a keyword either in its content or in its URL. So if you block the keyword "gamble" the ProSafe will not only block access to sites containing the word "gamble," but even Google searches for that term, or any domain name containing the word.
However, you can set up google.com as a trusted domain, which bypasses the content filter. Similarly, you can designate a single LAN address that bypasses the filter; bear in mind that any LAN user who assigns themselves that address bypasses it too.
The "ProSafe" name also relates to VPN, or Virtual Private Networking. A VPN lets two endpoints communicate through an encrypted, authenticated "tunnel" across an untrusted network such as the Internet. With a VPN you can join your office LAN from a laptop in a hotel, for example, with your traffic protected as if you were inside the office.
The ProSafe can support VPN connections between client computers and the router, or between the router and another VPN router. It supports up to eight simultaneous tunnel connections.
VPNs can be complicated to set up. Netgear has made a strong effort to simplify the process with a setup wizard that guides you through the most typical VPN configurations. Because VPN setups vary widely, the online documentation offers a series of step-by-step "recipes" for creating a variety of VPN architectures.
Netgear promotes the ProSafe's VPN as "optimized" for use with its matching "ProSafe VPN Client software" product. The VPN client, though, is not included with the router and is available as a separate purchase with a current street price between $40 and $50 for a single-user license.
Advanced administrators can host a VPN with the ProSafe with full control over policies and certificates.
Netgear includes some basic logging and monitoring features in the ProSafe. The router supports SNMP so that it can be managed with standards-based network monitoring software (including Netgear's own NMS, which is not included). If you enable SNMP, change the default community string and restrict which hosts may query the router; with SNMP v1 and v2c the community string is the only credential there is.
Logging is disabled by default, but most activities can be set to log: attacks detected by the SPI firewall, blocked pages, administration activity, all traffic activity either within the LAN or to the Internet, and rule events.
Logs can be sent to an external syslog server and/or sent via e-mail to a specified address. Syslog travels in the clear, so keep the log server on the LAN side, and send log e-mail only to an account you control, since it describes your network's exposure in detail.
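Sending logs to syslog is only useful if something reads them. The added example below (not from the article or from Netgear) parses RFC 3164 syslog lines and flags a source address that is blocked on several different ports within a short window, the signature of a port scan. The log lines are constructed and the "[FW] BLOCK ..." message layout is invented for the example; the ProSafe's actual log wording is not described on the page, so adjust BLOCK_RE to whatever your router emits.

```python
"""Added example: reading the router's syslog output and flagging scan bursts.

Parses RFC 3164 lines ("<PRI>Mmm dd hh:mm:ss host message") and counts
firewall block events per source address inside a sliding window. The
"[FW] BLOCK ..." message format is a hypothetical stand-in, not the ProSafe's
real wording; the sample lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Optional

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ 0-9]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
# Hypothetical layout for a blocked-packet message (assumption, adapt to your router).
BLOCK_RE = re.compile(
    r"\[FW\] BLOCK (?P<proto>TCP|UDP) src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)")


def parse_syslog(line: str) -> Optional[dict]:
    """Split a BSD-syslog line into its fields; None if it is not one."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    return {
        "facility": pri // 8,
        "severity": pri % 8,      # 0 = emergency .. 7 = debug
        "time": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),   # RFC 3164 carries no year
        "host": m["host"],
        "msg": m["msg"],
    }


def find_scanners(lines: List[str], threshold: int = 3, window_s: int = 10) -> Dict[str, int]:
    """Return {src_ip: distinct ports} for sources blocked on >= threshold ports within window_s."""
    recent: Dict[str, deque] = defaultdict(deque)   # src -> deque of (time, dport), oldest first
    flagged: Dict[str, int] = {}
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            continue
        hit = BLOCK_RE.search(rec["msg"])
        if not hit:
            continue
        src, dport, now = hit["src"], int(hit["dport"]), rec["time"]
        window = recent[src]
        window.append((now, dport))
        while window and (now - window[0][0]).total_seconds() > window_s:
            window.popleft()                         # drop events older than the window
        ports = {p for _, p in window}
        if len(ports) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(ports))
    return flagged


# Constructed sample log: one source probes three ports in four seconds.
SAMPLE_LOG = [
    "<134>Jun  1 12:00:01 prosafe [FW] BLOCK TCP src=203.0.113.9:4444 dst=192.0.2.10:22",
    "<134>Jun  1 12:00:02 prosafe [FW] BLOCK TCP src=203.0.113.9:4445 dst=192.0.2.10:23",
    "<134>Jun  1 12:00:03 prosafe [FW] BLOCK TCP src=198.51.100.7:1234 dst=192.0.2.10:445",
    "<134>Jun  1 12:00:04 prosafe [FW] BLOCK TCP src=203.0.113.9:4446 dst=192.0.2.10:3389",
    "<134>Jun  1 12:00:30 prosafe [FW] BLOCK TCP src=203.0.113.9:4447 dst=192.0.2.10:22",
    "<133>Jun  1 12:00:31 prosafe admin login from 192.168.1.5",
    "this is not a syslog line",
]

if __name__ == "__main__":
    print("port-scan candidates:", find_scanners(SAMPLE_LOG))
```

The sliding window matters: the fifth block from 203.0.113.9 arrives 26 seconds after the previous one and is counted as a new, single-port event rather than extending the earlier burst. A syslog receiver fed by a real router would also want the facility and severity fields, which the parser exposes, to route firewall events separately from administration messages.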
Today's routers are jacks of many trades. As a wireless access point, the ProSafe's performance rated average. Its signal strength and throughput, measured with a Netgear client card with Super G support, trailed those of a similarly priced MIMO router.
The ProSafe's firmware presented some quirks. For example, on most routers you can see which wireless clients are currently connected. The only feature on the ProSafe that would seem to offer this data is called "Attached Devices." But the list always showed up empty, no matter how many clients, wired or wireless, were connected to the router.
When managing the router through its administration interface, it would occasionally hang and become unresponsive until it was power-cycled. As with many routers, chances are good that these quirks will be ironed out with future firmware upgrades, which are easily applied through the administration interface.
At a price point in between feature-filled home network routers and enterprise-class business routers, Netgear's ProSafe stands out for strong VPN support and its SPI firewall. These strengths combine with average wireless performance and somewhat limited port control and content filtering.
Aaron Weiss is a regular contributor to PracticallyNetworked.