Tips for Securing Your Home Router
Seemingly minor and easily overlooked settings can still have profound security implications. Here are some steps you can take to make sure your wired or wireless home router — and by extension, your network — is as secure as possible.
D-Link RangeBooster N 650 Router
Author: Craig Ellison Review Date: 9/7/2006
Price: $129.99 list
Pros: Massive amount of configuration options
Cons: No support for WEP encryption (yet)
D-Link's entry into the 802.11n Draft 1.0 market is the RangeBooster N 650 four-port router. It's part of their "Platinum Plus" series of products, which promises superior speed, range and security compared to all other D-Link wireless products, and it now assumes the top spot in D-Link's product lineup.
At first glance, the DIR-635 appears very similar to the Platinum series WBR-2310 router. In fact, the hardware tooling is identical. The black and silver trimmed case is sleek and attractive. From the outside, the only obvious difference is the three antennas required for D-Link's implementation of the Atheros XSpan chipset.
The first thing you'll notice when you open the box is that there's no printed quick start guide. A piece of yellow tape that covers the four LAN ports instructs you to run the CD first. The DIR-635 is supplied with an excellent, almost idiot-proof step-by-step setup wizard. The wizard asked if I was replacing a router or installing a new one. I selected "replacing a router." Step-by-step animated instructions walked me through uncabling the old router and hooking up the new one. In addition to configuring the Internet connection, the wizard provided basic setup for the wireless connection. The only prompt was for the SSID (network name), and the wizard suggested a name like "the Smith Family Network." (In general, that's a bad idea. You really shouldn't name your wireless network with a name or address that might provide clues to your identity.)
Simple, animated step-by-step wizard guides you through setup.
The installation wizard also recommended installing the included trial version of Network Magic, a networking utility that simplifies sharing files and printers on your home network. You can also configure some of your wireless security features through the Network Magic interface. At the conclusion of the installation, the router rebooted and checked for an active Internet connection.
In general, the setup wizard worked very well, but it did have a few shortcomings. Some of the advice provided was questionable (such as naming your wireless network), but more importantly, it didn't guide me through setting up a secure wireless network. Nor did it prompt to change the administrator's password for the router. Both of these oversights are interesting, as the CD jacket has places for writing down the SSID, security key and administrator's password. In addition, in the absence of a printed quick start guide, the wizard should have included steps for attaching the three antennas. It would also have been nice if the wizard had included a link to the router's administration home page to facilitate additional configuration. However, if you do run into problems, the package includes an insert that provides you with links to D-Link's support site, a support e-mail address, and the toll-free phone number for their 24-hour support.
The DIR-635 is a router with four 10/100 Mbps LAN ports, a robust SPI (Stateful Packet Inspection) firewall and a Quality of Service (QoS) engine that prioritizes time-sensitive traffic such as VoIP or gaming traffic. The 802.11n Draft 1.0 wireless component is based on Atheros' XSPAN technology. (You can read the FAQs on Atheros' technology).
802.11n Draft 1.0 products hold the promise of superior performance for both range and throughput. The products based on Draft-N achieve some of their performance improvements by using a 40MHz-wide channel. Standards-based 802.11b/g uses 20MHz. To avoid interference to (and to provide compatibility with) legacy 802.11b/g products, Draft-N products are supposed to periodically check for legacy traffic, and back down to a 20MHz channel if discovered. So while laboratory tests will yield performance numbers in excess of 100Mbps throughput, real world performance in areas with legacy networks will be reduced. I tested in a real world environment with multiple adjacent wireless networks.
The Web-based user interface on the DIR-635 features tabs across the top of the interface for Setup, Advanced, Tools, Status and Support. As each tab is selected, related options appear on a vertical navigation bar. Setup, for example, has options for setting up your Internet connection, LAN and Wireless settings.
The router supports DHCP reservation, a feature not found in many routers. With DHCP reservation, you can "reserve" an IP address for a specific MAC address. This is useful when setting up a server on your network: you want to ensure that it gets the same address every time, but you want to leave the server configured to obtain an address using DHCP. Interestingly, the DHCP server assigned IP addresses out of its DHCP pool in random order. D-Link is aware of this; it is not a functional problem, but it will be addressed in a future firmware release.
The Wireless setup tab lets you configure all but the most advanced wireless options. By default, the router is configured for auto channel selection, 802.11b/g/n, and auto 20MHz/40MHz. Unlike the early days of Atheros "Super G," there isn't a way to force the router to use 40MHz channels. Atheros' Clear Channel Assessment ensures that the 40MHz channel is used only when it won't cause interference. There is an option to disable all wireless features (but then why did you spend all that money on a Draft N router?), as well as to disable broadcasting the SSID.
Note that there isn't an "n only" mode. The default is Mixed 802.11ng, 802.11g and 802.11b.
As part of the good neighbor policy, the only choices for transmission rate are 20MHz or Auto 20/40 MHz.
Security is disabled by default. It's important to note that the RangeBooster 650 only supports WPA Personal (PSK) or WPA Enterprise, which requires an external RADIUS server. The default WPA mode is legacy, which supports both WPA (TKIP) as well as WPA2 with the more robust AES encryption. The DIR-635 as tested did not support WEP, so if you have legacy wireless devices that only support WEP, it might be time to consider upgrading them to newer, more secure technology. D-Link says it's likely that support for WEP will be added back into the router for 802.11b/g modes in a future firmware release, possibly as soon as this month. The firmware version tested was 1.06.
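Since the review stresses that WPA Personal (PSK) is the only pre-shared mode on offer, it helps to see what the "security key" you write on the CD jacket actually becomes. The following is an added example, not code from the review or from D-Link: it derives the 256-bit Pre-Shared Key the way IEEE 802.11i specifies it (PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations), which is also why the SSID advice earlier in the review matters, and adds a simple passphrase policy check and generator. The policy thresholds (20 characters, three character classes) are assumptions for the example, not anything the review states; the "password"/"IEEE" pair is the published 802.11i test vector.

```python
"""Added example (not part of the review): how WPA/WPA2 Personal turns a passphrase
into the 256-bit Pre-Shared Key, plus a defender-side passphrase check.

Per IEEE 802.11i: PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
The SSID is the salt, so the same passphrase yields a different key on every network name.
"""
import hashlib
import secrets
import string


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 32-byte PSK exactly as a WPA/WPA2 Personal client or router does."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32)


def psk_hex(passphrase: str, ssid: str) -> str:
    """Hex form of the PSK, the 64-character key some clients let you enter directly."""
    return wpa_psk(passphrase, ssid).hex()


# Assumed policy for this example (not from the review): length and character-class mix.
MIN_LENGTH = 20
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def passphrase_problems(passphrase: str) -> list:
    """Return a list of policy violations; an empty list means the passphrase passes."""
    problems = []
    if len(passphrase) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    present = sum(1 for cls in CLASSES if any(c in cls for c in passphrase))
    if present < 3:
        problems.append("fewer than three character classes")
    return problems


def random_passphrase(length: int = 32) -> str:
    """Generate a passphrase with the OS CSPRNG; retry until it satisfies the policy."""
    alphabet = string.ascii_letters + string.digits + "-_.!"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not passphrase_problems(candidate):
            return candidate


if __name__ == "__main__":
    # Published 802.11i test vector: passphrase "password", SSID "IEEE".
    print(psk_hex("password", "IEEE"))
    print(passphrase_problems("password"))
    print(random_passphrase())
```

The derivation is deliberately slow (4096 HMAC rounds), but it is the passphrase, not the iteration count, that carries the strength: the key is only as unpredictable as the words a user typed, which is the reason the generator above exists.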
If you're really into configuring your router, you'll love the RangeBooster N. Clicking on the Advanced tab brings up 11 configuration options on the vertical navigation bar including Virtual Server, Port Forwarding, Application, Application Rules and QOS Engine configuration.
The Virtual Server configuration allows you to redirect a public port on the router to an individual LAN address. There are 12 pre-defined services such as FTP, HTTP, Telnet, POP3, etc., or you can enter your own public and private ports. Additionally, you can choose TCP, UDP, Both or Other for each virtual server defined. The router supports up to 24 virtual servers.
Port forwarding allows you to open a range of ports on the router and redirect the data to a single PC on the network. You can specify port ranges, lists of individual ports, or a mix of both. There are 79 applications with pre-defined port ranges, including many popular games as well as PlayStation 2 and Xbox Live. 24 port forwarding rules are supported.
The advanced settings configuration page shows 11 categories down the left side. Port Forwarding has 79 pre-configured applications. Context-sensitive Hints and Help are always available on the right side of the screen.
Application rules are similar to port forwarding in that they open single or multiple ports when the router senses data sent to the Internet on a "trigger" port or port range. These application rules apply to all computers on the internal network. There are six pre-defined applications, including AIM Talk and BitTorrent, or you can define your own application. As with Virtual Server and port forwarding, the router supports 24 application rules, and you can schedule each rule for "always" or "never."
In addition to the configurable Quality of Service (QoS) engine, the DIR-635 has options for configuring network filters, access control, Web site filters and inbound traffic filters. The SPI firewall configuration includes settings for Application Layer Gateways (ALGs) for such protocols as PPTP, IPSec, RTSP, FTP, etc. ALGs inspect and rewrite the IP payload of protocols that embed addresses or ports so that they work through network address translation (NAT). I was also pleased to see that D-Link supports Dynamic DNS with the most comprehensive list of DDNS providers (12) that I've seen.
Tools options showing nine categories down the left side. The DIR-635 has excellent support for a large number of DDNS service providers.
Though there are many available configurable settings, the default settings shouldn't require much tweaking. Throughout the user interface, help and hints are available in a window on the right hand side of the screen. In fact, if you read all of the help, it's not a bad primer on networking.
The real test of the router is its wireless performance. To test the DIR-635, I set up two notebooks, each with a D-Link RangeBooster N 650 (model DWA-645) Draft-N compatible card. I tested in infrastructure mode and, using two streams of data with IPerf, sent traffic between the two notebooks. Since the traffic was being sent between the wireless notebooks, the total throughput is approximately double the number reported by IPerf.
The DWA-645 client card driver installation gives you a choice of using Windows Zero Config or DLink's wireless client (seen here). The DLink wireless client shows signal strength and which channels are used by neighboring wireless networks.
I tested in a typical home environment (mine). Before testing, I did a site survey and discovered six nearby wireless networks.
I created four test scenarios, and for each one, ran performance tests a number of times. The results below are the average throughput for each test scenario.
Floor-plan figure: test locations marked "Same room (1)" and "Living Room (3)".
Test One -- Both notebooks in the same room as the router. The router was over six feet away from the notebooks. Result: 62.8 Mbps.
Test Two -- One notebook in the same room as the router. The second notebook was moved to a bedroom over 19 feet away. There was one wall between the router and the client. Result: 56 Mbps.
Test Three -- One notebook in the same room as the router. The second notebook was moved to the living room downstairs. Result: 49.3 Mbps.
Test Four -- One notebook in the same room as the router. The second notebook was moved to the kitchen directly below the location in test two. Result: 35.4 Mbps.
Indeed, the D-Link DIR-635 router/DWA-645 client card combination provided excellent performance and coverage virtually anywhere in our home test environment.
My one disappointment with the router was that the LAN ports were only 10/100Mbps. Many of the new breed of routers are equipped with four Gigabit LAN ports. Since many notebooks and desktops have built-in Gigabit Ethernet adapters, it would be nice to have a router that supports Gigabit.
I'll be re-testing the D-Link products as they release firmware and drivers that improve interoperability with other vendors' Draft-N products. For now, the RangeBooster N 650 Platinum Plus looks like a winner.
By now, you probably know that upgrading the near-legendary Linksys WRT54G series routers with free, often open-source firmware is one of the best bargains going. Replacement firmware typically offers a plethora of advanced router and firewall features rarely found on sub-$100 hardware.
DD-WRT, a free, open-source firmware coded and distributed by “BrainSlayer,” has emerged as one of the leading, most powerful and also user-friendly firmware replacements for the WRT54G series. DD-WRT is available for an increasingly wide range of routers besides the WRT54G, including models by Asus, Belkin, Buffalo Devices, Motorola and Siemens.
There are caveats to upgrading your router, and the process is not without risk, so beware. We'll assume you've got DD-WRT successfully installed, and forge ahead...
In this first detailed look at new features you can get from open source router firmware, prepare to be dazzled by the capabilities of... the Dynamic Host Configuration Protocol (DHCP).
Out of the box, most routers and PCs are designed to manage their IP addresses automatically. The PC, whether wired or wireless, requests an IP address and related network parameters from the router using the DHCP protocol. The router plucks an unused address from its pool of available addresses, hands it to the client, and everyone is smiling.
This process results in what is called a “dynamic IP address” – every time the PC connects to the router (on boot-up, for example, or wireless association), it is assigned a new IP address. The router may assign the same address it assigned in the previous session. Or it may not. You don’t know and, usually, you don’t care.
There are cases, though, when you want your client to receive a predictable, consistent IP address. The most common scenario is when you run a server on your client PC. Suppose you run a Web site on a PC at home, and you need access to this server from elsewhere – work, school, your laptop in the park. Your router “hides” your server from the outside world, which is normally a good thing for security. This is why a higher power invented Port Forwarding.
Your router will allow you to forward traffic destined for a specified port to a specific machine. In its simplest form, you can configure your router to forward incoming traffic destined for port 80 – the default port number for Web traffic – to the IP address of the PC running your Web server.
What is your Web server PC’s IP address? If it receives its address automatically from the router – you don’t know for sure. It could change, and your port forwarding would become unreliable.
One solution is to manually assign your Web server its IP address and network parameters, rather than use DHCP. However, this may limit your ability to easily connect that machine to other networks — a more likely problem for laptops. If your ISP changes name servers on occasion, this could also break your manual network configuration.
Ideally, if you continue using DHCP on your client yet can rely on always receiving the same IP address, you’re having your cake and eating it, too. Which begs the question – why would you have a cake if you weren’t going to eat it? Isn’t that the purpose of cake?
Fortunately, DD-WRT makes it easy to create static DHCP addresses for your network. Combining the best of both worlds, a static DHCP address allows your clients to continue receiving their network parameters automatically, yet you know exactly which IP address will be assigned.
1. Open a browser and connect to your router’s administration page. The default address for DD-WRT is http://192.168.1.1, but may vary if you’ve reconfigured it.
2. Go to the Setup/Basic Settings menu. The router may first ask you to log in with your administrator password. (The default is root/admin). Scroll down the page to “Network Address Server Settings (DHCP).”
3. Make a note of the pool of addresses the router uses when assigning dynamic IPs. Here, we see a pool of 100 addresses, beginning at 192.168.0.100 and ending at 192.168.0.200. It will be important later that your static DHCP address assignments fall outside this pool. (If you make any changes here, be sure to save your settings.)
4. Go to the page Administration/Services. Here’s where the action is. Below the “Static Leases” heading, click the “Add” button to create a new DHCP entry field.
5. Enter three values: the MAC address of your client machine’s network adapter, a host name for the machine, and the IP address you want it to be assigned. Choose any host name you like, such as “webserver” or “gameserver”. Choose an IP address which follows the same pattern as those in your DHCP address pool (in our example, 192.168.0.x). Choose a number for x which is outside the address pool seen in step 3 (in our example, 201).
You can find the MAC address for your network adapter in either Windows XP or Mac OS X with a few clicks.
Windows XP: Click Start/Settings/Control Panel/Network Connections and click the name of your network connection. Wired connections are typically named “Local Area Connection,” while wireless connections are called “Wireless Connection”. In the Status window, click Support, and in that window, click Details. Your MAC address is the series of hexadecimal pairs labeled “Physical Address”. Use colons rather than dashes to separate the pairs in the DD-WRT interface.
Mac OS X: Go to the Dock/System Preferences/Network. Click the Ethernet tab. Your MAC address is labeled “Ethernet ID”.
6. With your MAC address, host name and chosen IP address entered into DD-WRT, be sure to click Save Settings at the bottom of the page. If you want to add another static DHCP entry, you must save your settings first, then click Add to create a new entry.
7. If you like, add a port forwarding entry for your new static DHCP address. In our example, we set up a Web server on our client PC. Our Web server listens for traffic on the default port 80. But our ISP blocks incoming traffic to port 80, because they don’t want us running Web servers (ours is for private personal use, we totally swear). Go to Applications & Gaming/Port Forwarding in the DD-WRT menu. Click Add to create a new forwarding entry. We enter an identifier into the “Application” field, in this case, “webserver”. The router will listen for traffic on port 8088, so that we can connect from outside without being blocked by the ISP. Our destination IP address is the static DHCP entry created in step 5, and our destination port is where our Web server is actually listening, port 80. Be sure to check Enable for this definition to take effect. And, of course, Save Settings.
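The walkthrough above clicks through DD-WRT's Static Leases and Port Forwarding pages; underneath, DD-WRT runs dnsmasq for DHCP and iptables for NAT. The following is an added example, not DD-WRT's own code or anything from the article: it checks a planned static lease against the dynamic pool noted in step 3 (same subnet, outside the pool, not the network or broadcast address), normalizes the dash-separated MAC that Windows XP shows into the colon form DD-WRT wants, and then emits the dnsmasq `dhcp-host=` line and the iptables DNAT/FORWARD rules that the two GUI entries correspond to. The LAN, pool and addresses are the article's example values; that DD-WRT writes exactly these lines, and the absence of WAN/LAN interface names on the iptables rules, are assumptions of the example. It also covers the DIR-635's DHCP reservation feature from the review, which is the same mechanism.

```python
"""Added example (not DD-WRT's own code): validate a static-lease plan against the
router's dynamic DHCP pool, then emit the dnsmasq and iptables lines behind the
Static Leases and Port Forwarding pages. Interface names are omitted (assumption).
"""
import ipaddress
import re
from typing import List, Optional


def normalize_mac(mac: str) -> str:
    """Accept '00-11-22-33-44-55' (Windows XP) or '00:11:22:33:44:55'; return colon form."""
    parts = re.split(r"[-:]", mac.strip().lower())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9a-f]{2}", p) for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(parts)


def static_ip_problem(ip: str, lan_cidr: str, pool_start: str, pool_end: str) -> Optional[str]:
    """Return None if ip is safe as a static lease, otherwise the reason it is not."""
    net = ipaddress.ip_network(lan_cidr, strict=False)
    addr = ipaddress.ip_address(ip)
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    if addr not in net:
        return f"{addr} is not on the LAN {net}"
    if addr in (net.network_address, net.broadcast_address):
        return f"{addr} is the network or broadcast address"
    if lo <= addr <= hi:
        # Step 3 of the walkthrough: a dynamic client could otherwise be handed this address.
        return f"{addr} lies inside the dynamic pool {lo}-{hi}"
    return None


def dnsmasq_static_lease(mac: str, hostname: str, ip: str) -> str:
    """dnsmasq syntax for a fixed lease: dhcp-host=<mac>,<hostname>,<ip>."""
    if not re.fullmatch(r"[A-Za-z0-9-]{1,63}", hostname):
        raise ValueError(f"host name must be letters, digits or '-': {hostname!r}")
    return f"dhcp-host={normalize_mac(mac)},{hostname},{ipaddress.ip_address(ip)}"


def port_forward_rules(public_port: int, dest_ip: str, dest_port: int, proto: str = "tcp") -> List[str]:
    """iptables rules equivalent to one Port Forwarding entry (no -i/-o interfaces; assumption)."""
    return [
        f"iptables -t nat -A PREROUTING -p {proto} --dport {public_port} "
        f"-j DNAT --to-destination {dest_ip}:{dest_port}",
        f"iptables -A FORWARD -p {proto} -d {dest_ip} --dport {dest_port} -j ACCEPT",
    ]


def plan(mac: str, hostname: str, ip: str, lan_cidr: str, pool_start: str, pool_end: str,
         public_port: Optional[int] = None, dest_port: Optional[int] = None) -> List[str]:
    """Validate the lease and return every config line the walkthrough's entries imply."""
    problem = static_ip_problem(ip, lan_cidr, pool_start, pool_end)
    if problem:
        raise ValueError(problem)
    lines = [dnsmasq_static_lease(mac, hostname, ip)]
    if public_port is not None:
        lines += port_forward_rules(public_port, ip, dest_port if dest_port else public_port)
    return lines


if __name__ == "__main__":
    # Constructed values matching the article's example (MAC is made up).
    for line in plan("00-11-22-33-44-55", "webserver", "192.168.0.201",
                     "192.168.0.0/24", "192.168.0.100", "192.168.0.200", 8088, 80):
        print(line)
```

The check in `static_ip_problem` is the part worth keeping: the GUI will happily accept a static lease inside the pool, and the failure only shows up later as an address conflict when a dynamic client is handed the same IP.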
You are now, as they say in the new Taco Bell ads which are vastly inferior to the ones with the talking Chihuahua, “good to go.” Even if you don’t run Web, game or other servers on your local machines, you never know when a stable, predictable IP address will come in handy.