Tips for Securing Your Home Router
Seemingly minor and easily overlooked settings can still have profound security implications. Here are some steps you can take to make sure your wired or wireless home router — and by extension, your network — is as secure as possible.
Most Popular Reviews
Microsoft Windows Home Server
If you have a home network, you'll welcome the easy file sharing, remote access and the image-based backup features of Windows Home Server.
MikroTik's The Dude
This free tool delivers many of the same capabilities that you'd find in pricey network monitoring tools. As long as you don't mind tinkering, The Dude is a decent network utility that should be worth the download.
D-Link SecureSpot DSD-150
Author: Joe Moran Review Date: 10/26/2006
Internet-connected computers (particularly those running Windows) face a host of threats from various sources — these days it can often seem as if your PC is at risk from everything but e.coli.
Using a broadband router/firewall for protection is a good start, but it can't guard against some of the most serious and prevalent threats like e-mail or Web page-borne infections and most don't prevent kids from accessing inappropriate content. For that kind protection you typically need to supplement your router's [define] firewall [define] with Internet security software that runs on a PC. Of course, PC-based security applications protect only the systems they run on, so an increasing number of households with more than one computer face the expensive prospect of buying separate security software for each system, or even worse, leaving some computers unprotected.
D-Link says that it's SecureSpot DSD-150 is a solution to this dilemma, offering a simpler and less-expensive way to protect multiple systems on a network. The $99 SecureSpot is a hardware device that protects up to four PCs and provides most of the features you'd expect to find in a comprehensive Internet security suite, including a firewall, parental controls, anti-virus and spam filtering, along with personal data protection and a pop-up blocker.
We found that the SecureSpot can be a cost-effective way to protect multiple systems and their users from various Net-based threats. On the other hand, it doesn't eliminate the need to install software on your systems, and certain aspects of device configuration may be confusing to some.
Pricing and Features
The SecureSpot is a small, nondescript black box with two RJ45 [define] ports that sits between your cable modem/DSL device and your broadband router. As is the case with most security products these days, the SecureSpot is a subscription-based product — the purchase price is good for the first year of service, and renewals will set you back $79.99 annually. Out of the box, the SecureSpot will protect up to fourPCs on your network, but you can add additional systems for $19.99 per year.
In a nutshell, the SecureSpot functions as a Internet proxy device that works in conjunction with managed security provider Bsecure, a company that provides the management interface as well as the online databases that give the SecureSpot the capability to identify the content of web sites and recognize threats like viruses, spam and so on.
Strictly speaking, the SecureSpot isn't a hardware-only solution. Many functions, such as the firewall, content controls, and spam filter — are self-contained, but some — including the anti-virus scanner and certain aspects of the firewall — are provided by a thin-client utility that must be installed on each PC you want to protect. The client runs on either Windows XP/2000 or Mac OS X 10.3/10.4 (we used it with XP systems).
Getting the SecureSpot physically connected isn't difficult. D-Link provides step-by-step graphical instructions on what connects to what, and since the SecureSpot doesn't need to communicate directly with your broadband router, it shouldn't matter what kind of device you use (we used a Netgear WPN824).
The first time you try to access a Web site after installing the SecureSpot on your network, you're automatically taken to a Web page to activate the device and create your administration account on BSecure's SecureSpot management server. The next step is to download and install the thin client onto each system on your network — opening the browser on any system takes you directly to a client download page.
The SecureSpot operates in one of three general security modes. The default mode, Medium, requires that systems run the thin client to browse the Web or use any Internet-enabled application like e-mail or instant messaging. You can eliminate this restriction by setting the security mode to Low, but for either mode, parental control restrictions can be thwarted by removing the SecureSpot from the network. To guard against this, the SecureSpot's High security mode causes the client to check for the presence of the SecureSpot device, and if it's not found an administrator login is required before Internet access is granted. This feature worked as advertised when we tried it, and you can't uninstall the client without the admin password (though you could conceivably access the Net unchallenged by using a PC sans client.)
SecureSpot lets you block certain types of applications.
SecureSpot configuration is handled via the SecureSpot Control Center, a browser-based interface that connects to the back-end server rather than directly to the device. (Accessing this control panel seemed to work better with IE. With Firefox things were dicey.)
Most SecureSpot functions that are performed through the hardware can be configured centrally for all systems on your the network. When you try to configure a feature that's part of the thin client (like an anti-virus scan) the browser will launch the relevant part of the thin client on individual PC you're using for further customization options.
Parental Controls and Firewall
The material children can access on the Internet is a serious concern for many parents, and those considering the SecureSpot will be happy to know that it offers numerous ways to restrict when and how kids can access the Internet.
For starters, you can create an access schedule to define which days and times of day access will be allowed. There are dozens of content categories you can choose to filter, and you can supplement these category filters with lists of specific Web sites you want to block (or allow) access to. You can easily gain override access to blocked sites by entering the SecureSpot administrator username and password. To thwart concerted and repeated efforts to circumvent the content filter by trying to go to different sites with the same kind of content, the SecureSpot includes a safety lock option that can force a user to restart the system to regain Internet access after a specified number of blocked attempts.
The SecureSpot provides a wizard that lets you set up the parental control and firewall features at a basic functional level, but customizing certain aspects of the SecureSpot may prove confusing for some users (especially less technical ones) since the configuration interface groups settings technically rather than logically (i.e. to block Web content you use parental controls, but to block the use of applications you use the firewall). This would be less of a problem if the manual provided detailed explanations of the various features, but it offers only short descriptions and little in-depth information.
In the firewall category, you'll find additional settings designed to prevent the use of certain applications. You can block the traffic used by certain programs (like instant messaging or peer-to-peer [define] file sharing applications), prevent programs from even executing on a system or block the download of certain file types.
Depending on what they wish to restrict, parents may need to pay close attention to both the parental control and firewall configuration options and test systems after making changes. As an example, blocking Instant Messaging in the parental control settings will block access to something like aim.com, but it won't prevent someone from downloading the actual AIM client from another source or using it if it's already on the system. For that you need to block the application and/or its traffic in the firewall.
Since an overriding set of content or application restrictions is seldom appropriate for every member of a household, the SecureSpot lets you set up profiles for specific computers (defined by MAC address [define]) or individual users and specify custom rules to each. The latter approach requires the extra step of logging into the SecureSpot thin client before obtaining Internet access, but you can associate SecureSpot user accounts with specific Windows profile to eliminate the need to log in twice.
Anti-Virus, Spyware, and Spam Filter
The SecureSpot's anti-virus protection is handled by the thin client and is based on the McAfee VirusScan engine, which also scans for spyware (virus/spyware definitions are automatically kept updated on each system by the server).
Although D-Link calls the SecureSpot a spam blocker, filter is a better term since the SecureSpot doesn't actually block any incoming mail. Unlike most PC-based anti-spam software, the SecureSpot's offers no configurable options besides turning the spam filter on or off and customizing the tag that's appended to incoming suspect e-mails. You then configure the POP3 e-mail client of your choice (IMAP [define] and Webmail [define] accounts aren't supported) to delete all tagged mail or divert it to a specific folder for later review.
You probably wouldn't want a third-party deciding what mail to block anyway, and despite the inaccurate nomenclature the SecureSpot's filter did a good job at identifying unwanted e-mail. We didn't encounter any false positives, and only a handful of spam messages made it through unrecognized.
Reporting and Performance
You can the SecureSpot to log all Web requests, and when you want to find out who tried to access what, you can log into the SecureSpot administration page and access a daily activity report (including past reports). The reports are hosted on the server, which means they can't be edited or deleted by anyone hoping to hide their tracks. Although the SecureSpot's documentation cited an option to send reports to an e-mail address, this feature was not available on our test unit. (We were using the most recent device firmware available at the time, 1.03.)
You can use SecureSpot's reporting features to find out who tried to access what on the Internet.
Using the SecureSpot on our network did have a slight but noticable impact on our performance. Downloading e-mails did take longer as the spam filter worked its magic, but it still proceeded at an acceptable rate. There also seemed to be a discernible slowdown in browsing performance, but again it wasn't severe enough for most people to be bothered by it.
The Bottom Line
There's no question that the $99 SecureSpot DSD-150 is a less expensive means of protecting multiple systems compared to installing separate security software on each at $50-$70 a pop. (Although now that some security vendors are belatedly starting to offer three- or five-license bundles at significant discounts, the actual savings provided by the SecureSpot may not be profound as this simple pricing comparison might suggest.)
Configuring a single device like the SecureSpot should also be more efficient than doing it on on three or four individual systems, but tailoring the SecureSpot to your specific needs may not necessarily be any easier than customizing PC security software due mainly to an unintuitive organization of features and a manual that doesn't sufficiently describe them.
Pros: cost-effective security protection for multiple PCs; good parental controls and tamper-proof activity reporting, compatible with both with Windows and Mac
Cons: doesn't eliminate the need to software on individual PCs; some configuration options can be confusing; unhelpful manual
Joe Moran is a regular contributor to PracticallyNetworked.