SMC Barricade N Wireless Broadband Router
Author: Aaron Weiss Review Date: 3/1/2007
Technological progress continues its relentless march forward, seemingly blessing every new generation of hardware with faster speeds and lower costs. The next "big thing" in wireless networking is the upcoming 802.11n standard, expected to be ratified in 2008 and published in 2009. Considering that it's 2007, it would be natural to wonder how 802.11n helps us now. And how did SMC already bring an 802.11n wireless router to market?
The formal process by which the IEEE develops new standards is a long and winding road. Along the way, a standard embodies several draft proposals, which set down specifications, lead to feedback, debate, and later drafts. The first draft of the 802.11n standard was completed in 2006. Even though its final form was years away and subject to revision, networking vendors wanted an early jump on the market. With promises of increased range and significantly faster speeds than 802.11g, "N" devices have already hit the market.
The SMCWBR14-N Barricade Draft N wireless broadband router is, like most early N devices, based on the Draft 1.0 specification. There are questions as to whether Draft N devices can perform at the level that the final 802.11n specification will support, as well as whether they will be compatible with future 802.11n devices.
To the chagrin of some, networking vendors have tried to influence the IEEE process to maintain compatibility with today's draft devices when the specification is finalized. Whether that will prove true, and whether today's draft devices like the SMCWBR14-N will be firmware upgradeable to the final standard, remains to be seen.
Promises of range and speed
Ultimately, 802.11n promises more range and speed than the popular 802.11b and 802.11g wireless standards. Using MIMO ("multiple in, multiple out") antenna technology, 11n devices rely on multiple antennas and smart algorithms to construct data streams from reflected signals, formerly a liability in 11b/g devices.
Together, this and other improvements in 11n promise indoor range up to 165 feet (versus 100 feet for 11b/g) and speeds up to a whopping 540Mbit/s, or ten times that of 11g.
But, there is always a "but." Right now, the but is that 802.11n is not finalized, and may or may not reflect the real world performance of today's Draft N devices.
SMC Joins Draft N
The SMCWBR14-N is the Draft N addition to SMC's Barricade range of broadband routers. At a current street price of around $100, it promises speeds "up to 5x faster than 802.11g" or 300Mbit/s as advertised on the box.
The most obvious departure point from other wireless routers is the SMC's three external antennas, used to support MIMO. Two of the 4dBi antennas are permanently attached and one (the middle) is detachable.
A row of slim, green status LEDs on the front housing indicates the presence of power, LAN connections 1-4, WAN, and WLAN.
On its rear you will find an AC transformer plug, factory reset button, WLAN on/off switch, WAN port, and four switched, auto-sensing 10/100Mbps LAN ports.
In the future, SMC should consider upgrading the LAN ports to gigabit speeds. Remember that the router is marketed as offering wireless speeds faster than 100Mbit/s. If a wireless client is sharing data with a wired client connected to this router, the wired client will bottleneck at 100Mbps maximum.
Besides the router itself, you'll also find in the box one Ethernet cable, a printed quick start guide, and a complete electronic manual on CD.
If you've ever set up a wireless broadband router before, the SMC will throw no new curveballs your way. As with most routers, connect the unit to a wired PC, retrieve a DHCP IP address, and connect to the router's administration page as detailed in the quick start guide.
In fact, SMC's administration interface is strikingly similar to that of some D-Link, Zyxel, and other routers using Atheros (XSPAN) chipsets. After logging into the router you can choose between two wizards, one for setting up your Internet connection, the other for setting up wireless security. Alternatively, you can ignore both wizards and set up the router manually.
Despite supporting Draft N, very little has changed in setting up a wireless network on the SMC compared to 11b/g routers.
You can set an SSID and choose a broadcast channel from 1 to 11, or let the router choose a channel automatically. The SMC supports five wireless operation modes: mixed support for 11b/g/n, 11n only, mixed 11b/g, 11g only, and 11b only. For maximum performance you should choose 11n only, assuming your wireless client(s) include draft N receivers. Because Draft N is new, most situations will require mixed mode to support 11n and 11b/g clients.
A new feature of 802.11n is support for 40MHz channel widths, essentially occupying double the bandwidth of b/g channels. You can restrict the SMC to 20MHz channels only or allow it to automatically select 20 or 40MHz channels. Users of some Draft N products report interference problems with nearby 11b/g networks; disabling 40MHz channels on the SMC may help.
You can also limit the maximum transmission rate of the SMC to something below 300Mbit/s, but most users will leave this setting on automatic.
The SMC supports three wireless security protocols: WEP, WPA, and WPA2. Both WPA and WPA2 can be used in Personal or Enterprise modes. Enterprise users can point the SMC at a RADIUS authentication server. Most home users will stick with WPA Personal mode.
Note that because WEP has proven highly vulnerable to compromise, the 802.11n specification no longer supports this legacy security. You cannot use WEP in conjunction with Draft N speeds.
In both WPA modes, you can restrict clients to WPA or WPA2 support, or set the SMC to auto which will support all WPA clients.
Although not directly related to being a Draft N router, the SMC supports a wide range of custom application routing options. The good news is that you can probably configure nearly any server or application to properly route from the Internet to your LAN. The catch is that you'll need to know what you're doing or at least rely on the detailed on-line help or electronic manual.
The SMC's Advanced configurations are broken down into several key subsections. Under the Virtual Server settings you can remap ports from the Internet to your LAN. For example, suppose there is a mail server on your LAN but your broadband provider blocks incoming port 25. You can configure the SMC to listen for SMTP traffic on public port 2525 and to remap this traffic to port 25 inside your LAN.
The "Gaming" settings, more commonly known as port forwarding, let you define individual or ranges of TCP or UDP ports which should be mapped to an individual LAN client. Despite the name, these configurations can be used to support not only games, but also telephony, video conferencing, and other applications which on their own do not work through NAT. The SMC includes a pre-configured list of games and P2P applications with the necessary port ranges already defined.
While the "Gaming" configuration forwards port-bound packets to a single LAN IP, you can define port triggering rules in the "Special Applications" settings. Here, any machine on your LAN can convince the router to temporarily open a specified port when data is sent over a defined trigger port. For example, if you select the pre-defined "ICQ" application, the necessary ports will be opened and forwarded to whichever LAN machine has initiated an ICQ session.
All of the above application routing rules can be applied to specified schedules. For example, a particular Gaming rule could be set to take effect only during afternoon hours on weekdays. Schedules are defined independently and can be applied to many rules and filters throughout the SMC configuration.
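A minimal model of the three rule types described above (Virtual Server, "Gaming" port forwarding, and "Special Applications" port triggering), added here as an illustration and not taken from SMC's firmware. The LAN addresses, port numbers other than 2525 and 25, and the 60-second trigger lifetime are constructed assumptions; the point is to show which unsolicited inbound ports each rule leaves reachable from the Internet.

```python
# Added illustration: a toy model of inbound-mapping rules on a NAT router.
# Addresses, game/trigger ports and the trigger lifetime are constructed.

class Router:
    def __init__(self, trigger_ttl=60):
        self.virtual = {}    # public port -> (lan_ip, private port)
        self.forward = []    # (port range, lan_ip); port number unchanged
        self.triggers = {}   # outbound trigger port -> inbound ports to open
        self.opened = {}     # inbound port -> (lan_ip, expiry time)
        self.trigger_ttl = trigger_ttl  # assumed lifetime of a triggered opening

    def add_virtual_server(self, public_port, lan_ip, private_port):
        self.virtual[public_port] = (lan_ip, private_port)

    def add_forward(self, first, last, lan_ip):
        self.forward.append((range(first, last + 1), lan_ip))

    def add_trigger(self, trigger_port, open_ports):
        self.triggers[trigger_port] = tuple(open_ports)

    def outbound(self, lan_ip, dst_port, now):
        """A LAN host sends traffic out; a matching trigger opens ports to it."""
        for port in self.triggers.get(dst_port, ()):
            self.opened[port] = (lan_ip, now + self.trigger_ttl)

    def inbound(self, public_port, now):
        """Return the (lan_ip, port) an unsolicited WAN packet reaches, or None."""
        if public_port in self.virtual:
            return self.virtual[public_port]
        for ports, lan_ip in self.forward:
            if public_port in ports:
                return (lan_ip, public_port)
        lan_ip, expiry = self.opened.get(public_port, (None, 0))
        if lan_ip and now < expiry:
            return (lan_ip, public_port)
        return None  # dropped: no rule exposes this port

def demo():
    r = Router(trigger_ttl=60)
    r.add_virtual_server(2525, "192.168.2.10", 25)  # SMTP remap from the review
    r.add_forward(27000, 27015, "192.168.2.20")     # constructed "Gaming" range
    r.add_trigger(5190, [5191])                     # constructed trigger rule
    before = r.inbound(5191, now=0)                 # closed until triggered
    r.outbound("192.168.2.30", 5190, now=0)
    return [r.inbound(2525, 0), r.inbound(27005, 0), before,
            r.inbound(5191, 30), r.inbound(5191, 61), r.inbound(25, 0)]
```

Virtual Server and forwarding rules stay reachable for as long as they are enabled, while a triggered port is exposed only after a LAN host initiates traffic and only until the opening expires.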
SMC has also included support for StreamEngine, a QoS engine to ensure application performance. Operating in automatic mode by default, the StreamEngine identifies types of traffic and prioritizes that which benefits most from real-time performance such as gaming and VoIP. Alternatively, you can add custom StreamEngine rules and manually tune QoS for individual types of traffic.
The SMC also includes WMM, or Wi-Fi Multimedia, another traffic shaping technology that automatically identifies and prioritizes multimedia content streaming across your wireless LAN. The only configuration for WMM is whether to enable or disable it.
Self Censorship through Access Controls
If you need to limit a client's access to the Web, the "Web Filter" access control lets you define a whitelist of allowed Web sites. Once defined and enabled in the Access Controls, the Web filter blocks any attempt by a defined client to access any Web site not explicitly listed as allowed.
The SMC does not offer a corresponding Web site blacklist, which would be useful if you wish to block access to only a few specific sites.
Likewise, using Access Controls you can define complex rules disallowing traffic from defined ports to specified clients at defined schedules.
The SMC's stateful (SPI) firewall identifies not just individual data packets but patterns of data that reveal the fingerprints of malicious intent. To manage false positives, you can customize the firewall's attentiveness when data originates from a local client. The "Endpoint Independent" setting calls off the guard dogs when a local machine has initiated the connection to an outside host. More restrictive options let you specify which outside hosts get special hands-off treatment from the firewall, or at the maximum security level, all hosts are treated as suspicious and equal.
For the hands-on administrator, the SMC maintains multiple logs of activity including firewall/security incidents, warnings, and general information (such as client associations).
Logs and other alerts can be sent to a specified e-mail address or to a syslog server.
The router's firmware is flash upgradeable via the administration interface.
How you look at the SMC's Draft N performance depends on whether you are the kind of person who sees the glass as half empty or half full.
In numerous tests using the Ixia Qcheck network performance tool, the maximum speeds we measured between the SMCWBR14-N and SMC's own Draft N PC card topped out at 70Mbit/s. More often, a strong wireless signal would produce throughput in the low to mid 60Mbps.
Enabling WPA2 Personal security did not exact a significant toll on performance. On average, throughput remained about the same with security enabled.
Range for this Draft N router proved impressive, but about on par with 11g routers enhanced with MIMO. We had no trouble maintaining a reliable connection from the furthest points of a large two-story house. But note that while the connection with the SMC remained intact, throughput dropped off considerably when connection strength dropped to near 50 percent. At this point, speed tests revealed readings in the mid to high 20Mbps, similar to 11g performance.
If you've bought wireless routers in the past, you know that real-world performance runs at best half that touted in marketing hype. In practice, communications between client and router are full duplex, resulting in seemingly "reduced" speeds.
In the case of this SMC Draft N router, though, we could at best achieve speeds nearing one-quarter of the advertised maximum. It would be accurate to say that the SMCWBR14-N, when associated with SMC's own Draft N wireless client card, can achieve throughput over two times faster than most 11g routers and 15-20 percent faster than those 11g routers with 108Mbps turbo enhancements.
Looked at this way, rather than compared against the vendor's claims, the glass will indeed appear half full.