Tips for Securing Your Home Router
Seemingly minor and easily overlooked settings can still have profound security implications. Here are some steps you can take to make sure your wired or wireless home router — and by extension, your network — is as secure as possible.
Most Popular Reviews
Microsoft Windows Home Server
If you have a home network, you'll welcome the easy file sharing, remote access and the image-based backup features of Windows Home Server.
MikroTik's The Dude
This free tool delivers many of the same capabilities that you'd find in pricey network monitoring tools. As long as you don't mind tinkering, The Dude is a decent network utility that should be worth the download.
ZyXEL NWA-3160, Premium Service at Economical Price
Author: Eric Geier Review Date: 10/30/2008
Open ZyXEL NWA-3160
Don't let the low price fool you. The ZyXEL NWA-3160 is business-class access point that offers all the usual enterprise features in addition to being a hybrid wireless controller and RADIUS server.
The ZyXEL NWA-3160, an 802.11a/g business-class access point (AP), isn't a player in the hot Draft N market. Nevertheless, it caught our eye. For as low $140 online, this AP offers all the usual enterprise features in addition to being a hybrid wireless controller, managed AP, and standard AP. To top it off, it has a built-in RADIUS server, which it and other APs can use to implement 802.1x authentication for use with enterprise-level WPA/WPA2 or WEP encryption. We got our hands on this ZyXEL AP and decided to put it through the ropes.
Glancing Over the Features
The brains of the NWA-3160 are housed inside a plenum-rated casing, making the AP appropriate for placement in open plenum areas above acoustical drop ceiling. A set of standard 2 dBi dual-band omni-directional detachable antennas protrude from the sides. The status lights are sported on the top surface, while the usual power, network and PS/2 console ports are on the back end with the reset button.
What's That Term?
Not sure what a particular networking term means? Check out our searchable glossary.
The NWA-3160 has three different main modes of operation: AP Controller, Managed AP, and Standalone AP. To centrally manage up to eight other supported APs on the same or different network, the AP Controller mode can be enabled. On the other hand, it can be set to act as one of the managed APs. If a managed wireless network isn't desired, it can serve as a stand-alone AP, which offers the following wireless modes: AP and bridge, bridge/repeater, multiple BSSID and a plain AP.
Although the ZyXEL AP supports all of the current completed standards (802.11a/b/g), the 5GHz and 2.4GHz bands cannot be used simultaneously. It can operate as an 802.11b/g AP or an 802.11a AP. It can also be set to do only wireless g and wireless b.
The ZyXEL AP supports both multiple Basic Service Set Identifiers (or BSSIDs) and virtual LAN (or VLAN) tagging. When in MBSSID mode, up to eight other separate BSSIDs can be broadcast and used simultaneously. This lets administrators better customize the network access for different groups with varying network privileges or for different types of wireless applications using its Quality-of-Service (QoS) settings. In fact, the AP comes with two predefined virtual BSSIDs; one for guests that has Layer 2 isolation and intra-BSS traffic blocking enabled to allow only Internet access and another SSID with QoS enabled to offer better VoIP connections. The use of VLAN tagging lets the administrator match the BSSIDs to the desired virtual LANs or Ethernet ports that may be elsewhere on the network.
The NWA-3160 doesn't stop short at its remote management capabilities; it supports telnet, SSH, FTP, Web and SNMP. The AP also supports Power-over-Ethernet (PoE), so running power wires to outlets isn't necessary; a PoE injector can be purchased and used to run the power for the AP through the network cable. The AP also features rouge AP detection, which logs any unauthorized APs operating within the coverage area. If an administrator specifies an e-mail server in the Log Settings section, rouge AP alerts, along with other types of alerts and logs, are e-mailed to the administrator. We'll discuss the AP's internal RADIUS server in a moment.
Installation and Configuration
We found the NWA-3160 to have a standard installation procedure; no problems there. The first time the AP's Web interface is accessed, the administrator is prompted about replacing the AP's default digital certificate (mainly used for its internal RADIUS server) with one it can create that is unique and tied to its MAC address.
Configuring the ZyXEL AP went smoothly for us; no surprises. We found a profile-based configuration scheme for the chief settings. Although this may be overwhelming for some newbies, it provides for better configuring in the long run. Each attribute category (security, RADIUS, layer-2 isolation and MAC filter) has its own set of configurable profiles where the appropriate settings are located. Then there are SSID profiles, where basic wireless settings are located, and the desired profiles for each attribute is applied.
Setting Up the Internal RADIUS Server
The NWA-3160 has an internal RADIUS server that helps provide the function required for implementing WPA/WPA2-Enterprise or WEP encryption with 802.1x authentication. A traditional RADIUS server can cost hundreds or thousands of dollars or require an expert to setup. However, the ZyXEL AP can be picked up for only $140.
Configuring the internal RADIUS server was painless. First, we marked the checkbox to enable the internal RADIUS server. Next, we inputted the IP addresses and created shared secrets for each AP and created usernames and passwords using the Web interface. Then, we created a self-signed digital certificate on the server, requiring just a click of a button. To prepare the wireless clients with the AP's self-signed certificate, we exported the certificate and ran a short and simple install wizard on all the computers.
Then, it was time to configure the APs (the wireless router and the NWA-3160 in the office) and computers (three desktops and a laptop) with the appropriate encryption and 802.1x authentication settings. After the 15-minute or so configuration, we successfully connected to the network through the WPA-Enterprise-enabled wireless router and NWA-3160 using the usernames and passwords we created.
In the end, we found this internal RADIUS server is great for small businesses or households that don't require a highly customized solution and require less than 130 user accounts for wireless access. Some administrators may purchase and use just one NWA-3160 for the sole purpose of the RADIUS server, while some may use this ZyXEL model for all the APs on the network, with one hosting its internal server.
If 802.11n (or Draft N) gear isn't desired, put the ZyXEL NWA-3160 at the top of your consideration list when choosing an AP for a wireless network or when searching for a RADIUS server for 802.1x authentication. Its RADIUS server function, wireless controller feature and managed AP capabilities surpasses the feature-set of even much higher priced APs.
Eric Geier is the Founder and President of Sky-Nets, Ltd., a Wi-Fi hotspot network. He is also the author of many networking and computing books, including Home Networking All-in-One Desk Reference for Dummies (Wiley 2008) and 100 Things You Need to Know about Microsoft Windows Vista (Que 2007).