Routers For Beginners

Posted on 10th February 2009, at 8:48pm

Networking was once something that only IT professionals and network engineers talked about. Today, networking is something that every computer user with an internet connection should know about to some degree. Most households have more than one computer, and this is often when a router is purchased. The reason is obvious: more computers need internet access. A router should really be purchased even if there is only one computer on your network. This is becoming the norm, as most ISPs will now sell you a modem that has a router built in. The benefits of using a router extend well beyond sharing an internet connection. Routers also make it easier to share files, share a printer, and, most importantly, increase your security in a quick and easy way.

As I mentioned above, routers are often overlooked for their benefits beyond connection sharing. All of your computers are now connected, so it’s a trivial matter to set up home network sharing in your operating system of choice. Network sharing can be used for backup, sharing a music or video library, and extra data storage. Printer sharing can also be done by either enabling it in your operating system or connecting your printer directly to the router (a feature that is available in higher-end consumer models). Finally comes security: by default all routers implement NAT (Network Address Translation). NAT in effect hides the computers on the network and makes your IP address look like a dumb box on the net. While this adds a significant layer of security to your network, it can also cause problems, which I’ll look at later on. The benefit of a router can be overwhelming to the point where the security of the network can be put in jeopardy.

Router security is the most important aspect of setting up the device and the most often overlooked. Linksys routers now come with configuration disks that guide you in configuring security options. In the early days of consumer routers, users were left to tend to their own security. This meant that a router would often sit with the same default password and access point name. Even with Linksys configuration disks it is still possible for this to happen. With this said, it’s imperative to either run the configuration wizard or set up your security manually. If you have no choice or are forced to do the latter, here are a few security-related points:

  • Router Password: This is very important. The router password is the lock that prevents a stranger from accessing your router and making changes that could be disastrous to your network. This password can most likely be set on the router’s setup page. This password should be a non-dictionary word and contain letters and numbers.
  • Wireless Encryption: If your router contains a wireless access point, then this is just as important as the above point. There are various wireless encryption protocols, the most common being WPA and WEP. Before I go any further: DO NOT USE WEP. WEP is broken and can be cracked in a matter of minutes. The only time you should use WEP is if a device you use does not support WPA (we will talk about how to safely do this later). With that said, any version of WPA will work. In order to set up either WPA or WEP, an encryption key is needed. Ideally this should be a strong password: greater than 20 characters in length, containing alphanumerics and symbols, and as random as possible. This sounds like it would be very cumbersome to use, as no one is going to remember 20-odd random characters. The best solution I find is to store the password on a USB thumb drive and hand it to any guests that want to access your network. If you want a good random passphrase generator, you can visit grc.com and store the result on your USB key. One final note: it is advisable to use the AES encryption scheme for the key if your router supports it. TKIP is crackable if the offender has a very powerful computer (on the order of a farm of PS3s).
  • UPnP (Universal Plug and Play): Universal Plug and Play is a protocol that allows devices and computer programs to connect easily to the internet. The sole purpose of this is to make adding new devices easy for the user. An example of this might be an Xbox 360 or a new refrigerator that can call to Amazon to make orders for your groceries. While this seems like a great idea, it truly is a double-edged sword. If someone were to write a malicious computer program, it would have the ability to open whatever ports it deemed necessary. With this being said, more security-conscious users may want to disable it. The only time it is advisable to disable UPnP is if you are willing to go hunt for ports that have to be manually opened. As a final word of warning, be careful with what applications are granted network access by the Windows Firewall or any other software firewall in service.
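
The three points above can be turned into a quick self-check. The following Python is an added example, not part of the original article: it generates a wireless key that meets the criteria in the Wireless Encryption point and audits a settings snapshot against all three points. The field names, the default-password list and the sample settings are assumptions made up for illustration.

```python
import secrets
import string

# Constructed sample of factory-default passwords (assumption; extend for your vendor).
DEFAULT_PASSWORDS = {"", "admin", "password", "1234", "linksys"}
SYMBOLS = "!#$%&()*+-./:;<=>?@[]^_{|}~"


def mixes(text, *tests):
    """True if every test matches at least one character of text."""
    return all(any(t(c) for c in text) for t in tests)


def generate_wireless_key(length=32):
    """Random key with letters, digits and symbols; WPA passphrases hold 8-63 characters."""
    if not 21 <= length <= 63:
        raise ValueError("use 21-63 characters: over 20 per the article, 63 is the WPA limit")
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:  # redraw until all three character classes are present
        key = "".join(secrets.choice(alphabet) for _ in range(length))
        if mixes(key, str.isalpha, str.isdigit, SYMBOLS.__contains__):
            return key


def audit_router(settings):
    """Check a settings dict (hypothetical field names) against the three points above."""
    findings = []
    password = settings.get("admin_password", "")
    if password.lower() in DEFAULT_PASSWORDS:
        findings.append("router password is a factory default")
    elif not mixes(password, str.isalpha, str.isdigit):
        findings.append("router password should contain letters and numbers")
    mode = settings.get("wireless_security", "NONE").upper()
    if mode in ("NONE", "WEP"):
        findings.append(f"wireless security is {mode}; switch to WPA")
    else:
        if settings.get("cipher", "").upper() != "AES":
            findings.append("WPA cipher is not AES")
        if len(settings.get("wireless_key", "")) <= 20:
            findings.append("wireless key is not longer than 20 characters")
    if settings.get("upnp_enabled"):
        findings.append("UPnP is on: any program can open ports without asking")
    return findings


# Constructed sample settings, not read from any real device.
WEAK = {"admin_password": "admin", "wireless_security": "WEP", "upnp_enabled": True}
HARDENED = {"admin_password": "t4ngle7wood9", "wireless_security": "WPA", "cipher": "AES",
            "wireless_key": generate_wireless_key(), "upnp_enabled": False}
```

Calling `audit_router(WEAK)` returns three findings, while `audit_router(HARDENED)` returns an empty list.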

As mentioned before, the very idea of NAT is what makes a network secure. This can also cause some problems with specialized services. Applications such as remote desktop, web servers, game servers, and some games can need specific ports open. These applications may not utilize UPnP, so we have to manually open the flood gates to allow the packets through. Port forwarding essentially listens for packets directed at your router’s public IP address, then forwards them to the IP address of the computer on your network that needs them, so outside sources don’t know that you specifically exist behind the router. Consumer routers typically allow for between 10 and 20 ports to be forwarded. This can be increased by applying a custom firmware such as DD-WRT, though this is not recommended for beginners. The other choice, which opens up the entire range of ports, is enabling DMZ (Demilitarized Zone) on a specific IP address. DMZ is not recommended for a computer; it is more suitable for a game console. I consider myself a sophisticated user and I only have 3 ports forwarded for our entire network of 4 computers, a Wii, and an Xbox 360. I use DMZ on the Wii and Xbox 360 while only opening ports on the computers where necessary.

Tip: If your router only has support for one DMZ host, simply forward all ports (1-65535) to the desired IP address.
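
To see why NAT hides computers, why a forwarded port exposes exactly one service, and why a DMZ host is far more exposed, here is a simplified model of the router's decision for each packet arriving from the internet. It is an added example, not part of the original article; the class, its method names and every address are assumptions, and real routers track more state than this.

```python
class Router:
    """Toy model of a consumer router's decision for packets arriving from the internet."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.nat_table = {}   # (public_port, remote) -> (lan_ip, lan_port)
        self.forwards = {}    # public_port -> (lan_ip, lan_port)
        self.dmz_host = None  # LAN IP that receives everything else, if set
        self.next_port = 50000

    def outbound(self, lan_ip, lan_port, remote):
        """A LAN computer connects out: remember the mapping, expose only the public IP."""
        public_port = self.next_port
        self.next_port += 1
        self.nat_table[(public_port, remote)] = (lan_ip, lan_port)
        return (self.public_ip, public_port)

    def inbound(self, remote, public_port):
        """Return the LAN (ip, port) that receives the packet, or None if it is dropped."""
        if (public_port, remote) in self.nat_table:   # reply to a connection we started
            return self.nat_table[(public_port, remote)]
        if public_port in self.forwards:              # manually forwarded port
            return self.forwards[public_port]
        if self.dmz_host:                             # DMZ host takes all remaining ports
            return (self.dmz_host, public_port)
        return None                                   # NAT alone: nobody asked for this


def demo():
    """Constructed addresses (documentation ranges); returns each packet's destination."""
    router = Router("203.0.113.10")
    router.forwards[3389] = ("192.168.1.20", 3389)    # remote desktop on one computer
    site, stranger = ("198.51.100.7", 443), ("198.51.100.99", 5555)
    source = router.outbound("192.168.1.21", 40001, site)
    seen = {"source": source,
            "reply": router.inbound(site, source[1]),
            "forwarded": router.inbound(stranger, 3389),
            "unsolicited": router.inbound(stranger, 8080)}
    router.dmz_host = "192.168.1.30"                  # e.g. a game console
    seen["dmz"] = router.inbound(stranger, 8080)
    return seen
```

In `demo()`, the same unsolicited packet to port 8080 is dropped before the DMZ host is set and delivered to 192.168.1.30 afterwards, which is the exposure the DMZ setting trades for convenience.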

This is considered to be the basics of basics in regards to networking and network security. There are many places we can go from here including:

  • Installing custom firmware on a Linksys WRT54G (or similar)
  • Adding a switch to increase the capacity of your wired network
  • Segmenting your network to create a “green zone” in which anything connected in that segment has no forwarding whatsoever
  • And finally, building your own router from an old forgotten computer

Send me a PM on the forums if you have any questions or if you want to suggest where you would like to see a possible networking series of articles go.