The magazine of the Melbourne PC User Group

Using Your Router To Keep Your System Safe
and having a little fun at the same time

Roger Brown
 
 

Following his popular article in October, Roger Brown presents for new ADSL users a guide to some of the security and other features of your new ADSL router

My last article explained the basics of what your router does and how it enables convenient, safe use of your ADSL connection. But that safety and convenience depend on an understanding of the various security and other features built into even a simple router like the default Netcomm NB1300 supplied with your Melb PC/Westnet connection.

This article will explain both how to keep your router fully secure and the purpose of some of the advanced features. The screen shots and examples are based on the NB1300 but the concepts are equally applicable to most other routers.

Keeping it Secure

As I explained last time, your router is a potentially very secure device which can't easily be hacked or infected. But that will be so only if the router is correctly and securely configured.

Critical matters include:

  • having passwords correctly set
  • ensuring that the Web interface and other potential 'backdoors' can't be seen from the Internet
  • strengthening the built-in "NAT" firewall as much as possible

Getting Started

To begin securing the router, first bring up the Web interface. In the URL bar of your browser, type http://192.168.1.1 (which is the Netcomm default). That should result in a page as shown in Figure 1.
 



Figure 1. The initial configuration page




Figure 2. Advanced Settings

Click on show Advanced Settings in the left margin to display a page like Figure 2.

If you have not already done so, click on Admin Password (left hand column under "Security") to change your Admin password from the Netcomm default, which is printed in the manual and is therefore no secret (see Figure 3).

Repeat the procedure for User Password. In each case click the Submit button when done, or your changes will be lost. If you don't remember passwords readily, record these somewhere safe, or you will be unable to get into your router's Web interface.

Next click on Misc Configuration. This brings up a more complicated page covering a number of different settings, which we will take in stages.



Figure 3. Password change



Figure 4 The Web interface

Figure 4 shows the first section, covering the Web interface by which all other settings can be changed. Obviously it is important to ensure that this interface cannot be seen from the Internet: anyone who could reach it would only need to guess the password to undo everything else in this article. Make sure the "HTTP server access" setting is configured as shown in Figure 4, restricted to LAN visibility only.

You might also consider switching the server port to something other than port 80. This gives a small security benefit (it hides the interface from casual scans, but it is no substitute for the LAN-only restriction above) and it frees port 80 should you wish to use it for your own Web server (discussed later in this article).

Note, however, should you do that, in future you would need to specify the port number when accessing the router Web interface.

For the settings shown in Figure 4, the Web interface URL would now be http://192.168.1.1:4400 (another detail to record somewhere if remembering such details is not your strongest point!).

Now let's turn to the next section of the Miscellaneous Configuration page as shown in Figure 5.

The FTP and TFTP server settings should generally be set to disabled unless you have a specific reason to do otherwise. These settings don't affect the use of FTP on your computer; they relate to internal servers built into the router which could be used in troubleshooting it. You can leave the FTP setting enabled but restricted to within your LAN, and that is what is shown in Figure 5 and in some later settings.

Normally DMZ (which I will explain in more detail later in this article) is set to disabled. But the special setting I have shown in Figure 5 will cause your router's NAT firewall to operate in full stealth mode. For an explanation of stealth mode see my last article. (Thanks to Dennis Parsons for this suggestion.)



Figure 5 FTP and DMZ



Figure 6. The remaining "Miscellaneous Configuration" settings

Remaining Settings

Now for the remaining settings on this page as shown in Figure 6.

PPP Half Bridge mode is a special mode for use when only one computer is connected to your router. It connects that computer directly to the Internet in almost the same manner as the "Modem only" setup described in my earlier article. As this means the router no longer acts as a firewall, its use is not recommended.
 
IGMP (Internet Group Management Protocol) is used for IP multicast, something you are highly unlikely to require on a home connection, so it should be disabled.

Once you have completed all changes to this page click Submit to save your changes.

Now return to the left column, find and click on Port Forwarding (under "Administration") to display a page similar to Figure 7.

Netcomm users - you must ensure that your port forwarding page shows entries exactly as displayed in items 1-6 in Figure 7, for ports 21 (FTP), 23 (Telnet), 254 and 161 (SNMP). These entries are security fix entries recommended by Netcomm which have the effect of completely stealthing four otherwise vulnerable ports.

Users of other routers may require similar entries but check with your documentation or your manufacturer's Web site.
 
If necessary, make the required entries by entering the details in the form at the foot of the page and pressing the Add This Setting button. Each entry is made individually. Ignore the last two entries shown in Figure 7 (for ports 80 and 25); the purpose of these will be covered later in this article.



Figure 7. Port Forwarding



Figure 8. A successful grc.com test

That's all for the security settings. Reboot your router by clicking Save Settings and Reboot at the foot of the left column. All that remains is to test the new settings.

Go to http://grc.com and follow the Shields Up links. Do the "Common Ports" test, which will provide an initial assessment of the security of your router settings. You should get a Pass result with all ports shown as in Figure 8: full stealth mode. Note that the test probes whatever answers at the public address your browser arrives from, so run it from a PC behind the router. Any port you later deliberately forward to a server (such as 80 or 25) will of course show as open in this test; that is the forward working, not a fault.
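For readers who would like to repeat the check themselves, here is an added example (not part of the original article, and not the GRC test itself) that does a simplified version of what Shields Up does: it sends a TCP connection attempt to each port and reports whether the port answered with a connection (open), answered with a reset (closed) or did not answer at all (stealth). The list of "common" ports is my own approximation of the well-known services and not GRC's exact list. Run against 127.0.0.1 it only shows what your own PC exposes to itself; to see what the router presents to the world you must run it from a host outside your LAN against your public address, which is exactly the service grc.com provides.

```python
"""Local stand-in for the Shields Up "Common Ports" check.

Added example: a port is "open" when the three-way handshake completes,
"closed" when the target answers with a reset, and "stealth" when no reply
of any kind comes back. Only the last means the router silently dropped the
packet, which is what the port forwarding and DMZ settings aim for.
"""
import socket
from typing import Dict, Iterable, Tuple

# Approximation of the well-known ports a public scanner looks at.
# This set is an assumption, not GRC's exact list.
COMMON_PORTS = {
    21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP", 53: "DNS", 80: "HTTP",
    110: "POP3", 135: "RPC", 139: "NetBIOS", 143: "IMAP", 161: "SNMP",
    443: "HTTPS", 445: "SMB", 1433: "MS-SQL", 3389: "RDP",
}


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify one TCP port on host as open, closed, stealth or unreachable."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"             # SYN-ACK received, handshake completed
        except socket.timeout:
            return "stealth"          # neither SYN-ACK nor RST: packet dropped
        except ConnectionRefusedError:
            return "closed"           # RST received: host is visible, port shut
        except OSError:
            return "unreachable"      # ICMP unreachable, no route, etc.


def scan(host: str, ports: Iterable[int] = COMMON_PORTS,
         timeout: float = 2.0) -> Dict[int, str]:
    """Probe every port in `ports` and return {port: state}."""
    return {p: probe_tcp(host, p, timeout) for p in ports}


def is_full_stealth(results: Dict[int, str], allowed_open: Iterable[int] = ()) -> bool:
    """True when every probed port is stealth, apart from ports you forward on purpose."""
    allowed = set(allowed_open)
    return all(state == "stealth" or (port in allowed and state == "open")
               for port, state in results.items())


def local_self_test() -> Tuple[str, str]:
    """Demonstrate the open/closed distinction offline: open a listener on an
    ephemeral loopback port, probe it, close it, probe again."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        port = listener.getsockname()[1]
        while_listening = probe_tcp("127.0.0.1", port, 1.0)
    after_close = probe_tcp("127.0.0.1", port, 1.0)
    return while_listening, after_close   # expected ("open", "closed")


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = scan(target)
    for port, state in sorted(results.items()):
        print(f"{port:5d}  {COMMON_PORTS[port]:8s}  {state}")
    print("full stealth:", is_full_stealth(results))
```

A "closed" result is not a failure of the firewall in the usual sense, but it does tell the scanner that a machine exists at that address, which is why the article aims for stealth rather than merely closed.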

Port Forwarding - Why Is It Needed?

In my earlier article I explained that when your PC is connected via a router it does not have direct Internet access. Instead it uses the router as an Internet gateway: the router fetches whatever Internet data the PC requires. The PC is not visible from the Internet and is therefore shielded from intrusion.

However, there are some cases where a PC may be running software which needs to be visible from the Internet and to accept inward connections. Software of this type (server software) will not work under the router settings so far described.

Examples of commonly run server software are:

  • ADSL users often wish to host their own web site using server software such as Apache (runs under Windows and Linux).
    Although Melb PC/Westnet users have Web space available from both Melb PC and Westnet, self hosting allows the use of server facilities not available with ISP hosting - such as the use of PHP, MySQL and Perl. Developing such facilities can be most instructive as well as enjoyable - see my self hosted site at http://rogerbrown.no-ip.org for examples of database lookup and search facilities which could not have been achieved using ISP hosting.

  • Users of file sharing programs such as Kazaa or BitTorrent generally need their computers to be visible from the Internet so that proper file sharing can take place. Similarly gaming programs commonly require inward connections, often with several ports needing to be opened.

  • Users may even wish to experiment with sending and receiving mail direct, though if you do this, beware: you need a thorough understanding of all security aspects first (a mail server that relays for anyone will quickly be found and abused by spammers). But again, this can be an interesting and instructive exercise and can provide a level of accountability not available when mail is simply handed off to an ISP.

To enable these server programs to run, the router needs to be instructed that traffic on the relevant port or ports should be directed through to the appropriate PC rather than dropped, as would otherwise occur. That's exactly the purpose of the port forwarding facility.

The last two items of Figure 7 show how port forwards are entered; they allow my Web server (port 80) and mail server (port 25) to operate correctly. The first six security fix entries are dummy port forwards: they block (and 'stealth') vulnerable ports by forwarding any traffic to a non-existent LAN IP address, so the traffic goes nowhere and no reply of any kind is ever sent.

If you are considering running server software requiring port forwards, keep the following in mind:
  1. Westnet ADSL has no restrictions on running server software (other than you are required to follow normal security practices) but some ISPs do. Check your ISP's acceptable use policy first.

  2. Any port forward reduces your overall security. Forward only the ports the server actually needs, and only to the PC running it. Make sure you have a properly configured firewall on any PC running server software, and regularly check for updates or security fixes for the server software.

DMZ (Demilitarized Zone)
The term DMZ has come to mean something rather different in home networking from its original use in commercial networking, where it referred to a separate, neutral network segment which stood between a trusted (and sensitive) internal network and an untrusted (and dangerous) network such as the Internet. The servers placed in the DMZ act as a kind of buffer, handling as much of the inward and potentially untrustworthy traffic as possible, so that a break-in to one of them does not give direct access to the internal network.
 
In routers such as the NB1300 that are designed for home networking, the DMZ setting causes all inward traffic that has not been dealt with by a port forwarding rule to be directed to a specific network computer. That computer is therefore effectively fully opened to the Internet, as if it were directly connected.

Generally DMZ is used for applications that need to open a large number of ports, possibly chosen at random. Such applications may be difficult or impossible to run using conventional port forwards but can readily be run if a computer is fully opened to the Internet using DMZ.

As the use of this facility very seriously weakens security, the following must be stressed:
  • Any computer opened by DMZ must be fully firewall protected

  • DMZ should be seen as an absolute last resort - if at all possible normal port forwards should be used. The NB1300 is not especially suitable for instances where ranges of ports need to be opened. If this becomes an issue, purchase a different router rather than using DMZ.

  • Ideally DMZ should be disabled when not actually being used.

Readers may now understand the reason for the suggested DMZ entry shown in Figure 5. Here DMZ traffic is being directed to a non-existent IP and will be effectively ignored (stealthed). Make sure the address you choose really is unused on your LAN, and stays that way: if a PC is later given that address, by DHCP or by hand, it will silently find itself fully exposed to the Internet. With the NB1300 and other similar entry level routers I strongly recommend that DMZ be used for this purpose and no other.
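To make the interplay between the dummy port forwards (items 1-6 of Figure 7) and the DMZ-to-nowhere entry of Figure 5 concrete, here is an added example, not from the article or from Netcomm, that models the order in which a home router of this kind disposes of an unsolicited packet arriving from the Internet: an explicit port forward wins, then the DMZ host catches whatever is left, then the router answers for its own services, and anything else is dropped by NAT. The addresses, the unused address 192.168.1.250 (Figure 5 shows the author's own choice), and the assumption that the stock router answers on 21, 23, 254 and 161 from the WAN side are all assumptions chosen to match the text. The model shows three things the prose states separately: why the four fix ports go stealth, why the DMZ trick stealths everything that is not forwarded, and why pointing DMZ at a real PC (or letting a PC acquire the "unused" address) exposes it.

```python
"""Model of how a home router such as the NB1300 disposes of an unsolicited
inbound TCP SYN, as an added example; addresses and the set of ports the
stock router answers on are assumptions matching the article's text."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set

# LAN address that no real host uses (assumed; Figure 5 shows the author's own).
NOWHERE = "192.168.1.250"
# The four ports covered by Netcomm's recommended "security fix" forwards.
NETCOMM_FIX_PORTS = (21, 23, 254, 161)


@dataclass
class Router:
    wan_services: Set[int] = field(default_factory=set)      # router answers here itself
    forwards: Dict[int, str] = field(default_factory=dict)   # port -> LAN address
    dmz_host: Optional[str] = None                           # catch-all LAN address
    lan_hosts: Dict[str, Set[int]] = field(default_factory=dict)  # real PCs and listeners

    def _deliver(self, ip: str, port: int) -> str:
        """What happens once the packet is handed to a LAN address."""
        if ip not in self.lan_hosts:
            return "stealth"        # nobody there: no SYN-ACK, no RST, silence
        return "open" if port in self.lan_hosts[ip] else "closed"  # RST if no listener

    def dispatch(self, port: int) -> str:
        """Fate of an unsolicited SYN for `port`: 'open', 'closed' or 'stealth'."""
        if port in self.forwards:            # 1. explicit port forward wins
            return self._deliver(self.forwards[port], port)
        if self.dmz_host is not None:        # 2. DMZ host takes everything else
            return self._deliver(self.dmz_host, port)
        if port in self.wan_services:        # 3. router's own service answers
            return "open"
        return "stealth"                     # 4. no NAT mapping: dropped silently

    def visible_ports(self, ports: Iterable[int]) -> Dict[int, str]:
        """Ports a scanner would see as anything other than stealth."""
        seen = {p: self.dispatch(p) for p in ports}
        return {p: s for p, s in seen.items() if s != "stealth"}


def factory_nb1300(lan_hosts: Dict[str, Set[int]]) -> Router:
    """As shipped (assumed): answers on the four fix ports, no forwards, no DMZ."""
    return Router(wan_services=set(NETCOMM_FIX_PORTS), lan_hosts=lan_hosts)


def hardened_nb1300(lan_hosts: Dict[str, Set[int]],
                    real_forwards: Optional[Dict[int, str]] = None) -> Router:
    """As the article recommends: dummy forwards for the fix ports, DMZ pointed
    at the unused address, plus any genuine server forwards on top."""
    forwards = {p: NOWHERE for p in NETCOMM_FIX_PORTS}
    forwards.update(real_forwards or {})
    return Router(wan_services=set(NETCOMM_FIX_PORTS), forwards=forwards,
                  dmz_host=NOWHERE, lan_hosts=lan_hosts)


if __name__ == "__main__":
    lan = {"192.168.1.2": {80, 25}}        # the PC running the Web and mail servers
    probe = (21, 23, 25, 80, 139, 161, 254, 1234)
    print("factory  :", factory_nb1300(lan).visible_ports(probe))
    print("hardened :", hardened_nb1300(lan, {80: "192.168.1.2", 25: "192.168.1.2"}).visible_ports(probe))
    dmz_to_pc = Router(wan_services=set(NETCOMM_FIX_PORTS), dmz_host="192.168.1.2", lan_hosts=lan)
    print("DMZ to PC:", dmz_to_pc.visible_ports(probe))
    # a PC that later acquires the "unused" address inherits every dummy forward
    print("PC at NOWHERE:", hardened_nb1300({NOWHERE: {139}}).visible_ports(probe))
```

The last line of the demonstration is the case the warning above is about: once a real host sits at the address the dummy forwards and DMZ point to, the router delivers the traffic to it and the "stealth" disappears.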

For further information on this topic see http://www.homenethelp.com/web/explain/port-forwarding-dmz.asp.

Summing Up

Understanding the security aspects of your router is important - get the settings right and you have excellent protection against many current threats, irrespective of your operating system.

Understanding how port forwarding can enable the safe use of server software can add lots of enjoyment to the use of your ADSL or other broadband connection.

Have fun!

Reprinted from the December 2004 issue of PC Update, the magazine of Melbourne PC User Group, Australia
