Hands on: Lock down your router

I’m always being asked questions about network security, so I've decided to address some of the things you should and shouldn’t do to keep your network secure.

In particular, I’ll be looking at how you can lock down your network router, for which I’ll be using a Netgear DG834G and a Belkin N1 wireless router as examples, although the principles are the same, regardless of the hardware involved.

Where’s the firewall?
A firewall is an absolute must on any internet-connected PC and Windows XP comes with a pretty good desktop implementation as standard. But is a desktop firewall necessary when a router with a built-in firewall is used to connect to the internet? Strictly speaking, the answer ought to be no. You don’t need multiple firewalls all trying to do the same thing, but there are a couple of caveats.

The first is the need to be able to trust the software involved. Firewalls are complex applications and if you pay peanuts for a no-name or ancient second-hand router, the firewall it provides may not be all you would hope for. I would recommend, in those circumstances, to err on the side of caution and enable a desktop firewall as well.

On the positive side, most modern products, with their stateful packet inspection (SPI) firewalls, should be ok – but the firewall does need to be turned on to be effective. That may sound obvious, but I’ve received routers straight from the factory with the built-in firewall disabled. Even where the basic firewall has been turned on, other security measures, such as protection against Denial of Service (DoS) attacks, will often be left to the customer to enable.

You also need to think about how each PC on the network will be used. For example, you might have a notebook which you take out and about, possibly connecting to the internet at wireless hot spots, in which case additional desktop protection will definitely be required.

Furthermore, if you need to set up firewall rules to allow gaming, peer-to-peer file sharing and other traffic to particular PCs, you may want the added protection of a desktop firewall on those that are not used for such purposes.

Lastly, don’t run away with the idea that a firewall is all you need. Unless you’ve splashed out on a full-blown Unified Threat Management (UTM) appliance, your firewall will only block traffic based on its port number and, hopefully, identify and block common DoS and other attacks. Additional desktop and possibly server software will therefore be needed to screen out viruses, spam, spyware and other potential threats.