We cover your cyber assets.
Founded in 1995.
About |Services |Alerts |News |Tips |Links |Contact |Home

How to get the most out of your DSL Router/Firewall

The Internet is a dangerous place these days, with identity-theft scams and networks of compromised "zombie" machines among the dangers. The average time before an unprotected computer placed on the Internet is discovered, compromised and exploited is about 20 minutes. The first line of defense against these dangers is the network firewall, which comes in two forms:

  • software firewalls -- software running on the computer it is meant to protect, and
  • hardware firewalls -- a separate device that can protect an entire network placed behind it.

This note is about hardware firewalls, specifically the ones built into the very popular all-in-one DSL router/firewall devices. Some models include a built-in wireless access point and a 4 to 6 port network hub/switch.

The firewall function in these routers is rudimentary; it is not a suitable firewall for protecting a corporate network or a sensitive home network. These devices are popular nonetheless because they cost well under $100, whereas industrial-strength firewalls cost $700 and more. Even though these firewalls are very basic and a skilled attacker has several ways to defeat them, there are things you can do to improve the protection they provide.

Here are some things that you can do in order to enhance their security:

  • Never use remote administration. This feature allows someone outside your network to administer your firewall over the Internet, which means the administrative interface itself is reachable by every attacker on the Internet. The connection is protected only by the administrative password, and password protection can be defeated, so keep it disabled.

  • Always change the administrative password from the factory default. The default passwords for most models are printed in the manuals and widely known, and they are the first thing an attacker tries. Use a password for this purpose that you do not use anywhere else.

  • Never use DHCP from the router. Running the DHCP server on your firewall makes you vulnerable to a denial-of-service (DoS) attack: an attacker who can crash the DHCP service can crash your firewall and take your entire LAN offline, even without gaining access to your internal network. It also hands an intruder who has compromised the firewall easy control over the internal network, since the DHCP server decides which address, gateway and DNS servers every machine on the LAN uses.

  • Do not use the default internal network address range. Linksys routers, for example, default to 192.168.1.0/24: hosts 192.168.1.1 to 192.168.1.254, with .1 assigned to the router itself, .0 being the network address and .255 the broadcast address. Many attacks take advantage of the fact that this default is known and was probably never changed, for instance a malicious web page that makes your browser send requests to 192.168.1.1. The Internet standards (RFC 1918) reserve three ranges for private internal use; they will never be assigned to any public server: 10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 192.168.255.255. Pick a less obvious block from one of these (for example 10.37.41.0/24 or 192.168.213.0/24). If, as these routers do, you use a /24 subnet, a last octet of 0 is the network address and 255 is the broadcast, so hosts use 1 to 254; for other subnet sizes the network and broadcast addresses differ.

  • If you do any administration on the firewall, when you are finished FLUSH YOUR CACHE AND EXIT YOUR BROWSER BEFORE going out to the Internet to do any normal browsing. The browser remembers the credentials from your session with the router's web interface, and a malicious web page you visit later can make your browser send requests to the router that ride on those remembered credentials, reconfiguring it without your knowledge. Exiting the browser discards the session.

  • Regularly review your firewall logs by logging into the firewall and clicking the "View Logs" button in the Log section. Better yet, configure the device to send its logs to one of your internal machines that you use frequently: the router's own log buffer is small and is lost when it restarts, and logs on a machine you sit at actually get read. For some routers, such as the Linksys, this requires installing special software, which Linksys provides, on the internal machine. When reading the logs, look for repeated blocked connection attempts from one address (a scan), any connection from the Internet to the router's own administrative port, and packets arriving on the Internet side with a private source address, which can only be forged.
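As an added example (not part of the original page and not Linksys software), the following Python script reviews router log lines for the conditions raised in the last two items: scans against your address, accepted connections from the Internet to the router's administration port (a sign remote administration is on), and packets arriving on the Internet side with a source address from one of the RFC 1918 private ranges listed in the address-range item. The log line format, the interface names wan and lan, the administration ports, the scan threshold and the sample log lines are all assumptions constructed for this example; real routers have their own log formats, so the regular expression must be adapted.

```python
# Added example, not code from the original page or from any router vendor.
# Reviews constructed router log lines for the conditions the article's
# log-review and address-range items tell you to watch for.
import ipaddress
import re
from collections import defaultdict

# RFC 1918 private ranges, as listed in the article. Checked explicitly rather
# than with ipaddress's is_private, which also matches documentation ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

ADMIN_PORTS = {80, 443, 8080}  # assumed ports of the router's own web interface
SCAN_THRESHOLD = 5             # distinct dropped ports from one source = a scan

# Assumed log format (netfilter-style key=value fields); adapt to your router.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ (?P<action>ACCEPT|DROP) IN=(?P<iface>\w+) "
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)$"
)

# Constructed sample log. Public addresses are from the RFC 5737 documentation
# ranges; 198.51.100.7 plays the router's Internet-side address.
SAMPLE_LOG = """
Mar 12 03:14:02 router DROP IN=wan SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP DPT=135
Mar 12 03:14:02 router DROP IN=wan SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP DPT=139
Mar 12 03:14:03 router DROP IN=wan SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP DPT=445
Mar 12 03:14:03 router DROP IN=wan SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP DPT=1433
Mar 12 03:14:04 router DROP IN=wan SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP DPT=3389
Mar 12 03:15:10 router DROP IN=wan SRC=192.0.2.8 DST=198.51.100.7 PROTO=UDP DPT=1434
Mar 12 03:20:41 router ACCEPT IN=wan SRC=192.0.2.99 DST=198.51.100.7 PROTO=TCP DPT=8080
Mar 12 03:21:05 router DROP IN=wan SRC=10.0.0.5 DST=198.51.100.7 PROTO=TCP DPT=80
Mar 12 03:25:00 router ACCEPT IN=lan SRC=172.20.0.10 DST=172.20.0.1 PROTO=TCP DPT=80
this line is deliberately malformed to exercise the unparsed counter
"""


def is_rfc1918(ip):
    """True if ip lies in 10/8, 172.16/12 or 192.168/16."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def subnet_addresses(cidr):
    """Return (network, first usable host, broadcast) for any prefix length.

    The article's rule that .0 is the network and .255 the broadcast only
    holds for a /24; ipaddress computes the right answer for other sizes.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return (str(net.network_address), str(net.network_address + 1),
            str(net.broadcast_address))


def parse(log_text):
    """Parse log lines into dicts; count lines that do not match the format."""
    events, unparsed = [], 0
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        ev = m.groupdict()
        ev["dpt"] = int(ev["dpt"])
        events.append(ev)
    return events, unparsed


def review(log_text):
    """Summarise Internet-side (wan) events into the findings worth reading."""
    events, unparsed = parse(log_text)
    dropped_ports = defaultdict(set)
    wan_admin_accepted, spoofed = [], []
    for ev in events:
        if ev["iface"] != "wan":
            continue  # LAN-side traffic is outside the article's checks
        if is_rfc1918(ev["src"]):
            spoofed.append(ev["src"])  # private source cannot come from the Internet
        if ev["action"] == "DROP":
            dropped_ports[ev["src"]].add(ev["dpt"])
        elif ev["dpt"] in ADMIN_PORTS:
            wan_admin_accepted.append(ev["src"])  # remote administration is reachable
    scans = {src: sorted(p) for src, p in dropped_ports.items() if len(p) >= SCAN_THRESHOLD}
    return {"scans": scans, "wan_admin_accepted": wan_admin_accepted,
            "spoofed_private_sources": spoofed, "unparsed": unparsed}


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample above the script reports one scanning source (203.0.113.45, five ports), one accepted connection from the Internet to port 8080 (remote administration is enabled and was used from 192.0.2.99), one forged private source (10.0.0.5 on the Internet side) and one line it could not parse; the single dropped probe from 192.0.2.8 is ordinary background noise and is not reported.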

A note about the DMZ/game port. These routers frequently have a special LAN port, known variously as a DMZ or game port. When it is configured in its special mode, whatever is plugged into it is treated as directly connected to the Internet, with the firewall functions off for that port even though the firewall is enabled for the rest of the LAN. The motivation for this option is the belief that Internet games cannot be played from behind a firewall. That is not actually true, but most Internet games have complicated port requirements that these simple firewalls cannot express. If you are not doing Internet gaming, make sure this port is configured as a normal port; if you are, remember that the machine on it gets no protection from the router at all and must rely on its own software firewall.

There are no absolutes when it comes to Internet security, but by taking the steps outlined above you will have 'raised the bar' to make it harder for an intruder to gain access to your home network.

© Copyright 2001-2004 Taygeta, All rights reserved
1340 Munras Ave, Suite 314, Monterey CA 93940, voice 831.641.0645, FAX 831.641.0647