Router Security: Introduction to Routers
Website by Michael Horowitz

What is a router?

When the Internet first became popular, computers dialed the telephone to get online. The introduction of faster Internet access (a.k.a. broadband) changed more than just the speed. While DSL still relied on a phone line, it required a dedicated device, known as a modem, in your home/office. The modem connected to the phone line on one end and a computer on the other. Likewise, cable Internet access also requires a modem, one that plugs into a coaxial cable. Modems make Internet access fast enough that it can be shared among multiple computers.

A router does that sharing. A router plugs into a modem (and thus the Internet) on one end, and into all your computers on the other end. More specifically, a router talks to any and all computing devices (tablet, smartphone, desktop computer, laptop, Chromebook, thermostat, Apple TV, Roku) through either a wired connection (via Ethernet cables) or wirelessly (via Wi-Fi). The router is the source of the Wi-Fi network. Higher end routers can create multiple Wi-Fi networks, such as a private one and one for Guests. The router handles, or routes, the many concurrent connections that your computing devices have with the Internet. The modem just connects you with your Internet Service Provider (ISP).

In the beginning, routers were separate devices from modems, but over time, as everyone needed one of each, the functions were combined into a single box. This single device is often called a gateway, but I have also seen it referred to as a "Modem Router". From a Defensive Computing standpoint, you are better off with separate devices for a number of reasons. For one, having two devices lets you update either one without impacting the other. It also lets you choose the best of breed for each device. Buying your own modem and/or router is likely to save you money in the long run, and it also lets you choose a more up-to-date device and a more secure one.

The first step in transitioning from a single gateway device to a separate modem and router is to connect a router to the gateway. This requires asking the ISP (it may or may not be possible for you to do this on your own) to dumb down the gateway. That is, they should be able to convert the smart gateway device into a dumb modem. The term often used for this is "bridge mode". Thus, when you add your own router, you should also ask your ISP to convert the gateway device to run in bridge mode. For instructions, see the Router Resources page.

That said, things get more complicated when the ISP is also providing VOIP telephone service from their gateway, and I am no expert on the options in this case.

Consumer Reports also has an introduction to routers. See their Wireless router buying guide. As of Oct. 2015, it was last updated December 2014. Also worth reading: HTG Explains: Understanding Routers, Switches, and Network Hardware by Jason Fitzpatrick, July 2014.

About the router hardware

A router is roughly the size of a paperback book. It may or may not have WiFi antennas. Routers without visible antennas have internal ones. There are routers with one, two, three and four external antennas. Some routers announced at CES in January 2015 have six or eight antennas. On some routers, the antennas are removable, on others they are not.

Wireless WiFi networks can use two different ranges of frequencies, referred to as "bands". The older frequency band is 2.4GHz, the newer one is 5GHz. Old or low end routers can only transmit in the 2.4GHz band. Many current routers transmit in both frequency bands at the same time, a condition known as dual band. A few routers (such as the Pepwave Surf SOHO) can transmit in both 2.4GHz and 5GHz, but only one band at a time. High end routers support two separate 5GHz radios along with 2.4GHz. The term for this is Tri-Band, as in three concurrent frequency bands.

Of the two frequency bands the 2.4GHz band is much more crowded and thus prone to interference. However, a 2.4GHz signal goes through walls better so it has a longer range.

Each wireless network is given a name, often referred to as an SSID.

There are different flavors of WiFi. The oldest flavors were a and b. No one uses them any more. Then came G which is now the bottom of the line. After G came N which is now middle class. The latest and greatest is AC. WiFi G only works in the 2.4GHz band. WiFi N works in either frequency band. WiFi AC only works in the 5GHz band.

A consumer router, such as the D-Link DIR-830L is marketed as an AC1200 class router. The AC refers to the type of WiFi it supports. The number after that has a technical and mostly irrelevant meaning, but the higher the better. At least up to a point. Likewise the Netgear WNDR4500 router is sold as an N900 thingy. It does WiFi N. Tim Higgins delved into the techie details of router speed numbers in February 2015 and January 2014 (for nerds only).

WiFi flavors are backward compatible, so you really can't go wrong here. A router offering WiFi type N will talk to older G devices. A router offering WiFi type AC will talk to devices that are only capable of N and/or G. But, to get the fastest speeds from a router offering the AC flavor of WiFi, the computing devices have to also support the AC flavor of WiFi. Turning things around, a computing device capable of WiFi AC will also be able to talk WiFi N to a router that only supports N.

Routers vary in the number of wireless networks they create.

  1. There are private and guest networks. Guest networks are a great security feature, they can use a different password and be isolated from the private network. They can also be disabled when not needed.
  2. The number of networks varies. A dual band router will, at the least, create one wireless network on each frequency band. They may also offer a guest network on each frequency band, for a total of 4 networks. I have seen dual band Asus routers that can create six guest networks, for a grand total of 8 wireless networks coming out of one router.
  3. The names vary. While most routers let you choose any name you want for guest networks, I have seen a Linksys router that forced you to use the name Linksys prefers. Also, most routers let you give each network its own unique name, but a few routers force the private networks on each frequency band to use the same name. There are pros and cons to this, but it is not a security issue.

Wired computer networks use a technology called Ethernet. The wires are referred to as Ethernet cables and the jacks they plug into are called Ethernet ports. There are two popular speeds for Ethernet: Gigabit and Fast. Fast Ethernet is the slower option, running at 100 Mbps (megabits per second). Gigabit Ethernet is ten times faster (1,000 Mbps). For most people, most of the time, the 100 Mbps speed of Fast Ethernet is fast enough. Pretty much all routers manufactured in the last few years come with gigabit speed Ethernet.

There are typically five Ethernet ports on a router. Four are LAN ports -- LAN means Local Area Network. In English, LAN refers to the network in the same location as the router. If the router is in your home, the LAN refers to the network in your home. The other Ethernet port is the WAN port. WAN means Internet, although it stands for Wide Area Network. If you have a separate modem and router, the (one and only) Ethernet port from the modem is connected to the WAN port on the router.

The LAN ports are normally numbered 1 through 4 and they are all the same. That is, it makes no difference which LAN port anything is plugged into. There may be an exception to this rule, if you use QoS (Quality of Service) to give one port a higher priority than the others. But that's not a security issue. The Netgear R8500 has six LAN ports. The Google OnHub routers have only one. The Asus RT-AC88U has eight.

If all your computing devices are wireless, then the LAN ports go unused. If you have 5 or more Ethernet devices, then you can buy a switch with multiple Ethernet ports. One of those plugs into a LAN port, the others are for your overflow Ethernet devices.

Most routers do not have an on/off switch. Many of those that do position it such that it's just as easy to pull the electric plug as it is to hit the button. Almost all have lots of pretty blinking lights, but the number of lights and what they indicate vary greatly. Some routers let you disable the blinking lights.

As a rule, routers do not have microphones or speakers. One exception is the Starry Station router which has both. The Google OnHub routers have speakers, but no microphones.

Speaking of the Starry Station router, it is, as far as I know, unique in other ways too. It is the only router I know of that runs Android. It is also the only router that has a fan for cooling.

The price for consumer routers varied from roughly $30 to $300, until late 2015 when we started to see some priced over $300. The Starry Station router was the most expensive, at $350 as of early May 2016. Then the Linksys EA9500 was released in late May 2016 at $400 (it's tri-band, 5.3Gbps MU-MIMO). The Netgear Nighthawk X10, a single router, was released in October 2016 for $500. The Eero mesh network system of three devices was released in early 2016 for $500 and remains (as of Oct. 2016) the most expensive mesh routing system. The price for business class routers can be much higher, but they typically start at around $200.

Input to a router

If you are reading this page, your router will have a single Ethernet WAN port. Higher end routers have multiple WAN ports, which allow them to be connected to two different ISPs. For example, one WAN port could be plugged into a cable modem and another into a DSL modem. This is for locations where Internet access is very important. The devices connected to the router remain on-line even if one ISP fails.

Not all multi-WAN routers are the same. For example, there are smart and dumb models. The dumb ones use ISP1 all the time, until it fails, and then switch over to ISP2. Smart multi-WAN routers use both ISP1 and ISP2 all the time and balance the load/traffic between them. The smart ones can also tolerate the failure of a single ISP without anything connected to the router being aware of the problem. Also, some have more than two WAN ports. The Peplink Balance line of routers all have multiple WAN ports with high end models featuring 12 or 13.

There are also three different ways to feed the Internet into a router.

  1. The most popular is Ethernet. Whether an ISP uses cable, DSL, satellite or fiber, its modem should be able to feed into any router via Ethernet.
  2. Some routers, such as models by Peplink and Cradlepoint, can be fed by a 3G/4G/LTE modem plugged into a USB port.
  3. Finally, Peplink routers (and probably some others) also support Wi-Fi as input. That is, if you are in a hotel that only offers Wi-Fi, you can feed that Wi-Fi into a Peplink router, which then produces both Ethernet LAN as output and Wi-Fi as output. I have used this at home when my cable Internet failed. A smartphone took in the LTE Internet access and created a hotspot as output. The Wi-Fi out from the phone was then fed into a Peplink/Pepwave Surf SOHO router. It worked great. All the devices that normally connect to the router via both Ethernet and WiFi continued to work without change. Way cool :-)

And, if you were wondering, these two features can be combined. That is, a multi-WAN router can have one input via Ethernet and another via a 3G/4G/LTE modem.

Talking to a router

There are MANY ways to talk to a router; it is, after all, a computer.

The communication medium can be wired Ethernet, wireless WiFi, and/or Bluetooth. Some high end models have a serial console port.

In the old days, we used desktop software to talk to a router, then most of the industry migrated to a web interface. Apple still uses software, their AirPort utility. Netgear's Genie software still comes in flavors for Windows and OS X. Linksys still offers Linksys Connect software that runs on Windows and OS X.

The most common way to interact with a router is via its web interface. That is, we communicate with a website that exists inside the router. Mostly this is done via the router's internal IP address. That is, you make a request such as

       http://192.168.1.1
from any web browser. If you don't know the internal IP address of your router, see my blog Find the IP address of your home router. Some routers also respond to pre-configured names. According to RouterCheck.com using a name rather than a numeric IP address is a security weakness. For more on the security issue, see the checklist page.

Apple routers can only be configured from an Apple device (iOS or OS X) running the Apple AirPort utility. Apple was the only company making routers without a web interface, but in September 2015, Google introduced their first router (OnHub) and it too had no web interface, relying solely on a smartphone app for configuration. Since then others, such as Luma, have followed suit.

In the old days Apple supported SNMP, but no more. Technically, Apple does support Windows, in that there is an edition of the AirPort utility that runs on Windows, but it has not been updated for a very long time.

After the web interface came the cloud. Hardware manufacturers created websites that could talk to and control your router. You need to register with the manufacturer website and get a userid/password. Then, you can talk to your router from anywhere in the world. The cloud service for Peplink is called InControl2. Cisco called theirs Connect Cloud back when they owned Linksys. D-Link calls theirs mydlink cloud services and some of their routers are marketed as "Cloud Routers". Ruckus calls theirs CloudManager, eWON calls theirs Talk2M. According to this article, the only way to configure a Meraki router is via the cloud.

I am not a fan of this method. As I see it, it requires me to trust every employee of the router manufacturer. I am not that trusting. And, with Dynamic DNS (DDNS) it has always been possible to communicate with a router from anywhere.

Some routers have a touch screen interface. Amped Wireless was, I believe, the first to market with this. Their TAP-R2, TAP-R3 and Securifi Almond+ all feature touch screens. So too do the Starry Station router and the Ubiquiti Amplifi series.

No doubt, smartphone apps are the wave of the future when it comes to communicating with a router. As noted above, Google exclusively uses a smartphone app to communicate with its router, as do Eero and others. The aforementioned Netgear Genie software also runs on iOS and Android. Peplink has smartphone apps for iOS and Android, but they are not nearly as full featured as the web interface of their routers.

Eero routers, after plugging them into a modem, pair up with a smartphone over Bluetooth for the initial setup procedure. This is becoming more common. Luma does it too and the upcoming Portal router (expected later in 2016) will also work this way.

Nerds may talk to a router using SSH or Telnet. Monitoring software may talk to it using SNMP. Some software communicates using UPnP. Netgear Genie software uses the SOAP protocol to talk to its routers, and a bug with this was disclosed in Feb. 2015. I probably left something out.
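To see which of the management channels just listed a router actually answers on, here is an added example (not from this site or any router vendor) that reads the router's LAN address from Linux `ip route` output and tries a TCP connection to the IANA default port of each TCP-based channel. The port numbers are assumed defaults, and SNMP and UPnP discovery are skipped because they use UDP.

```python
"""Inventory the TCP management channels a home router answers on (added
example, not code from routersecurity.org or any vendor). Assumes Linux
`ip route` and IANA default ports; SNMP and UPnP are UDP and are skipped."""
import re
import socket
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

MANAGEMENT_PORTS = {"web (HTTP)": 80, "web (HTTPS)": 443, "SSH": 22, "Telnet": 23}


def default_gateway(route_output: str) -> Optional[str]:
    """Extract the gateway IPv4 address from `ip route show default` text."""
    match = re.search(r"default via (\d{1,3}(?:\.\d{1,3}){3})", route_output)
    return match.group(1) if match else None


def tcp_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_router(host: str, probe: Callable[[str, int], bool] = tcp_open
                 ) -> Tuple[Dict[str, bool], List[str]]:
    """Probe each channel on the router; return open/closed map and findings."""
    status = {name: probe(host, port) for name, port in MANAGEMENT_PORTS.items()}
    findings = []
    if status["Telnet"]:
        findings.append("Telnet answers: admin logins cross the LAN in cleartext; disable it.")
    if status["web (HTTP)"] and not status["web (HTTPS)"]:
        findings.append("Web admin is HTTP only: the admin password travels unencrypted on the LAN.")
    if not any(status.values()):
        findings.append("No TCP management channel answered; router may be app/cloud-managed only.")
    return status, findings


if __name__ == "__main__":
    route = subprocess.run(["ip", "route", "show", "default"], capture_output=True, text=True).stdout
    gateway = default_gateway(route)
    if gateway is None:
        raise SystemExit("no default gateway found; are you on the router's LAN?")
    status, findings = audit_router(gateway)
    for name, is_open in status.items():
        print(f"{gateway} {name:<12} {'open' if is_open else 'closed'}")
    for line in findings:
        print("finding:", line)
```

Run it from a machine on the router's LAN; a router that only offers a smartphone app or cloud management will typically show nothing open.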

There are no standards for communicating with a router. Even limiting ourselves to just the web interface, they are all different. Even a single vendor will have different web interfaces for different router models. And, the web interface for a single router may drastically change over time. Worse still, there are also no naming standards. Thus, the same feature may well have six different names from six different companies.

New router setup

In the old days, a new router included setup software on a CD. Now, if a CD is included, it probably contains setup instructions and a manual. Any software on a CD is likely to be old.

New routers are configured either by logging in to its web interface or with a smartphone app. Apple routers are their own category, they are configured using Apple software included in iOS and OS X.

I wrote up instructions on setting up a new router. In brief, let me say here that all router instructions say to connect a new router to the Internet first thing. I disagree with this advice, as I think there are a few security changes you should make beforehand, while the router is still offline. The Google OnHub routers are the only ones I know of that cannot be configured offline. After making these few changes, the first thing to do when the new router goes online is to check for bug fixes, a.k.a. firmware updates.


This page was last updated: November 14, 2016 7PM CT     
Created: February 2, 2015
Feedback: routers_at_michaelhorowitz.com  
Copyright 2015 - 2017