Router Security | Introduction to Routers |
Website by Michael Horowitz |
In a nutshell: A router is a networking device (a box) that allows multiple computers/phones/tablets/etc. to share a single Internet connection. In the old days the sharing was only via wired Ethernet cables, now, every consumer router offers both Ethernet and wireless Wi-Fi access.
A router does not talk to an Internet Service Provider (ISP), that job is handled by a modem. Different types of Internet connections (DSL, cable, optical (such as FIOS), dial-up and Satellite for example) require different types of modems. While the (logical) front end of these different types of modems varies drastically, they all offer an Ethernet connection on the (logical) back end. This Ethernet port serves as the input to a router. Thus any router can work with any type of Internet connection.
The term modem derives from modulating and demodulating, something that modems don't actually do. When the Internet first became popular, computers dialed the telephone to get online. The hardware that handled this communication was called a modem. Modulating refers to translating digital ones and zeros into tones that a telephone line can transmit. Demodulating is the reverse. When newer technology, offering faster connections, came out, we needed a term for the box in your home/office that handled these newer types of communication. Thus "modem" came to mean the device that talks to your ISP, regardless of the technology it uses.
None of your computing devices (tablet, smartphone, desktop computer, laptop, Chromebook, thermostat, Apple TV, Roku) know anything about the modem. They all talk to the router. For more about modems, see the modems page.
While you can plug a computer into the Ethernet port of a modem, it's a waste. A high speed connection wants to be shared :-). The only time we would do this is when there is a problem with the Internet connection and we are trying to figure out if the problem is with the modem or the router.
The term router comes from the fact that it sits between two different networks and routes data between them. Normally, one network is the public Internet and the other is the network in your home, referred to as the Local Area Network or LAN. All devices on any network need to have a unique number and the network in your home uses different numbers than the Internet. Keeping track of the different numbering schemes as data is transferred from one network to another is the job of the router.
A router also provides a firewall to prevent computers on the Internet from making unsolicited connections in to any of your computing devices. With a good router this firewall will offer full protection. On a bad router there will be some holes poked in the firewall. The Test Your Router page offers many ways to kick the tires on the firewall in your router.
A typical router has four Ethernet ports for wired connections. As wireless devices using Wi-Fi have become more popular, the need for Ethernet ports has decreased. Some consumer routers now have only one Ethernet port. At the other extreme, high end routers offer more than four Ethernet ports.
The number of Ethernet ports can be expanded with a device called a switch. A switch does for computer networks what a power strip does for electricity. Just as you plug a power strip into an electric wall socket, you plug a switch into a LAN side Ethernet port of the router. The smallest, cheapest switches have four Ethernet ports, more expensive units offer many more ports.
All routers sold to consumers offer Wi-Fi, the only models without Wi-Fi are for business use. A router can create a varying number of wireless networks, each with its own name (SSID) and security profile. Pretty much every router can create at least two wireless networks, one for private use and one for Guests. Asus routers can create eight wireless networks. My favorite router originally created three Wi-Fi networks. At some point a software/firmware update expanded this to eight networks. If need be, the wireless feature can be disabled in a router.
When it was first created, Wi-Fi used a range of frequencies near 2.4 GHz. Later, Wi-Fi could also use frequencies near 5GHz. Each range of frequencies is called a "band". For a long time, routers had to use different SSIDs (names) for each frequency band. Now many routers are smarter and a single name/SSID can use both frequency bands at the same time.
You may also hear the term access point. This refers to a box that does Wi-Fi and nothing but Wi-Fi. An access point has to be connected to a router, usually by Ethernet. Typically an Access Point is added to a router that does not do Wi-Fi on its own. The Access Point and the router may be from the same or different companies. High end networking equipment allows for many access points to connect to a single router. The term is often abbreviated to just AP. They are also known as Wireless Access Points or WAPs.
For times when the Wi-Fi range was insufficient, but running an Ethernet cable was not an option, there are Wi-fi extenders. They differ differ from Access Points mostly in the fact that they connect back to the router wirelessly. Cheaper models suffer a severe performance penalty. Better models also offer slower performance than directly talking to the router, but not much slower.
Starting in early 2016 we saw new devices - mesh router systems. These were routers sold as a set of three boxes. One box connects to the modem via Ethernet and the other two offer a greatly expanded Wi-Fi range. The two satellite Wi-Fi devices connect to the base station either by Wi-Fi or Ethernet. Their big advantage is that all the devices are from the same company and are designed to work together. Most mesh systems are designed to replace a router, but some will also work with an existing router to expand its Wi-Fi range. The first wave of mesh router systems were all three-packs, now some are sold as two devices, which technically is not a mesh. Many mesh systems can support more than three devices.
I talk about routers and modems being separate and independent devices. Sometimes they are, sometimes they are not. ISPs often ship their customers a single box which functions as both the modem and the router. The official term for this is a "gateway" but, very often, a gateway is incorrectly called a router or a modem. Even techies make this mistake in terminology. Sometimes they are referred to as "Modem Routers".
Some gateways do even more. If your ISP offers VOIP telephone service, their gateway is likely to also include telephone jacks, making it a 3-in-1 device.
From a Defensive Computing standpoint, you are better off with separate devices for a number of reasons. For one, having two devices lets you update or replace either one without impacting the other. And, it lets you chose the best of breed for each device. If nothing else, it lets you opt for a more up-to-date device, or, a more secure one. It also makes debugging easier when things go wrong. Finally, buying your own modem and/or router can save you money in the long run.
Also worth reading: HTG Explains: Understanding Routers, Switches, and Network Hardware by Jason Fitzpatrick (last updated September 2016).
A router is roughly the size of a paperback book. It may lie horizontal or stand vertically. It may or may not have WiFi antennas. Routers without visible antennas have internal ones. There are routers with one, two, three and four external antennas. Some routers announced at CES in January 2015 have six or eight antennas. On some routers, the antennas are removable, on others they are not.
Wireless WiFi networks can use two different range of frequencies, referred to as "bands". The older frequency band is 2.4GHz, the newer one is 5GHz. Old or low end routers can only transmit in the 2.4GHz band. Many current routers transmit in both frequency bands at the same time, a condition known as dual band. A few routers (such as the Pepwave Surf SOHO) can transmit in both 2.4GHz and 5GHz but only one band at a time. High end routers support two separate 5GHz radios along with 2.4GHz. The term for this is Tri-Band as in three concurrent frequency bands.
Of the two frequency bands the 2.4GHz band is much more crowded and thus prone to interference. However, a 2.4GHz signal goes through walls better so it has a longer range.
Each wireless network is given a name, often referred to as an SSID.
There are different flavors of WiFi. The oldest flavors were a and b. No one uses them any more. Then came G which is now the bottom of the line. After G came N which is now middle class. The latest and greatest is AC. WiFi G only works in the 2.4GHz band. WiFi N works in either frequency band. WiFi AC only works in the 5GHz band.
A consumer router, such as the D-Link DIR-830L is marketed as an AC1200 class router. The AC refers to the type of WiFi it supports. The number after that has a technical and mostly irrelevant meaning, but the higher the better. At least up to a point. Likewise the Netgear WNDR4500 router is sold as an N900 thingy. It does WiFi N. Tim Higgins delved into the techie details of router speed numbers in February 2015 and January 2014 (for nerds only).
WiFi flavors are backward compatible, so you really can't go wrong here. A router offering WiFi type N will talk to older G devices. A router offering WiFi type AC will talk to devices that are only capable of N and/or G. But, to get the fastest speeds from a router offering the AC flavor of WiFi, the computing devices have to also support the AC flavor of WiFi. Turning things around, a computing device capable of WiFi AC, will also be able to talk WiFi N to a router that only supports N.
Routers vary in the number of wireless networks they create.
Wired computer networks use a technology called Ethernet. The wires are referred to as Ethernet cables and the jacks they plug into are called Ethernet ports. There are two popular speeds for Ethernet: Gigabit and Fast. Fast Ethernet is the slower option running at 100mbps (megabits per second). Gigabit Ethernet is ten times faster (1,000mbps). For most people, most of the time, the 100mbps speed of Fast Ethernet is fast enough. Pretty much all routers manufactured in the last few years come with gigabit speed Ethernet.
There are typically five Ethernet ports on a router. Four are LAN ports -- LAN means Local Area Network. In English, LAN refers to the network in the same location as the router. If the router is in your home, the LAN refers to the network in your home. The other Ethernet port is the WAN port. WAN means Internet, although it stands for Wide Area Network. If you have a separate modem and router, the (one and only) Ethernet port from the modem is connected to the WAN port on the router.
The LAN ports are normally numbered 1 through 4 and they are all the same. That is, it makes no difference which LAN port anything is plugged into. There may be an exception to this rule, if you use QOS (Quality of Service) to give one port a higher priority than the others. But that's not a security issue. The Netgear R8500 has six LAN ports. The Google OnHub routers have only one. The Asus RT-AC88U has eight.
If all your computing devices are wireless, then the LAN ports go unused. If you have 5 or more Ethernet devices, then you can buy a switch with multiple Ethernet ports. One of those plugs into a LAN port, the others are for your overflow Ethernet devices.
Most routers do not have an on/off switch. Many of those that do, position it such that its just as easy to pull the electric plug as it is to hit the button. Almost all have lots of pretty blinking lights, but the number of lights and what they indicate vary greatly. Some routers let you disable the blinking lights.
As a rule, routers do not have microphones or speakers. One exception is the Starry Station router which has both. The Google OnHub routers have speakers, but no microphones.
Speaking of the Starry Station router, it is, as far as I know, unique in other ways too. It is the only router I know of that runs Android. It is also the only router that has a fan for cooling.
The price for consumer routers varied from roughly $30 to $300, until late 2015 when we started to see some priced over $300. The Starry Station router was the most expensive, at $350 as of early May 2016. Then the Linksys EA9500 was released in late May 2016 at $400 (its tri-band, 5.3Gbps MU-MIMO). The Netgear Nighthawk X10, a single router, was released in October 2016 for $500. The Eero mesh network system of three devices was released in early 2016 for $500 and remains (as of Oct. 2016) the most expensive mesh routing system. The price for business class routers can be much higher but they typically start at around $200.
If you are reading this page, your router will have a single Ethernet WAN port. Higher end routers have multiple WAN ports which allows them to be connected to two different ISPs. For example, one WAN port could be plugged into a cable modem and another into a DSL modem. This is for locations where Internet access is very important. The devices connected to the router to remain on-line even if one ISP fails.
Not all multi-WAN routers are the same. For example, there are smart and dumb models. The dumb ones use ISP1 all the time, until it fails, and then switch over to ISP2. Smart multi-WAN routers use both ISP1 and ISP2 all the time and balance the load/traffic between them. The smart ones can also tolerate the failure of a single ISP without anything connected to the router being aware of the problem. Also, some have more than two WAN ports. The Peplink Balance line of routers all have multiple WAN ports with high end models featuring 12 or 13.
There are also three different ways to feed the Internet into a router.
These inputs can also be combined. That is, a multi-WAN router can have, for example, one input via Ethernet and another via a 3G/4G/LTE modem.
On the horizon, perhaps by the end of 2019, there will be a fourth option, 5G routers such as this one from D-Link.
There are MANY ways to talk to a router, it is, after all, a computer.
The communication medium can be wired Ethernet, wireless WiFi, and/or Bluetooth. Some high end models have a serial console port.
In the old days, we used desktop software to talk to a router, then most of the industry migrated to a web interface. Apple still uses software, their AirPort utility. Netgears Genie software still comes in flavors for Windows and OS X. Linksys still offers Linksys Connect software that runs on Windows and OS X.
The most common way to interact with a router is via its web interface. That is, we communicate with a website that exists inside the router. Mostly
this is done via the routers internal IP address. That is, you make a request such as
http://192.168.1.1from any web browser. If you don't know the internal IP address of your router, see my blog Find the IP address of your home router.
Some routers also respond to pre-configured names. Note that referring to the router by name will likely fail when using a web browser configured for secure DNS.
Apple routers can only be configured from an Apple device (iOS or OS X) running the Apple AirPort utility. Technically, Apple does support Windows, in that there is an edition of the AirPort utility that runs on Windows, but it has not been updated for a very long time. In the old days Apple routers could talk to network software via SNMP (Simple Network Management Protocol), but no more.
Apple was the only company making routers without a web interface, but in September 2015, Google introduced their first router (OnHub) and it too had no web interface, relying solely on a smartphone app for configuration. Since then many other routers have followed suit, discarding a web interface for a mobile app. In fact, since then, Apple has discarded their routers altogether. They never admitted it, and they continued to sell them, but it was reported that all the employees who had been working on their routers were transferred to other jobs.
After the web interface came the cloud. Hardware manufacturers created websites that could talk to and control your router. You need to register with the manufacturer website and get a userid/password. Then, you can talk to your router from anywhere in the world. The cloud service for Peplink is called InControl2. Cisco called their Connect Cloud back when they owned Linksys. D-Link calls theirs mydlink cloud services and some of their routers are marketed as "Cloud Routers". Ruckus calls theirs CloudManager, eWON calls theirs Talk2M. According to this article, the only way to configure a Meraki router is via the cloud.
I am not a fan of this method. As I see it, it requires me to trust every employee of the router manufacturer. I am not that trusting. And, with Dynamic DNS (DDNS) it has always been possible to communicate with a router from anywhere.
Some routers have a touch screen interface. Amped Wireless was, I believe, the first to market with this. Their TAP-R2, TAP-R3 and Securifi Almond+ all feature touch screens. So too, does the Starry station router and the Ubiquiti AmpliFi series, shown here at the right. The AmpliFi has been adding new features to its touch screen. You can even use it to upgrade the firmware.
No doubt, smarphone apps are the wave of the future when it comes to communicating with a router. As noted above, Google exclusively uses a smartphone app to communicate with its router, as do Eero and others. The aforementioned Netgear Genie software, also runs on iOS and Android. Peplink has smartphone apps for iOS and Android, but they are not nearly as full featured as the web interface of their routers.
Eero routers, after plugging them into a modem, pair up with a smartphone over Bluetooth for the initial setup procedure. This is becoming more common. Luma does it too and the upcoming Portal router (expected later in 2016) will also work this way.
In August 2018 the first two routers were announced that you could talk to. Huawei’s AI Cube and the Netgear Orbi Voice are expected to embed Amazon Alexa functionality.
Nerds may talk to a router using SSH or Telnet. Monitoring software may talk to it using SNMP. Some software communicates using UPnP. Netgear Genie software uses the SOAP protocol to talk to its routers, and a bug with this was disclosed in Feb. 2015. I probably left something out.
There are no standards for communicating with a router. Even limiting ourselves to just the web interface, they are all different. Even a single vendor will have different web interfaces for different router models. And, the web interface for a single router may drastically change over time. Worse still, there are also no naming standards. Thus, the same feature may well have six different names from six different companies.
In the old days, a new router included setup software on a CD. Now, if a CD is included, it probably contains setup instructions and a manual. Any software on a CD is likely to be old.
New routers are configured either by logging in to a web interface, or, with a smartphone app. Apple routers are their own category, they are configured using Apple software included in iOS and OS X.
I wrote up instructions on setting up a new router. In brief, let me say here that all router instructions say to connect a new router to the Internet first thing. I disagree with this advice, as I think there are a few security changes you should make beforehand, while the router is still offline. The Google OnHub routers are the only ones I know of that can not be configured off-line. After making these few changes, then the first thing to do when the new router goes online is to check for bug fixes, a.k.a. firmware updates.
Home networking: Everything you need to know by Dong Ngo of CNET February 15, 2017.