Router Security: Introduction to Routers
Website by Michael Horowitz
What is a router?

In a nutshell: A router is a networking device (a box) that allows multiple computers/phones/tablets/etc. to share a single Internet connection. In the old days the sharing was only via wired Ethernet cables; now every consumer router offers both Ethernet and wireless Wi-Fi access.

A router does not talk to an Internet Service Provider (ISP); that job is handled by a modem. Different types of Internet connections (DSL, cable, optical (such as FiOS), dial-up and satellite, for example) require different types of modems. While the (logical) front end of these different types of modems varies drastically, they all offer an Ethernet connection on the (logical) back end. This Ethernet port serves as the input to a router. Thus any router can work with any type of Internet connection.

None of your computing devices (tablet, smartphone, desktop computer, laptop, Chromebook, thermostat, Apple TV, Roku) know anything about the modem. They all talk to the router. For more about modems, see the modems page.

While you can plug a computer into the Ethernet port of a modem, it's a waste. A high speed connection wants to be shared :-). The only time we would do this is when there is a problem with the Internet connection and we are trying to figure out if the problem is with the modem or the router. It is also a bit dangerous, since the computer is then exposed directly to the Internet with no router firewall in front of it.

My favorite router - Pepwave Surf SOHO

A router also provides a firewall to prevent computers on the Internet from making unsolicited connections into any of your computing devices. With a good router this firewall will offer full protection. On a bad router there will be some holes poked in the firewall. The Test Your Router page offers many ways to kick the tires on the firewall in your router.

A typical router will offer four Ethernet ports for your computers. As Wi-Fi has become more popular, some consumer routers have only one Ethernet port. High end routers offer more than four ports. The number of Ethernet ports can be expanded with a device called a switch. A switch does for computer networks what a power strip does for electricity. Just as you plug a power strip into an electric wall socket, you plug a switch into an Ethernet port of the router. The smallest, cheapest switches have four Ethernet ports; more expensive units offer many more ports.

All routers sold to consumers offer Wi-Fi; the only models without Wi-Fi are for business use. A router can create a varying number of wireless networks, each with its own name (SSID) and security profile. Pretty much every router can create at least two wireless networks, one for private use and one for Guests. Asus routers can create eight wireless networks. My favorite router can create three networks. If need be, the wireless feature can be disabled in a router.

I talk about routers and modems being separate and independent devices. Sometimes they are, sometimes they are not. ISPs often ship their customers a single box which functions as both the modem and the router. The official term for this is a "gateway" but, very often, a gateway is incorrectly called a router or a modem. Even techies make this mistake in terminology. Sometimes they are referred to as "Modem Routers".

Some gateways do even more. If your ISP offers VOIP telephone service, their gateway is likely to also include telephone jacks, making it a 3-in-1 device.

From a Defensive Computing standpoint, you are better off with separate devices for a number of reasons. For one, having two devices lets you update or replace either one without impacting the other. And, it lets you choose the best of breed for each device. If nothing else, it lets you opt for a more up-to-date device, or, a more secure one. It also makes debugging easier when things go wrong. Finally, buying your own modem and/or router can save you money in the long run.

The term modem derives from modulating and demodulating, something that modems don't actually do. When the Internet first became popular, computers dialed the telephone to get online. The hardware that handled this communication was called a modem. Modulating refers to translating digital ones and zeros into tones that a telephone line can transmit. Demodulating is the reverse. When newer technology, offering faster connections, came out, we needed a term for the box in your home/office that handled these newer types of communication. Thus "modem" came to mean the device that talks to your ISP, regardless of the technology it uses.

You may also hear the term access point. This refers to a box that does Wi-Fi and nothing but Wi-Fi. An access point has to be connected to a router, usually by Ethernet. High end networking equipment allows for many access points to connect to a single router. The term is often abbreviated to just AP. They are also known as Wireless Access Points or WAPs.

Starting in early 2016 we saw new devices - mesh router systems. These were routers sold as a set of three boxes. One box connects to the modem via Ethernet and the other two offer a much expanded Wi-Fi range. The two satellite Wi-Fi devices connect to the base station either by Wi-Fi or Ethernet. Some of the mesh systems are designed to replace a router, others are more flexible, and will work with an existing router to expand its Wi-Fi range. While the first wave of mesh router systems were all three-packs, some now are two devices and others support four or more devices.

Also worth reading: HTG Explains: Understanding Routers, Switches, and Network Hardware by Jason Fitzpatrick (last updated September 2016).

About the router hardware

A router is roughly the size of a paperback book. It may lie horizontal or stand vertically. It may or may not have WiFi antennas. Routers without visible antennas have internal ones. There are routers with one, two, three and four external antennas. Some routers announced at CES in January 2015 have six or eight antennas. On some routers, the antennas are removable, on others they are not.

Wireless WiFi networks can use two different ranges of frequencies, referred to as "bands". The older frequency band is 2.4GHz, the newer one is 5GHz. Old or low end routers can only transmit in the 2.4GHz band. Many current routers transmit in both frequency bands at the same time, a capability known as dual band. A few routers (such as the Pepwave Surf SOHO) can transmit in both 2.4GHz and 5GHz but only one band at a time. High end routers support two separate 5GHz radios along with 2.4GHz. The term for this is Tri-Band, as in three concurrent frequency bands.

Of the two frequency bands the 2.4GHz band is much more crowded and thus prone to interference. However, a 2.4GHz signal goes through walls better so it has a longer range.

Each wireless network is given a name, often referred to as an SSID.

There are different flavors of WiFi. The oldest flavors were a and b. No one uses them any more. Then came G which is now the bottom of the line. After G came N which is now middle class. The latest and greatest is AC. WiFi G only works in the 2.4GHz band. WiFi N works in either frequency band. WiFi AC only works in the 5GHz band.

A consumer router, such as the D-Link DIR-830L is marketed as an AC1200 class router. The AC refers to the type of WiFi it supports. The number after that has a technical and mostly irrelevant meaning, but the higher the better. At least up to a point. Likewise the Netgear WNDR4500 router is sold as an N900 thingy. It does WiFi N. Tim Higgins delved into the techie details of router speed numbers in February 2015 and January 2014 (for nerds only).

WiFi flavors are backward compatible, so you really can't go wrong here. A router offering WiFi type N will talk to older G devices. A router offering WiFi type AC will talk to devices that are only capable of N and/or G. But, to get the fastest speeds from a router offering the AC flavor of WiFi, the computing devices have to also support the AC flavor of WiFi. Turning things around, a computing device capable of WiFi AC, will also be able to talk WiFi N to a router that only supports N.

Routers vary in the number of wireless networks they create.

  1. There are private and guest networks. Guest networks are a great security feature, they can use a different password and be isolated from the private network. They can also be disabled when not needed.
  2. The number of networks varies. A dual band router will, at the least, create one wireless network on each frequency band. It may also offer a guest network on each frequency band, for a total of 4 networks. I have seen dual band Asus routers that can create six guest networks, for a grand total of 8 wireless networks coming out of one router.
  3. The names vary. While most routers let you choose any name you want for guest networks, I have seen a Linksys router that forced you to use the name Linksys prefers. Also, most routers let you give each network its own unique name, but a few routers force the private networks on each frequency band to use the same name. There are pros and cons to this, but it is not a security issue.

Wired computer networks use a technology called Ethernet. The wires are referred to as Ethernet cables and the jacks they plug into are called Ethernet ports. There are two popular speeds for Ethernet: Gigabit and Fast. Fast Ethernet is the slower option, running at 100 Mbps (megabits per second). Gigabit Ethernet is ten times faster (1,000 Mbps). For most people, most of the time, the 100 Mbps speed of Fast Ethernet is fast enough. Pretty much all routers manufactured in the last few years come with gigabit speed Ethernet.

There are typically five Ethernet ports on a router. Four are LAN ports -- LAN means Local Area Network. In English, LAN refers to the network in the same location as the router. If the router is in your home, the LAN refers to the network in your home. The other Ethernet port is the WAN port. WAN means Internet, although it stands for Wide Area Network. If you have a separate modem and router, the (one and only) Ethernet port from the modem is connected to the WAN port on the router.

The LAN ports are normally numbered 1 through 4 and they are all the same. That is, it makes no difference which LAN port anything is plugged into. There may be an exception to this rule, if you use QOS (Quality of Service) to give one port a higher priority than the others. But that's not a security issue. The Netgear R8500 has six LAN ports. The Google OnHub routers have only one. The Asus RT-AC88U has eight.

If all your computing devices are wireless, then the LAN ports go unused. If you have 5 or more Ethernet devices, then you can buy a switch with multiple Ethernet ports. One of those plugs into a LAN port, the others are for your overflow Ethernet devices.

Most routers do not have an on/off switch. Many of those that do position it such that it's just as easy to pull the electric plug as it is to hit the button. Almost all have lots of pretty blinking lights, but the number of lights and what they indicate vary greatly. Some routers let you disable the blinking lights.

As a rule, routers do not have microphones or speakers. One exception is the Starry Station router which has both. The Google OnHub routers have speakers, but no microphones.

Speaking of the Starry Station router, it is, as far as I know, unique in other ways too. It is the only router I know of that runs Android. It is also the only router that has a fan for cooling.

The price for consumer routers varied from roughly $30 to $300, until late 2015 when we started to see some priced over $300. The Starry Station router was the most expensive, at $350 as of early May 2016. Then the Linksys EA9500 was released in late May 2016 at $400 (it's tri-band, 5.3Gbps MU-MIMO). The Netgear Nighthawk X10, a single router, was released in October 2016 for $500. The Eero mesh network system of three devices was released in early 2016 for $500 and remains (as of Oct. 2016) the most expensive mesh routing system. The price for business class routers can be much higher but they typically start at around $200.

Input to a router

If you are reading this page, your router will have a single Ethernet WAN port. Higher end routers have multiple WAN ports, which allow them to be connected to two different ISPs. For example, one WAN port could be plugged into a cable modem and another into a DSL modem. This is for locations where Internet access is very important. That way, the devices connected to the router remain online even if one ISP fails.

Not all multi-WAN routers are the same. For example, there are smart and dumb models. The dumb ones use ISP1 all the time, until it fails, and then switch over to ISP2. Smart multi-WAN routers use both ISP1 and ISP2 all the time and balance the load/traffic between them. The smart ones can also tolerate the failure of a single ISP without anything connected to the router being aware of the problem. Also, some have more than two WAN ports. The Peplink Balance line of routers all have multiple WAN ports with high end models featuring 12 or 13.
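As an added illustration (my own code, not from this page or from any router vendor), here is a small simulation of the two multi-WAN policies just described: fail-over, which uses ISP1 until it fails and only then switches to ISP2, and load balancing, which spreads new flows across every healthy link. The link names "ISP1"/"ISP2", the weights and the probe results are constructed, and the rule that a link counts as down only after three consecutive failed health probes is an assumption, not something the page states.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class WanLink:
    name: str          # constructed labels, e.g. "ISP1" (cable) and "ISP2" (DSL)
    weight: int = 1    # share of new flows this link gets when load balancing
    up: bool = True
    failures: int = 0  # consecutive failed health probes

    # Assumption (not from the page): a link counts as down only after three
    # consecutive failed probes, and as up again after one success, so a single
    # lost probe does not flap traffic between ISPs.
    DOWN_AFTER = 3

    def record_probe(self, ok: bool) -> None:
        if ok:
            self.failures, self.up = 0, True
        else:
            self.failures += 1
            if self.failures >= self.DOWN_AFTER:
                self.up = False

class FailoverRouter:
    """'Dumb' multi-WAN: everything goes over the first healthy link in priority order."""

    def __init__(self, links: List[WanLink]):
        self.links = links

    def pick(self) -> Optional[str]:
        for link in self.links:
            if link.up:
                return link.name
        return None  # every ISP is down

class LoadBalancingRouter:
    """'Smart' multi-WAN: new flows are spread across all healthy links by weight."""

    def __init__(self, links: List[WanLink]):
        self.links = links
        self._counter = 0

    def pick(self) -> Optional[str]:
        # Weighted round-robin: a link with weight 2 appears twice in the rotation.
        rotation = [l.name for l in self.links if l.up for _ in range(l.weight)]
        if not rotation:
            return None
        choice = rotation[self._counter % len(rotation)]
        self._counter += 1
        return choice

def simulate(router, links: Dict[str, WanLink], probes: List[Dict[str, bool]]) -> List[Optional[str]]:
    # One round of health probes per new flow, then ask the router which WAN carries the flow.
    chosen = []
    for probe_round in probes:
        for name, ok in probe_round.items():
            links[name].record_probe(ok)
        chosen.append(router.pick())
    return chosen

def demo() -> Dict[str, List[Optional[str]]]:
    # Constructed probe history: ISP1 loses three probes in a row (flows 4-6), then recovers.
    probes = [{"ISP1": True, "ISP2": True}] * 3 + [{"ISP1": False, "ISP2": True}] * 3 + [{"ISP1": True, "ISP2": True}]
    results = {}
    for label, cls in (("failover", FailoverRouter), ("balance", LoadBalancingRouter)):
        links = {"ISP1": WanLink("ISP1", weight=2), "ISP2": WanLink("ISP2", weight=1)}
        results[label] = simulate(cls(list(links.values())), links, probes)
    return results
```

Running `demo()` shows the difference: the fail-over router keeps every flow on ISP1 until the third failed probe, while the balancing router already sends a third of the flows over ISP2 and simply stops using ISP1 while it is down.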

There are also three different ways to feed the Internet into a router.

  1. The most popular is Ethernet. Whether an ISP uses cable, DSL, satellite or fiber, its modem should be able to feed into any router via Ethernet.
  2. Some routers, such as models by Peplink and Cradlepoint, can be fed by a 3G/4G/LTE modem plugged into a USB port.
  3. Finally, Peplink routers (and probably some others) also support Wi-Fi as input. That is, if you are in a hotel that only offers Wi-Fi, you can feed that Wi-Fi into a Peplink router which then produces both Ethernet LAN as output and Wi-Fi as output. I have used this at home when my cable Internet failed. A smartphone took in the LTE Internet access and created a hotspot as output. The Wi-Fi out from the phone was then fed into a Peplink/Pepwave Surf SOHO router. It worked great. All the devices that normally connect to the router via both Ethernet and WiFi continued to work without change. Way cool :-)

And, if you were wondering, these two features can be combined. That is, a multi-WAN router can have one input via Ethernet and another via a 3G/4G/LTE modem.

Talking to a router

There are MANY ways to talk to a router; it is, after all, a computer.

The communication medium can be wired Ethernet, wireless WiFi, and/or Bluetooth. Some high end models have a serial console port.

In the old days, we used desktop software to talk to a router; then most of the industry migrated to a web interface. Apple still uses software, their AirPort utility. Netgear's Genie software still comes in flavors for Windows and OS X. Linksys still offers Linksys Connect software that runs on Windows and OS X.

The most common way to interact with a router is via its web interface. That is, we communicate with a website that exists inside the router. Mostly this is done via the router's internal IP address. That is, you make a request such as

       http://192.168.1.1

from any web browser. If you don't know the internal IP address of your router, see my blog Find the IP address of your home router. Some routers also respond to pre-configured names. According to RouterCheck.com, using a name rather than a numeric IP address is a security weakness. For more on the security issue, see the checklist page.

Apple routers can only be configured from an Apple device (iOS or OS X) running the Apple AirPort utility. Technically, Apple does support Windows, in that there is an edition of the AirPort utility that runs on Windows, but it has not been updated for a very long time. In the old days Apple routers could talk to network software via SNMP (Simple Network Management Protocol), but no more.

Apple was the only company making routers without a web interface, but in September 2015, Google introduced their first router (OnHub) and it too had no web interface, relying solely on a smartphone app for configuration. Since then many other routers have followed suit, discarding a web interface for a mobile app. In fact, since then, Apple has discarded their routers altogether. They never admitted it, and they continued to sell them, but it was reported that all the employees who had been working on their routers were transferred to other jobs.

After the web interface came the cloud. Hardware manufacturers created websites that could talk to and control your router. You need to register with the manufacturer website and get a userid/password. Then, you can talk to your router from anywhere in the world. The cloud service for Peplink is called InControl2. Cisco called theirs Connect Cloud back when they owned Linksys. D-Link calls theirs mydlink cloud services and some of their routers are marketed as "Cloud Routers". Ruckus calls theirs CloudManager, eWON calls theirs Talk2M. According to this article, the only way to configure a Meraki router is via the cloud.

I am not a fan of this method. As I see it, it requires me to trust every employee of the router manufacturer. I am not that trusting. And, with Dynamic DNS (DDNS) it has always been possible to communicate with a router from anywhere.

A touch screen Ubiquiti AmpliFi router

Some routers have a touch screen interface. Amped Wireless was, I believe, the first to market with this. Their TAP-R2, TAP-R3 and Securifi Almond+ all feature touch screens. So too do the Starry Station router and the Ubiquiti AmpliFi series, pictured above. The AmpliFi has been adding new features to its touch screen. You can even use it to upgrade the firmware.

No doubt, smartphone apps are the wave of the future when it comes to communicating with a router. As noted above, Google exclusively uses a smartphone app to communicate with its router, as do Eero and others. The aforementioned Netgear Genie software also runs on iOS and Android. Peplink has smartphone apps for iOS and Android, but they are not nearly as full featured as the web interface of their routers.

Eero routers, once plugged into a modem, pair with a smartphone over Bluetooth for the initial setup procedure. This is becoming more common. Luma does it too and the upcoming Portal router (expected later in 2016) will also work this way.

In August 2018 the first two routers were announced that you could talk to. Huawei’s AI Cube and the Netgear Orbi Voice are expected to embed Amazon Alexa functionality.

Nerds may talk to a router using SSH or Telnet. Monitoring software may talk to it using SNMP. Some software communicates using UPnP. Netgear Genie software uses the SOAP protocol to talk to its routers, and a bug with this was disclosed in Feb. 2015. I probably left something out.

There are no standards for communicating with a router. Even limiting ourselves to just the web interface, they are all different. Even a single vendor will have different web interfaces for different router models. And, the web interface for a single router may drastically change over time. Worse still, there are also no naming standards. Thus, the same feature may well have six different names from six different companies.

New router setup

In the old days, a new router included setup software on a CD. Now, if a CD is included, it probably contains setup instructions and a manual. Any software on a CD is likely to be old.

New routers are configured either by logging in to a web interface, or, with a smartphone app. Apple routers are their own category, they are configured using Apple software included in iOS and OS X.

I wrote up instructions on setting up a new router. In brief, let me say here that all router instructions say to connect a new router to the Internet first thing. I disagree with this advice, as I think there are a few security changes you should make beforehand, while the router is still offline. The Google OnHub routers are the only ones I know of that cannot be configured offline. After making these few changes, then the first thing to do when the new router goes online is to check for bug fixes, a.k.a. firmware updates.


This page was last updated: August 31, 2018 7PM CT
Created: February 2, 2015
Feedback: routers __at__ michaelhorowitz dot com
Copyright 2015 - 2018