Requesting suggestions for security settings beyond the defaults for a home router

I recently purchased an entry level router/firewall. The default firewall rules are to:

1) deny all incoming traffic on any port, etc.
2) allow all outgoing traffic to any location, on any port, etc.

There is a very limited number of rules allowed (13).

I disabled the optional features such as remote administration, UPNP, gaming mode, ping, etc.

Would anybody have suggestions that could make the router more secure?

 

Who made it and what model is it?

 

dlink DI-604

 

You could run Shields Up. The DI-604 will show all ports stealthed except one, which will show closed (port 113). In the D-link websites support section you can find info to stealth the port. You might also want to check for a firmware upgrade also, but I don't know if you really need that or not, sorry. If you do a firmware upgrade make sure it's for your version of the DI-604 as there are a few variations. Hopefully someone more knowlegeable can advise you further if it's needed.
http://grc.com/default.htm
http://www.dlink.ca/

 

Yes, I've done both those things already.

Sorry to bother you with this, but I thought there might be something else I could do to increase security (that I missed). I checked the Sticky Posts for this section and didn't see anything that I thought would apply.

I looks as though these settings are about as secure as this router can be.

 

If you mean for outbound, there are various options, go through search, trype outbound protection for routers and you will get myriads of threads.

 

Rules ability in some home routers can be a little quirky at best. Does it allow for you to use these as outbound rules? If so, you would first need to determine all the types of outbound connections you normally use. Keep in mind that of those 13, one may have to be a final "deny all other" = 12 to work with. If you can define all your outbound needs in 12 rules, then you could try that.

Regards,

CrazyM

 

How would I determine the types of connections needed?

For instance, in Ewido's Connections-module window I see 13 connections listed, 2 TCP (listening), 11 UDP. Would each one of these need to have an outbound rule?

 

What do you do online? Browsing, e-mail, chat programs, etc.
Some of the common things that you may use and need rules for:

• permit udp any eq 53 (DNS) - domain name look-up
• permit tcp any eq 80 (HTTP) - web browsing
• permit tcp any eq 443 (HTTPS) - secure web sites
• permit tcp any eq 110 (POP3) - receive e-mail
• permit tcp any eq 25 (SMTP) - send e-mail
• permit tcp any eq 21 (FTP) - file transfer/download
• permit tcp any eq 119 (NNTP) - news servers
• permit tcp any eq 1863 (MSN) - chat
• permit tcp any eq 5050 (Yahoo) - chat
• permit tcp any eq 5190 (AOL) - chat
• permit udp any eq 123 (NTP) - time servers/update system clock
• deny all other (log)

You would need to determine a list (like above) unique to your use of the system(s) behind the router. If the router has logging, enable it to monitor you outbound connection types and build your list. You can see how 13 rules may not go very far depending on what you do. What also may impact the number of rules is how stateful the firewall is in handling some protocols as that could be a factor in the number and scope of some rules.

Some of the services you see listed would likely make use of a couple of the rules listed above (DNS, NTP). What you need to focus on first is the applications you use online to see how large it is and if this is something that is doable with the limited number of rules.

Regards,

CrazyM

 

Thanks. This is very helpful.

 

I will make a suggestion . You can always use a free firewall on your computer , in conjunction with your router . The DI-604 is setup very well right out of the box . A software firewall is just added protection . Really , I only added 3 rules to my router and have been in great shape . Good luck to you my friend . Have fun

 

Re: Requesting suggestions for security settings beyond the defaults for a home route

The DI-604 had served me well for quite a while before going wireless. From what I've read, you've configured the router as well as it can be for inbound protection. I'd have to second hollywoodpc and say acquire a software firewall to deal with outbound traffic. Do some research (this forum!) and see which firewall is dealing best with things like leak tests. It will also add another layer of inbound protection, and that's not a bad thing!