I was both impressed and surprised recently with the security features in a low-end Netgear WGR614 Wi-Fi router. For whatever reason, Netgear does a poor job of touting these features. They are not mentioned on the retail box, not mentioned on the Web page for the router and not mentioned in the product descriptions I saw at a number of online retailers.
I was setting up a new broadband Internet connection for someone, and that required a trip to a local retailer for a plain vanilla, cheap, Wi-Fi G router. I wasn't looking for advanced features, just a bottom-of-line router. The two cheapest routers, one of which was the WGR614, were both $40. I opted for Netgear because of some features that I liked in a prior Netgear router.
Simple But Nice Features
The first was simply the capability to log out of the internal Web site. It's a simple thing, but one missing, for example, from the Linksys routers I've worked on.
The other handy feature offered by Netgear is the capability to display all attached devices. While every router I've worked with has the capability to display attached devices, some do not display a full list. Thus, a computer can be on the network and go undetected (unless more sophisticated techniques are used).
Every computer on a network has to have a unique number (IP address) and it can get this number two ways. The more common approach is for the computer to ask for a number when it starts up. The router is typically in charge of handing out these dynamically assigned IP addresses. But, a computer can also be configured with an IP address that it will always use (referred to as a static IP address), and thus it doesn't have to ask the router for one.
Poorly designed routers, when asked to display attached devices, report only on devices that they gave out IP addresses to. Better routers, such as the Netgear models I've used, report on all devices on the network, regardless of how they got their IP address.
In addition, Netgear puts the "attached devices" option on the main menu, in the left-side column. The computer I'm writing this on is attached to a Linksys WRT54GL. To see the incomplete list of attached devices on this router, you need to click on Status, then Local Network, then a DHCP Clients Table button.
The one thing Netgear left out, however, is whether the IP address of an attached device was assigned statically or dynamically. You should be able to figure this out by looking at the range of IP addresses the router assigns (DHCP). However, mistakes happen, and reporting how a device got its IP address would highlight any mistakes.
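As an added illustration (not from the article or from Netgear's firmware), here is how an administrator could recover the static-versus-dynamic information the WGR614 omits by reconciling the router's neighbour (ARP) table with its DHCP pool and lease table. The pool range, lease table and `ip neigh`-style lines are constructed; a real router's export formats will differ.

```python
"""Reconcile an attached-device (ARP) list with a DHCP pool and lease table.

Constructed sample data: the pool range, the lease table and the neighbour
lines below are made up for this example and mimic Linux `ip neigh` output.
"""
import ipaddress
from dataclasses import dataclass

# Constructed: the DHCP pool as configured on the router's LAN setup page.
DHCP_POOL = (ipaddress.ip_address("192.168.1.100"),
             ipaddress.ip_address("192.168.1.199"))

# Constructed: lease table, MAC -> IP the router actually handed out.
DHCP_LEASES = {
    "aa:bb:cc:00:00:01": "192.168.1.100",
    "aa:bb:cc:00:00:02": "192.168.1.101",
}

# Constructed: neighbour table, one line per device seen on the wire.
ARP_TABLE = """\
192.168.1.100 dev br0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.1.101 dev br0 lladdr aa:bb:cc:00:00:02 STALE
192.168.1.10 dev br0 lladdr aa:bb:cc:00:00:03 REACHABLE
192.168.1.150 dev br0 lladdr aa:bb:cc:00:00:04 REACHABLE
192.168.1.77 dev br0 FAILED
"""

@dataclass(frozen=True)
class Device:
    ip: str
    mac: str
    source: str  # "dhcp", "static" or "static-in-pool"

def in_pool(ip: str) -> bool:
    """True if ip lies inside the router's DHCP hand-out range."""
    lo, hi = DHCP_POOL
    return lo <= ipaddress.ip_address(ip) <= hi

def classify(arp_text: str, leases=DHCP_LEASES) -> list:
    """Label each ARP entry by how its address was most likely assigned."""
    devices = []
    for line in arp_text.splitlines():
        fields = line.split()
        if "lladdr" not in fields:
            continue  # FAILED/incomplete entry: no hardware address learned
        ip, mac = fields[0], fields[fields.index("lladdr") + 1]
        if leases.get(mac) == ip:
            source = "dhcp"            # matches a lease the router issued
        elif in_pool(ip):
            source = "static-in-pool"  # hand-configured inside the DHCP range
        else:
            source = "static"          # hand-configured outside the range
        devices.append(Device(ip, mac, source))
    return devices

def mistakes(devices: list) -> list:
    """Static addresses inside the pool: the collision risk the text mentions."""
    return [d for d in devices if d.source == "static-in-pool"]
```

A host labelled `static-in-pool` can later collide with a DHCP client that is handed the same address, which is exactly the misconfiguration a per-device assignment column would expose.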
But these features are the appetizer, now for the main course.
Two Networks for the Price of One
Perhaps the biggest security feature in the WGR614 router is the guest network. Other consumer-grade routers I've worked with all supported a single wireless network. This router supports two, with each network getting its own security profile.
Wi-Fi networks can be very secure; all you need is WPA2 with AES and a very long password. The problem is the password. While large companies can run additional server software to provide a unique password to each user of a wireless network, consumers and small businesses are limited to a single password that everyone on the wireless network shares.
If everyone is trusted, fine. But a visitor or guest, given the password temporarily, knows it forever. I doubt that many people in charge of a wireless network change the password every time they give it out to a guest.
Netgear says that having two wireless networks allows "visitors to use internet access at your home if you don't want to let them know your wireless security key." But having a second network offers many configuration options, such as the following:
- A small business can leave the guest network unprotected, so that people can use it without a password.
- There can be a long, secure password on the private network and a short, easy-to-type password on the guest network.
- The private network can use the more secure WPA2-AES, while the guest network uses the more compatible WPA-TKIP.
- Old devices that only support the easily cracked WEP can be confined to the guest network instead of being discarded.
- In a family, the parents can use one Wi-Fi network and the children another.
- The private network can be configured not to broadcast its SSID, while the guest network does broadcast it.
It's an impressive list of options for a $40 router.
But there are some compromises. Wi-Fi G runs in the 2.4GHz band, which allows for only three non-overlapping channels: 1, 6 and 11. Both networks share the same Wi-Fi channel.
For the best security, it occurred to me to leave the guest network off and just enable it when needed. However, when the guest network is either turned on or off, users get booted off the private network. And the "attached devices" feature of the router that I mentioned earlier does not indicate which wireless network a device is connected to. On the other hand, each SSID does get its own MAC address.
Sharing and Security: a Bad Marriage
The purpose of a Local Area Network is to share things, be they files, printers or Internet access. But sharing can be a security risk, especially if you use the guest network for non-trusted devices.
When it comes to sharing, you can think of the router as a fish bowl and the computer as a fish. No matter what the computer wants to do, it can only go within the boundaries set by the fish bowl.
The WGR614 offers an option on the Guest network called "Allow Guest to access my Local Network." Rather than explain the meaning of this option simply and clearly, Netgear has, unfortunately, made a reading comprehension test out of their documentation:
OFF: any user connects to this SSID can only access internet directly and other clients in the same SSID network. All clients in this SSID are not allowed to access router web GUI, clients of other SSIDs, Ethernet network and any other service of this Wireless Router.
ON: any user who connects to this SSID can access not only internet but also local networks of this wireless router like users in primary SSID.
My take on this is that when the option is set to OFF, guest network users cannot see any of the computers on the private wireless network, nor any computers that are connected to the router via Ethernet cables. Also, they are prevented from accessing the internal website in the router to make configuration changes to it. However, all users of the guest network can see each other. If the option is ON, then I think it means that guest network users can see all other computers connected to the router. It's not clear if they can also access the router's internal Web site.
In addition to the sharing restrictions on the guest network, the WGR614 offers another sharing restriction called Wireless Isolation (under Advanced -> Wireless settings) which applies to the non-guest network. As Netgear describes it:
"If checked, the wireless client under this SSID can only access internet and it can't access other wireless clients even under the same SSID, Ethernet clients or this device. Other clients can't access the wireless client, either."
In other words, wireless users can get to the Internet and nothing else. They can't see any other computers connected to the router, and other computers can't see them either (by "other" computers, I mean all computers connected to the router, be they wired, using the main WiFi network or using the guest WiFi network). It also prevents wireless access to the router itself (a feature I've seen in other routers). What great security!
Time and resources prevented me from verifying this completely, but I did confirm that with this option turned on, a wireless user of the non-guest network could not access the website in the router. Interestingly, PINGing the router worked fine, it was just HTTP access that was cut off.
Easy Firmware Updates
Another nice thing about Netgear routers is that they search for upgraded firmware on their own. All you need to do is click a button. Some other routers send you off to the manufacturer's Web site, where you have to manually hunt down the availability of upgraded firmware, a process that can be confusing, especially on routers where multiple hardware versions share the same model number.
When it comes to picking a Wi-Fi channel, some routers require you to manually select one, while others, such as the WGR614, have an option to dynamically select the channel with the least local interference. I was able to test the channel selection in the WGR614 because I used it in an area with only one other strong WiFi signal.
Although the 2.4GHz band offers 11 channels, only three (1, 6 and 11) don't overlap. The other wireless network near the WGR614 seemed to consistently use channel 11, so the best choice (the one offering the least interference) for the WGR614 would have been channel 1. Indeed, most days that's what it used. One day it was using channel 6, but by the next day it was back to channel 1. All in all, I felt it did well.
I've run across many computer systems that validate based on userid/password but let a single user log in twice concurrently. The WGR614 does not make this mistake. At one point, while logged into the router, I changed the IP address on the computer I was using and then couldn't get back into the router. Because I hadn't logged off with the old IP address, it wouldn't let me (using the same userid/password) in from the new IP address. Yet another nice feature, one that you won't find on the list of features.
My biggest gripe with the WGR614 concerned DNS servers. Regardless of the DNS servers it was configured to use, the router always told the connected computers to use itself as the sole DNS server. I prefer a router that provides connected clients with a pair of public DNS servers, be they the ones from the ISP or servers manually entered into the router. For one thing, having two DNS servers is always better than one, as they are critical to Internet access. Also, having the router merely pass DNS requests out to the Internet, rather than get in the middle and try to answer the requests itself, removes it as a possible choke point.
That said, for a $40 router, the WGR614 seems like a bargain.