Router Security: Introduction to Routers
Website by Michael Horowitz

What is a router?

In a nutshell: A router is a networking device (a box) that shares a single Internet connection (via both Wi-Fi and Ethernet cables) and provides a firewall to prevent computers on the Internet from making unsolicited connections to any of your computing devices.

My favorite router - Pepwave Surf SOHO

When the Internet first became popular, computers dialed the telephone to get online. The hardware that handled this communication was called a modem, short for modulating and demodulating. Modulating refers to translating digital ones and zeros into tones that a telephone line understands and transmits.

The introduction of faster Internet access (a.k.a. broadband) with DSL changed more than just the speed. While DSL still relied on a phone line, it required an external dedicated device, also known as a modem, in your home/office. Earlier modems could be built into computers; this was not true with DSL modems. And, because DSL modems did not do any modulating, the meaning of the term "modem" changed over time. It came to mean the box that talks to your Internet Service Provider (ISP) regardless of the technology it uses internally.

DSL modems connected to the phone line on one end (to talk to the ISP) and a computer, via Ethernet, on the other end. When cable Internet access came along, the cable modems connected to a coaxial cable on one end (again to talk to the ISP) and a computer, via Ethernet, on the other end. Likewise, with fiber optic connections to the Internet, the box that talks to the ISP (still called a modem) has a fiber optic connection on one end and an Ethernet connection on the other. The modems page here has more on modems and a warning about some buggy models.

You can plug a computer into the Ethernet port of any modem, but it's a waste. A high speed connection wants to be shared and that's what routers do.

A router plugs into the Ethernet port of a modem for Internet access. Then, all of your computing devices (tablet, smartphone, desktop computer, laptop, Chromebook, thermostat, Apple TV, Roku) talk to the router.

A typical router will offer four Ethernet ports for your computers, but some offer only one. High end routers offer more. A device called a switch can expand the number of Ethernet ports should you outgrow your router over time.

When routers first came out, they just did Ethernet, but now they all do Wi-Fi too. A router can create a varying number of wireless networks, each with its own name (SSID). Almost all routers can create at least two wireless networks, one for private use and one for Guests. Asus routers can create eight wireless networks. All the wireless networks end up feeding back into the modem for their Internet access. If need be, the wireless feature can be disabled in a router.

As more and more people connected to the Internet, ISPs did not want to deal with two devices for each customer, so they started using a single box that combined the functions of a modem and a router. This single device is often called a gateway, but I have also seen it referred to as a "Modem Router". Then, when ISPs started to offer VOIP telephone service (a telephone line that uses the Internet) they also included a standard telephone jack (or two) in the boxes they gave to customers.

From a Defensive Computing standpoint, you are better off with separate devices for a number of reasons. For one, having two devices lets you update or replace either one without impacting the other. And, it lets you choose the best of breed for each device. Even if not the best, it lets you choose a more up-to-date device, and a more secure one. Buying your own modem and/or router can also save you money in the long run.

That said, things get more complicated when the ISP is also providing VOIP telephone service from their gateway, and I am no expert on the options in this case.

Consumer Reports also has an introduction to routers. See their Wireless router buying guide. As of Oct. 2015, it was last updated December 2014. Also worth reading: HTG Explains: Understanding Routers, Switches, and Network Hardware by Jason Fitzpatrick, July 2014.

About the router hardware

A router is roughly the size of a paperback book. It may lie horizontal or stand vertically. It may or may not have WiFi antennas. Routers without visible antennas have internal ones. There are routers with one, two, three and four external antennas. Some routers announced at CES in January 2015 have six or eight antennas. On some routers, the antennas are removable, on others they are not.

Wireless WiFi networks can use two different ranges of frequencies, referred to as "bands". The older frequency band is 2.4GHz, the newer one is 5GHz. Old or low end routers can only transmit in the 2.4GHz band. Many current routers transmit in both frequency bands at the same time, a condition known as dual band. A few routers (such as the Pepwave Surf SOHO) can transmit in both 2.4GHz and 5GHz but only one band at a time. High end routers support two separate 5GHz radios along with 2.4GHz. The term for this is Tri-Band as in three concurrent frequency bands.

Of the two frequency bands the 2.4GHz band is much more crowded and thus prone to interference. However, a 2.4GHz signal goes through walls better so it has a longer range.

Each wireless network is given a name, often referred to as an SSID.

There are different flavors of WiFi. The oldest flavors were a and b. No one uses them any more. Then came G which is now the bottom of the line. After G came N which is now middle class. The latest and greatest is AC. WiFi G only works in the 2.4GHz band. WiFi N works in either frequency band. WiFi AC only works in the 5GHz band.

A consumer router, such as the D-Link DIR-830L is marketed as an AC1200 class router. The AC refers to the type of WiFi it supports. The number after that has a technical and mostly irrelevant meaning, but the higher the better. At least up to a point. Likewise the Netgear WNDR4500 router is sold as an N900 thingy. It does WiFi N. Tim Higgins delved into the techie details of router speed numbers in February 2015 and January 2014 (for nerds only).

WiFi flavors are backward compatible, so you really can't go wrong here. A router offering WiFi type N will talk to older G devices. A router offering WiFi type AC will talk to devices that are only capable of N and/or G. But, to get the fastest speeds from a router offering the AC flavor of WiFi, the computing devices have to also support the AC flavor of WiFi. Turning things around, a computing device capable of WiFi AC, will also be able to talk WiFi N to a router that only supports N.

Routers vary in the number of wireless networks they create.

  1. There are private and guest networks. Guest networks are a great security feature, they can use a different password and be isolated from the private network. They can also be disabled when not needed.
  2. The number of networks vary. A dual band router will, at the least, create one wireless network on each frequency band. They may also offer a guest network on each frequency band, for a total of 4 networks. I have seen dual band Asus routers that can create six guest networks, for a grand total of 8 wireless networks coming out of one router.
  3. The names vary. While most routers let you choose any name you want for guest networks, I have seen a Linksys router that forced you to use the name Linksys prefers. Also, most routers let you give each network its own unique name, but a few routers force the private networks on each frequency band to use the same name. There are pros and cons to this, but it is not a security issue.

Wired computer networks use a technology called Ethernet. The wires are referred to as Ethernet cables and the jacks they plug into are called Ethernet ports. There are two popular speeds for Ethernet: Gigabit and Fast. Fast Ethernet is the slower option running at 100mbps (megabits per second). Gigabit Ethernet is ten times faster (1,000mbps). For most people, most of the time, the 100mbps speed of Fast Ethernet is fast enough. Pretty much all routers manufactured in the last few years come with gigabit speed Ethernet.

There are typically five Ethernet ports on a router. Four are LAN ports -- LAN means Local Area Network. In English, LAN refers to the network in the same location as the router. If the router is in your home, the LAN refers to the network in your home. The other Ethernet port is the WAN port. WAN means Internet, although it stands for Wide Area Network. If you have a separate modem and router, the (one and only) Ethernet port from the modem is connected to the WAN port on the router.

The LAN ports are normally numbered 1 through 4 and they are all the same. That is, it makes no difference which LAN port anything is plugged into. There may be an exception to this rule, if you use QOS (Quality of Service) to give one port a higher priority than the others. But that's not a security issue. The Netgear R8500 has six LAN ports. The Google OnHub routers have only one. The Asus RT-AC88U has eight.

If all your computing devices are wireless, then the LAN ports go unused. If you have 5 or more Ethernet devices, then you can buy a switch with multiple Ethernet ports. One of those plugs into a LAN port, the others are for your overflow Ethernet devices.

Most routers do not have an on/off switch. Many of those that do position it such that it's just as easy to pull the electric plug as it is to hit the button. Almost all have lots of pretty blinking lights, but the number of lights and what they indicate vary greatly. Some routers let you disable the blinking lights.

As a rule, routers do not have microphones or speakers. One exception is the Starry Station router which has both. The Google OnHub routers have speakers, but no microphones.

Speaking of the Starry Station router, it is, as far as I know, unique in other ways too. It is the only router I know of that runs Android. It is also the only router that has a fan for cooling.

The price for consumer routers varied from roughly $30 to $300, until late 2015 when we started to see some priced over $300. The Starry Station router was the most expensive, at $350 as of early May 2016. Then the Linksys EA9500 was released in late May 2016 at $400 (it's tri-band, 5.3Gbps MU-MIMO). The Netgear Nighthawk X10, a single router, was released in October 2016 for $500. The Eero mesh network system of three devices was released in early 2016 for $500 and remains (as of Oct. 2016) the most expensive mesh routing system. The price for business class routers can be much higher but they typically start at around $200.

Input to a router

If you are reading this page, your router will have a single Ethernet WAN port. Higher end routers have multiple WAN ports, which allows them to be connected to two different ISPs. For example, one WAN port could be plugged into a cable modem and another into a DSL modem. This is for locations where Internet access is very important. The devices connected to the router remain on-line even if one ISP fails.

Not all multi-WAN routers are the same. For example, there are smart and dumb models. The dumb ones use ISP1 all the time, until it fails, and then switch over to ISP2. Smart multi-WAN routers use both ISP1 and ISP2 all the time and balance the load/traffic between them. The smart ones can also tolerate the failure of a single ISP without anything connected to the router being aware of the problem. Also, some have more than two WAN ports. The Peplink Balance line of routers all have multiple WAN ports with high end models featuring 12 or 13.

There are also three different ways to feed the Internet into a router.

  1. The most popular is Ethernet. Whether an ISP uses cable, DSL, satellite or fiber, its modem should be able to feed into any router via Ethernet.
  2. Some routers, such as models by Peplink and Cradlepoint, can be fed by a 3G/4G/LTE modem plugged into a USB port.
  3. Finally, Peplink routers (and probably some others) also support Wi-Fi as input. That is, if you are in a hotel that only offers Wi-Fi, you can feed that Wi-Fi into a Peplink router which then produces both Ethernet LAN as output and Wi-Fi as output. I have used this at home when my cable Internet failed. A smartphone took in the LTE Internet access and created a hotspot as output. The Wi-Fi out from the phone was then fed into a Peplink/Pepwave Surf SOHO router. It worked great. All the devices that normally connect to the router via both Ethernet and WiFi continued to work without change. Way cool :-)

And, if you were wondering, both of these two issues can be combined. That is, a multi-WAN router can have one input via Ethernet and another via a 3G/4G/LTE modem.

Talking to a router

There are MANY ways to talk to a router, it is, after all, a computer.

The communication medium can be wired Ethernet, wireless WiFi, and/or Bluetooth. Some high end models have a serial console port.

In the old days, we used desktop software to talk to a router, then most of the industry migrated to a web interface. Apple still uses software, their AirPort utility. Netgear's Genie software still comes in flavors for Windows and OS X. Linksys still offers Linksys Connect software that runs on Windows and OS X.

The most common way to interact with a router is via its web interface. That is, we communicate with a website that exists inside the router. Mostly this is done via the router's internal IP address. That is, you make a request such as

       http://192.168.1.1
from any web browser. If you don't know the internal IP address of your router, see my blog Find the IP address of your home router. Some routers also respond to pre-configured names. According to RouterCheck.com using a name rather than a numeric IP address is a security weakness. For more on the security issue, see the checklist page.
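For readers on Linux, the router's internal IP address is the default gateway in the kernel routing table. The following is an added example, not code from this site or the blog mentioned above; the function names and the sample routing table are constructed for illustration, and it assumes a little-endian machine (x86 or ARM).

```python
import os
import socket
import struct

# Constructed sample of /proc/net/route for a laptop that is connected
# to the same home router by both Ethernet and Wi-Fi.
SAMPLE_ROUTE_TABLE = """\
Iface Destination Gateway  Flags RefCnt Use Metric Mask     MTU Window IRTT
wlan0 00000000    0101A8C0 0003  0      0   600    00000000 0   0      0
eth0  00000000    0101A8C0 0003  0      0   100    00000000 0   0      0
eth0  0001A8C0    00000000 0001  0      0   100    00FFFFFF 0   0      0
"""

RTF_UP = 0x0001       # route is usable
RTF_GATEWAY = 0x0002  # traffic is sent to a gateway (the router)


def hex_to_ipv4(hex_field):
    """Decode an address field; the kernel prints it in host byte order."""
    return socket.inet_ntoa(struct.pack("<L", int(hex_field, 16)))


def default_gateways(route_table_text):
    """Return (interface, router_ip, metric) for each default route,
    preferred route (lowest metric) first."""
    found = []
    for line in route_table_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 8:
            continue
        iface, dest, gateway = fields[0], fields[1], fields[2]
        flags, metric, mask = int(fields[3], 16), int(fields[6]), fields[7]
        # A default route matches every destination: 0.0.0.0 with mask 0.0.0.0
        is_default = dest == "00000000" and mask == "00000000"
        if is_default and flags & RTF_UP and flags & RTF_GATEWAY:
            found.append((iface, hex_to_ipv4(gateway), metric))
    return sorted(found, key=lambda route: route[2])


def router_admin_url(route_table_text):
    """URL to try in a browser, or None when there is no default route."""
    gateways = default_gateways(route_table_text)
    return "http://" + gateways[0][1] if gateways else None


if __name__ == "__main__":
    # Use the live table on Linux, otherwise fall back to the sample.
    if os.path.exists("/proc/net/route"):
        with open("/proc/net/route") as handle:
            table = handle.read()
    else:
        table = SAMPLE_ROUTE_TABLE
    print(router_admin_url(table))
```
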

Apple routers can only be configured from an Apple device (iOS or OS X) running the Apple AirPort utility. Technically, Apple does support Windows, in that there is an edition of the AirPort utility that runs on Windows, but it has not been updated for a very long time. In the old days Apple routers could talk to network software via SNMP (Simple Network Management Protocol), but no more.

Apple was the only company making routers without a web interface, but in September 2015, Google introduced their first router (OnHub) and it too had no web interface, relying solely on a smartphone app for configuration. Since then many other routers have followed suit, discarding a web interface for a mobile app. In fact, since then, Apple has discarded their routers altogether. They never admitted it, and they continued to sell them, but it was reported that all the employees who had been working on their routers were transferred to other jobs.

After the web interface came the cloud. Hardware manufacturers created websites that could talk to and control your router. You need to register with the manufacturer website and get a userid/password. Then, you can talk to your router from anywhere in the world. The cloud service for Peplink is called InControl2. Cisco called their Connect Cloud back when they owned Linksys. D-Link calls theirs mydlink cloud services and some of their routers are marketed as "Cloud Routers". Ruckus calls theirs CloudManager, eWON calls theirs Talk2M. According to this article, the only way to configure a Meraki router is via the cloud.

I am not a fan of this method. As I see it, it requires me to trust every employee of the router manufacturer. I am not that trusting. And, with Dynamic DNS (DDNS) it has always been possible to communicate with a router from anywhere.

A touch screen Ubiquiti AmpliFi router

Some routers have a touch screen interface. Amped Wireless was, I believe, the first to market with this. Their TAP-R2, TAP-R3 and Securifi Almond+ all feature touch screens. So too, does the Starry Station router and the Ubiquiti AmpliFi series, shown here at the right. The AmpliFi has been adding new features to its touch screen. You can even use it to upgrade the firmware.

No doubt, smartphone apps are the wave of the future when it comes to communicating with a router. As noted above, Google exclusively uses a smartphone app to communicate with its router, as do Eero and others. The aforementioned Netgear Genie software also runs on iOS and Android. Peplink has smartphone apps for iOS and Android, but they are not nearly as full featured as the web interface of their routers.

Eero routers, after plugging them into a modem, pair up with a smartphone over Bluetooth for the initial setup procedure. This is becoming more common. Luma does it too and the upcoming Portal router (expected later in 2016) will also work this way.

Nerds may talk to a router using SSH or Telnet. Monitoring software may talk to it using SNMP. Some software communicates using UPnP. Netgear Genie software uses the SOAP protocol to talk to its routers, and a bug with this was disclosed in Feb. 2015. I probably left something out.

There are no standards for communicating with a router. Even limiting ourselves to just the web interface, they are all different. Even a single vendor will have different web interfaces for different router models. And, the web interface for a single router may drastically change over time. Worse still, there are also no naming standards. Thus, the same feature may well have six different names from six different companies.

New router setup

In the old days, a new router included setup software on a CD. Now, if a CD is included, it probably contains setup instructions and a manual. Any software on a CD is likely to be old.

New routers are configured either by logging in to a web interface, or, with a smartphone app. Apple routers are their own category, they are configured using Apple software included in iOS and OS X.

I wrote up instructions on setting up a new router. In brief, let me say here that all router instructions say to connect a new router to the Internet first thing. I disagree with this advice, as I think there are a few security changes you should make beforehand, while the router is still offline. The Google OnHub routers are the only ones I know of that can not be configured off-line. After making these few changes, then the first thing to do when the new router goes online is to check for bug fixes, a.k.a. firmware updates.


This page was last updated: March 21, 2018 5PM CT     
Created: February 2, 2015
Copyright 2015 - 2018