ZIFFPAGE TITLED

 
 
By Loyd Case  |  Posted 2003-01-03 Email Print this article Print
 
 
 
 
 
 
 


-Link DI-764">
Product: D-Link DI-764
Web Site: www.dlink.com
Pro: Easy setup; 802.11a/b; Good spread of security features
Con: Pricey (because of the 802.11 radios); Naming conventions for security features can be somewhat confusing; no stateful packet inspection; 802.11a requires D-Link client hardware; wall-wart power supply.
Summary:       No SPI means use this only if you need wireless support.
Score:
Street Price: $240, check prices
Without a doubt the most feature-laden (and most expensive) of the four routers we looked at, D-Links DI-764 has nearly all the admin tools you could want, four 10/100 switched Ethernet LAN ports, one 10/100 WAN port, and 802.11a and b support. The DI-764 uses a TI 802.11b chipset which has a turbo mode called 802.11B+, as well as a higher-speed mode for 802.11a (using Atheros silicon), called Turbo.
As it turns out from our NetPerf testing for streaming media over different kinds of networks, these enhanced operation modes provide small performance improvements in throughput, but nowhere near the claimed speeds. However, both 802.11a and b have sufficient bandwidth and low enough ping times to facilitate multiplayer gaming, which for the purposes of this story are what were most interested in. If you want to use these features, though, youll need to buy all D-Link hardware to get the best results. Plus, in the case of 802.11a, youll need to have D-Link hardware to talk to this routers access point. Despite these issues however, the DI-764 has a full spread of configuration options to let you lock your LAN down tight. No SPI: One feature missing from the DI-764 is Stateful Packet Inspection (SPI), which at this price-point, should be a standard item. In brief, SPI looks not only at individual packets origins, destinations and protocol type, but also looks at groups of traffic to have a better idea whats happing both on your LAN and on your incoming and outgoing network traffic. For more on this topic, head over to our Home LAN Security story.
Getting the DI-764 running was very straightforward, and the Web-based admin interface has an initial setup wizard that allows you to configure the most vital settings. We had the DI-764 configured and ready to roll in about five minutes. One of the 764s more interesting features is its ability to be configured for specific applications that require multiple connections. And these applications have difficulty working in NAT configurations. For instance, Unreal Tournament uses ports 7777-7779, but communicates with the Master Server at Epic Games on port 27900. Using Port Forwarding, you would have to open ports 7777-27900, which is one-third of all the ports available in TCP/IP. But using the DI-764s Special Applications feature, we were able to open ports 7777-7779 and 27900, allowing UT the necessary open ports to get a server going on the Net. The DI-764 comes pre-configured for Battle.net, Dialpad, ICU II, MSN Gaming Zone, PC-to-Phone, and QuickTime 4. This feature is essentially Port Triggering by another name, since the opening of the specified ports happens only when a request is made from behind the LAN. In the panel, youll see both private and public trigger ports listed, but in the DI-764s menus, the feature is called "Applications", and lives under the "Advanced" menu header. Whats cool about this is that ports get opened only when a machine from behind the firewall requests it, and once that session is terminated, the port is then closed off again. While there may be some vulnerability while the session is open, the needed port doesnt sit in an open state 24/7. However, one limitation of this feature is that only one app can use the Special Application Tunnel at a time. So if Junior has a server going for a grip-it-and-rip-session of UT 2003 and dad wants to fire up an Age of Mythology server, hell have to send Junior out to wash the car. We then scanned the DI-764 using Nmap, and looked at the port addresses used by Unreal Tournament. On TCP, Nmap reported these ports as being filtered, whereas on UDP, it reported them being open. Nmaps method of determining whether a given UDP port is open however seems a bit suspect to us. It sends 0 byte UDP packets to the specified port of the target machine. If Nmap receives an "ICMP port unreachable," the port is assumed to be closed. However, if no response is received, Nmap assumes the port to be open. While we like Nmap as a testing tool-- we believe this particular method of port state determination is flawed, since a UDP port isnt obliged to answer a scan, whether its open or closed. Our concern is that the routers we tested here may be ignoring the port scan and discarding the probe packets, meaning that the ports are not open, and therefore do not pose a security risk. The reason we have some doubt about Nmaps findings is that we tested a wide variety of UDP port address ranges, and Nmap reported all of them as being opened, which we seriously doubted. Our suspicions were confirmed first by the DI-764s log, which registers attacks and has the option to log dropped packets, and it reported events like the following. As it turns out, we were correct in our suspicions. A look at the DI-764s log file revealed that it was discarding the packets from the packet scan, and not responding to it, which yielded the false report that the ports were open.
Dec/20/2002
15:40:02 Drop TCP packet from WAN 204.1.226.228:10025 65.241.156.5:25
Rule: Default deny
We also ran another port scan using a tool from Gibson Research called NanoProbe, which you can run on your system here. It scans ports for FTP (21), Telnet (23), SMTP (25), Finger(79), HTTP (80), POP3 (110), IDENT (113), RPC (135), NETBIOS (139), IMAP (143), HTTPS (443), MSFT DS (445) and UPnP (5000). This scan showed no vulnerabilities on the router. Next, we tried to see a shared folder on a Windows machine that was behind the routers firewall. Windows file sharing uses ports 139 and 445, and TCP port scans of both of these ports showed them to be filtered, and both of these ports are locked out by default. We were unable to see either the machine itself, or the shared folder on the target machine. Looking at its wireless configuration, the DI-764 has most of the admin features weve come to expect in access points. Missing, however, is the ability to explicitly disable ESSID broadcasting, which announces the APs presence (whether WEP is enabled or not). When this feature is disabled, the ESSID would have to be known by the client in order to connect to the AP. Disabling ESSID broadcasting offers one more layer of security, along with WEP, to try and keep unwanted guests out of your wireless network. Neither is bulletproof of course, but D-Link should add this feature to the next firmware revision. We checked D-Links site to verify that the test unit we looked at was up to date with its firmware, and it was. The DI-764 is the priciest router we looked at among the four, but for good reasons. Its dual-band 802.11 support, coupled with its relatively full compliment of admin features actually makes it a good value for its $240 street price. However, it lacks Stateful Packet Inspection, which for a router in this price range wed like to see it included. If youre keen on using 802.11a, youll need to invest in additional D-Link hardware to be able to talk to the DI-764. The only reason to consider this router over either the D-Link DI-604 or the LinkSys BEFSR81 is if you really need wireless networking in addition to a broadband router. However, even then, you may wish to consider a separate access point in lieu of the DI-764, as it increases your number of options.


 
 
 
 
Loyd Case came to computing by way of physical chemistry. He began modestly on a DEC PDP-11 by learning the intricacies of the TROFF text formatter while working on his master's thesis. After a brief, painful stint as an analytical chemist, he took over a laboratory network at Lockheed in the early 80's and never looked back. His first 'real' computer was an HP 1000 RTE-6/VM system.

In 1988, he figured out that building his own PC was vastly more interesting than buying off-the-shelf systems ad he ditched his aging Compaq portable. The Sony 3.5-inch floppy drive from his first homebrew rig is still running today. Since then, he's done some programming, been a systems engineer for Hewlett-Packard, worked in technical marketing in the workstation biz, and even dabbled in 3-D modeling and Web design during the Web's early years.

Loyd was also bitten by the writing bug at a very early age, and even has dim memories of reading his creative efforts to his third grade class. Later, he wrote for various user group magazines, culminating in a near-career ending incident at his employer when a humor-impaired senior manager took exception at one of his more flippant efforts. In 1994, Loyd took on the task of writing the first roundup of PC graphics cards for Computer Gaming World -- the first ever written specifically for computer gamers. A year later, Mike Weksler, then tech editor at Computer Gaming World, twisted his arm and forced him to start writing CGW's tech column. The gaming world -- and Loyd -- has never quite recovered despite repeated efforts to find a normal job. Now he's busy with the whole fatherhood thing, working hard to turn his two daughters into avid gamers. When he doesn't have his head buried inside a PC, he dabbles in downhill skiing, military history and home theater.
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...

 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel