Home LAN Security
Irrespective of what piece of networking gear you have or are looking to buy, there are some standard rules of the road that you should follow to avoid having one, or possibly all, of the machines on your home network get trashed by some no-account script kiddie. For starters, all the routers tested here support the DMZ feature, which essentially makes one machine on your network completely open to the Internet. Game servers left unprotected in DMZs are usually brought crashing down by gamer/crackers with more time than sense. So unless you like to watch a carcass get picked over by scavengers, don't ever put an unprotected game server box into the DMZ. Even so, some games simply require DMZ to operate.
Another solid software firewall app is BlackIce, which is shareware, and a registered version goes for about $40. Note that the reviewed routers have basic firewall filtering built in, but the software firewalls tend to fill in some important gaps. For an in-depth discussion on software versus hardware firewalls, check out PC Magazine's recent story.
Features like port-triggering and port-forwarding are much better ways to put a multiplayer game server up on the Net while minimizing the threat to your server and other machines. Even so, you should run ZoneAlarm on any server box you let outsiders access. This requires some initial tweaking and permission giving to get working, but it's minimal fuss compared to a potentially massive calamity. ZoneAlarm uses two simple sliders to set internal and external security levels. We played with ZoneAlarm's settings for UT, and wound up having to dial down the external security setting from High to Medium, since the High setting essentially makes your machine invisible on the Net. We liked these sliders so much, we think they would make a great addition to the broadband routers we tested. While the routers' Web-based interfaces provide very granular control, they can be intimidating to network newbies.
A simple slider would be a helpful addition. Three of the four reviewed routers lack Stateful Packet Inspection (SPI), also referred to as dynamic packet filtering. In an opinion piece penned a while back, Bill Machrone explained SPI:
Software firewalls like ZoneAlarm can protect a DMZed system well, and you can set up specific settings to ensure that most ports are locked down to prevent unwelcome visitors from making a mess of things. ZoneAlarm is still free after all these years, although the Pro version will run you $50. The free version gives you a very good working set of features, while the Pro version adds enhanced email attachment threat quarantine and protection. The free version only quarantines VB scripts.
[With Stateful Packet Inspection,] the router is trying to be intelligent about correlating behavior over time. It rejects packets that don't conform to expected behavior. SPI also knows about common exploits, broken and incomplete packets, and a bunch of other hacks. It rejects these packets, too. The downside of SPI is that the routers are more expensive and they tend to be slower, too. The dinky little microcontrollers that run inexpensive routers are hard-pressed to keep up with the data stream, much less examine every packet heuristically and logically.
While SPI, despite the somewhat ironic acronym, would be a good added feature to the routers we've looked at here, for many it would seem to be overkill. With the combination of a NAT router, good firewall policies, and software firewall apps like ZoneAlarm, you can have your network secure enough to keep out all but the most determined crackers, and your game servers should be protected as well.
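To make the SPI idea of "correlating behavior over time" concrete, here is an added example (not from the article or any router's firmware) that runs the same traffic through a per-packet filter and a connection-tracking one. It is a simplified model that ignores NAT address translation; the forwarded port 7777, the addresses and the sample packets are all constructed assumptions.

```python
from dataclasses import dataclass

FORWARDED_PORTS = {7777}  # assumed: one game-server port forwarded to the LAN

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flags: "S", "SA", "A", "FA", "R"
    inbound: bool   # True when arriving from the Internet side

def stateless_allow(p):
    """Judge each packet alone: forwarded port, or ACK bit set ("looks like a reply")."""
    return (not p.inbound) or p.dport in FORWARDED_PORTS or "A" in p.flags

class StatefulFilter:
    def __init__(self):
        self.flows = set()  # connections for which an acceptable SYN has been seen

    @staticmethod
    def key(p):
        # Same key for both directions: (outside endpoint, inside endpoint)
        return (p.src, p.sport, p.dst, p.dport) if p.inbound else (p.dst, p.dport, p.src, p.sport)

    def allow(self, p):
        k = self.key(p)
        if p.flags == "S":  # new connection attempt
            if p.inbound and p.dport not in FORWARDED_PORTS:
                return False
            self.flows.add(k)
            return True
        if k not in self.flows:
            return False  # no SYN seen first: not expected behaviour, reject
        if "F" in p.flags or "R" in p.flags:
            self.flows.discard(k)  # simplification: forget the flow at first FIN/RST
        return True

LAN, PEER, STRANGER = "192.168.1.10", "198.51.100.5", "203.0.113.9"  # constructed
SAMPLE = [  # constructed traffic
    Packet(LAN, 50000, PEER, 80, "S", False),       # LAN host opens a connection
    Packet(PEER, 80, LAN, 50000, "SA", True),       # genuine reply
    Packet(STRANGER, 4444, LAN, 139, "A", True),    # bare ACK, no connection exists
    Packet(STRANGER, 4444, LAN, 7777, "S", True),   # new player joins the game server
    Packet(STRANGER, 4445, LAN, 7777, "FA", True),  # FIN for a connection never opened
    Packet(STRANGER, 4446, LAN, 139, "S", True),    # connect attempt, unforwarded port
]

def compare(packets):
    """Return (stateless verdict, stateful verdict) for each packet in order."""
    spi = StatefulFilter()
    return [(stateless_allow(p), spi.allow(p)) for p in packets]
```

Both filters admit the genuine reply and the new player, but only the stateful one drops the third and fifth packets, which belong to no connection it has seen open.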