Traveling? Pack a router

If you are traveling with a laptop or netbook, you'll be better defended if you also pack a travel router. Routers perform multiple functions; the defensive computing aspect comes from the firewall.

But, you may be thinking, your operating system has a firewall. True, but the firewall in a router is better defended* and better configured. So much so, that even households with a single computer should consider purchasing a router, just for the firewall.

A firewall sounds like a strong thing, but it's merely a set of IF tests. If condition A, do action B. Yada yada yada. One wrong IF test and there's a hole in your defenses.

The firewall in a router starts with a single IF test: if a data packet arrives from the outside world that wasn't requested by a computer on the LAN, the packet is discarded. In other words, it denies all incoming unsolicited attempts at communication. To put it in Star Trek terms, the router does not respond to hailing frequencies from unknown ships.

This default mode of operation should serve non-techies very well. Only nerds dealing with DMZs and virtual servers should need to define exceptions.
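
The single IF test described above, followed by what one exception does to it, as an added example that is not part of the original article. It is a toy Python model rather than router firmware; every address except 10.34.0.1 and all port numbers are constructed for illustration.

```python
from dataclasses import dataclass, field

WAN_IP = "203.0.113.5"  # constructed: the router's outside address


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class RouterFirewall:
    flows: dict = field(default_factory=dict)       # replies the LAN asked for
    exceptions: dict = field(default_factory=dict)  # (proto, port) -> LAN host
    log: list = field(default_factory=list)         # discarded packets

    def outbound(self, p: Packet) -> None:
        # A LAN computer opens a conversation; remember who may answer it.
        self.flows[(p.proto, p.dst, p.dport, p.sport)] = p.src

    def inbound(self, p: Packet):
        """Return the LAN host that receives the packet, or None if discarded."""
        requested = self.flows.get((p.proto, p.src, p.sport, p.dport))
        if requested:                      # the single IF test
            return requested
        forwarded = self.exceptions.get((p.proto, p.dport))
        if forwarded:                      # a configured exception (virtual server)
            return forwarded
        self.log.append(f"DROP {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        return None


def demo():
    fw = RouterFirewall()
    # A LAN laptop requests a web page; the reply matches the remembered flow.
    fw.outbound(Packet("tcp", "192.168.1.20", 50000, "198.51.100.7", 443))
    reply = Packet("tcp", "198.51.100.7", 443, WAN_IP, 50000)
    probe = Packet("tcp", "10.34.0.1", 40000, WAN_IP, 8080)  # nobody asked for this
    results = {"reply": fw.inbound(reply), "probe": fw.inbound(probe)}
    # One exception later, the same unsolicited packet reaches a LAN machine.
    fw.exceptions[("tcp", 8080)] = "192.168.1.20"
    results["probe_after_exception"] = fw.inbound(probe)
    results["log"] = list(fw.log)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The exception is checked only after the flow lookup fails, so it applies to any sender at all, which is why a firewall that reports itself as "on" says nothing about how much it actually blocks.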

To illustrate the blocking that a router firewall does, below is a screen shot of the log maintained by a Belkin router. A look at the timestamp shows that every few seconds, a computer at IP address 10.34.0.1 contacts the router, trying to establish communications.

[Image: routerfirewalllog.png]

The Windows firewall supports exceptions to the simple deny-if-not-first-requested rule and turns on a number of exceptions by default. You can configure the XP firewall to not allow any exceptions with the simple checkbox shown below. You get to this from the Control Panel, by selecting Network Connections, then clicking on "Change Windows Firewall settings".

[Image: windowsfirewallonoff.jpg]

If exceptions are allowed, then software can define an exception for itself without your being notified. The exceptions on the Windows XP machine I'm writing this on are shown below.

[Image: windowsfirewallexceptions.png]

When you consider firewall exceptions, the Windows Security Center in XP is a sham. If it reports that all is well, and the firewall is running, that tells you nothing about the exceptions which may make the firewall as porous as Swiss cheese. 

I'm not a Mac person, but when Leopard first shipped, the firewall was turned off. In fact, if the firewall was on in the previous version of OS X, upgrading to Leopard on the same machine turned it off. Oops.

Despite the firewall in a router, you should still run a firewall program on your computer. Two levels of protection are better than one.

The subject of travel routers came up in the May 14th episode of Steve Gibson's Security Now! podcast. He told of someone who travels with a small router and uses it both for the firewall and for converting an Ethernet connection to Wi-Fi.

Travel routers, as they are known, vary widely.

The one discussed by Gibson had Ethernet input and Wi-Fi output which is, probably, the norm. My travel router is a CradlePoint CTR350, shown below next to an Asus Eee PC. In one mode, the CTR350 takes a 3G signal as input and offers both Ethernet and Wi-Fi G as output. In another mode, the single Ethernet port can function as input, while the router provides Wi-Fi output.   

[Image: travelrouter_and_asuseee.jpg]

One downside to the CTR350, and the travel router Gibson discussed, is that they need electricity. The picture above shows that the AC adapter for the CTR350 is almost as big as the router itself.

CradlePoint also offers the battery powered PHS300, but it doesn't have an Ethernet port. The new MiFi 2200 travel router is also battery powered, has no Ethernet port and takes a 3G signal as input. However, it doesn't need a separate 3G modem. Whatever your needs, there should be a travel router to match them. 

ROUTER CONFIGURATION

Regardless of the size of your router, there are a few configuration changes you should make.

First, change the default password for accessing the internal administration website. I wrote about changing the password last year; see "Defending your router, and your identity, with a password change". You may want to tape the IP address, userid and password to the router so they can't be forgotten.

Turn off Universal Plug and Play.

Turn off remote administration (especially on a travel router).

Choose a long WPA or WPA2 password. WPA passwords are vulnerable to offline brute force attacks, so the longer the password the better. Think of it as a pass sentence. A good password is one that you can't possibly remember, so tape this to the router too.

I suggest configuring the DNS in the router to always use OpenDNS rather than the default ISP DNS. Specifically, this means using these DNS servers: 208.67.222.222 and 208.67.220.220.

Update May 21, 2009: As a commenter below pointed out, there are times when OpenDNS cannot be used while traveling. He referred to hotels that use their DNS to redirect you to an initial log-in page. I have experienced problems using OpenDNS twice while connecting to public networks; the last time was on Delta airlines.

And, router or not, any time you are at a hotel you really should use a VPN.

*One reason router firewalls are better defended is that a password is needed to make any configuration changes. Then too, the only software that runs on the router is that which the vendor pre-installed. 
