The D-Link DI-701 Residential Gateway
Broadband Firewalls Drop Below $100
By Trevor Marshall
June 12, 2000
Some of us are already using cable or DSL modems. We will all have them within the next few years. But this high-speed gateway onto the Internet also opens the door for crackers to gain access to our own computers.
I remember very clearly that when I first had my cable modem connected I was surprised to see the computers of other users pop up in my "Network Neighborhood." My cable provider has long since blocked the TCP/IP ports that transported the NETBIOS commands for Windows Networking, but many potential vulnerabilities are still exposed to anybody who takes the time to search for them.
But at last, somebody has produced a simple firewall, and backed it up with FREE technical support.
And at (just) less than $100!
[Editor's note: The sub-$100 price -- Manufacturer's Suggested Retail Price (MSRP) of $119, Estimated Street Price (ESP) of $99 -- came from both a recent press release from D-Link, and interviews that Trevor Marshall conducted with D-Link management. As of June 6, 2000, the D-Link site was still showing a price of $159, offering a free D-Link five-port "Hubby" hub (selling normally in the mid-$30 range).]
The product is the D-Link DI-701 Internet Server/Firewall, a.k.a. variously on its website and in press releases as Residential Gateway, Home DSL/Cable Gateway, Home DSL/Cable Router/Gateway, and DSL/Cable Home Gateway.
As a bonus, not only does it provide security, it also lets more than one computer in a household be connected to the same modem line. I had my own computer, my wife's computer, and my daughter's computer all connected to a single cable modem. Each of the machines seemed to have equally fast access to the Internet, only slowing down when our daughter was running a dozen simultaneous Napster downloads :).
What's In The Box?
The D-Link DI-701 comes in a clear plastic enclosure, and you can see many of the components without even removing the covers. There is a 10-megabit RJ-45 Ethernet connection for your modem, and a dual-speed 10/100 BaseT interface to your computer or to your home network. A DB-9 female connector is provided for connection to a local serial console. You do not have to program the DI-701 using this serial console, but it provides a wealth of additional functionality including the 'Super-Admin' mode and a variety of supervisor commands.
At the heart of the DI-701 is a 40-MHz Am186 processor (middle right, just above the 40-MHz crystal). Three flash RAM chips make up the main memory, there is a Realtek 8019 clone for the networks, two unidentifiable glue ASICs, and a bunch of TTL to round out the design. Power is supplied from a 5-volt (2.4-amp) plugpack. There are 7 LED indicators provided to show network status.
The Am186 runs a proprietary RTOS (Real Time Operating System). It includes a Network Address Translation (NAT) server, and a Dynamic Host Configuration Protocol (DHCP) server capable of handling up to 128 client IP addresses. DHCP is supported by many operating systems, and you should have no trouble configuring this gateway to work with Windows, Linux or Macintosh machines (but see "GUI" below).
How Many Computers Can Connect To The Modem?
D-Link's documentation says that only 32 users are supported, and that the recommended load is five users. But there seems no technical reason why, if you have 128 computers in your home, they should not all be able to happily share the single modem. This would be something I suspect your ISP would not be too happy about, and a 'Set User Limit' command has been provided in the 'Super-Admin' control mode (the range of valid users is 0-128). If you buy your DI-701 from an ISP make sure they offer you access to the 'Super-Admin' control password, as I suspect you might find this limit preset to a much lower value.
Why A 'Residential' Gateway With 128 Users?
D-Link explained that this device is precluded from being used as a gateway for a large, non-residential network because it keeps no logs, and there is no way that a suspected intrusion could be traced. For most businesses this will not be a problem, and the DI-701 will function well even with 128 users, provided they are just collecting email and only occasionally accessing Web pages. If you need a low-cost gateway for your business, and you haven't been able to get my Linux-based LRP gateways working, then this could well be the answer for you.
Most Controls Are GUI Based
D-Link has provided a GUI to control and configure most of the key parameters of the DI-701 from a Windows-based computer. There is no GUI available for Mac OS or Linux at this time, although the Telnet serial interface provides all of the GUI functionality if you don't have a Windows machine handy.
The Windows GUI controls the IP address of the DI-701 gateway (the default is 192.168.0.1). It also controls all the Global Port settings for your ISP and Local Ethernet ports.
The Gateway is shipped with all incoming ports blocked. This is great for security, but if you want to run server software such as Napster, Gnutella, and some interactive games, you are going to have to unblock the ports that are specifically used by that application.
There is a GUI screen provided for that purpose. After you unblock ports, make sure you use a port scanner (such as Steve Gibson's Shields Up site) to check your security.
D-Link offers a lifetime warranty and free support with the DI-701. This gateway offers many configuration options, and to offer free technical support for it is a daring marketing innovation. There are the online DI-701 FAQs, of course, but calls to the technical support line were answered with only a remarkably short wait on hold. An excellent wall chart is supplied, detailing the connecting cables and other gateway-configuration issues.
Standardization Gives Vulnerability
As Microsoft found when Melissa and the Love virus attacked Outlook Express, having a standardized software product makes you an easier target for crackers. While a hostile attack on a Linux gateway would have to establish version-dependent vulnerabilities, once a vulnerability in a gateway such as D-Link's is uncovered, then attacks on other D-Link gateways could proceed very quickly, as all are identical. That is the rationale for the Flash memory chips. Software updates can be uploaded to the gateway in much the same way as you can update your computer's flash BIOS. Of course, there does not have to be a security vulnerability before software updates are released, and I noted that a new version, improving Point to Point Protocol over Ethernet (PPPoE) handling, has already been posted on the D-Link website.
I currently use my Linux LRP gateway to couple my home computers to my cable modem. The DI-701 does not have a caching Name Server, and this slows down name resolution a little. It is also less configurable, but a lot easier to configure and run. On balance, if I didn't have the Linux box already configured and running, I would install the D-Link gateway without hesitation. This is an excellent product. Its low price point, coupled with free technical support, could well make it a revolutionary product. I heartily recommend it as a firewall for all DSL and cable modem installations.