How to choose a router for your business
- — 16 February, 2012 01:41
Buying a router for a business isn't as simple as picking a consumer product with the best ratings from an online merchant or the best price on the shelf at a local electronics superstore. Your company has serious needs, such as supporting scores of users (including guests) on the network, and locking down company data to guard against snoops.
Before shopping for networking gear, you need to understand the types of equipment available, as well as their typical uses and features. Read on for an introduction to router equipment, along with an explanation of the features to watch for.
Types of Routers
If you need to support only a dozen computers and Wi-Fi devices at the most, a simple consumer or small-business wireless router should suffice. These routers typically provide enough Wi-Fi coverage for a 1500- to 2000-square-foot, two-story office space. They'll provide four ethernet ports for hard-wiring computers into the network or for adding other components, such as network-capable printers, network storage, or additional wireless access points for more Wi-Fi coverage.
If you need to support more than a dozen computers and devices, or if security is crucial to your operations, you need something more than a simple wireless router. You have two main types to consider.
VPN router/firewall: These products, a step up from a basic wireless router, can be wireless or ethernet-only; the latter type requires that you add access points for Wi-Fi coverage. These routers have an integrated virtual private network server, and sometimes offer advanced features (more on those later) such as VLAN support and multiple SSIDs (if wireless).
UTM (unified threat management) gateway or firewall: These routers include advanced features and usually are ethernet-only with four to eight ports, thus requiring separate access points for Wi-Fi connectivity. In addition to serving as your router and Internet gateway, as well as providing a VPN server and firewall, these units typically also include virus and malware protection, content filtering, antispam functions, and intrusion detection and prevention.
The additional security features usually require monthly or yearly subscription fees. You’ll still want virus and malware protection on each user computer due to the limitations of network-based products, though, since they can’t monitor local behavior on PCs or inspect SSL-encrypted traffic.
As you shop, you'll probably encounter other buzzwords referring to devices that are similar to UTM products, including unified security gateways and Internet security appliances.
Expanding Ethernet Ports or Wi-Fi Coverage
If you require more ethernet ports than what a router, gateway, or firewall provides (regardless of the type), you'll need to purchase an ethernet switch. This device is basically a smart hub that expands the amount of ethernet ports you have, similar in concept to a USB hub or even an electrical power strip. You’ll find a few different types.
An unmanaged switch is the simplest; it doesn’t require any configuration, but lacks advanced features and is best for small and uncomplicated networks. A smart or web-managed switch allows configuration of the switch ports--supporting popular advanced features such as VLAN, bandwidth control, 802.1X authentication, and SNMP--and is suitable for most small to midsize businesses.
If you need more Wi-Fi coverage than a wireless router can give, or if you choose an ethernet-only router/gateway/firewall, you can add wireless access points to your network. Access points are, in essence, wireless routers that lack the routing capability. You connect an access point by running ethernet cabling from its single ethernet port to a port on your router/gateway/firewall or switch. The most basic access points broadcast a single SSID (network name), whereas most business-class access points support VLANs and allow you to broadcast multiple SSIDs.
Standards and Features for Wi-Fi
When shopping for a wireless router or access points, note that the different wireless standards each have varying maximum speeds. At the least, you’ll want to go with 802.11n (which some vendors call Wireless-N). If you have close neighbors, consider a dual-band router or access point that also works in the 5GHz frequency band, which provides more channels and is less congested than the common 2.4GHz band.
Starting in late 2012, keep your eyes open for routers and access points supporting the newer 802.11ac standard, which will offer even higher speeds. However, the earliest 802.11ac products likely will be based on the draft specification, and may not be upgradable to the full, completely finalized standard.
Remember, your Wi-Fi-equipped computers and devices will achieve the highest possible speeds with newer 802.11n and 802.11ac routers or access points only when they too support the same standard. All of the wireless standards are backward-compatible with one another; but computers or devices using an older wireless standard won’t perform as well, and they can even negatively affect the performance of your entire wireless network.
If you have laptops, netbooks, or desktops that support a wireless standard that's older than that of your wireless router or access points, you can upgrade them with a PCI card, PCIe card, PCMCIA card, or USB wireless adapter. Wi-Fi smartphones and tablets, however, aren’t usually upgradable.
When buying any networking gear that has ethernet ports, consider the following related features and specs.
Ethernet speed: For routers, gateways, firewalls, and switches, focus on those models that support gigabit ethernet (1000 mbps) for higher speeds on your hard-wired computers. Keep in mind the speed that each of your computers supports, which you can upgrade with a PCI or PCIe ethernet card.
Switching capacity: If you do require a network switch, assess competing models' switching capacity to compare the total maximum simultaneous bandwidth supported.
Dual or backup WAN: If Internet access is crucial to your operations, consider routers, gateways, or firewalls that have a second WAN port or that support a 3G/4G card for failover or load balancing in case your main Internet connection goes down.
PoE support: If you plan on running wireless access points throughout, consider routers, gateways, firewalls, switches, and access points that support Power over Ethernet so that the power can run through the ethernet cabling with the data. This feature can save time and money, in contrast to the effort it might take for you to place access points near electrical outlets or to run new electrical lines.
DMZ port: If you have a server or another device that needs direct access to the Internet, consider a router, gateway, or firewall that has a dedicated DMZ port. Remember, though, that most models allow you to assign certain computers to the DMZ via the settings, without a dedicated port.
VPN Server for Secure Remote Connections
A router, gateway, or firewall with a VPN server supports remote connections so that users out of the office can securely access the network, or so that multiple offices can link together in a site-to-site arrangement. A few different VPN types are available.
PPTP: Nearly all operating systems and mobile devices support Point-to-Point Tunneling Protocol with a built-in VPN client, but it doesn’t have the best security. Connectivity issues can arise when users remotely connect from networks that don’t allow VPN pass-through.
L2TP/IPsec: Also widely supported among operating systems and popular mobile devices, Layer 2 Tunneling Protocol has better security than PPTP. However, it's usually more complicated to configure, and it too can produce connectivity issues when users remotely connect from networks that don’t allow VPN pass-through.
SSL: The Secure Sockets Layer protocol allows remote users to connect via a Web browser--eliminating the VPN pass-through issue--and doesn’t require full client software. You can install a small plug-in via the browser to facilitate tunneling of a user’s Web browsing and email traffic. Additionally, some SSL VPN methods offer a Web portal in which users can access applications and email without any VPN client; such a setup would be convenient when they need to connect from home or on another noncorporate computer rather than on a work laptop.
OpenVPN: This protocol is usually included only on routers preloaded with the open-source DD-WRT firmware, and most built-in clients on computers or mobile devices don't support it. As a result, you’ll have to install third-party VPN client software on the computers or devices for remote user connections. But OpenVPN offers greater security and more reliable connections from networks that don’t allow VPN pass-through.
VLAN Support to Separate Traffic
Most business-class networking gear supports virtual LANs, which allow you to create multiple separate virtual networks inside a single network. You can, for example, create one VLAN for your private network (or more to support different departments) and another for public access by visitors; this arrangement prevents the guests from connecting to your computers or snooping on your traffic.
You can create VLANs on your router, gateway, or firewall, and then you can assign each ethernet port to a VLAN (and one to the SSID, if it’s wireless too). If you’re also using a separate switch that supports VLAN, you can assign each of its ports to a VLAN.
Multiple SSIDs to separate Wi-Fi traffic: Business-class wireless access points and wireless routers typically support multiple SSIDs, in what is basically a wireless variant of a VLAN. You can create multiple network names to broadcast from a single access point or wireless router, each with its own wireless and security configuration. Then you can assign each SSID to a VLAN.
Wireless guest access to secure private traffic: Some of the more advanced consumer-level wireless routers have a guest feature, which uses VLANs and multiple SSIDs to create a separate Wi-Fi network for visitors. This is a great way to quickly and easily create a secondary wireless network, but typically it doesn’t allow configuration such as adding custom VLANs or assigning ethernet ports to the guest VLAN.
USB Port to Share Files or Printers
Some premium consumer-level wireless routers have a USB port so that you can plug in a USB flash drive or hard drive to share files on the network. Though you can always share folders to the network in Windows, sharing at the router provides a central storage location and doesn’t require a certain PC to remain powered on. But keep in mind that most routers offering USB port sharing require you to install software on the PCs in order to access the shared drive.
Business-class routers, gateways, and firewalls usually don’t have USB ports. To compensate for that, you can buy or create a separate component called a network-attached storage device. Your NAS can provide many more sharing features, including native sharing, in which no software is required on PCs for you to access the storage, as well as the ability to control who has access to the shares.
Quality of Service Support to Prioritize Traffic
Most routers, gateways, and firewalls provide a Quality of Service feature that lets you prioritize network traffic. You can, for example, give voice and video traffic (from VoIP phones or Skype, for instance) higher priority since they’re much more sensitive to lags than Web browsing and other traffic. Another example is giving a certain computer or device more priority than others, or less priority for guest access.
Even the majority of advanced consumer-level wireless routers have QoS settings, but business-class equipment may allow more customization and more sophisticated functionality.
RADIUS Server to Run Enterprise Wi-Fi Security
If your business has more than a dozen or so wireless computers and devices (including smartphones and tablets), consider using enterprise-class Wi-Fi security (WPA or WPA2 with 802.1X), which lets you create a unique username and password for each user that connects via Wi-Fi.
The personal or pre-shared key (PSK) mode of WPA or WPA2 is easier to set up than the enterprise mode, but it isn’t ideal for business networks. It lets you create only a single password for the Wi-Fi network, which becomes an issue if a laptop, tablet, or smartphone is lost or stolen: If a computer or mobile device were to go missing, you would want to change the Wi-Fi password so that the thief couldn’t come to your location and connect, but that would mean changing the password on all of your other Wi-Fi computers and devices as well.
To use the enterprise mode of WPA or WPA2 security, however, you must have a RADIUS server, which handles the 802.1X authentication. You can set up your own with the open-source FreeRADIUS server if you’re a Linux administrator or if you purchase a Windows program such as Elektron. If you don’t want to run your own server, consider buying an access point with a built-in RADIUS server, such as from ZyXel. Alternatively, use a hosted RADIUS service if you don’t want to run one at all.
Content Filtering to Block Inappropriate Sites
Many consumer-level routers have a built-in feature to block specific sites, while more-advanced models and UTM gateways may have a more comprehensive filter to block adult sites, malware, and other inappropriate material automatically. However, don’t worry too much about this feature when choosing your router: You can always use the free OpenDNS service to provide filtering for your entire network on any router.
Routers on the Market
Smaller businesses can usually get away with using a consumer-level router. But if you require more functionality or security, consider a VPN router/firewall or a UTM gateway. Here's what several current router and gateway models offer.
- D-Link Xtreme N Gigabit Router (DIR-655): This advanced consumer-level wireless router supports gigabit ethernet and sports a wireless guest feature, QoS settings, and a USB port for sharing a drive or printer.
- Cisco Wireless Network Security Firewall Router (RV220W): In this business-class wireless router, you'll find dual-band Wi-Fi and gigabit ethernet. Additionally, it provides several VPN-server options, VLANs, and multiple SSIDs.
- Netgear ProSecure UTM Firewall with Wireless N (UTM9S): A UTM firewall/gateway offering dual-band Wi-Fi and gigabit ethernet, this product provides antimalware and antispam functions, content filtering, and intrusion protection. It supplies dual WAN support, several VPN-server options, VLANs, and multiple SSIDs, too.
Finally, consider buying a consumer-level wireless router and uploading aftermarket open-source firmware such as DD-WRT to give it business-class features and to add customization. Or, purchase preloaded routers at a site such as Flash Routers.
Eric Geier is a freelance tech writer. Become a Twitter follower to keep up with his writings. He’s also the founder of NoWiresSecurity, which helps homes and businesses easily protect their Wi-Fi network with Enterprise (802.1X) security.