Are ASUS remote connetions Secure

[Col8eral]

I have an ASUS RT-AC88U router. Ive been exploring some of the remote connect features and wondered how secure they are. I really like some of these features but before exposing my home network to the big bad world i wondered if people could share their thoughts on how secure they are.

Here's the features I'm referring to:

SSH Connection

Under admin>system there is an ability to switch on SSH as well as select LAN or WAN connectivity. Once enabled I can connection the router and the USB attached storage using sftp . Is this secure?

AiCloid 2.0

Cloud disk lets me access files on USB attached storage is a DDNS https link. Is this secure?
Smart access lets me connect to other devices on my network via the same DDNS https link.

USB Application

SAMBA. I assume this is LAN only so protected from the outside world?
ftp Share. if enabled this lets me access my USB attached storage via ftp link through the DDNS service. Is this secure?

looking forward to your thoughts and experinces

 

[ColinTaylor]

How secure are they? I suppose the answer would be, "as secure as the time it takes to find the next vulnerability".

SSH Connection

The SSH server is dropbear. As far as I know it's pretty secure.

AiCloid 2.0

No idea.

USB Application

SAMBA. I assume this is LAN only so protected from the outside world?

Samba should never be exposed to the internet (I don't believe that's an option), unless it's tunnelled through a VPN, etc. It is inherently a LAN protocol.

ftp Share. if enabled this lets me access my USB attached storage via ftp link through the DDNS service. Is this secure?

Whilst the ftp server (vsftpd) is pretty robust, the normal FTP protocol is totally insecure. All data including user names and passwords are sent over the wire in plain text. Man in the middle attacks are trivial. Merlin added support for TLS encryption, so that should be fairly secure.

 

[Col8eral]

How secure are they? I suppose the answer would be, "as secure as the time it takes to find the next vulnerability".

The SSH server is dropbear. As far as I know it's pretty secure.
No idea.

USB Application
Samba should never be exposed to the internet (I don't believe that's an option), unless it's tunnelled through a VPN, etc. It is inherently a LAN protocol.
Whilst the ftp server (vsftpd) is pretty robust, the normal FTP protocol is totally insecure. All data including user names and passwords are sent over the wire in plain text. Man in the middle attacks are trivial. Merlin added support for TLS encryption, so that should be fairly secure.

Thank you colin. In regard to ftp I notice that TLS is switched off by default. I dont know anything about network security. Would enabling TLS for ftp meaan it is as secure as sftp?

 

[ColinTaylor]

Would enabling TLS for ftp mean it is as secure as sftp?

In terms of encryption I think they'd be about the same (although I'm not an encryption expert). But it should be secure enough for the average home user. I don't think the NSA/FSB are interested in you enough for them to dedicate their resources to hacking your traffic.

The actual problem is vulnerabilities in how it is implemented. On the face of it opening up HTTPS to the router should be secure. But as we have seen time and again it isn't. That's not a problem with HTTPS, it's a problem with the code that implements it. Likewise, OpenSSL was regarded as the gold standard for encryption and then the Heartbleed bug was discovered. Again, a bug in the implementation of TLS not the protocol itself.

What protocol you use is usually dictated by what you want to do at the client end. There's no point setting up an FTP server if you actually want command line access to the router (FTP doesn't support that). Likewise, there's no point setting up a VPN server if the person that needs access doesn't have a VPN client (or the ability to install and configure it).

 

[RMerlin]

SSH, OpenVPN and IPSec (on supported models) are the only remote access methods I would trust enough to use. No idea how secure AiCloud is since it's proprietary closed source code, and the FTP server is old (and under Asus stock firmware it doesn't even support TLS, so everything is unencrypted).

Samba support is limited to LAN-side.

 

[Col8eral]

In terms of encryption I think they'd be about the same (although I'm not an encryption expert). But it should be secure enough for the average home user. I don't think the NSA/FSB are interested in you enough for them to dedicate their resources to hacking your traffic.

Haha. You never know my holiday snaps might be important to national security!

the FTP server is old (and under Asus stock firmware it doesn't even support TLS, so everything is unencrypted).

Im not using the stock firmware and their is an option to enable TLS.

My main requirements are quite simple:

1. allow me to upload and retrieve files remotely. Looks like I'll be best using the SSH for sftp and use a client like WinCP. An open question - am i better off using username and password or using a private key?

2. all me and family to auto sync pictures from their android phones to keep back up. I assume I can use the same method as 1. above. Just need to find a good android app to do the job. I'd prefer it to sync automatically, to make it a fire and forget feature

3. I'd like to be able to provide my children with remote access for backup storage for school and university work. The problem I face here is they wont use WinCP. I need to find a way to make it simple for them but maintain some sort of security.

 

[RMerlin]

allow me to upload and retrieve files remotely. Looks like I'll be best using the SSH for sftp and use a client like WinCP. An open question - am i better off using username and password or using a private key?

Private keys are always much more secure.

 

[LukeH]

For #1 and #3 you could try https://hqt.ro/owncloud-through-lighttpd-entware-ng/ (if you put chrooted debian from the same site guides it can be installed with apt-get) and use it trough it's web interface. For #2 possibly it's android client would be useful but as far as I remember that piece is not free.
Can't give an educated advice on it's security as myself I always used it with VPN only - which probably won't work with your #3 but ok for the others.