Maximum security from a consumer router?


MustacheSwe

Occasional Visitor
I am today running a consumer-grade ASUS RT-AC68U router.

Getting very tired of:
  1. Constant security issues (that may or may not be fixed via Firmware upgrades after weeks or months), for example due to old, not updated, underlying packages/software
  2. Lack of automatic updates (at least critical security flaws should just be auto-fixed without requiring me to manually find out that there is even an issue, and then fixing it myself)
  3. Total lack of security and privacy consciousness among the router manufacturers, for example: (a) Asus Router iPhone App that suddenly Enabled Remote (WAN) Access without informing me about it; (b) 16-char max length of password, (c) no multi-factor-authentication for admin account, (d) AI Micro harvesting personal information without that clearly being communicated [https://www.reddit.com/r/privacy/comments/3vxg07/does_trend_micro_steal_web_browsing_history/] etc etc (examples from my current Asus router, but had very similar experience with my previous Netgear consumer router).
Questions: Aside from using/configuring best-practice settings for a consumer router, is there anything more I can do?
  • If I were to install a firmware such as DD-WRT, Tomato or Merlin, would that really help? I am not really interested in tweaking or getting more fancy features. I am only (well, mainly) interested in highest possible security and privacy
  • If I were to invest in a SOHO- or enterprise-grade router, would that really help? Or would that still rely on myself identifying all upcoming security issues, and taking measures?
 

coxhaus

Part of the Furniture
Router hacks happen, who knows when. But things should not be changing without you knowing.

Tomato was good in its day. But it is starting to get old. Their kernel is falling behind.

An enterprise router will give you reliable service 100% of the time if you can afford one. They still have hacks and they are harder to upgrade. Plus a lot of upgrades cost money.

I have been running the same router for a while without too many updates. I stopped and ran pfsense for a while, maybe 2 years. pfsense does require a lot of upgrades and attention. Somewhere along the way my pfsense stopped painting web page screens very fast. I went back to my old Cisco RV320 router and started running it again. I realized how much less attention I had to deal with on my RV320 router vs the pfsense I just quit using. pfsense requires much more attention.

NAT is the main security feature for firewalls at home. The fewer holes you poke through it, the more secure you are.

Merlin seems easy to try since you already own an Asus router. I have never run either.
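The "holes poked through NAT" that coxhaus refers to are concrete, auditable things: DNAT port forwards in the nat table and ACCEPT rules on the WAN interface in the filter table. The script below is an added example (not from this thread or any router vendor) that parses an `iptables-save` style dump and lists every such exposure, so you can compare what the router is actually doing against what you think you configured. The WAN interface name and the rule dump are constructed assumptions; on a real device you would feed it the output of `iptables-save` and substitute the real WAN interface.

```python
"""Audit an iptables-save dump for services reachable from the WAN side.

Added example for this thread. Reports three kinds of exposure:
  * port-forward   : DNAT rule in nat/PREROUTING on the WAN interface
  * router-service : ACCEPT rule in filter/INPUT on the WAN interface
  * open-policy    : filter INPUT or FORWARD chain whose default policy is ACCEPT
"""
from dataclasses import dataclass

# Assumed WAN interface name (constructed; on a real router check `ip route`).
WAN_IF = "eth0"

# Constructed sample in iptables-save format. It deliberately contains a
# remote-admin style forward (8443 -> the router's own HTTPS port), a game
# server forward, SSH open on WAN and an IPsec port open on WAN.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 8443 -j DNAT --to-destination 192.168.1.1:443
-A PREROUTING -i eth0 -p tcp --dport 25565 -j DNAT --to-destination 192.168.1.50:25565
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
-A FORWARD -i eth0 -p tcp -d 192.168.1.50 --dport 25565 -j ACCEPT
COMMIT
"""


@dataclass(frozen=True)
class Exposure:
    kind: str         # "port-forward", "router-service" or "open-policy"
    proto: str        # "tcp", "udp" or "any"
    dport: str        # destination port or "any"
    destination: str  # forwarded-to host:port, "router", or the chain name


def _opt(tokens, flag):
    """Return the value following `flag` in a tokenised rule, or None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok == flag:
            return tokens[i + 1]
    return None


def parse_dump(text):
    """Split an iptables-save dump into chain policies and -A rules.

    Returns ({(table, chain): policy}, [(table, tokens), ...]).
    """
    table = None
    policies = {}
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                 # *nat, *filter, ...
            table = line[1:]
        elif line.startswith(":"):               # :CHAIN POLICY [pkts:bytes]
            name, policy = line[1:].split()[:2]
            policies[(table, name)] = policy
        elif line.startswith("-A "):             # an appended rule
            rules.append((table, line.split()))
    return policies, rules


def find_exposures(text, wan_if=WAN_IF):
    """List everything in the dump that lets WAN traffic in."""
    policies, rules = parse_dump(text)
    found = []
    for table, tokens in rules:
        chain = tokens[1]
        if _opt(tokens, "-i") != wan_if:         # only rules matching WAN ingress
            continue
        target = _opt(tokens, "-j")
        proto = _opt(tokens, "-p") or "any"
        dport = _opt(tokens, "--dport") or "any"
        if table == "nat" and chain == "PREROUTING" and target == "DNAT":
            dest = _opt(tokens, "--to-destination") or "?"
            found.append(Exposure("port-forward", proto, dport, dest))
        elif table == "filter" and chain == "INPUT" and target == "ACCEPT":
            found.append(Exposure("router-service", proto, dport, "router"))
    # A default ACCEPT on INPUT/FORWARD exposes everything not explicitly dropped.
    for (table, chain), policy in policies.items():
        if table == "filter" and chain in ("INPUT", "FORWARD") and policy == "ACCEPT":
            found.append(Exposure("open-policy", "any", "any", chain))
    return found


if __name__ == "__main__":
    for e in find_exposures(SAMPLE_DUMP):
        print(f"{e.kind:15} {e.proto:4} dport={e.dport:6} -> {e.destination}")
```

On the constructed dump the audit reports four exposures; the first, a forward from WAN port 8443 to the router's own 443, is exactly the kind of silently enabled remote administration the original post complains about. Each line in the report is a hole you either intended or should close.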
 

CrystalLattice

Senior Member
I am today running a consumer-grade ASUS RT-AC68U router.

Getting very tired of:
  1. Constant security issues (that may or may not be fixed via Firmware upgrades after weeks or months), for example due to old, not updated, underlying packages/software
  2. Lack of automatic updates (at least critical security flaws should just be auto-fixed without requiring me to manually find out that there is even an issue, and then fixing it myself)
  3. Total lack of security and privacy consciousness among the router manufacturers, for example: (a) Asus Router iPhone App that suddenly Enabled Remote (WAN) Access without informing me about it; (b) 16-char max length of password, (c) no multi-factor-authentication for admin account, (d) AI Micro harvesting personal information without that clearly being communicated [https://www.reddit.com/r/privacy/comments/3vxg07/does_trend_micro_steal_web_browsing_history/] etc etc (examples from my current Asus router, but had very similar experience with my previous Netgear consumer router).
Questions: Aside from using/configuring best-practice settings for a consumer router, is there anything more I can do?
  • If I were to install a firmware such as DD-WRT, Tomato or Merlin, would that really help? I am not really interested in tweaking or getting more fancy features. I am only (well, mainly) interested in highest possible security and privacy
  • If I were to invest in a SOHO- or enterprise-grade router, would that really help? Or would that still rely on myself identifying all upcoming security issues, and taking measures?
Best bet is openwrt flashed onto a cheap router with wifi turned off. Study up and add minor changes to increase security changes to openwrt router. Use asus 68 as AP for a while, then replace with more expensive one flashed with openwrt. Fun project, maximum security possible at this time.
 

microchip

Very Senior Member
use something like pfsense with wifi APs

truth is, consumer router manufacturers mostly focus on BIG NUMBERS to attract many customers and security is usually an afterthought. You'd scare your pants off seeing how outdated some of the internal programs are. NETGEAR still uses wide-dhcpv6 that has not seen active development for years and their dnsmasq is also many years behind
 

sfx2000

Part of the Furniture
Best security with a consumer grade router - Airport Extreme/Extreme AC

They're BSD based, expose limited services, and they generally just work.
 

coxhaus

Part of the Furniture
Best security with a consumer grade router - Airport Extreme/Extreme AC

They're BSD based, expose limited services, and they generally just work.

I think the Cisco small business routers are pretty good. Cisco keeps up with router issues when it comes to security. They break stuff because it is not secure any more. Even before they have fixes for stuff they broke.
 

CrystalLattice

Senior Member
Best security with a consumer grade router - Airport Extreme/Extreme AC

They're BSD based, expose limited services, and they generally just work.
No further updates for airports, apple walked away from unprofitable line, sorry for us airport owners. Updated for krack attack, airports good for another year, tho
 

WiFiNemesis

Regular Contributor
I am today running a consumer-grade ASUS RT-AC68U router...

On consumer routers, I found the following useful:


I went with Synology: 3rd party verified core software, transparent security reports, frequent updates, declared support lifetime, decent support. With everything running thru VPN client and Intrusion Protection enabled, performance is good, CPU rarely exceeds 50% utilization. Everything is set to update automatically, so far no problems.
 

MustacheSwe

Occasional Visitor
Thanks so much, everyone, for all your great advice! Much appreciated!

Based on your comments (and some further research), I have concluded that I will probably start with trying the OpenWRT (or possibly DD-WRT or Merlin) firmwares.

I think the Synology routers may be interesting to keep an eye on. I have a DS918+ four bay NAS from Synology, which I am very happy with. But I have been using Synology NASes since 2010, and in my experience Synology's OS tends to have too many 'cool' features in the beginning, meaning that there will also be far too many bugs and other problems. But once their intrusion detection module is more stable, I think it could become interesting.
 

joegreat

Very Senior Member

CrystalLattice

Senior Member
Thanks so much, everyone, for all your great advice! Much appreciated!

Based on your comments (and some further research), I have concluded that I will probably start with trying the OpenWRT (or possibly DD-WRT or Merlin) firmwares.

I think the Synology routers may be interesting to keep an eye on. I have a DS918+ four bay NAS from Synology, which I am very happy with. But I have been using Synology NASes since 2010, and in my experience Synology's OS tends to have too many 'cool' features in the beginning, meaning that there will also be far too many bugs and other problems. But once their intrusion detection module is more stable, I think it could become interesting.
take a look at the arstechnica series on building a router; only openwrt, home-built, and an expensive Ubiquiti have smooth waveforms! Jim Salter assumed his home built had great security. after you get started, run a security checker that is not grc.com. will dig out for you. you can see by reading this blog how many problems people have with alt. firmware. I am not affiliated with openwrt. it is the base firmware for many manufacturers, but they freeze it in place & don't properly update. every 6 months you can refresh OpenWrt, which is why you don't want to make too many changes
 

CrystalLattice

Senior Member
Ha, ha, ha! That's a good April hoax: "fog calculation" and "gold mining" gave me a good laugh! :D
I guess the main idea is that routing will change over time in unpredictable ways we can only grasp at now: more ai, possibly blockchain, who knows?
 

RMerlin

Asuswrt-Merlin dev
take a look at the arstechnica series on building a router; only openwrt, home-built, and an expensive Ubiquiti have smooth waveforms! Jim Salter assumed his home built had great security. after you get started, run a security checker that is not grc.com. will dig out for you. you can see by reading this blog how many problems people have with ddwrt & merlin. I am not affiliated with openwrt. it is the base firmware for many manufacturers, but they freeze it in place & don't properly update. every 6 months you can refresh OpenWrt, which is why you don't want to make too many changes

If manufacturers would stop being paranoid regarding "protecting their IP" and provided open-source drivers, things would be much simpler. The price OpenWRT users have to pay is that they can't have working wireless on many of the popular hardware platforms due to this.

And since SoC manufacturers have little interest in keeping their official SDK up-to-date, preferring instead to push new hardware to their own customers, we end up with hardware running obsolete software from nearly day 1. And by obsolete I don't mean "a few months behind", but "a few years behind".

Router manufacturers share their part of the blame too - there's no reason why they can't keep critical components such as openssl or dnsmasq up-to-date. Quite often, updates are even direct drop-in replacements. For example, anyone using OpenSSL 1.0.0 can directly move to 1.0.2 without having to do any change to their code, and a few very minor tweaks to their makefile recipes.

I've been saying it for years: it's time router manufacturers stop treating routers as gadgets, and start treating them as the security devices they really are. These things are everyone's frontline defense on their network. That they also provide wifi is just a by-the-way, not the other way around.
 

sfx2000

Part of the Furniture
If manufacturers would stop being paranoid regarding "protecting their IP" and provided open-source drivers, things would be much simpler. The price OpenWRT users have to pay is that they can't have working wireless on many of the popular hardware platforms due to this.

And since SoC manufacturers have little interest in keeping their official SDK up-to-date, preferring instead to push new hardware to their own customers, we end up with hardware running obsolete software from nearly day 1. And by obsolete I don't mean "a few months behind", but "a few years behind".

Router manufacturers share their part of the blame too - there's no reason why they can't keep critical components such as openssl or dnsmasq up-to-date. Quite often, updates are even direct drop-in replacements. For example, anyone using OpenSSL 1.0.0 can directly move to 1.0.2 without having to do any change to their code, and a few very minor tweaks to their makefile recipes.

I've been saying it for years: it's time router manufacturers stop treating routers as gadgets, and start treating them as the security devices they really are. These things are everyone's frontline defense on their network. That they also provide wifi is just a by-the-way, not the other way around.

It's more complicated than that - yes, the OEM's have a part to play perhaps - but some of them are fairly free and open - and they publish GPL code - some enough so that the entire factory build can be reproduced. Many just push the changes to GPL and call it done.

AsusWRT is a bit complicated because of that - but to their credit, they've found a fine line within constraints - but even there - there's a lot of blobs and restrictions to make something anyone can use on the same chipset.

Speaking from experience - the real issue goes back to the SoC vendors directly - thru them, to get access to usable code, one has to sign NDAs, and even then, sometimes it's just binary blobs, not useful code to take things forward. And yes - SoC vendors' SDKs move forward - and the challenge there is integration with the current OEM code bases - esp. if one has other third party code - e.g. file system drivers, anti-virus, etc, and that can cause additional issues.

I'd love to provide a free and open BSP - but I can't legally - I'm stuck there - the code that my old Science Project built, it works great, but one would have to sign a list of NDAs to make it really work - and there, the legal issues were greater than the business issues - the engineering issues were all sorted, but my group was eventually stopped by the legal side with proprietary code and restrictions.
 

RMerlin

Asuswrt-Merlin dev
the real issue goes back to the SoC vendors directly

They're definitely the biggest road blocks there. Lots of bad decisions taken by corporate types with zero understanding of the technical bits involved, who believe that their competitor will suddenly steal all of their customers if they could see the source code showing how values are pushed to their SoC, and how results are being read back. As if their competitors aren't already able to figure that out anyway by reverse engineering the code. Those guys probably have no idea that compiled code can be decompiled, then analyzed - it's more work required than looking at the source code, but it's still very possible, and is being done already.

Microsoft kept the SMB protocol hidden for years, that didn't stop the Samba team from coming up with a working product. Ultimately, someone at Microsoft woke up, and realized it was an opportunity, and started collaborating with Samba devs.

If Lineage/Cyanogen and OpenWRT weren't held back by some of these SoC manufacturers, end-users and customers would benefit the most from it. And I'd be willing to bet my shirt that Broadcom/Qualcomm wouldn't lose business because their driver code isn't hidden in a secret safe behind an NDA requiring you to put your first born on the table as collateral.

How many additional sales would companies like Netgear get if the SoC they use could be fully supported by OpenWRT? Which would translate into more sales for Broadcom/Qualcomm. But that's a line of thought that completely escapes the corporate head honchos who are calling the shots at these companies.

Netgear (not picking on them in particular, just that it's the only manufacturer beside Asus whose firmware code I've taken a look at) also has their share of paranoia there. Their firewall configuration code is closed source for example. Ya, there's some major corporate trade secret to hide behind how you set up a bunch of iptables rules, which anyone can view ANYWAY... It only means it's next to impossible for anyone to fine tune those rules.

So meanwhile, customers end up with great hardware, but mediocre software - and very little alternative.

The cynic in me thinks that some of this code is possibly kept closed because they have something to hide. Sometimes it's that they actually stole some of that code and don't want people to find out. Other times it's to avoid embarrassing themselves by showing how piss-poor some of that code is.
 
