
Maximum security from a consumer router?

Discussion in 'General Network Security' started by MustacheSwe, Apr 6, 2018.

  1. MustacheSwe

    MustacheSwe Occasional Visitor

    Joined:
    Apr 6, 2018
    Messages:
    14
    I am today running a consumer-grade ASUS RT-AC68U router.

    Getting very tired of:
    1. Constant security issues (that may or may not be fixed via firmware upgrades after weeks or months), for example due to old, not updated, underlying packages/software
    2. Lack of automatic updates (at least critical security flaws should just be auto-fixed without requiring me to manually find out that there is even an issue, and then fixing it myself)
    3. Total lack of security and privacy consciousness among the router manufacturers, for example: (a) Asus Router iPhone app that suddenly enabled Remote (WAN) Access without informing me about it; (b) 16-char max length of password; (c) no multi-factor authentication for admin account; (d) AI Micro harvesting personal information without that clearly being communicated [https://www.reddit.com/r/privacy/comments/3vxg07/does_trend_micro_steal_web_browsing_history/] etc. (examples from my current Asus router, but had very similar experience with my previous Netgear consumer router).
    Questions: Aside from using/configuring best-practice settings for a consumer router, is there anything more I can do?
    • If I were to install a firmware such as DD-WRT, Tomato or Merlin, would that really help? I am not really interested in tweaking or getting more fancy features. I am only (well, mainly) interested in the highest possible security and privacy.
    • If I were to invest in a SOHO- or enterprise-grade router, would that really help? Or would that still rely on myself identifying all upcoming security issues, and taking measures?
     
  2. coxhaus

    coxhaus Part of the Furniture

    Joined:
    Oct 7, 2010
    Messages:
    2,748
    Location:
    texas
    Router hacks happen, who knows when. But things should not be changing without you knowing.

    Tomato was good in its day. But it is starting to get old. Their kernel is falling behind.

    An enterprise router will give you reliable service 100% of the time if you can afford one. They still have hacks and they are harder to upgrade. Plus a lot of upgrades cost money.

    I have been running the same router for a while without too many updates. I stopped and ran pfsense for a while, maybe 2 years. pfsense does require a lot of upgrades and attention. Somewhere along the way my pfsense stopped painting web page screens very fast. I went back to my old Cisco RV320 router and started running it again. I realized how much less attention I had to deal with on my RV320 router vs the pfsense I just quit using. pfsense requires much more attention.

    NAT is the main security feature for firewalls at home. The less holes you poke through it the more secure you are.

    Merlin seems easy to try since you already own an Asus router. I have never run either.
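Added example, not from the thread or any of its posters: a small Python audit of an `iptables-save` dump that lists the holes a home router has poked through its NAT, which is the "less holes" point above made checkable. It reports DNAT port forwards arriving on the WAN interface, services on the router itself that accept unsolicited WAN traffic, and an INPUT chain whose default policy is ACCEPT with no WAN catch-all drop. The dump, the WAN name `eth0` and the LAN bridge `br0` are constructed for illustration; the rule layout follows what `iptables-save` prints on a Linux-based router, and the interface names on a real device will differ.

```python
"""Audit an iptables-save dump for holes poked through a home router's NAT.

Added example; the dump below is constructed and eth0 is an assumed WAN name.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on iptables-save output from a Linux-based router.
# eth0 is the WAN side, br0 the LAN bridge (both names are assumptions).
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 192.168.1.1:8443
-A PREROUTING -i eth0 -p tcp -m tcp --dport 32400 -j DNAT --to-destination 192.168.1.50:32400
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -j DROP
-A FORWARD -i br0 -o eth0 -j ACCEPT
COMMIT
"""


@dataclass(frozen=True)
class Hole:
    kind: str              # "port-forward", "router-service" or "open-policy"
    proto: Optional[str]   # tcp/udp, or None when the rule matches any protocol
    dport: Optional[str]   # destination port, or None for any port
    target: str            # host:port behind a forward, or "router" itself


def _opt(tokens: List[str], flag: str) -> Optional[str]:
    """Return the value that follows `flag` in a tokenised rule, or None."""
    try:
        return tokens[tokens.index(flag) + 1]
    except (ValueError, IndexError):
        return None


def audit_wan_holes(dump: str, wan_if: str) -> List[Hole]:
    """List every rule that lets unsolicited WAN traffic in, plus a missing catch-all."""
    holes: List[Hole] = []
    table = None
    input_policy = None
    wan_catchall_drop = False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):                       # table header, e.g. *filter
            table = line[1:]
            continue
        if table == "filter" and line.startswith(":INPUT "):
            input_policy = line.split()[1]             # default policy of INPUT
            continue
        if not line.startswith("-A "):
            continue
        tok = shlex.split(line)
        chain = tok[1]
        if _opt(tok, "-i") != wan_if:                  # only WAN-facing rules matter here
            continue
        target, proto, dport = _opt(tok, "-j"), _opt(tok, "-p"), _opt(tok, "--dport")
        if table == "nat" and chain == "PREROUTING" and target == "DNAT":
            holes.append(Hole("port-forward", proto, dport, _opt(tok, "--to-destination") or "?"))
        elif table == "filter" and chain == "INPUT":
            if target == "ACCEPT":
                holes.append(Hole("router-service", proto, dport, "router"))
            elif target in ("DROP", "REJECT") and proto is None and dport is None:
                wan_catchall_drop = True               # everything else from WAN is dropped
    if input_policy == "ACCEPT" and not wan_catchall_drop:
        holes.append(Hole("open-policy", None, None, "router"))
    return holes


if __name__ == "__main__":
    for h in audit_wan_holes(SAMPLE_DUMP, "eth0"):
        print(f"{h.kind:15} {h.proto or 'any':4} dport={h.dport or 'any':6} -> {h.target}")
```

Run it against `iptables-save` output copied from the router (on Asuswrt the WAN interface name is what `nvram get wan0_ifname` reports; with PPPoE it is a `ppp` interface). The audit keys off the nat table for forwards because that is where the hole is declared, even though a matching FORWARD accept is also needed for the traffic to flow; anything it lists that you did not deliberately open, such as the 8443 forward to the router's own admin page in the sample, is the kind of silently enabled remote access the original post complains about.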
     
  3. CrystalLattice

    CrystalLattice Regular Contributor

    Joined:
    Jan 9, 2017
    Messages:
    140
    Location:
    Vero Beach, FL
    Best bet is OpenWrt flashed onto a cheap router with wifi turned off. Study up and add minor changes to the OpenWrt router to increase security. Use the Asus 68 as an AP for a while, then replace it with a more expensive one flashed with OpenWrt. Fun project, maximum security possible at this time.
     
  4. microchip

    microchip Very Senior Member

    Joined:
    Sep 19, 2014
    Messages:
    539
    Location:
    Belgium
    use something like pfsense with wifi APs

    Truth is, consumer router manufacturers mostly focus on BIG NUMBERS to attract many customers, and security is usually an afterthought. You'd scare your pants off seeing how outdated some of the internal programs are. NETGEAR still uses wide-dhcpv6, which has not seen active development for years, and their dnsmasq is also many years behind.
     
  5. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    14,117
    Location:
    San Diego, CA
    Best security with a consumer grade router - Airport Extreme/Extreme AC

    They're BSD based, expose limited services, and they generally just work.
     
  6. coxhaus

    coxhaus Part of the Furniture

    Joined:
    Oct 7, 2010
    Messages:
    2,748
    Location:
    texas
    I think the Cisco small business routers are pretty good. Cisco keeps up with router issues when it comes to security. They break stuff because it is not secure any more. Even before they have fixes for stuff they broke.
     
  7. CrystalLattice

    CrystalLattice Regular Contributor

    Joined:
    Jan 9, 2017
    Messages:
    140
    Location:
    Vero Beach, FL
    No further updates for AirPorts; Apple walked away from an unprofitable line, sorry for us AirPort owners. Updated for the KRACK attack, AirPorts good for another year, though.
     
    Last edited: Apr 10, 2018
  8. WiFiNemesis

    WiFiNemesis Occasional Visitor

    Joined:
    Aug 10, 2017
    Messages:
    48
    On consumer routers, I found the following useful:


    I went with Synology: 3rd-party verified core software, transparent security reports, frequent updates, declared support lifetime, decent support. With everything running through the VPN client and Intrusion Protection enabled, performance is good, CPU rarely exceeds 50% utilization. Everything is set to update automatically, so far no problems.

     
  9. CrystalLattice

    CrystalLattice Regular Contributor

    Joined:
    Jan 9, 2017
    Messages:
    140
    Location:
    Vero Beach, FL
  10. CrystalLattice

    CrystalLattice Regular Contributor

    Joined:
    Jan 9, 2017
    Messages:
    140
    Location:
    Vero Beach, FL
    rbird2 and MustacheSwe like this.
  11. MustacheSwe

    MustacheSwe Occasional Visitor

    Joined:
    Apr 6, 2018
    Messages:
    14
    Thanks so much, everyone, for all your great advice! Much appreciated!

    Based on your comments (and some further research), I have concluded that I will probably start with trying the OpenWRT (or possibly DD-WRT or Merlin) firmware.

    I think the Synology routers may be interesting to keep an eye on. I have a DS918+ four-bay NAS from Synology, which I am very happy with. But I have been using Synology NASes since 2010, and in my experience Synology's OS tends to have too many 'cool' features in the beginning, meaning that there will also be far too many bugs and other problems. But once their intrusion detection module is more stable, I think it could become interesting.
     
    CrystalLattice likes this.
  12. joegreat

    joegreat Very Senior Member

    Joined:
    Jan 9, 2013
    Messages:
    1,690
    Location:
    Vienna, Austria
    CrystalLattice likes this.
  13. CrystalLattice

    CrystalLattice Regular Contributor

    Joined:
    Jan 9, 2017
    Messages:
    140
    Location:
    Vero Beach, FL
    Take a look at the Ars Technica series on building a router; only OpenWrt, home-built, and an expensive Ubiquiti have smooth waveforms! Jim Salter assumed his home-built had great security. After you get started, run a security checker that is not grc.com. Will dig out for you. You can see by reading this blog how many problems people have with alt. firmware. I am not affiliated with OpenWrt. It is the base firmware for many manufacturers, but they freeze it in place & don't properly update. Every 6 months you can refresh OpenWrt, which is why you don't want to make too many changes.
     
    Last edited: Apr 13, 2018
  14. CrystalLattice

    CrystalLattice Regular Contributor

    Joined:
    Jan 9, 2017
    Messages:
    140
    Location:
    Vero Beach, FL
    I guess the main idea is that routing will change over time in unpredictable ways we can only grasp at now: more AI, possibly blockchain, who knows?
     
  15. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    30,847
    Location:
    Canada
    If manufacturers would stop being paranoid about "protecting their IP" and provided open-source drivers, things would be much simpler. The price OpenWRT users have to pay is that they can't have working wireless on many of the popular hardware platforms because of this.

    And since SoC manufacturers have little interest in keeping their official SDK up-to-date, preferring instead to push new hardware to their own customers, we end up with hardware running obsolete software from nearly day 1. And by obsolete I don't mean "a few months behind", but "a few years behind".

    Router manufacturers share their part of the blame too - there's no reason why they can't keep critical components such as openssl or dnsmasq up-to-date. Quite often, updates are even direct drop-in replacements. For example, anyone using OpenSSL 1.0.0 can directly move to 1.0.2 without having to do any change to their code, and a few very minor tweaks to their makefile recipes.

    I've been saying it for years: it's time router manufacturers stop treating routers as gadgets, and start treating them as the security devices they really are. These things are everyone's frontline defense on their network. That they also provide wifi is just a by-the-way, not the other way around.
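Added example, not from the thread, Asuswrt or any poster: a Python script that pulls component version banners out of an unpacked firmware root filesystem and compares them against floors you supply, which is a quick way to see for yourself how far behind the bundled OpenSSL, dnsmasq, BusyBox and kernel are. The byte blob is constructed to stand in for a rootfs dump, and the version floors in `PLACEHOLDER_FLOORS` are placeholders you must replace with the releases you consider current, not a statement about which versions are safe.

```python
"""Inventory bundled component versions in an unpacked router firmware image.

Added example; the image bytes are constructed and the floors are placeholders.
"""
import re
from typing import Dict, Iterator, List, Set, Tuple

# Version banners that the components a router bundles embed in their binaries.
BANNERS = {
    "OpenSSL": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)\b"),
    "dnsmasq": re.compile(rb"dnsmasq-(\d+\.\d+)\b"),
    "BusyBox": re.compile(rb"BusyBox v(\d+\.\d+\.\d+)\b"),
    "Linux": re.compile(rb"Linux version (\d+\.\d+\.\d+)\b"),
}

# Placeholder floors: substitute the releases you consider current. These
# numbers are assumptions for the demo, not a claim about which are safe.
PLACEHOLDER_FLOORS = {"OpenSSL": "1.0.2", "dnsmasq": "2.78", "BusyBox": "1.25.0", "Linux": "3.10.0"}

# Constructed stand-in for a rootfs dump: binary noise around realistic banners.
SAMPLE_IMAGE = (
    b"\x7fELF\x01\x01\x01" + b"\x00" * 16
    + b"OpenSSL 1.0.0e 6 Sep 2011\x00"
    + b"\xde\xad\xbe\xef" * 4
    + b"dnsmasq-2.52  Copyright (c) 2000-2010 Simon Kelley\x00"
    + b"BusyBox v1.17.4 (2012-03-01 10:00:00 CST) multi-call binary\x00"
    + b"Linux version 2.6.36.4brcmarm (gcc version 4.5.3)\x00"
)

_PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")


def printable_strings(blob: bytes) -> Iterator[bytes]:
    """Yield runs of printable ASCII, like the `strings` utility does."""
    for m in _PRINTABLE.finditer(blob):
        yield m.group(0)


def version_key(v: str) -> Tuple[int, int, int, int]:
    """Turn '1.0.2k' into a comparable tuple; a trailing letter (OpenSSL) ranks 1..26."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?([a-z])?", v)
    if not m:
        raise ValueError(f"unrecognised version: {v}")
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch or 0), ord(letter) - 96 if letter else 0)


def inventory(blob: bytes) -> Dict[str, Set[str]]:
    """Map component name -> set of version strings found in the blob."""
    found: Dict[str, Set[str]] = {name: set() for name in BANNERS}
    for s in printable_strings(blob):
        for name, pat in BANNERS.items():
            for m in pat.finditer(s):
                found[name].add(m.group(1).decode("ascii"))
    return {name: vers for name, vers in found.items() if vers}


def stale_components(inv: Dict[str, Set[str]], floors: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (component, found_version, floor) for every version below its floor."""
    stale = []
    for name, versions in inv.items():
        if name in floors:
            for v in sorted(versions):
                if version_key(v) < version_key(floors[name]):
                    stale.append((name, v, floors[name]))
    return stale


if __name__ == "__main__":
    for name, v, floor in stale_components(inventory(SAMPLE_IMAGE), PLACEHOLDER_FLOORS):
        print(f"{name}: found {v}, below floor {floor}")
```

Real images are compressed (squashfs, LZMA), so unpack them first (`binwalk -e` or `unsquashfs`) and feed the script the extracted files; the banners are invisible in the compressed image. A banner tells you which release was compiled in, not whether the vendor backported any fixes, so treat the list as a starting point for checking against each project's release notes rather than a verdict.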
     
  16. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    14,117
    Location:
    San Diego, CA
    It's more complicated than that - yes, the OEMs have a part to play perhaps - but some of them are fairly free and open - and they publish GPL code - some enough so that the entire factory build can be reproduced. Many just push the changes to GPL and call it done.

    AsusWRT is a bit complicated because of that - but to their credit, they've found a fine line within constraints - but even there - there's a lot of blobs and restrictions to make something anyone can use on the same chipset.

    Speaking from experience - the real issue goes back to the SoC vendors directly - through them, to get access to usable code, one has to sign NDAs, and even then, sometimes it's just binary blobs, not useful code to take things forward. And yes - SoC vendors' SDKs move forward - and the challenge there is integration with the current OEM code bases - esp. if one has other third-party code - e.g. file system drivers, anti-virus, etc., and that can cause additional issues.

    I'd love to provide a free and open BSP - but I can't legally - I'm stuck there - the code that my old Science Project built, it works great, but one would have to sign a list of NDAs to make it really work - and there, the legal issues were greater than the business issues - the engineering issues were all sorted, but my group was eventually stopped by the legal side with proprietary code and restrictions.
     
    daviworld and CrystalLattice like this.
  17. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    30,847
    Location:
    Canada
    They're definitely the biggest road blocks there. Lots of bad decisions taken by corporate types with zero understanding of the technical bits involved, who believe that their competitor will suddenly steal all of their customers if they could see the source code showing how values are pushed to their SoC, and how results are being read back. As if their competitors aren't already able to figure that out anyway by reverse engineering the code. Those guys probably have no idea that compiled code can be decompiled, then analyzed - it's more work than looking at the source code, but it's still very possible, and is being done already.

    Microsoft kept the SMB protocol hidden for years; that didn't stop the Samba team from coming up with a working product. Ultimately, someone at Microsoft woke up, realized it was an opportunity, and started collaborating with Samba devs.

    If Lineage/Cyanogen and OpenWRT weren't held back by some of these SoC manufacturers, end-users and customers would benefit the most from it. And I'd be willing to bet my shirt that Broadcom/Qualcomm wouldn't lose business because their driver code isn't hidden in a secret safe behind an NDA requiring you to put your first born on the table as collateral.

    How many additional sales would companies like Netgear get if the SoC they use could be fully supported by OpenWRT (p. Which would translate into more sales for Broadcom/Qualcomm. But that's a line of thought that completely escapes the corporate head honchos who are calling the shots at these companies.

    Netgear (not picking on them in particular, just that it's the only manufacturer beside Asus whose firmware code I've taken a look at) also has their share of paranoia there. Their firewall configuration code is closed source, for example. Ya, there's some major corporate trade secret to hide behind how you set up a bunch of iptables rules, which anyone can view ANYWAY... It only means it's next to impossible for anyone to fine-tune those rules.

    So meanwhile, customers end up with great hardware, but mediocre software - and very little alternative.

    The cynic in me thinks that some of this code is possibly kept closed because they have something to hide. Sometimes it's that they actually stole some of that code and don't want people to find out. Other times it's to avoid embarrassing themselves by showing how piss-poor some of that code is.
     
    Last edited: Apr 11, 2018
    daviworld, CrystalLattice and cjake like this.