make sure to use a software firewall

Thread starter
As I have said before, most if not all home routers are not secure. This study is scary in many ways; do not rely on your home router for firewall security: https://www.fkie.fraunhofer.de/cont...uter/HomeRouterSecurity_2020_Bericht.pdf

Executive Summary

This report analyses 127 current routers for private use developed by seven different large vendors selling their products in Europe. An automated approach was used to check the routers' most recent firmware versions for five security related aspects. We were able to extract 117 of the 127 firmware images completely. Four firmware images could be extracted partly and six firmware images could not be extracted at all. 116 of 127 (91%) devices are powered by Linux. One was powered by ThreadX and another one by eCos.

The security aspects addressed in this report are:

- When were the devices updated last time?
- Which operating system versions are used and how many known critical vulnerabilities affect these operating system versions?
- Which exploit mitigation techniques do the vendors use? How often do they activate these techniques?
- Do the firmware images contain private cryptographic key material?
- Are there any hard-coded login credentials?

Our results are alarming. There is no router without flaws. 46 routers did not get any security update within the last year. Many routers are affected by hundreds of known vulnerabilities. Even if the routers got recent updates, many of these known vulnerabilities were not fixed. What makes matters even worse is that exploit mitigation techniques are used rarely. Some routers have easily crackable or even well known passwords that cannot be changed by the user. Most firmware images provide private cryptographic key material. This means, whatever they try to secure with a public-private crypto mechanism is not secure at all. Nonetheless, vendors seem to prioritize security differently. Especially AVM does a better job than the other vendors regarding most of the security aspects. However, AVM routers are not flawless either. ASUS and Netgear do a better job on some aspects than D-Link, Linksys, TP-Link and Zyxel. To sum it up, much more effort is needed to make home routers as secure as current desktop or server systems.
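Three of the five checks the report's executive summary lists (private key material in the image, hard-coded credentials, exploit mitigations in the shipped binaries) can be reproduced against an extracted firmware tree with a short script. The following is an added example written for this thread, not the Fraunhofer team's tooling and not code from the report; it assumes the firmware has already been unpacked (for example with binwalk) and is handed over as a {path: bytes} mapping. The file paths, key placeholder, password hashes and header-only ELF images below are constructed sample input, not data from any real router. Mitigation detection follows checksec's conventions (missing PT_GNU_STACK counts as NX disabled; canary detection looks for the __stack_chk_fail symbol name), and it parses both ELF32 and ELF64 in either byte order, since most of the report's routers are 32-bit MIPS or ARM rather than x86.

```python
import re
import struct

PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552  # stack-permission / RELRO program headers
ET_DYN, PF_X = 3, 0x1  # e_type of a PIE; executable bit in p_flags
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:[A-Z0-9 ]+ )?PRIVATE KEY-----")

def find_private_keys(files):
    """Paths whose contents embed a PEM private-key block (RSA, EC, OPENSSH, PKCS#8)."""
    return sorted(path for path, data in files.items() if PRIVATE_KEY_RE.search(data))

def _hash_type(pw):
    if pw.startswith("$1$"):
        return "md5crypt hash"
    if pw.startswith("$5$"):
        return "sha256crypt hash"
    if pw.startswith("$6$"):
        return "sha512crypt hash"
    if len(pw) == 13:
        return "DES crypt hash (8-char password limit, cheap to crack)"
    return "password hash of unknown format"

def find_hardcoded_credentials(passwd_text, shadow_text=""):
    """(user, finding) pairs for accounts with a usable password field.
    'x' defers to /etc/shadow; '*' or a leading '!' is locked. Anything else is
    a credential baked into the image that the owner cannot rotate."""
    findings = []
    for source in (passwd_text, shadow_text):
        for line in source.splitlines():
            fields = line.split(":")
            if len(fields) < 2 or not fields[0] or line.startswith("#"):
                continue
            user, pw = fields[0], fields[1]
            if pw == "":
                findings.append((user, "empty password field (passwordless login)"))
            elif pw != "x" and not pw.startswith(("*", "!")):
                findings.append((user, "hard-coded " + _hash_type(pw)))
    return findings

def elf_mitigations(data):
    """PIE / NX / RELRO / canary for ELF32 or ELF64 of either endianness; None if not ELF.
    Like checksec, a missing PT_GNU_STACK counts as NX off. The canary check is a
    heuristic: the __stack_chk_fail name survives stripping because it lives in .dynstr."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        return None
    is64, end = data[4] == 2, ("<" if data[5] == 1 else ">")
    (e_type,) = struct.unpack_from(end + "H", data, 16)
    (e_phoff,) = struct.unpack_from(end + ("Q" if is64 else "I"), data, 32 if is64 else 28)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54 if is64 else 42)
    nx = relro = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + e_phentsize > len(data):
            break
        (p_type,) = struct.unpack_from(end + "I", data, off)
        # p_flags follows p_type in ELF64 but comes after the address fields in ELF32
        (p_flags,) = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro, "canary": b"__stack_chk_fail" in data}

def build_elf(pie, nx, relro, canary, bits=64, little=True):
    """Constructed header-only ELF (no code) used as sample input for elf_mitigations."""
    end = "<" if little else ">"
    phdrs = [(PT_GNU_STACK, 0x6 | (0 if nx else PF_X))]  # RW stack, or RWE when NX is off
    if relro:
        phdrs.append((PT_GNU_RELRO, 0x4))
    e_type = ET_DYN if pie else 2  # 2 = ET_EXEC: fixed load address, no ASLR for the image
    ident = b"\x7fELF" + bytes([2 if bits == 64 else 1, 1 if little else 2, 1]) + b"\x00" * 9
    if bits == 64:
        hdr = struct.pack(end + "HHIQQQIHHHHHH", e_type, 0x3E, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
        body = b"".join(struct.pack(end + "IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    else:
        hdr = struct.pack(end + "HHIIIIIHHHHHH", e_type, 0x08, 1, 0, 52, 0, 0, 52, 32, len(phdrs), 0, 0, 0)
        body = b"".join(struct.pack(end + "IIIIIIII", t, 0, 0, 0, 0, 0, f, 0) for t, f in phdrs)
    return ident + hdr + body + (b"\x00__stack_chk_fail\x00" if canary else b"")

# Constructed stand-in for an extracted firmware root; every path and value is made up.
SAMPLE_FILES = {
    "etc/ssl/server.key": b"-----BEGIN RSA PRIVATE KEY-----\nplaceholder, not a real key\n-----END RSA PRIVATE KEY-----\n",
    "etc/ssl/server.crt": b"-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n",
    "usr/sbin/httpd": build_elf(pie=False, nx=False, relro=False, canary=False),  # x86-64 LE, nothing on
    "bin/busybox": build_elf(pie=True, nx=True, relro=True, canary=True, bits=32, little=False),  # MIPS BE, all on
}
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/sh\nadmin::0:0:admin:/:/bin/sh\n"
SAMPLE_SHADOW = "root:$1$saltsalt$constructedmd5crypthash00:0:0:99999:7:::\nsupport:abJnggxhB/yWI:0:0:99999:7:::\n"

def audit(files, passwd_text, shadow_text=""):
    """Run the three checks over one extracted image and return a single report dict."""
    elf = {path: m for path, data in files.items() for m in [elf_mitigations(data)] if m is not None}
    return {"private_keys": find_private_keys(files),
            "credentials": find_hardcoded_credentials(passwd_text, shadow_text), "elf": elf}

if __name__ == "__main__":
    for section, result in audit(SAMPLE_FILES, SAMPLE_PASSWD, SAMPLE_SHADOW).items():
        print(section, result)
```

On a real image you would build the `files` mapping by walking the extracted root and reading each file, then pass the contents of `etc/passwd` and `etc/shadow` (where present) to `audit`. A `.key` file in the image is exactly the "private cryptographic key material" finding from the summary: every unit ships the same key, so TLS to the admin UI offers no protection against anyone who has downloaded the firmware. The two remaining checks from the report, last update date and the kernel version's known CVEs, need the vendor's release history and a CVE feed rather than the image alone, so they are not reproduced here.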
 
Tired of paranoia. My now ancient router running DD-WRT has had no problems. Practice secure computing. I haven't been hacked in a very, very long time, doing very, very dubious things. The article is some geek trying to pretend a molehill is a mountain. I've seen this countless times before, and never any issue. Software firewalls are for idiots or those who want a lazy redundant solution, OR those who pirate software and want to selectively control which files are allowed to phone home to the mothership. Okay, to be fair, if you have no hardware firewall, then software it is!
 
I've covered this before in several threads. You aren't getting Enterprise security and support on hardware costing $40-100. These devices are produced on the cheap and firmware updates, if there are any in the first place, stop shortly after release and a replacement product is on the market. This whole situation works just fine for probably 99% of the buyers, so there's no incentive to change it either. I've suggested that for folks wanting a more robust firewall solution they either build a PFSense box, Sophos box or buy a used SonicWall, Watchguard appliance, etc. Something with a decent GUI that doesn't involve knowing IOS or Junos. A software firewall is like having a lock on your office door. That's great, but if the folks you want to keep out are already in the building and your wife and kids aren't in the office with you, keeping them out of the building in the first place should probably have been a higher priority.
 
We use SonicWALL appliances at work. I would take one of the decommissioned ones home, but they are usually trash specs wise by the time they are taken out of service and since I have gigabit internet I want to be able to use it all. But even unregistered with no support it is better than your garden variety consumer router. I have been using DD-WRT on my home router for years and haven't had an issue (I even host a server at home), but have been tinkering with PFSense.
 
If my Mac FW accepts valid certificates without question, I am not sure that turning it on really gives me much more protection than my router if the private key has been compromised.
 
Untangle works very well also and is extremely customizable. I run Untangle UTM (firewall, WAF, IDS, AV, Web Filter, Ad Blocker, etc..), Advanced Tomato on my WiFi router, route all traffic to OpenDNS.com, and a few other things on the hosts on my home network. Overkill? Not from what I see with my job. For those that say things like "I've never been hacked and all I do is not click on stupid stuff!". Well, the point of most hacks is to not alert the victim that they've been hacked. They want you to think everything is normal so they can go about their nefarious ways. Defense in depth is worth a little extra expense.
 
Thread starter
The Mac OS firewall is pretty effective; I suggest you turn it on: https://support.apple.com/en-us/HT201642

About the application firewall

OS X includes an application firewall you can use to control connections made to your computer from other computers on your network. OS X v10.5.1 and later include an application firewall you can use to control connections on a per-application basis (rather than a per-port basis). This makes it easier to gain the benefits of firewall protection, and helps prevent undesirable apps from taking control of network ports open for legitimate apps.
 

JHZR2

Staff member
This is interesting to read relative to the Fraunhofer report and the other thread about this. Where the report falls short is in the analysis of any sort of “higher end” unit. In the other thread, you recommended a Cisco Z3 router. How would it fare in the analyses that Fraunhofer did? Flawless, or just a bit better?

It’s also interesting to see that (at least my interpretation) to get good firewall capability, you need yet another computer system to run that, in addition to the router and anything else. That’s clunky. Does that requirement go away with an “enterprise” unit?
 
Yeah, you don't need a separate box if you buy something from Watchguard, Sophos, CheckPoint, SonicWall, Cisco Meraki...etc as they all are available with integrated WiFi. Where a separate box comes in handy is if you are working on a budget and don't mind the extra hardware. Most of these (very high quality) firewall distros are free, or free for home use (Sophos UTM).

I suggested the Z3 because it's the cheapest of the products offered under the Cisco Meraki umbrella. It's cloud-managed, gets regular firmware updates, but lacks UTM and a few other features that you get with an MX, but the MX costs a fair bit more.

The MX64W is the least expensive SD-WAN offering with integrated WiFi: https://meraki.cisco.com/product/security-sd-wan/small-branch/mx64w/
Paired with the Advanced Security licence you get a pretty good setup.

On how these devices would fare in the report? I'd expect them to do extremely well if not flawless in the report, given that firmware updates are regular, firmware testing extensive and of course the focus on security. The Z3 for example, I have several in the wild, most are running the "stable" track, which puts them on a 14.xx series firmware, I have another on the Beta track for testing. The Z3 runs the same MX software as the MX-series, you just lack many of the options in the cloud UI that you get with the MX's. So in my case, they are all running 14.42, which was released on May 7th, 2020.
 

JHZR2

Staff member
Thank you. Do you have a recommendation for a separate box? Seems that by the time one would buy that plus another consumer router, it wouldn’t be budget anymore...
 