Current Router Attack and Router Choice

Status
Not open for further replies.

Y_K

Hi,
With all the Russian and other attackers installing packet sniffers into router firmware, is there any chance that non-consumer-grade hardware is any better in this regard? Or is it as simple as paying attention and exercising due diligence? On one hand, a lot of users don't change the factory admin:password, and on the other hand the manufacturers leave back doors that we don't know about, yet the bad guys somehow do. Security by obscurity never worked. Anyway, I even looked at pfSense ready-made hardware from their site, but they have their fair share of complaints as well.
Any straightforward way to distance myself and reduce the attack vectors?

I am comfortable with installing obscure things on 20-year-old hardware, but I just wanted to get a ready-made 'solution', set-and-forget kind of stuff.
Right now I have a fully functioning and updated ASUS N66U.

TIA
 
Originally Posted By: Y_K
Hi,
With all the Russian and other attackers installing packet sniffers into router firmware

Which routers/firmwares are affected by this? I have not heard anything.

Quote:
Right now I have a fully functioning and updated ASUS N66U.
Run aftermarket firmware on it, such as DD-WRT or Tomato?

I used an N66U for a very long time. Always ran Tomato on it. Good router (and firmware).
 
You could buy a Cisco ASA, Juniper SSG or even a Sonicwall if you want something more "hardcore".

Sonicwall is probably the easiest to setup for somebody not CLI literate in the other two.
 
What we hear, we usually hear with a delay.

As for tomatoes and peaches, I prefer products from folks who spent years in network socket programming over PhDs in biochemistry who fancy themselves computer scientists on the side. Hackers vs. real pros, akin to Linux vs. BSD. In other words: I don't buy into Tomato or WRT hacks, unless we are sharing fun experiences.
 
Originally Posted By: OVERKILL
You could buy a Cisco ASA, Juniper SSG or even a Sonicwall if you want something more "hardcore".

Sonicwall is probably the easiest to setup for somebody not CLI literate in the other two.


Thank you. So, a SonicWall plus an AP for Wi-Fi would be the direction?
 
Originally Posted By: Y_K
Originally Posted By: OVERKILL
You could buy a Cisco ASA, Juniper SSG or even a Sonicwall if you want something more "hardcore".

Sonicwall is probably the easiest to setup for somebody not CLI literate in the other two.


Thank you. So, a SonicWall plus an AP for Wi-Fi would be the direction?


Yes.
 
Sophos UTM or XG. Free for home/personal use. Install it on an Intel J1800 or J1900 fanless 10 W box. Enterprise-grade next-gen firewalls for home use.

XG allows you to have full endpoint protection with a heartbeat to the firewall providing unified network protection.

I use UTM because of the maturity of the product and the flexibility of configurations. I have it installed on the following hardware:

https://www.amazon.com/gp/product/B0719L1VFK/ref=oh_aui_detailpage_o04_s00?ie=UTF8&psc=1

https://www.sophos.com/en-us/products/unified-threat-management.aspx
https://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx

I created a physically separate network for Wi-Fi and a different SSID for IoT devices with wireless client isolation.

The reporting and notification options are many.

Pretty impressive software.
 
How many routers are externally accessible with a user name and password? Linksys and TP-Link are not, out of the box.

I don't get the idea of using commercial-grade stuff at home unless it's for a challenge or a hobby. I never have any issues running about 20 devices off the same router, including Ooma, using video conferencing, and kids/wife consuming YouTube/Netflix/Xfinity streaming across 3 to 4 devices at full resolution.
 
Originally Posted By: madRiver
How many routers are externally accessible with a user name and password? Linksys and TP-Link are not, out of the box.


Most if configured as such.
 
Originally Posted By: madRiver
How many routers are externally accessible with a user name and password? Linksys and TP-Link are not, out of the box.

I don't get the idea of using commercial-grade stuff at home unless it's for a challenge or a hobby. I never have any issues running about 20 devices off the same router, including Ooma, using video conferencing, and kids/wife consuming YouTube/Netflix/Xfinity streaming across 3 to 4 devices at full resolution.


It's not about "having issues"; it's about the risk of exploits, data mining, man-in-the-middle style attacks or even DNS poisoning/redirects. These can all be "issues" that you are, unfortunately, blissfully unaware of.

Some of the easier-to-install commercial solutions (and frankly, we are talking about SMB stuff here, not Enterprise) provide deep levels of threat management and mitigation, while not being difficult for somebody who is a relative novice to set up properly and secure. Sure, you can go Cisco UTM with an ASA, Firepower, etc., but that's generally outside the comfort zone for most people, and price-wise, well, even entry-level is pretty pricey.
 
Originally Posted By: Quattro Pete
Originally Posted By: Y_K
What we hear, we usually hear with a delay.
Sounds like much ado about nothing. If you don't change your router's default login credentials, you only have yourself to blame.


Agreed on the user login, but what about all the obscure back doors? What about the dozen buffer-overrun vulnerabilities fixed in the latest update for my current router?
Better not to know all this and live a happy life with a notepad.
 
First off, own a modern router. Legacy routers sometimes have no support from the manufacturer and can be insecure. Check for firmware updates for your router about once a month. I just checked my Asus RT-AC5300 and, yep, it had an update available.

Then check to see if your settings are tight.

1. Did you change the default password and SSID?
2. Do you have a strong password? I mean really strong: 16 characters or more, including upper AND lower case letters, numbers AND punctuation.
3. Encryption enabled? Is it strong encryption?
4. WPS disabled?
5. UPnP disabled?
6. Web access from WAN disabled?
7. Ping from WAN disabled?
8. DMZ disabled?
9. Port triggering and forwarding disabled?
10. Anonymous login to FTP share disabled?
11. Do you have a guest network that is not password protected and encrypted?

Does your router have a firewall? Is it enabled?

There can be many other settings for your router. Drill down and set it as secure as you can.
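The checklist above is easy to answer by clicking through a web UI once, and easy to let drift afterwards. The script below is an added example (not part of the post above or of any router vendor's firmware): it parses a key=value config dump of the kind `nvram show` prints on ASUS-class consumer routers and flags every item on the list that fails, so the audit can be re-run after each firmware update. The variable names and value encodings (e.g. `psk` vs `psk2`, `st_ftp_mode=1` meaning anonymous share mode) are modelled on ASUS firmware but are assumptions for this example, not a verified list; the sample dump and the hardened overrides are constructed.

```python
import re

# Constructed sample dump in the style of `nvram show` on an ASUS-class router.
# Key names and value encodings are ASSUMPTIONS for this example, not a
# verified list: map them to whatever your own router's config export uses.
SAMPLE_DUMP = """\
wl0_ssid=ASUS
wl0_auth_mode_x=psk
wl0_crypto=tkip
wl0_wpa_psk=password1
http_passwd=admin
wps_enable=1
wan_upnp_enable=1
misc_http_x=1
misc_httpport_x=8080
misc_ping_x=1
dmz_ip=192.168.1.50
vts_enable_x=1
vts_rulelist=<ssh<22<192.168.1.10<22<TCP
autofw_enable_x=0
enable_ftp=1
st_ftp_mode=1
wl0.1_bss_enabled=1
wl0.1_ssid=Guest
wl0.1_auth_mode_x=open
fw_enable_x=0
"""

# The same router after the checklist has been applied (only the changed keys).
HARDENED_OVERRIDES = {
    "wl0_ssid": "attic-5ghz", "wl0_auth_mode_x": "psk2", "wl0_crypto": "aes",
    "wl0_wpa_psk": "Correct-Horse-Battery-Staple-42!",
    "http_passwd": "Mk7#pLq2$vN9wRt4zX", "wps_enable": "0", "wan_upnp_enable": "0",
    "misc_http_x": "0", "misc_ping_x": "0", "dmz_ip": "", "vts_enable_x": "0",
    "enable_ftp": "0", "wl0.1_auth_mode_x": "psk2", "fw_enable_x": "1",
}

DEFAULT_SSIDS = {"ASUS", "LINKSYS", "NETGEAR", "TP-LINK", "DLINK"}
DEFAULT_PASSWORDS = {"", "admin", "password", "1234"}


def parse_dump(text):
    """Parse key=value lines into a dict, ignoring lines without '='."""
    cfg = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def password_is_strong(pw):
    """Checklist item 2: 16+ chars with upper, lower, digit and punctuation."""
    return len(pw) >= 16 and all(
        re.search(p, pw) for p in (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"))


def audit(cfg):
    """Return [(checklist_item, finding)] for each setting that fails.
    Item 0 is the firewall question that follows the numbered list."""
    findings = []

    def flag(item, msg):
        findings.append((item, msg))

    ssid = cfg.get("wl0_ssid", "")
    if ssid.upper() in DEFAULT_SSIDS:
        flag(1, "SSID still looks like a factory default: %r" % ssid)
    if cfg.get("http_passwd", "") in DEFAULT_PASSWORDS:
        flag(1, "admin password is a well-known default")
    for key, label in (("http_passwd", "admin"), ("wl0_wpa_psk", "Wi-Fi")):
        if not password_is_strong(cfg.get(key, "")):
            flag(2, "%s password is weak (<16 chars or missing a class)" % label)
    mode = cfg.get("wl0_auth_mode_x", "open")
    if mode in {"open", "shared"}:
        flag(3, "main Wi-Fi is unencrypted (auth_mode=%s)" % mode)
    elif mode == "psk" or cfg.get("wl0_crypto") == "tkip":
        flag(3, "WPA/TKIP in use; require WPA2 (psk2) with AES")
    if cfg.get("wps_enable") == "1":
        flag(4, "WPS enabled (PIN brute-force risk)")
    if cfg.get("wan_upnp_enable") == "1":
        flag(5, "UPnP enabled: any LAN host can open WAN ports by itself")
    if cfg.get("misc_http_x") == "1":
        flag(6, "admin web UI reachable from WAN on port %s" % cfg.get("misc_httpport_x", "?"))
    if cfg.get("misc_ping_x") == "1":
        flag(7, "router answers ICMP echo from WAN")
    if cfg.get("dmz_ip", "") not in {"", "0.0.0.0"}:
        flag(8, "DMZ host %s is fully exposed" % cfg["dmz_ip"])
    if cfg.get("vts_enable_x") == "1" and cfg.get("vts_rulelist"):
        flag(9, "port forwarding active: %s" % cfg["vts_rulelist"])
    if cfg.get("autofw_enable_x") == "1":
        flag(9, "port triggering enabled")
    if cfg.get("enable_ftp") == "1" and cfg.get("st_ftp_mode") == "1":
        flag(10, "FTP share allows anonymous login")
    if cfg.get("wl0.1_bss_enabled") == "1" and cfg.get("wl0.1_auth_mode_x", "open") == "open":
        flag(11, "guest SSID %r has no password or encryption" % cfg.get("wl0.1_ssid"))
    if cfg.get("fw_enable_x") != "1":
        flag(0, "router firewall disabled")
    return findings


def hardened_config():
    """The sample dump with the checklist applied; audit() should return []."""
    return {**parse_dump(SAMPLE_DUMP), **HARDENED_OVERRIDES}


if __name__ == "__main__":
    for label, cfg in (("as shipped", parse_dump(SAMPLE_DUMP)), ("hardened", hardened_config())):
        results = audit(cfg)
        print("%s: %d finding(s)" % (label, len(results)))
        for item, msg in sorted(results):
            print("  [%2d] %s" % (item, msg))
```

Run against the constructed dump it reports 14 findings covering every item on the list; against the hardened overrides it reports none. Keeping the dump in version control and diffing it after each firmware update also catches the case the thread worries about: an update that silently re-enables WPS, UPnP or WAN management.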
 
What do you want to accomplish? The steps being discussed are great, but some steps and technologies are more effective than others depending on what you want to accomplish. For example, do you need to consider a VPN or secure DNS? Who makes the hardware you are looking at, if you are concerned about built-in backdoors? A lot of hardware is coming from mainland China. I'm not trying to be paranoid or difficult, but to figure out the best home IT security for your needs, it's helpful to define what you want to accomplish so that you spend your money and effort in the most effective manner for your specific needs.
 
Originally Posted By: BobsArmory
First off, own a modern router. Legacy routers sometimes have no support from the manufacturer and can be insecure. Check for firmware updates for your router about once a month. I just checked my Asus RT-AC5300 and, yep, it had an update available.

Then check to see if your settings are tight.

1. Did you change the default password and SSID?
2. Do you have a strong password? I mean really strong: 16 characters or more, including upper AND lower case letters, numbers AND punctuation.
3. Encryption enabled? Is it strong encryption?
4. WPS disabled?
5. UPnP disabled?
6. Web access from WAN disabled?
7. Ping from WAN disabled?
8. DMZ disabled?
9. Port triggering and forwarding disabled?
10. Anonymous login to FTP share disabled?
11. Do you have a guest network that is not password protected and encrypted?

Does your router have a firewall? Is it enabled?

There can be many other settings for your router. Drill down and set it as secure as you can.

Even then, buggy or poorly written firmware can mitigate all of the above, unfortunately.


https://routersecurity.org/consumerrouters.php

Not that Enterprise gear is perfect. But you generally get much better support, more recent releases, more mature software and much, MUCH longer-term support.
 
Yes, the sheer number of DHCP overruns fixed in the latest update for my router is stunning. It's like: "Oh, wait, I have been running this fish all these years?"
 
Originally Posted By: Y_K
Hi,

Any straightforward way to distance myself and reduce the vectors?

I am comfortable with installing obscure things on 20-year-old hardware, but I just wanted to get a ready-made 'solution', set-and-forget kind of stuff.
Right now I have a fully functioning and updated ASUS N66U.

TIA


I wouldn't think about it too much, except to say that if your router is more than a few years old, replace it.
Also, of course, if it's an existing router, make sure the firmware is up to date. Router manufacturers update their firmware when threats are discovered, but if your router is old, they may not.
Upgrading to a commercial-type router wouldn't serve much purpose.

Most issues are caused by human error rather than by invasions of homeowner-owned routers. Meaning, people download and install malware.

Even in the commercial sector, I know for a fact it's been creating HUGE headaches for BIG companies whose employees need to download files on a daily basis in their industry, e.g. artwork in the promotional industry. The problem is that the employees handling this artwork day in and day out end up opening a spoofed email and it takes down their entire system, sometimes for days before it's up and going again. Again, we're talking big companies.

The biggest threat to you and most everyone is malware, I'm pretty sure.
We truly are still in the dark ages; in another decade this will be a thing of the past. In the meantime, just keep your firmware up to date, stop installing Wi-Fi-controlled home devices if you have no need for them other than as a toy to play with, and most of all, ignore your emails that have attachments. Nothing is important in an email, and if in doubt, look up the phone number of the institution emailing you (don't take the number off the email) and ask for a postal letter regarding the issue.

Heard about the LV casino break-in?
Personal data about the casino's high rollers was stolen from the casino's computer system. Know how the system was broken into?
Through an unsecured Wi-Fi temperature gauge that was in the casino's fish tank.

At times, we people are no smarter than any animal in the kingdom, fed all this garbage that we do not need, all based on marketing that gets into our heads and makes us want it. For most people, you do not need a lot of this Wi-Fi garbage; thermostats, Alexa and Echo stand out in my mind most, door locks second.

What's more, you agree to share all your personal data, and that of your family, with the very companies that you buy this Wi-Fi garbage from, all in the name of "free"!
 
^^^ Alarmguy, you nailed it!

Like you don't hire a SWAT team to guard a piggy bank, getting commercial gear is overkill. As long as your router (same one I have, BTW) continues to get regular updates, then you're doing OK. A big part of any gear is configuring it well. Turn OFF services/features you don't need and lock down the rest. Under the hood, a good router has similar electronics to the big boys, and a lot of the core code of, say, a Linksys is coming from the parent company of Cisco anyway. Get any good hacker book and the weak link is still primarily the human factor.
 
Some of you guys are a bit funny.
The commercial (SMB) gear I advised the OP to buy earlier isn't expensive, nor is it hard to configure. I'm not advising he spend $15K on home network stuff. Yes, I have Enterprise-grade gear at home, but that's because I get it cheap and deal with it every day, so it makes sense. That's not what I'd advocate for anybody not in the position of wanting a home lab for testing or the like. That would be silly.

However, some of the smaller security appliances designed for branch offices or SMBs are an excellent choice for a home device and will offer better stability, mature firmware, proper support and a greater suite of security features at a price that isn't a whole heck of a lot more than what you'd pay for a "premium" piece of consumer equipment. The Dell SonicWall products are a particularly good fit here, based on my experience, but of course there are others, including Cisco's Meraki product line or the WatchGuard Firebox products.
 