make sure to use a software firewall

As I have said before, most, if not all, home routers are not secure; this study is scary in many ways.

Do not rely on your home router for firewall security.

https://www.fkie.fraunhofer.de/cont...uter/HomeRouterSecurity_2020_Bericht.pdf

Executive Summary
This report analyses 127 current routers for private use developed by seven different large vendors
selling their products in Europe. An automated approach was used to check the router's most
recent firmware versions for five security related aspects.
We were able to completely extract 117 of the 127 firmware images. Four firmware images
could be partly extracted and six firmware images could not be extracted at all. 116 of 127
(91%) devices are powered by Linux. One was powered by ThreadX and another one by eCos.
The security aspects addressed in this report are:
When were the devices updated last time?
Which operating system versions are used and how many known critical vulnerabilities
affect these operating system versions?
Which exploit mitigation techniques do the vendors use? How often do they activate these
techniques?
Do the firmware images contain private cryptographic key material?
Are there any hard-coded login credentials?
Our results are alarming. There is no router without flaws. 46 routers did not get any security
update within the last year. Many routers are affected by hundreds of known vulnerabilities. Even if
the routers got recent updates, many of these known vulnerabilities were not fixed. What makes
matters even worse is that exploit mitigation techniques are used rarely. Some routers have easily
crackable or even well-known passwords that cannot be changed by the user. Most firmware
images provide private cryptographic key material. This means, whatever they try to secure with
a public-private crypto mechanism is not secure at all.

Nonetheless, vendors seem to prioritize security differently. AVM in particular does a better job
than the other vendors regarding most of the security aspects. However, AVM routers are not
flawless either. ASUS and Netgear do a better job on some aspects than D-Link, Linksys, TP-Link
and Zyxel.
To sum it up, much more effort is needed to make home routers as secure as current desktop or
server systems.
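The five checks the report lists can be scripted against an extracted firmware root, which is roughly what the report's "automated approach" amounts to. The block below is an added example, not code from the Fraunhofer study or from any vendor: it walks a directory tree looking for PEM private keys, flags empty or weakly hashed passwords in etc/passwd and etc/shadow, and reads the ELF64 program headers of every binary it finds to report NX, RELRO, PIE and stack-canary use. The firmware tree it audits is constructed inline; the user names, hashes, key file and the two binaries in it are made up for illustration.

```python
"""Audit an extracted firmware root for the checks the Fraunhofer summary lists.

Added example (not the report's own tooling): private key material, weak or
hard-coded credentials, and ELF exploit mitigations (NX, RELRO, PIE, canary).
"""
import re
import struct
import tempfile
from pathlib import Path

PEM_KEY = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")
PT_GNU_STACK, PT_GNU_RELRO, ET_DYN, PF_X = 0x6474E551, 0x6474E552, 3, 1


def find_private_keys(root):
    """Relative paths of files containing a PEM private-key header (under 1 MiB)."""
    root = Path(root)
    return sorted(str(p.relative_to(root)) for p in root.rglob("*")
                  if p.is_file() and p.stat().st_size < 1 << 20 and PEM_KEY.search(p.read_bytes()))


def audit_credentials(root):
    """(file, user, problem) for accounts an attacker could log in to or crack cheaply."""
    issues = []
    for name in ("etc/passwd", "etc/shadow"):
        f = Path(root, name)
        if not f.is_file():
            continue
        for line in f.read_text().splitlines():
            fields = line.split(":")
            if len(fields) < 2:
                continue
            user, h = fields[0], fields[1]
            if h == "":
                issues.append((name, user, "empty password"))
            elif h in ("x", "*") or h.startswith("!"):
                continue  # shadowed or locked account
            elif h.startswith("$1$"):
                issues.append((name, user, "MD5-crypt hash, fast to brute-force"))
            elif not h.startswith("$"):
                issues.append((name, user, "legacy DES-crypt hash, trivially crackable"))
            elif name == "etc/passwd":
                issues.append((name, user, "password hash in world-readable passwd"))
    return issues


def elf_mitigations(data):
    """Parse an ELF64 little-endian header and its program headers; None otherwise."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        return None
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    nx = relro = False  # no PT_GNU_STACK at all means an executable stack on Linux
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro,
            "canary": b"__stack_chk_fail" in data}


def audit_binaries(root):
    root = Path(root)
    out = {}
    for p in root.rglob("*"):
        if p.is_file():
            m = elf_mitigations(p.read_bytes())
            if m is not None:
                out[str(p.relative_to(root))] = m
    return out


def build_sample_elf(pie, nx, relro, canary):
    """Constructed ELF64 header + program headers only: enough for the checks, not runnable."""
    phdrs = [(PT_GNU_STACK, 6 if nx else 7)] + ([(PT_GNU_RELRO, 4)] if relro else [])
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else 2, 62, 1, 0, 64, 0, 0,
                               64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ehdr + body + (b"\0__stack_chk_fail\0" if canary else b"\0")


def make_sample_firmware():
    """Write a constructed firmware tree (made-up users, hashes, key) and return its root."""
    root = Path(tempfile.mkdtemp())
    files = {
        "etc/passwd": "root::0:0:root:/:/bin/sh\nadmin:x:1000:1000::/:/bin/sh\n",
        "etc/shadow": "admin:$1$Zy9aQ1$X3kR0b7uHn2Lw5c8Vq0pF1:18000:0:99999:7:::\n"
                      "support:abJnggxhB/yWI:18000:0:99999:7:::\n",
        "etc/ssl/server.key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedNotARealKey\n"
                              "-----END RSA PRIVATE KEY-----\n",
        "bin/httpd": build_sample_elf(pie=False, nx=False, relro=False, canary=False),
        "bin/dropbear": build_sample_elf(pie=True, nx=True, relro=True, canary=True),
    }
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content if isinstance(content, bytes) else content.encode())
    return root


def audit_firmware(root):
    return {"private_keys": find_private_keys(root),
            "credentials": audit_credentials(root),
            "binaries": audit_binaries(root)}


if __name__ == "__main__":
    for section, result in audit_firmware(make_sample_firmware()).items():
        print(section, result)
```

Two caveats for real images: the root has to come out of the firmware first (binwalk or the vendor's own unpacker, which is the step the report says failed on ten of the 127 images), and the ELF parser above handles only 64-bit little-endian binaries, while most home routers ship 32-bit MIPS or ARM code, often big-endian, whose header fields sit at different offsets. The same checks apply; only the struct layout changes.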
 
Tired of paranoia. My now ancient router running DD-WRT, has had no problems. Practice secure computing.

I haven't been hacked in a very, very long time, doing very, very dubious things. The article is some geek trying to pretend a molehill is a mountain.

I've seen this countless times before, and never any issue.

Software firewalls are for idiots or those who want a lazy redundant solution, OR those who pirate software and want to selectively control which files are allowed to phone home to the mothership.

Okay to be fair, if you have no hardware firewall, then software it is!
 
I've covered this before in several threads. You aren't getting Enterprise security and support on hardware costing $40-100. These devices are produced on the cheap and firmware updates, if there are any in the first place, stop shortly after release and a replacement product is on the market. This whole situation works just fine for probably 99% of the buyers, so there's no incentive to change it either.

I've suggested that folks wanting a more robust firewall solution either build a pfSense box or Sophos box, or buy a used SonicWall or WatchGuard appliance, etc. Something with a decent GUI that doesn't involve knowing IOS or Junos.

A software firewall is like having a lock on your office door. That's great, but if the folks you want to keep out are already in the building and your wife and kids aren't in the office with you, keeping them out of the building in the first place should probably have been a higher priority.
 
We use SonicWALL appliances at work. I would take one of the decommissioned ones home, but they are usually trash spec-wise by the time they are taken out of service, and since I have gigabit internet I want to be able to use it all. But even unregistered with no support it is better than your garden-variety consumer router.

I have been using DD-WRT on my home router for years and haven't had an issue (I even host a server at home), but I have been tinkering with pfSense.
 
If my Mac FW accepts valid certificates without question, I am not sure that turning it on really gives me much more protection than my router if the private key has been compromised.


 
Untangle works very well also and is extremely customizable. I run Untangle UTM (firewall, WAF, IDS, AV, Web Filter, Ad Blocker, etc..), Advanced Tomato on my WiFi router, route all traffic to OpenDNS.com, and a few other things on the hosts on my home network. Overkill? Not from what I see with my job. For those that say things like "I've never been hacked and all I do is not click on stupid stuff!". Well, the point of most hacks is to not alert the victim that they've been hacked. They want you to think everything is normal so they can go about their nefarious ways. Defense in depth is worth a little extra expense.
 
The macOS firewall is pretty effective; I suggest you turn it on.

https://support.apple.com/en-us/HT201642



About the application firewall
OS X includes an application firewall you can use to control connections made to your computer from other computers on your network.

OS X v10.5.1 and later include an application firewall you can use to control connections on a per-application basis (rather than a per-port basis). This makes it easier to gain the benefits of firewall protection, and helps prevent undesirable apps from taking control of network ports open for legitimate apps.
 
This is interesting to read relative to the Fraunhofer report and the other thread about this. Where the report falls short is in the analysis of any sort of “higher end” unit. In the other thread, you recommended a Cisco Z3 router. How would it fare in the analyses that Fraunhofer did? Flawless, or just a bit better?

It’s also interesting to see that (at least my interpretation) to get good firewall capability, you need yet another computer system to run that, in addition to the router and anything else. That’s clunky. Does that requirement go away with an “enterprise” unit?
 
Yeah, you don't need a separate box if you buy something from WatchGuard, Sophos, Check Point, SonicWall, Cisco Meraki, etc., as they are all available with integrated WiFi. Where a separate box comes in handy is if you are working on a budget and don't mind the extra hardware. Most of these (very high quality) firewall distros are free, or free for home use (Sophos UTM).

I suggested the Z3 because it's the cheapest of the products offered under the Cisco Meraki umbrella. It's cloud-managed, gets regular firmware updates, but lacks UTM and a few other features that you get with an MX, but the MX costs a fair bit more.

The MX64W is the least expensive SD-WAN offering with integrated WiFi: https://meraki.cisco.com/product/security-sd-wan/small-branch/mx64w/
Paired with the Advanced Security licence you get a pretty good setup.

On how these devices would fare in the report? I'd expect them to do extremely well, if not flawlessly, in the report, given that firmware updates are regular, firmware testing extensive and of course the focus on security. The Z3, for example: I have several in the wild, most running the "stable" track, which puts them on a 14.xx series firmware, and another on the Beta track for testing. The Z3 runs the same MX software as the MX series; you just lack many of the options in the cloud UI that you get with the MXs. So in my case, they are all running 14.42, which was released on May 7th, 2020.
 
Thank you. Do you have a recommendation for a separate box? Seems that by the time one would buy that plus another consumer router, it wouldn’t be budget anymore...
 
Well, it's usually an old computer somebody has kicking around, as the hardware requirements are far from lofty for just shuffling packets and inspecting them. The last one I ran at home here was a Core 2 Duo SFF HP, and that was quite a few years ago. I actually had a great deal of success doing "budget" Intel Atom extremely-small-form-factor computers for clients that didn't want to spend the money on a Cisco box. It cost a couple hundred to toss together at the most and ran pfSense.

There are some budget offerings on Amazon that fit the bill, like this one:

You can see the recommended hardware to make it complete puts it at about $220.00. Slap pfSense on that and you are good to go.
 
So this goes between the world and your router. In my case, between the Cat 6 that FiOS gives me and my internal router.

There’s no latency concern? Obsolescence? Do I then deactivate certain protections on my router since it’s double duty and unnecessary?

Seems that by the time one spends $220 on this plus the setup, plus a router, they’re better off buying the Cisco box you recommended.
 
There's no need for a consumer router at that point, you could get by with an access point (and cheap PoE switch if you have wired clients). However, most people embarking upon this adventure would already have one, like you, so then the easy thing to do is just turn it into an access point + switch combo by disabling DHCP on it and giving it an IP on the LAN side within the subnet you plan on using for management.

Yes, the Cisco Meraki product at that point has some value appeal, but the Z3 doesn't offer the same level of granular firewall control as you get from pfSense, and of course you do have your subscription cost as well.

There's also the education angle: setting up and messing with a pfSense box is going to improve your networking knowledge, which is never a bad thing IMHO.
 