Ask Slashdot: Which Is the Safest Router?
MindPrison writes: As ashamed as I am to admit it -- a longtime computer user since the Commodore heydays, I've been hacked twice recently and that has seriously made me rethink my options for my safety and well-being. So, I ask you dear Slashdot users, from one fellow longtime Slashdotter to another: which is the best router for optimal safety today?
The unplugged one.
That's optimal safety, and minimal usability.
Your question is ill-defined anyway.
Not trying to be overly pedantic here, but do you mean firewall? Routers aren't necessarily security devices.
"Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
Can get one for $200 or less if you shop around
Number one feature: No upnp available on the device
Specialization is for insects. -Heinlein
A "secure" router won't help you. What does "hacked twice recently" actually mean?
The disconnected one.
https://www.ubnt.com/edgemax/e...
Just a happy customer. Firewall, VLANs, scheduling, logging, etc. Can't beat the price either.
The safest router out there is the one that is off, but with that said, I'd recommend something based on pfSense. Security through obscurity hasn't helped, like with the second backdoor password found in some Cisco products.
http://purplebark.net/maffew/scissors.pdf
It is a time proven solution to network woes.
In my opinion the safest router is one that can continuously be updated with the latest patches. About a year ago I used an Ars Technica guide to building your own router (link below). Ordered a very inexpensive mini PC from China with four 1-gigabit ports and put Ubuntu on it. You can set it up to auto-update, but I do it manually. Every week I log in and Ubuntu tells me at login if there are any updates, and if any are related to security.
Besides being a much better performing router with full firewall capability, and with just about any feature you want available to download and install packages for, it is on the bleeding edge of security updates.
https://arstechnica.com/gadgets/2016/04/the-ars-guide-to-building-a-linux-router-from-scratch/
one to which you have the source code:
https://www.dd-wrt.com/site/index
OPNsense, a fork of pfSense, which is a fork of m0n0wall. It is based on HardenedBSD, with a ton of additional security extensions not available in normal FreeBSD or pfSense.
But really, security isn't just one device. Secure ALL of your shit.
Does safety mean that you can trust the code in the router or does safety mean performance of router to defend against attacks because those are different requirements. If code trust is more important, I would recommend any router that you can replace the firmware with open source firmware like DD-WRT or Tomato. For performance, I don't know of any comparisons published on different models of routers.
Well, there's spam egg sausage and spam, that's not got much spam in it.
Norton Core - Uses global intelligence network from all of symantec products, excellent wireless coverage, get notified or require acceptance for all new connections, super easy to configure and monitor. Free malware protection for endpoints and mobile devices included.
https://www.pfsense.org/
Get a PC running Linux/OpenBSD/pfSense/etc. with two NICs, enable any applicable hardening, enable automatic updates.
Bonus points if you can get that running on a mini fanless system with an SSD.
I chose it mainly for security. As a former Google engineer, I feel that Google's security expertise is top notch.
...as long as you put OpenWrt on it.
Slashdot, fix the reply notifications... You won't get away with it...
...plugging directly into the modem is worse than no router.
Personal safety on the Internet depends on layered security approach. A "router" simply connects networks together, it's the firewall features and any IDS/IPS and filtering and malware scanning capabilities which make them more secure. There are open source projects and neat hardware platforms for this if you like to DIY, but for off-the-shelf products really you're looking at something like a FortiGate or SonicWall with threat subscriptions kept up-to-date. These are usually not cheap.
At the end of the day though, having a fully-patched home router using OpenDNS for DNS lookups, password-protected management interfaces, strong wireless passwords, and fully patched endpoints with some form of anti-malware protection and a policy for only using apps from "known good" sources is generally best. Add in some browser plug-ins, stop running apps as an administrator, and use a password manager with complex passwords and don't click on links in emails without popping them into virustotal.com and you should be as safe as reasonably possible.
Security is not a router or a piece of software or a service.
It is a process that includes rigorous applications of best practices, monitoring, auditing, testing.
Security ensures when (not if) something goes wrong that you have all of the information and resources to recover in minimal time with minimal loss.
You can build your own router. There are some nice projects and neat hardware to install them on. You can have as much control as you want and you can keep apprised of patches, best practices, monitored alerts.
Or you might not have that kind of time. You probably just want an appliance you can buy that gives you good service and doesn't end up as a botnet node that steals your info.
So just do a little research. See what vendors have a good track record, see how long they keep posting updates for their products. See what features you want. (Good wifi is worth paying for). Like with anything else, if you put in that effort you'll probably be ok. That's pretty much all you can expect from something you pay less than 200 bucks for.
You want more, you'll pay for it in time and money.
I am also networking and programming savvy but I always assumed good hacking jobs would go unnoticed. What tipped you off to being hacked and do you allow admin login to your router from the wan side? I'm generally aware that is the most likely attack vector. Thanks for any info.
In this day and age, nothing will help you. Buy a Microsoft phone and wrap a Faraday cage around your bed. Use Microsoft Edge. PFSense is shit, a firewall won't help but disabling your Wi-Fi might.
Please keep in mind that they make low-end routers as cheap as possible.
And no, they don't care about the firmware. As long as it does the very, very basic.
Thus, if you want a secure router, you can spend hundreds on a name brand 'secure' router, or you can install a stable, proven and free operating system on it.
The one with updates installed and configured correctly. Do you really need the UPnP and do you really have to administer the router outside of your network? Do you really have to have administrative access from all your devices and does that really have to be available all the time? Do those unused functionalities have to be enabled and do you actually even have to share a printer in your home? (Consumer) Router firewall is not everything. Protect your devices behind it too from each other.
The truth is, nothing is secure unless you can educate yourself a little bit. However, if time to do so is not a problem, the most secure device to remote hacking is probably something running OpenBSD on some single-core CPU ancient enough to be immune to stuff like the recently discovered spectre/meltdown vulnerabilities.
pfSense running on WANBOX...
pfSense because it's open source and free and "just works". WANBOX, because it's reliable and supports AES-NI crypto onboard.
Mike @ The Geek Pub. Let's Make Stuff!
A Netgate SG-1000 if you want a packaged solution;
https://www.netgate.com/soluti...
Else load up PfSense on an old PC or search ebay for pfsense... You'll find also repurposed appliance from other people loaded with PfSense.
Fast so it can support a quality VPN.
Then have a computer just for "internet" on it as the only computer on the network.
An OS some bookmarks and what apps are needed.
Have all long term data well away from any networked computer.
Find a fast router with a good CPU that can support the best VPN protection.
Make sure the loss of the VPN will not revert to any ISP ip.
Should any malware get into a computer, they get nothing. Some bookmarks, some productivity apps.
Everything can be restored and be back online quickly.
Stay away from wifi, big brand devices with "helpful" always on microphones, webcams.
Domestic spying is now "Benign Information Gathering"
Both reasonable price and insanely good features/security
The safest router is the one that does not let any packets through at all. Taking a pair of scissors to your Ethernet cables would work fine.
It depends on your needs and your budget. If you're a typical home user that doesn't have people specifically targeting them then your needs are very different than a corporate executive who is regularly hit with espionage attempts.
I'll answer for a typical home user: Turris Omnia. It's a bit pricey ($339 on Amazon), but it runs a modified version of OpenWRT. It's easy-to-use, reasonably powerful in terms of features and capabilities, and is updated frequently.
Help save the critically endangered Blue Iguana
The Cisco/Meraki devices are phenomenal.
They are not cheap by any means, but you can get a short stack of a router (MX series security appliance; an MX64 was given when I took the class), PoE 8-port switch, and wireless access point for free if you attend a Cisco CMNA class.
Routers are guaranteed to be unsafe if either:
1. It has "cloud" in product title or datasheet.
2. It comes in a plastic box.
The absence of either of these things does not imply safety.
Any DDWRT, *Sense or plain old Linux box with some iptables rules if you don't have a life is infinitely better than off the shelf crap by people who don't give a damn.
While firewalls and network security in general are meaningless WRT to security at least having a router that won't be hacked remotely and conscripted into a coin mining DDOS launching botnet is a step in the right direction.
Unless you are talking about your netgear or dlink box getting back doored, I think you are looking in the wrong places.
Any NAT device is sufficient.
Patch all your stuff
Don't download crap
Don't execute the crap you download
Don't play web games
Don't use internet explorer
uninstall flash
uninstall java
If you are really looking for a good firewall, go grab a little pfsense box from netgate. But I think you have many other places to look at first.
I use a cheap Pentium motherboard (also low power), and a quad intel Ethernet card (a used PRO/1000 for ~$50). It has all the bells and whistles of commercial units (captive portal, easy web ui, etc), but has the advantage of being based on FreeBSD.
https://www.pfsense.org/
If you were to prefer Linux, it would be possible to use openwrt instead.
I wouldn't trust anything off the shelf.
Just get an old computer, connect a switch and/or a WiFi interface to it and put something like OPNsense on it. Better yet, roll your own solution from scratch.
I find that how you configure the firewall is more important than what the underlying firewall is. As an example, a lot of systems are getting cryptolocked because you have RDP enabled on the internet, on a standard 3389 port forwarding to an unpatched system. Regardless of the type of firewall and all the great deep-level packet inspection, as soon as encryption kicks in (even with SSL decryption), it's hard to catch the malware passing through.
I think having all these subscription based services like IPS, and antivirus gives the false sense of security in this complex world of IT security.
1. Limit your exposure of ports and IPs on the internet to what's necessary, not what's convenient.
2. Ensure that the systems taking in these foreign connections are well patched and monitored
3. Don't assume that you can't get hacked if you have no ports open. All it takes is downloading and executing a single malware file that can act as a secure channel back out to bring in its true payload
KW
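Taken together with the questions raised earlier in the thread about UPnP and WAN-side administration, the three points above amount to a checklist that can be run against a router's exported settings before anything is exposed. What follows is an added example written for this page, not code posted by anyone in the thread: it audits a constructed key/value config dump and a constructed forwarding table offline. The config keys, the set of ports treated as high risk, the sample rules and the helper names are all my assumptions; a real router exports something different, so the loader is what you would adapt, not the checks.

```python
"""Offline audit of a home router's exposure: forwarded ports and management settings.

Added example for this thread, not code posted by anyone in it.  The config
dump format (a flat key/value dict) and every rule below are constructed data.
"""
from dataclasses import dataclass

# Services that are commonly forwarded for convenience and routinely scanned
# for.  Keyed by the LAN destination port, which is what identifies the service.
HIGH_RISK_PORTS = {
    21: "FTP", 23: "Telnet", 135: "MS-RPC", 139: "NetBIOS", 445: "SMB",
    1433: "MSSQL", 3306: "MySQL", 3389: "RDP", 5900: "VNC", 6379: "Redis",
}


@dataclass(frozen=True)
class Forward:
    proto: str        # "tcp" or "udp"
    wan_port: int     # port opened on the WAN address
    lan_host: str     # internal destination
    lan_port: int     # internal destination port
    src: str = "any"  # WAN-side source restriction; "any" means the whole internet


def audit_forwards(rules, approved):
    """Return one finding per forward that is unapproved or risky.

    `approved` is the set of (proto, wan_port) pairs the owner decided to
    expose on purpose.  Anything else is reported.  A high-risk service that
    is reachable from any source is reported even when approved: that is the
    "RDP on 3389 forwarded to an unpatched box" case, and the fix is a VPN or
    at least a source restriction, not a line in an allowlist.
    """
    findings = []
    for r in rules:
        service = HIGH_RISK_PORTS.get(r.lan_port)
        if service and r.src == "any":
            findings.append(
                f"{r.proto}/{r.wan_port} -> {r.lan_host}:{r.lan_port} exposes "
                f"{service} to the whole internet; put it behind a VPN or restrict src"
            )
        elif (r.proto, r.wan_port) not in approved:
            findings.append(
                f"{r.proto}/{r.wan_port} -> {r.lan_host}:{r.lan_port} is not in "
                f"the approved list; remove it or approve it deliberately"
            )
    return findings


def audit_settings(cfg):
    """Flag management-plane settings that widen the attack surface."""
    findings = []
    if cfg.get("upnp") == "enabled":
        findings.append("UPnP is enabled: LAN devices can open WAN ports without review")
    if cfg.get("remote_admin") == "enabled":
        findings.append("WAN-side administration is enabled")
    if cfg.get("admin_password", "") in ("", "admin", "password"):
        findings.append("admin password is empty or a vendor default")
    if cfg.get("wifi_auth") not in ("WPA2-PSK", "WPA3-SAE"):
        findings.append(f"wifi auth is {cfg.get('wifi_auth')!r}; use WPA2-PSK or WPA3-SAE")
    if cfg.get("firmware_auto_update") != "enabled":
        findings.append("automatic firmware updates are off")
    return findings


# Constructed sample data (not a real device).
SAMPLE_CFG = {
    "upnp": "enabled",
    "remote_admin": "enabled",
    "admin_password": "admin",
    "wifi_auth": "WPA2-PSK",
    "firmware_auto_update": "disabled",
}
SAMPLE_FORWARDS = [
    Forward("tcp", 3389, "192.168.1.20", 3389),                        # RDP to the internet
    Forward("tcp", 3390, "192.168.1.21", 3389, src="203.0.113.0/24"),  # RDP, source-restricted
    Forward("udp", 51820, "192.168.1.1", 51820),                       # WireGuard, deliberate
    Forward("tcp", 8080, "192.168.1.30", 80),                          # forgotten web test box
]
APPROVED = {("udp", 51820), ("tcp", 3390)}

if __name__ == "__main__":
    for finding in audit_settings(SAMPLE_CFG) + audit_forwards(SAMPLE_FORWARDS, APPROVED):
        print("FINDING:", finding)
```

Running the sample prints six findings: four settings (UPnP, WAN-side admin, default password, updates off) and two forwards (RDP open to the internet, an unapproved 8080). The source-restricted RDP forward passes because it was both approved and limited to one network; whether that is acceptable depends on whether the host behind it is patched and monitored, which is the second point above and not something a rule audit can see.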
Buy a small used Juniper router then do some research to get the latest firmware, and default setup for a NAT solution. 100Mbps models are around 100 bucks on Ebay
https://www.ebay.com/itm/Juniper-SRX100H2-2GB-Flash-8-Port-10-100-Security-VPN-Firewall-w-AC-Adapter/202302842635?hash=item2f1a30670b:g:J4AAAOSwphNa6Ogj
If you need to get above 100Mbps - get an SRX210 for about the same or a little more. Stay away from the POE models... their power brick/draw is pretty high but if you need POE too they aren't too shabby. Two of their interfaces are 1Gbps and the rest are 100Mbps.
https://www.ebay.com/itm/Juniper-Networks-SRX210-Services-Gateway-Enhanced-security-applianc-SRX210BE/252042279570?epid=1500571488&hash=item3aaee3fa92:g:ptUAAOSwwBha9Hup
These are commercial small-business routers on the cheap.
Get a router that you can replace the stock firmware with openwrt (LEDE was a fork, now merged back in). Of those, get a *supported* mt76-based router (e.g. D-Link 860) or an ath10k-based one (Archer C7). The ath10k has a small binary blob problem; it's not like the fully open ath9k of years ago. The mt76 is the most open of current hardware.
Just double check the revision of the router you pick is supported. Sometimes a new version is actually a completely new router!
The other openwrt routers (e.g. Linksys) also run openwrt just fine, but rely on the manufacturer to update the firmware to fix bugs the openwrt contributors can't.
First, I'd suggest going double NAT using a couple of routers for a layered approach. Internet connected to one, one connected to the second, internal network connected to another interface on that second. I also would look for something other than mass market stuff. Using different vendors at each layer would be a good idea as well. Update firmware, keep track of changes by reading the release notes. Also make sure everything inside your network is up to date and secure. Power it off if you can. Can't hack it if it doesn't have power. Generally.
I've heard good things about Cisco very recently. They put out a lot of fixes.
They constantly update, and then made it skinny. In fact, I wish I had a couple of features back. However, it does a decent security job.
I prefer the "u" in honour as it seems to be missing these days.
One not connected to a network powered off and in an underground fallout shelter, air-gapped from the world by a vacuum chamber inside a Faraday cage. Everything else is hackable.
A self-made/installed Linux box is probably the least secure solution for most people. Unless you really know how to secure and lock down your Linux box AND keep it up to date on a weekly basis, your "router" is far from secure. There are few people who really know what they're doing in this domain.
This is why OpenBSD was created. Out-of-the-box security, time between remote exploits measured in years, and a firewall is part of the default install. Yes, it still needs patches but one is starting from a far far better place than Linux.
If all you need is a router there are plenty and they're mostly safe because they don't do much.
If you need a NAT gateway, Intrusion Protection System, etc. Now you're talking firewalls.
Firewalls are MUCH more difficult to get right.
Even Cisco just got dinged today (2018-05-17) for having a fixed-password backdoor in some enterprise-level hardware.
If your goal is to spend less than $200 then you will not be getting anything worth describing as "secure". Go to your nearest Walmart, Safeway, ACE, or whatever, and buy the feature set you want, knowing you'll need to do regular firmware upgrades and these will always be BEHIND the hacker curve. The companies selling "commodity" or "small business" products don't do research to break their stuff. They just sell as cheaply as possible.
If your budget allows some latitude, check out the Juniper SRX series. They'll do what you want and thus far are considered great.
If your budget is limitless, Palo Alto Networks or Fortigate.
Again - router just moves IP packets and this can be done by a cellphone running Android.
Firewall, however, includes inner/outer networks, NAT, forwarding rules, possibly packet inspection, and a higher layer of security.
Good luck! This is a quest LOTS of people are on!!
Ehud
Tucson AZ
Get a SparcStation IPX. Install a second ethernet card in one of the Sbus slots.
Install OpenBSD/Sparc on it. Set it up as a router.
Everybody has a different set of principles by which they judge a gateway router...but here's an approach I recommend. Insofar as I know, it's damned hard to "beat" this solution, unless the invader is able to modify the routers' own firmware:
In a solution I call "Friday's Folly," I use TWO cascaded routers: The first is in my ISP's connection equipment, which has its own configuration. I use that to assign a distinct and unique IP address range (don't use 192.168....; it's too often used for novices, so they don't have to think.). Pick a different range altogether...that's the first point of confusion for the erstwhile hacker. The time delay through both routers is virtually undetectable.
The SECOND cascaded router has, on its input side, an incoming address (as odd-looking as possible within the first router's LAN range). On the other side (multiple outlets for the LAN), I use a completely different IP address range, picked almost at random. It is that range (which is masked down to just a small range) that is used to access the protected LAN resources.
Why would any hacker/cracker want to work so long to get inside the LAN; he(/she) would have to find a way to "probe" for the valid ranges inside the cascaded routers. At that point, I make the choice to install routers for which any signal on the WAN side can't be used to configure the router...therefore, its configuration is withheld from all but qualified parties on the INSIDE of the network, on the LAN.
Anybody figured out how, with a $20 second router in place, that cascaded router scheme can be easily hacked? The goal was to make the solution so cumbersome (from the WAN side), that they'll go try to invade some other, simpler, less well protected target.
The opponent may be able to get past the first router by peeking inside the ISP vendors' equipment...but that's a chimera, reaching only the SECOND router...for which they have no resources inside the first router to leverage to open up the second router. So, now they're constrained to fashion some tool on the first router that will arbitrarily scan the second router, looking for a hit.
A plain PC with two interfaces running a Linux or BSD system will do the job fine. And since it was not cited yet here, NetBSD can run that as free and as secure as the other ones.
A disadvantage (or advantage, YMMV) is that it requires learning some bits of Unix system administration.
Dual ethernet cards/firewall and SAMBA stood up to all but the inside attack
Maybe someone could update current configuration to today
Simply disconnect completely and there is zero chance of getting hacked.
as home routers.
They actually care about good firmware/software quality, have a shitload of features (most can also be disabled, so no bloat), and most importantly, *always* give you automatic updates. Even a decade after, you still get the newest OS and actually new features. The only case where I saw them not offer a new feature was when the hardware physically could not support it.
So yeah, unless you want to set up your own router from scratch, a FritzBox is a safe bet.
Please don't advertise NAT as security. NAT just allows allocation of non-routable addresses that has a convenient by-default side-effect of denying all incoming traffic. In IPv6, you want to just use access lists rather than NAT, and NAT should die in a fire from its being terribly overused. Lots of people have this idea that NAT is "secure" and access lists aren't, and put NAT in places where it really has no business. It's a very bad rumour that causes people to think that public addresses themselves are *insecure* and that we need to break end to end for security. Leads to many issues. NAT has its place, but it isn't fu^%%*ing everywhere.
I've had Apple Airports up and running, more than a dozen, since they first came out with newer ones over the years. Never had a problem. Excellent security. The fact that they are no longer being sold just means the price is cheaper - they're still excellent hardware and software.
I have an untangle firewall in front of my router... the free version works fine on a little "book" computer I built for about $150, but I paid for content filtering for my kids computers/phones. It's been great so far.
Surprised no one has said anything about Untangle at home and the Sophos Home UTM. It's supply-your-own hardware and wireless, but they have all the next-gen features like Clam and SSL inspection. I use Ubiquiti WAPs for the wireless.
UBNT routers and access points are crap. They are utterly dependent on their "central management" which you quite often do NOT want and which is dependent on their cloud services.
My current setup: OpenWRT on Turris Omnia. I've disabled Turris internal WiFi module (and installed a 4G PCIe LTE modem for a fallback connection) and I'm using TP-Link PoE wireless access points throughout my house. TP-Links are pretty well maintained, support VLANs and don't have any extra fluff.
Turris MOX is an upcoming project that will make it even easier.
Your average individual has tech that is way beyond their ability to manage and secure, so security is performed as an add-on by 3rd parties. And the truth is most of these 3rd party methods are not up to the job.
;)
It is not the fault of the user, since it is the vendors putting the devices out there for all. And not everyone is up to the job of properly managing their devices. It also does not help when vendors put inferior products out there, don't provide updates, etc. The normal user does not know or have the information to select one that makes the grade. In fact it is often true that security is seen as a hindrance to the ease of use and thus discarded by choice. As a result I think there will always be 100s of millions of compromised devices in the eco system.
Which leaves me with this answer: without proper hands-on management you cannot have a secure environment for one's devices today.
Just my 2 cents
Variants of your password are. Have good AV and a password manager on all of your devices. Use a random password for each website. Keep up to date on security updates for your OS, your web browser and programs like Office, Adobe Reader, Adobe Flash, Java and other apps that are common attack vectors. If necessary buy software that can automatically patch common third party apps if you don't want to spend the time.
Make sure your OS comes with its own firewall, turn it on and severely limit the open ports.
Get a good business class router/firewall from a reputable company that offers support and maintenance. Keep your firmware up to date or select a firewall that will automatically download and install firmware updates during hours it's not in use.
Ideally have no open ports on the firewall that allow for unsolicited incoming traffic. If you're going to host your own email server, web server or other service that requires open ports that allow unsolicited incoming external traffic, don't go that route. Use a reputable third party provider instead. If remote access is necessary find a reputable vendor with a product that can do it via HTTPS.
Recognize that you get what you pay for. If you're trying to DIY and you don't know what you're doing then don't do it. Pay for secure products and services from reputable vendors. The bitterness of poor quality remains long after the sweetness of a low price.
I agree, Cisco backdoors are the best.
My main router was a Netgear running OpenWRT for years. They lagged behind in updates. Another group picked up where they left, and started the LEDE Project. Now the two projects have merged again.
They provide updates regularly now, and it is very customizable.
Highly recommended. Just pick a router that is explicitly supported.
2bits.com, Inc: Drupal, WordPress, and LAMP performance tuning.
If you have technical knowledge... OpenBSD. Actually I find pf(4) to be easier to handle than iptables(8).
But there might be better solutions depending on your use case... like are you using WiFi, etc.. but from security standpoint I would go OpenBSD any day.
Also... it's very lightweight, you can run it on almost anything.
I've been running IPFire Linux for years and it's been great. Can't believe nobody mentioned it. Was one of the first to feature fq_codel QoS and the transparent Squid URL filter has been handy for filtering sites for the kids.
https://www.ipfire.org/
Works good virtualized on ESXi as well.
www.ipfire.org and your choice of hardware, then Guardian and Snort add-ons.
Bitdefender Box 2
It's supposed to cover everything in your home...
Or Samba, HTTP, FTP, DLNA, etc. Every service is another vulnerability.
Minimally, all the router needs to do is route, possibly with NAT, preferably IPv6 only. It does not even need to be pingable. A few ipchains rules will turn the machine into a black hole. A router that is off does not qualify as it does not route.
The opposite of security is convenience.
I took the antennae off of my WRT54GL router (besides disabling wifi in software.) Oh, and I flashed it with Tomato WRT which is so old it doesn't have the heartbeat bug in it.
https://www.wired.com/2016/12/ton-popular-netgear-routers-exposed-no-easy-fix/
The term router is thrown around today to mean many different things.
As far as security and preventing break-ins and hacks, NO router or simple firewall/NAT device will protect you. That's not their function.
You really need to investigate NGFW appliances. These are devices which recognise, understand and act upon all traffic on your network, and traffic leaving/entering your network. That is the only way to actively prevent an intrusion. These tend to integrate a router, firewall, NAT, PAT, IPS, IDS, active virus scanner, and network traffic analyser/controller.
I own and am protected by a Palo Alto PA-220 device, which is an excellent investment. If you are serious about security, and unless you are a serious security expert, you don't roll your own solution. Pure and simple.
Hackers will always want the biggest bang for their buck, so they'll attack very popular routers. Who wants to bother with the product used by 5% of the population?
Look in to using OpenDNS. It's free and will keep you away from a lot of bad "stuff"
...any router that's powered down, & has had an unfortunate encounter with a sledgehammer, especially if you're a CenturyLink customer.
If you visit a security conference, you will find that most of the attendees are using Chromebooks. They are much more secure than your typical Windows or Apple device. Another issue people often have is that they re-use the same password for multiple services. One of the services gets compromised, and the attackers use your credentials to access your email account, and thus other services. Set a unique password for each account. Save those passwords in a password manager. Enable the 2-factor authentication feature on your email account. Firewalls will not protect you against modern threats. Antivirus will only protect you against some of the modern threats. I also suggest you also consider taking an internet security class, to avoid common pitfalls. Most modern issues can be avoided by educating yourself against common attacks, which often involve social engineering.
If you're going with IPv6, make sure your firewall understands zone concepts. Using address ranges is a very bad idea when IPv6 is used as things can change and testing becomes nearly impossible. For home use you might have a zone for your gaming systems, a zone for your work computers, a zone for guest wifi. Also make sure that it can cope with things more complex than the "Trust/Untrust/DMZ" model which was fine before multi-port routers and VLANs.
Recently discovered Check Point's security appliance, with all the options configured, it works very well.
The router you use is irrelevant if it's poorly configured or maintained.
It's hard to gauge whether you're talking about domestic or commercial routers, but I assume you're talking about your home router. Myself, I'm partial to Mikrotik routers. But, they recently had quite a nasty flaw that had existed for some time too. So, your approach should be to consider security first. Perimeter firewall, host level firewalls, SELinux, AppArmor, least privilege, etc.
I've been loving my older ASUS wifi router. If I were buying one today, I might get something like this model:
https://www.amazon.com/RT-ACRH...
"I like systems, their application excepted", George Sand (French)
At least F-Secure have a router aimed for the not so tech-savvy consumers.
There's a German brand of routers/ATA/IAD/DECT-base/WLAN combined boxes called Fritz!Box. They don't use the web frontend provided by the chipset manufacturer so they use their own, which means that the bugs in 99% of other routers don't work there. Firmware updates regarding features are available for a few years, bugfixes even longer. Costs start at 30 Euros for a refurbished middle model and go up to >200 Euros for the top of the line models.
Other than that, use some Linux computer to build your own router.
I'm assuming we are talking about home routers (no enterprise grade stuff here). If you have the required knowledge, buy a router supported by OpenWRT. Install this distro and keep it properly managed (keep security updates up-to-date, create a sane configuration, etc.).
Otherwise you are screwed.
You question implies that you can measure and compare security.
... that those vulnerable parts of the router firmware typically aren't made by the router manufacturer. The manufacturer usually just reskins the web interface. That's why it's now common to have cross-model attacks on large percentages of the routers.
So you'd probably end up running virtually the same firmware as 90% of the rest. Price is no indication, BTW, as I've seen even expensive routers doing just that.
Honestly, if you know your way around iptables it's easiest to make a small Linux box. A Raspberry Pi with an add-on USB Ethernet port will do.
I'm using Endian products for my business since a couple of years and I have to say that those are good products. Easy to use also for non-experts.
Their products are based on open source software, so they are as safe as the open source code can be. In my experience they are quite fast with updates as soon as a new vulnerability is discovered.
They have a community edition for free.
endian.com
Have a look at Turris Omnia - https://www.turris.cz/en/
Or stop running unneeded services (I am looking at you Ubuntu)... Or if you are running Windows, for the love of everything holy; STOP!
Proper security is usually end-to-end so your router might even be compromised. The next hop (ISP) is untrusted anyway. Make sure your end devices are secure.
https://omnia.turris.cz/en/
https://www.turris.cz/en/
I created a device that disconnects my home network from the internet..
- during sleeping hours
- when it detects that there are no phones and laptops on the network.
It's part of an Ethical Smart Home experiment where we are designing a privacy friendly smart home. Some details:
- It has a hardware switch to reconnect at any time.
- It's fail safe. In case of power failure the internet is reconnected.
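The decision side of a switch like the one described above is small enough to show in full. The following is an added example written for this page, not the experiment's own code: it decides whether the relay should be asserted open or closed from the time of day, a neighbour table and the manual switch. The neighbour-table line format, the presence MACs, the sleeping-hours window and the five-minute staleness limit are all constructed assumptions, and the physical side is assumed to be a normally-closed relay, which is what makes the power-failure case fail safe without any code.

```python
"""Decision logic for a network kill switch like the one described above.

Added example, not the experiment's own code.  The neighbour table lines, the
presence MACs and the sleeping-hours window are constructed assumptions; the
physical side is assumed to be a normally-closed relay, so the link is up
whenever this controller is not running or loses power.
"""
from datetime import time

SLEEP_START = time(23, 0)  # assumption: 23:00 to 06:00 counts as sleeping hours
SLEEP_END = time(6, 0)
# MACs of the phones and laptops whose presence keeps the link up (placeholders).
PRESENCE_DEVICES = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}
MAX_AGE_S = 300  # a device not seen for five minutes no longer counts as present


def in_sleep_window(now):
    """True inside the sleeping-hours window, including one that wraps midnight."""
    if SLEEP_START <= SLEEP_END:
        return SLEEP_START <= now < SLEEP_END
    return now >= SLEEP_START or now < SLEEP_END


def active_macs(neigh_table, max_age_s=MAX_AGE_S):
    """Parse constructed lines of the form '<mac> <ip> <seconds since last seen>'.

    Malformed lines are skipped rather than raising, so one bad entry cannot
    leave the controller stuck in whatever state it was last in.
    """
    seen = set()
    for line in neigh_table.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        mac, _ip, age = parts
        if int(age) <= max_age_s:
            seen.add(mac.lower())
    return seen


def decide(now, neigh_table, manual_override=False):
    """Return 'connect' or 'disconnect' for the relay.

    Order matters: the manual switch wins over every automatic rule, then the
    time window, then presence.  The controller only ever asserts 'disconnect'
    when it is healthy and has a positive reason to; the default is connected.
    """
    if manual_override:
        return "connect"
    if in_sleep_window(now):
        return "disconnect"
    if not (active_macs(neigh_table) & PRESENCE_DEVICES):
        return "disconnect"
    return "connect"


if __name__ == "__main__":
    table = (
        "AA:BB:CC:00:00:01 192.168.1.10 30\n"   # a listed phone, seen recently
        "11:22:33:44:55:66 192.168.1.50 5\n"    # a smart bulb; does not count
    )
    print(decide(time(14, 0), table))   # connect
    print(decide(time(2, 0), table))    # disconnect
```

Two details are worth the extra lines: the window check handles a range that crosses midnight, which is the normal case for sleeping hours, and presence is judged by listed MACs only, so the always-on devices that are the reason for wanting the switch in the first place cannot keep the link up by themselves.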
Use a small PC; these days you can find enough motherboards with two Ethernet connections, and install Linux or a BSD on it. Done.
The PC doesn't even have to be powerful or be able to run a GUI.
Been doing it this way for 20 years, always up to date with patches, easy to replace and get back running if broken, etc.
On a long enough timeline, the survival rate for everyone drops to zero.
Somebody recently managed to leak data through the power cord.
Generally all routers are basically the same for consumers. If you want more security you need to look towards safer practices running better security on devices and using complex passwords.
In any scenario there are explicit facts and implied facts. The explicit fact in this scenario is that the asker was hacked twice. The implied fact, from the question, is that one or both were related to his router. Turning that around on the asker questions his competence to ask the question, and is an arrogant assertion that your mere assumption that he likely doesn't know what he's talking about is more probable than the poser's clear implication in the question that the router is pertinent to the discussion.
There are some Ask Slashdot questions where the implied facts are inherently inconsistent with the question being asked. In cases like that, go to town pointing it out. This here, however, is pretty open and shut and the asker deserves deference in his scenario. In general all implied facts should be assumed to be in favour of the poser of the question knowing what he's talking about.
In short, and I'm going to bold this so you can refer back to it, unless there is an overwhelming reason not to, either answer the question asked or exercise your constitutional right to remain silent.
A router won't help you when you take a laptop to a cafe or some other place.
You want better security on the endpoint devices. Assume 0-trust of any network including your home one.
What a lot of comments to a 2-line post where the person doesn't even explain what happened, let alone what router was being used. People just jump to conclusions!? Obviously your security setup was bad, in which case the router won't matter. Use a VPN.
The safest router would be the one with rounded corners.
I have been using Sophos UTM for years and I love how it has a default secure state and you have to unblock everything you want to use. However UTM is getting close to EOL and so I switched to their new XG firewall. It is more open as a default but that is easily fixed with a new rule that blocks everything. After a bit of learning I like the new XG firewall and because it is free I can't complain about the price. I bought a cheap desktop online and added a second NIC. It has been running for about 6 months without any problems.
I bought a Synology home router appliance about a year ago after observing that:
- my Synology diskstation NAS had been receiving firmware updates for years (with auto updates)
- their routers appeared to run similar firmware (including the same borderline gratuitous web admin interface)
- the published change log for the router firmware included reasonably frequent releases and fixes for many CVEs: https://www.synology.com/en-us/releaseNote/RT2600ac
In particular, I bought this one: https://www.synology.com/en-us/products/RT2600ac
So far I'm a happy customer. The router checks for updates automatically, sends an email to me as an FYI when an update is available, and auto updates itself.
I was pleasantly surprised to be able to enable 2 factor authentication on the admin interface (using Google Authenticator), although it has the downside of making it harder to get in when the Internet connection is down.
My only complaint feature wise is that it's only possible to restrict access to the wired network from the guest wireless networks, not the primary wireless network -- and it's not possible to turn off only the primary wireless network. I.e. it's not possible to completely disable wireless access to the wired network.
Obviously frequent auto updates, historically long device update support, CVE fixes, and 2 factor authentication don't guarantee security, but they beat a lot of what I've seen in the home router appliance market. Synology doesn't have a long history of building routers, but they have a decent history of building reasonably popular NAS appliances. I doubt that their routers get as much attention from responsible security researchers as more popular manufacturers' do, though.
The main problem with routers is they have outdated firmware and sometimes they're leaving open ports for devices that have outdated firmware, OS's not updated, or there are devices on the network that were hacked through no fault of the firewall (phishing, installing infected apps, etc). To eliminate #1 and #2, I suggest a router that always provides updated firmware with minimal effort on your part.
The one that does that best is Google Wifi as long as you don't care about what's in their updates. They're intended for the non-technical user.
If you're willing to keep the router updated on your own, and know enough to flash firmware, buy any router with decent ratings and price that has DD-WRT compatibility. DD-WRT is 3rd party open source firmware for routers that stays continuously updated. Most router makers abandon their routers within a year or two and many routers being sold today don't even have that long to go before they're abandoned, because they've been on the shelf a while.
For home use, the *best* in safety is a firewall/router that runs third party firmware like DD-WRT or OpenWRT. Personally, I run OpenWRT on my WRT-1900ACS Linksys with a USB powered cooling fan sitting on top. Also, run the minimum on your router. No VPN end points or other services on the router connected to the internet. Don't port forward, except to DMZ based hosts, and don't have the DMZ host on your private LAN; always go through another firewall/router to get to the real stuff.
However, I'm guessing that unless you have port forwarding, you got hacked from the inside by some exploit you willingly executed. All the secure network equipment in the world won't help if you don't keep malware and virus detection actively running and updated regularly, AND if you insist on running stuff from hazy sources.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Sonicwall is the best.
Untangle Home. It is $50 per year for home use, and includes all of the premium features, at a fraction of the cost. Untangle is easily comparable to the other retail security appliance vendors, but it is much easier to configure. Many of the admins that favor a "lock out everything" mindset do not appreciate Untangle because it does not take that approach. But that makes it easier for the home-gamer to set up and fine tune. There will be a definite learning curve because there are so many more features available. For hardware, I recommend a barebones headless PC that can be kitted out for $230 or less.
Check out the Bitdefender Box 2.
"I've been hacked twice recently and that has seriously made me rethink my options for my safety and well-being. So, I ask you dear Slashdot users, from one fellow longtime Slashdotter to another: which is the best router for optimal safety today?"
What make and model was this modem, and was it running with the default username/password, UPnP enabled and the ISP's remote upgrade enabled? Personally I've ditched the supplied modem and use a third party model with customized software running as a blob.
The current security crisis demonstrates the dangers of a monoculture: when a virus comes along, it wipes out most of the ecosystem. The solution is to mix-and-match the hardware/software combinations to effectively produce unique devices, not all susceptible to the latest malware.
'CyberInsecurity: The cost of Monopoly How the Dominance of Microsoft's Products Poses a Risk to Security'
You were hacked because you did something stupid, like trust a website or an app or a download that you shouldn't have. Just like most people whose home system have been hacked. No router, firewall or ruleset is going to stop you from doing stupid things.
And how do you stop doing stupid things? You identify the stupid thing you did in the past: what you did, why you did it, and what the results were, intended and otherwise, so you know what behavior not to repeat in the future. You'll never stop repeating a mistake if you don't understand it.
Install OpenBSD, it's the only way to be sure
First, like the question everyone keeps asking: how are you getting hacked? More data would be helpful... barring that...
Some things I would recommend:
- If you want to change your router, any of the decently reviewed routers are OK, or you can roll a bunch of options like DD-WRT, etc. I just use a commercial one.
- Make sure your computer's firewall is ON and that it logs all connections (and that it's blocking inbound).
- If Windows, make sure the logging and auditing are on.
- Use the latest version of whatever your OS is.
- Look at what's actually installed, and what you're actually installing. Don't install anything that's not 100% trusted: no 'warez' or pirated software, no pirated mp3s, movies, anything. If it's not 100% trusted it needs to go. This is an important step.
- If you suspect a hack, a full reinstall of everything is in order, period, full stop.
- Do an opsec review of all your accounts, clean up the privacy and security settings and change all your passwords, and update security questions etc. Every account should have a unique random password; use something like LastPass or 1Password.
- Make sure you're using the latest browser versions (Chrome is pretty good here) and add Flash and ad blockers, and add HTTPS Everywhere.
- Don't click on untrusted links, or run anything untrusted like Facebook games etc.
- If you're using Mac or Windows, use Malwarebytes and a good security endpoint product. Sophos is free and decent.
- Set up an OpenDNS account and use it to block all the bad sites in it.
- Make sure all your software is always up to date.
- Don't run as admin; run as a standard user and, if Windows, set UAC to full. Use a 2nd account for admin.
This should help you out a lot.
-Nex6
There is no simple solution to this problem, it's a full network design issue.
My current network setup:
1. ISP Connection.
2. PFSense Firewall with Suricata.
3. Unifi Gateway: https://store.ubnt.com/collect...
4. Router: https://store.ubnt.com/collect...
5. Switch (Managed): https://store.ubnt.com/collect...
6. Wireless AP's: https://store.ubnt.com/collect...
7. ELK Server, so I can monitor the network and computers
Finally, firewalls on all the computers, which are all running Linux, so I use UFW and Firejail to make everything nicely locked down. I don't use those exact parts, but close enough. Make sure to disable any built-in APs that come bundled with ISP modem/routers. Your ISP connection should ONLY be a modem.
The safest router is a router that you don't connect to any network.
My recommendations for the most secure options for home or small office use:
Dedicated hardware: Asuswrt-Merlin ( https://asuswrt.lostrealm.ca/ ) combined with one of the compatible ASUS router models. It's being actively supported; new versions appear every one to two months, and would likely appear more quickly if there were a major zero-day exploit. Not as feature-rich as DD-WRT or the like but more frequently updated.
Build your own PC or pre-configured PC: pfSense ( https://www.pfsense.org/ ) or OPNsense ( https://opnsense.org/ ). OPNsense is a fork of pfSense, which in turn is a fork of the now unsupported m0n0wall. They're based on FreeBSD. The companies sell pre-configured systems and support contracts as a source of income, but the software is free and open source and you can roll your own system. A PC has more memory and computing power than a dedicated router box, so these are more feature-rich than anything that runs on one of those boxes.
I would also recommend using carbide bits, as a 98 year old might not be able to change them easily, holding the shaft lock while torquing on the latching nut.
yes, this was off-topic. but it's a nice giggle.
if this is supposed to be a new economy, how come they still want my old fashioned money?
There is no such thing as a perfectly secured router/firewall/gateway. Any degree of access required increases attack surface. The most you can do is lock down everything you possibly can, intelligently allow the absolute minimum of access (bi-directionally) required to do what you need to do, and pray. Most reputable open-source *ix based solutions work the best (unless you're talking commercial/industrial appliances), and which one you want depends on which featureset you require combined with available hardware. There are even pre-spun *ix distros for this specific purpose. The other half of this is intelligent use of the interwebs. It's already been said, but don't go to sketchy sites, don't fool around with Flash/Java games (remove Flash and Java from your PC if you can), don't use Windows/OSX unless you absolutely have to, and don't click stupid stuff.
I have an external pfSense firewall, also running Snort, running on a controller that is the first entry point from my ISP's input box. My router then connects to the pfSense firewall. This affords me some protection from anyone getting to my router through the internet. Over wifi is another problem, but we are hard wired only here. You can set up pfSense on an old computer.
If you have a Mac, I love and have never had a problem with LittleSnitch. https://www.obdev.at/products/...
What about Turris Omnia?
"UPnP."
"Web Configuration"
"Dependencies on External Vendors"
"Remote Configuration"
The above excludes almost every device you are likely to find in Best Buy / Walmart / Future Shop / etc -- almost every single "consumer" device.
Has a proper stateful firewall whether or not included with a "proper" NATP implementation (not cheap Chinese NAT).
This will drive your price point over $5000 for a NEW device.
Again, make SURE that all remote access and web configuration features are disabled. If you cannot entirely configure the device from your computer when only your computer is connected to the device and absolutely nothing else whatsoever is connected to anything anywhere, then you may as well just cut off your nuts with rusty pinking shears since you have zero security ...
One of the things I've used off and on in the past is Steve Gibson's grc.com shields up testing.
It does a decent job of scanning all of the normal ports, as well as being able to scan any port range you want.
It gives a graphical representation of the results, where if every square is green, then you're set as far as outside -> inside attack vectors.
They also have a leaktest, where you load an agent and it runs a few tests.
I know Steve's something of an odd-duck, but damn if his Spinrite software hasn't saved my bacon a few times, so I know he does solid work in at least most areas.
Proprietary software is the enemy: no safety with it exists and most routers are dependent on proprietary components. The only routers that I'd consider purchasing are ones that we have a complete set of source code for. LibreCMC is regularly releasing updated packages, and releases more often than most other distributions. The embedded distribution also only ships free software, is endorsed by the Free Software Foundation, and actually has routers commercially available that can be purchased with the complete set of source code included from https://www.thinkpenguin.com/ ; even the bootloader code is available!
I recommend Synology RT2600AC. It uses the Qualcomm IPQ8065 chipset.
One of the FreeBSD router packages like m0n0wall or pfsense running on x86 hardware works well enough. Even better, use an inexpensive VLAN switch as an Ethernet port expander so that m0n0wall or pfsense can route between every device on your network allowing you to choose what can see what. By default, everything can then see the internet, the internet cannot see anything, and nothing on the internal network can see anything else on the internal network. This will prevent one compromised system from compromising other local systems.
I'd take a look at the free firewall software from Sophos (Sophos XG Firewall Home Edition). You can load that onto a low-power/fanless PC. Pair that with OpenDNS (also free), and it makes for a very secure solution.
You could also look at some of the next-generation firewall appliances out there, but that typically requires spending more and sometimes a subscription is required.
I think the reason you got hacked twice is because you think the router is what provides safety. The router does not provide you any safety; that is the job of the firewall. You don't even understand the difference between the two, so you are bound to be hacked over and over again. Get a good firewall, use whatever router you want.
Soekris hardware + OpenBSD (as others have mentioned) is going to be a very reliable, relatively secure solution.
You most likely could leave it running for 5 years and not be hacked, un-updated. That assumes you're just running a TCP/IP stack with PF enabled, expose no TCP/UDP services and otherwise restrict packets by default into the host.
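The policy described in this post, and the per-VLAN isolation described a few posts up (everything out to the internet, nothing in, no segment talking to another), written out as an OpenBSD pf ruleset. This is an added example, not from any poster or from the pfSense/m0n0wall projects; interface names, VLAN numbering and the use of OpenBSD's match/nat-to syntax are assumptions (FreeBSD-based pfSense expresses the same policy through its GUI and older nat-on syntax).

```pf
# /etc/pf.conf for an OpenBSD box used as a router (constructed example).
# Interface names and VLAN ids are assumptions, not taken from the thread.
ext_if   = "em0"                          # WAN, facing the ISP modem
vlan_ifs = "{ vlan10 vlan20 vlan30 }"     # one tagged VLAN per internal segment
table <private> const { 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 }

set skip on lo0
set block-policy drop                     # drop silently, no RST/ICMP replies

# Packets whose source does not belong on the interface they arrive on are dropped
antispoof quick for $ext_if
antispoof quick for $vlan_ifs

# All internal segments share the WAN address on the way out
match out on $ext_if inet from <private> to any nat-to ($ext_if)

# Default deny in both directions, logged. Because this is the only rule without
# "quick", anything not explicitly passed below is dropped: nothing comes in from
# the internet, no segment reaches another segment, and the router itself exposes
# no services. IPv6 is not passed anywhere, so it is dropped by this rule too.
block log all

# Hosts may obtain a lease (DHCP) and resolve names (DNS) from the router only
pass in quick on $vlan_ifs inet proto udp from port 68 to port 67
pass in quick on $vlan_ifs inet proto { tcp udp } to self port 53

# Each segment may reach public addresses; destinations inside <private>
# (i.e. the other segments) fall through to the default block above
pass in  quick on $vlan_ifs inet from <private> to !<private>
pass out quick on $ext_if   inet to !<private>
```

Return traffic for connections started from a segment is admitted by the state the pass rules create, so no inbound allow rule is needed; check the result with `pfctl -nf /etc/pf.conf` before loading and `tcpdump -n -e -ttt -i pflog0` to watch what the block rule is logging.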
Roqos Core is a Debian Linux-based, completely open source firewall/IPS router that one can log in to and run any command on as "root". All cybersecurity solutions must be open, as otherwise you don't know if the router has hacked code, has malware in it, or participates in DDoS, etc. Roqos Core is the only Intrusion Prevention System based on Suricata in the residential market. Currently it has more than 10,000 signatures specifically compiled for homes, and they are updated automatically every day at 4 AM local time, as well as automatic software updates, hence no more firmware updates. For zero-day attacks they are updated instantaneously. More information is at http://roqos.com/. Disclosure: This may sound like a biased opinion as I am affiliated with Roqos :)
I have been dabbling with https://opnsense.org and you can't beat the price as well.
It's pretty much turnkey, allows GeoIP blocking, intrusion detection etc.
I think Pi-holes are now available prepackaged and ready to go now for improved simplicity?
I appreciate your claims... but I invite you to actually explain how, if they can get "inside" the first router, and suss out the address range for the second router, they can get into that second router. The routers are not platforms for programming; each has its own proprietary-ness that must be coped with. Then, even if they gain first-level access, they've got to suss out how to program that second router, too, and develop code for that... which they have to somehow slide past the first router to get into an executable environment on the LAN side.
In general, most security methods are deterrents because they raise the price to the potential attacker to an unacceptable level, and that encourages them to quit and go find that laptop user in a coffee shop using the local (and free) Wi-Fi connection. It's a lot of work, just to find out that you've just hacked "Grammy Rose's" Facebook access platform!
In conclusion: I published a common IP-address string. Are you so dense as to believe that I would publish my actual IP Address? And, yes, I've known it as "cascaded NAT," but you can call it "double NAT" if you wish. All I know is that it all works for me, and has for over 30 years. Someday, maybe, I'll have to toss it out and do something more elaborate...but, so far, I've been pleased with my local results.