Slashdot Mirror


Ask Slashdot: Which Is the Safest Router?

MindPrison writes: As ashamed as I am to admit it -- a longtime computer user since the Commodore heydays, I've been hacked twice recently and that has seriously made me rethink my options for my safety and well-being. So, I ask you dear Slashdot users, from one fellow longtime Slashdotter to another: which is the best router for optimal safety today?

15 of 386 comments

  1. PEBCAK by sexconker · · Score: 5, Informative

    A "secure" router won't help you. What does "hacked twice recently" actually mean?

    1. Re:PEBCAK by Excelcia · · Score: 5, Informative

      How about you stop being pedantic on what the background information means, and either helpfully answer the (fairly easy to understand) question or decide you have nothing useful to add to the conversation and not try to. The people who think they are clever by second guessing Ask Slashdot questions get rather annoying in short order.

      I actually came to this question with some amount of actual curiosity. I used to build Linux firewalls for small businesses. This was back before routers were appliances. When NAT was still "IP Masquerading" on Linux, and it was actually a dirty word because it let you "share" internet connections when the early cable modem providers wanted to sell you an IP address for every computer using the connection. I moved on to process control and automation work, project management, and then switched tracks into the Navy. What relevance is that? The point is, there are lots of people like me who had at one point been heavily invested in the current state of the art who, for some years, haven't had the time or resources to follow current best practices. Ask Slashdot questions like these are actually helpful to those of us who would like the benefit of the experience of those who are still up on the state of the art.

      When you, and those like you, roll in with your clever meta-answers, it helps no one. You and (especially) the five moderators who upvoted your post as "informative" should hang your heads in collective shame.

    2. Re:PEBCAK by strikethree · · Score: 4, Informative

      While I appreciate your view, there are a few things you should be aware of:

      This is Slashdot. Much of the original crowd is pedantic for a reason. The original poster is indeed asking about routers and some people have answered that question directly. Sexconker has identified, correctly, that Mindprison is wanting to not get hacked.

      It is clear that Mindprison is under the impression that a secure "router" would help him not get hacked; however, if that is not what got Mindprison hacked, a more secure router will not help. Sexconker is trying to get to the root of the problem so that actual help can be delivered. Mindprison could buy a recommended router and STILL end up being hacked again. So how would just casually recommending a secure router help in this instance?

      As numerous other folks have pointed out, a router is not defined strictly as a security device. Slashdot has many network and security engineers in its ranks. I am one of them. My first line of thought went exactly as Sexconker's did: How can I actually help this person when they did not fully and accurately, using technical language, explain their problem? So he asked a question that many of us were thinking. (I think Sexconker is a he, I am actually unsure and it really doesn't matter).

      Denigrating him and the mods who modded him up (I was not one as I rarely read Slashdot while logged in anymore) is not terribly useful in this situation. To complicate matters even more, your minor tirade is actually an appropriate response sometimes, but this was not one of those times. Just keep reading other comments and you will still get the immediate type of response that you and Mindprison were looking for.

      Honestly though, Mindprison should have responded to Sexconker's question because then, the actual problem could be identified and addressed.

      --
      "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
    3. Re:PEBCAK by MindPrison · · Score: 5, Informative

      Well, I guess I was a little tired, and provided too little information, but I can explain why I kept it short.

      I talked to some of the security guys at work (I work at a HUGE world wide company, I can't disclose who for obvious reasons), and I told them a detailed story, which I didn't tell you.

      They came to the conclusion that the root of my problems was that I used an unsafe router that has been infected, and that the attackers had most likely infected my router and somehow upgraded it with malicious firmware. Therefore they came to the conclusion that I should go and get a much safer router. So my first instinct, tired and a little stressed from it all - was to ask you. I'm not in my 20s anymore, and I'm not as up to code about the hacking possibilities and vulnerabilities as I once was rightfully for my time. Today, I know next to nothing compared to you guys.

      The first time I got hacked:

      Firefox 54: I was visiting a page to get some schematics for some home made remote control system, and I noticed that the browser had all of my CPU threads busy, and the computer became oddly sluggish. I had No-Script installed, ad-blocker and my windows 10 was up to shape with the latest defender database plus latest updates I could possibly download, I always update immediately when it suggests an update.

      I immediately wanted to force stop Firefox so I went to the Task Bar and looked at the processes, oh my goodness - several instances of firefox (hidden windows /popups that aren't immediately visible?) were running, and it was creating more as I watched. I ended up killing all processes, and ran anti malware software (well, windows defender with the latest definitions) and it came out clean, or so I thought.

      Went to bed, and got woken up by my phone with several warnings from my various social media telling me that someone is posting from a different IP address than I normally used, I got out of bed and panicked.

      I immediately changed ALL passwords to hideously long random letter passwords on ALL my services, and went for two factor-authentication on everything I could.

      This stopped the attack on my personal accounts.

      Thinking it all was over, and safe - 3 weeks went by, and all of a sudden when I was working with something on my Linux partition, the computer crashed hard, and it rarely ever does that.

      After that crash, the Bios (or boot menu) was completely garbled. Interestingly enough, so was the bios on my second computer, which was 10 years old, and my new work computer was only a few years old, but with relatively fresh installations of both Linux (on an M.2. NVMe storage) and Windows 10 on a normal SSD storage, totally separated from each other (well, needing 2 different boot menus to access each one).

      I took a memdump of the entire bios, and found that the raw graphics area contained assembly code whereas it should be an image (you can look at the image with raw data image browser/raw graphics dump, it won't look like a clean image, but you can see that there is image data there).

      What I did, is that I reflashed the bios with the help of a separate hardware switch (my mainboard has two bioses, totally hardware separated with a switch), and looking at the manufacturer's homepage, they already know that their bios had been compromised, so they provided a beta patch with ME microcode included as well.

      I told this story to our security guys, and they said the same as someone else in this thread, someone thinks you have something to hide, and they're not script kiddies, you've been targeted - I suggest you start with a badass router, and take it from there, disable all server services in win 10 + remote services like remote registry etc.

      I don't know that much about windows 10. But that's all I know for now. Appreciate all the feedback, you wonderful Slashdotters!

      --
      What this world is coming to - is for you and me to decide.
  2. Re: The safest router is... by benedictaddis · · Score: 4, Informative

    I like Draytek routers. They have decent security and get updates for years, at a price that's not cheap but not crazy either. If cost is an issue, install OpenWRT on any old router.

  3. Ubiquiti EdgeRouter X by thebes · · Score: 4, Informative

    https://www.ubnt.com/edgemax/e...

    Just a happy customer. Firewall, VLANs, scheduling, logging, etc. Can't beat the price either.

    1. Re:Ubiquiti EdgeRouter X by aaarrrgggh · · Score: 4, Informative

      Have several and do like them, but buyer beware that you actually need to configure it to be secure and it is just an iptables firewall. The Unifi Security Gateway is supposedly going to offer some intrusion protection services, but I am not aware of the details.

  4. OPNsense by darkain · · Score: 5, Informative

    OPNsense, a fork of pfSense, which is a fork of m0n0wall. It is based on HardenedBSD, with a ton of additional security extensions not available in normal FreeBSD or pfSense.

    But really, security isn't just one device. Secure ALL of your shit.

  5. Re: The safest router is... by saloomy · · Score: 5, Informative

    I like using Linux boxes with packet-forwarder turned on in the kernel, and using either IPTables or firewalld, depending on your flavor. I then use my "router" to serve me web content and handle my VPN for me while I'm away from home. Oh, and I would highly recommend something like this: tiny PC with multiple 1GB NIC ports, Wifi, BT, etc... so you can have a WAN and a LAN port. It is easier to configure it this way.

  6. Netgate by bferrell · · Score: 3, Informative

    A Netgate SG-1000 if you want a packaged solution;

    https://www.netgate.com/soluti...

    Else load up pfSense on an old PC or search ebay for pfsense... You'll also find repurposed appliances from other people loaded with pfSense.

  7. Re:safest by Zmobie · · Score: 5, Informative

    one to which you have the source code:
    https://www.dd-wrt.com/site/in...

    This AC is exactly right actually. If you don't want to deal with some god awful proprietary firmware or go commercial grade, pick up a Netgear router with good hardware and load DD-WRT on it. Been using it for years and it is the best decision I ever made for my home setup.

  8. OpenBSD not Linux by drnb · · Score: 4, Informative

    A self made/installed Linux box is probably the least secure solution for most people. Unless you really know how to secure and lock down your Linux box AND keep it up to date on a weekly basis, your "router" is far from secure. There are few people who really know what they're doing in this domain.

    This is why OpenBSD was created. Out-of-the-box security, time between remote exploits measured in years, and a firewall is part of the default install. Yes, it still needs patches but one is starting from a far far better place than Linux.

  9. Routers, firewalls, and IPS oh my by gavron · · Score: 3, Informative

    If all you need is a router there are plenty and they're mostly safe because they don't do much.
    If you need a NAT gateway, Intrusion Protection System, etc. Now you're talking firewalls.
    Firewalls are MUCH more difficult to get right.

    Even Cisco just got dinged today (2018-05-17) for having a fixed-password backdoor in some
    enterprise-level hardware.

    If your goal is to spend less than $200 then you will not be getting anything worth describing
    as "secure". Go to your nearest Walmart, Safeway, ACE, or whatever, and buy the feature
    set you want, knowing you'll need to do regular firmware upgrades and these will always be
    BEHIND the hacker curve. The companies selling "commodity" or "small business" products
    don't do research to break their stuff. They just sell as cheaply as possible.

    If your budget allows some latitude, check out the Juniper SRX series. They'll do what you
    want and thus far are considered great.

    If your budget is limitless, Palo Alto Networks or Fortigate.

    Again - router just moves IP packets and this can be done by a cellphone running Android.
    Firewall, however, includes inner/outer networks, NAT, forwarding rules, possibly packet inspection, and a higher layer of security.

    Good luck! This is a quest LOTS of people are on!!

    Ehud
    Tucson AZ

  10. Re:UBNT is CRAP by MikeDataLink · · Score: 4, Informative

    UBNT routers and access points are crap. They are utterly dependent on their "central management" which you quite often do NOT want and which is dependent on their cloud services.

    Don't spread FUD. You can run their management controller (which totally rocks by the way) on any Windows or Linux PC for free or on a small appliance they sell for less than $100. After you've configured them you never have to run the controller again unless you want to change something.

    --
    Mike @ The Geek Pub. Let's Make Stuff!
  11. OpenWRT/LEDE by kbahey · · Score: 4, Informative

    My main router was a Netgear running OpenWRT for years. They lagged behind in updates. Another group picked up where they left, and started the LEDE Project. Now the two projects have merged again.

    They provide updates regularly now, and it is very customizable.

    Highly recommended. Just pick a router that is explicitly supported.