Ask Slashdot: Which Is the Safest Router?
MindPrison writes: As ashamed as I am to admit it -- a longtime computer user since the Commodore heyday, I've been hacked twice recently, and that has seriously made me rethink my options for my safety and well-being. So I ask you, dear Slashdot users, from one fellow longtime Slashdotter to another: which is the best router for optimal safety today?
The unplugged one.
That's optimal safety, and minimal usability.
Your question is ill-defined anyway.
Not trying to be overly pedantic here, but do you mean firewall? Routers aren't necessarily security devices.
"Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
A "secure" router won't help you. What does "hacked twice recently" actually mean?
https://www.ubnt.com/edgemax/e...
Just a happy customer. Firewall, VLANs, scheduling, logging, etc. Can't beat the price either.
In my opinion the safest router is one that can continuously be updated with the latest patches. About a year ago I used an Ars Technica guide to building your own router (link below). I ordered a very inexpensive mini PC from China with four 1-gigabit ports and put Ubuntu on it. You can set it up to auto-update, but I do it manually. Every week I log in, and Ubuntu tells me at login whether there are any updates, and whether any are related to security.
Besides being a much better performing router with full firewall capability, and having just about any feature you want available as packages to download and install, it is on the bleeding edge of security updates.
https://arstechnica.com/gadgets/2016/04/the-ars-guide-to-building-a-linux-router-from-scratch/
one to which you have the source code:
https://www.dd-wrt.com/site/index
OPNsense, a fork of pfSense, which is a fork of m0n0wall. It is based on HardenedBSD, with a ton of additional security extensions not available in normal FreeBSD or pfSense.
But really, security isn't just one device. Secure ALL of your shit.
I chose it mainly for security. As a former Google engineer, I feel that Google's security expertise is top notch.
...as long as you put OpenWrt on it.
Slashdot, fix the reply notifications... You won't get away with it...
I am also networking and programming savvy, but I always assumed good hacking jobs would go unnoticed. What tipped you off to being hacked, and do you allow admin login to your router from the WAN side? I'm generally aware that is the most likely attack vector. Thanks for any info.
The truth is, nothing is secure unless you can educate yourself a little bit. However, if time to do so is not a problem, the device most secure against remote hacking is probably something running OpenBSD on some single-core CPU ancient enough to be immune to stuff like the recently discovered Spectre/Meltdown vulnerabilities.
pfSense running on WANBOX...
pfSense because it's open source and free and "just works". WANBOX because it's reliable and supports AES-NI crypto onboard.
Mike @ The Geek Pub. Let's Make Stuff!
Can get one for $200 or less if you shop around
This is what I did. HOWEVER, you are misrepresenting the cost, as you must also get a license and a support contract to keep it up to date.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
A Netgate SG-1000 if you want a packaged solution;
https://www.netgate.com/soluti...
Else load up pfSense on an old PC, or search eBay for pfSense... You'll also find repurposed appliances from other people loaded with pfSense.
Fast so it can support a quality VPN.
Then have a computer just for "internet" on it as the only computer on the network.
An OS some bookmarks and what apps are needed.
Have all long term data well away from any networked computer.
Find a fast router with a good CPU that can support the best VPN protection.
Make sure the loss of the VPN will not revert to any ISP IP.
Should any malware get into a computer, they get nothing. Some bookmarks, some productivity apps.
Everything can be restored and be back online quickly.
Stay away from Wi-Fi and big-brand devices with "helpful" always-on microphones and webcams.
Domestic spying is now "Benign Information Gathering"
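The "loss of the VPN will not revert to any ISP IP" step above is a firewall invariant, not a VPN-client setting. As an added example that is not part of the comment above or the original post, here is a small POSIX shell script that emits an nftables ruleset for a Linux host with that property (default-drop on the output hook, with the only permitted exits being the tunnel interface and the tunnel's own UDP endpoint), plus a check that the generated text actually keeps the invariant. The interface names (eth0, wg0), the endpoint 203.0.113.5 and port 51820 are assumptions chosen for the example; substitute your own.

```shell
#!/bin/sh
# Added example, not from the original page: VPN "kill switch" as an
# nftables ruleset. Assumptions: the uplink is $1, the tunnel is $2,
# the VPN server is $3:$4 over UDP, and the uplink gets its address
# via DHCP. IPv6 on the uplink is deliberately not allowed at all,
# so nothing can leak around an IPv4-only tunnel.
gen_killswitch() {
    ks_wan=$1       # physical uplink, e.g. eth0 (assumption)
    ks_vpn=$2       # tunnel interface, e.g. wg0 or tun0 (assumption)
    ks_host=$3      # VPN server address (assumption)
    ks_port=$4      # VPN server UDP port (assumption)
    cat <<EOF
table inet killswitch {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        # DHCP offers/acks on the uplink so the link itself stays up
        iifname "$ks_wan" udp sport 67 udp dport 68 accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        ct state established,related accept
        # the only thing allowed out of the uplink is the tunnel itself
        oifname "$ks_wan" ip daddr $ks_host udp dport $ks_port accept
        oifname "$ks_wan" udp sport 68 udp dport 67 accept
        # everything else must leave through the tunnel interface
        oifname "$ks_vpn" accept
    }
}
EOF
}

# Check the generated text: the output chain must default to drop and
# must not contain a blanket accept on the physical uplink. Returns 0
# when the invariant holds, 1 otherwise.
check_killswitch() {
    ck_rules=$1
    ck_wan=$2
    printf '%s\n' "$ck_rules" | grep -q 'chain output' || return 1
    printf '%s\n' "$ck_rules" | awk '/chain output/,/^    }/' \
        | grep -q 'policy drop' || return 1
    if printf '%s\n' "$ck_rules" | grep -q "oifname \"$ck_wan\" accept"; then
        return 1
    fi
    return 0
}

# Usage (run as root): gen_killswitch eth0 wg0 203.0.113.5 51820 > /etc/nftables.conf
#                      nft -f /etc/nftables.conf
```

Because the table is family `inet`, the drop policy covers both IPv4 and IPv6, which is what closes the usual leak: a tunnel that only carries IPv4 while the ISP hands out a routable IPv6 prefix. Test the result from the host itself by bringing the tunnel down and confirming that `curl` to an external address times out rather than succeeding.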
Unless you are talking about your netgear or dlink box getting back doored, I think you are looking in the wrong places.
Any NAT device is sufficient.
Patch all your stuff
Don't download crap
Don't execute the crap you download
Don't play web games
Don't use Internet Explorer
Uninstall Flash
Uninstall Java
If you are really looking for a good firewall, go grab a little pfSense box from Netgate. But I think you have many other places to look at first.
I've heard good things about Cisco very recently. They put out a lot of fixes.
They constantly update, and then made it skinny. In fact, I wish I had a couple of features back. However, it does a decent security job.
I prefer the "u" in honour as it seems to be missing these days.
A self-made/installed Linux box is probably the least secure solution for most people. Unless you really know how to secure and lock down your Linux box AND keep it up to date on a weekly basis, your "router" is far from secure. There are few people who really know what they're doing in this domain.
This is why OpenBSD was created. Out-of-the-box security, time between remote exploits measured in years, and a firewall is part of the default install. Yes, it still needs patches, but one is starting from a far, far better place than Linux.
If all you need is a router there are plenty and they're mostly safe because they don't do much.
If you need a NAT gateway, an intrusion prevention system, etc., now you're talking firewalls.
Firewalls are MUCH more difficult to get right.
Even Cisco just got dinged today (2018-05-17) for having a fixed-password backdoor in some enterprise-level hardware.
If your goal is to spend less than $200 then you will not be getting anything worth describing as "secure". Go to your nearest Walmart, Safeway, ACE, or whatever, and buy the feature set you want, knowing you'll need to do regular firmware upgrades and these will always be BEHIND the hacker curve. The companies selling "commodity" or "small business" products don't do research to break their stuff. They just sell as cheaply as possible.
If your budget allows some latitude, check out the Juniper SRX series. They'll do what you want and thus far are considered great.
If your budget is limitless, Palo Alto Networks or Fortigate.
Again - router just moves IP packets and this can be done by a cellphone running Android.
Firewall, however, includes inner/outer networks, NAT, forwarding rules, possibly packet inspection, and a higher layer of security.
Good luck! This is a quest LOTS of people are on!!
Ehud
Tucson AZ
Please don't advertise NAT as security. NAT just allows allocation of non-routable addresses and has a convenient by-default side effect of denying all incoming traffic. In IPv6, you want to just use access lists rather than NAT, and NAT should die in a fire from being terribly overused. Lots of people have this idea that NAT is "secure" and access lists aren't, and put NAT in places where it really has no business. It's a very bad rumour that causes people to think that public addresses themselves are *insecure* and that we need to break end-to-end for security. Leads to many issues. NAT has its place, but it isn't fu^%%*ing everywhere.
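The point in the comment above, and the "any NAT device is sufficient" and build-your-own-Linux-router comments earlier in the thread, come down to the same thing: the protection people credit to NAT is really a stateful forward filter that denies new inbound connections, and you get it on IPv6 without any address translation. As an added example that is not from any commenter or project on this page, this POSIX shell script emits a dual-stack nftables ruleset for a Linux router (IPv4 masqueraded, IPv6 routed end-to-end but filtered by connection state) next to the weak variant that results from adding IPv6 to a NAT-only setup and leaving the forward chain at its accept default, with a check that tells the two apart. Interface names eth0 (WAN) and eth1 (LAN) and the commented-out 2001:db8::10 host are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original page. Assumptions: $1 is the
# WAN interface, $2 is the LAN interface, the router runs its own
# DNS/DHCP for the LAN and is managed over SSH from the LAN only.
gen_router_rules() {
    rt_wan=$1   # e.g. eth0 (assumption)
    rt_lan=$2   # e.g. eth1 (assumption)
    cat <<EOF
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        # ICMPv6 is mandatory for IPv6 to work at all (ND, RA, PMTUD)
        meta l4proto ipv6-icmp accept
        meta l4proto icmp accept
        # DHCPv6 client replies on the uplink; management and local services from the LAN
        iifname "$rt_wan" udp dport 546 accept
        iifname "$rt_lan" tcp dport 22 accept
        iifname "$rt_lan" udp dport { 53, 67 } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # LAN hosts may originate connections in either address family
        iifname "$rt_lan" oifname "$rt_wan" accept
        # ICMPv6 errors and echo must still traverse: there is no NAT to hide behind
        iifname "$rt_wan" meta l4proto ipv6-icmp accept
        # Deliberately exposed IPv6 services are listed explicitly, e.g.
        # iifname "$rt_wan" ip6 daddr 2001:db8::10 tcp dport 443 accept
    }
}
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "$rt_wan" masquerade
    }
}
EOF
}

# The weak variant: IPv4 "protected" by masquerade, forward chain left
# at policy accept, so every IPv6 host on the LAN is reachable from the
# WAN on every port. This is what "NAT is my firewall" becomes once the
# ISP delegates an IPv6 prefix.
gen_weak_rules() {
    wk_wan=$1
    cat <<EOF
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy accept;
    }
}
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "$wk_wan" masquerade
    }
}
EOF
}

# Check: the forward chain must default to drop (the table is family
# inet, so that covers IPv6 too), and there must be no ip6 nat table.
# Returns 0 when the ruleset passes, 1 otherwise.
check_router_rules() {
    ck_rules=$1
    printf '%s\n' "$ck_rules" | awk '/chain forward/,/^    }/' \
        | grep -q 'policy drop' || return 1
    if printf '%s\n' "$ck_rules" | grep -q '^table ip6 nat'; then
        return 1
    fi
    return 0
}

# Usage (run as root): gen_router_rules eth0 eth1 > /etc/nftables.conf
#                      nft -f /etc/nftables.conf
```

Note that the accept rule for new connections is keyed on `iifname "eth1" oifname "eth0"`, not on whether an address is private: on the IPv6 side every LAN host has a global address, and the filter still only lets connections that the LAN originated (plus whatever you list explicitly) cross the router. Verify from an outside host with `nmap -6` against a LAN address before trusting it.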
I've had Apple AirPorts up and running, more than a dozen, since they first came out, with newer ones over the years. Never had a problem. Excellent security. The fact that they are no longer being sold just means the price is cheaper; they're still excellent hardware and software.
My current setup: OpenWrt on Turris Omnia. I've disabled the Turris internal Wi-Fi module (and installed a 4G PCIe LTE modem for a fallback connection), and I'm using TP-Link PoE wireless access points throughout my house. TP-Links are pretty well maintained, support VLANs, and don't have any extra fluff.
Turris MOX is an upcoming project that will make it even easier.
UBNT routers and access points are crap. They are utterly dependent on their "central management" which you quite often do NOT want and which is dependent on their cloud services.
Don't spread FUD. You can run their management controller (which totally rocks by the way) on any Windows or Linux PC for free or on a small appliance they sell for less than $100. After you've configured them you never have to run the controller again unless you want to change something.
My main router was a Netgear running OpenWrt for years. They lagged behind in updates. Another group picked up where they left off and started the LEDE Project. Now the two projects have merged again.
They provide updates regularly now, and it is very customizable.
Highly recommended. Just pick a router that is explicitly supported.
2bits.com, Inc: Drupal, WordPress, and LAMP performance tuning.
I can only imagine that you had a frustrating experience with one product and mistakenly assumed that all of the company's other products work the same way. My EdgeRouter works rather well, and has never required any centralized or cloud management of any kind. I usually manage it via ssh.
If you visit a security conference, you will find that most of the attendees are using Chromebooks. They are much more secure than your typical Windows or Apple device. Another issue people often have is that they reuse the same password for multiple services. One of the services gets compromised, and the attackers use your credentials to access your email account, and thus other services. Set a unique password for each account. Save those passwords in a password manager. Enable the two-factor authentication feature on your email account. Firewalls will not protect you against modern threats. Antivirus will only protect you against some of the modern threats. I also suggest you consider taking an internet security class, to avoid common pitfalls. Most modern issues can be avoided by educating yourself against common attacks, which often involve social engineering.
In any scenario there are explicit facts and implied facts. The explicit fact in this scenario is that the asker was hacked twice. The implied fact, from the question, is that one or both were related to his router. Turning that around on the asker questions his competence to ask the question, and is an arrogant assertion that your mere assumption that he likely doesn't know what he's talking about is more probable than the poser's clear implication in the question that the router is pertinent to the discussion.
There are some Ask Slashdot questions where the implied facts are inherently inconsistent with the question being asked. In cases like that, go to town pointing it out. This here, however, is pretty open and shut and the asker deserves deference in his scenario. In general all implied facts should be assumed to be in favour of the poser of the question knowing what he's talking about.
In short, and I'm going to bold this so you can refer back to it, unless there is an overwhelming reason not to, either answer the question asked or exercise your constitutional right to remain silent.
That's the thing... The security guys I talked to at work think I've been targeted by something other than script kiddies; they mention that I've just been unfortunate to be attacked, that someone out there thinks I've got something serious to hide, and that they've tried LONG to get to it, so the better you are at "hiding" whatever you're hiding, the more interest you're going to attract.
So I'm thinking - maybe I should just let the damn fools in :/
Anyway, I realize that my information was a bit sparse, so I'm reposting what I've posted in a lot of places in here, just as a "thank you" to all who replied and suggested:
Well, I guess I was a little tired, and provided too little information, but I can explain why I kept it short.
I talked to some of the security guys at work (I work at a HUGE worldwide company; I can't disclose which for obvious reasons), and I told them a detailed story, which I didn't tell you.
They came to the conclusion that the root of my problems was that I used an unsafe router that had been infected, and that the attackers had most likely infected my router and somehow upgraded it with malicious firmware. Therefore they came to the conclusion that I should go and get a much safer router. So my first instinct, tired and a little stressed from it all, was to ask you. I'm not in my 20s anymore, and I'm not as up to code about the hacking possibilities and vulnerabilities as I once rightfully was for my time. Today, I know next to nothing compared to you guys.
The first time I got hacked:
Firefox 54: I was visiting a page to get some schematics for some home-made remote control system, and I noticed that the browser had all of my CPU threads busy, and the computer became oddly sluggish. I had NoScript installed, an ad blocker, and my Windows 10 was up to shape with the latest Defender database plus the latest updates I could possibly download; I always update immediately when it suggests an update.
I immediately wanted to force-stop Firefox, so I went to the task bar and looked at the processes. Oh my goodness, several instances of Firefox (hidden windows/popups that aren't immediately visible?) were running, and it was creating more as I watched. I ended up killing all processes and ran anti-malware software (well, Windows Defender with the latest definitions), and it came out clean, or so I thought.
Went to bed, and got woken up by my phone with several warnings from my various social media telling me that someone was posting from a different IP address than I normally used. I got out of bed and panicked.
I immediately changed ALL passwords to hideously long random letter passwords on ALL my services, and went for two factor-authentication on everything I could.
This stopped the attack on my personal accounts.
Thinking it all was over and safe, 3 weeks went by, and all of a sudden, when I was working with something on my Linux partition, the computer crashed hard, and it rarely ever does that.
After that crash, the BIOS (or boot menu) was completely garbled. Interestingly enough, so was the BIOS on my second computer, which was 10 years old, and my new work computer was only a few years old, but with relatively fresh installations of both Linux (on M.2 NVMe storage) and Windows 10 on a normal SSD, totally separated from each other (well, needing 2 different boot menus to access each one).
I took a memory dump of the entire BIOS, and found that the raw graphics area contained assembly code where it should be an image (you can look at the image with a raw-data image browser/raw graphics dump; it won't look like a clean image, but you can see that there is image data there).
What I did is that I reflashed the BIOS with the help of a separate hardware switch (my mainboard has two BIOSes, totally hardware-separated with a switch), and looking at the manufacturer's homepage, they already knew that their BIOS had been compromised, so they provided a beta patch with ME m
What this world is coming to - is for you and me to decide.