Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: Which Is the Safest Router?

Posted by BeauHD on from the safety-first dept.

MindPrison writes: As ashamed as I am to admit it -- a longtime computer user since the Commodore heydays, I've been hacked twice recently and that has seriously made me rethink my options for my safety and well-being. So, I ask you dear Slashdot users, from one fellow longtime Slashdotter to another: which is the best router for optimal safety today?

32 of 386 comments (clear)

  1. The safest router is... by Anonymous Coward · · Score: 3, Insightful

    The unplugged one.
    That's optimal safety, and minimal usability.
    Your question is ill-defined anyways.

    1. Re: The safest router is... by benedictaddis · · Score: 4, Informative

      I like Draytek routers. They have decent security and get updates for years, at a price thatâ(TM)s not cheap but not crazy either. If cost is an issue, install OpenWRT on any old router.

    2. Re: The safest router is... by saloomy · · Score: 5, Informative

      I like using Linux boxes with packet-forwarder turned on in the kernel, and using either IPTables or firewalld, depending on your flavor. I then use my "router" to serve me web content and handle my VPN for me while I'm away from home. Oh, and I would highly recommend something like this: tiny PC with multiple 1GB NIC ports, Wifi, BT, etc... so you can have a WAN and a LAN port. It is easier to configure it this way.

    3. Re: The safest router is... by misnohmer · · Score: 5, Interesting

      A self made/installed Linux box probably the least secure solution for most people. Unless you really know how to secure and lock down your Linux box AND keep it up to date on weekly basis, your "router" is far from secure. There are few people who really know what they're doing in this domain. Just because you can't hack it, doesn't mean it's safe. Misconfiguration is the most common cause for security holes (do you really know each and every piece of software you have running on it, every kernel module, driver, server, etc?), but even if you do manage to lock it down, security vulnerabilities in Linux and other open source software that Linux uses are discovered all the time and need to be patched fast as scripts exploiting them come just as fast. It's a full time job to keep a Linux box secured on the open internet.

    4. Re:The safest router is... by Waffle+Iron · · Score: 3, Funny

      The unplugged one.

      Not necessarily.

      You should always follow safety practices appropriate for each type of tool.

    5. Re: The safest router is... by WindBourne · · Score: 4, Insightful

      Wrong. Worst would be any windows solutions. Linux starts in a fairly secure and most are minimalist fashion. However, misconfigure and behind on updates can change that quickly. Just like on any router.

      --
      I prefer the "u" in honour as it seems to be missing these days.
    6. Re: The safest router is... by arglebargle_xiv · · Score: 5, Funny

      It's a bit of a personal-taste thing, but I rather like my Bosch 1617EV. I've also heard good things about the Porter-Cable 690LR. Neither have ever been hacked, to the best of my knowledge.

    7. Re: The safest router is... by Chrontius · · Score: 3, Insightful

      So what the fuck do I give my 98 year old grandfather?

      I'm going to be blamed for any failures, including the failure to deliver a solution in a timely fashion.

  2. PEBCAK by sexconker · · Score: 5, Informative

    A "secure" router won't help you. What does "hacked twice recently" actually mean?

    1. Re:PEBCAK by Anonymous Coward · · Score: 5, Insightful

      This is a critical question - in what way was your system compromised? What vulnerability was exploited that allowed someone to access your machine? No single firewall or router can prevent all forms of compromise.

    2. Re:PEBCAK by Excelcia · · Score: 5, Informative

      How about you stop being pedantic on what the background information means, and either helpfully answer the (fairly easy to understand) question or decide you have nothing useful to add to the conversation and not try to. The people who think they are clever by second guessing Ask Slashdot questions get rather annoying in short order.

      I actually came to this question with some amount of actual curiosity. I used to build Linux firewalls for small businesses. This was back before routers were appliances. When NAT was still "IP Masquerading" on Linux, and it was actually a dirty word because it let you "share" internet connections when the early cable modem providers wanted to sell you an IP address for every computer using the connection. I moved on to process control and automation work, project management, and then switched tracks into the Navy. What relevance is that? The point is, there are lots of people like me who had at one point been heavily invested in the current state of the art who, for some years, haven't had the time or resources to follow current best practices. Ask Slashdot questions like these are actually helpful to those of us who would like the benefit of the experience of those who are still up on the state of the art.

      When you, and those like you, roll in with your clever meta-answers, it helps no one. You and (especially) the five moderators who upvoted your post as "informative" should hang your heads in collective shame.

    3. Re:PEBCAK by gweihir · · Score: 3, Insightful

      The answer is that the wrong question is being asked. Any other answer is less than helpful and may prompt the one asking the question to continue down the wrong road to solve this problem. The second part of the answer is to ask how this person was actually hacked. Very likely, he did some not-too smart thing and needs to stop doing that in order to solve his problem.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    4. Re:PEBCAK by strikethree · · Score: 4, Informative

      While I appreciate your view, there are a few thigns you should be aware of:

      This is Slashdot. Much of the original crowd is pedantic for a reason. The original poster is indeed asking about routers and some people have answered that question directly. Sexconker has identified, correctly, that Mindprison is wanting to not get hacked.

      It is clear that Mindprison is under the impression that a secure "router" would help him not get hacked; however, if that it not what got Mindprison hacked, a more secure router will not help. Sexconker is trying to get to the root of the problem so that actual help can be delivered. Mindprison could buy a recommended router and STILL end up being hacked again. So how would just casually recommending a secure router help in this instance?

      As numerous other folks have pointed out, a router is not defined strictly as a security device. Slashdot has many network and security engineers in its ranks. I am one of them. My first line of thought went exactly as Sexconker's did: How can I actually help this person when they did not fully and accurately, using technical language, explain their problem? So he asked a question that many of us were thinking. (I think Sexconker is a he, I am actually unsure and it really doesn't matter).

      Denigrating him and the mods who modded him up (I was not one as I rarely read Slashdot while logged in anymore) is not terribly useful in this situation. To complicate matters even more, your minor tirade is actually an appropriate response sometimes, but this was not one of those times. Just keep reading other comments and you will still get the immediate type of response that you and Mindprison were looking for.

      Honestly though, Mindprison should have responded to Sexconker's question because then, the actual problem could be identified and addressed.

      --
      "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
    5. Re:PEBCAK by MindPrison · · Score: 5, Informative

      Well, I guess I was a little tired, and provided too little information, but I can explain why I kept it short.

      I talked to some of the security guys at work (I work at a HUGE world wide company, I can't disclose who for obvious reasons), and I told them a detailed story, which I didn't tell you.

      They came to the conclusion that the root of my problems was that I used an unsafe router that has been infected, and that the attackers had most likely infected my router and somehow upgraded it with malicious firmware. Therefor they came to the conclusion that I should go and get a much safer router. So my first instinct, tired and a little stressed from it all - was to ask you. I'm not in my 20s anymore, and I'm not as up to code about the hacking possibilities and vulnerabilities as I once was rightfully for my time. Today, I know next to nothing compared to you guys.

      The first time I got hacked:

      Firefox 54: I was visiting a page to get some schematics for some home made remote control system, and I noticed that the browser had all of my CPU threads busy, and the computer became oddly sluggish. I had No-Script installed, ad-blocker and my windows 10 was up to shape with the latest defender database plus latest updates I could possibly download, I always update immediately when it suggests an update.

      I immediately wanted to force stop Firefox so I went to the Task Bar and looked at the processes, oh my goodness - several instances of firefox (hidden windows /popups that aren't immediately visible?) was running, and it was creating more as I watched. I ended up killing all processes, and ran anti malware software (well, windows defender with the latest definitions) and it came out clean, or so I thought.

      Went to bed, and got woken up by my phone with several warnings from my various social media telling me that someone is posting from a different IP address than I normally used, I got out of bed and panicked.

      I immediately changed ALL passwords to hideously long random letter passwords on ALL my services, and went for two factor-authentication on everything I could.

      This stopped the attack on my personal accounts.

      Thinking it all was over, and safe - 3 weeks went by, and all of a sudden when I was working with something on my Linux partition, the computer crashed hard, and it rarely ever does that.

      After that crash, the Bios (or boot menu) was completely garbled. Interestingly enough, so was the bios on my second computer, which was 10 years old, and my new work computer was only a few years old, but with relatively fresh installations of both Linux (on an M.2. NVMe storage) and Windows 10 on an normal SSD storage, totally separated from each other (well, needing 2 different boot menues to access each one).

      I took a memdump of the entire bios, and found that the raw graphics area contained assembly code whereas it should be an image (you can look at the image with raw data image browser/raw graphics dump, it won't look like a clean image, but you can see that there is image data there).

      What I did, is that I reflashed the bios with the help of a separate hardware switch (my mainboard has two bioses, totally hardware separated with a switch), and looking at the manufacturers homepage, they already know that their bios had been comprimised, so they provided a beta patch with ME microcode included as well.

      I told this story to our security guys, and they said the same as someone else in this thread, someone thinks you have something to hide, and they're not script kiddies, you've been targeted - I suggest you start with a badass router, and take it from there, disable all server services in win 10 + remote services like remote registry etc.

      I don't know that much about windows 10. But that's all I know for now. Appreciate all the feedback , you wonderful Slashdotters!

      --
      What this world is coming to - is for you and me to decide.
  3. Ubiquiti EdgeRouter X by thebes · · Score: 4, Informative

    https://www.ubnt.com/edgemax/e...

    Just a happy customer. Firewall, VLANs, scheduling, logging, etc. Can't beat the price either.

    1. Re:Ubiquiti EdgeRouter X by aaarrrgggh · · Score: 4, Informative

      Have several and do like them, but buyer beware that you actually need to configure it to be secure and it is just an iptables firewall. The Unifi Security Gateway is supposedly going to offer some intrusion protection services, but I am not aware of the details.

  4. safest by Anonymous Coward · · Score: 4, Insightful

    one to which you have the source code:
    https://www.dd-wrt.com/site/index

    1. Re:safest by Zmobie · · Score: 5, Informative

      one to which you have the source code:
      https://www.dd-wrt.com/site/in...

      This AC is exactly right actually. If you don't want to deal with some god awful proprietary firmware or go commercial grade, pick up a Netgear router with good hardware and load DD-WRT on it. Been using it for years and it is the best decision I ever made for my home setup.

  5. OPNsense by darkain · · Score: 5, Informative

    OPNsense, a fork of pfSense, which is a fork of m0n0wall. It is based on Hardended BSD, with a ton of additional security extensions not available in normal FreeBSD or pfSense.

    But really, security isn't just one device. Secure ALL of your shit.

  6. Google wifi by buck68 · · Score: 5, Funny

    I chose it mainly for security. As a former Google engineer, I feel that Google's security expertise is top notch.

    1. Re: Google wifi by schklerg · · Score: 3, Funny

      As someone who is aware of Googles tracking preferences, I would say you are an idiot, but that's because my definition of safety includes privacy. Bsd based anything

      --
      Be Excellent To Each Other
  7. Any router... by hcs_$reboot · · Score: 4, Interesting

    ...as long as you put OpenWrt on it.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  8. pfSense on WANBOX by MikeDataLink · · Score: 4, Interesting

    pfSense running on WANBOX...

    pfSense because its open source and free and "just works". WANBOX, because its reliable and supports AES-NI crypto onboard.

    --
    Mike @ The Geek Pub. Let's Make Stuff!
  9. Netgate by bferrell · · Score: 3, Informative

    A Netgate SG-1000 if you want a packaged solution;

    https://www.netgate.com/soluti...

    Else load up PfSense on an old PC or search ebay for pfsense... You'll find also repurposed appliance from other people loaded with PfSense.

  10. Barking up the wrong tree? by danlor · · Score: 5, Interesting

    Unless you are talking about your netgear or dlink box getting back doored, I think you are looking in the wrong places.

    Any NAT device is sufficient.
    Patch all your stuff
    Don't download crap
    Don't execute the crap you download
    Don't play web games
    Don't use internet explorer
    uninstall flash
    uninstall java

    If you are really looking for a good firewall, go grab a little pfsense box from netgate. But I think you have many other places to look at first.

  11. Heard good things about Cisco lately by DeVilla · · Score: 3, Funny

    I've heard good things about Cisco very recently. They put out lot of fixes.

  12. OpenBSD not Linux by drnb · · Score: 4, Informative

    A self made/installed Linux box probably the least secure solution for most people. Unless you really know how to secure and lock down your Linux box AND keep it up to date on weekly basis, your "router" is far from secure. There are few people who really know what they're doing in this domain.

    This is why OpenBSD was created. Out-of-the-box security, time between remote exploits measured in years, and a firewall is part of the default install. Yes, it still needs patches but one is starting from a far far better place than Linux.

    1. Re:OpenBSD not Linux by drnb · · Score: 3, Insightful

      The Linux kernel is really just as secure as an OpenBSD kernel. You can also easily configure a distro with the exact same services and no more that would run on a default OpenBSD install.

      As the GP pointed out, Linux distros need a bit of reconfiguration and expertise to do so. This is a common point of failure in the Linux based approach.
      In contrast, OpenBSD's default configuration is minimal, just enough to do those core infrastructure systems like a router/firewall.

      The problem is the human, not the kernel, which is why OpenBSD is often considered far superior for this specific task, a router/firewall. Few opportunities for human based errors.

  13. Routers, firewalls, and IPS oh my by gavron · · Score: 3, Informative

    If all you need is a router there are plenty and they're mostly safe because they don't do much.
    If you need a NAT gateway, Intrusion Protection System, etc. Now you're talking firewalls.
    Firewalls are MUCH more difficult to get right.

    Even Cisco just got dinged today (2018-05-17) for having a fixed-password backdoor in some
    enterprise-level hardware.

    If your goal is to spend less than $200 then you will not be getting anything worth describing
    as "secure". Go to your nearest Walmart, Safeway, ACE, or whatever, and buy the feature
    set you want, knowing you'll need to do regular firmware upgrades and these will always be
    BEHIND the hacker curve. The companies selling "commodity" or "small business" products
    don't do research to break their stuff. They just sell as cheaply as possible.

    If your budget allows some latitude, check out the Juniper SRX series. They'll do what you
    want and thus far are considered great.

    If your budget is limitless, Palo Alto Networks or Fortigate.

    Again - router just moves IP packets and this can be done by a cellphone running Android.
    Firewall, however, includes inner/outer networks, NAT, forwarding rules, possibly packet inspection, and a higher layer of security.

    Good luck! This is a quest LOTS of people are on!!

    Ehud
    Tucson AZ

  14. OpenWRT on Turris Omnia by Cyberax · · Score: 3, Insightful

    My current setup: OpenWRT on Turris Omnia. I've disabled Turris internal WiFi module (and installed a 4G PCIe LTE modem for a fallback connection) and I'm using TP-Link PoE wireless access points throughout my house. TP-Links are pretty well maintained, support VLANs and don't have any extra fluff.

    Turris MOX is an upcoming project that will make it even easier.

  15. Re:UBNT is CRAP by MikeDataLink · · Score: 4, Informative

    UBNT routers and access points are crap. They are utterly dependent on their "central management" which you quite often do NOT want and which is dependent on their cloud services.

    Don't spread FUD. You can run their management controller (which totally rocks by the way) on any Windows or Linux PC for free or on a small appliance they sell for less than $100. After you've configured them you never have to run the controller again unless you want to change something.

    --
    Mike @ The Geek Pub. Let's Make Stuff!
  16. OpenWRT/LEDE by kbahey · · Score: 4, Informative

    My main router was a Netgear running OpenWRT for years. They lagged behind in updates. Another group picked up where they left, and started the LEDE Project. Now the two projects have merged again.

    They provide updates regularly now, and it is very customizable.

    Highly recommended. Just pick a router that is explicitly supported.

    --
    2bits.com, Inc: Drupal, WordPress, and LAMP performance tuning.