Router Security: About This Site
I used to be like you. That is, I would buy a router, it would work fine and I would ignore it for years. As Nathan Kirsch wrote recently, "routers are the woeful wallflowers of computer components that are usually forsaken after the initial setup, only to be brought out for some violent shaking or tapping whenever the WiFi signals are unstable".
My first wake-up call came at the end of 2011 with the disclosure of the security flaw in the design of WPS. The router I was using at the time was so old, it pre-dated WPS, so I felt safe. But, router flaw after flaw seemed to be in the news and eventually one, having to do with HNAP, hit home. This, finally, sent me in search of a new, more secure router.
Since all consumer routers support WPS, I was in new territory; that is, the time had come to step up in class. But to what?
The only business class router that I had experience with was a Peplink Balance 20. It cost about $300 and didn't do WiFi. Its claim to fame was handling multiple concurrent Internet connections, load balancing and failing over between them. But I had only a single ISP and wanted WiFi.
It turned out that Peplink had recently introduced a low-end router called the Pepwave Surf SOHO that did WiFi and sold for far less than the Balance 20. So, I tried it, liked it and have been a happy customer ever since. The funny thing is, Peplink doesn't focus on security at all. For example, for quite a while, the best WiFi encryption option on the Surf SOHO was a combination of WPA and WPA2; you could not opt for WPA2 exclusively (this has since changed). But, they don't support WPS and, unlike consumer routers, Peplink cares about their software.
Before I gave up on consumer routers, I would recommend Asus to people I knew. Then one day I tried to remotely administer an Asus router and was presented with an error message that made no sense. This was unacceptable. The router was in the home of a client and its failure reflected on me. Even ignoring security issues, for many of us, Internet access is important. We need the router to work flawlessly and this Asus was buggy.
An important lesson that I've learned is that when you buy a consumer router you are buying the hardware. When you buy a business class router, you are buying the software. Companies like Peplink sell the software capabilities of their routers, not the hardware. With consumer routers the goal is to provide the software as cheaply as possible. That's not good Defensive Computing. It's the software that either makes you secure or vulnerable.
If nothing else, I hope this site convinces you not to use a consumer router, and by the way, not to use hardware provided by your ISP. No need to listen to me, just take a look at the router bugs page and decide for yourself.
The configuration advice offered here is geared towards home routers. I have almost no experience configuring higher-end devices from vendors like Sonicwall, Fortinet, WatchGuard, Sophos or Check Point. These devices do so much more than a home router that they fall into another category entirely - Unified Threat Management (UTM) and/or Next-Gen Firewall (NGFW) devices.
As noted on the home page, this site has no ads. It's a public service from me, Michael Horowitz. I am the sole author and developer.
I started this site at the end of January 2015 and it is still incomplete. I update it as time allows. It's like a hobby.
The site grew out of a talk I gave on Securing a Home Router in July 2014 at the HOPE (Hackers on Planet Earth) conference. A PDF of the slides is available. Thanks to 2600, audio of the talk is also available. An article about the talk appeared in Tom's Guide.
FIXING ROUTER SECURITY
What might improve router security? No one can force programmers to create fewer bugs. No one can force router vendors to care more about security. But, the documentation can certainly be improved. Here are my suggestions.
Along the same lines, we have "Internet connected devices should be sold with best before dates" by Daniel Aleksandersen (May 2017), who argues:
Would you buy a $200 USD phone or a comparable $205 USD model if you knew the more expensive version would receive software and security updates longer than the cheaper option? ... Today, customers have no idea how to ascertain how long an internet connected product will receive critical updates ... Devices that connect to the internet ... should be sold with best before labels indicating how long customers will receive updates for the device, including firmware and any bundled software.
I am unsure about picking an SSID (network name). Specifically, is it a good thing or a bad thing to try to pick a globally unique name? Of course, you want to change any default network name, but is something like "George" better or worse than "George89er38-abc2739qwerty123"? My fear with a long unique SSID is that a search engine like SHODAN can pick it out easily. It may be safer to be lost in the crowd.