Router Security: Suggested secure routers
Configuring a router for security can only take you so far. You also need to choose the right router in the first place.
Many people use the device given to them by their Internet Service Provider (ISP), which I think is the least secure option for a number of reasons. Understandably, many non-techies prefer this because they can call their ISP when things go wrong.
Slightly more secure would be a consumer router, but that is not the best option either. To bolster this opinion, see the page on router bugs. It is not an exhaustive list of bugs, but it illustrates the poor state of software on consumer routers.
The most secure option is a business class device or perhaps a pro-sumer model.
Which router do I recommend? The Pepwave Surf SOHO router from Peplink. It is a low-end business class router, not geared to consumers. Its cost has been a fairly consistent $200, which is a bargain for a business grade router, especially one that does Wi-Fi. The user interface is, in my opinion, simpler than that of other business oriented routers. You can see for yourself by kicking the tires of a much higher end Peplink router here. My description of the router, with its pros and cons, is quite long. The Surf SOHO may not be a fit for you, but after reading about it, you should have no doubt whether it meets your needs or not. My only relationship with Peplink is that of a customer.
My second choices would be Gryphon, OPNsense and pcWRT, with the proviso that I have not used any of them. For a few months, I would have recommended the UniFi Dream Machine by Ubiquiti, but no more. There is more on each below.
NOTE: Any router can only be made as secure as its included features allow. For a list of router security features see my Security Checklist.
NOTE: Buying a used router from a stranger (think eBay) can be dangerous, as the firmware may have been maliciously modified. To protect against that, download new firmware using a different router. If possible, switch the firmware entirely; that is, if it came with stock firmware, try switching to DD-WRT, OpenWRT or anything else. Asus owners can switch from Asus firmware to that offered by Merlin.
By "privacy" I am referring to a router not spying on you. In the old days, no routers spied on the network they governed. Now, this is getting harder and harder to find. It is now the rule, rather than the exception, that customers must have an account with the router manufacturer. If the router is in contact with a cloud service from the manufacturer, there is always the chance that someone from the manufacturer can get into the router. Plume is perhaps the ultimate example of monitoring your network, and they are forming partnerships with ISPs.
Then too, there is passive spying; many routers phone home with data about the activity on the LAN they control. The last router that I took a serious look at, the Synology RT2600ac, was disgraceful in this respect. It phoned home to Synology all the time, there is no way to stop it, and Synology cannot be bothered to document what data is being transferred or why. For details, see the section Spying On The Router in my Synology review. In March 2020, I confirmed my earlier tests that Peplink routers do not spy on you at all. You also do not need to have an account with Peplink to use their routers.
Cisco is perhaps the poster boy for Point 1; it seems as if new critical security flaws are found in Cisco router software every month. So many that I have given up even including them in the News page. And these are huge flaws, the type that let remote attackers take full control over vulnerable devices.
Initially, I did not include outbound firewall rules in this list. However, with the January 2020 release of the Cable Haunt vulnerability in Broadcom cable modems, it has become much more important. For my take on Cable Haunt see the Bugs page. In short, if a device on your LAN can access a vulnerable cable modem, then it can attack the modem. If the modem is part of a gateway (combination router/modem), that makes the danger even worse. In the US, we cannot update the firmware on our cable modems; our ISP must do this. Since most ISPs are virtual monopolies, they have no motivation to bother with something that will cost them time and money and that few customers are aware of. So, this vulnerability is likely to remain with us for decades.
The only defense is blocking LAN side access to the modem (it is usually available at IP address 192.168.100.1). There are two ways to do this. The hard way is defining a custom route in the router, something many routers do not support. The easier way is to block IP address 192.168.100.1 with an outbound firewall rule. Again, many routers do not offer outbound firewall rules. The Pepwave Surf SOHO, that I recommend, does support outbound firewall rules and configuring it to block modem access looks like this. I blogged about this back in 2015: Talk to your modem and Using a router to block a modem.
Then too, consider the many stories about how apps are spying on us by sending data to a huge number of third party marketing companies. Here is one such report from January 2020. The report lists some of the common tracker domains used by the apps they examined: ads.mopub.com, sdk-android.ad.smaato.net, googleads.g.doubleclick.net, api.pubnative.net, my.mobfox.com and more. The only way to block apps from spying on you, at least at home, is to have a router that can block domains like this. The Pepwave Surf SOHO can block all access to one sub-domain, by setting DNS to an invalid IP address, or block web access to an entire domain (all sub-domains) with its Content Blocking feature. Or both.
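The two outbound controls described above, blocking the modem's LAN-side address with an ordered firewall rule and blocking either one exact tracker sub-domain or a whole domain with all its sub-domains, modelled in Python as an added example; this is not code from the page or from Peplink, and the rule name, LAN device addresses and the grouping of the tracker domains into the two lists are constructed assumptions.

```python
import ipaddress

# Cable-modem LAN-side address named on the page; rule names and samples are constructed.
MODEM_IP = "192.168.100.1"
# Ordered outbound rules, first match wins, default allow (how most rule tables work).
OUTBOUND_RULES = [("block-modem", ipaddress.ip_network(MODEM_IP + "/32"), "deny")]
# Exact host blocks (the "point DNS at an invalid address" approach: one sub-domain only).
BLOCKED_HOSTS = {"ads.mopub.com", "sdk-android.ad.smaato.net", "googleads.g.doubleclick.net"}
# Whole-domain blocks (Content Blocking: the domain and every sub-domain beneath it).
BLOCKED_DOMAINS = {"pubnative.net", "mobfox.com"}

def ip_allowed(dst):
    """Return (allowed, rule_name) for a destination IP; first matching rule wins."""
    addr = ipaddress.ip_address(dst)
    for name, net, action in OUTBOUND_RULES:
        if addr in net:
            return action == "allow", name
    return True, "default-allow"

def host_allowed(hostname):
    """Return False if the name is a blocked host or sits inside a blocked domain."""
    name = hostname.lower().rstrip(".")
    if name in BLOCKED_HOSTS:
        return False
    labels = name.split(".")
    # Match on label boundaries: "api.pubnative.net" is inside "pubnative.net",
    # but "notpubnative.net" is not (a plain substring test would block it too).
    return not any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))

def blocked_attempts(attempts):
    """Apply both controls to (src, dst) pairs and return what the router would drop."""
    dropped = []
    for src, dst in attempts:
        try:
            allowed, reason = ip_allowed(dst)
        except ValueError:  # not an IP literal, so treat it as a hostname
            allowed, reason = host_allowed(dst), "domain-block"
        if not allowed:
            dropped.append((src, dst, reason))
    return dropped

# Constructed sample of LAN connection attempts (203.0.113.10 is a documentation address).
SAMPLE_ATTEMPTS = [
    ("192.168.1.23", MODEM_IP),             # a LAN device probing the modem
    ("192.168.1.23", "203.0.113.10"),       # ordinary outbound traffic
    ("192.168.1.50", "api.pubnative.net"),  # tracker inside a blocked domain
    ("192.168.1.50", "www.mopub.com"),      # only ads.mopub.com is blocked, not its parent
]
```

Running `blocked_attempts(SAMPLE_ATTEMPTS)` flags only the modem probe and the pubnative lookup; a device that keeps showing up against the modem address is exactly the kind of LAN host worth a closer look.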
Some people only trust Open Source router firmware. For example, at PrivacyTools.io, they recommend OpenWrt, pfSense and LibreCMC. However, they offer no explanation for why these three systems are more secure than anything else. I do not think that all open source is good and all closed source is bad.
Secure defaults are needed because most routers are owned by people with no understanding of networking, and these people should be secure by default. UPnP is an excellent example: it is insecure and enabled by default on every consumer router. WPS should be disabled by default, or better yet, not even available. Wi-Fi encryption should default to WPA2-AES. Etc. etc.
On a related point, if you need to open a port, perhaps to allow for remote control, a router that can limit access to said port by source IP address is almost a necessity.
I have no hands-on experience with Gryphon.
The Gryphon router is a consumer device with many security features. The security features include: parental controls, intrusion detection, an ESET database of dangerous software and a verification of the firmware when first powered on. If the firmware was tampered with, it will not start up. There are three LAN ports, it does not support WPS, it can run a speed test on its own, the software self-updates and administration is done with a mobile app (no web interface). One downside: you must set up an account with Gryphon that includes giving them an email address.
Parents can see the websites kids visit. They claim to block DDoS attacks and monitor IoT devices for unusual network traffic. It should prevent users from clicking on websites with malware and it claims to scan network traffic with antivirus tools. Documentation is sparse. New devices can be blocked from the Internet by default. At least initially, it only offered two SSIDs. With much Parental Control software, kids using a VPN can bypass any restrictions in the router. No review that I have seen addressed this.
HISTORY: Gryphon is a startup based in San Diego. They launched in 2014. They have been on IndieGoGo, Kickstarter and Backerkit. Bloomberg wrote about them in Nov. 2016. Shipping was initially planned for June 2017. In August 2017, shipping was expected in October 2017. In Feb. 2018 they claimed to have "received the first production batch of Gryphons last week and are in the process of shipping them."
PRICING: As of January 2020, a single box cost $210 but it was also sold as a pair for $400. A few Gryphon routers can be combined to form a mesh network. After the first year, owning it costs $99/year. An exception is the parental controls; that feature is free forever. In August 2019 a single Gryphon router was $230 from Amazon.com while their website sold it for $219 new and $189 refurbished. A pair was $400. In Dec. 2018, a single unit was $200 at Amazon and the Gryphon website sold a single unit for $220 and a pair for $420. In Sept. 2018, it cost $240 at Amazon for one unit. In Feb. 2018 pricing at Backerkit was $250 for a single unit and $450 for a pair while pricing at their website was $200 for a single device and $350 for a pair.
REVIEWS: There have been very few reviews of the Gryphon router. In a Sept. 2018 review at Business Insider the author admitted to not being techie enough to evaluate the security of the router. So, why did the company give him a router to review? Could they be afraid of a technical examination? He found the parental controls to be "tedious" but the router was fast. Installation was a pain. A Dec. 2018 review by Brian Nadel at Tom's Guide did not go into much depth. A Jan. 2019 review by John Delaney for PC Magazine said the parental controls were excellent. It is very well reviewed at Amazon.com.
According to a Nov. 2019 review by Brian Walker, Gryphon can block ads and store a browsing history for each device. It does not support VLANs. One way around router controls is to run a VPN and he claims that it can block VPNs. A paid service called Gryphon Homebound (free for 90 days) allows you to block threats and unsafe content from your kids' cellphones even when they are not home. There are no details on how this works.
The second generation Gryphon is called Gryphon Guardian and the first shipments are scheduled for Jan. 2020. Like Eero and Synology, Gryphon seems to be scaling back with their latest generation. The new devices are smaller, probably less powerful and cheaper. The Guardian initially sells for $120.
I have not used a pcWRT router.
The pcWRT router was initially sold for its Parental Controls rather than security. That said, it has had security features added since it was first released back in 2015. One Parental Control feature is the ability to block YouTube videos that are not child-safe. For $129 (Amazon, Feb. 2020) you get dual-band 802.11ac Wi-Fi with Gigabit Ethernet. For $49 you get Wi-Fi N only on the 2.4GHz band and the Ethernet is only 100Mbps. In early 2019, the low end model was $99. There is an online demo of the router interface. The system is based on OpenWrt.
It can create four Wi-Fi networks and there is an option to "Enable WiFi client isolation". The availability of Wi-Fi networks can be scheduled. Privacy is great: no account is needed with the vendor and they say the router does not phone home at all. Support for VPNs is excellent. As per the blog post "A router that talks three VPN protocols", pcWRT supports OpenVPN, IKEv2 and WireGuard, both as a server and a client. It can even configure multiple VLANs and send different VLANs through different VPN connections (or no VPN). Just amazing.
It also does ad blocking using the same technology as Pi-hole. To enable ad-blocking network-wide, just check "Enable Ad Block". You can enable it for some or all profiles. There is a white listing feature for the inevitable overrides, such as when a website will not load without ads being displayed.
A number of DNS providers are pre-set; you can easily choose among them or specify anything of your choice. You have a lot of flexibility in controlling traffic: you can allow or block a URL, a subdomain, a domain, a certain port on a domain, a port, or a port for a specific protocol. More here: How to allow or block web sites on the router. Devices using the router can be assigned to profiles, and each profile can use different DNS servers and have a custom black or white list of domains. It seems that you could define a profile for a child with a white list that only allows them access to a small number of approved domains. It can even block just a section of one website. The example they give is
It logs the blocked domains and also has a summary report of blockage.
The router lets you create a backup of the current configuration to a file. You can either be emailed when new firmware is available or the pcWRT can automatically update itself. An interesting blog post from the company, "How to use your router to block smart TV snooping", talks about the VLAN feature, watching the domains a smart TV talks to and then limiting the domains it is allowed to communicate with. The routers offer their own free DDNS service that provides you with a hostname on the pcwrt.net domain.
Like many other routers, it can block pings from the WAN side. It also has a stealth mode, and I am not clear what that is or does.
The website says nothing about who created the router, and there is no Contact Us page either. All communication is via a Forum. Documentation is mostly in the blog on the website. There is also a 5 page pcWRT Parental Control Router User's Guide. They have good release notes and a history of firmware releases.
I have no hands-on experience using routers from DrayTek, but the company seems to be similar to Peplink, in that their products are clearly a step up from common consumer dreck. That they care about security was shown by their publishing a 24-page router security best practices paper. Not only do they support WPA2 Enterprise, but most DrayTek routers have a built-in RADIUS server, which makes implementing WPA2 Enterprise simple and realistic for consumers and small businesses. See a list of the features on their routers. As they say, they don't do entry level. They offer single WAN, dual WAN and multi-WAN models, just like Peplink.
This July 2018 article calls the Vigor 2862Lac router a perfect router for SMBs. SmallNetBuilder.com has reviewed DrayTek routers, but the most recent review was back in 2011. You can judge the user interface for yourself, DrayTek offers online emulators for all their routers.
DrayTek offers many different router models, so finding the right one for you is not simple. According to their website, their cheapest routers are the Vigor 2133 series. Routers are only sold through partners, not directly by the company, and their US partners do not have much for sale. A sampling of US resellers, done in Feb. 2020, found these low end models for sale: Vigor-2760n for $130, 2133ac for $170, Vigor2926ac for $296 and a Vigor2926 for $200.
Some important things I do not know about DrayTek are how long they provide firmware updates for their routers, how long tech support is provided, and what each of these costs.
Peplink does not offer a mesh Wi-Fi system (at least not as of April 2020), so if you use a Peplink router that does not do Wi-Fi, the question is what to pair it with. Although I have not used them, one excellent (and relatively expensive) option is Ruckus Access Points. Ruckus specializes in Wi-Fi and their Access Points are universally praised. They can also function in Mesh mode.
An issue with all Access Points is the software to control and manage them. The Ruckus "Unleashed" line of Access Points has controller software built into the APs. Ubiquiti, in contrast, will sell you a $70 gizmo to run the controller software for their APs. Peplink Balance routers include AP controller software, so if you just need Access Points (no mesh), then buying Peplink APs means not having to deal with controller software from a different company. See the data sheet (pdf) for the Unleashed line of Ruckus APs. The first Ruckus Unleashed AP becomes the master/controller. When another AP is added, it inherits the configuration from the master automatically. The 9U1 firmware models are "Unleashed"; other AP firmware requires separate controller software.
As a high end company, Ruckus does not sell directly to consumers; you are supposed to buy through an authorized reseller. You can also buy from Amazon.com, but doing so means no support from Ruckus. The only thing you get with an Amazon purchase is a 30 day guarantee that the AP is not dead on arrival. Since APs have no moving parts, buying a used one on eBay makes sense too. Prices from April 2020: An R310 at Amazon was $145, from Zones, an authorized reseller, $217. An R510 at Amazon was $260, at Zones it was $387. I do not know the rules for Ruckus tech support or for ongoing firmware updates to the Access Points.
There are two problems with Ruckus. They are now owned by Commscope, which broke the links here when they retired the ruckuswireless.com website. I think this is the second company that bought out Ruckus. Powering the Ruckus APs is a pain. They come with nothing, since they usually get power over the Ethernet cable. However, that requires a specialized device (about $60) called a PoE injector. They can be powered normally, but you have to buy a 12 volt DC, 1 amp power supply on your own. I think this should cost about $10.