Router Security: Suggested secure routers
Configuring a router for security can only take you so far. You also need to choose the right router in the first place.
Many people use the device given to them by their Internet Service Provider (ISP), which I think is the least secure option for a number of reasons. Understandably, many non-techies prefer this because they can call their ISP when things go wrong.
Slightly more secure would be a consumer router, but that is not the best option either. To bolster this opinion, see the page on router bugs. It is not an exhaustive list of bugs, but it illustrates the poor state of software on consumer routers.
The most secure option is a business class device or perhaps a pro-sumer model.
Which router do I recommend? The Pepwave Surf SOHO router from Peplink. It is a low-end business class router, not geared to consumers. Its cost has been a fairly consistent $200, which is a bargain for a business grade router, especially one that does Wi-Fi. The user interface is, in my opinion, simpler than that of other business oriented routers. You can see for yourself by kicking the tires of a much higher-end Peplink router here. My description of the router, with its pros and cons, is quite long. The Surf SOHO may not be a fit for you, but after reading about it you should have no doubt whether it meets your needs or not. My only relationship with Peplink is that of a customer.
My second choices would be Gryphon, OPNsense and pcWRT, with the proviso that I have not used any of them. For a few months, I would have recommended the UniFi Dream Machine by Ubiquiti, but no more. There is more on each below.
NOTE: Any router can only be made as secure as its included features allow. For a list of router security features see my Security Checklist.
NOTE: Buying a used router from a stranger (think eBay) can be dangerous, as the firmware may have been maliciously modified. To protect against that, download new firmware using a different router and install it before putting the used router into service. If possible, switch the firmware entirely: if it came with stock firmware, try switching to DD-WRT, OpenWrt or anything else. Asus owners can switch from Asus firmware to that offered by Merlin.
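As an added example (not from this page and not any vendor's tool), here is a small POSIX shell check for that firmware download step: it verifies the image against a SHA256SUMS-style file of published hashes before you flash it, and gives a distinct refusal for an image that is not listed at all. The file names are placeholders, and the assumption is that the vendor publishes SHA-256 hashes for its images, which not every vendor does.

```sh
#!/bin/sh
# Added example (not from routersecurity.org or any vendor): verify a firmware
# image against the vendor's published SHA-256 list before flashing a used router.
# Assumptions: the vendor publishes a SHA256SUMS-style file ("<hash>  <filename>"
# per line, as produced by sha256sum) and you fetched both files from a
# machine you trust, not through the used router itself.
set -eu

# verify_firmware IMAGE SUMSFILE
# Exit status: 0 = hash matches, 1 = hash mismatch, 2 = image not listed at all.
verify_firmware() {
  image="$1"
  sums="$2"
  name=$(basename "$image")

  # Accept both "hash  name" (text mode) and "hash *name" (binary mode) lines.
  expected=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1; exit }' "$sums")
  if [ -z "$expected" ]; then
    echo "REFUSE: $name is not listed in $sums, cannot verify it" >&2
    return 2
  fi

  actual=$(sha256sum "$image" | awk '{ print $1 }')
  if [ "$actual" != "$expected" ]; then
    echo "REFUSE: SHA-256 mismatch for $name" >&2
    echo "  published: $expected" >&2
    echo "  computed:  $actual" >&2
    return 1
  fi

  echo "OK: $name matches the published SHA-256"
}

# Stand-alone use: verify_firmware.sh <image> <SHA256SUMS>
if [ "$#" -eq 2 ]; then
  verify_firmware "$1" "$2"
fi
```

When the image sits next to the list, `sha256sum -c --ignore-missing SHA256SUMS` does the same comparison; the function above exists so that the "not listed" case is a separate result rather than something to read out of a warning. A matching hash proves you have the file the vendor published, not that the vendor's file is clean, so this is a defence against a tampered download, not a substitute for the re-flash itself.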
By "privacy" I am referring to a router not spying on you. In the old days, no routers spied on the network they governed. Now, this is getting harder and harder to find. It is now the rule, rather than the exception, that customers must have an account with the router manufacturer. If the router is in contact with a cloud service from the manufacturer, there is always the chance that someone at the manufacturer can get into the router. Plume is perhaps the ultimate example of monitoring your network, and they are forming partnerships with ISPs.
Then, too, there is passive spying; many routers phone home with data about the activity on the LAN they control. The last router that I took a serious look at, the Synology RT2600ac, was disgraceful in this respect. It phoned home to Synology all the time, there is no way to stop it, and Synology cannot be bothered to document what data is being transferred or why. For details, see the section Spying On The Router in my Synology review. In March 2020, I confirmed my earlier tests that Peplink routers do not spy on you at all. You also do not need to have an account with Peplink to use their routers.
Cisco is perhaps the poster boy for Point 1. It seems as if new critical security flaws are found in Cisco router software every month, so many that I have given up even including them in the News page. And these are huge flaws, the type that let remote attackers take full control over vulnerable devices.
Initially, I did not include outbound firewall rules in this list. However, with the January 2020 release of the Cable Haunt vulnerability in Broadcom cable modems, it has become much more important. For my take on Cable Haunt see the Bugs page. In short, if a device on your LAN can access a vulnerable cable modem, then it can attack the modem. If the modem is part of a gateway (combination router/modem), that makes the danger even worse. In the US, we cannot update the firmware on our cable modems; our ISP must do this. Since most ISPs are virtual monopolies, they have no motivation to bother with something that will cost them time and money and that few customers are aware of. So, this vulnerability is likely to remain with us for decades.
The only defense is blocking LAN side access to the modem (it is usually available at IP address 192.168.100.1). There are two ways to do this. The hard way is defining a custom route in the router, something many routers do not support. The easier way is to block IP address 192.168.100.1 with an outbound firewall rule. Again, many routers do not offer outbound firewall rules. The Pepwave Surf SOHO, which I recommend, does support outbound firewall rules, and configuring it to block modem access looks like this. After adding the rule, confirm it from a LAN device: the modem's status page at 192.168.100.1 should no longer load. I blogged about this back in 2015: Talk to your modem and Using a router to block a modem.
Then, too, consider the many stories about how apps are spying on us by sending data to a huge number of third party marketing companies. Here is one such report from January 2020. The report lists some of the common tracker domains used by the apps they examined: ads.mopub.com, sdk-android.ad.smaato.net, googleads.g.doubleclick.net, api.pubnative.net, my.mobfox.com and more. The only way to block apps from spying on you, at least at home, is to have a router that can block domains like these. The Pepwave Surf SOHO can block all access to one sub-domain, by setting DNS to an invalid IP address, or block web access to an entire domain (all sub-domains) with its Content Blocking feature. Or both. Note that DNS-based blocking only catches apps that use the router's DNS; an app that brings its own DNS-over-HTTPS resolver or talks to hard-coded IP addresses sidesteps it.
Some people only trust Open Source router firmware. For example, at PrivacyTools.io, they recommend OpenWrt, pfSense and LibreCMC. However, they offer no explanation for why these three systems are more secure than anything else. I do not think that all open source is good and all closed source is bad.
Secure defaults are needed because most routers are owned by people with no understanding of networking and these people should be secure by default. UPnP is an excellent example, it is insecure and enabled by default on every consumer router. WPS should be disabled by default, or better yet, not even available. Wi-Fi encryption should default to WPA2-AES. Etc. etc.
On a related point, if you need to open a port, perhaps to allow for remote control, a router that can limit access to said port by source IP address is almost a necessity.
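The two rules discussed above, blocking LAN-side access to the modem and limiting an opened port to one source address, as an added example on an nftables-based Linux router such as OpenWrt. This is not the Surf SOHO's configuration and not code from the page; the interface names, the admin source address (203.0.113.7, a documentation address) and the port number are assumptions to be replaced with your own.

```sh
#!/bin/sh
# Added example, not from routersecurity.org and not Peplink's configuration:
# the same two controls on an nftables-based Linux router (OpenWrt and similar).
# Interface names, the admin address and the exposed port are assumptions.
set -eu

LAN_IF="${LAN_IF:-br-lan}"               # assumed LAN bridge name
WAN_IF="${WAN_IF:-eth0}"                 # assumed WAN interface name
MODEM_IP="${MODEM_IP:-192.168.100.1}"    # usual cable modem management address
EXPOSED_PORT="${EXPOSED_PORT:-22}"       # assumed port you opened for remote access
ADMIN_SRC="${ADMIN_SRC:-203.0.113.7}"    # assumed only source allowed to reach it

# Print an nftables table that (1) drops anything the LAN sends to the modem and
# (2) drops connections to the exposed port from any source except ADMIN_SRC.
# Priority -10 runs before the distribution's own filter chains, and a drop
# verdict here is final, so the table works alongside OpenWrt's fw4 rules.
guard_ruleset() {
  cat <<EOF
table inet guard {
  chain forward {
    type filter hook forward priority -10; policy accept;
    iifname "$LAN_IF" ip daddr $MODEM_IP counter drop comment "no LAN access to modem"
  }
  chain input {
    type filter hook input priority -10; policy accept;
    iifname "$WAN_IF" tcp dport $EXPOSED_PORT ip saddr != $ADMIN_SRC counter drop comment "source-restricted port"
  }
}
EOF
}

# Syntax-check the ruleset, then load it; nft -f reads the whole file atomically.
apply_ruleset() {
  guard_ruleset | nft -c -f - && guard_ruleset | nft -f -
}

# Run on a LAN host after loading: the modem's web page must no longer answer.
probe_modem() {
  if curl -s -o /dev/null --max-time 3 "http://$MODEM_IP/"; then
    echo "FAIL: modem web UI still reachable from the LAN"
    return 1
  fi
  echo "OK: no answer from $MODEM_IP within 3 seconds"
}

case "${1:-}" in
  apply) apply_ruleset ;;
  probe) probe_modem ;;
  *)     guard_ruleset ;;   # default: print the ruleset for review
esac
```

Run it with no argument to print the ruleset for review, with `apply` on the router to check and load it, and with `probe` from a LAN host to confirm the block. If the exposed port is forwarded to a LAN machine rather than terminated on the router, the `ip saddr !=` test belongs in the forward chain, after DNAT, instead of the input chain. The route-based alternative the text calls the hard way is, on a Linux router, a blackhole route (`ip route add blackhole 192.168.100.1/32`), which stops the router and everything behind it from reaching that address; the firewall rule is preferable because it leaves the router itself able to check the modem.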
I have no hands-on experience with Gryphon.
The Gryphon router is a consumer device with many security features. The security features include: parental controls, intrusion detection, an ESET database of dangerous software and a verification of the firmware when first powered on. If the firmware was tampered with, it will not start up. There are three LAN ports in the first generation devices, it does not support WPS, it can run a speed test on its own, the software self-updates and administration is done with a mobile app (no web interface).
One downside: you must set up an account with Gryphon and give them an email address. Documentation is sparse. There is no phone-based tech support. When they transitioned from one app to another, no notice was given to users of the old app. At least initially, it only offered two SSIDs.
Parents can see the websites kids visit. Parents can even view browsing history if the child surfs with Incognito Mode. Parents can limit the screen time of children. It claims to prevent users from clicking on websites with malware. The problem with any such system is dealing with exceptions. With much Parental Control software, kids using a VPN can bypass any restrictions in the router. No review that I have seen addressed this.
The app notifies you when a new device connects and you can then assign a profile to it. New devices can be blocked from the Internet by default.
They claim it blocks DDoS attacks and monitors IoT devices for unusual network traffic. It claims to scan network traffic with antivirus tools. The ESET malware and ransomware protection is free for a year. After that, it costs $79 annually.
For mobile devices away from home, they offer Gryphon Homebound for free for three months. It routes data from the mobile device back to the Gryphon router at home, so that it can be "managed".
HISTORY: Gryphon is a startup based in San Diego. They launched in 2014. They have been on IndieGoGo, Kickstarter and Backerkit. Bloomberg wrote about them in Nov. 2016. Shipping was initially planned for June 2017. In August 2017, shipping was expected in October 2017. In Feb. 2018 they claimed to have "received the first production batch of Gryphons last week and are in the process of shipping them."
PRICING: As of September 2020, a single box cost $210, and it was also sold as a pair for $400. A few Gryphon routers can be combined to form a mesh network. After the first year, owning it costs $99/year. An exception is the parental controls, that feature is free forever. In August 2019 a single Gryphon router was $230 from Amazon.com while their website sold it for $219 new and $189 refurbished. A pair was $400. In Dec. 2018, a single unit was $200 at Amazon and the Gryphon website sold a single unit for $220 and a pair for $420. In Sept. 2018, it cost $240 at Amazon for one unit. In Feb. 2018 pricing at Backerkit was $250 for a single unit and $450 for a pair while pricing at their website was $200 for a single device and $350 for a pair.
REVIEWS: There have been very few reviews of the Gryphon router. In a Sept. 2018 review at Business Insider the author admitted to not being techie enough to evaluate the security of the router. So, why does the company give him a router to review? Could they be afraid of a technical examination? He found the parental controls to be "tedious" but the router was fast. Installation was a pain. A Dec. 2018 review by Brian Nadel at Tom's Guide did not go into much depth. A Jan. 2019 review by John Delaney for PC Magazine said the parental controls were excellent. It is very well reviewed at Amazon.com.
According to a Nov. 2019 review by Brian Walker, Gryphon can block ads and store a browsing history for each device. It does not support VLANs. One way around router controls is to run a VPN and he claims that it can block VPNs. A paid service called Gryphon Homebound (free for 90 days) allows you to block threats and unsafe content from your kids' cellphones even when they are not home. There are no details on how this works.
The second generation Gryphon is called Gryphon Guardian and the first shipments were in early 2020. Like Eero and Synology, Gryphon seems to be scaling back with their latest generation. The new devices are smaller, probably less powerful and cheaper. They include malware filtering from ESET and have only one Ethernet LAN port. The Guardian initially sold for $120. In July 2020 it was $109 for one or $299 for a three-pack. In September 2020, it was $99 for one and $239 for a 3-pack. They offer a 90 day money-back guarantee.
I have not used a pcWRT router.
The pcWRT router was initially sold for its Parental Controls rather than security. That said, it has had security features added since it was first released back in 2015. One Parental Control feature is the ability to block YouTube videos that are not child-safe. For $129 (Amazon, Feb. 2020) you get dual band AC Wi-Fi with gigabit Ethernet. For $49 you get Wi-Fi N only, on the 2.4GHz band, and the Ethernet is only 100Mbps. In early 2019, the low end model was $99. There is an online demo of the router interface. The system is based on OpenWrt.
It can create four Wi-Fi networks and there is an option to "Enable WiFi client isolation". The availability of Wi-Fi networks can be scheduled. Privacy is great: no account is needed with the vendor and they say the router does not phone home at all. Support for VPNs is excellent. As per the blog post A router that talks three VPN protocols, pcWRT supports OpenVPN, IKEv2 and WireGuard, both as a server and as a client. It can even configure multiple VLANs and send different VLANs through different VPN connections (or no VPN). Just amazing.
It also does ad blocking using the same technology as Pi-hole. To enable ad-blocking network-wide, just check "Enable Ad Block". You can enable it for some or all profiles. There is a white listing feature for the inevitable over-rides, such as when a website will not load without ads being displayed.
A number of DNS providers are pre-set; you can easily choose among them or specify anything of your choice. You have a lot of flexibility in controlling traffic: you can allow or block a URL, a subdomain, a domain, a certain port on a domain, a port, or a port for a specific protocol. More here: How to allow or block web sites on the router. Devices using the router can be assigned to profiles, and each profile can use different DNS servers and have a custom black or white list of domains. It seems that you could define a profile for a child with a white list that only allows them access to a small number of approved domains. It can even block just a section of one website. The example they give is
It logs the blocked domains and also has a summary report of blockage.
The router lets you create a backup of the current configuration to a file. You can either be emailed when new firmware is available or the pcWRT can automatically update itself. An interesting blog post from the company, How to use your router to block smart TV snooping, talks about the VLAN feature and watching the domains a smart TV talks to and then limiting the domains it is allowed to communicate with. The routers offer their own free DDNS service that provides you with a hostname on the pcwrt.net domain.
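The workflow in that blog post, watch which domains a device resolves and then block them, and the tracker-domain blocking discussed earlier for the Surf SOHO, as an added example (not pcWRT's code and not from this page) for a router whose resolver is dnsmasq with query logging turned on, which is what OpenWrt-based routers use. The log lines in the usage are constructed, the client addresses and the allowlist file are assumptions, and the generated entries follow the Pi-hole convention of answering 0.0.0.0 for a blocked name.

```sh
#!/bin/sh
# Added example (not pcWRT's code, not from routersecurity.org): from a dnsmasq
# query log, list what one device resolves, then turn that list into dnsmasq
# sinkhole entries, skipping an allowlist of domains the device really needs.
# Assumptions: dnsmasq runs with log-queries (on OpenWrt, option logqueries '1'
# in /etc/config/dhcp) and the client addresses used here are made up.
set -eu

# domains_for_client LOG CLIENT_IP
# Prints "<domain> <query count>" per unique domain the client asked for, sorted.
# Matches the "query[TYPE] <domain> from <client>" lines regardless of whether
# the syslog prefix includes a hostname, by locating the query[ token itself.
domains_for_client() {
  awk -v ip="$2" '
    {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^query\[/ && $(i + 3) == ip) { n[$(i + 1)]++; break }
    }
    END { for (d in n) printf "%s %d\n", d, n[d] }
  ' "$1" | sort
}

# sinkhole_config DOMAINS_FILE ALLOWLIST_FILE
# Reads "<domain> ..." lines and emits address=/<domain>/0.0.0.0, which makes
# dnsmasq answer 0.0.0.0 for the domain and every subdomain (Pi-hole style).
# Domains listed one per line in ALLOWLIST_FILE are left alone. FILENAME is
# compared to ARGV[1] rather than using NR==FNR so an empty allowlist works.
sinkhole_config() {
  awk '
    FILENAME == ARGV[1] { allow[$1] = 1; next }
    !($1 in allow)      { printf "address=/%s/0.0.0.0\n", $1 }
  ' "$2" "$1"
}

# Stand-alone use, e.g. for a smart TV at 192.168.1.50 on OpenWrt:
#   logread > queries.log                      # or the file set by log-facility
#   domains_for_client queries.log 192.168.1.50 > tv-domains.txt
#   # review tv-domains.txt; move anything the TV must reach into allow.txt
#   sinkhole_config tv-domains.txt allow.txt > /tmp/dnsmasq.d/tv-block.conf
#   /etc/init.d/dnsmasq restart
```

Confirm the block from a LAN device with `nslookup ads.mopub.com <router address>`: the answer should be 0.0.0.0. As with any DNS sinkhole, this only affects devices that use the router's resolver; the same caveat about apps with their own DNS-over-HTTPS resolver or hard-coded addresses applies here.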
Like many other routers, it can block Pings from the WAN side. It also has a stealth mode and I am not clear what that is/does.
The website says nothing about who created the router, and there is no Contact Us page either. All communication is via a Forum. Documentation is mostly in the blog on the website. There is also a 5 page pcWRT Parental Control Router User's Guide. They have good release notes and a history of firmware releases.
I have no hands-on experience using routers from DrayTek, but the company seems to be similar to Peplink, in that their products are clearly a step up from common consumer dreck. That they care about security was shown by their publishing a 24-page router security best practices paper. Not only do they support WPA2 Enterprise, but most DrayTek routers have a built-in RADIUS server, which makes implementing WPA2 Enterprise simple and realistic for consumers and small businesses. See a list of the features on their routers. As they say, they don't do entry level. They offer single WAN, dual WAN and multi-WAN models, just like Peplink.
This July 2018 article calls the Vigor 2862Lac router a perfect router for SMBs. SmallNetBuilder.com has reviewed DrayTek routers, but the most recent review was back in 2011. You can judge the user interface for yourself, DrayTek offers online emulators for all their routers.
DrayTek offers many different router models, finding the right one for you is not simple. According to their website, their cheapest routers are the Vigor 2133 series. Routers are only sold through partners, not directly by the company, and their US partners do not have much for sale. A sampling of US resellers, done in Feb. 2020, found these low end models for sale: Vigor-2760n for $130, 2133ac for $170, Vigor2926ac for $296 and a Vigor2926 for $200.
I do not know how long DrayTek supports the software in their routers, but someone who bought a new Vigor 2860 in 2013 wrote to tell me that it is still getting bug fixes in June 2020. You can judge how long firmware support is provided at their Downloads and Resources page. This person also reports that firmware updates are free.
As for tech support, this same person reports that it is free and, in their words, "fairly responsive and helpful". However, I do not know how long they provide tech support for.
As for the company itself, this experienced DrayTek owner confirms that they are much like Peplink, writing: "Draytek Vigor routers are business-grade routers, and as such have vastly more capability than the average consumer needs or would even understand, and so the configuration is a matter of selecting just those few items you need from a considerable array of options ... they are regarded as one of the more secure routers available (in the UK, at least)..."
In September 2020, Turris released a new device, the Turris Shield. As I write this, very little is known about it, there are no reviews of the Shield and even the documentation page on the Turris website has nothing about it. It is sold as a firewall rather than a router and is meant to sit between the modem and the router. People who have a single Internet device, a combination modem and router, can place the Shield behind it, rather than in front. This, however, will only protect Ethernet devices as the Shield does not do Wi-Fi.
On the upside, the software (TurrisOS, based on OpenWrt) is open source and Turris says it self-updates, both the OS itself and updates to defend against new attacks. I am confused about the term "attack". Any router purchased at retail should have a firewall with no open WAN side ports and thus defend the LAN behind it. So the purpose of the Shield firewall is unclear to me. The Shield is described as a "unique firewall" and a "unique security system" but there is no explanation of what makes it unique. Turris says it responds to threats within seconds, but it is not clear to me what types of threats it is responding to or how it is responding.
Turris says that it can be used by non-technical people; all you need to do is pick a password and the device does everything else on its own. Too good to be true? Time will tell. It is administered via a web interface.
The Shield can be both an OpenVPN server and client. VPN servers in routers serve two purposes. One allows you to log in to the device when you are traveling and use it as a free VPN to avoid paying for a commercial service such as ProtonVPN, Mullvad or TunnelBear. The available documentation does not say it can do this. The other purpose is to provide access to files and devices on the LAN when you are traveling. I would expect this to be blocked by any router as the router firewall would see this as an unsolicited incoming connection. Using the Shield as a VPN client puts all your eggs in one basket and gives you no flexibility. Individual devices cannot be excluded from the VPN tunnel, and if there is a problem with the VPN connection, all your devices are knocked off-line. If the VPN is slow, all your devices are slow. My personal preference is for a VPN box that connects to the LAN side of a router rather than the WAN side.
Some missing information: what is its maximum throughput with and without a VPN? Does it support inbound or outbound firewall rules? If it does support rules then not mentioning this is negligent documentation. If it does not support firewall rules, then, again, just what does it do?
As of early September 2020, the Shield was available for purchase in Germany, Great Britain, Spain, France, Italy and the Czech Republic. Alza was selling it for 104 British pounds, which was roughly equal to $138 US dollars.
Peplink does not offer a mesh Wi-Fi system (at least not as of April 2020), so if you use a Peplink router that does not do Wi-Fi the question is what to pair it with. Although I have not used them, one excellent (and relatively expensive) option is Ruckus Access Points. Ruckus specializes in Wi-Fi and their Access Points are universally praised. They can also function in Mesh mode.
An issue with all Access Points is the software to control and manage them. The Ruckus "unleashed" line of Access Points have controller software built into the APs. Ubiquiti, in contrast, will sell you a $70 gizmo to run the controller software for their APs. Peplink Balance routers include AP controller software, so if you just need Access Points (no mesh) then buying Peplink APs means not having to deal with controller software from a different company. See the data sheet (pdf) for the unleashed line of Ruckus APs. The first Ruckus unleashed AP becomes the master/controller. When another AP is added, it inherits the configuration from the master automatically. The 9U1 firmware models are "unleashed"; other AP firmware requires separate controller software.
As a high end company, Ruckus does not sell directly to consumers; you are supposed to buy through an authorized reseller. You can also buy from Amazon.com, but doing so means no support from Ruckus. The only thing you get with an Amazon purchase is a 30 day guarantee that the AP is not dead on arrival. Since APs have no moving parts, buying a used one on eBay makes sense too. Prices from April 2020: An R310 at Amazon was $145, from Zones, an authorized reseller, $217. An R510 at Amazon was $260, at Zones it was $387. I do not know the rules for Ruckus tech support or for ongoing firmware updates to the Access Points.
Two problems with Ruckus. They are now owned by Commscope which broke the links here when they retired the ruckuswireless.com website. I think this is the second company that bought out Ruckus. Powering the Ruckus APs is a pain. They come with nothing, since they usually get power over the Ethernet cable. However, that requires a specialized device (about $60) called a PoE injector. They can be powered normally, but you have to buy a 12 volt DC, 1 amp power supply on your own. I think this should cost about $10.