Router Security: Suggested secure routers
Configuring a router for security can only take you so far. You also need to choose the right router in the first place.
Many people use the device given to them by their Internet Service Provider (ISP), which I think is the least secure option for a number of reasons. Understandably, many non-techies prefer this because they can call their ISP when things go wrong.
Slightly more secure would be a consumer router, but that is not the best option either. To bolster this opinion, see the page on router bugs. It is not an exhaustive list of bugs, but it illustrates the poor state of software on consumer routers.
The most secure option is a business class device or perhaps a pro-sumer model.
Which router do I recommend? The Pepwave Surf SOHO router from Peplink. It is a low-end business class router, not geared to consumers. Its cost has been a fairly consistent $200 which is a bargain for a business grade router, especially one that does Wi-Fi. The user interface is, in my opinion, simpler than that of other business oriented routers. You can see for yourself, by kicking the tires of a much higher end Peplink router here. My description of the router, with its pros and cons is quite long. The Surf SOHO may not be a fit for you, but after reading about it, you should have no doubt if it meets your needs or not. My only relationship with Peplink is that of a customer.
My second choice would be the $300 UniFi Dream Machine by Ubiquiti. That said, I have no hands-on experience with it at all. The Dream Machine was introduced in November 2019 and, like the Pepwave Surf SOHO, it is a bottom-of-the-line device from a high end company. It is reasonable to expect the Dream Machine to be fairly secure, but having not used it, I don't know for sure.
The Wire Cutter (thewirecutter.com) is a popular review site. However, do not take their advice on routers. Like most, they focus on speed, speed and speed. They completely ignore security in making their recommendations. They are also only aware of consumer routers, a very small sub-set of the real world.
NOTE: Any router can only be made as secure as its included features allow. For a list of router security features see my Security Checklist.
NOTE: Buying a used router from a stranger (think eBay) can be dangerous, as the firmware may have been maliciously modified. To protect against that, download new firmware using a different router. If possible, switch the firmware entirely; that is, if it came with stock firmware, try switching to DD-WRT, OpenWRT or anything else. Asus owners can switch from Asus firmware to that offered by Merlin.
By "privacy" I am referring to a router not spying on you. In the old days, no routers spied on the network they governed. Now, this is getting harder and harder to find. It is now the rule, rather than the exception, that customers must have an account with the router manufacturer. If the router is in contact with a cloud service from the manufacturer, there is always the chance that someone from the manufacturer can get into the router. Plume is perhaps the ultimate example of monitoring your network, and they are forming partnerships with ISPs.
Then too there is passive spying; many routers phone home with data about the activity on the LAN they control. The last router that I took a serious look at, the Synology RT2600ac, was disgraceful in this respect. It phoned home to Synology all the time, there is no way to stop it, and Synology can not be bothered to document what data is being transferred or why. For details, see the section Spying On The Router in my Synology review.
Cisco is perhaps the poster boy for Point 1, it seems as if new critical security flaws are found in Cisco router software every month. So many that I have given up even including them in the News page. And these are huge flaws, the type that let remote attackers take full control over vulnerable devices.
Initially, I did not include outbound firewall rules in this list. However, with the January 2020 release of the Cable Haunt vulnerability in Broadcom cable modems, it has become much more important. For my take on Cable Haunt see the Bugs page. In short, if a device on your LAN can access a vulnerable cable modem, then it can attack the modem. If the modem is part of a gateway (combination router/modem) that makes the danger even worse. In the US, we can not update the firmware on our cable modems, our ISP must do this. Since most ISPs are virtual monopolies, they have no motivation to bother with something that will cost them time and money and that few customers are aware of. So, this vulnerability is likely to remain with us for decades.
The only defense is blocking LAN side access to the modem (it is usually available at IP address 192.168.100.1). There are two ways to do this. The hard way is defining a custom route in the router, something many routers do not support. The easier way is to block IP address 192.168.100.1 with an outbound firewall rule. Again, many routers do not offer outbound firewall rules. The Pepwave Surf SOHO, which I recommend, does support outbound firewall rules, and configuring it to block modem access looks like this. I blogged about this back in 2015: Talk to your modem and Using a router to block a modem.
On a related point, if you need to open a port, perhaps to allow for remote control, a router that can limit access to said port by source IP address is almost a necessity.
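The two controls described above, an outbound rule that blocks the modem's LAN-side address and an inbound rule that opens a port only to one trusted source address, plus the "custom route" alternative, are modelled below in plain Python. This is an added example, not Pepwave/Peplink configuration and not code from this page; the rules, addresses (LAN 192.168.1.0/24, trusted admin host 203.0.113.7 from the TEST-NET-3 documentation range, admin port 8443) and packets are all constructed for illustration. The evaluator is first-match-wins, top to bottom, with a default deny, which is how most router firewalls behave.

```python
"""Model of outbound/inbound firewall rules and a blackhole route (added example).

Constructed, hypothetical rules and packets; not any vendor's configuration.
Shows (1) an outbound (LAN -> WAN) rule blocking the cable modem's usual
management address 192.168.100.1, (2) an inbound rule that opens one port
only to a single trusted source address, and (3) the "custom route"
alternative, modelled as longest-prefix-match routing with a blackhole entry.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str      # "outbound" (LAN -> WAN) or "inbound" (WAN -> LAN)
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    direction: str
    action: str                     # "allow" or "deny"
    src: str = "0.0.0.0/0"          # CIDR; default matches any source
    dst: str = "0.0.0.0/0"          # CIDR; default matches any destination
    proto: str = "any"
    dport: Optional[int] = None     # None matches any port

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


# Outbound: block the modem exactly as the text describes (only .1), then
# allow everything else. Widen dst to "192.168.100.0/24" if you want to
# cover other addresses in that range as well.
OUTBOUND_RULES: List[Rule] = [
    Rule("outbound", "deny", dst="192.168.100.1/32"),
    Rule("outbound", "allow"),
]

# Inbound: the one opened port answers only to the trusted source address
# (constructed value from TEST-NET-3); everything else from the WAN is denied.
INBOUND_RULES: List[Rule] = [
    Rule("inbound", "allow", src="203.0.113.7/32", proto="tcp", dport=8443),
    Rule("inbound", "deny"),
]


def decide(rules: List[Rule], packet: Packet) -> str:
    """First matching rule wins; a packet matching no rule is denied."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return "deny"


# The "custom route" alternative: a host route for the modem that goes
# nowhere (blackhole) out-ranks the default route by longest prefix match.
ROUTES: List[Tuple[str, str]] = [
    ("0.0.0.0/0", "via 203.0.113.1 (WAN)"),   # constructed WAN gateway
    ("192.168.100.1/32", "blackhole"),
]


def route(dst: str) -> str:
    """Return the next hop chosen by longest-prefix match for dst."""
    addr = ip_address(dst)
    candidates = [(ip_network(net), hop) for net, hop in ROUTES if addr in ip_network(net)]
    if not candidates:
        return "unroutable"
    net, hop = max(candidates, key=lambda c: c[0].prefixlen)
    return hop


if __name__ == "__main__":
    lan_to_modem = Packet("outbound", "192.168.1.10", "192.168.100.1", "tcp", 80)
    lan_to_web = Packet("outbound", "192.168.1.10", "93.184.216.34", "tcp", 443)
    print("LAN host -> modem:", decide(OUTBOUND_RULES, lan_to_modem))
    print("LAN host -> web  :", decide(OUTBOUND_RULES, lan_to_web))
    print("route to modem   :", route("192.168.100.1"))
```

Note that the /32 outbound rule does exactly what the text says and no more: a packet to 192.168.100.5 is still allowed, which is why the comment suggests widening the destination if your modem answers elsewhere in that range. Whichever method your router supports, verify it afterwards from a LAN host by trying to open the modem's page; it should fail.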
Ubiquiti has many fans and their UniFi line is a step up from consumer routers. However, their AmpliFi and Alien line are both for consumers.
Getting started with UniFi has always been both too expensive and too complicated. For example, you need to buy their router, their switch, their Access Point(s) and then deal with their server software, yet another headache. You have to run their controller software somewhere, perhaps on one of your computers, perhaps in a virtual machine or perhaps on a small hardware device (UniFi cloud key) they sell just for this purpose.
Their Dream Machine made it both cheaper and easier to get started with the UniFi line from Ubiquiti.
As a business/professional system, the Dream Machine supports firewall rules, VLANs, 2FA, Intrusion Detection, Intrusion Prevention, GeoIP Filtering and has an extensive web interface (in addition to a mobile app). It self-updates and supports 4 SSIDs. However, it only supports one WAN connection, there is no provision for fail-over. Another problem is that it requires you to have an account with Ubiquiti. Peplink does not require this.
Of some concern is the fact that remote access is enabled by default - no one does that. Also, remote access seems to go through Ubiquiti (unifi.ui.com); I am not sure if it offers direct access to the router. Also worrying is that when the router was released, many features were in Beta or Alpha. Peplink would never do that.
Another concern with Ubiquiti is that sometime in October 2019 they started spying on their customers, did not tell anyone about it and offered no way to opt out.
I first noticed this November 3, 2019, in this Twitter thread by Royce Williams. It links to a Reddit discussion: Ubiquiti adds phone-home to the access point firmware and an official response from the company. Quoting it: "We have started to gather crashes and other critical events strictly for the purpose of improving our products. Any data collected is completely anonymized, GDPR compliant, transmitted using end-to-end encryption and encrypted at rest. There is no on/off switch ... The memory leak that you reference above was a bug specific to release 4.0.60 which was fixed as of 4.0.61."
In other words, they screwed up the AP phoning home and created a memory leak that crashed their devices. Even if their intentions are not bad, their software quality seems poor. The Access Points phone home to trace.svc.ui.com, which Ubiquiti says you can block in the router. However, it keeps retrying, which is where the memory leak came from. That bug has been fixed.
More official response on Nov. 3, 2019: Update: UniFi Phone Home/Performance Data Collection. They gave in and will let customers opt out of this. This article: Sure, we made your Wi-Fi routers phone home with telemetry, says Ubiquiti. What of it? by Shaun Nichols of The Register (Nov 2019) adds nothing but there are 107 comments as I write this.
Ubiquiti also has a line of Edge Routers. They are a step above consumer routers but I have not used one, so I have no opinion on how secure they are. None of the EdgeRouters do Wi-Fi, so you would need to add wired access points. The user interface may be too difficult for anyone that is not a networking techie. Some have said that the documentation is almost non-existent. The three cheapest models are $59, $99 and $109 (as of Sept. 2019). The Operating System is called EdgeOS and the User Guide is online. Many have spoken highly of the Ubiquiti EdgeRouter Lite that sells for about $100. It has a console port and three Ethernet ports, none of which are dedicated. Doug Reid reviewed it in June 2017 for SmallNetBuilder.com and warned that: the GUI is still a work in progress, it is not plug and play, tech support is only available from a community forum and QoS kills the performance. On the upside, it is highly configurable, if you know what you're doing.
I have no hands-on experience with Gryphon.
The Gryphon router is a consumer device with many security features. The security features include: parental controls, intrusion detection, an ESET database of dangerous software and a verification of the firmware when first powered on. If the firmware was tampered with, it will not start up. There are three LAN ports, it does not support WPS, it can run a speed test on its own, the software self-updates and administration is done with a mobile app (no web interface). One downside: you must set up an account with Gryphon that includes giving them an email address.
Parents can see the websites kids visit. They claim to block DDoS attacks and monitor IoT devices for unusual network traffic. It should prevent users from clicking on websites with malware and it claims to scan network traffic with antivirus tools. Documentation is sparse. New devices can be blocked from the Internet by default. At least initially, it only offered two SSIDs. With much Parental Control software, kids using a VPN can bypass any restrictions in the router. No review that I have seen addressed this.
HISTORY: Gryphon is a startup based in San Diego. They launched in 2014. They have been on IndieGoGo, Kickstarter and Backerkit. Bloomberg wrote about them in Nov. 2016. Shipping was initially planned for June 2017. In August 2017, shipping was expected in October 2017. In Feb. 2018 they claimed to have "received the first production batch of Gryphons last week and are in the process of shipping them."
PRICING: As of January 2020, a single box cost $210 but it was also sold as a pair for $400. A few Gryphon routers can be combined to form a mesh network. After the first year, owning it costs $99/year. An exception is the parental controls; that feature is free forever. In August 2019 a single Gryphon router was $230 from Amazon.com while their website sold it for $219 new and $189 refurbished. A pair was $400. In Dec. 2018, a single unit was $200 at Amazon and the Gryphon website sold a single unit for $220 and a pair for $420. In Sept. 2018, it cost $240 at Amazon for one unit. In Feb. 2018 pricing at Backerkit was $250 for a single unit and $450 for a pair while pricing at their website was $200 for a single device and $350 for a pair.
REVIEWS: There have been very few reviews of the Gryphon router. In a Sept. 2018 review at Business Insider the author admitted to not being techie enough to evaluate the security of the router. So, why does the company give him a router to review? Could they be afraid of a technical examination? He found the parental controls to be "tedious" but the router was fast. Installation was a pain. A Dec. 2018 review by Brian Nadel at Toms Guide did not go into much depth. A Jan. 2019 review by John Delaney for PC Magazine said the parental controls were excellent. It is very well reviewed at Amazon.com.
According to a Nov. 2019 review by Brian Walker, Gryphon can block ads and store a browsing history for each device. It does not support VLANs. One way around router controls is to run a VPN and he claims that it can block VPNs. A paid service called Gryphon Homebound (free for 90 days) allows you to block threats and unsafe content from your kids' cellphones even when they are not home. There are no details on how this works.
The second generation Gryphon is called Gryphon Guardian and the first shipments are scheduled for Jan. 2020. Like Eero and Synology, Gryphon seems to be scaling back with their latest generation. The new devices are smaller, probably less powerful and cheaper. The Guardian initially sells for $120.
I have no hands-on experience with the F-Secure SENSE router.
Like Gryphon, SENSE is marketed on its security. A big difference is that SENSE seems to have been discontinued. As of Jan. 2020, it is no longer available as a stand-alone purchase. It is now part of the F-Secure TOTAL Premium cyber security package, which also includes their Freedome VPN and password manager. When you buy TOTAL, you get the router for free. But, this offer is only valid while supplies last. You pay for TOTAL every year. One year to protect 5 devices is $110, 2 years to protect 1-3 devices is $140. The elephant in the room, however, is how long the SENSE router will be supported. Beats me. Also, it does not support mesh.
The explanation of the SENSE router on their website is poor. It does every good thing you could imagine, curing cancer and world peace included. In fairness, here is their lead: "Secure your smart home with one device, now and in the future. Sense creates a secure network for all of your connected devices to monitor and protect them through one simple interface. With privacy and security both at home and on the go, you have the freedom to unleash your smart lifestyle." Beats me what the product does. Here's more: "Sense creates a secured Wi-Fi network in your home. Traffic in the network is analyzed by Sense with the help of F-Secure security cloud, where threat definitions are updated in real time. The cloud leverages next generation security features such as machine learning and behavior based threat analysis to give you corporate-level security in your own home, and block attacks before they even happen. Sense also blocks unwanted tracking attempts ..."
My concern is whether, like the Trend Micro software in Asus routers, F-Secure could be reading your emails as part of checking things for viruses. Eventually they got clearer: "F-Secure SENSE is the combination of a smart security router, an advanced security app and industry-leading cloud protection." There is no web interface. Sense initially did not include a VPN or Tor, but they planned to integrate their VPN service in the future. It is not clear to me (as of Jan. 2020) if their TOTAL package uses software on your devices for its VPN or if the VPN runs out of the router.
HISTORY: As of Nov. 2015 they were taking pre-orders with an estimated ship date of Spring 2016. As of Oct 2016, they were still taking pre-orders for 200 Euros, which included a one-year subscription but there was no estimated ship date. As of May 2017 it was available in Denmark, Finland, France, Germany, Ireland, Netherlands, Norway, Sweden and United Kingdom. As of July 2017, it was available in the US for $199 which included the first year of an ongoing subscription that was to cost $119 after the first year. The router was said to be usable without the subscription. As of Sept. 2018 it was still $199 and there was free shipping. In Jan. 2019 it was $100 at Best Buy in the US with free shipping and a 1 year F-Secure Internet Security subscription for up to 25 PCs or Macs and unlimited Android devices.
REVIEWS: Your Questions On F-Secure SENSE, Answered (videos from F-Secure; no author, undated). Reddit AMA, August 2017. F-Secure Sense Review by Brian Nadel of Toms Guide, Nov 2017: No WPS but support is planned. This is not a good feature in a secure router. Each Wi-Fi frequency band is required to have a different SSID. Ugh. Does not support static IP addresses. Ugh. No parental controls. Windows software includes a firewall. During initial setup, you "can opt out of having local data about usage sent to F-Secure." F-Secure provides 24/7 phone support.
Peplink does not offer a mesh Wi-Fi system (at least not as of Oct. 2019) so if you use a Peplink router that does not do Wi-Fi the question is what to pair it with. Although I have not used them, one excellent (and relatively expensive) option is Ruckus. Ruckus specializes in Wi-Fi and their Access Points are universally praised. They can also function in Mesh mode, where one AP talks to another wirelessly.
An issue with all Access Points is the software to control and manage them. The Ruckus "unleashed" line of Access Points has the controller software built into the APs. Ubiquiti will sell you a $70 gizmo to run the controller software for their APs. Peplink Balance routers include AP controller software, so if you just need Access Points (no mesh) then buying Peplink APs means not having to deal with controller software from a different company. The cheapest Ruckus AP is the R310. Higher end models are the R510 and the R610. For home use the R310 is probably fine. The 9U1 models are "unleashed," other variations require separate controller software.
As a high end company, Ruckus does not sell directly to consumers, you have to buy through an authorized reseller. Do not buy their hardware on Amazon.com, they will not support it. I do not know the rules for tech support or for ongoing firmware updates to the Access Points. Ruckus APs are designed to be powered from the Ethernet cable. If you don't already have a switch that offers electricity via Ethernet, you will need to buy either a power-over-Ethernet adapter or an AC adapter to power each Ruckus AP.
It is hard to tell how much a router vendor really cares about security - until you submit a bug to them and see how they deal with it. On the October 19, 2019 episode of the Cyberwire podcast (Hoping for SOHO security) someone from ISE was interviewed about their recent report SOHOpelessly Broken 2.0 that found multiple flaws in routers and NAS devices. When it came to dealing with the problems that ISE reported, Asus and Netgear were drastically different. Simply put: Asus good, Netgear bad.
Quoting ISE: "Netgear exhibited severe communication issues, resulting in our finding being patched long before our reports were even confirmed. This was the longest and most arduous disclosure of this research project. Nearly 5 months were spent waiting for Netgear to respond to the BugCrowd reports, and an additional 3 months were spent attempting to get CVEs from Netgear, and then MITRE. After contacting MITRE, Netgear was removed from the official CVE numbering authority list." In contrast, they said "Asus promptly responded to our vulnerability submission. They worked closely with us to ensure they were mitigating the reported vulnerabilities appropriately."
Below are the bugs that ISE found. Both companies have been making routers for a very long time. This seems like quite a lot of bugs for software that should be mature at this point.
Asus
CVE-2018-14710 – Reflected Cross-Site Scripting via appGet.cgi
CVE-2018-14711 – Missing Cross-Site Request Forgery Protection on appGet.cgi
CVE-2018-14714 – Command Injection via load_script Hook in appGet.cgi
CVE-2018-14713 – Uncontrolled Format String via nvram_match Family in appGet.cgi
CVE-2018-14712 – Stack Buffer Overflow via delete_sharedfolder() in appGet.cgi
Netgear Nighthawk X10-R9000
CVE-2019-12510 – Authentication bypass via X-Forwarded-For header
CVE-2019-12511 – System command injection via SOAP API
CVE-2019-12512 – Cross-site scripting via X-Forwarded-For header
CVE-2019-12513 – Cross-site scripting in logs via malicious DHCP request
An experience of mine points out how much tech support cares. If they don't care, then it is impossible to consider the router secure. Peplink cares, AmpliFi does not.
In October 2019 I had a problem that I don't understand: TCP port 53 appeared to be open on the WAN side of an AmpliFi router and on three Peplink routers. The problem itself is not relevant here, just how each company dealt with it.
AmpliFi ignored my first email for a week. A second email was responded to; they said the open port was needed and pointed me to an irrelevant article about a Linux system needing port 53 open on the LAN side. A couple of back-and-forths made it obvious that the person I was in contact with either didn't know or didn't care. I had given them the public IP address of the AmpliFi router and the nmap output. They did not try to replicate the nmap result. In contrast, Peplink did try to replicate the nmap scan. The first and obvious step from a company that cares.
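The check at the heart of this story, whether TCP port 53 answers on the WAN side, is something you can replicate yourself without nmap. The script below is an added example, not the author's nmap output or any vendor's tool. Run it from a host outside your own network against your own router's public IP; from inside the LAN, NAT hairpinning or the router's LAN-side DNS listener can give a different answer than an outside observer sees. The 192.0.2.1 default target is a TEST-NET-1 placeholder, not a real device.

```python
"""Classify a single TCP port on your own router's WAN side (added example).

Not the author's nmap run and not a vendor tool. A full TCP connect is
attempted, so the result reflects what an outside client would get:
  open        - the router completed the handshake (a service is listening)
  closed      - the router answered with a reset (nothing listening)
  filtered    - no answer before the timeout (typical of a dropping firewall)
  unreachable - no route, DNS failure or similar local error
"""
import socket
import sys
from typing import Tuple


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Return "open", "closed", "filtered" or "unreachable" for host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:          # alias of TimeoutError; must precede OSError
        return "filtered"
    except OSError:
        return "unreachable"


def dns_exposed(host: str, timeout: float = 3.0) -> bool:
    """True if TCP/53 on host accepts connections from where this runs."""
    return probe_tcp(host, 53, timeout) == "open"


def self_test_localhost() -> Tuple[str, str]:
    """Sanity check of the classifier against a throw-away local listener.

    Opens a listening socket on an ephemeral loopback port, probes it
    (expected "open"), closes the listener and probes again (expected
    "closed", because the kernel now answers with a reset).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = probe_tcp("127.0.0.1", port, timeout=2.0)
    listener.close()
    after_close = probe_tcp("127.0.0.1", port, timeout=2.0)
    return while_open, after_close


if __name__ == "__main__":
    # Replace the placeholder with your own router's public IP address.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    print("classifier self-test (open, closed):", self_test_localhost())
    print(f"{target} tcp/53: {probe_tcp(target, 53)}")
```

A "filtered" result is what a well-configured router should produce for ports you have not deliberately opened; "open" on TCP/53 from the outside is worth a support ticket, which is exactly the situation described above. If you do open a port for remote administration, pairing it with a source-IP restriction (as noted earlier on this page) keeps an outside probe from anywhere else seeing "open".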
In addition, AmpliFi has a poor record with WPS. You can appear to disable WPS in the mobile app, but it is not fully disabled. Network scanning software shows that WPS is still enabled. Their tech support told me not to worry about it. But, I do. And, it is not clear to me at all how remote control of an AmpliFi works. So, I can't tell if it's secure. Their remote control system is unlike others I have seen, it requires you to use a Google account.
Also, the AmpliFi mesh points (candlesticks) can be used as Wi-Fi extenders for any network. The bad news is that when used with non-AmpliFi routers they enable WPS with no way to disable it. AmpliFi is a typical consumer product and should be avoided.
When it comes to Router Security and/or Privacy, Consumer Reports is as wrong as wrong gets. I am referring to this August 2019 article: Many Wireless Routers Lack Basic Security Protections, Consumer Reports' Testing Finds which says:
CR's router testing includes the companies' privacy policies, because so much sensitive data flows through the devices. Our privacy experts analyzed every router manufacturer’s documentation. We gave better scores to routers—including some models from Eero, Google, and Netgear—that spell out what information their manufacturers might collect from users, such as network speeds, the name of the internet service provider, and how much data you're transmitting to the web.
This is as wrong as wrong gets. For one thing, it assumes all router vendors spy on you, which is NOT true. There are routers that can be used without the router company knowing a damn thing about your network. And, without having to create an account with the router manufacturer. My favorite router company, Peplink/Pepwave is one such company. So too is Ubiquiti which makes the AmpliFi. Each can be used with total privacy.
That said, to use AmpliFi privately means giving up remote access to the system. AmpliFi only allows remote control using a Gmail or Facebook account. Peplink offers two systems for remote access to their routers: one system goes through them (InControl2), the other does not. Specifically, they still offer remote access via an open port. The port can be anything, access can be limited to HTTPS and you get to change the userid too, so it is as secure as this type of system can be.
In contrast, there is no opting out of Eero/Amazon or Google with their routers. Each requires you to have an account. But worse, they are the last two router companies anyone concerned with privacy should use. Yet, Consumer Reports gives them high marks for privacy. Lunacy. Both companies want to spy on you and a router is a perfect place for this spying.
Another indication that Consumer Reports is clueless, comes from the last few words in the quote above. A router offers access to much more than just "the web".
My final indication of their incompetence comes from their approach - reading privacy policies. If a router is phoning home, this can be detected. But, that requires technical competence.
- - - - - - - -
This page is still being worked on ....