Router Security: Router Resources
Website by Michael Horowitz
Table of Contents

  1. Security Advisories
  2. Emulators
  3. My blogs about routers
  4. Self Updating Routers
  5. Consumer Router Alternatives
  6. Third Party Firmware
  7. TOR and VPN Client Routers
  8. VPN Client Routers
  9. TOR Routers
  10. Just Released Routers
  11. Coming soon. Maybe.
  12. Default Router Passwords
  13. Other Router Security Advice
  14. Adding a router to a gateway
  15. Addon Security Devices
  16. Addon Security via Firmware
  17. Router/Network software
  18. Assorted Resources

Security Advisories from router vendors

Emulators - kick the tires on a router's web interface

My blogs about routers

Self-updating Routers

Since many router owners do not update the firmware, a router that self-updates is, almost always, a good thing. Not that it doesn't leave other problems, but one less is one less. This list is, no doubt, incomplete. And, the view that self-updating is always good is overly simplistic. The Security Checklist page has the details on what to look for. The Routers with Self Updating Firmware page has details on how some vendors compare to this checklist.

Consumer Router Alternatives

Third Party Firmware

One way to avoid consumer router firmware is to install alternate, third-party firmware.

TOR and VPN Client Routers

VPN Client Routers

When many consumers encounter a VPN router, they are dealing with a router that can function as a VPN server. This allows access to your home devices while traveling. It can also be used as a free VPN, in that you can funnel your Internet access through your home router while traveling. More interesting, to me, are routers that can function as VPN clients. That is, the software necessary to connect to a VPN server is built into the firmware of the router. In the old days, very few routers could function as a VPN client, but that has changed over time.

Note that there are different types of VPNs. For a long time, the most popular type was OpenVPN, but it has a big drawback - it takes a lot of computing horsepower. OpenVPN on a router is likely to be very slow. The newer WireGuard flavor of VPNs requires much less computing horsepower so, it should be faster.

If you need to know more about VPNs, see the VPN page on my DefensiveComputingChecklist.com website.

OLD: An excellent article on the subject (best I have seen) is VPN Router – Ultimate Guide (Setup, Tests, Best VPN Routers) by Sven Taylor of RestorePrivacy.com (Dec. 2017).

TOR Routers

A word of warning about running Tor on a router from Matt Casperson: "Tor is only as secure as those applications whose data it is transferring, and one of the benefits of the Tor bundle is a browser that has disabled a number of plugins that are known to leak identifiable information."

Just Released Routers

Hot off the router presses.

Coming soon. Maybe.

A number of security devices are planned. Some are routers, others sit between your router and modem and yet others can plug into a router. These upcoming security devices are getting some press attention. See These Devices Are Trying To Secure The Internet of (Hackable) Things by Lorenzo Franceschi-Bicchierai (Jan. 8, 2016 at Motherboard). This list is in no particular sequence.

Default Router Passwords

Other Router Security Advice

This topic was moved on January 1, 2018 to the new Other Router Security Advice page.

Adding a router to a gateway

Add-on Security Devices

Many devices are sold that claim to add security to an existing network. Note these issues with this class of device:

  1. A VPN running on a device on your LAN should be able to bypass whatever restrictions and/or protections the add-on box offers.
  2. These devices play in the sandbox of a single LAN or VLAN.
  3. If you are trying to block children from doing stuff, they can use the 4G/LTE Internet connection on their phone to bypass restrictions on your LAN.
  4. All these devices will slow down your Internet connection. This slowdown may or may not be noticeable.
  5. Most of these devices only protect your Wi-Fi devices, they do not protect Ethernet connected devices.
  6. I always wonder what data these devices are sending back to their manufacturers?
  7. If a device requires an ongoing subscription, be sure to check if it becomes a paperweight if you don't renew the subscription.

The Fingbox is a networking device that you plug into a LAN port on your router. For it to babysit all the devices connected to the router, it is abusing ARP and making itself appear as the default gateway. If you use VLANs, you would need one for each VLAN. It is limited to monitoring a single Wi-Fi SSID. Some routers block some features. It collects data about your network activity and sends it to Fing/Domotz. So, people who want security get more surveillance. Features: block kids from using the Internet during dinner time, notify you of new devices on your network, block new devices by default, notify when a device leaves the network, block any device from accessing the Internet, it detects any nearby WiFi device, even those not on your network (is Billie home yet?), bandwidth analysis, Wi-Fi signal strength analysis, test Wi-Fi and wired speeds, detect evil twin networks and report on WAN side open ports in router. Notifications are by an alert on a mobile device running the Fingbox app and/or by email. No texts. It also has a network vulnerability test. It can detect whether UPnP or NAT-PMP are enabled in the router, and, if so, it reports on the ports that were opened by UPnP and can also close these ports. It was discussed on Episode 745 of the Mac Geek Gab Podcast (Jan. 21, 2019). See the June 2018 User Guide and the March 2018 User Guide.
History: It first became available in October 2017. It was reviewed in Dec. 2017 by Doug Reid for SmallNetBuilder.com. As of May 2020 it cost $99. In Jan. 2019, it was also $99, in Dec. 2017 it cost $129.

Perhaps the first such home network security appliance was the Bitdefender Box. David Strom reviewed it in June 2015. At the time it cost $199 to purchase and $99/year to own. In August 2017, it was reviewed by Doug Reid at SmallNetBuilder.com. The box has two 100Mbps Ethernet ports and 2.4GHz Wi-Fi and includes a Bitdefender software subscription. However, it only inspects outbound traffic and is hard to install. It needs to be the DHCP server for the LAN and it sets itself as the default gateway, even when working with an existing router. Outbound connections are checked by the Bitdefender cloud. If a URL is considered malicious, it is blocked and a message appears in the mobile app. It also scans the LAN for devices with security flaws. The box does not detect DoS attacks either incoming or outgoing. At the time, it sold for $130.
Sometime in 2018 they released a second generation, the Bitdefender BOX 2, that sold for $180 to $200 with a 1 year subscription ($99/year afterwards). In Feb. 2020 the price was $130, in October 2020 it was $150. The company offers 24/7 Setup and Tech Support for free at 800-804-4602. You must create a Bitdefender account. It includes their antivirus/security software for an unlimited number of Windows, MacOS, Android and iOS devices. Also includes Bitdefender VPN to use on Windows, Android, macOS and iOS. The free VPN offers 200MB of daily traffic per device. They sell a higher end VPN product for an additional fee. Three configurations are supported: with an ISP-supplied gateway, with a modem and an existing router, or, with just a modem, in which case the Box functions as the only router. They prefer using it with a modem and existing router in which case the Box does DHCP. It works with most routers, not all. It will notify in the mobile app when a new device connects to the LAN and it can control what that device can do. It self-updates and re-boots in the middle of the night to install new firmware. It offers Parental Controls, blocks bad URLs, scans for network security flaws and alerts about malicious activity. A May 2019 review by Sam Cook gave it an overall rating of Poor. The home page of their website touts reviews with excerpts from the reviews, but, it does not link to the actual review, which is always a bad sign.

Firewalla is from a company started by former executives at Cisco. There were at one time five Firewalla devices. However, the Red and Blue have stopped production and are End-of-Life as of October 2023. The Red and Blue were the first devices and they plugged into a router LAN port via Ethernet to offer security, monitoring, ad-blocking (based on ad serving domain names) and parental controls. Then came Blue Plus ($189 as of March 2022, sold out as of Aug. 2023), Purple and finally the $478 (as of March 2022) Gold model. Only the Gold model can function as a stand-alone wired (no Wi-Fi) router. See their documentation of the model differences. In March 2022, this documentation said the Purple was in Beta and would start shipping in Jan. 2021, so clearly, documentation is not their thing. There are no monthly fees. It claims to protect your network from viruses and malware, and if so, is a rare product offering that for free. It can notify you when a new device joins the network and the notice lets you block the new device. It can also notify you when an offline device it has seen before comes back on-line, or when a currently on-line device goes off-line. It does intrusion prevention, both IDS and IPS. It does both internal and external vulnerability scans and self-updates. It runs a full Linux distribution and includes an OpenVPN server. It looks for unusual uploading behavior and has hourly, daily and monthly bandwidth usage reports (for each device?). It can track bandwidth by domain. It can show every single IP connection for a monitored device. It offers outbound firewall rules. You can squeeze some more performance out of it by picking which devices are monitored. There is both an OpenVPN and WireGuard VPN client; however, the setup instructions are only for OpenVPN (as of March 2022), which strikes me as sloppy. It supports site to site VPN connections.
As for privacy, it continuously monitors your network and phones home about what is going on. Quoting: "Firewalla uses deep insight and cloud-based behavior analytics engines to actively detect and automatically block problems as they arise." Parental controls show what kids are doing, let parents cut off all net access, or block just gaming or social networks. It can block adult websites. It uses either ARP poisoning or DHCP to intercept traffic and thus is not compatible with all routers. I am reasonably sure that it can only do what it does within a single LAN/VLAN. It is administered with a mobile app. There is a web interface in beta testing. I found that picking a model was just too hard, the documentation on the pros/cons of each is useless.
November 2022: There are already too many Firewalla models for me to keep track of. Now they are planning yet another model, the Purple SE, a cheaper version of the Purple. The big differences between the Purple SE and the Purple are that the SE will be slower (max speed 500Mbps) and not have Wi-Fi. As of Aug. 2023 the Purple SE is $230 compared to $340 for the Purple. Note that the Purple has "Short-range and low-power Wi-Fi" so it is not really comparable to other routers. On the upside, the Purple can connect to the Internet by connecting to an existing Wi-Fi network. Peplink calls this feature Wi-Fi as WAN. Combined with its small size, this might make the Purple a good travel router. That said, the Pepwave Surf SOHO has full Wi-Fi and is much cheaper (although bigger). The software functionality of the SE will be the same as the Purple. See announcement info here and here.
Reviews and more:

  1. Reviewed in July 2019 by Kevin C. Tofel
  2. Reviewed in Nov. 2019 by Rita El Khoury of Android Police. This shows some very interesting network related reports. Pretty sophisticated stuff for a cheap device.
  3. Reviewed in March 2019 by Neil J. Rubenking for PC Magazine
  4. Reviewed in May 2020 by Jason Cipriani for ZDNet. He had initial setup problems when used with a mesh router.
  5. See the history of firmware releases
  6. In June 2020 I added a section on the third generation Firewalla, the Gold model, to the Secure Routers page.
  7. The Firewalla Blue Plus was reviewed in Dec. 2020 by Dong Ngo. It was $200 then and the price is the same as of June 2021. Speed is up to 500 Mbps. You must have an account with Firewalla. Ugh. It collects quite a bit of information.
  8. In March 2021, Kevin Tofel wrote: Don't audit your smart home devices with a router. Use this instead. Both Blue and Gold models monitor the devices on your LAN and tell you where data is being sent by server and/or country. You can see which devices are the most chatty.
  9. In March 2022, Glenn Fleishman reviewed the Gold model for PC World. He felt it best not to use it as a router, but to position it between a modem and a router.
  10. In April 2022 the Purple was reviewed by Wired magazine. The review was lame as the author did not have the necessary technical background. At the time, it sold for $319 US. It can either be installed between the router and modem, or, it can act as a router, or it can connect to an Ethernet port of the router. It does Wi-Fi but just barely. Using it requires some technical skill.
  11. Firewalla Privacy Policy
  12. Questions related to privacy and data visibility by Firewalla
Note: There is more about Firewalla on the Secure Routers page.

Syfer was going to compete with Firewalla. It too sat between a modem and a router. The website said in Dec. 2019 that shipping would start in April 2019. It started on Indiegogo. Initially it cost $200 with a one-year subscription, as of April 2020, it was down to $180. Afterwards, it costs $10/month. It does not work with gateway devices, which are a combination modem and router. You must have a separate modem and router to use it. It is configured with a mobile app. It provides a VPN but you must use their VPN service. It offers parental controls and, of course, protects your home from all bad stuff including ads and trackers. It also claims to be a next-Gen Smart Firewall and to offer Smart Home and IoT Protection, whatever that means. The company is near Atlanta, GA but there is no physical address for it. As of April 2020, the last blog on their website was from Nov. 2018. As of October 2021 there is no blog at all and it is no longer sold to consumers, instead it is being sold to ISPs. They explain the data they collect here.

The Trend Micro Home Network Security box was first introduced late in 2016. It plugs into your router via its single Ethernet port. In 2019 and April 2020 it cost $110 with a one year subscription. Starting in year two, it costs $60/year. If you don't purchase renewals the device will simply stop working. Trend says it "provides protection against cyber-attacks for every Internet-connected device in your home" which is not true as it does not protect Ethernet-connected devices. It is configured with a mobile app. Features: Intrusion Prevention (IPS), Dangerous Site and File Blocking, Remote Access Protection, Profile-based Management, Website Filtering, Inappropriate App Used, Time Limits, connected at Home notifications, network dashboard, Smart Protection and ad blocking. It checks for default device passwords. It can disconnect unwanted devices from your Wi-Fi network. It can tell you when the kids are home. As of Jan. 2017 it assumed all HTTPS websites were safe. You need to have a Trend Micro account to use the thing, so there is a potential privacy issue. A Dec. 2016 review said it does not scan incoming email attachments for malware, does not filter out spam and does not check for malicious web links in real time. It does not work with all routers. It does not work with Peplink, my preferred router company. An Oct. 2017 review noted that you cannot use port forwarding with it. A Feb. 2020 review by Dong Ngo said that you can get the same protection for free with an Asus router via the Asus AiProtection feature. He liked the Parental Controls but pointed out that the Ethernet port is the relatively slow 100Mbps rather than the standard Gigabit speed. Read more from Trend: You are In Safe Hands with Trend Micro Home Network Security (Dec. 2019). In a May 2020 review for PC Magazine, Neil J. Rubenking was not impressed at all.

Cujo sits between your router and modem (logically or physically) and offers security protection (but no privacy protection). It is billed as a smart firewall. The original plan was for it to offer firewall, anti-malware, antivirus, deep-packet inspection and machine learning protection. Only some of these features were in the first release. Steve Gibson pointed out in July 2016 that it can run in either Gateway mode or Bridge mode. The new mode lets it plug into a LAN port of your router. So, how does it then intercept LAN traffic? It does an ARP spoofing attack on your LAN. Quoting the company "We send packet header data (but not full packets) to our cloud to analyze device behavior, compare your traffic to commercial threat intelligence feeds, and to make sure that unauthorized IP's do not connect to your network." And, this: "CUJO analyzes your local network traffic data locally and in real time. It then sends statistics on that data to the cloud for further analysis ... we don't send the contents of those packets to the cloud. If a threat or suspicious activity is detected, CUJO will tell the cloud what it has blocked so you can receive a notification on your mobile app to confirm it." The pre-order price was $99 and the first models were expected to ship in March 2016. Then May 2016. The devices actually shipped in July 2016 for $99 with 6 months of service included. Afterwards, service is $9/month. SmallNetBuilder first reviewed it in Sept 2016, then again June 2017. See CUJO Smart Internet Firewall - Second Look by Doug Reid. In the cloud, CUJO keeps track of bad IP addresses. It is also aware of normal device behavior. It has been reported that Spectrum will start using Cujo sometime in 2019. In March 2019, Talos found 11 bugs in the device.

Dojo plugs into your router and watches your network for security issues. There is a companion smartphone app, of course. Dojo is a rock/pebble looking thing that glows different colors to indicate current status. On June 1, 2017, TechCrunch wrote: "All traffic on a home network has to be routed via the Dojo for it to be able to see what's going on ... and perform its anomaly detection function ... You'll also need to be comfortable providing a third party company with data stream visibility of your home network."
History: Pre-orders started Nov. 2015 for $99 with a year of service. The estimated price then was $199 with a year of service. The first devices were expected in March 2016. As of May 8, 2016 there was no expected ship date. In August 2016, Dojo Labs was purchased by BullGuard. On Oct 15, 2016, Amazon.com said it was unavailable. In January 2017 it was reported that Dojo would be available in the US in mid-April 2017. By May 2017, there was a new Amazon page that on Jan 21, 2019 was selling it for $99. On May 31, 2017 Wired did a puff piece about it saying it went on sale that day for $200 (including the first year of service). The ongoing charge, after the first year, will be $99/year. As of Jan 21, 2019 it was being sold by BullGuard for $200 with a free lifetime subscription service.

Recon Sentinel is a small box that plugs into a router and "automatically finds everything that is connected to your network." Their press release: Cigent Announces Availability of Recon Sentinel, Allowing Small Office and Home Office Users to Fight Back Against Cyber Attacks (June 11, 2018) is all fluff. It begins: it "adds a layer of detection and defense above and beyond traditional antivirus, antimalware, and firewall solutions ... adds endpoint security that keeps users from losing their data once a breach does occur ... detects and block nefarious behavior ... constantly looking for signs of intrusion or other cybercriminal activities ... uses sophisticated deception technology to identify hacking activity." It costs $150 for the first year and $100/year thereafter. It is only available directly from the company.

Add-on Security via Router Firmware

In January 2018, Netgear announced a forthcoming security subscription service for their routers called Armor. Basically, it is Bitdefender antivirus running in the router. There is a 90 day free trial, thereafter it will cost $70/year. As of July 31, 2018, it was available for only two Netgear routers, the R7000P and the R6900P. As of Jan. 2019, it was slated to "soon" be available on the Orbi AC3000 model RBK50 and the Orbi Voice AC3000 model RBK50V. The number of features is long, perhaps too long. My favorite feature is that it dings the router administrator when a new device joins the network and lets the admin block the new device. It also claims to block viruses, spyware, spam, phishing and bad websites. Netgear claims it will scan your LAN and report on connected devices with vulnerabilities and weak passwords. We'll see. The subscription lets you install Bitdefender security software on your Android, iOS, Windows, and Mac devices. Your network can be remotely managed at armor.netgear.com. I have not seen a single review of the service. Note that a similar service from Trend Micro and used inside Asus routers had been found to spy on you.

Owners of the Eero mesh router system can pay an extra $10/month for added security called Eero Plus. They have partnered with a few companies to offer assorted security features. From Zscaler they get a database of threats to protect you from malicious websites with viruses, phishing scams, and more. It claims to block everything bad: ransomware, malware, viruses and ads. It also watches out for unknown or suspicious domains. It lets you download Malwarebytes on up to 3 devices. It can control what your kids can access. They partnered with the 1Password password manager. Paying for the service gets you VIP tech support from Eero. Finally, it lets you install the encrypt.me VPN (formerly known as Cloak) on your devices (it does not run in the router). Eero Plus costs $99/year, the same price as the VPN service by itself (assuming unlimited bandwidth).

Press release: D-Link Wi-Fi Router Powered by McAfee Will Automatically Protect Connected Home Devices (January 8, 2018). The D-Link AC2600 router is expected to be released in the second half of 2018 at an unknown price. It will feature security by the McAfee Secure Home Platform that will monitor the network for malicious activity, whatever that means. It will also monitor the network activity of individual devices for threats such as visits to malicious sites. It will notify you when a device on your network does not have antivirus software installed. It will have parental controls that can restrict activities by device, including the types of websites visited and times of day that Internet access is allowed. Parents can monitor their kids' online activities.

Some Asus routers include security software from Trend Micro. I wrote Asus router warnings on privacy and security on May 5, 2017. This was based on Review: ASUSWRT router firmware by Daniel Aleksandersen (created in May 2017, last updated: Nov. 2017). It focuses on the data leakage to Trend Micro by their software running in Asus routers.

Likewise, some TP-Link routers also include Trend Micro software, marketed under the name HomeCare. The software adds antivirus and malware protection, and malicious site blocking to the firmware. It was initially released for the Deco M5 mesh system and the Archer C5400, C3150 and C2300. They also claim it will quarantine a previously infected device that joins the network.

Securifi's Almond Routers Get Subscription-based IoT Device Security Service by Ganesh T S at AnandTech (Jan 4, 2017). A subscription-based cybersecurity thing for routers that focuses more on traffic rather than viruses. It claims to report on connected devices with ports open to the Internet (nothing new here) and/or weak login credentials. Also claims to analyze the traffic pattern of connected devices to ensure that popular IoT devices are communicating only with their vendors' servers. It should detect devices whose traffic pattern is indicative of being a botnet member. It can also monitor the websites browsed by selected devices (parents watching kids). My favorite feature: notifications when a new device joins your network. An issue with all these systems is data leakage and the article says: "It must be noted that some of the above captured data is stored in Securifi's servers because they need to send push notifications to the user's smartphone even if it is away from the primary network." After a free trial, price will be from $4 to $10/month.

Millions of Routers are about to Get a Lot More Secure, a press release (May 9, 2018). Many IoT devices lack basic security and privacy protection capabilities. F-Secure is trying to secure them by offering its F-Secure SENSE product directly to router makers and operators as software. They call it their Connected Home Security solution. It is said to integrate network and cloud security, router security and endpoint protection into a single experience for end users.

Minim, in their own words, "is an IoT platform that enables and secures a better connected home." They will offer an add-on to router firmware that they hope to get ISPs and router vendors to incorporate. Quoting again: "Minim's self-learning platform employs Quantum Fingerprinting and behavioral models to detect threats before they become problems." They are also partnering with IoT device manufacturers.

Dovado, a router manufacturer based in the United Arab Emirates, has integrated a SafeDNS filtering module in one of its routers.

For the most part, I avoid Parental Controls on this site, but what the heck. Netgear has partnered with Circle to include Circle's parental control software in some NETGEAR routers. Specifically, Circle is available in the Orbi line and 7 different Nighthawk routers (see here and here). You create profiles for each family member and then assign devices to each person. For free you can pause the Internet for specific people, filter what is and is not allowed and view a history of visited websites for each profile. Premium features cost $50/year (as of Jan. 2019) or $5/month. This lets you set time limits, create OffTimes when the Internet is blocked and offers more detailed usage statistics. Circle has to be activated first, then it is managed with a mobile app. They claim all data is kept locally, that nothing is sent back to Circle. It is also available as a stand-alone device. Jim Salter reviewed Circle for Ars Technica in July 2019.

Router/Network software

Assorted Resources


Page Created: March 29, 2015      
Last Updated: October 22, 2024 1AM CT