Ask Slashdot: Which Is the Safest Router?
MindPrison writes: As ashamed as I am to admit it -- a longtime computer user since the Commodore heydays, I've been hacked twice recently and that has seriously made me rethink my options for my safety and well-being. So, I ask you dear Slashdot users, from one fellow longtime Slashdotter to another: which is the best router for optimal safety today?
The safest router is... (Score:3, Insightful)
The unplugged one.
That's optimal safety, and minimal usability.
Your question is ill-defined anyways.
Re: The safest router is... (Score:4, Informative)
Re: The safest router is... (Score:5, Informative)
I like using Linux boxes with packet-forwarder turned on in the kernel, and using either IPTables or firewalld, depending on your flavor. I then use my "router" to serve me web content and handle my VPN for me while I'm away from home. Oh, and I would highly recommend something like this: tiny PC [solid-run.com] with multiple 1GB NIC ports, Wifi, BT, etc... so you can have a WAN and a LAN port. It is easier to configure it this way.
Re: The safest router is... (Score:5, Interesting)
A self made/installed Linux box is probably the least secure solution for most people. Unless you really know how to secure and lock down your Linux box AND keep it up to date on a weekly basis, your "router" is far from secure. There are few people who really know what they're doing in this domain. Just because you can't hack it, doesn't mean it's safe. Misconfiguration is the most common cause for security holes (do you really know each and every piece of software you have running on it, every kernel module, driver, server, etc?), but even if you do manage to lock it down, security vulnerabilities in Linux and other open source software that Linux uses are discovered all the time and need to be patched fast as scripts exploiting them come just as fast. It's a full time job to keep a Linux box secured on the open internet.
Re: The safest router is... (Score:5, Insightful)
OpenBSD not Linux (Score:5, Informative)
A self made/installed Linux box is probably the least secure solution for most people. Unless you really know how to secure and lock down your Linux box AND keep it up to date on a weekly basis, your "router" is far from secure. There are few people who really know what they're doing in this domain.
This is why OpenBSD was created. Out-of-the-box security, time between remote exploits measured in years, and a firewall is part of the default install. Yes, it still needs patches but one is starting from a far far better place than Linux.
Re:OpenBSD not Linux (Score:4, Insightful)
The Linux kernel is really just as secure as an OpenBSD kernel. You can also easily configure a distro with the exact same services and no more that would run on a default OpenBSD install.
As the GP pointed out, Linux distros need a bit of reconfiguration and expertise to do so. This is a common point of failure in the Linux based approach.
In contrast, OpenBSD's default configuration is minimal, just enough to do those core infrastructure systems like a router/firewall.
The problem is the human, not the kernel, which is why OpenBSD is often considered far superior for this specific task, a router/firewall. Few opportunities for human based errors.
Re: The safest router is... (Score:5, Funny)
Re: (Score:3)
Re: (Score:2)
And your own install of a typical linux distro running on generic hardware will actually have updates available and easily installable, the same can't be said of the ancient embedded linux found on a typical cheap router.
Re: (Score:3)
It's the days where it requires five minutes of work and you put in 0 that get you.
Re: The safest router is... (Score:4, Insightful)
I'm going to be blamed for any failures, including the failure to deliver a solution in a timely fashion.
Re: (Score:2)
Mikrotik are also offering SOHO routers loaded with features. One needs to know how to configure them though.
The hAP is a really neat box.
Re: (Score:3)
OpenWRT is great when paired with hardware which is supported well. But saying that OpenWRT installation "on any old router" will be secure is bullshit. Only a few routers are well supported by OpenWRT. Most of the routers are poorly supported - poorly as in no updates for ages, software not stable. How is this secure?
Re:The safest router is... (Score:4, Funny)
The unplugged one.
Not necessarily [amazon.com].
You should always follow safety practices appropriate for each type of tool.
Re: (Score:2)
The unplugged one.
Not necessarily [amazon.com].
You should always follow safety practices appropriate for each type of tool.
LMFAO.... More proof that even an unplugged router can cause serious pain and misery in the wrong hands.
Routers, firewalls, and IPS oh my (Score:4, Informative)
If all you need is a router there are plenty and they're mostly safe because they don't do much.
If you need a NAT gateway, Intrusion Protection System, etc. Now you're talking firewalls.
Firewalls are MUCH more difficult to get right.
Even Cisco just got dinged today (2018-05-17) for having a fixed-password backdoor in some
enterprise-level hardware.
If your goal is to spend less than $200 then you will not be getting anything worth describing
as "secure". Go to your nearest Walmart, Safeway, ACE, or whatever, and buy the feature
set you want, knowing you'll need to do regular firmware upgrades and these will always be
BEHIND the hacker curve. The companies selling "commodity" or "small business" products
don't do research to break their stuff. They just sell as cheaply as possible.
If your budget allows some latitude, check out the Juniper SRX series. They'll do what you
want and thus far are considered great.
If your budget is limitless, Palo Alto Networks or Fortigate.
Again - router just moves IP packets and this can be done by a cellphone running Android.
Firewall, however, includes inner/outer networks, NAT, forwarding rules, possibly packet inspection, and a higher layer of security.
Good luck! This is a quest LOTS of people are on!!
Ehud
Tucson AZ
Re: (Score:2)
Even Cisco just got dinged today (2018-05-17) for having a fixed-password backdoor in some enterprise-level hardware.
Software. Which Cisco found during its own internal audit.
Router? (Score:3)
Not trying to be overly pedantic here, but do you mean firewall? Routers aren't necessarily security devices.
Re: (Score:2)
Many routers let you add rules for various packet types and features, which can add security.
Re: (Score:3)
Re: (Score:3)
... which means the router has firewall capabilities.
In the same way as a shoe has mallet capabilities.
If you route UDP packets to 192.42.112.1/21 to a sink, or don't allow protocol 9 packets to traverse between internal and external networks, that adds security, but it does not make it a firewall.
Re: (Score:3)
Re: (Score:2)
And the whole thing about calling such cheap Internet NAT gateways, "routers", really needs to stop (not to mention when they're combined with 802.11 AP functionality). The vast majority of consumer ones can't even run a routing protocol, not even ancient RIP. Unless the user is an idiot and opens up incoming holes, they're almost good enough. Their vulnerabilities mostly lie in management weaknesses which allow them to be compr
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
A "secure" router won't help you. What does "hacked twice recently" actually mean?
Quite possibly this person means like the vulnerability in this router:
https://nakedsecurity.sophos.c... [sophos.com]
"We described a flaw that allowed attackers to force your router to open up its administration interface to the internet, something you would never normally do."
Port forward every port you need to attack the host on the inside and go for it.
Go Enterprise - Juniper SRX300 (Score:2)
Number one feature: No upnp available on the device
Re: (Score:3)
Can get one for $200 or less if you shop around
This is what I did, HOWEVER you are misrepresenting the cost as you must also get a license and a support contract to keep it up to date.
PEBCAK (Score:5, Informative)
A "secure" router won't help you. What does "hacked twice recently" actually mean?
Re:PEBCAK (Score:5, Insightful)
This is a critical question - in what way was your system compromised? What vulnerability was exploited that allowed someone to access your machine? No single firewall or router can prevent all forms of compromise.
Re: (Score:2)
Re: (Score:2)
Most likely they just got infected with some random malware...
Re:PEBCAK (Score:5, Informative)
How about you stop being pedantic on what the background information means, and either helpfully answer the (fairly easy to understand) question or decide you have nothing useful to add to the conversation and not try to. The people who think they are clever by second guessing Ask Slashdot questions get rather annoying in short order.
I actually came to this question with some amount of actual curiosity. I used to build Linux firewalls for small businesses. This was back before routers were appliances. When NAT was still "IP Masquerading" on Linux, and it was actually a dirty word because it let you "share" internet connections when the early cable modem providers wanted to sell you an IP address for every computer using the connection. I moved on to process control and automation work, project management, and then switched tracks into the Navy. What relevance is that? The point is, there are lots of people like me who had at one point been heavily invested in the current state of the art who, for some years, haven't had the time or resources to follow current best practices. Ask Slashdot questions like these are actually helpful to those of us who would like the benefit of the experience of those who are still up on the state of the art.
When you, and those like you, roll in with your clever meta-answers, it helps no one. You and (especially) the five moderators who upvoted your post as "informative" should hang your heads in collective shame.
Re:PEBCAK (Score:4, Insightful)
The answer is that the wrong question is being asked. Any other answer is less than helpful and may prompt the one asking the question to continue down the wrong road to solve this problem. The second part of the answer is to ask how this person was actually hacked. Very likely, he did some not-too smart thing and needs to stop doing that in order to solve his problem.
Re: (Score:3)
How about you stop being pedantic on what the background information means, and either helpfully answer the (fairly easy to understand) question or decide you have nothing useful to add to the conversation and not try to.
Actually he may be the only person so far who has something meaningful to add. *OMG I WAS HACKED HOW DO I STOP* is not a question that anyone can answer without further details. For all anyone knows every solution in this thread right now may have the same holes and present the same risk.
Asking someone to clarify a question is not about being pedantic. It's the common sense lacking in so many technical people who love jumping to solutions or conclusions without ever considering if the problem actually exist
Re:PEBCAK (Score:5, Informative)
While I appreciate your view, there are a few things you should be aware of:
This is Slashdot. Much of the original crowd is pedantic for a reason. The original poster is indeed asking about routers and some people have answered that question directly. Sexconker has identified, correctly, that Mindprison is wanting to not get hacked.
It is clear that Mindprison is under the impression that a secure "router" would help him not get hacked; however, if that is not what got Mindprison hacked, a more secure router will not help. Sexconker is trying to get to the root of the problem so that actual help can be delivered. Mindprison could buy a recommended router and STILL end up being hacked again. So how would just casually recommending a secure router help in this instance?
As numerous other folks have pointed out, a router is not defined strictly as a security device. Slashdot has many network and security engineers in its ranks. I am one of them. My first line of thought went exactly as Sexconker's did: How can I actually help this person when they did not fully and accurately, using technical language, explain their problem? So he asked a question that many of us were thinking. (I think Sexconker is a he, I am actually unsure and it really doesn't matter).
Denigrating him and the mods who modded him up (I was not one as I rarely read Slashdot while logged in anymore) is not terribly useful in this situation. To complicate matters even more, your minor tirade is actually an appropriate response sometimes, but this was not one of those times. Just keep reading other comments and you will still get the immediate type of response that you and Mindprison were looking for.
Honestly though, Mindprison should have responded to Sexconker's question because then, the actual problem could be identified and addressed.
Re:PEBCAK (Score:5, Informative)
Well, I guess I was a little tired, and provided too little information, but I can explain why I kept it short.
I talked to some of the security guys at work (I work at a HUGE world wide company, I can't disclose who for obvious reasons), and I told them a detailed story, which I didn't tell you.
They came to the conclusion that the root of my problems was that I used an unsafe router that has been infected, and that the attackers had most likely infected my router and somehow upgraded it with malicious firmware. Therefore they came to the conclusion that I should go and get a much safer router. So my first instinct, tired and a little stressed from it all - was to ask you. I'm not in my 20s anymore, and I'm not as up to code about the hacking possibilities and vulnerabilities as I once was rightfully for my time. Today, I know next to nothing compared to you guys.
The first time I got hacked:
Firefox 54: I was visiting a page to get some schematics for some home made remote control system, and I noticed that the browser had all of my CPU threads busy, and the computer became oddly sluggish. I had No-Script installed, ad-blocker and my windows 10 was up to shape with the latest defender database plus latest updates I could possibly download, I always update immediately when it suggests an update.
I immediately wanted to force stop Firefox so I went to the Task Bar and looked at the processes, oh my goodness - several instances of Firefox (hidden windows/popups that aren't immediately visible?) were running, and it was creating more as I watched. I ended up killing all processes, and ran anti malware software (well, Windows Defender with the latest definitions) and it came out clean, or so I thought.
Went to bed, and got woken up by my phone with several warnings from my various social media telling me that someone is posting from a different IP address than I normally used, I got out of bed and panicked.
I immediately changed ALL passwords to hideously long random letter passwords on ALL my services, and went for two factor-authentication on everything I could.
This stopped the attack on my personal accounts.
Thinking it all was over, and safe - 3 weeks went by, and all of a sudden when I was working with something on my Linux partition, the computer crashed hard, and it rarely ever does that.
After that crash, the BIOS (or boot menu) was completely garbled. Interestingly enough, so was the BIOS on my second computer, which was 10 years old, and my new work computer was only a few years old, but with relatively fresh installations of both Linux (on an M.2 NVMe storage) and Windows 10 on a normal SSD storage, totally separated from each other (well, needing 2 different boot menus to access each one).
I took a memdump of the entire bios, and found that the raw graphics area contained assembly code whereas it should be an image (you can look at the image with raw data image browser/raw graphics dump, it won't look like a clean image, but you can see that there is image data there).
What I did, is that I reflashed the BIOS with the help of a separate hardware switch (my mainboard has two BIOSes, totally hardware separated with a switch), and looking at the manufacturer's homepage, they already know that their BIOS had been compromised, so they provided a beta patch with ME microcode included as well.
I told this story to our security guys, and they said the same as someone else in this thread, someone thinks you have something to hide, and they're not script kiddies, you've been targeted - I suggest you start with a badass router, and take it from there, disable all server services in win 10 + remote services like remote registry etc.
I don't know that much about Windows 10. But that's all I know for now. Appreciate all the feedback, you wonderful Slashdotters!
Re: (Score:2)
Thanks! There are so many unanswered details about this "question" and the premise - all I need is a great router to be safe from hacking! - is obviously wrong on SO many levels.
Start digging around and he's a torrent tracker, running a web/mail/DNS server with convenient telnet access and all sorts of yummy customer data... LOL
(I don't know if that's what he's securing, or the nature of the "hacking", very good questions...)
BUT, the nature of the question remains good.
Based on the nature of Slashdot, we can assume his home network is already a little more sophisticated than the typical person who assumes WiFi=Internet, and if he's been online since the Commodore days (whether Amig
Ubiquiti EdgeRouter X (Score:5, Informative)
https://www.ubnt.com/edgemax/e... [ubnt.com]
Just a happy customer. Firewall, VLANs, scheduling, logging, etc. Can't beat the price either.
Re:Ubiquiti EdgeRouter X (Score:5, Informative)
Have several and do like them, but buyer beware that you actually need to configure it to be secure and it is just an iptables firewall. The Unifi Security Gateway is supposedly going to offer some intrusion protection services, but I am not aware of the details.
Re: (Score:2)
I meant to add that the UBNT community is full of people willing to help...perhaps the best asset.
Re: (Score:3)
You can get IPS/IDS on the Unifi USG / USG Pro if you run beta code. I've had that installed for quite a while with no problems at all. Throughput is decreased as it still disables hardware offload features, but it works fine. I believe it's Suricata based, and you can choose from quite a few lists.
Re: (Score:3)
The wizards just create a stateful firewall. Good starting point, but very basic... again in the perspective of buyer beware. There are likely a few "standard" firewall rules that could be added to further limit exposure, but it gets complicated quickly.
(The community is very active though and helpful.)
Re: (Score:2)
Re: Ubiquiti EdgeRouter X (Score:2)
Go USG, switch and access points and cloud controller. That's all Unifi, and is easy to set up and configure. EdgeRouter has more options but is less user friendly.
Unifi's real advantage is the access points, and configuration. They are slowly updating USG to Edge level of options.
Owner of edge router, usb8 150 w 1 indoor and 1 outdoor AP.
Re: (Score:3)
Re: (Score:2)
They're good for a few hundred megabits. I had one and it was great when I had a 100/20 connection.
I upgraded to 950/450 and it could only manage ~300Mbit.
Re: (Score:2)
Re: (Score:2)
I don't think I'd name that for "safest" in terms of security. I could be wrong, but I don't remember it having a whole lot of security features, e.g. web filtering, IPS, antivirus scanning.
Re: (Score:2)
If you're willing to learn how to configure a firewall, it's an excellent value.
Bonus: If you don't like EdgeOS/Vyatta-style configuration, or you simply prefer open source, you can install OpenWRT on this device [openwrt.org].
Re:UBNT is CRAP (Score:5, Informative)
UBNT routers and access points are crap. They are utterly dependent on their "central management" which you quite often do NOT want and which is dependent on their cloud services.
Don't spread FUD. You can run their management controller (which totally rocks by the way) on any Windows or Linux PC for free or on a small appliance they sell for less than $100. After you've configured them you never have to run the controller again unless you want to change something.
Re: (Score:3)
I can only imagine that you had a frustrating experience with one product and mistakenly assumed that all of the company's other products work the same way. My EdgeRouter works rather well, and has never required any centralized or cloud management of any kind. I usually manage it via ssh.
Safest Router. (Score:2, Interesting)
In my opinion the safest router is one that can continuously be updated with the latest patches. About a year ago I used an Ars Technica guide to building your own router (Link below). Ordered a very inexpensive mini PC from China with 4 1 Gigabit ports and put Ubuntu on it. You can set it up to auto update, but I do it manually. Every week I log in and Ubuntu tells me in the login if there are any updates, and if any are related to security.
Besides being a much better performing router with full firew
safest (Score:4, Insightful)
one to which you have the source code:
https://www.dd-wrt.com/site/index
Re:safest (Score:5, Informative)
one to which you have the source code:
https://www.dd-wrt.com/site/in... [dd-wrt.com]
This AC is exactly right actually. If you don't want to deal with some god awful proprietary firmware or go commercial grade, pick up a Netgear router with good hardware and load DD-WRT on it. Been using it for years and it is the best decision I ever made for my home setup.
Re: (Score:2)
I'm double NAT-ing/routing my kids' traffic (only way I can do any kind of traffic control to reserve me some bandwidth for my school work and job) with a Raspberry Pi running Raspbian, handles that load fine. Wonder when we'll see something similar meant for routing and wifi AP setup, etc.
If you don't care about power consumption, then an older PC and a few network cards and your preferred flavor of Linux or one of the BSDs.
In the meantime, double ++ to a decent piece of commodity hardware and a Free OS t
Re: (Score:2)
I think the Raspberry Pi is not a good option for most households because they are quite slow.
But double-NATing is the way to go. Two different physical routers from different companies.
Re: (Score:2)
I have an R7000. Avoid Netgear Nighthawks. Horrible firmware support. Just look on the Netgear forums. 3 and 4 year old bugs acknowledged and not fixed. Also DD-WRT, Tomato and OpenWRT will install and work. BUT at a huge performance hit. The USB3 port is a custom implementation so no support. Hardware acceleration is not supported so you only get 1/2 speed at best. If you are looking at a $100+ router. Look at Ubiquiti.
OPNsense (Score:5, Informative)
OPNsense, a fork of pfSense, which is a fork of m0n0wall. It is based on HardenedBSD, with a ton of additional security extensions not available in normal FreeBSD or pfSense.
But really, security isn't just one device. Secure ALL of your shit.
Re: (Score:3)
I'd concur with that. Go with a pf based solution if you can. You can search on Amazon or Ebay for "pfsense" and any number of cheap mini boxes will turn up.
What sort of CPU/RAM etc. you want is dependent on how many packets you are pushing in and out. You might want to buy with an eye to any possible increases in the number of th
What are the parameters for "safety"? (Score:2)
Google wifi (Score:5, Funny)
I chose it mainly for security. As a former Google engineer, I feel that Google's security expertise is top notch.
Re: Google wifi (Score:4, Funny)
Any router... (Score:5, Interesting)
Re: (Score:2)
linksys and 'mcdebian' (google it)
good stuff and pretty much, pure debian on a 'plastic router'.
after that, it's all up to you. but the guts are there and it's updatable more than most.
Re: (Score:2)
Been there done that. Unless you buy one or two specific models be prepared to lose tons of throughput. I was getting 1/3 the speed compared to the stock firmware.
Re: (Score:3)
Re: (Score:2)
I still have one of those old, coveted Linksys WRT54GL routers in a drawer somewhere, I wonder how much an enthusiast would pay for it today...
Not much, as it is trivial to go online and order a newer router that supports N and AC with 128 or 256MB of flash storage (vs the 32MB on the GL) and run modern releases of DD-WRT, vs needing to use the completely stripped down mini-releases to fit on 32MB.
How did you know (Score:2)
OpenBSD (Score:2)
The truth is, nothing is secure unless you can educate yourself a little bit. However, if time to do so is not a problem, the most secure device to remote hacking is probably something running OpenBSD on some single-core CPU ancient enough to be immune to stuff like the recently discovered spectre/meltdown vulnerabilities.
pfSense on WANBOX (Score:4, Interesting)
pfSense running on WANBOX [amzn.to]...
pfSense because it's open source and free and "just works". WANBOX, because it's reliable and supports AES-NI crypto onboard.
Netgate (Score:4, Informative)
A Netgate SG-1000 if you want a packaged solution;
https://www.netgate.com/soluti... [netgate.com]
Else load up pfSense on an old PC or search eBay for pfsense... You'll also find repurposed appliances from other people loaded with pfSense.
Ethernet (Score:3)
Then have a computer just for "internet" on it as the only computer on the network.
An OS some bookmarks and what apps are needed.
Have all long term data well away from any networked computer.
Find a fast router with a good CPU that can support the best VPN protection.
Make sure the loss of the VPN will not revert to any ISP ip.
Should any malware get into a computer, they get nothing. Some bookmarks, some productivity apps.
Everything can be restored and be back online quickly.
Stay away from wifi, big brand devices with "helpful" always on microphones, webcams.
It's a subjective question, but for home users... (Score:2)
It depends on your needs and your budget. If you're a typical home user that doesn't have people specifically targeting them then your needs are very different than a corporate executive who is regularly hit with espionage attempts.
I'll answer for a typical home user: Turris Omnia [turris.cz]. It's a bit pricey ($339 on Amazon [amazon.com]), but it runs a modified version of OpenWRT. It's easy-to-use, reasonably powerful in terms of features and capabilities, and is updated frequently.
Barking up the wrong tree? (Score:5, Interesting)
Unless you are talking about your netgear or dlink box getting back doored, I think you are looking in the wrong places.
Any NAT device is sufficient.
Patch all your stuff
Don't download crap
Don't execute the crap you download
Don't play web games
Don't use internet explorer
uninstall flash
uninstall java
If you are really looking for a good firewall, go grab a little pfsense box from netgate. But I think you have many other places to look at first.
NAT != firewall (Score:3)
Re: (Score:2)
Technically it doesn't explicitly "deny" incoming traffic, the inbound traffic is addressed to the gateway and it doesn't know which (if any) of the machines behind to forward it to.
It's not intentionally denying incoming traffic, just that incoming traffic is broken due to nat.
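The distinction made in the comment above (a NAT gateway drops unsolicited inbound packets only because it holds no mapping for them, not because a rule denies them), shown as an added example that is not part of the original thread. It is a toy Python model of a NAPT gateway; the class and method names and the sample addresses are constructed for illustration, and the two filtering modes are the behaviours named in RFC 4787.

```python
"""Toy model of a home NAPT gateway: what arrives on the WAN side and why."""
from dataclasses import dataclass, field
from enum import Enum


class Filtering(Enum):
    # Filtering behaviours as named in RFC 4787 (NAT behavioural requirements).
    ENDPOINT_INDEPENDENT = "endpoint-independent"
    ADDRESS_AND_PORT_DEPENDENT = "address-and-port-dependent"


@dataclass
class NatGateway:
    wan_ip: str
    filtering: Filtering = Filtering.ADDRESS_AND_PORT_DEPENDENT
    next_port: int = 40000
    # wan_port -> (lan_ip, lan_port)
    mappings: dict = field(default_factory=dict)
    # wan_port -> {(remote_ip, remote_port)} that the LAN host has contacted
    peers: dict = field(default_factory=dict)
    # wan_ports opened by a static port forward or a UPnP request
    forwards: set = field(default_factory=set)

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host sends a packet out: create or reuse a dynamic mapping."""
        for wan_port, inside in self.mappings.items():
            if inside == (lan_ip, lan_port) and wan_port not in self.forwards:
                break
        else:
            wan_port = self.next_port
            self.next_port += 1
            self.mappings[wan_port] = (lan_ip, lan_port)
        self.peers.setdefault(wan_port, set()).add((remote_ip, remote_port))
        return wan_port

    def port_forward(self, wan_port, lan_ip, lan_port):
        """A static forward (or UPnP mapping) is an explicit inbound allow."""
        self.mappings[wan_port] = (lan_ip, lan_port)
        self.forwards.add(wan_port)

    def inbound(self, remote_ip, remote_port, wan_port):
        """Return (verdict, reason) for a packet arriving on the WAN side."""
        inside = self.mappings.get(wan_port)
        if inside is None:
            # Nothing "denied" this packet: there is simply nowhere to send it.
            return ("dropped", "no mapping, gateway has no LAN host to deliver to")
        if wan_port in self.forwards:
            return ("delivered", f"port forward to {inside[0]}:{inside[1]}")
        if self.filtering is Filtering.ENDPOINT_INDEPENDENT:
            return ("delivered", "mapping exists and the sender is not checked")
        if (remote_ip, remote_port) in self.peers.get(wan_port, set()):
            return ("delivered", "reply from a peer the LAN host contacted")
        return ("dropped", "mapping exists but this sender was never contacted")

    def exposed_ports(self):
        """WAN ports an arbitrary internet host can reach right now."""
        if self.filtering is Filtering.ENDPOINT_INDEPENDENT:
            return sorted(self.mappings)
        return sorted(self.forwards)


if __name__ == "__main__":
    # Constructed sample traffic using documentation address ranges.
    gw = NatGateway("203.0.113.10")
    port = gw.outbound("10.0.0.5", 51000, "198.51.100.7", 443)
    print(gw.inbound("198.51.100.7", 443, port))   # reply to our own request
    print(gw.inbound("192.0.2.66", 4444, port))    # stranger hits the mapping
    print(gw.inbound("192.0.2.66", 4444, 23))      # stranger hits unmapped port
    gw.port_forward(8080, "10.0.0.9", 80)          # e.g. a UPnP-created mapping
    print(gw.inbound("192.0.2.66", 4444, 8080))    # now delivered to the LAN
    print("exposed:", gw.exposed_ports())
```

Reviewing the equivalent of `exposed_ports()` on a real gateway (its port-forward and UPnP mapping tables) is the practical check this model points to.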
Re: (Score:3, Insightful)
Roll your own (Score:2)
I use a cheap Pentium motherboard (also low power), and a quad intel Ethernet card (a used PRO/1000 for ~$50). It has all the bells and whistles of commercial units (captive portal, easy web ui, etc), but has the advantage of being based on FreeBSD.
https://www.pfsense.org/ [pfsense.org]
If you were to prefer Linux, it would be possible to use openwrt instead.
Re: (Score:2)
I use a cheap Pentium motherboard (also low power)
The first Pentiums were nicknamed "Coffee Warmers" for good reason.
Heard good things about Cisco lately (Score:4, Funny)
Went with Google WiFi for security reason (Score:3)
The safest Router is (Score:2)
A Safer Solution (Score:2)
Everybody has a different set of principles by which they judge a gateway router...but here's an approach I recommend. Insofar as I know, it's damned hard to "beat" this solution, unless the invader is able to modify the routers' own firmware:
In a solution I call "Friday's Folly," I use TWO cascaded routers: The first is in my ISP's connection equipment, which has its own configuration. I use that to assign a distinct and unique IP address range (don't use 192.168....; it's too often used for novices, s
Re: (Score:2)
The SECOND cascaded router has, on its input side, an incoming address (as odd-looking as possible within the first router's LAN range). On the other side (multiple outlets for the LAN), I use a completely different IP Address range, picked almost at random. It is that range (which is masked down to just a small range) to access the protected LAN resources.
Why would any hacker/cracker want to work so long to get inside the LAN; he(/she) would have to find a way to "probe" for the valid ranges inside the cascaded routers. At that point, I make the choice to install routers for which any signal on the WAN side can't be used to configure the router...therefore, its configuration is withheld from all but qualified parties on the INSIDE of the network, on the LAN.
Anybody figured out how, with a $20 second router in place, that cascaded router scheme can be easily hacked? The goal was to make the solution so cumbersome (from the WAN side), that they'll go try to invade some other, simpler, less well protected target.
I got to do a fair bit of locksmithing over the years, and most of today's attacks against residential broadband networks are likely to be script kiddies (ie. crackheads looking for unlocked car doors); maybe the occasional slim-jim attack to get at the coins you keep in your car's console.
Don't leave any coins in your console - yeah, I know they're convenient for tollbooths. And anything you do that makes your network harder to hit than the average Comcast user running Windows 7 and a million WiFi devices
Re: (Score:3)
That's the thing... The security guys I talked to at work think I've been targeted by anything else than script kiddies, they mention that I've just been unfortunate to be attacked, someone out there thinks I've got something serious to hide, and they've tried LONG to get to it, so the better you're at "hiding" whatever you're hiding, the more interest you're gonna attract.
So I'm thinking - maybe I should just let the damn fools in :/
Anyway, I realize that my information was a bit sparse, so I'm reposti
Any BSD box (Score:2)
A plain PC with two interfaces running a Linux or BSD system will do the job fine. And since it was not cited yet here, NetBSD can run that as free as secure as the other ones.
A disadvantage (or advantage, YMMV) is that it requires learning some bits of Unix system administration.
Olde school... (Score:2)
Dual ethernet cards/firewall and SAMBA stood up to all but the inside attack
Maybe someone could update current configuration to today
Re: (Score:2)
Dual ethernet cards/firewall and SAMBA stood up to all but the inside attack
Maybe someone could update current configuration to today
Samba is an amazing piece of software, especially since the project has had to do so much to reverse-engineer a secret language. But making Unix talk to Windows is like making a PhD in Linguistics learn to say "Goo-goo-gah-gah baby want a rattle?". So sad that the world is full of babies.
Apple Airport (Score:3)
I've had Apple Airports up and running, more than a dozen, since they first came out with newer ones over the years. Never had a problem. Excellent security. The fact that they are no longer being sold just means the price is cheaper - they're still excellent hardware and software.
OpenWRT on Turris Omnia (Score:4, Insightful)
Turris MOX is an upcoming project that will make it even easier.
This question exposes the real issue! (Score:2)
It is not the fault of the user, since it is the vendors putting the devices out there for all. And not everyone is up to the job of properly managing their devices. It also does not help when vendors put inferior products out there, don't provide updates, etc. The normal user does not know or hav
OpenWRT/LEDE (Score:5, Informative)
My main router was a Netgear running OpenWRT [openwrt.org] for years. They lagged behind in updates. Another group picked up where they left, and started the LEDE Project. Now the two projects have merged again.
They provide updates regularly now, and it is very customizable.
Highly recommended. Just pick a router that is explicitly supported.
openbsd (Score:2)
But there might be better solutions depending on your use case... like are you using WiFi, etc.. but from security standpoint I would go OpenBSD any day.
Also... it's very lightweight, you can run it on almost anything.
Re: (Score:2, Funny)
The Russians are the experts in this. I'd buy one from them.
Re: (Score:2)
Re: (Score:2)
You can run OpenBSD on an Ubiquiti EdgeRouter (fanless, SSD). Maybe not necessary, but gives you some more features and options. No hardening required. Simple updates via a cron job.
Re: A faraday cage. (Score:2)
Re: (Score:2)
Oh man you're living in the past, that's an answer for 18 years ago
OpenBSD doesn't run on 32 bit Sparc any more, only UltraSparc (64 bit)