Follow Slashdot stories on Twitter


Forgot your password?
Wireless Networking Network Networking Privacy Security Technology

Ask Slashdot: Which Is the Safest Router? 385

MindPrison writes: As ashamed as I am to admit it -- a longtime computer user since the Commodore heydays, I've been hacked twice recently and that has seriously made me rethink my options for my safety and well-being. So, I ask you dear Slashdot users, from one fellow longtime Slashdotter to another: which is the best router for optimal safety today?

Ask Slashdot: Which Is the Safest Router?

Comments Filter:
  • by Anonymous Coward on Thursday May 17, 2018 @06:52PM (#56629550)

    The unplugged one.
    That's optimal safety, and minimal usability.
    Your question is ill-defined anyways.

    • by benedictaddis ( 1472927 ) on Thursday May 17, 2018 @06:56PM (#56629574)
      I like Draytek routers. They have decent security and get updates for years, at a price thatâ(TM)s not cheap but not crazy either. If cost is an issue, install OpenWRT on any old router.
      • by saloomy ( 2817221 ) on Thursday May 17, 2018 @07:14PM (#56629674)

        I like using Linux boxes with packet-forwarder turned on in the kernel, and using either IPTables or firewalld, depending on your flavor. I then use my "router" to serve me web content and handle my VPN for me while I'm away from home. Oh, and I would highly recommend something like this: tiny PC [] with multiple 1GB NIC ports, Wifi, BT, etc... so you can have a WAN and a LAN port. It is easier to configure it this way.

        • by misnohmer ( 1636461 ) on Thursday May 17, 2018 @07:59PM (#56629882)

          A self made/installed Linux box probably the least secure solution for most people. Unless you really know how to secure and lock down your Linux box AND keep it up to date on weekly basis, your "router" is far from secure. There are few people who really know what they're doing in this domain. Just because you can't hack it, doesn't mean it's safe. Misconfiguration is the most common cause for security holes (do you really know each and every piece of software you have running on it, every kernel module, driver, server, etc?), but even if you do manage to lock it down, security vulnerabilities in Linux and other open source software that Linux uses are discovered all the time and need to be patched fast as scripts exploiting them come just as fast. It's a full time job to keep a Linux box secured on the open internet.

          • by WindBourne ( 631190 ) on Thursday May 17, 2018 @08:13PM (#56629942) Journal
            Wrong. Worst would be any windows solutions. Linux starts in a fairly secure and most are minimalist fashion. However, misconfigure and behind on updates can change that quickly. Just like on any router.
          • OpenBSD not Linux (Score:5, Informative)

            by drnb ( 2434720 ) on Thursday May 17, 2018 @08:19PM (#56629960)

            A self made/installed Linux box probably the least secure solution for most people. Unless you really know how to secure and lock down your Linux box AND keep it up to date on weekly basis, your "router" is far from secure. There are few people who really know what they're doing in this domain.

            This is why OpenBSD was created. Out-of-the-box security, time between remote exploits measured in years, and a firewall is part of the default install. Yes, it still needs patches but one is starting from a far far better place than Linux.

          • by arglebargle_xiv ( 2212710 ) on Friday May 18, 2018 @12:53AM (#56630930)
            It's a bit of a personal-taste thing, but I rather like my Bosch 1617EV. I've also heard good things about the Porter-Cable 690LR. Neither have ever been hacked, to the best of my knowledge.
          • If you want to use a self-made box, a much better idea is to run software that is dedicated to being a router such as pfSense or OPNsense (a fork of pfSense; both are forks of the now-unsupported m0n0wall). They're based on FreeBSD. Either of those should be as secure as any of the open source software for dedicated router hardware (DD-WRT, OpenWRT, Tomato, etc) and will have more features. They're both fully open source. The companies that develop them make money by selling support contracts and pre-config
      • Mikrotik are also offering SOHO routers loaded with features. One needs to know how to configure them though.
        The hAP is a really neat box.

      • OpenWRT is great when paired with hardware which is supported well. But saying that OpenWRT installation "on any old router" will be secure is bullshit. Only few routers are well supported by OpenWRT. Most of the routers are poorly supported - poorly as in no updates for ages, software no stable. How this is secure?

    • by Waffle Iron ( 339739 ) on Thursday May 17, 2018 @08:03PM (#56629898)

      The unplugged one.

      Not necessarily [].

      You should always follow safety practices appropriate for each type of tool.

      • The unplugged one.

        Not necessarily [].

        You should always follow safety practices appropriate for each type of tool.

        LMFAO.... More proof that even an unplugged router can cause serious pain and misery in the wrong hands.

    • by gavron ( 1300111 ) on Thursday May 17, 2018 @08:26PM (#56629976)

      If all you need is a router there are plenty and they're mostly safe because they don't do much.
      If you need a NAT gateway, Intrusion Protection System, etc. Now you're talking firewalls.
      Firewalls are MUCH more difficult to get right.

      Even Cisco just got dinged today (2018-05-17) for having a fixed-password backdoor in some
      enterprise-level hardware.

      If your goal is to spend less than $200 then you will not be getting anything worth describing
      as "secure". Go to your nearest Walmart, Safeway, ACE, or whatever, and buy the feature
      set you want, knowing you'll need to do regular firmware upgrades and these will always be
      BEHIND the hacker curve. The companies selling "commodity" or "small business" products
      don't do research to break their stuff. They just sell as cheaply as possible.

      If your budget allows some latitude, check out the Juniper SRX series. They'll do what you
      want and thus far are considered great.

      If your budget is limitless, Palo Alto Networks or Fortigate.

      Again - router just moves IP packets and this can be done by a cellphone running Android.
      Firewall, however, includes inner/outer networks, NAT, forwarding rules, possibly packet inspection, and a higher layer of security.

      Good luck! This is a quest LOTS of people are on!!

      Tucson AZ

      • by jon3k ( 691256 )

        Even Cisco just got dinged today (2018-05-17) for having a fixed-password backdoor in some enterprise-level hardware.

        Software. Which Cisco found during it's own internal audit.

  • by Scutter ( 18425 ) on Thursday May 17, 2018 @06:53PM (#56629556) Journal

    Not trying to be overly pedantic here, but do you mean firewall? Routers aren't necessarily security devices.

    • by arth1 ( 260657 )

      Many routers let you add rules for various packet types and features, which can add security.

    • Not trying to be overly pedantic here, but wtf does OP mean in the first place by "I've been hacked twice"? Someone accessed one of his machines (the Commodore?) on the inside of his firewall through a regular ISP connection? Did someone "hack" into his Nest thermostat? If you don't understand basic equipment and security, I'm guessing you didn't find out you were "hacked" through a routine audit.
      • by msauve ( 701917 )
        Yep, although he certainly doesn't have a firewall - just a cheap NAT gateway.

        And the whole thing about calling such cheap Internet NAT gateways, "routers", really needs to stop (not to mention when they're combined with 802.11 AP functionality). The vast majority of consumer ones can't even run a routing protocol, not even ancient RIP. Unless the user is an idiot and opens up incoming holes, they're almost good enough. Their vulnerabilities mostly lie in management weaknesses which allow them to be compr
        • by jon3k ( 691256 )
          If it's moving packets between networks it's a router. If it does NAT as well it's doing more than a router is required to do to be called a router. Running a dynamic routing protocol isn't a requirement for being a router, that's why static routes exist.
          • by msauve ( 701917 )
            You're being (less than) pedantic. If you really want to be pedantic with regards to IP, it's a gateway. In practice, it's neither a router nor a gateway in correct, modern terms.
    • A "secure" router won't help you. What does "hacked twice recently" actually mean?

      Quite possibly this person means like the vulnerability in this router:
      https://nakedsecurity.sophos.c... []

      "We described a flaw that allowed attackers to force your router to open up its administration interface to the internet, something you would never normally do."
      Port forward every port you need to attack the host on the inside and go for it.

  • Can get one for $200 or less if you shop around

    Number one feature: No upnp available on the device
    • by Kenja ( 541830 )

      Can get one for $200 or less if you shop around

      This is what I did, HOWEVER you are miss-representing the cost as you must also get a license and a support contract to keep it up to date.

  • PEBCAK (Score:5, Informative)

    by sexconker ( 1179573 ) on Thursday May 17, 2018 @06:54PM (#56629564)

    A "secure" router won't help you. What does "hacked twice recently" actually mean?

    • Re:PEBCAK (Score:5, Insightful)

      by Anonymous Coward on Thursday May 17, 2018 @07:01PM (#56629606)

      This is a critical question - in what way was your system compromised? What vulnerability was exploited that allowed someone to access your machine? No single firewall or router can prevent all forms of compromise.

    • I also find it hard to believe just any person would get hacked. Is this actually a common thing, that an anonymous individual would have a high speed internet connection with a proper firewall not open to vulnerable software would get 'hacked' on multiple occasions? Perhaps there is something about this person that is making them a target, and the solution is to stop doing that. If you have ports open, take a good look at the software. Use non-standard ports if you have to. That kind of thing.
    • Re:PEBCAK (Score:5, Informative)

      by Excelcia ( 906188 ) <> on Thursday May 17, 2018 @11:06PM (#56630492) Homepage Journal

      How about you stop being pedantic on what the background information means, and either helpfully answer the (fairly easy to understand) question or decide you have nothing useful to add to the conversation and not try to. The people who think they are clever by second guessing Ask Slashdot questions get rather annoying in short order.

      I actually came to this question with some amount of actual curiosity. I used to build Linux firewalls for small businesses. This was back before routers were appliances. When NAT was still "IP Masquerading" on Linux, and it was actually a dirty word because it let you "share" internet connections when the early cable modem providers wanted to sell you an IP address for every computer using the connection. I moved on to process control and automation work, project management, and then switched tracks into the Navy. What relevance is that? The point is, there are lots of people like me who had at one point been heavily invested in the current state of the art who, for some years, haven't had the time or resources to follow current best practices. Ask Slashdot questions like these are actually helpful to those of us who would like the benefit of the experience of those who are still up on the state of the art.

      When you, and those like you, roll in with your clever meta-answers, it helps no one. You and (especially) the five moderators who upvoted your post as "informative" should hang your heads in collective shame.

      • Re:PEBCAK (Score:4, Insightful)

        by gweihir ( 88907 ) on Friday May 18, 2018 @12:48AM (#56630912)

        The answer is that the wrong question is being asked. Any other answer is less than helpful and may prompt the one asking the question to continue down the wrong road to solve this problem. The second part of the answer is to ask how this person was actually hacked. Very likely, he did some not-too smart thing and needs to stop doing that in order to solve his problem.

      • How about you stop being pedantic on what the background information means, and either helpfully answer the (fairly easy to understand) question or decide you have nothing useful to add to the conversation and not try to.

        Actually he may be the only person so far who has something meaningful to add. *OMG I WAS HACKED HOW DO I STOP* is not an question that anyone can answer without further details. For all anyone knows every solution in this thread right now may have the same holes and present the same risk.

        Asking someone to clarify a question is not about being pedantic. Its the common sense lacking in so many technical people who love jumping to solutions or conclusions without ever considering if the problem actually exist

      • Re:PEBCAK (Score:5, Informative)

        by strikethree ( 811449 ) on Friday May 18, 2018 @10:46AM (#56632952) Journal

        While I appreciate your view, there are a few thigns you should be aware of:

        This is Slashdot. Much of the original crowd is pedantic for a reason. The original poster is indeed asking about routers and some people have answered that question directly. Sexconker has identified, correctly, that Mindprison is wanting to not get hacked.

        It is clear that Mindprison is under the impression that a secure "router" would help him not get hacked; however, if that it not what got Mindprison hacked, a more secure router will not help. Sexconker is trying to get to the root of the problem so that actual help can be delivered. Mindprison could buy a recommended router and STILL end up being hacked again. So how would just casually recommending a secure router help in this instance?

        As numerous other folks have pointed out, a router is not defined strictly as a security device. Slashdot has many network and security engineers in its ranks. I am one of them. My first line of thought went exactly as Sexconker's did: How can I actually help this person when they did not fully and accurately, using technical language, explain their problem? So he asked a question that many of us were thinking. (I think Sexconker is a he, I am actually unsure and it really doesn't matter).

        Denigrating him and the mods who modded him up (I was not one as I rarely read Slashdot while logged in anymore) is not terribly useful in this situation. To complicate matters even more, your minor tirade is actually an appropriate response sometimes, but this was not one of those times. Just keep reading other comments and you will still get the immediate type of response that you and Mindprison were looking for.

        Honestly though, Mindprison should have responded to Sexconker's question because then, the actual problem could be identified and addressed.

    • Re:PEBCAK (Score:5, Informative)

      by MindPrison ( 864299 ) on Friday May 18, 2018 @11:19AM (#56633186) Journal

      Well, I guess I was a little tired, and provided too little information, but I can explain why I kept it short.

      I talked to some of the security guys at work (I work at a HUGE world wide company, I can't disclose who for obvious reasons), and I told them a detailed story, which I didn't tell you.

      They came to the conclusion that the root of my problems was that I used an unsafe router that has been infected, and that the attackers had most likely infected my router and somehow upgraded it with malicious firmware. Therefor they came to the conclusion that I should go and get a much safer router. So my first instinct, tired and a little stressed from it all - was to ask you. I'm not in my 20s anymore, and I'm not as up to code about the hacking possibilities and vulnerabilities as I once was rightfully for my time. Today, I know next to nothing compared to you guys.

      The first time I got hacked:

      Firefox 54: I was visiting a page to get some schematics for some home made remote control system, and I noticed that the browser had all of my CPU threads busy, and the computer became oddly sluggish. I had No-Script installed, ad-blocker and my windows 10 was up to shape with the latest defender database plus latest updates I could possibly download, I always update immediately when it suggests an update.

      I immediately wanted to force stop Firefox so I went to the Task Bar and looked at the processes, oh my goodness - several instances of firefox (hidden windows /popups that aren't immediately visible?) was running, and it was creating more as I watched. I ended up killing all processes, and ran anti malware software (well, windows defender with the latest definitions) and it came out clean, or so I thought.

      Went to bed, and got woken up by my phone with several warnings from my various social media telling me that someone is posting from a different IP address than I normally used, I got out of bed and panicked.

      I immediately changed ALL passwords to hideously long random letter passwords on ALL my services, and went for two factor-authentication on everything I could.

      This stopped the attack on my personal accounts.

      Thinking it all was over, and safe - 3 weeks went by, and all of a sudden when I was working with something on my Linux partition, the computer crashed hard, and it rarely ever does that.

      After that crash, the Bios (or boot menu) was completely garbled. Interestingly enough, so was the bios on my second computer, which was 10 years old, and my new work computer was only a few years old, but with relatively fresh installations of both Linux (on an M.2. NVMe storage) and Windows 10 on an normal SSD storage, totally separated from each other (well, needing 2 different boot menues to access each one).

      I took a memdump of the entire bios, and found that the raw graphics area contained assembly code whereas it should be an image (you can look at the image with raw data image browser/raw graphics dump, it won't look like a clean image, but you can see that there is image data there).

      What I did, is that I reflashed the bios with the help of a separate hardware switch (my mainboard has two bioses, totally hardware separated with a switch), and looking at the manufacturers homepage, they already know that their bios had been comprimised, so they provided a beta patch with ME microcode included as well.

      I told this story to our security guys, and they said the same as someone else in this thread, someone thinks you have something to hide, and they're not script kiddies, you've been targeted - I suggest you start with a badass router, and take it from there, disable all server services in win 10 + remote services like remote registry etc.

      I don't know that much about windows 10. But that's all I know for now. Appreciate all the feedback , you wonderful Slashdotters!

  • by thebes ( 663586 ) on Thursday May 17, 2018 @06:57PM (#56629580) []

    Just a happy customer. Firewall, VLANs, scheduling, logging, etc. Can't beat the price either.

    • by aaarrrgggh ( 9205 ) on Thursday May 17, 2018 @07:11PM (#56629654)

      Have several and do like them, but buyer beware that you actually need to configure it to be secure and it is just an iptables firewall. The Unifi Security Gateway is supposedly going to offer some intrusion protection services, but I am not aware of the details.

      • by thebes ( 663586 )

        I meant to add that the UBNT community is full of people willing to help...perhaps the best asset.

      • by aaronl ( 43811 )

        You can get IPS/IDS on the Unifi USG / USG Pro if you run beta code. I've had that installed for quite a while with no problems at all. Throughput is decreased as it still disable hardware offload features, but it works fine. I believe it's Suricata based, and you can choose from quite a few lists.

    • by imidan ( 559239 )
      This is the brand I'd like to go for when I replace my current setup (Apple Airport Express). I haven't done enough research on them yet, but my impression is that Ubiquiti could be a great replacement.
      • Go usg, switch and access points and cloud controller That's all unifi, and is easy to setup and configure. Edgerouter has more options but less user friendly.

        Unifis real advantage is the access points, and configuration. They are slowly updating usg to edge level of options.

        Owner of edge router, usb8 150 w 1 indoor and 1. Outdoor AP.

        • A USG is actually an EdgeRouter with extra code to interface with the UniFi controller. It can still be configured [] the way the EdgeRouter is. The beauty of the UniFi controller is having the most commonly accessed areas at a glance. And you don't have to leave it running unless you are utilizing guest services [] ( and who doesn't want to be able to set their WiFi up to accept payment from the family/friends when they come over? ). You can even run it from a Raspberry Pi.
    • They're good for a few hundred megabits. I had one at it was great when I had a 100/20 connections.
      I upgraded to 950/450 and it could only manage ~300Mbit.

      • by jon3k ( 691256 )
        I'd recommend an EdgeRouter PoE. That's what I'm using now and my speedtests on my 1Gb fiber are >900Mb/s.
    • I don't think I'd name that for "safest" in terms of security. I could be wrong, but I don't remember it having a whole lot of security features, e.g. web filtering, IPS, antivirus scanning.

    • by Foresto ( 127767 )

      If you're willing to learn how to configure a firewall, it's an excellent value.

      Bonus: If you don't like EdgeOS/Vyatta-style configuration, or you simply prefer open source, you can install OpenWRT on this device [].

  • Safest Router. (Score:2, Interesting)

    by Anonymous Coward

    In my opinion the safest router is one that can continuously be updated with the latest patches. About a year ago I used an ARS Technica guide to building your own router (Link below). Ordered a very inexpensive mini PC from china with 4 1 Gigabit ports and put Umbuntu on it. You can set it up to auto update, but I do it manually. Every week I log in and Ubuntu tells me in the login if there are any updates, and if any are related to security.

    Besides being a much better performing router with full firew

  • safest (Score:4, Insightful)

    by Anonymous Coward on Thursday May 17, 2018 @06:58PM (#56629596)

    one to which you have the source code:

    • Re:safest (Score:5, Informative)

      by Zmobie ( 2478450 ) on Thursday May 17, 2018 @07:30PM (#56629750)

      one to which you have the source code: []

      This AC is exactly right actually. If you don't want to deal with some god awful proprietary firmware or go commercial grade, pick up a Netgear router with good hardware and load DD-WRT on it. Been using it for years and it is the best decision I ever made for my home setup.

      • I'm double NAT-ing/routing my kids traffic (only way I can do any kind of traffic control to reserve me some bandwidth for my school work and job) with a Raspberry Pi running Raspbian, handles that load fine. Wonder when we'll see something similar meant for routing and wifi AP setup, etc.

        If you don't care about power consumption, then an older PC and a few network cards and your preferred flavor of Linux or one of the BSDs.

        In the mean time, double ++ to a decent piece of commodity hardware and a Free OS t

        • I think the raspberry PI is not a good option for most households because they are quite slow.

          But double-NATing is the way to go. Two different physical routers from different companies.

      • I have a R7000. Avoid Netgear Nighthawks. Horrible firmware support. Just look on the Netgear forums. 3 and 4 year old bugs acknowledged and not fixed. Also DD-WRT, Tomato and Open WRT will install and work. BUT at a huge performance hit. The USB3 port is a custom implementation so no support. Hardware acceleration is not supported so you only get 1/2 speed at best. If you are looking at a $100+ router. Look at Ubiquity.

  • OPNsense (Score:5, Informative)

    by darkain ( 749283 ) on Thursday May 17, 2018 @06:59PM (#56629598) Homepage

    OPNsense, a fork of pfSense, which is a fork of m0n0wall. It is based on Hardended BSD, with a ton of additional security extensions not available in normal FreeBSD or pfSense.

    But really, security isn't just one device. Secure ALL of your shit.

    • OPNsense, a fork of pfSense, which is a fork of m0n0wall. It is based on Hardended BSD, with a ton of additional security extensions not available in normal FreeBSD or pfSense.

      I'd concur with that. Go with a pf based solution if you can. You can search on Amazon or Ebay for "pfsense" and any number of cheap mini boxes will turn up.

      What sort of CPU/RAM etc. you want is dependent on how many packets you are pushing in and out. You might want to buy with an eye to any possible increases in the number of th

  • Does safety mean that you can trust the code in the router or does safety mean performance of router to defend against attacks because those are different requirements. If code trust is more important, I would recommend any router that you can replace the firmware with open source firmware like DD-WRT or Tomato. For performance, I don't know of any comparisons published on different models of routers.
  • Google wifi (Score:5, Funny)

    by buck68 ( 40037 ) on Thursday May 17, 2018 @07:05PM (#56629620) Homepage

    I chose it mainly for security. As a former Google engineer, I feel that Google's security expertise is top notch.

  • Any router... (Score:5, Interesting)

    by hcs_$reboot ( 1536101 ) on Thursday May 17, 2018 @07:08PM (#56629634) long as you put OpenWrt on it.
    • linksys and 'mcdebian' (google it)

      good stuff and pretty much, pure debian on a 'plastic router'.

      after that, its all up to you. but the guts are there and its updatable more than most.

    • Been there done that. Unless you buy one or two specific models be prepared to lose tons of throughput. I was getting 1/3 the speed compared to the stock firmware.

      • OpenWRT used to discourage people to install on newer dual-chip routers, and indeed the bw was lower. But LEDE (the new OpenWRT) did amazing progress in this regard. Try it.
  • I am also networking and programming savvy but I always assumed good hacking jobs would go unnoticed. What tipped you off to being hacked and do you allow admin login to your router from the wan side? I'm generally aware that is the most likely attack vector. Thanks for any info.
  • The truth is, nothing is secure unless you can educate yourself a little bit. However, if time to do so is not a problem, the most secure device to remote hacking is probably something running OpenBSD on some single-core CPU ancient enough to be immune to stuff like the recently discovered spectre/meltdown vulnerabilities.

  • pfSense on WANBOX (Score:4, Interesting)

    by MikeDataLink ( 536925 ) < minus cat> on Thursday May 17, 2018 @07:24PM (#56629720) Homepage Journal

    pfSense running on WANBOX []...

    pfSense because its open source and free and "just works". WANBOX, because its reliable and supports AES-NI crypto onboard.

  • Netgate (Score:4, Informative)

    by bferrell ( 253291 ) on Thursday May 17, 2018 @07:29PM (#56629744) Homepage Journal

    A Netgate SG-1000 if you want a packaged solution; []

    Else load up PfSense on an old PC or search ebay for pfsense... You'll find also repurposed appliance from other people loaded with PfSense.

  • by AHuxley ( 892839 ) on Thursday May 17, 2018 @07:30PM (#56629746) Journal
    Fast so it can support a quality VPN.
    Then have a computer just for "internet" on it as the only computer on the network.
    An OS some bookmarks and what apps are needed.
    Have all long term data well away from any networked computer.
    Find a fast router with a good CPU that can support the best VPN protection.
    Make sure the loss of the VPN will not revert to any ISP ip.
    Should any malware get into a computer, they get nothing. Some bookmarks, some productivity apps.
    Everything can be restored and be back online quickly.
    Stay away from wifi, big brand devices with "helpful" always on microphones, webcams.
  • It depends on your needs and your budget. If you're a typical home user that doesn't have people specifically targeting them then your needs are very different than a corporate executive who is regularly hit with espionage attempts.

    I'll answer for a typical home user: Turris Omnia []. It's a bit pricey ($339 on Amazon []), but it runs a modified version of OpenWRT. It's easy-to-use, reasonably powerful in terms of features and capabilities, and is updated frequently.

  • by danlor ( 309557 ) on Thursday May 17, 2018 @07:38PM (#56629794) Homepage

    Unless you are talking about your netgear or dlink box getting back doored, I think you are looking in the wrong places.

    Any NAT device is sufficient.
    Patch all your stuff
    Don't download crap
    Don't execute the crap you download
    Don't play web games
    Don't use internet explorer
    uninstall flash
    uninstall java

    If you are really looking for a good firewall, go grab a little pfsense box from netgate. But I think you have many other places to look at first.

    • Please dont advertise NAT as security. NAT just allows allocation non-routable addresses that has a convenient by-default side-effect of denying all incoming traffic. In IPv6, you want to just use access lists, rather than NAT, and NAT should die in a fire from its being terribly overused. Lots of people have this idea that NAT is "secure", and access lists arent and put NAT in places where it really has no business Its a very bad rumour that causes people to think that public addresses themselves are *i
      • by Bert64 ( 520050 )

        Technically it doesn't explicitly "deny" incoming traffic, the inbound traffic is addressed to the gateway and it doesn't know which (if any) of the machines behind to forward it to.
        It's not intentionally denying incoming traffic, just that incoming traffic is broken due to nat.

      • Re: (Score:3, Insightful)

        by asifyoucare ( 302582 )

        But by default NAT denies ALL incoming traffic. How can you say that is not security feature?.

        Sure, firewalls and IPS/IDS do a lot more, but NAT is way better than direct exposure


  • I use a cheap Pentium motherboard (also low power), and a quad intel Ethernet card (a used PRO/1000 for ~$50). It has all the bells and whistles of commercial units (captive portal, easy web ui, etc), but has the advantage of being based on FreeBSD. []

    If you were to prefer Linux, it would be possible to use openwrt instead.

    • I use a cheap Pentium motherboard (also low power)

      The first Pentiums were nicknamed "Coffee Warmers" for good reason.

  • by DeVilla ( 4563 ) on Thursday May 17, 2018 @08:05PM (#56629908)
    I've heard good things about Cisco very recently. They put out lot of fixes.
  • by WindBourne ( 631190 ) on Thursday May 17, 2018 @08:10PM (#56629934) Journal
    They constantly update, and then made it skinny. In fact, I wish I had a couple of features back. However, it does a decent security job.
  • One not connected to a network powered off and in an underground fallout shelter, air-gapped from the world by a vacuum chamber inside a Faraday cage. Everything else is hackable.
  • Everybody has a different set of principles by which they judge a gateway router...but here's an approach I recommend. Insofar as I know, it's damned hard to "beat" this solution, unless the invader is able to modify the routers' own firmware:

    In a solution I call "Friday's Folly," I use TWO cascaded routers: The first is in my ISP's connection equipment, which has it's own configuration. I use that to assign a distinct and unique IP address range (don't use 192.168....; it's too often used for novices, s

    • The SECOND cascaded router has, on its' input side, an incoming address (as odd-looking as possible within the first router's LAN range). On the other side (multiple outlets for the LAN), i use a completely different IP Address range, picked almost at random. It is that range (which is masked down to just a small range) to access the protected LAN resources.

      Why would any hacker/cracker want to work so long to get inside the LAN; he(/she) would have to find a way to "probe" for the valid ranges inside the cascaded routers. At that point, I make the choice to install routers for which any signal on the WAN side can't be used to configure the router...therefore, its' configuration is withheld from all but qualified parties on the INSIDE of the network, on the LAN.

      Anybody figured out how, with a $20 second router in place, that cascaded router scheme can be easily hacked? The goal was to make the solution so cumbersome (from the WAN side), that they'll go try to invade some other, simpler, less well protected target.

      I got to do a fair bit of locksmithing over the years, and most of today's attacks against residential broadband networks are likely to be script kiddies (ie. crackheads looking for unlocked car doors); maybe the occasional slim-jim attack to get at the coins you keep in your car's console.

      Don't leave any coins in your console - yeah, I know they're convenient for tollbooths. And anything you do that makes your network harder to hit than the average Comcast user running Windows 7 and a million WiFi devices

      • That's the thing... ...The security guys I talked to at work, thinks I've been targeted by anything else than scriptkiddies, they mention that I've just been unfortunate to be attacked, someone out there thinks I've got something serious to hide, and they've tried LONG to get to it, so the better you're at "hiding" whatever you're hiding, the more interest you're gonna attract.

        So I'm thinking - maybe I should just let the damn fools in :/

        Anyway, I realize that my information was a bit sparse, so I'm reposti

  • A plain PC with two interface running a Linux or BSD system will do the job fine. And since it was not cited yet here, NetBSD can run that as free as secure as the other ones.

    A disadvantage (or advantage, YMMV) is that it requires learning some bits of Unix system administration.

  • Dual ethernet cards/firewall and SAMBA stood up to all but the inside attack

    Maybe someone could update current configuration to today

    • Dual ethernet cards/firewall and SAMBA stood up to all but the inside attack

      Maybe someone could update current configuration to today

      Samba is an amazing piece of software, especially since the project has had to do so much to reverse-engineer a secret language. But making Unix talk to Windows is like making a PhD in Linguistics learn to say "Goo-goo-gah-gah baby want a rattle?". So sad that the world is full of babies.

  • by pubwvj ( 1045960 ) on Thursday May 17, 2018 @08:47PM (#56630060)

    I've had Apple Airports up and running, more than a dozen, since they first came out with newer ones over the years. Never had a problem. Excellent security. The fact that they are no longer being sold just means the price is cheaper - they're still excellent hardware and software.

  • by Cyberax ( 705495 ) on Thursday May 17, 2018 @09:02PM (#56630122)
    My current setup: OpenWRT on Turris Omnia. I've disabled Turris internal WiFi module (and installed a 4G PCIe LTE modem for a fallback connection) and I'm using TP-Link PoE wireless access points throughout my house. TP-Links are pretty well maintained, support VLANs and don't have any extra fluff.

    Turris MOX is an upcoming project that will make it even easier.
  • Your average individual has tech that is way beyond their ability to manage and secure, So security is performed as an add on by 3rd parties. And the truth is most of these 3rd party methods are not up to the job.
    It is not the fault of the user, since it is the vendors putting the devices out there for all. And not everyone is up to the job of properly managing their devices. It also does not help when vendors put inferior products out there, don't provide updates, etc. The normal user does not know or hav
  • OpenWRT/LEDE (Score:5, Informative)

    by kbahey ( 102895 ) on Thursday May 17, 2018 @09:41PM (#56630212) Homepage

    My main router was a Netgear running OpenWRT [] for years. They lagged behind in updates. Another group picked up where they left, and started the LEDE Project. Now the two projects have merged again.

    They provide updates regularly now, and it is very customizable.

    Highly recommended. Just pick a router that is explicitly supported.

  • If you have technical knowledge... OpenBSD. Actually I find pf(4) to be easier to handle than iptables(8).

    But there might be better solutions depending on your use case... like are you using WiFi, etc.. but from security standpoint I would go OpenBSD any day.

    Also... it's very lightweight, you can run it on almost anything.

The party adjourned to a hot tub, yes. Fully clothed, I might add. -- IBM employee, testifying in California State Supreme Court