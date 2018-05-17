

Ask Slashdot: Which Is the Safest Router?

Posted by BeauHD from the safety-first dept.
MindPrison writes: As ashamed as I am to admit it -- a longtime computer user since the Commodore heydays, I've been hacked twice recently and that has seriously made me rethink my options for my safety and well-being. So, I ask you dear Slashdot users, from one fellow longtime Slashdotter to another: which is the best router for optimal safety today?

  • Not trying to be overly pedantic here, but do you mean firewall? Routers aren't necessarily security devices.

      by arth1 ( 260657 )

      Many routers let you add rules for various packet types and features, which can add security.

    • Not trying to be overly pedantic here, but wtf does OP mean in the first place by "I've been hacked twice"? Someone accessed one of his machines (the Commodore?) on the inside of his firewall through a regular ISP connection? Did someone "hack" into his Nest thermostat? If you don't understand basic equipment and security, I'm guessing you didn't find out you were "hacked" through a routine audit.
  • Can get one for $200 or less if you shop around

    Number one feature: No upnp available on the device

      by Kenja ( 541830 )

      Can get one for $200 or less if you shop around

      This is what I did, HOWEVER you are misrepresenting the cost as you must also get a license and a support contract to keep it up to date.

  • PEBCAK (Score:4, Insightful)

    by sexconker ( 1179573 ) on Thursday May 17, 2018 @06:54PM (#56629564)

    A "secure" router won't help you. What does "hacked twice recently" actually mean?

      by Anonymous Coward on Thursday May 17, 2018 @07:01PM (#56629606)

      This is a critical question - in what way was your system compromised? What vulnerability was exploited that allowed someone to access your machine? No single firewall or router can prevent all forms of compromise.

    • Thanks! There are so many unanswered details about this "question" and the premise - all I need is a great router to be safe from hacking! - is obviously wrong on SO many levels.
    • I also find it hard to believe just any person would get hacked. Is this actually a common thing, that an anonymous individual would have a high speed internet connection with a proper firewall not open to vulnerable software would get 'hacked' on multiple occasions? Perhaps there is something about this person that is making them a target, and the solution is to stop doing that. If you have ports open, take a good look at the software. Use non-standard ports if you have to. That kind of thing.

  • Ubiquiti EdgeRouter X (Score:3)

    by thebes ( 663586 ) on Thursday May 17, 2018 @06:57PM (#56629580)

    https://www.ubnt.com/edgemax/e... [ubnt.com]

    Just a happy customer. Firewall, VLANs, scheduling, logging, etc. Can't beat the price either.

    • Have several and do like them, but buyer beware that you actually need to configure it to be secure and it is just an iptables firewall. The Unifi Security Gateway is supposedly going to offer some intrusion protection services, but I am not aware of the details.

        by thebes ( 663586 )

        I meant to add that the UBNT community is full of people willing to help...perhaps the best asset.

      by imidan ( 559239 )
      This is the brand I'd like to go for when I replace my current setup (Apple Airport Express). I haven't done enough research on them yet, but my impression is that Ubiquiti could be a great replacement.

      • Go usg, switch and access points and cloud controller. That's all unifi, and is easy to set up and configure. Edgerouter has more options but is less user friendly.

        Unifi's real advantage is the access points, and configuration. They are slowly updating usg to edge level of options.

        Owner of edge router, usb8 150 w, 1 indoor and 1 outdoor AP.

    • They're good for a few hundred megabits. I had one and it was great when I had a 100/20 connection.
      I upgraded to 950/450 and it could only manage ~300Mbit.

    • I don't think I'd name that for "safest" in terms of security. I could be wrong, but I don't remember it having a whole lot of security features, e.g. web filtering, IPS, antivirus scanning.

  • http://purplebark.net/maffew/scissors.pdf

    It is a time proven solution to network woes.

    by Anonymous Coward

    In my opinion the safest router is one that can continuously be updated with the latest patches. About a year ago I used an Ars Technica guide to building your own router (link below). Ordered a very inexpensive mini PC from China with 4 1 Gigabit ports and put Ubuntu on it. You can set it up to auto update, but I do it manually. Every week I log in and Ubuntu tells me in the login if there are any updates, and if any are related to security.

    Besides being a much better performing router with full firew

    by Anonymous Coward

    one to which you have the source code:
    https://www.dd-wrt.com/site/index

      by Zmobie ( 2478450 ) on Thursday May 17, 2018 @07:30PM (#56629750)

      one to which you have the source code:
      https://www.dd-wrt.com/site/in... [dd-wrt.com]

      This AC is exactly right actually. If you don't want to deal with some god awful proprietary firmware or go commercial grade, pick up a Netgear router with good hardware and load DD-WRT on it. Been using it for years and it is the best decision I ever made for my home setup.

      • I'm double NAT-ing/routing my kids traffic (only way I can do any kind of traffic control to reserve me some bandwidth for my school work and job) with a Raspberry Pi running Raspbian, handles that load fine. Wonder when we'll see something similar meant for routing and wifi AP setup, etc.

        If you don't care about power consumption, then an older PC and a few network cards and your preferred flavor of Linux or one of the BSDs.

        In the mean time, double ++ to a decent piece of commodity hardware and a Free OS t

  • OPNsense (Score:3)

    by darkain ( 749283 ) on Thursday May 17, 2018 @06:59PM (#56629598) Homepage

    OPNsense, a fork of pfSense, which is a fork of m0n0wall. It is based on HardenedBSD, with a ton of additional security extensions not available in normal FreeBSD or pfSense.

    But really, security isn't just one device. Secure ALL of your shit.

  • Does safety mean that you can trust the code in the router or does safety mean performance of router to defend against attacks because those are different requirements. If code trust is more important, I would recommend any router that you can replace the firmware with open source firmware like DD-WRT or Tomato. For performance, I don't know of any comparisons published on different models of routers.

  • I chose it mainly for security. As a former Google engineer, I feel that Google's security expertise is top notch.

      by Anonymous Coward

      I had to work with a google home router a few weeks ago and it's a total piece of garbage IMHO. Not having a standard web interface meant I had to handle someone else's cell phone. It also doesn't do anything to prevent double nat or duplicate IPs. It's still green with no warning and allows other simple mistakes that much lesser routers point out instantly.
      I'm sure it will improve, but what I saw was total crap.

    • As someone who is aware of Google's tracking preferences, I would say you are an idiot, but that's because my definition of safety includes privacy. BSD-based anything
  • ...as long as you put OpenWrt on it.

    • linksys and 'mcdebian' (google it)

      good stuff and pretty much, pure debian on a 'plastic router'.

      after that, it's all up to you. but the guts are there and it's updatable more than most.

  • I am also networking and programming savvy but I always assumed good hacking jobs would go unnoticed. What tipped you off to being hacked and do you allow admin login to your router from the wan side? I'm generally aware that is the most likely attack vector. Thanks for any info.
  • In this day and age, nothing will help you. Buy a Microsoft phone and wrap a faraday cage around your bed. Use Microsoft Edge. PFSense is shit, a firewall won't help but disabling your Wi-Fi might.

  • The truth is, nothing is secure unless you can educate yourself a little bit. However, if time to do so is not a problem, the most secure device to remote hacking is probably something running OpenBSD on some single-core CPU ancient enough to be immune to stuff like the recently discovered spectre/meltdown vulnerabilities.

  • pfSense running on WANBOX [amzn.to]...

    pfSense because it's open source and free and "just works". WANBOX, because it's reliable and supports AES-NI crypto onboard.

    by bferrell ( 253291 ) on Thursday May 17, 2018 @07:29PM (#56629744) Homepage Journal

    A Netgate SG-1000 if you want a packaged solution;

    https://www.netgate.com/soluti... [netgate.com]

    Else load up PfSense on an old PC or search ebay for pfsense... You'll also find repurposed appliances from other people loaded with PfSense.

    by AHuxley ( 892839 ) on Thursday May 17, 2018 @07:30PM (#56629746) Journal
    Fast so it can support a quality VPN.
    Then have a computer just for "internet" on it as the only computer on the network.
    An OS some bookmarks and what apps are needed.
    Have all long term data well away from any networked computer.
    Find a fast router with a good CPU that can support the best VPN protection.
    Make sure the loss of the VPN will not revert to any ISP ip.
    Should any malware get into a computer, they get nothing. Some bookmarks, some productivity apps.
    Everything can be restored and be back online quickly.
    Stay away from wifi, big brand devices with "helpful" always on microphones, webcams.
  • The safest router is the one that does not let any packets through at all. Taking a pair of scissors to your Ethernet cables would work fine.

  • It depends on your needs and your budget. If you're a typical home user that doesn't have people specifically targeting them then your needs are very different than a corporate executive who is regularly hit with espionage attempts.

    I'll answer for a typical home user: Turris Omnia [turris.cz]. It's a bit pricey ($339 on Amazon [amazon.com]), but it runs a modified version of OpenWRT. It's easy-to-use, reasonably powerful in terms of features and capabilities, and is updated frequently.

  • The Cisco/Meraki devices are phenomenal.
    They are not cheap by any means, but you can get a short stack of a Router (MX series security appliance, MX64 was given when I took the class,) POE 8-port switch, and Wireless Access Point for free if you attend a Cisco CMNA class.

       

    by danlor ( 309557 ) on Thursday May 17, 2018 @07:38PM (#56629794) Homepage

    Unless you are talking about your netgear or dlink box getting back doored, I think you are looking in the wrong places.

    Any NAT device is sufficient.
    Patch all your stuff
    Don't download crap
    Don't execute the crap you download
    Don't play web games
    Don't use internet explorer
    uninstall flash
    uninstall java

    If you are really looking for a good firewall, go grab a little pfsense box from netgate. But I think you have many other places to look at first.

  • I use a cheap Pentium motherboard (also low power), and a quad intel Ethernet card (a used PRO/1000 for ~$50). It has all the bells and whistles of commercial units (captive portal, easy web ui, etc), but has the advantage of being based on FreeBSD.

    https://www.pfsense.org/ [pfsense.org]

    If you were to prefer Linux, it would be possible to use openwrt instead.

  • I've heard good things about Cisco very recently. They put out a lot of fixes.
  • They constantly update, and then made it skinny. In fact, I wish I had a couple of features back. However, it does a decent security job.

