Ask Slashdot: Which Is the Safest Router? (2018-05-17)
MindPrison writes: As ashamed as I am to admit it -- a longtime computer user since the Commodore heydays, I've been hacked twice recently and that has seriously made me rethink my options for my safety and well-being. So, I ask you dear Slashdot users, from one fellow longtime Slashdotter to another: which is the best router for optimal safety today?
I like using Linux boxes with packet-forwarder turned on in the kernel, and using either IPTables or firewalld, depending on your flavor. I then use my "router" to serve me web content and handle my VPN for me while I'm away from home. Oh, and I would highly recommend something like this: tiny PC [solid-run.com] with multiple 1GB NIC ports, Wifi, BT, etc... so you can have a WAN and a LAN port. It is easier to configure it this way.
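The two-NIC Linux router described in the post above needs a default-deny forwarding firewall before it is any safer than a consumer box. The script below is an added example, not code from the poster: it generates an iptables-restore ruleset for a router with a hypothetical WAN interface eth0, LAN interface eth1 and LAN subnet 192.168.1.0/24 (all assumptions), with masquerading, anti-spoofing, management only from the LAN side and nothing listening on the WAN (so no UPnP exposure either). The second function is an offline sanity check that both INPUT and FORWARD default to DROP.

```shell
#!/bin/sh
# Added example (not from the thread): generate an iptables-restore ruleset
# for a two-NIC Linux router. Hypothetical assumptions: WAN NIC eth0,
# LAN NIC eth1, LAN subnet 192.168.1.0/24.
# Apply with:  gen_router_rules eth0 eth1 192.168.1.0/24 | sudo iptables-restore
# Forwarding must also be enabled:  sysctl -w net.ipv4.ip_forward=1

gen_router_rules() {
    wan="$1"; lan="$2"; lan_net="$3"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# LAN hosts share the router's WAN address
-A POSTROUTING -s $lan_net -o $wan -j MASQUERADE
COMMIT
*filter
# Default deny for traffic to the router and through the router;
# the router itself may originate traffic (updates, DNS, NTP)
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Packets arriving on the WAN that claim a LAN source address are spoofed
-A INPUT -i $wan -s $lan_net -j DROP
-A FORWARD -i $wan -s $lan_net -j DROP
# Loopback and replies to connections we already track
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Services the router offers, LAN side only: SSH, DHCP, DNS.
# Nothing is accepted as NEW on the WAN, so there is no UPnP/SSDP surface.
-A INPUT -i $lan -s $lan_net -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $lan -p udp --dport 67 -j ACCEPT
-A INPUT -i $lan -s $lan_net -p udp --dport 53 -j ACCEPT
-A INPUT -i $lan -s $lan_net -p tcp --dport 53 -j ACCEPT
# Rate-limited ping from anywhere helps troubleshooting
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# Log a sample of what the WAN side drops so probes are visible in syslog
-A INPUT -i $wan -m limit --limit 1/min -j LOG --log-prefix "router-drop: "
# LAN -> WAN only; return traffic comes back through conntrack
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
COMMIT
EOF
}

# Offline sanity check on a generated ruleset: both chains that see
# traffic from the outside must default to DROP. Returns 0 if so.
ruleset_default_deny() {
    rules="$1"
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' &&
    printf '%s\n' "$rules" | grep -q '^:FORWARD DROP'
}

# Print the ruleset when invoked with three arguments (wan lan lan_net)
if [ "$#" -eq 3 ]; then
    gen_router_rules "$@"
fi
```

Review the generated text before loading it; iptables-restore replaces the whole table atomically, so a typo in the interface name locks you out of SSH from the LAN.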
A self-made/installed Linux box is probably the least secure solution for most people. Unless you really know how to secure and lock down your Linux box AND keep it up to date on a weekly basis, your "router" is far from secure. There are few people who really know what they're doing in this domain. Just because you can't hack it doesn't mean it's safe. Misconfiguration is the most common cause of security holes (do you really know each and every piece of software you have running on it, every kernel module, driver, server, etc.?), but even if you do manage to lock it down, security vulnerabilities in Linux and other open source software that Linux uses are discovered all the time and need to be patched fast, as scripts exploiting them come just as fast. It's a full-time job to keep a Linux box secured on the open internet.
Mikrotik are also offering SOHO routers loaded with features. One needs to know how to configure them though.
The hAP is a really neat box.
The unplugged one.
Not necessarily [amazon.com].
You should always follow safety practices appropriate for each type of tool.
Not trying to be overly pedantic here, but do you mean firewall? Routers aren't necessarily security devices.
Many routers let you add rules for various packet types and features, which can add security.
Number one feature: no UPnP available on the device.
Can get one for $200 or less if you shop around
This is what I did, HOWEVER you are misrepresenting the cost, as you must also get a license and a support contract to keep it up to date.
A "secure" router won't help you. What does "hacked twice recently" actually mean?
This is a critical question - in what way was your system compromised? What vulnerability was exploited that allowed someone to access your machine? No single firewall or router can prevent all forms of compromise.
The Russians are the experts in this. I'd buy one from them.
...plugging directly into the modem is worse than no router.
https://www.ubnt.com/edgemax/e... [ubnt.com]
Just a happy customer. Firewall, VLANs, scheduling, logging, etc. Can't beat the price either.
Have several and do like them, but buyer beware that you actually need to configure it to be secure and it is just an iptables firewall. The Unifi Security Gateway is supposedly going to offer some intrusion protection services, but I am not aware of the details.
I meant to add that the UBNT community is full of people willing to help...perhaps the best asset.
Go USG, switch, access points and cloud controller. That's all UniFi, and it is easy to set up and configure. EdgeRouter has more options but is less user-friendly.
UniFi's real advantage is the access points and configuration. They are slowly updating USG to Edge-level options.
Owner of an EdgeRouter, US-8-150W, 1 indoor and 1 outdoor AP.
They're good for a few hundred megabits. I had one and it was great when I had a 100/20 connection.
I upgraded to 950/450 and it could only manage ~300 Mbit.
I don't think I'd name that for "safest" in terms of security. I could be wrong, but I don't remember it having a whole lot of security features, e.g. web filtering, IPS, antivirus scanning.
http://purplebark.net/maffew/scissors.pdf
It is a time proven solution to network woes.
In my opinion the safest router is one that can continuously be updated with the latest patches. About a year ago I used an Ars Technica guide to building your own router (link below). Ordered a very inexpensive mini PC from China with four 1-gigabit ports and put Ubuntu on it. You can set it up to auto-update, but I do it manually. Every week I log in and Ubuntu tells me at login if there are any updates, and if any are related to security.
Besides being a much better performing router with full firew
one to which you have the source code:
https://www.dd-wrt.com/site/index
one to which you have the source code:
https://www.dd-wrt.com/site/in... [dd-wrt.com]
This AC is exactly right actually. If you don't want to deal with some god awful proprietary firmware or go commercial grade, pick up a Netgear router with good hardware and load DD-WRT on it. Been using it for years and it is the best decision I ever made for my home setup.
I'm double NAT-ing/routing my kids' traffic (the only way I can do any kind of traffic control to reserve some bandwidth for my school work and job) with a Raspberry Pi running Raspbian; it handles that load fine. I wonder when we'll see something similar meant for routing and wifi AP setup, etc.
If you don't care about power consumption, then an older PC and a few network cards and your preferred flavor of Linux or one of the BSDs.
In the meantime, double ++ to a decent piece of commodity hardware and a Free OS t
OPNsense, a fork of pfSense, which is a fork of m0n0wall. It is based on HardenedBSD, with a ton of additional security extensions not available in normal FreeBSD or pfSense.
But really, security isn't just one device. Secure ALL of your shit.
You can run OpenBSD on an Ubiquiti EdgeRouter (fanless, SSD). Maybe not necessary, but gives you some more features and options. No hardening required. Simple updates via a cron job.
APU(2) with pfSense is fantastic. Mine runs on a memory card; the only downtime was before I had it on a UPS. Handles my 150/150 internet connection and probably 30+ devices at very low load. Click "update" now and then (or cron it) to keep it updated.
Add in pfBlockerNG for some basic blocking of ads/malicious sites as well.
I chose it mainly for security. As a former Google engineer, I feel that Google's security expertise is top notch.
I had to work with a google home router a few weeks ago and it's a total piece of garbage IMHO. Not having a standard web interface meant I had to handle someone else's cell phone. It also doesn't do anything to prevent double nat or duplicate IPs. It's still green with no warning and allows other simple mistakes that much lesser routers point out instantly.
I'm sure it will improve, but what I saw was total crap.
Linksys and 'mcdebian' (google it)
Good stuff and pretty much pure Debian on a 'plastic router'.
After that, it's all up to you. But the guts are there and it's updatable more than most.
The truth is, nothing is secure unless you can educate yourself a little bit. However, if time to do so is not a problem, the most secure device to remote hacking is probably something running OpenBSD on some single-core CPU ancient enough to be immune to stuff like the recently discovered spectre/meltdown vulnerabilities.
pfSense running on WANBOX [amzn.to]...
pfSense because it's open source and free and "just works". WANBOX, because it's reliable and supports AES-NI crypto onboard.
A Netgate SG-1000 if you want a packaged solution;
https://www.netgate.com/soluti... [netgate.com]
Else load up pfSense on an old PC or search eBay for pfSense... You'll also find repurposed appliances from other people loaded with pfSense.
Then have a computer just for "internet" on it as the only computer on the network.
An OS some bookmarks and what apps are needed.
Have all long term data well away from any networked computer.
Find a fast router with a good CPU that can support the best VPN protection.
Make sure the loss of the VPN will not revert to any ISP ip.
Should any malware get into a computer, they get nothing. Some bookmarks, some productivity apps.
Everything can be restored and be back online quickly.
Stay away from wifi, big brand devices with "helpful" always on microphones, webcams.
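The item "Make sure the loss of the VPN will not revert to any ISP ip" in the post above is a VPN kill switch: the router must fail closed when the tunnel disappears. The script below is an added example, not code from the poster. It generates an iptables-restore ruleset for a router that forwards LAN traffic only into the tunnel interface and lets the router itself reach only the VPN endpoint on the WAN; interface names eth0/eth1/tun0, the LAN subnet 192.168.1.0/24 and the VPN server 203.0.113.10:1194/udp are all constructed placeholders. The second function is an offline check that no ACCEPT rule lets traffic out on the WAN without being pinned to a destination.

```shell
#!/bin/sh
# Added example (not from the thread): a fail-closed VPN kill switch for a
# Linux router. Constructed assumptions: WAN eth0, LAN eth1, tunnel tun0,
# LAN subnet 192.168.1.0/24, VPN server 203.0.113.10 on UDP 1194.
# Apply with:
#   gen_killswitch_rules eth0 eth1 tun0 192.168.1.0/24 203.0.113.10 1194 | sudo iptables-restore

gen_killswitch_rules() {
    wan="$1"; lan="$2"; tun="$3"; lan_net="$4"; vpn_ip="$5"; vpn_port="$6"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# LAN traffic is masqueraded onto the tunnel, never onto the WAN
-A POSTROUTING -s $lan_net -o $tun -j MASQUERADE
COMMIT
*filter
# Default deny in all three directions; OUTPUT is DROP too, so the router's
# own traffic cannot fall back to the ISP when the tunnel is down
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN hosts may talk to the router (DHCP, DNS, management)
-A INPUT -i $lan -j ACCEPT
# The only packets allowed out on the WAN are the VPN handshake/tunnel itself
-A OUTPUT -o $wan -d $vpn_ip -p udp --dport $vpn_port -j ACCEPT
# Everything else leaves through the tunnel. If $tun does not exist,
# these rules match nothing and the DROP policies take over.
-A OUTPUT -o $tun -j ACCEPT
-A FORWARD -i $lan -o $tun -s $lan_net -j ACCEPT
# Rate-limited log of what the kill switch blocks, so a tunnel drop is
# visible in syslog instead of silently "the internet stopped working"
-A OUTPUT -o $wan -m limit --limit 3/min -j LOG --log-prefix "vpn-killswitch: "
-A FORWARD -o $wan -m limit --limit 3/min -j LOG --log-prefix "vpn-killswitch: "
COMMIT
EOF
}

# Offline check: every ACCEPT that sends traffic out on the WAN interface
# must carry a destination (-d). Returns 0 when the ruleset is tight.
killswitch_is_tight() {
    rules="$1"; wan="$2"
    ! printf '%s\n' "$rules" | grep -- "-o $wan " | grep -- '-j ACCEPT' | grep -v -q -- '-d '
}

if [ "$#" -eq 6 ]; then
    gen_killswitch_rules "$@"
fi
```

The ruleset pins the WAN to a single VPN address, so the VPN client has to be configured with the server's IP (or resolve it through the LAN-side resolver before the rules are loaded); a client that re-resolves a hostname over the WAN on reconnect will be blocked, which is the intended failure mode.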
It depends on your needs and your budget. If you're a typical home user that doesn't have people specifically targeting them then your needs are very different than a corporate executive who is regularly hit with espionage attempts.
I'll answer for a typical home user: Turris Omnia [turris.cz]. It's a bit pricey ($339 on Amazon [amazon.com]), but it runs a modified version of OpenWRT. It's easy-to-use, reasonably powerful in terms of features and capabilities, and is updated frequently.
The Cisco/Meraki devices are phenomenal.
They are not cheap by any means, but you can get a short stack of a router (MX series security appliance; an MX64 was given when I took the class), PoE 8-port switch, and wireless access point for free if you attend a Cisco CMNA class.
Unless you are talking about your netgear or dlink box getting back doored, I think you are looking in the wrong places.
Any NAT device is sufficient.
Patch all your stuff
Don't download crap
Don't execute the crap you download
Don't play web games
Don't use internet explorer
uninstall flash
uninstall java
If you are really looking for a good firewall, go grab a little pfsense box from netgate. But I think you have many other places to look at first.
I use a cheap Pentium motherboard (also low power) and a quad-port Intel Ethernet card (a used PRO/1000 for ~$50). It has all the bells and whistles of commercial units (captive portal, easy web UI, etc.), but has the advantage of being based on FreeBSD.
https://www.pfsense.org/ [pfsense.org]
If you were to prefer Linux, it would be possible to use openwrt instead.
Went with Google WiFi for security reasons