Which are best most secure routers? Vendors that accordingly issue, release quick security firmware updates after huge CVE, vulnerabilities discovered in their hardware are exposed publicly.
Looking for the most secure router
- Thread starter Takashi94
- Start date
- Mar 2, 2017
- 318
That's too vague a question. Routers have to comply with industry standards and support all devices from all makers that also comply with those same standards. That's good for consumers because we don't have to worry about, or spend extra money on "proprietary" network devices.
That's why NetGear routers work with Linksys switches and D-Link adapters - all at the same security levels.
That's why NetGear routers work with Linksys switches and D-Link adapters - all at the same security levels.
Upvote
0
Routers aren't adequate protection in the modern age. Firewalls are better, but still antiquated. What you probably want is a UTM/NGFW, especially if you have any IoT in your home, those won't have security except for what your edge device can offer.
At the very least ASUS Routers with AiProtection, then switch out to Merlin Firmware.
AiProtection – Commercial-Grade Security for Your Home Network
F-Secure Sense is by far the best home UTM imo that requires little to no IT knowledge. It also comes with an unlimited device license for the F-Secure Sense Application (including for Windows)
F-Secure SENSE — Secure router and app
If you have some basic IT knowledge, Untangle is the way to go.
NG Firewall | Untangle
If you have moderate IT knowledge and some money, Fortigate Appliance or Sophos XG is the way to go.
Next-Generation Firewalls | NGFW | FortiGate
Sophos Next-Gen Firewall: Enterprise Protection with Security Heartbeat | Centralized Firewall and Endpoint Integration
Also follow my router hardening techniques in this thread;
Q&A - Router hardening
Then you won't have to worry since nobody is going to have WAN access to your stuff. The 'proper' way to have remote access to your UTM/Firewall is via VPN. Any other method will burn you, eventually, especially SSH. Don't expose the user space of your router to the WAN!
Last edited by a moderator:
Upvote
0
- Jul 27, 2015
- 5,459
@ForgottenSeer 58943 advice on this is well worth to follow. 
More router security here : Router Security
More router security here : Router Security
Upvote
0
@ForgottenSeer 58943 advice on this is well worth to follow.
More router security here : Router Security
Good tips on that page, I will bookmark that and go over it.
I've personally witnessed, investigated and mitigated a pretty huge number of WiFi and router attacks. Including;
ARP Spoofing.
ARP Poisoning.
Side Channel Attacks.
Rogue AP's
Evil Twin (Quantum)
Pineapples
Xfinity Hops
Rainbows
On and on.. To the point I am extremely cautious with WiFi. WiFi use should be limited as much as possible and almost always home WiFi should be placed on guest restrictions, even for your primary WiFi. Guest Policy is basically a ghetto VLAN, and intra-SSID communication should be turned off so Wireless devices can't communicate to each other. Guest policy will keep WiFi clients from connecting to your subnet other than DHCP polls and routing out WAN, intra-SSID blocking keeps wireless clients from talking to each other.
We haven't seen Rogue AP Detection/Suppression and WIDS come to consumer gear in any major way yet, but it will be eventually. In the meantime, Wireless should be handled very carefully.
Also I strongly encourage disabling Bluetooth and Wireless Sharing on all devices. Wireless should always be OFF when devices are sleeping (there is a reason Chromebooks have this setting). On Windows I recommend using either a hardware switch to disable internet and/or program your UTM/Router to disable the internet from X-hours each night. For Windows laptops, Wireless Auto-Off works quite well and will disable your wireless card when your machine shuts down - automatically.
Automatically Disable Wireless Cards When Laptops Connect to the LAN
PS: Some of these attacks are becoming common and in use against everyday folks in everyday towns/cities.
Upvote
0
- Mar 2, 2017
- 318
I don't think that is a realistic statement. It suggests routers once were adequate protection and that was never true. What routers did, and still do (even basic NAT routers) is add a very significant layer of protection between you and the bad guys. That is why I always recommend use of a router, even with networks of just one computer.
It should be pointed out that 99% of the bad guys out there are lazy opportunists. They go for the easy pickings. If there is no low hanging fruit, they quickly move on. These users include nosy neighbors and such.
It is that last 1% who are the real threat. But who are they? They are the determined professionals who select and target specific people and networks because they know there is something of value in there worth spending their time on. Is that the type target you are? Not likely, unless you run a business and collect a large cache of customer personal information, like credit card numbers or tax records, etc.
Even a NAT router offers some firewall "type" features. UTM typically are bundled software packages, sometime in a separate device. They have been around for years so why aren't they widely known? Because most users don't need it! Who touts their use for home users? The makers! Not the "independent" security experts or tech sites!
The promotion of next generation firewalls is pretty much a marketing gimmick too. Most newer routers already include many next-gen FW features.
Regardless if you have a basic $30 router or a $500 AC3100 router/system, your computer needs to have its own security too, to include an anti-malware solution and software based firewall. I have the $150 Linksys EA7500 that I am very happy with and confident in terms of the provided security I get from it. If you don't need "simultaneous" dual band, you don't need to spend that much.
And as always the user is ALWAYS the weakest link in security. Be sure to change the default passwords and passphrases to something strong that is not your dog's name or your street address. Use the highest level encryption/security your devices support on the wifi side. Keep Windows and your security software current. And don't be "click-happy" on unsolicited downloads, links, popups and attachments - regardless the router you use.
Remember, even the best security is easily thwarted if the user opens the door and lets the bad guy in.
Upvote
0
What I don't get is if a router is not a firewall, why do the manufacturers add a button in the router that saws firewall?
Besides my router I use Fort Knox firewall. It doesn't show in this pic but I currently have it set to medium. It has four modes. Off, low, med and high plus a bunch of manual options. in medium mode it is allowing SSH outgoing only but I can manually stop outgoing also.
Besides my router I use Fort Knox firewall. It doesn't show in this pic but I currently have it set to medium. It has four modes. Off, low, med and high plus a bunch of manual options. in medium mode it is allowing SSH outgoing only but I can manually stop outgoing also.
Upvote
0
- Mar 2, 2017
- 318
At its most basic level a router is not a firewall. All a router does is connect (or isolate) two networks. What you are looking at is added software in the operating system used by the router.
That's why I said above even a NAT router offers some firewall "type" features.
That's why I said above even a NAT router offers some firewall "type" features.
Upvote
0
Router - Routes traffic, NAT's outbound traffic, hands out DHCP and forwards DNS. Largely blind to traffic it is routing. L1
Firewall - Basic security, usually packet observation that helps block unauthorized traffic and malformations but has no idea what the traffic is therefore it can only react to known malformations not unknowns.. L1-L3
UTM - Router+Firewall with the addition of things like IPS, AV, Web Filtration, packet inspection, application/OSI model. L1-L7 All unknowns become known because of session inspection, presentation observation and appliance process evaluation.
Firewall - Basic security, usually packet observation that helps block unauthorized traffic and malformations but has no idea what the traffic is therefore it can only react to known malformations not unknowns.. L1-L3
UTM - Router+Firewall with the addition of things like IPS, AV, Web Filtration, packet inspection, application/OSI model. L1-L7 All unknowns become known because of session inspection, presentation observation and appliance process evaluation.
Upvote
0
- Mar 2, 2017
- 318
That would be nice if possibly true. But we don't know what we don't know. So we cannot guarantee a defense against every unknown.
Upvote
0
I think Ubuquity, Cisco and other routers which I may have missed did offer next day FW fix when WPA2 exploit was revealed.
So, IMO stick with routers with great and faster SW support.
Personally I am using Netgear R6220 and it was vulnerable to WPA2 for 2 months until Netgear provided a patch. Now Netgear patches most routers ASAP.
So, IMO stick with routers with great and faster SW support.
Personally I am using Netgear R6220 and it was vulnerable to WPA2 for 2 months until Netgear provided a patch. Now Netgear patches most routers ASAP.
Upvote
0
Fortinet Pre-patched theirs for KRACK about a month before the disclosure. Other vendors responded fast as you note, Ubiquiti was very fast out of the slot fixing it. ASUS wasn't too quick, neither was Netgear. But I think MERLIN issued a fix via his ASUS firmware pretty quickly if I recall. You'd wait forever for fixes from Tenda, TP-Link and the others.
Upvote
0
Does TP-Link care for vulnerabilities in it's devices, release fixes to them ASAP accordingly?
Is TP-Link better than Net gear, Linksys?
BTW D-link is very lazy, yet Very very cunning, for my model they'd issued new firmware that makes DNS set in router to ISP by default at reboot no matter what, as well as lot of features, settings can't be changed, 2 years ago.
Is TP-Link better than Net gear, Linksys?
BTW D-link is very lazy, yet Very very cunning, for my model they'd issued new firmware that makes DNS set in router to ISP by default at reboot no matter what, as well as lot of features, settings can't be changed, 2 years ago.
Upvote
0
- Apr 28, 2017
- 326
This is a pretty good thread.
My main fear of router compromise is having someone gain access and doing something illegal that gets traced back to me.
My main fear of router compromise is having someone gain access and doing something illegal that gets traced back to me.
Upvote
0
TP-Link is actually slower at delivering patches. Then Netgear is somewhat faster these days than Linksys,D-link and TP-Link.
Upvote
0
- Mar 2, 2017
- 318
You have a much greater chance of being hacked if you connected your computer directly to your modem without using a router. So even a very basic router is much MUCH better than no modem at all as that puts a very robust security layer between your computer and your gateway device (typically the modem). A router will assign your connected devices a new IP address - a very good thing.
If a basic Ethernet router, just about the only way a bad guy could hack into your network is if he/she physically attached an Ethernet cable to your router. Unless you live in a commune, that would be pretty hard to do unnoticed.
If a "wireless" router, it is easier for a hacker to access and use your network unnoticed. So just make sure you use the strongest security/encryption your connected devices support, and use a very strong wireless passphrase. Don't use your dog's name or street address or anything anyone can easily guess.
Remember, bad guys are lazy opportunists. If they see any security in their way, they will quickly move on to easier pickings - unless they have a personal vendetta against you specifically, and are purposely targeting your specifically. And in that case, you probably have bigger security and safety issues to deal with.
I'm not buying that. Either that specific D-link is defective, or it is ISP provided router that they modified. I suspect the latter.
There is just no reason D-Link would do that. They don't care what DNS servers you use. And if they were not going to let you change settings, they would not include those items in the admin menu. Plus, there would be 1000s (millions?) reports all over the Internet of users complaining of that problem because many users prefer using OpenDNS, Google DNS, or Cloudflare 1.1.1.1 DNS (which is what I use) instead of their ISP's DNS servers.
Upvote
0
Indian model DSL-2750U, D-link (Indian) just upload new 'rogue' 'arrogant' firmwares on site as recommended to update, with absolutely no explanation, changes, less features, as well as very buggy, my $40 Router above model got entirely ruined by updating firmware as they suggest 2 years ago.
Last edited:
Upvote
0
Similar threads
