Advice Request Router hardening

[ForgottenSeer 2567]

Hi
there is a lot tips on router hardening....when there are implemented "properly" how do the router compare to a default pfsense,opensense,untangle box....if we stay with in the same skill level (to follow guides to hardening routers) ??

 

[Sunshine-boy]

Eset has a good guide:Router configuration the most secure way with these five steps

 

[ForgottenSeer 2567]

Thanks
but that is not the way i looking for itś more when i have used all of the tips/guides to improve router security how do the router then compare to a default install of pfsense.....the skill level required to configure a pfsense box properly higher the following guides for routers
do the router with all the security tip implemented still cut is in todays home network or do we need to go for better pfsense,shopos,untangle and so on

 

[Sunshine-boy]

Idk about Pfsence and don't like to learn how to deploy it(before wanted but not anymore) I don't need a UTM/Hardware firewall cuz its just waste of money, time and Effort
Any cheap router like tp link archer series or Asus(like Asus RT-N10U )are more than enough for me. I just use a cheap router+Eset firewall+VPN.that's all.
Maybe @ForgottenSeer 58943 can help you.

 

[ForgottenSeer 58943]

A router isn't a firewall, a firewall isn't a UTM. You cannot make a router/firewall into a UTM appliance like Untangle or a Sudo-UTM like PfSense/OPNSense in the general sense. The horsepower is there, the underlying software isn't. Untangle CAN be installed on some home routers though, you'd have to look into that.

To configure a home router to be 'somewhat' secure is painfully simple as there are few options to do it properly.

1) Turn off Admin from WAN.
2) Enable HTTPS admin.
3) Change admin account from admin to something else, such as: 3XkU7Lwe and give it a complex password.
4) Disable UPNP, WSD, SSH, etc. (any un-needed services/protocols)
5) Setup your WiFi networks as GUEST rules. This creates a sort of VLAN with your router, putting tags on your WiFi so they cannot communicate with your internal subnets.
6) Enable SSID Segregation (if option presents), this prohibits inter-SSID communication.
7) Update firmware regularly. If it won't update - factory reset it. If it won't update after factory reset it's compromised, throw it out.

That's about all you can do to a home router to lock it down. Remember, a home router won't protect you much, it's purpose is to DNS Resolver/Forwarding, DHCP Scope Management/ARP Tables, and NATTING internal traffic. About all you are doing above is keeping a threat actor out of your gateway and locking down WiFi a bit.

 

[Deleted member 178]

And home users don't needs UTMs because no one will be interested in wasting time and resources to hack your machines to get your family photos...

 

[ForgottenSeer 69673]

My router must have false advertising then. notice 3rd item up from the bottom.

 

[ForgottenSeer 58943]

A UTM serves far more purpose than just keeping a hacker from your family photos. An analogy would be, nobody needs locks on their doors because you only have a cheap no-name TV to steal. The entire router industry disagrees with you as every major home router vendor in the world has UTM solutions either out, in the works, or coming soon. Just a few off the top of my head;

Trend Routers
ASUS w/Trend
F-Secure Sense Router
Bit Defender Box and Box 2.0
Bullguard Dojo
Cujo
RATtrap
Fingbox
Keezel
Luma
Norton Core
the list goes on and on. Tenda and Netgear are also in talks for UTM solutions from major vendors.

The reason is, a router (NAT) isn't considered protection any longer. A firewall with SPI is woefully obsolete. Blended deployments within homes are creating a deep, blended threat layer that can't be secured at the device level. Great, you have an AV Suite w/a GOOD firewall on your PC. You'll be 'reasonably' protected. But what about your NAS/WD Drive? Your thermostat? Your printer, smart plug, robot vacuum, TV, DVR, Smart Phone, Tablet, Kindle, Instapot, Firestick and everything else? That's the point of a UTM and that's why in under a decade every home will probably have one, you might as well start now. The nature of BYOD is also facilitating this, devices are coming and going, from secure to insecure networks constantly, and getting hijacked.

Also, let's not neglect the single pane of glass management/awareness UTM's offer. It's easy to spot an infected/hijacked device with ANY of the above home UTM's. Most of those UTM's have anti-DDOS outbound protection (SHIELD) as well.

 

[ForgottenSeer 58943]

My router must have false advertising then. notice 3rd item up from the bottom.
View attachment 182156

This looks like a GUI for a standard router with an SPI firewall. Website filtering on that is just a place to enter a few URL's to block.

 

[Deleted member 178]

What the industry pushes (for more incomes) and what a home user really needs is debatable

 

[ForgottenSeer 69673]

This looks like a GUI for a standard router with an SPI firewall. Website filtering on that is just a place to enter a few URL's to block.

Yes the firewall section has 4 settings. off, low, medium and high and if switching to three of the settings a person can check or uncheck inbound and outbound on many ports and services.

 

[ForgottenSeer 58943]

Nice custom block page, is that you waving? LOL

Sophos XG?

 

[ForgottenSeer 2567]

Hi all
thanks for all the response and ForgottenSeer 58943 for great answer to what to keep in minde

 

[TairikuOkami]

Additionally virtually all UTM devices include a ATP detection and will warn/block a system (phone, PC, ) that attempts to connect to C&C or any other recognized rougue network.

Setting up a secure DNS will do the same though, since all those services share the same database.

 

[TairikuOkami]

It's for the infections that are allready rooted and you don't have to visit the site so you don't know.

Infections also use DNS for downloads and etc. Very few use IPs, because IPs tend to change, once it is discovered and that would make the malware short-lived.

 

[TairikuOkami]

are you aware that you are infected when no warning is present?

A dormant malware is harmless. It is following the set of instructions: A - B - C. If you block it at B, it can not do anything, it is just a dumb malware. I do not care, if I get infected, as long as malware is unable to steal passwords, encrypt data, etc. Like blocking outbound stopped CCleaner. As you said, it is about the viewpoint.

 

[ForgottenSeer 58943]

Infections also use DNS for downloads and etc. Very few use IPs, because IPs tend to change, once it is discovered and that would make the malware short-lived.

Err.. A huge percentage use IP based communication precisely so they can bypass DNS protection and increasing their survivability in the wild. This is why most UTM's have settings to block 'IP Only Requests', it's actually precisely why. Also, DNS filtration relies strictly on KNOWN entities, UTM's do not rely on this for all of their technologies. For example many UTM's are now blocking 'Newly created domains' and 'Newly seen domains', which both are designed to protect you from ATP threats, ransomware, and zero day outbreaks. Add to that the flow inspection, traffic heuristics, sandboxing and other ATP units it's pretty exciting.

But granted, MOST people here wouldn't even be able to setup or configure the SOHO appliances.

The good news is - the dozens of home-ready UTM's coming out require almost no knowledge to work effectively. We're in an exciting, huge transition period.. Router--->Firewall and now UTM. The product matrix is exciting and we're even seeing home units with Rogue AP Detection/Suppression. All of this is driven by real need for security in the home and the understanding that a simple router isn't sufficient in the modern age.

 

[woodrowbone]

Does anyone here know how Asus/Trend handles https?
I cant find any info how/if they scan https.
Or for that matter, does any brand on Sly:s list do this?

I know Untangle does this (scan https traffic) if you enable SSL Inspector, but then you have to set up a root certificate that was not very easy to do. (For me at least)
On top of that install the certificate on all clients computers.
And what about all IOT devices in this perspective? You cant install root certificates on them...

/W

 

[woodrowbone]

If you want HTTPS scanned you need local root certificate, no ifs buts about it. That's the only way to have it scanned. Be aware that since Android 7+ you might have issues including local root certs.

And from my experience Untangle 10+ (now on 13), Sophos UTM 9.5.x and Sophos XG17 all are able to scan HTTPS if you install their root certs..

For IoT's I setup a VLAN and send them via a different path away from my network...those don't get HTTPS scanned but they are separate from the net.

In the Untangle case I was referring to, creating the root cert on the appliance was not a walk in the park. After that was done installing the cert on the computers was easy.
As you say a VLAN will help to separate your IoT from your network, but what happens if some of them get infected and starts communicate with a command server over https, or is this scenario unreal?

/W

 

[ForgottenSeer 58943]

In the Untangle case I was referring to, creating the root cert on the appliance was not a walk in the park. After that was done installing the cert on the computers was easy.
As you say a VLAN will help to separate your IoT from your network, but what happens if some of them get infected and starts communicate with a command server over https, or is this scenario unreal?

/W

The root CA on Untangle is already created once the SSL inspector is installed (1 click), after that an installer is generated for the RCA to be downloaded. Execute the installer on Windows Machines to install the RCA in a couple clicks. Very easy.

However, Untangle WITHOUT SSL Inspection still knows about C&C server because of IP Address, Header, and SNI information and hence, still blocks them, with or without the RCA installed.