Advice Request Router hardening

Please provide comments and solutions that are helpful to the author of this topic.

F

ForgottenSeer 2567

Thread author
Hi
there is a lot tips on router hardening....when there are implemented "properly" how do the router compare to a default pfsense,opensense,untangle box....if we stay with in the same skill level (to follow guides to hardening routers) ??
 
F

ForgottenSeer 2567

Thread author
Thanks
but that is not the way i looking for itś more when i have used all of the tips/guides to improve router security how do the router then compare to a default install of pfsense.....the skill level required to configure a pfsense box properly higher the following guides for routers
do the router with all the security tip implemented still cut is in todays home network or do we need to go for better pfsense,shopos,untangle and so on
 

Sunshine-boy

Level 28
Verified
Top Poster
Well-known
Apr 1, 2017
1,759
Idk about Pfsence and don't like to learn how to deploy it(before wanted but not anymore) I don't need a UTM/Hardware firewall cuz its just waste of money, time and Effort:D
Any cheap router like tp link archer series or Asus(like Asus RT-N10U )are more than enough for me. I just use a cheap router+Eset firewall+VPN.that's all.
Maybe @ForgottenSeer 58943 can help you.
 
Last edited:
F

ForgottenSeer 58943

Thread author
A router isn't a firewall, a firewall isn't a UTM. You cannot make a router/firewall into a UTM appliance like Untangle or a Sudo-UTM like PfSense/OPNSense in the general sense. The horsepower is there, the underlying software isn't. Untangle CAN be installed on some home routers though, you'd have to look into that.

To configure a home router to be 'somewhat' secure is painfully simple as there are few options to do it properly.

1) Turn off Admin from WAN.
2) Enable HTTPS admin.
3) Change admin account from admin to something else, such as: 3XkU7Lwe and give it a complex password.
4) Disable UPNP, WSD, SSH, etc. (any un-needed services/protocols)
5) Setup your WiFi networks as GUEST rules. This creates a sort of VLAN with your router, putting tags on your WiFi so they cannot communicate with your internal subnets.
6) Enable SSID Segregation (if option presents), this prohibits inter-SSID communication.
7) Update firmware regularly. If it won't update - factory reset it. If it won't update after factory reset it's compromised, throw it out.

That's about all you can do to a home router to lock it down. Remember, a home router won't protect you much, it's purpose is to DNS Resolver/Forwarding, DHCP Scope Management/ARP Tables, and NATTING internal traffic. About all you are doing above is keeping a threat actor out of your gateway and locking down WiFi a bit.
 
F

ForgottenSeer 69673

Thread author
My router must have false advertising then. notice 3rd item up from the bottom.
ScreenHunter_90 Mar. 11 12.08.jpg
 
F

ForgottenSeer 58943

Thread author
A UTM serves far more purpose than just keeping a hacker from your family photos. An analogy would be, nobody needs locks on their doors because you only have a cheap no-name TV to steal. The entire router industry disagrees with you as every major home router vendor in the world has UTM solutions either out, in the works, or coming soon. Just a few off the top of my head;

Trend Routers
ASUS w/Trend
F-Secure Sense Router
Bit Defender Box and Box 2.0
Bullguard Dojo
Cujo
RATtrap
Fingbox
Keezel
Luma
Norton Core
the list goes on and on. Tenda and Netgear are also in talks for UTM solutions from major vendors.

The reason is, a router (NAT) isn't considered protection any longer. A firewall with SPI is woefully obsolete. Blended deployments within homes are creating a deep, blended threat layer that can't be secured at the device level. Great, you have an AV Suite w/a GOOD firewall on your PC. You'll be 'reasonably' protected. But what about your NAS/WD Drive? Your thermostat? Your printer, smart plug, robot vacuum, TV, DVR, Smart Phone, Tablet, Kindle, Instapot, Firestick and everything else? That's the point of a UTM and that's why in under a decade every home will probably have one, you might as well start now. The nature of BYOD is also facilitating this, devices are coming and going, from secure to insecure networks constantly, and getting hijacked.

Also, let's not neglect the single pane of glass management/awareness UTM's offer. It's easy to spot an infected/hijacked device with ANY of the above home UTM's. Most of those UTM's have anti-DDOS outbound protection (SHIELD) as well.
 
F

ForgottenSeer 69673

Thread author
This looks like a GUI for a standard router with an SPI firewall. Website filtering on that is just a place to enter a few URL's to block.
Yes the firewall section has 4 settings. off, low, medium and high and if switching to three of the settings a person can check or uncheck inbound and outbound on many ports and services.
 
  • Like
Reactions: upnorth
F

ForgottenSeer 2567

Thread author
Hi all
thanks for all the response and ForgottenSeer 58943 for great answer to what to keep in minde(y)
 
  • Like
Reactions: vtqhtr413

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,453
Additionally virtually all UTM devices include a ATP detection and will warn/block a system (phone, PC, ) that attempts to connect to C&C or any other recognized rougue network.
Setting up a secure DNS will do the same though, since all those services share the same database.
 

Attachments

  • capture_03112018_205323.jpg
    capture_03112018_205323.jpg
    80.9 KB · Views: 554
  • Like
Reactions: Sunshine-boy

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,453
It's for the infections that are allready rooted and you don't have to visit the site so you don't know.
Infections also use DNS for downloads and etc. Very few use IPs, because IPs tend to change, once it is discovered and that would make the malware short-lived.
 
  • Like
Reactions: Sunshine-boy

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,453
are you aware that you are infected when no warning is present?
A dormant malware is harmless. It is following the set of instructions: A - B - C. If you block it at B, it can not do anything, it is just a dumb malware. I do not care, if I get infected, as long as malware is unable to steal passwords, encrypt data, etc. Like blocking outbound stopped CCleaner. As you said, it is about the viewpoint.
 
F

ForgottenSeer 58943

Thread author
Infections also use DNS for downloads and etc. Very few use IPs, because IPs tend to change, once it is discovered and that would make the malware short-lived.

Err.. A huge percentage use IP based communication precisely so they can bypass DNS protection and increasing their survivability in the wild. This is why most UTM's have settings to block 'IP Only Requests', it's actually precisely why. Also, DNS filtration relies strictly on KNOWN entities, UTM's do not rely on this for all of their technologies. For example many UTM's are now blocking 'Newly created domains' and 'Newly seen domains', which both are designed to protect you from ATP threats, ransomware, and zero day outbreaks. Add to that the flow inspection, traffic heuristics, sandboxing and other ATP units it's pretty exciting.

But granted, MOST people here wouldn't even be able to setup or configure the SOHO appliances.

The good news is - the dozens of home-ready UTM's coming out require almost no knowledge to work effectively. We're in an exciting, huge transition period.. Router--->Firewall and now UTM. The product matrix is exciting and we're even seeing home units with Rogue AP Detection/Suppression. All of this is driven by real need for security in the home and the understanding that a simple router isn't sufficient in the modern age.
 

woodrowbone

Level 10
Verified
Dec 24, 2011
480
Does anyone here know how Asus/Trend handles https?
I cant find any info how/if they scan https.
Or for that matter, does any brand on Sly:s list do this?

I know Untangle does this (scan https traffic) if you enable SSL Inspector, but then you have to set up a root certificate that was not very easy to do. (For me at least)
On top of that install the certificate on all clients computers.
And what about all IOT devices in this perspective? You cant install root certificates on them...

/W
 

woodrowbone

Level 10
Verified
Dec 24, 2011
480
If you want HTTPS scanned you need local root certificate, no ifs buts about it. That's the only way to have it scanned. Be aware that since Android 7+ you might have issues including local root certs.

And from my experience Untangle 10+ (now on 13), Sophos UTM 9.5.x and Sophos XG17 all are able to scan HTTPS if you install their root certs..

For IoT's I setup a VLAN and send them via a different path away from my network...those don't get HTTPS scanned but they are separate from the net.

In the Untangle case I was referring to, creating the root cert on the appliance was not a walk in the park. After that was done installing the cert on the computers was easy.
As you say a VLAN will help to separate your IoT from your network, but what happens if some of them get infected and starts communicate with a command server over https, or is this scenario unreal?

/W
 
F

ForgottenSeer 58943

Thread author
In the Untangle case I was referring to, creating the root cert on the appliance was not a walk in the park. After that was done installing the cert on the computers was easy.
As you say a VLAN will help to separate your IoT from your network, but what happens if some of them get infected and starts communicate with a command server over https, or is this scenario unreal?

/W

The root CA on Untangle is already created once the SSL inspector is installed (1 click), after that an installer is generated for the RCA to be downloaded. Execute the installer on Windows Machines to install the RCA in a couple clicks. Very easy.

However, Untangle WITHOUT SSL Inspection still knows about C&C server because of IP Address, Header, and SNI information and hence, still blocks them, with or without the RCA installed.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top