Router Security: Suggested secure routers
Configuring a router for security can only take you so far. You also need to choose the right router initially.
Many people use the device given to them by their Internet Service Provider (ISP), which I think is the least secure option for a number of reasons. Understandably, many non-techies prefer this because they can call their ISP when things go wrong.
Slightly more secure would be a consumer router, but that is not the best option either. To bolster this opinion, see the page on router bugs. It is not an exhaustive list of bugs, but it illustrates the poor state of software on consumer routers.
The most secure option is a business class device or perhaps a pro-sumer model.
Which router do I recommend? The Pepwave Surf SOHO router from Peplink. It is a low-end business class router, not geared to consumers. Its cost has been a fairly consistent $200, which is a bargain for a business grade router, especially one that does Wi-Fi. The user interface is, in my opinion, simpler than that of other business oriented routers. You can see for yourself, by kicking the tires of a much higher end Peplink router here. My description of the router, with its pros and cons, is quite long. The Surf SOHO may not be a fit for you, but after reading about it, you should have no doubt whether it meets your needs or not. My only relationship with Peplink is that of a customer.
My second choice would be the $300 UniFi Dream Machine by Ubiquiti. That said, I have no hands-on experience with it at all. The Dream Machine was introduced in November 2019 and, like the Pepwave Surf SOHO, it is a bottom-of-the-line device from a high end company. It is reasonable to expect the Dream Machine to be fairly secure, but having not used it, I don't know for sure.
The Wire Cutter (thewirecutter.com) is a popular review site. However, do not take their advice on routers. Like most, they focus on speed, speed and speed. They completely ignore security in making their recommendations. They are also only aware of consumer routers, a very small subset of the real world.
NOTE: Any router can only be made as secure as its included features allow. For a list of router security features see my Security Checklist.
NOTE: Buying a used router from a stranger (think eBay) can be dangerous, as the firmware may have been maliciously modified. To protect against that, download new firmware using a different router. If possible, switch the firmware entirely, that is, if it came with stock firmware, try switching to DD-WRT, OpenWRT or anything else. Asus owners can switch from Asus firmware to that offered by Merlin.
By "privacy" I am referring to a router not spying on you. In the old days, no routers spied on the network they governed. Now, a router that does not is getting harder and harder to find. It is now the rule, rather than the exception, that customers must have an account with the router manufacturer. If the router is in contact with a cloud service from the manufacturer, there is always the chance that someone from the manufacturer can get into the router. Plume is perhaps the ultimate example of monitoring your network and they are forming partnerships with ISPs.
Then too there is passive spying; many routers phone home with data about the activity on the LAN they control. The last router that I took a serious look at, the Synology RT2600ac, was disgraceful in this respect. It phoned home to Synology all the time, there is no way to stop it, and Synology cannot be bothered to document what data is being transferred or why. For details, see the section Spying On The Router in my Synology review.
Cisco is perhaps the poster boy for Point 1; it seems as if new critical security flaws are found in Cisco router software every month. So many that I have given up even including them in the News page. And these are huge flaws, the type that let remote attackers take full control over vulnerable devices.
Initially, I did not include outbound firewall rules in this list. However, with the January 2020 release of the Cable Haunt vulnerability in Broadcom cable modems, it has become much more important. For my take on Cable Haunt see the Bugs page. In short, if a device on your LAN can access a vulnerable cable modem, then it can attack the modem. If the modem is part of a gateway (combination router/modem) that makes the danger even worse. In the US, we cannot update the firmware on our cable modems, our ISP must do this. Since most ISPs are virtual monopolies, they have no motivation to bother with something that will cost them time and money and that few customers are aware of. So, this vulnerability is likely to remain with us for decades.
The only defense is blocking LAN side access to the modem (it is usually available at IP address 192.168.100.1). There are two ways to do this. The hard way is defining a custom route in the router, something many routers do not support. The easier way is to block IP address 192.168.100.1 with an outbound firewall rule. Again, many routers do not offer outbound firewall rules. The Pepwave Surf SOHO, that I recommend, does support outbound firewall rules and configuring it to block modem access looks like this. I blogged about this back in 2015: Talk to your modem and Using a router to block a modem.
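A way to verify that the block is actually in effect, as an added example that is not from this page or from Peplink: run this from an ordinary LAN client (not from the router) before and after adding the rule; before, it should report the modem as reachable, after, as blocked. The modem address comes from the text above; the ports probed (80 and 443, the usual status-page ports) and the Linux-firmware rule in the comment are assumptions.

```python
import socket

MODEM_IP = "192.168.100.1"   # usual cable-modem LAN address, as noted above
MODEM_PORTS = (80, 443)      # assumed: ports of the modem's status web page

# Assumption, not Peplink syntax: on Linux-based firmware such as OpenWRT the
# equivalent of the Surf SOHO outbound rule is a FORWARD-chain reject, e.g.
#   iptables -I FORWARD -d 192.168.100.1 -j REJECT

def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes before the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, timed out, or no route all count as blocked
        return False

def check_modem_isolation(host=MODEM_IP, ports=MODEM_PORTS, timeout=2.0):
    """Probe each port from a LAN client. Returns (per-port results, verdict).

    'EXPOSED' means at least one port answered, so any compromised LAN device
    could reach the modem: the outbound rule is missing or mis-scoped."""
    results = {port: tcp_reachable(host, port, timeout) for port in ports}
    verdict = "EXPOSED" if any(results.values()) else "blocked"
    return results, verdict

if __name__ == "__main__":
    results, verdict = check_modem_isolation()
    for port, is_open in results.items():
        print(f"{MODEM_IP}:{port} {'reachable' if is_open else 'unreachable'}")
    print("modem isolation:", verdict)
```

If the first run (before the rule) already says blocked, the modem may use a different address or port, so the later "blocked" result proves nothing; check the modem's documentation first.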
On a related point, if you need to open a port, perhaps to allow for remote control, a router that can limit access to said port by source IP address is almost a necessity.
Ubiquiti has many fans and their UniFi line is a step up from consumer routers. However, their AmpliFi and Alien line are both for consumers.
Getting started with UniFi has always been both too expensive and too complicated. For example, you need to buy their router, their switch, their Access Point(s) and then deal with their server software, yet another headache. You have to run their controller software somewhere, perhaps on one of your computers, perhaps in a virtual machine or perhaps on a small hardware device (UniFi cloud key) they sell just for this purpose.
Their Dream Machine made it both cheaper and easier to get started with the UniFi line from Ubiquiti.
As a business/professional system, the Dream Machine supports firewall rules, VLANs, 2FA, Intrusion Detection, Intrusion Prevention, GeoIP Filtering and has an extensive web interface (in addition to a mobile app). It self-updates and supports 4 SSIDs. However, it only supports one WAN connection, there is no provision for fail-over. Another problem is that it requires you to have an account with Ubiquiti. Peplink does not require this.
Of some concern is the fact that remote access is enabled by default; no one else does that. Also, remote access seems to be through Ubiquiti (unifi.ui.com); I am not sure if it offers direct access to the router. Also worrying is that when the router was released, many features were in Beta or Alpha. Peplink would never do that.
Another concern with Ubiquiti is that sometime in October 2019 they started spying on their customers, did not tell anyone about it and offered no way to opt out.
I first noticed this November 3, 2019, in this Twitter thread by Royce Williams. It links to a Reddit discussion: Ubiquiti adds phone-home to the access point firmware and an official response from the company. Quoting it: "We have started to gather crashes and other critical events strictly for the purpose of improving our products. Any data collected is completely anonymized, GDPR compliant, transmitted using end-to-end encryption and encrypted at rest. There is no on/off switch ... The memory leak that you reference above was a bug specific to release 4.0.60 which was fixed as of 4.0.61."
In other words, they screwed up the AP phoning home and created a memory leak that crashed their devices. Even if their intentions are not bad, their software quality seems poor. The Access Points phone home to trace.svc.ui.com, which Ubiquiti says you can block in the router. However, the AP keeps re-trying, which is where the memory leak came from. That bug has been fixed.
More official response on Nov. 3, 2019: Update: UniFi Phone Home/Performance Data Collection. They gave in and will let customers opt out of this. This article: Sure, we made your Wi-Fi routers phone home with telemetry, says Ubiquiti. What of it? by Shaun Nichols of The Register (Nov 2019) adds nothing but there are 107 comments as I write this.
Ubiquiti also has a line of Edge Routers. They are a step above consumer routers but I have not used one, so I have no opinion on how secure they are. None of the EdgeRouters do Wi-Fi, so you would need to add wired access points. The user interface may be too difficult for anyone who is not a networking techie. Some have said that the documentation is almost non-existent. The three cheapest models are $59, $99 and $109 (as of Sept. 2019). The Operating System is called EdgeOS and the User Guide is online. Many have spoken highly of the Ubiquiti EdgeRouter Lite that sells for about $100. It has a console port and three Ethernet ports, none of which are dedicated. Doug Reid reviewed it in June 2017 for SmallNetBuilder.com and warned that the GUI is still a work in progress, it is not plug and play, tech support is only available from a community forum and QoS kills the performance. On the upside, it is highly configurable, if you know what you're doing.
Peplink does not offer a mesh Wi-Fi system (at least not as of Oct. 2019) so if you use a Peplink router that does not do Wi-Fi the question is what to pair it with. Although I have not used them, one excellent (and relatively expensive) option is Ruckus. Ruckus specializes in Wi-Fi and their Access Points are universally praised. They can also function in Mesh mode, where one AP talks to another wirelessly.
An issue with all Access Points is the software to control and manage them. The Ruckus "unleashed" line of Access Points has its controller software built into the APs. Ubiquiti will sell you a $70 gizmo to run the controller software for their APs. Peplink Balance routers include AP controller software, so if you just need Access Points (no mesh) then buying Peplink APs means not having to deal with controller software from a different company. The cheapest Ruckus AP is the R310. Higher end models are the R510 and the R610. For home use the R310 is probably fine. The 9U1 models are "unleashed," other variations require separate controller software.
As a high end company, Ruckus does not sell directly to consumers, you have to buy through an authorized reseller. Do not buy their hardware on Amazon.com, they will not support it. I do not know the rules for tech support or for ongoing firmware updates to the Access Points. Ruckus APs are designed to be powered from the Ethernet cable. If you don't already have a switch that offers electricity via Ethernet, you will need to buy either a power-over-Ethernet adapter or an AC adapter to power each Ruckus AP.
It is hard to tell how much a router vendor really cares about security, until you submit a bug to them and see how they deal with it. On the October 19, 2019 episode of the Cyberwire podcast (Hoping for SOHO security) someone from ISE was interviewed about their recent report SOHOpelessly Broken 2.0 that found multiple flaws in routers and NAS devices. When it came to dealing with the problems that ISE reported, Asus and Netgear were drastically different. Simply put: Asus good, Netgear bad.
Quoting ISE: "Netgear exhibited severe communication issues, resulting in our finding being patched long before our reports were even confirmed. This was the longest and most arduous disclosure of this research project. Nearly 5 months were spent waiting for Netgear to respond to the BugCrowd reports, and an additional 3 months were spent attempting to get CVEs from Netgear, and then MITRE. After contacting MITRE, Netgear was removed from the official CVE numbering authority list." In contrast, they said "Asus promptly responded to our vulnerability submission. They worked closely with us to ensure they were mitigating the reported vulnerabilities appropriately."
Below are the bugs that ISE found. Both companies have been making routers for a very long time. This seems like quite a lot of bugs for software that should be mature at this point.
CVE-2018-14710 – Reflected Cross-Site Scripting via appGet.cgi
CVE-2018-14711 – Missing Cross-Site Request Forgery Protection on appGet.cgi
CVE-2018-14714 – Command Injection via load_script Hook in appGet.cgi
CVE-2018-14713 – Uncontrolled Format String via nvram_match Family in appGet.cgi
CVE-2018-14712 – Stack Buffer Overflow via delete_sharedfolder() in appGet.cgi
Netgear Nighthawk X10-R9000
CVE-2019-12510 – Authentication bypass via X-Forwarded-For header
CVE-2019-12511 – System command injection via SOAP API
CVE-2019-12512 – Cross-site scripting via X-Forwarded-For header
CVE-2019-12513 – Cross-site scripting in logs via malicious DHCP request
An experience of mine points out how much tech support cares. If they don't care, then it is impossible to consider the router secure. Peplink cares, AmpliFi does not.
In October 2019 I had a problem that I don't understand: TCP port 53 appeared to be open on the WAN side of an AmpliFi router and on three Peplink routers. The problem itself is not relevant here, just how each company dealt with it.
AmpliFi ignored my first email for a week. A second email was responded to; they said the open port was needed and pointed me to an irrelevant article about a Linux system needing port 53 open on the LAN side. A couple of back-and-forths made it obvious that the person I was in contact with either didn't know or didn't care. I had given them the public IP address of the AmpliFi router and the nmap output. They did not try to replicate the nmap result. In contrast, Peplink did try to replicate the nmap scan. The first and obvious step from a company that cares.
In addition, AmpliFi has a poor record with WPS. You can appear to disable WPS in the mobile app, but it is not fully disabled. Network scanning software shows that WPS is still enabled. Their tech support told me not to worry about it. But, I do. And, it is not clear to me at all how remote control of an AmpliFi works. So, I can't tell if it's secure. Their remote control system is unlike others I have seen, it requires you to use a Google account.
Also, the AmpliFi mesh points (candlesticks) can be used as Wi-Fi extenders for any network. The bad news is that when used with non-AmpliFi routers they enable WPS with no way to disable it. AmpliFi is a typical consumer product and should be avoided.
When it comes to Router Security and/or Privacy, Consumer Reports is as wrong as wrong gets. I am referring to this August 2019 article: Many Wireless Routers Lack Basic Security Protections, Consumer Reports' Testing Finds which says:
CR's router testing includes the companies' privacy policies, because so much sensitive data flows through the devices. Our privacy experts analyzed every router manufacturer’s documentation. We gave better scores to routers—including some models from Eero, Google, and Netgear—that spell out what information their manufacturers might collect from users, such as network speeds, the name of the internet service provider, and how much data you're transmitting to the web.
This is as wrong as wrong gets. For one thing, it assumes all router vendors spy on you, which is NOT true. There are routers that can be used without the router company knowing a damn thing about your network. And, without having to create an account with the router manufacturer. My favorite router company, Peplink/Pepwave is one such company. So too is Ubiquiti which makes the AmpliFi. Each can be used with total privacy.
That said, to use AmpliFi privately means giving up remote access to the system. AmpliFi only allows remote control using a Gmail or Facebook account. Peplink offers two systems for remote access to their routers, one system goes through them (InControl2), the other does not. Specifically, they still offer remote access via an open port. The port can be anything, access can be limited to HTTPS and you get to change the userid too, so it is as secure as this type of system can be.
In contrast, there is no opting out of Eero/Amazon or Google with their routers. Each requires you to have an account. But worse, they are the last two router companies anyone concerned with privacy should use. Yet, Consumer Reports gives them high marks for privacy. Lunacy. Both companies want to spy on you and a router is a perfect place for this spying.
Another indication that Consumer Reports is clueless, comes from the last few words in the quote above. A router offers access to much more than just "the web".
My final indication of their incompetence comes from their approach - reading privacy policies. If a router is phoning home, this can be detected. But, that requires technical competence.
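How a phone-home can be detected, as an added example that is not from this page or from any router vendor; it also serves the trace.svc.ui.com discussion above. The technique assumed here: disconnect every LAN client, then capture the router's plaintext DNS queries on its WAN side (between router and modem), so anything still being looked up must come from the router itself; a name that recurs at a steady interval is the signature of scheduled telemetry. The capture and its line format are constructed; the domain names are only illustrations.

```python
from collections import defaultdict
from statistics import median

# Constructed sample, not a real capture: DNS query names seen on the WAN side of
# the router with every LAN client disconnected, in a made-up "<HH:MM:SS> <name>"
# line format. With the LAN idle, each query must come from the router itself.
SAMPLE_CAPTURE = """\
10:00:05 pool.ntp.org
10:00:05 trace.svc.ui.com
10:05:05 trace.svc.ui.com
10:10:05 trace.svc.ui.com
10:15:05 trace.svc.ui.com
11:00:07 pool.ntp.org
"""

def parse_capture(text):
    """Return (seconds since midnight, normalised name) for each well-formed line."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue                      # skip blank or malformed lines
        h, m, s = (int(x) for x in parts[0].split(":"))
        rows.append((h * 3600 + m * 60 + s, parts[1].lower().rstrip(".")))
    return rows

def summarize(rows):
    """Per name: how often the router asked for it and the median gap between asks.
    A steady gap (300 s in the sample) points to a scheduled upload, as opposed
    to an occasional lookup such as a time sync."""
    seen = defaultdict(list)
    for t, name in rows:
        seen[name].append(t)
    report = {}
    for name, times in seen.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        report[name] = {"count": len(times),
                        "median_gap_s": median(gaps) if gaps else None}
    return report

def suspicious(report, min_count=3):
    """Names resolved repeatedly while the LAN was idle: candidates for an
    outbound block at the router, which is what the page says works for trace.svc.ui.com."""
    return sorted(name for name, r in report.items() if r["count"] >= min_count)

if __name__ == "__main__":
    report = summarize(parse_capture(SAMPLE_CAPTURE))
    for name in suspicious(report):
        print(f"{name}: {report[name]['count']} lookups, "
              f"median gap {report[name]['median_gap_s']} s")
```

A router that resolves through an encrypted resolver or caches aggressively will not show its lookups this way; the same idle-LAN capture still works on the TCP connections themselves, grouped by destination address instead of by name.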
- - - - - - - -
This page is still being worked on ....