Router Security: Router Resources. Website by Michael Horowitz
My new website: DefensiveComputingChecklist.com is a list, both of things to be aware of, and specific defensive steps that we can take in response to the computer threats of 2019.
 
Table of Contents

- Security Advisories
- Emulators
- My blogs about routers
- Self Updating Routers
- Consumer Router Alternatives
- Third Party Firmware
- TOR and VPN Client Routers
- VPN Client Routers
- TOR Routers
- Just Released Routers
- Coming soon. Maybe.
- Default Router Passwords
- Other Router Security Advice
- Adding a router to a gateway
- Addon Security Devices
- Addon Security via Firmware
- Supposedly Secure Routers
- Assorted Resources

Security Advisories from router vendors

Emulators - kick the tires on a router's web interface

My blogs about routers

Self-updating Routers

Since many router owners do not update the firmware, a router that self-updates is, almost always, a good thing. Not that it doesn't leave other problems, but one less is one less. This list is, no doubt, incomplete. And, the view that self-updating is always good is overly simplistic. The Security Checklist page has the details on what to look for. The Routers with Self Updating Firmware page has details on how some vendors compare to this checklist.

Consumer Router Alternatives

Third Party Firmware

One way to avoid consumer router firmware is to install alternate, third-party firmware.

TOR and VPN Client Routers

VPN Client Routers

When most consumers encounter a VPN router, they are dealing with a router that can function as a VPN server. Much more interesting, to me, are the few routers that can function as VPN clients. That is, the software necessary to connect to a VPN server is built into the firmware. Very few routers, running the software they shipped with, can function as a VPN client. However, alternate firmware, such as DD-WRT and Tomato, does include VPN client software. Complicating things, however, are the multiple types of VPN. The most popular seem to be OpenVPN, L2TP/IPsec and PPTP, with PPTP being the least secure.

HowToGeek wrote about using VPN client software on a router in July 2016. PC Magazine has their opinion of the Best VPN Routers of 2018 (last updated Nov. 2018), but they only consider consumer devices from Asus, D-Link, TP-Link, Trendnet, Linksys and Netgear. And security is not a strong point: 9 of the 10 support WEP encryption and only 4 support WPA2 Enterprise. Wayne Rash wrote If You Don't Use a Business-Class VPN Router, Here's Why You Should for PC Magazine (November 28, 2018). He argues that while a consumer router may support a VPN, it can not match the capabilities of a business-class router.

TOR Routers

A word of warning about running Tor on a router from Matt Casperson: "Tor is only as secure as those applications whose data it is transferring, and one of the benefits of the Tor bundle is a browser that has disabled a number of plugins that are known to leak identifiable information."

Just Released Routers

Hot off the router presses.

Coming soon. Maybe.

A number of security devices are planned. Some are routers, others sit between your router and modem and yet others can plug into a router. These upcoming security devices are getting some press attention. See These Devices Are Trying To Secure The Internet of (Hackable) Things by Lorenzo Franceschi-Bicchierai (Jan. 8, 2016 at Motherboard). This list is in no particular sequence.

Default Router Passwords

Other Router Security Advice

This topic was moved on January 1, 2018 to the new Other Router Security Advice page.

Adding a router to a gateway

Add-on Security Devices

Many devices are sold that claim to add security to an existing network. This section was added Sept. 26, 2017 and is surely incomplete.

The Fingbox is a networking device that you plug into a LAN port on your router. For it to babysit all the devices connected to the router, it has to be futzing with ARP and making itself the default gateway. If you use VLANs, you need one for each VLAN. Some routers block some features. It collects data about your network activity and sends it to Fing. So, people who want security get more surveillance. Features: block kids from using the Internet during dinner time, notify you of new devices on your network, block new devices by default, notify when a device leaves the network, block any device from accessing the Internet, detect any nearby WiFi device, even those not on your network (is Billie home yet?), bandwidth analysis, Wi-Fi signal strength analysis, test Wi-Fi and wired speeds, detect evil twin networks and report on WAN-side open ports in the router. Notifications are by an alert on a mobile device running the Fingbox app and/or by email. No texts. It also has a network vulnerability test. It can detect whether UPnP or NAT-PMP are enabled in the router, and, if so, it reports on the ports that were opened by UPnP and can also close these ports. It was discussed on Episode 745 of the Mac Geek Gab Podcast (Jan. 21, 2019). See the June 2018 User Guide and the March 2018 User Guide.
History: It first became available in October 2017. It was reviewed in Dec. 2017 by Doug Reid for SmallNetBuilder.com. As of Jan. 2019, it cost $99, in Dec. 2017 it cost $129.

Perhaps the first such home network security appliance was the Bitdefender Box. David Strom reviewed it in June 2015. At the time it cost $199 to purchase and $99/year to own. In August 2017, it was reviewed by Doug Reid at SmallNetBuilder.com. The box has two 100Mbps Ethernet ports and 2.4GHz Wi-Fi and includes a Bitdefender software subscription. However, it only inspects outbound traffic and is hard to install. It needs to be the DHCP server for the LAN and it sets itself as the default gateway, even when working with an existing router. Outbound connections are checked by the Bitdefender cloud. If a URL is considered malicious, it is blocked and a message appears in the mobile app. It also scans the LAN for devices with security flaws. The box does not detect DoS attacks, either incoming or outgoing. At the time, it sold for $130.
Sometime in 2018 they released a second generation, the Bitdefender BOX 2, that sold for $180 to $200 with a 1 year subscription (still $99/year afterwards). The company offers 24/7 Setup and Tech Support for free at 800-804-4602. You must create a Bitdefender account. It includes their antivirus/security software for an unlimited number of Windows, macOS, Android and iOS devices. It also includes Bitdefender VPN to use on Windows, Android, macOS and iOS. The free VPN offers 200MB of daily traffic per device. They sell a higher end VPN product for an additional fee. Three configurations are supported: with an ISP-supplied gateway, with a modem and an existing router, or, with just a modem, in which case the Box functions as the only router. They prefer using it with a modem and existing router, in which case the Box does DHCP. It works with most routers, not all. It will notify in the mobile app when a new device connects to the LAN and it can control what that device can do. It self-updates and reboots in the middle of the night to install new firmware. It offers Parental Controls, blocks bad URLs, scans for network security flaws and alerts about malicious activity. See their comparison with Cujo, F-Secure SENSE and the Norton/Symantec Core router. As of Jan. 2019, it was available in the US, Canada, Japan, France, Germany and Romania.

Firewalla plugs into a router via Ethernet to offer security, monitoring, ad-blocking and parental controls. As of Jan. 2019, there is a single model that sells for $110. A higher end model is expected to ship in Feb. 2019, see the differences. There are no monthly fees. The current low-end model maxes out at about 100Mbps, the faster model is rated for 400-500Mbps. You can squeeze some more performance out of it by picking which devices are monitored. It claims to protect your network from viruses and malware, and if so, is a rare product offering that for free. It does intrusion prevention, both IDS and IPS. It does both internal and external vulnerability scans and self-updates. It runs a full Linux distribution and includes an OpenVPN server for when you are away from home, saving the cost of a paid VPN service. It looks for unusual uploading behavior and has hourly, daily and monthly bandwidth usage reports (for each device?). It can track bandwidth by domain. It can show every single IP connection for a monitored device. It offers outbound firewall rules. As for privacy, it continuously monitors your network and phones home about what is going on. Quoting: "Firewalla uses deep insight and cloud-based behavior analytics engines to actively detect and automatically block problems as they arise." Parental controls show what kids are doing, let parents cut off all net access, or block just gaming or social networks. It can block adult websites. It uses either ARP poisoning or DHCP to intercept traffic. It is not compatible with all routers. It is administered with a mobile app that can be used anywhere. It is from a new company started by former executives at Cisco. As of Jan. 2019, the last firmware release was July 2018, which seems like a long time for a new startup.

Cujo sits between your router and modem (logically or physically) and offers security protection (but no privacy protection). It is billed as a smart firewall. The original plan was for it to offer firewall, anti-malware, antivirus, deep-packet inspection and machine learning protection. Only some of these features were in the first release. Steve Gibson pointed out in July 2016 that it can run in either Gateway mode or Bridge mode. The new mode lets it plug into a LAN port of your router. So, how does it then intercept LAN traffic? It does an ARP spoofing attack on your LAN. Quoting the company: "We send packet header data (but not full packets) to our cloud to analyze device behavior, compare your traffic to commercial threat intelligence feeds, and to make sure that unauthorized IP's do not connect to your network." And, this: "CUJO analyzes your local network traffic data locally and in real time. It then sends statistics on that data to the cloud for further analysis ... we don't send the contents of those packets to the cloud. If a threat or suspicious activity is detected, CUJO will tell the cloud what it has blocked so you can receive a notification on your mobile app to confirm it." The pre-order price was $99 and the first models were expected to ship in March 2016. Then May 2016. The devices actually shipped in July 2016 for $99 with 6 months of service included. Afterwards, service is $9/month. SmallNetBuilder first reviewed it in Sept 2016, then again in June 2017. See CUJO Smart Internet Firewall - Second Look by Doug Reid. In the cloud, CUJO keeps track of bad IP addresses. It is also aware of normal device behavior. It has been reported that Spectrum will start using Cujo sometime in 2019. In March 2019, Talos found 11 bugs in the device.

Dojo plugs into your router and watches your network for security issues. There is a companion smartphone app, of course. Dojo is a rock/pebble looking thing that glows different colors to indicate current status. On June 1, 2017, TechCrunch wrote: "All traffic on a home network has to be routed via the Dojo for it to be able to see what's going on ... and perform its anomaly detection function ... You'll also need to be comfortable providing a third party company with data stream visibility of your home network."
History: Pre-orders started Nov. 2015 for $99 with a year of service. The estimated price then was $199 with a year of service. The first devices were expected in March 2016. As of May 8, 2016 there was no expected ship date. In August 2016, Dojo Labs was purchased by BullGuard. On Oct 15, 2016, Amazon.com said it was unavailable. In January 2017 it was reported that Dojo would be available in the US in mid-April 2017. By May 2017, there was a new Amazon page that on Jan 21, 2019 was selling it for $99. On May 31, 2017 Wired did a puff piece about it saying it went on sale that day for $200 (including the first year of service). The ongoing charge, after the first year, will be $99/year. As of Jan 21, 2019 it was being sold by Bullguard for $200 with a free lifetime subscription service.

Recon Sentinel is a small box that plugs into a router and "automatically finds everything that is connected to your network." Their press release: Cigent Announces Availability of Recon Sentinel, Allowing Small Office and Home Office Users to Fight Back Against Cyber Attacks (June 11, 2018) is all fluff. It begins: it "adds a layer of detection and defense above and beyond traditional antivirus, antimalware, and firewall solutions ... adds endpoint security that keeps users from losing their data once a breach does occur ... detects and block nefarious behavior ... constantly looking for signs of intrusion or other cybercriminal activities ... uses sophisticated deception technology to identify hacking activity." It costs $150 for the first year and $100/year thereafter. It is only available directly from the company.
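Several of the boxes above (Fingbox, Firewalla, Cujo, the Bitdefender Box) intercept LAN traffic by answering ARP for the router's IP address or by making themselves the default gateway. The same trick is used by attackers, so it is worth being able to see it happen. The following is an added example, not code from this site or from any of these vendors: it reads ARP replies in the line format that `tcpdump -n arp` prints (format assumed; the capture below is constructed) and reports any MAC address other than the first one seen for the gateway IP, along with the other IPs that MAC also answers for.

```python
import re
from collections import defaultdict

# One line of `tcpdump -n arp` output (format assumed; see lead-in).
ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"is-at (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
)

# Constructed sample capture: the real router answers for 192.168.1.1 at first,
# then an add-on box at .50 starts answering for the gateway IP with its own MAC.
SAMPLE_CAPTURE = """\
12:00:00.100000 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28
12:00:00.100500 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28
12:00:01.200000 ARP, Reply 192.168.1.20 is-at aa:bb:cc:00:00:20, length 28
12:00:02.300000 ARP, Reply 192.168.1.50 is-at de:ad:be:ef:00:50, length 28
12:00:03.400000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:50, length 28
12:00:04.500000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:50, length 28
"""


def parse_arp_replies(capture_text):
    """Return [(timestamp, ip, mac)] for each ARP reply line; other lines are skipped."""
    replies = []
    for line in capture_text.splitlines():
        m = ARP_REPLY_RE.match(line)
        if m:
            replies.append((m["ts"], m["ip"], m["mac"].lower()))
    return replies


def gateway_impersonation_alerts(replies, gateway_ip):
    """Trust the first MAC observed for gateway_ip; alert on every other MAC that
    later claims it, recording when it first did so and which other IPs that MAC
    answers for (an add-on box normally also answers for its own address)."""
    trusted_mac = None
    ips_by_mac = defaultdict(set)
    alerted = {}  # mac -> timestamp of first reply claiming the gateway IP
    for ts, ip, mac in replies:
        ips_by_mac[mac].add(ip)
        if ip != gateway_ip:
            continue
        if trusted_mac is None:
            trusted_mac = mac
        elif mac != trusted_mac and mac not in alerted:
            alerted[mac] = ts
    return [
        {"mac": mac, "first_seen": ts, "trusted_mac": trusted_mac,
         "also_claims": sorted(ips_by_mac[mac] - {gateway_ip})}
        for mac, ts in alerted.items()
    ]


if __name__ == "__main__":
    for a in gateway_impersonation_alerts(parse_arp_replies(SAMPLE_CAPTURE), "192.168.1.1"):
        print(f"ALERT: {a['mac']} answered for the gateway at {a['first_seen']} "
              f"(trusted MAC {a['trusted_mac']}); also claims {a['also_claims']}")
```

If you run this against a live capture, expect an alert from an add-on box that you installed on purpose; an alert from a MAC you do not recognize deserves a closer look.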

Add-on Security via Router Firmware

In January 2018, Netgear announced a forthcoming security subscription service for their routers called Armor. Basically, it is Bitdefender antivirus running in the router. There is a 90 day free trial, thereafter it will cost $70/year. As of July 31, 2018, it was available for only two Netgear routers, the R7000P and the R6900P. As of Jan. 2019, it was slated to "soon" be available on the Orbi AC3000 model RBK50 and the Orbi Voice AC3000 model RBK50V. The list of features is long, perhaps too long. My favorite feature is that it dings the router administrator when a new device joins the network and lets the admin block the new device. It also claims to block viruses, spyware, spam, phishing and bad websites. Netgear claims it will scan your LAN and report on connected devices with vulnerabilities and weak passwords. We'll see. The subscription lets you install Bitdefender security software on your Android, iOS, Windows, and Mac devices. Your network can be remotely managed at armor.netgear.com. I have not seen a single review of the service. Note that a similar service from Trend Micro, used inside Asus routers, had been found to spy on you.

Owners of the Eero mesh router system can pay an extra $10/month for added security called Eero Plus. They have partnered with a few companies to offer assorted security features. From Zscaler they get a database of threats to protect you from malicious websites with viruses, phishing scams, and more. It claims to block everything bad: ransomware, malware, viruses and ads. It also watches out for unknown or suspicious domains. It lets you download Malwarebytes on up to 3 devices. It can control what your kids can access. They partnered with the 1Password password manager. Paying for the service gets you VIP tech support from Eero. Finally, it lets you install the encrypt.me VPN (formerly known as Cloak) on your devices (it does not run in the router). Eero Plus costs $99/year, the same price as the VPN service by itself (assuming unlimited bandwidth).

Press release: D-Link Wi-Fi Router Powered by McAfee Will Automatically Protect Connected Home Devices, January 8, 2018. The D-Link AC2600 router is expected to be released in the second half of 2018 at an unknown price. It will feature security by the McAfee Secure Home Platform that will monitor the network for malicious activity, whatever that means. It will also monitor the network activity of individual devices for threats such as visits to malicious sites. It will notify you when a device on your network does not have antivirus software installed. It will have parental controls that can restrict activities by device, including the types of websites visited and times of day that Internet access is allowed. Parents can monitor their kids' online activities.

Some Asus routers include security software from Trend Micro. I wrote Asus router warnings on privacy and security on May 5, 2017. This was based on Review: ASUSWRT router firmware by Daniel Aleksandersen (created in May 2017, last updated: Nov. 2017). It focuses on the data leakage to Trend Micro by their software running in Asus routers.

Likewise, some TP-Link routers also include Trend Micro software, marketed under the name HomeCare. The software adds antivirus and malware protection, and malicious site blocking to the firmware. It was initially released for the Deco M5 mesh system and the Archer C5400, C3150 and C2300. They also claim it will quarantine a previously infected device that joins the network.

Securifi's Almond Routers Get Subscription-based IoT Device Security Service by Ganesh T S at AnandTech, Jan 4, 2017. A subscription-based cybersecurity thing for routers that focuses more on traffic rather than viruses. It claims to report on connected devices with ports open to the Internet (nothing new here) and/or weak login credentials. It also claims to analyze the traffic pattern of connected devices to ensure that popular IoT devices are communicating only with their vendors' servers. It should detect devices whose traffic pattern is indicative of being a botnet member. It can also monitor the websites browsed by selected devices (parents watching kids). My favorite feature: notifications when a new device joins your network. An issue with all these systems is data leakage and the article says: "It must be noted that some of the above captured data is stored in Securifi's servers because they need to send push notifications to the user's smartphone even if it is away from the primary network." After a free trial, the price will be from $4 to $10/month.

Millions of Routers are about to Get a Lot More Secure, a press release from May 9, 2018. Many IoT devices lack basic security and privacy protection capabilities. F-Secure is trying to secure them by offering its F-Secure SENSE product directly to router makers and operators as software. They call it their Connected Home Security solution. It is said to integrate network and cloud security, router security and endpoint protection into a single experience for end users.

Minim, in their own words, "is an IoT platform that enables and secures a better connected home." They will offer an add-on to router firmware that they hope to get ISPs and router vendors to incorporate. Quoting again: "Minim's self-learning platform employs Quantum Fingerprinting and behavioral models to detect threats before they become problems." They are also partnering with IoT device manufacturers.

Dovado, a router manufacturer based in the United Arab Emirates, has integrated a SafeDNS filtering module in one of its routers.

For the most part, I avoid Parental Controls on this site, but what the heck. Netgear has partnered with Circle to include Circle's parental control software in some NETGEAR routers. Specifically, Circle is available in the Orbi line and 7 different Nighthawk routers (see here and here). You create profiles for each family member and then assign devices to each person. For free you can pause the Internet for specific people, filter what is and is not allowed and view a history of visited websites for each profile. Premium features cost $50/year (as of Jan. 2019) or $5/month. This lets you set time limits, create OffTimes when the Internet is blocked and offers more detailed usage statistics. Circle has to be activated first, then it is managed with a mobile app. They claim all data is kept locally, that nothing is sent back to Circle.

Supposedly Secure Routers

These routers are marketed as being secure; I have not tried any of them (other than Turris).

Assorted Resources


This page was last updated: May 23, 2019 4PM CT     
Created: March 29, 2015
Copyright 2015 - 2019