Router Security Router Resources Website by     
Michael Horowitz 
Home | Site Index | Bugs | News | Security Checklist | Tests | Resources | Stats | About | Search |
New page on learning what your current DNS servers are: Test Your DNS Servers
Table of Contents
Security AdvisoriesEmulators
My blogs about routersSelf Updating Routers
Consumer Router Alternatives Third Party Firmware
TOR and VPN Client RoutersVPN Client Routers
TOR RoutersJust Released Routers
Coming soon. Maybe.Default Router Passwords
Other Router Security AdviceAdding a router to a gateway
Addon Security DevicesAddon Security via Firmware
Supposedly Secure RoutersAssorted Resources

Security Advisories from router vendors

Emulators - kick the tires on a routers web interface  top

My blogs about routers  top

Self-updating Routers   top

Since many router owners do not update the firmware, a router that self-updates is, almost always, a good thing. Not that it doesn't leave other problems, but one less is one less. This list is, no doubt, incomplete. And, the view that self-updating is always good is overly simplistic. The Security Checklist page has the details on what to look for. The Routers with Self Updating Firmware page has details on how some vendors compare to this checklist.

Consumer Router Alternatives   top

Third Party Firmware   top

One way to avoid consumer router firmware is to install alternate, third-party firmware.

TOR and VPN Client Routers   top

VPN Client Routers   top

When most consumers encounter a VPN router, they are dealing with a router that can function as a VPN server. Much more interesting, to me, are the few routers that can function as VPN clients. That is, the software necessary to connect to a VPN server, is built into the firmware. Very few routers, running the software they shipped with, can function as a VPN client. However, alternate firmware, such as DD-WRT and Tomato, do include VPN client software. Complicating things, however, are the multiple types of VPN. The most popular seem to be OpenVPN, L2TP/IPsec and PPTP, with PPTP being the least secure.

HowToGeek wrote about using VPN client software on a router in July 2016. PC magazine has their opinion of the Best VPN Routers of 2018 (last updated Nov. 2018) but they only consider consumer devices from Asus, D-Link, TP-Link, Trendnet, Linksys and Netgear. And security is not a strong point: 9 of the 10 support WEP encryption and only 4 support WPA2 Enterprise. Wayne Rash wrote If You Don't Use a Business-Class VPN Router, Here's Why You Should for PC Magazine (November 28, 2018). He argues that while a consumer router may support a VPN, it can not match the capabilities of a business-class router.

TOR Routers   top

A word of warning about running Tor on a router from Matt Casperson: "Tor is only as secure as those applications whose data it is transferring, and one of the benefits of the Tor bundle is a browser that has disabled a number of plugins that are known to leak identifiable information."

Just Released Routers   top

Hot off the router presses.

Coming soon. Maybe.   top

A number of security devices are planned. Some are routers, others sit between your router and modem and yet others can plug into a router. These upcoming security devices are getting some press attention. See These Devices Are Trying To Secure The Internet of (Hackable) Things by Lorenzo Franceschi-Biccheirai (Jan. 8, 2016 at Motherboard). This list is in no particular sequence.

Default Router Passwords   top

Other Router Security Advice   top

This topic was moved on January 1, 2018 to the new Other Router Security Advice page.

Adding a router to a gateway   top

Add-on Security Devices   top

Many devices are sold that claim to add security to an existing network. This section was added Sept. 26, 2017 and is surely incomplete.

The Fingbox is networking device that you plug into a LAN port on your router. For it to babysit all the devices connected to the router, it has to be futzing with ARP and making itself the default gateway. If you use VLANs, you need one for each VLAN. Some routers block some features. It collects data about your network activity and sends it to Fing. So, people who want security get more surveillance. Features: block kids from using the Internet during dinner time, notify you of new devices on your network, block new devices by default, notify when a device leaves the network, block any device from accessing the Internet, it detects any nearby WiFi device, even those not on your network (is Billie home yet?), bandwidth analysis, Wi-Fi signal strength analysis, test Wi-Fi and wired speeds, detect evil twin networks and report on WAN side open ports in router. Notifications are by an alert on a mobile device running the Fingbox app and/or by email. No texts. It also has a network vulnerability test. It can detect whether UPnP or NAT-PMP are enabled in the router, and, if so, close router ports they may have opened. It first became available in October 2017. As of Jan. 2019, it cost $99, in Dec. 2017 it cost $129. It was reviewed in Dec. 2017 by Doug Reid for See the June 2018 User Guide and the March 2018 User Guide.

Perhaps the first such device was the Bitdender box, a home network security appliance. David Strom reviewed it in June 2015: Bitdefender Box Review: Pandora Had Fewer Problems. At the time it cost $199 to purchase and $99/year to own. In August 2017, it was reviewed by Doug Reid at The box has two 100Mbps Ethernet ports and 2.4GHz Wi-Fi and includes a Bitdefender software subscription. However, it only inspects outbound traffic and is hard to install. It needs to be the DHCP server for the LAN and it sets itself as the default gateway, even when working with an existing router. Outbound connections are checked by the Bitdefender cloud. If a URL is considered malicious, it is blocked and a message appears in the mobile app. The thing also scans the LAN for devices with security flaws. The box does not detect DoS attacks either incoming or outgoing. At the time, it sold for $130.

Like Dojo, the Cujo also sits between your router and modem (logically or physically) and offers security protection (but no privacy protection). It is billed as a smart firewall. The original plan was for it to offer firewall, anti-malware, antivirus, deep-packet inspection and machine learning protection. Only some of these features were in the first release. Steve Gibson pointed out in July 2016 that it can run in either Gateway mode or Bridge mode. The new mode lets it plug into a LAN port of your router. So, how does it then intercept LAN traffic? It does an ARP spoofing attack on your LAN. Quoting the company "We send packet header data (but not full packets) to our cloud to analyze device behavior, compare your traffic to commercial threat intelligence feeds, and to make sure that unauthorized IP's do not connect to your network." And, this: "CUJO analyzes your local network traffic data locally and in real time. It then sends statistics on that data to the cloud for further analysis ... we don't send the contents of those packets to the cloud. If a threat or suspicious activity is detected, CUJO will tell the cloud what it has blocked so you can receive a notification on your mobile app to confirm it." The pre-order price was $99 and the first models were expected to ship in March 2016. As of April 19, 2016, the expected ship date was end of May 2016. The devices actually shipped in July 2016 for $99 with 6 months of service included. Afterwards, service is $9/month. SmallNetBuilder first reviewed it in Sept 2016, then again June 2017. See CUJO Smart Internet Firewall - Second Look by Doug Reid. In the cloud CUJO keeps tracks of bad IP address. It is also aware of normal device behavior. It has been reported that Spectrum will start using Cujo sometime in 2019.

This press release: Cigent Announces Availability of Recon Sentinel, Allowing Small Office and Home Office Users to Fight Back Against Cyber Attacks (June 11, 2018) is all fluff. Recon Sentinel is a small box that plugs into a router and "automatically finds everything that is connected to your network." Then, the fluff begins: it "adds a layer of detection and defense above and beyond traditional antivirus, antimalware, and firewall solutions ... adds endpoint security that keeps users from losing their data once a breach does occur ... detects and block nefarious behavior ... constantly looking for signs of intrusion or other cybercriminal activities ... uses sophisticated deception technology to identify hacking activity." Its costs $150 for the first year and $100/year thereafter.

Add-on Security via Router Firmware   top

In January 2018, Netgear announced a forthcoming security subscription service for their routers called Armor. Basically, it is Bitdefender antivirus running in the router. There is a 90 day free trial, thereafter it will cost $70/year. As of July 31, 2018, it was available for only two Netgear routers, the R7000P and the R6900P. As of Jan. 2019, it was slated to "soon" be available on the Orbi AC3000 model RBK50 and the Orbi Voice AC3000 model RBK50V. The number of features is long, perhaps too long. My favorite feature is that it dings the router administrator when a new device joins the network and lets the admin block the new device. It also claims to block viruses, spyware, spam, phishing and bad websites. Netgear claims it will scan your LAN and report on connected devices with vulnerabilities and weak passwords. We'll see. The subscription lets you install Bitdefender security software on your Android, iOS, Windows, and Mac devices. Your network can be remotely managed at I have not seen a single review of the service. Note that a similar service from Trend Micro and used inside Asus routers had been found to spy on you.

Owners of the Eero mesh router system can pay an extra $10/month for added security called Eero Plus. They have partnered with a few companies to offer assorted security features. From Zscaler they get a database of threats to protect you from malicious websites with viruses, phishing scams, and more. It claims to block everything bad: ransomware, malware, viruses and ads. It also watches out for unknown or suspicious domains. It lets you download Malwarebytes on up to 3 devices. It can control what your kids can access. They partnered with the 1Password password manager. Paying for the service gets you VIP tech support from Eero. Finally, it lets you install the VPN (formerly known as Cloak) on your devices (it does not run in the router). Eero Plus costs $99/year the same price as the VPN service by itself (assuming unlimited bandwidth).

Press release: D-Link Wi-Fi Router Powered by McAfee Will Automatically Protect Connected Home Devices January 8, 2018. The D-Link AC2600 router is expected to be released in the second half of 2018 at an unknown price. It will feature security by the McAfee Secure Home Platform that will monitor the network for malicious activity, whatever that means. It will also monitors the network activity of individual devices for threats such as visits to malicious sites. It will notify you when a device on your network does not have antivirus software installed. It will have parental controls that can restrict activities by device, including the types of websites visited and times of day that Internet access is allowed. Parents can monitor their kids' online activities.

Some Asus routers include security software from Trend Micro. I wrote Asus router warnings on privacy and security on May 5, 2017. This was based on Review: ASUSWRT router firmware by Daniel Aleksandersen (created in May 2017, last updated: Nov. 2017). It focuses on the data leakage to Trend Micro by their software running in Asus routers.

Securifi's Almond Routers Get Subscription-based IoT Device Security Service by Ganesh T S at AnandTech Jan 4, 2017. A subscription-based cybersecurity thing for routers that focuses more on traffic rather than viruses. It claims to report on connected devices with ports open to the Internet (nothing new here) and/or weak login credentials. Also claims to analyze the traffic pattern of connected devices to ensure that popular IoT devices are communicating only with their vendors' servers. It should detect devices whose traffic pattern is indicative of being a botnet member. I can also monitor the websites browsed by selected devices (parents watching kids). My favorite feature: notifications when a new device joins your network. An issue with all these systems is data leakage and the article says: "It must be noted that some of the above captured data is stored in Securifi's servers because they need to send push notifications to the user's smartphone even if it is away from the primary network." After a free trial, price will be from $4 to $10/month.

Millions of Routers are about to Get a Lot More Secure a Press Release. May 9, 2018. Many IoT devices lack basic security and privacy protection capabilities. F-Secure is trying to secure them by offering its F-Secure SENSE product directly to router makers and operators as software. They call it their Connected Home Security solution. It is said to integrate network and cloud security, router security and endpoint protection into a single experience for end users.

Minum, in their own words, "is an IoT platform that enables and secures a better connected home." They will offer an add-on to router firmware that they hope to get ISPs and router vendors to incorporate. Quoting again: "Minim’s self-learning platform employs Quantum Fingerprinting and behavioral models to detect threats before they become problems." They are also partnering with IoT device manufacturers.

Dovado, a router manufacturer based in the United Arab Emirates has integrated a SafeDNS filtering module in one of its routers.

Supposedly Secure Routers  top

These routers are marketed as being secure, I have not tried any of them (other than Turris).

Assorted Resources   top

This page was last updated: January 17, 2019 9PM CT     
Created: March 29, 2015
Viewed 66,631 times since March 29, 2015
(48/day over 1,391 days)     
Website by Michael Horowitz      
Feedback: routers __at__ michaelhorowitz dot com  
Copyright 2015 - 2019