router security

Hi! Wow, look at this new forum software.

Anyway, some program I use — maybe free Avast, maybe Dell-installed McAfee — periodically gives me a security assessment, and it always says my router is weak. It doesn’t give much explanation of this pronouncement, and one of the possible solutions it offers is to replace the router. I use a cheapo gateway provided by my ISP.

I look at routers and gateways on Amazon and see little to differentiate them on security issues — just advanced networking features I’m sure I don’t need, since all I do with it is connect my desktop to my ADSL line and my various devices to the Internet via WiFi.

So I Google “router security” to learn about security issues and maybe inform a guess about what’s supposedly weak about my router. The first and most coherent result is an interesting DIY website that advises not to use a consumer router at all and to avoid VPN entirely:

http://routersecurity.org/

The author seems to be bucking conventional wisdom, but to my layman’s ear what he says seems sensible. Is it? Is he perhaps being alarmist, and none of this is actually such a big deal? Is my software being alarmist when it says I should replace my gateway?

Thanks for any and all informed guidance.

Holy balls, hey JMJ!

I have never, ever bothered with such things. One of the more technical folks here may say differently, but IME the vast majority of attacks come from infected ads or browser security holes rather than active attacks aimed at your router.

Some of his tips are common sense, but others are based on rumor about bad manufacturers and some (the last few especially) venture into tin foil hat territory. Turning off the router at night, for example. Yeah. You COULD and it technically would be more secure, but come on! Connected home stuff makes that a virtual impossibility anyways.

In general I’d say avoid the crap given or rented to you by an ISP since you have no control over it. Buy a brand / model that is well rated and has a good history of updates. The Wirecutter has a decent rundown of models and the article is updated a few times a year.

Diego

How old is your router? What’s the newest standard it supports? G? N? AC?

I think commercial routers are fine. DIY seems like overkill. The main problem is that most people don’t bother changing the default passwords on the router, or choose really crappy WiFi passwords. A lot of newer routers now come with unique passwords (instead of “password”) by default.

Make sure you have the latest firmware from the manufacturer. If it’s an older router, you might want to get a newer one, as the manufacturer might have stopped updating the firmware. (On the plus side, if your router is that old, you can probably benefit from a newer, faster, more powerful router; besides, my experience is that routers usually burn out after 2-3 years.) If you don’t want to buy a new router but it’s got old firmware, you can see if you can flash it with an open-source firmware like Tomato or DD-WRT.

Firmware is critical because security holes in routers come up every now and then, and the vast majority of them are left unpatched because the manufacturer stopped supporting the router with new firmware or (in most cases) the average consumer has no idea about firmware and routers and that you have to update them.

The other thing I suggest is that you use a password manager and generate a really secure password for router administration. Again, one issue is that a lot of manufacturers have a default password (literally “password”) out of the box. Most consumers have no idea that they should actually change the default password to something that actually is hard for hackers to guess.

And third, make sure that you’re using really strong passwords for WiFi. What I like about my Netgear R7000 router is that it lets me have a guest WiFi in addition to my private network WiFi. I printed out the guest WiFi ID and password and if family or friends are visiting and they want to use WiFi on their phones, I point out the paper on the kitchen cabinet with the guest credentials. The guest WiFi does not give them access to any of the computers or devices that are connected to my network, so they have WiFi access, but they can’t snoop around. And I’m not sharing my private WiFi password with everyone I know; that is, if you’re like most people and you throw a few parties, inevitably people ask to get on your WiFi and before you know it you’re giving away the keys to your kingdom to dozens of people.

You should absolutely be using a router, with updated firmware, and it should not be listening on the internet side (WAN). So if you go to http://192.168.100.1 to get to the router’s admin interface, going to http://whatever.your.public.IP.is/ shouldn’t respond at all.

You’re running Avast and McAfee? Remove McAfee. It’s shit and they will conflict with each other.

I recommend getting a router that’s about a year old (but not more than two years old), from a reputable manufacturer, and make sure you update the firmware to latest.

More here: https://blog.codinghorror.com/welcome-to-the-internet-of-compromised-things/

Ah shit, I was blissfully unaware of stuff like this and now it looks like I have to replace my 8-year-old router that was installed by the ISP. Damn!

Yeah, that guy willfully ignores that it’s not particularly hard to find whitepapers on the shortcomings of various commercial grade routers, nor that they too can have bug lists pages long and slow responsiveness to patch. He reckons there ain’t exploits or attacks out there for Cisco 8xx series routers et al. Yeah, right. ROFL!

Maybe you might be safer from the script kiddies testing the latest remote exploit on whatever consumer brand because it was on the front page of Twitter, but the alternative equally exposes you to the swathe of exploits out there targeting commercial enterprises (who, btw, are just as typically bad at keeping firmwares and security policies up to date).

Just get a good quality, well regarded (Wirecutter is good for this) consumer grade router and you will be fine. Follow the advice on controlling what you can control - change passwords, WiFi security settings, changing SSID, firewalling, disabling UPnP, keeping firmware updated, etc.

I do concur that moving off the ISP provided router is a sound policy. Too old/feature limited/locked down/poorly configured/not patched, etc, etc.

Thanks @sharaleo. My ISP installed two things. A modem to connect the fibre cable into and a router which connected to the modem. Now, I’m not familiar with the latest router tech but is there one (wifi router) which has fiber modem built in so I have one less device to power?

Thanks, everyone. I see good recommendations on Wirecutter that are repeated on wumpus’s blog discussion, so I will go with those. I appreciate the help.

Hey guys. Question about internet security at home: Currently I’m on Virgin Media broadband that enters my house via cable and is then disseminated via wifi by their own proprietary modem… but I can also plug in via LAN cable, as per age old standard, and get much faster download speed, and more importantly for me, good Skype quality.

I’ve heard that the wifi broadcast from these boxes have their own firewall or security system that prevents hacking or intrusions or whatever bad people might do, but that by plugging in directly, you are bypassing that layer and might be exposing your PC. Is this the case? Sounds odd.

Also, does Win10 by default have good firewall-y type measures built in? If I’m not doing anything extraordinary on my machine, should I be doing anything other than the free version of (name your security software, mine is Avast I think. Or AVG.)

Typically you can log into your Superhub on 192.168.0.1 with password “changeme” and have a nosy about to see what the security settings are if you’re curious. There’s nothing special that I’m aware of. It’s made by Netgear and there’s no special tech in it.

The router sits between the Internet and your device so should be equally secure regardless of connection, WiFi or Ethernet. But, there are obviously MORE security measures over WiFi to keep the WiFi connection secure, i.e. to stop someone accessing your network wirelessly - but if you’re using a cable this isn’t an issue.

A cable connection is the way to go if speed matters, and if you want to be a little more secure turn off WiFi altogether, or set it so it doesn’t broadcast the SSID, but honestly that’s a pain in the bum, and again doesn’t really offer much security if someone is determined to hack you.

I don’t personally have any special firewall software, just Avast and Malwarebytes Premium, and if someone is coming after you they’re going to get you. You worried about DDOS attacks while gaming or something?

Oh, you can also set the Superhub (1 and 2 anyway, is 3 out yet?) into “cable modem” mode which turns off all the router functions, including WiFi, then you can plug your own router into it and use that for routing.

Cool, thanks Anton. Honestly, not really afraid of much, just checking to make sure I’m not doing anything stupid. It was a throwaway line in one of those rudimentary articles about security (aka “don’t use free wifi in a cafe without double checking if it’s actually the cafe”) and said something like “ironically, those not using a wifi connection in the home might be the most at risk”, because being wired didn’t give you the wifi firewall benefits or something. I dunno.

If your computer’s address is 192.168.anything, you’re behind the router and not exposed to the internet.

Unless you put that address in the DMZ, of course, but I don’t see why you would do that.

The idea that you’d be more secure with a wireless connection has me baffled, and all I can come up with is a situation where someone gets physical access to your router or a switch on your network - not out of the question but it’s difficult for a hacker to be surreptitious with a hundred metres of Cat5e dangling out your window and down the garden to his black van.

Ha ha, this was a whole year ago! Well, I bought that modem and router right away, but I put off opening the box because I’m a lazy bum… Until today. When I found out “cable modem” isn’t just a general term. I have ADSL! hoo hoo hoo

Anyway, I look around on Amazon and Newegg for DSL modems (since I still wanna use this nice router) and hardly find a thing. Any recommendations? Besides getting cable, which I won’t do because cable companies suck and because my ISP (Sonic.net) will offer gigabit fiber service in my neighborhood sometime “soon”?

If you plan on upgrading soon, hold off. Each of those routers, as you’ve found out, has a different media type on the WAN side. The gigabit service will most likely require an ethernet based WAN port.

If you’re set on keeping ADSL for a while, I would start with contacting your provider for approved 3rd party vendors and modem/router models.

This is an example of what I’m talking about; this one is from Spectrum:
http://www.spectrum.net/support/internet/compliant-modems-charter-network/

What can happen is you might get something that will not work, so then you’re in twice for hardware you can’t use. :( Even worse, if you call in for support and it isn’t an approved vendor, they -might- give you a bit of a run around, or blame things on your gear, regardless of where the problem might actually lie.

Thanks — that makes perfect sense, and the part about ISPs blaming conveniently unauthorized equipment certainly rings true.

I did this with Time Warner Cable a couple of years ago and I’ve been extremely happy not to be paying for their piece of crap since then. I went from needing weekly reboots on their gear to not having to touch mine at all in two years time.