Advice for novice on home network security

aps

Occasional Visitor
So I’m a newbie who has landed here in an effort to get some advice as to how to design a secure home network with seamless Wi-Fi coverage. I’ve got a little bit of IT knowledge but am far from an expert, so the biggest constraint will likely be my capabilities; please assume that “I know nothing”.


Our home network has a mix of Windows 10 laptops (running s/w firewall and anti-virus), tablets + smartphones (iOS), A/V devices (AppleTV), NAS (Synology) and IoT devices. Internet access is at the front of the house, with a consumer Wi-Fi router-modem and then an unmanaged switch that connects Ethernet cabling to most rooms. Wi-Fi plays an important role but is problematic as the old double-brick walls mean that a single Wi-Fi router at the front of the house doesn’t achieve coverage throughout the house. To date, we’ve never accessed the home network when away from home nor do we use BitTorrent. We would like, though, to provide guests with Wi-Fi access and this needs to be secure / separated from our data etc.

My goal isn’t that well defined but think I’d like to restrict access to bad web-sites (at present use OpenDNS), stop malware, stop intrusions as well as loss of data etc. It’d also be good to ensure that guests can access the internet without compromising the network. I’m sure that there are lots of other security related objectives that should be included on this list so don’t hold back – the goal is to have as secure a network as possible given my limited skills in networking and desire to not adversely impact network performance. A related objective is that I’d like to get seamless Wi-Fi through the house and parental controls to control access for kids. The main question seems to be the relative merits of
  1. consumer Wi-Fi router,
  2. consumer “mesh” Wi-Fi router (e.g., Amplifi, Netgear Orbi)
  3. business router (e.g., Edgerouter)
  4. dedicated firewall (e.g., Sophos XG)
  5. dedicated UTM; e.g., Sophos XG + Add on.

It’d be good to get input as to the right path for someone in my situation. A couple of related points.
  1. I’m after a true appliance that just runs-and-runs. (I’m not afraid to build a machine to host Sophos XG or pfSense etc. but don’t have the time or inclination to tinker with this in an ongoing fashion once set-up.)
  2. Wi-Fi seems to be relevant to the answer as option a) requires adding a second access point most likely with a different SSID to allow switching between networks but this isn’t that great. The implication is that this might force me down the path of option b, running something like Netgear Orbi as an access point behind the firewall-router or a set of Ubiquiti Access Points tuned to allow seamless roaming.

Open to all and any advice - including letting me know that I’ve misunderstood situation / requirements.
 
TLDR; I'd look at Wi-Fi /mesh systems.

You seem to be the target consumer for the Wi-Fi systems that manufacturers are pumping out these days. These are basically multi access point systems using wireless connection between APs (backhaul). They, and most consumer routers today, have guest network features that keep that traffic isolated to internet access only.

Also supported are basic parental controls, mostly focused on controlling when and how long users and devices "assigned" to them, can access the internet. eero, Luma and others have introduced paid subscription plans that add more parental controls like site/domain filtering.

The requirement to "stop malware" bumps you into a next category that isn't generally available in consumer stuff. This involves some level of traffic inspection which must be fingerprinted against some database(s) that must be constantly updated.

Finally, you should know "seamless roaming" depends very much on your devices. The newer they are the more likely they will not stick to the first AP/mesh node they see and refuse to move.

Some Wi-Fi systems have some mechanisms built in to try to help devices move smoothly. But again, success depends on your expectation and devices. If you just want your devices to move to an AP that provides a stronger signal and it's ok if it takes seconds to do it, you are more likely to be happy. If you are expecting sub-second transition with nary a packet lost, you are more likely to be disappointed.
 
Much appreciated.

The requirement to "stop malware" bumps you into a next category that isn't generally available in consumer stuff. This involves some level of traffic inspection which must be fingerprinted against some database(s) that must be constantly updated.
Is this, in your experience, a real requirement for the home user? We are running A/V on the Windows 10 computers but nothing on the iOS devices or other appliances.

Finally, you should know "seamless roaming" depends very much on your devices. The newer they are the more likely they will not stick to the first AP/mesh node they see and refuse to move. Some Wi-Fi systems have some mechanisms built in to try to help devices move smoothly. But again, success depends on your expectation and devices. If you just want your devices to move to an AP that provides a stronger signal and it's ok if it takes seconds to do it, you are more likely to be happy. If you are expecting sub-second transition with nary a packet lost, you are more likely to be disappointed.
Our issue is that the Wi-Fi from the modem router just reaches around the house but isn't good enough to hold a FaceTime call (even on a new device), and a second access point in the remote room has to be a different SSID. I'm thinking that something like Netgear Orbi just for Wi-Fi running in AP mode behind a better firewall might be the answer.
 
Check if Asus's Lyra supports the Trend Micro-powered AiProtection (I don't remember). Otherwise, you'd have to wait for them to finalize their AiMesh technology.
 
IMO you should be running good AV software on everything that can download email or surf the web. The free version of Avast has saved my butt many times by blocking drive-by downloads from websites, which are all too common these days.

For example, lately, I've been getting the fake "your computer has been infected..." redirect when I hit my MyYahoo page (don't judge ;)). While this one is harmless, as long as you're not naive enough to call the 800 number for "help", it's an example of the crap that manages to temporarily bypass the automation that powers ad bidding systems today.

The other thing is to at least try to educate all household members about phishing and how to protect themselves.

Beyond that, protecting IoT devices is secondary. The big risk there is IP cams. Make sure you have changed the default password and don't buy cheap no-name systems.

If you like the router you have, you can get a NETGEAR EX8000 or Linksys RE9000 extender. If you want to rip and replace you could do as you suggest with Orbi, Linksys Velop and other Wi-Fi systems.
Check our Ranker. Be advised Google WiFi does not support AP/bridge mode.
 
While this one is harmless, as long as you're not naive enough to call the 800 number for "help"

I got a phone call last week from "Microsoft"'s tech support. No need to say the call didn't last long...

I second that: everyone should be running at least a basic security software on their computers. I know some people claim that they're tech-savvy enough to not require one, but truth is, some major legitimate sites have been infected in the past. That means just visiting those legitimate sites can potentially infect you without you clicking on anything suspicious. It's a good thing that Windows 10 comes with Defender built-in, as it does offer a decent layer of protection.

This does pose a problem for mobile devices, where having perimeter security might be a good idea. That's the main reason why I keep Trend Micro's malicious website blocking enabled on my router, even though my computers already have local security solutions installed.
 
Finally, you should know "seamless roaming" depends very much on your devices. The newer they are the more likely they will not stick to the first AP/mesh node they see and refuse to move. Some Wi-Fi systems have some mechanisms built in to try to help devices move smoothly. But again, success depends on your expectation and devices. If you just want your devices to move to an AP that provides a stronger signal and it's ok if it takes seconds to do it, you are more likely to be happy. If you are expecting sub-second transition with nary a packet lost, you are more likely to be disappointed.

Our current situation sees a Wi-Fi modem-router at the front of the house and a cheap access point at the back of the house. These have different SSID (i.e., Front 2.4GHz, Back 2.4GHz, etc.) and devices have been set-up such that most fixed devices that just have Wi-Fi (e.g., Wii U) use the 2.4GHz channel. Our iOS phones and tablets use the front and back 5.0GHz channels and it is with these that we have a problem. Specifically, the iOS devices tend to stick to the first network seen and don't switch even when one moves to the other end of the house with this resulting in poor performance especially on FaceTime calls.

I guess that I could use a single mega Wi-Fi router in the middle of the house so I'm after a solution that allows for good performance across the entire house without the need for users to manually switch networks. A good performance metric might be that a FaceTime call isn't obviously impacted by the switch. I don't really understand the potential solutions but thought that these included a) UniFi AC Pro AP that has tools to allow tuning of output power etc. to allow for better integration of multiple AP and b) Netgear Orbi or similar that replaces this with a single network (but I'm not sure if this is in fact the case).

Re Orbi: Does this solve the issue of hand-over between networks or does it just have the same problem in disguise; i.e., hand-over between satellites?
 
Again, it is the device that decides when to roam. Where it roams to depends on many factors.

Apple devices are notoriously "sticky". But then I have heard many reports that Apple devices roam fine. I suspect it depends on the device generation and OS used.

Wi-Fi systems are essentially a wireless router and access points connected via Wi-Fi. Whether the boxes are called nodes, mesh points, satellites, etc. is just marketing.
 
Check if Asus's Lyra supports the Trend Micro-powered AiProtection (I don't remember). Otherwise, you'd have to wait for them to finalize their AiMesh technology.
Thanks. Just looked at ASUS AiMesh and the marketing literature seems to indicate that it'll do what I need in that the routers work together to figure out the best connection point for the end device. Any idea when this will be available? And will it work with existing routers? (If so then I could get something like ASUS RT-AC86U and add another unit down the track when AiMesh is supported.)
 
Any idea when this will be available?

I don't know. The first ETA I had received from them was "October". It's now January and they are still pushing new beta releases to the public, so I don't know what their next ETA is.

You can follow the discussions here on the forums where Asus engineers are posting betas and gathering user feedback:

https://www.snbforums.com/threads/o...r-rt-ac68u-rt-ac86u-rt-ac5300-rt-ac88u.40745/

Keep in mind that this is all still beta, so I'd wait until it's out of beta AND there's some real-world feedback about it before investing in purchasing multiple routers with the intent of using it.
 
I don't know. The first ETA I had received from them was "October". It's now January and they are still pushing new beta releases to the public, so I don't know what their next ETA is.

You can follow the discussions here on the forums where Asus engineers are posting betas and gathering user feedback:

https://www.snbforums.com/threads/o...r-rt-ac68u-rt-ac86u-rt-ac5300-rt-ac88u.40745/

Keep in mind that this is all still beta, so I'd wait until it's out of beta AND there's some real-world feedback about it before investing in purchasing multiple routers with the intent of using it.

Understand. I've found a few people in the same city with the same equipment and location who have bridged their old (Billion) modem-router and used the AC86U as a modem-router that covers the entire plot / house with faster Wi-Fi. All sounded good until I came across this review https://www.ctrl.blog/entry/review-asuswrt#section-asuswrt-privacy which, whilst I'm not qualified to assess, has given me pause for thought - not so much the "may" share data but the firmware updates or lack thereof. Is this a real concern and/or one addressed with ASUSWRT-Merlin?

Edit: Got to that site from https://www.routersecurity.org/ which, as above, seemed to pour cold water on a secure consumer solution but I don't have any facts as to which of the issues are real for which router etc.
 
The RT-AC88U got the first official AiMesh-enabled release today from what I've seen (firmware releases 384.xx will be the ones adding AiMesh).

So the official rollout has started. No idea when each specific model will be released.
 
I came across this review https://www.ctrl.blog/entry/review-asuswrt#section-asuswrt-privacy which, whilst I'm not qualified to assess, has given me pause for thought - not so much the "may" share data but the firmware updates or lack thereof. Is this a real concern and/or one addressed with ASUSWRT-Merlin?

That post is making a lot of assumptions based on the EULA rather than technical evidence. At a technical level, the router will NOT send any information to Trend Micro if you just use Adaptive QoS, for instance. The Malicious Website protection does, as it leverages their cloud-based WRS service. This being said, they send data related to the URL being analyzed. The EULA will be far broader than what is actually being sent, just to protect them legally in case additional info might be sent embedded in this URL data. It's standard with any EULA.

Personally, I don't think there's anything to worry about there. Note that the same things would also apply to Microsoft's own SmartScreen...

BTW, that article contains a fair dose of BS, so take it with a grain of salt... That "router goes down 1 minute before midnight" for instance makes zero sense, and nobody has ever reported anything similar.

Edit: Got to that site from https://www.routersecurity.org/ which, as above, seemed to pour cold water on a secure consumer solution but I don't have any facts as to which of the issues are real for which router etc.

He mostly gives basic advice that would apply to any router, not just specific ones.
 
Apple devices are notoriously "sticky". But then I have heard many reports that Apple devices roam fine. I suspect it depends on the device generation and OS used.

I haven't found them to be better or worse than anything from Google (Android/ChromeOS) or Microsoft - in a common SSID environment, most issues are not due to the client, but due to AP placement - e.g. the APs are too close together, so the threshold to trigger a handover is not met...

In multiple SSID setups - that pretty much guarantees that a client is going to prefer the current associated SSID until the connection either drops, or the user intervenes and manually chooses another SSID.
 
Thanks for all the responses. I've taken an incremental step of bridging my old ADSL2+ modem router and adding an RT-AC86U as a modem-router. The Wi-Fi on the RT-AC86U has much better coverage so no need for a repeater or separate access point, which is great. I've locked down the ASUS in terms of security but, ultimately, might try to tinker with pfSense. One question is whether from an architecture perspective I'd be better to a) put IoT devices on the RT-AC86U "guest" network with AP Isolation or b) run two routers with the IoT devices on the old modem-router and all important devices on the subnet behind the RT-AC86U?

Edit: Also, most of the IoT devices require operations via a smartphone so it'd be good to get a perspective on how to manage this in either model a or b. Are people just connecting to the secure IoT network temporarily or using an old purpose configured device or is there a smarter solution?

Edit: Another question is that we've got a bunch of A/V devices (e.g., Apple TV etc.) that access a combination of local and streamed media. My assumption is that these devices are on the main network so that they can access the local media but some (e.g., smart TV, etc.) might fit into the category of being less secure so should really fit on the IoT network. What is the right way to think about these devices?
 
Thought I'd summarise my questions:

  1. Is it better to put IoT devices on a "guest" network with AP Isolation or run the IoT devices on a different sub-net; i.e., 3 routers?
  2. How does one manage IoT devices via a smartphone without compromising security? (Or is it best to use an old smartphone for this role?)
  3. How does one think about A/V devices that might have less than perfect security but need access to local media stored on a network NAS?
 
1) Put them on their own VLAN with no access to the internet. Change the admin account name and password if possible. "Guest" is usually a VLAN, but it may still get internet access by default and you may not be able to change that. The manual may describe this.
2) Keep a separate dedicated VLAN and allow the phone's wireless MAC address on it as well. You will have to manually switch between wireless networks on the phone.
3) Dedicated VLAN without access to the internet.
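The three-segment layout in the answer above (trusted LAN, IoT VLAN with no internet or LAN access, A/V VLAN that reaches only the NAS), written out as an nftables ruleset. This is an added example, not code from the thread or from any router vendor; it assumes a Linux-based router with VLAN sub-interfaces, and the interface names, VLAN ids, NAS address and NAS ports are placeholders to be replaced with your own. The phone's MAC allow-list on the IoT SSID is done at the access point, as the answer says, so the router only has to keep that VLAN away from the WAN and the trusted LAN.

```nftables
#!/usr/sbin/nft -f
# Added example ruleset: three home-network segments.
# All interface names, addresses and ports below are assumptions.
flush ruleset

define WAN = "eth0"        # upstream / modem side (assumed)
define LAN = "br0"         # trusted LAN: laptops, phones, NAS (assumed)
define IOT = "br0.20"      # VLAN 20: IoT devices (assumed)
define AV  = "br0.30"      # VLAN 30: Apple TV, smart TV (assumed)
define NAS = 192.168.1.10  # Synology on the trusted LAN (assumed address)

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # Every segment may use the router for DHCP and DNS, nothing else
        iifname { $LAN, $IOT, $AV } udp dport { 53, 67 } accept
        iifname { $LAN, $IOT, $AV } tcp dport 53 accept
        # Router admin (SSH / web UI) reachable from the trusted LAN only,
        # so IoT and A/V devices can never reach the management plane
        iifname $LAN tcp dport { 22, 80, 443 } accept
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Trusted LAN may reach the internet and both VLANs (e.g. to cast to the Apple TV);
        # replies come back via the established,related rule above
        iifname $LAN oifname { $WAN, $IOT, $AV } accept
        # 1) IoT VLAN: no internet, no trusted LAN. The phone that manages the
        #    IoT devices joins the IoT SSID and talks to them at layer 2, so it
        #    needs no forward rule here.
        iifname $IOT drop
        # 3) A/V VLAN: only the NAS for local media (SMB shown; add the ports
        #    your media server uses), everything else including the WAN is dropped
        iifname $AV oifname $LAN ip daddr $NAS tcp dport 445 accept
        iifname $AV drop
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Only traffic the forward chain let through ever reaches the WAN
        oifname $WAN masquerade
    }
}
```

Load it with `nft -f <file>` and check the counters with `nft list ruleset` while an IoT device tries to phone home: with the forward policy set to drop, anything not explicitly allowed simply never leaves the segment, which is the property the answer relies on rather than on the guest network's default behaviour.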
 
Just for clarification, I have 3 wireless Cisco access points running 5 GHz only, using Cisco's 1 point access software, and our Apple iPhones roam fine throughout the house.

They do not seem to be sticky using Cisco's built-in one point access software in my three WAP321 devices.
 