Make vs. Buy for new router


maxxjr

Occasional Visitor
After reading a slashdot post / several articles about security issues on "consumer" routers, I am re-considering my setup.

I currently have a Netgear N600 wireless router. I spent some time when originally setting it up to get security where I wanted it. But I will take another look since it has been a while.

If "properly configured", should I have concerns?

Should I consider either

1) Looking at a more "professional" solution? Does the Netgear Prosafe line count?
2) Using a PC-based router, running Linux or pfSense. (I have an old Atom-based PC that would be good for this, only requiring purchase of a PCI Ethernet card)

For either of the above, I would likely keep the N600 behind the firewall for wireless connectivity.

Suggestions or comments?

Thanks!
 
I recently built my first router.
I got an ALIX board with a case and installed ZeroShell. I have to admit it was hard as a first-timer, but the result is superb.

I can do all the settings I have dreamed of for years and have the same small size, no noise and low power as I would have with a very expensive Cisco or Fortinet.
So I dropped my Zyxel USG 100, demoted my Asus Wi-Fi router to AP only, and I'm very happy.

For the cost, I spent 158.00 Euro for the hardware, and some time to build it and understand how it works ;)

I may build a bigger one later this year, with an Atom, just to use the antivirus on the router.

So if I were you I would go with a home-made one: use your hardware and drop in pfSense or ZeroShell, save money and have a better result.
:cool:
 
One thing to consider is: How fast can you get a replacement up if it crashes?

I used a homebuilt router for years, BUT it booted from a CD and had all configuration on a floppy disk. With a spare CD and a copy of the floppy I could get a replacement machine up in 5 minutes.

It also had a power consumption of 35 W (without a hard disk).

My Asus RT-AC66U (with Asuswrt-Merlin and Entware) together with the fiber converter and an extra switch draws 18 W. That's more than 150 kWh a year in saved electricity bill (because those 35 W did not include the ADSL modem or the switch).
 
After reading a slashdot post / several articles about security issues on "consumer" routers, I am re-considering my setup.

I currently have a Netgear N600 wireless router. I spent some time when originally setting it up to get security where I wanted it. But I will take another look since it has been awhile.

If "properly configured", should I have concerns?
Can anyone speak to his security concerns? Why would a DIY router be more secure?
 
If you're worried about security on consumer routers, one of the easiest things to do (and least expensive) is to have two consumer routers (from different vendors) and therefore two NATs.

You can disable wireless on the first one and just use it as a firewall/NAT. And then connect all of your home devices to the second router so as not to have file/printer sharing problems and thus keeping all devices behind two NATs/firewalls.

If you have the first router at 192.168.1.1, then you just cascade the second router and give it an IP address of something like 192.168.7.1

You will greatly reduce your risk of consumer router vulnerabilities with two NATs.

The greatest risk you have to your security is accidentally downloading malware on to your computer. So having a good antivirus software on your computers is really important too. Most consumer routers only firewall unsolicited traffic. They don't firewall outbound traffic, so again, making sure you don't have any malware on your computer(s) is very important. If you want a router that firewalls both inbound and outbound traffic, you'll have to spend more money and buy business class or build your own.

The link below describes good practices for securing your network.

http://www.us-cert.gov/sites/default/files/publications/HomeRouterSecurity2011.pdf
 
After reading a slashdot post / several articles about security issues on "consumer" routers, I am re-considering my setup.

I assume you're referring to this slashdot post:

http://it.slashdot.org/story/14/02/...me-networks?utm_source=rss1.0&utm_medium=feed

There's actually a simpler solution if you want to go the consumer router route: just disable the offending services that leave an outside port open for manipulation. Always keep UPnP disabled and just configure manually, and do you really need to be using a protocol as patently insecure as HNAP? Even if you installed that crap on your DIY router it wouldn't necessarily make an inherently insecure protocol more secure. There are more proven methods to remotely access your LAN.
 
I assume you're referring to this slashdot post:

http://it.slashdot.org/story/14/02/...me-networks?utm_source=rss1.0&utm_medium=feed

There's actually a simpler solution if you want to go the consumer router route: just disable the offending services that leave an outside port open for manipulation. Always keep UPnP disabled and just configure manually, and do you really need to be using a protocol as patently insecure as HNAP? Even if you installed that crap on your DIY router it wouldn't necessarily make an inherently insecure protocol more secure. There are more proven methods to remotely access your LAN.

It's not that simple. Certain vulnerabilities would need an extra NAT to lessen the risk.

Disabling UPnP, disabling services you don't need, and disabling remote administration are all listed in the link I provided in my previous post. You've just repeated them.

Example: Most people didn't even realize for 2 months that the Asus AC68/AC56 was opening up port 445 on the WAN when using the Samba server. Double NAT would have eliminated or greatly reduced the risk, along with the list in the link I provided above.

Another example: a double NAT would greatly reduce risk from the vulnerability described in link below (a Linksys vulnerability)

Lastly, Asus recently added an IPv6 firewall (Merlin's firewall) to their stock firmware. Prior to that, many people didn't realize that IPv6 wasn't firewalled. A double NAT would have eliminated that risk.

The severity of Vulnerabilities and/or flaws can be dependent on user level, but sometimes it makes no difference.


http://forums.smallnetbuilder.com/showthread.php?t=15572
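A practical way to catch the two cases mentioned in the post above (a Samba port bound on the WAN side, and IPv6 listeners that no NAT is hiding) is to audit what the router itself is listening on. The script below is an added example, not from the thread or from any router vendor. It parses the output of `ss -tulnp` from a Linux-based router (iproute2's `ss`; the sample output and the WAN addresses are constructed for the example) and flags every listener a WAN peer could reach: wildcard binds, binds on the WAN address, and any global-scope IPv6 address, since IPv6 has no NAT to fall back on.

```python
"""Flag router services reachable from the WAN, from `ss -tulnp` output.

Added example; the WAN addresses and the sample `ss` output below are
constructed, not captured from a real device.
"""
import re
from ipaddress import ip_address, ip_network

# Assumed: the router's own WAN addresses (constructed, RFC 5737/3849 ranges).
WAN_ADDRS = {"203.0.113.7", "2001:db8:1::7"}
ULA = ip_network("fc00::/7")          # IPv6 unique-local space, LAN-only by design

# Constructed `ss -tulnp` output: one UPnP daemon, Samba on the wildcard
# address, the web UI bound to the LAN address only, a loopback-only
# control port, SSH on the IPv6 wildcard, and a link-local DHCPv6 client.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q        Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0                   0.0.0.0:1900       0.0.0.0:*     users:(("miniupnpd",pid=812,fd=7))
tcp   LISTEN 0      50                  0.0.0.0:445        0.0.0.0:*     users:(("smbd",pid=1201,fd=5))
tcp   LISTEN 0      128             192.168.1.1:80         0.0.0.0:*     users:(("httpd",pid=600,fd=4))
tcp   LISTEN 0      128               127.0.0.1:953        0.0.0.0:*     users:(("named",pid=700,fd=9))
tcp   LISTEN 0      128                    [::]:22            [::]:*     users:(("dropbear",pid=512,fd=3))
udp   UNCONN 0      0          [fe80::1%eth1]:546            [::]:*     users:(("dhcpcd",pid=455,fd=6))
"""

PROC_RE = re.compile(r'\("([^"]+)"')   # first program name in users:(("name",pid=..))


def split_local(field):
    """Split ss's Local Address:Port into (address, port); handles [v6] and %scope."""
    addr, port = field.rsplit(":", 1)
    addr = addr.strip("[]").split("%", 1)[0]
    return addr, int(port)


def classify(addr):
    """exposed = reachable from the WAN, lan = LAN side only, local = loopback."""
    if addr in ("0.0.0.0", "::", "*"):
        return "exposed"                  # wildcard bind answers on the WAN interface too
    if addr in WAN_ADDRS:
        return "exposed"
    ip = ip_address(addr)
    if ip.is_loopback:
        return "local"
    if ip.version == 4:
        return "lan" if ip.is_private else "exposed"
    if ip.is_link_local or ip in ULA:
        return "lan"
    return "exposed"                      # global IPv6: routable, and there is no NAT to hide it


def audit(ss_output):
    """Return (proto, addr, port, program, verdict) for every listener line."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "Netid":
            continue
        addr, port = split_local(fields[4])
        m = PROC_RE.search(line)
        findings.append((fields[0], addr, port, m.group(1) if m else "?", classify(addr)))
    return findings


def exposed(ss_output):
    """Only the listeners a WAN peer can reach; the list to shut or firewall."""
    return [f for f in audit(ss_output) if f[4] == "exposed"]


if __name__ == "__main__":
    for proto, addr, port, prog, verdict in audit(SAMPLE_SS):
        print(f"{verdict:8} {proto}/{port:<5} {addr:20} {prog}")
```

Run it on the router itself (`ss -tulnp | python3 audit.py` after swapping `SAMPLE_SS` for `sys.stdin.read()`), then confirm from outside with a scan of your WAN address: a listener that this marks "exposed" is only safe if an input firewall rule in front of it drops WAN traffic, and on the sample the UPnP, Samba and SSH sockets are exactly the ones a double NAT would have hidden.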
 
There have been reports of some routers having a backdoor port open on the WAN side, where all sorts of mischief can happen, including changing the router config (subtle: changing the DNS servers used; heavy-handed: erasing the firmware and bricking the device). So it doesn't matter what additional NAT or firewall protection is configured on the inside. If the insecure device is the only router the telco / cable company / whatever supports, you're stuck.

I get lots of surplus Cisco gear when we decommission it at work. Right now I'm running a 2821 router with a variety of other cards in it (4x T1, 16 VoIP ports, VPN / crypto accelerators, etc. in addition to the 2 GigE ports built-in). I got the cable company to bring out a dumb cable modem-only device (no routing, etc.) and it is in bridge mode. Hopefully, the only way that changes can be made from outside is the cable company using the DOCSIS provisioning channel to talk to it.

If you go the home-built route (no pun intended), you need to keep track of vulnerabilities in its OS and whatever ports / packages / etc. you have installed. If it is the same OS / packages you're using on other systems, that may help you keep up-to-date. But it definitely isn't a setup-and-forget solution. And then there's the case of what to do if the hardware breaks - you don't want to be dead in the water, unable to order replacement parts online because your net connection went through the router and is now unusable.
 
There are many reasons to roll your own open source router...but for the home user, I wouldn't consider security to be one of them.

When you look at the vulnerabilities of many residential routers (STinksys, Nutgear, DStink...those home grade ones)...many of those are addressed with simple measures.
*Disable WAN access (should be by default)
*Use a good Administrator password...so many people leave the web admin password the default one. Change it!
*When vulnerabilities are brought out to the media...often a firmware fix was recently released to fix the bug, so update firmware. I'd say it's a good idea to keep an eye on firmware releases and update whenever a new one comes out, but for many home users that don't live and breathe networks and routers for a living it can do things like "reset to defaults" and create havoc and confusion for them.

I hate double NAT...lowers performance, and when not done properly (which is 99% of the time) it creates unreliable networks. Not to mention it "breaks" some applications that need to run through it, because they do not like being molested by NAT. Putting double routers in a home network to intentionally create double NAT often creates triple NAT; lots of folks don't realize that "modem" from their ISP is technically a gateway, a combo modem/router already doing NAT.

But yeah...for those that like to fiddle, many *nix router/firewall distros are a lot of fun. Years ago I was huge into trying them, back when pfSense was first coming out, and the old days of IPCop and m0n0wall, tons of others...used to download/build new ones every couple of months. Great features, solid performance, one could argue better security...but many *nix distros also have security exploits. Since they're not widely used, you just don't hear about them, they don't make the media. I used to build them and test drive them "just to play"...since networking is my career. But these days I just don't have the time at home anymore (or I'd rather leisure at home) so I don't, I just have a Stinksys e3000 flashed with Tomato, serves me fine.

Another alternative, many "off the shelf" residential routers can be flashed with 3rd party firmware like DD or my favorite...Tomato.
 
If you guys have trouble running a double NAT, you should start a new thread. I don't have any problems with a double or even a triple NAT. You're never too old to learn and I'd be glad to help you.

A double NAT is certainly not the most convenient. That's for sure. But like I said in my previous post, in addressing the OPs security concerns, a double NAT will reduce the risk of using a consumer router. It's probably the cheapest option to reduce risk. Definitely not the best option.
 
If you guys have trouble running a double NAT, you should start a new thread. I don't have any problems with a double or even a triple NAT. You're never too old to learn and I'd be glad to help you.

A double NAT is certainly not the most convenient. That's for sure. But like I said in my previous post, in addressing the OPs security concerns, a double NAT will reduce the risk of using a consumer router. It's probably the cheapest option to reduce risk. Definitely not the best option.

No trouble. Just a loss of throughput (each router can do only so many packets/sec via WAN) and PITA to manage port forwarding for inbound, if that's used.
 
No trouble. Just a loss of throughput (each router can do only so many packets/sec via WAN) and PITA to manage port forwarding for inbound, if that's used.
It also adds more "lag": with more hardware, the time a packet needs to go from the PC to the website is increased.

In any case, security on both types of router is the same; bugs happen on both, but the most common problem is misconfiguration.

A good rule to start with is: close everything, then open it service by service until everything is working.

:)
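The "close everything, then open service by service" rule above, and the earlier point that stock consumer routers only filter unsolicited inbound traffic and that outbound filtering needs business-class gear or a home-built box, both come down to a default-deny ruleset. Below is an added example (not from the thread, pfSense or ZeroShell) that emits such a ruleset in nftables syntax for a Linux router built from a PC. Interface names (eth0 WAN, eth1 LAN), the LAN subnet and every port list are assumptions chosen for illustration; the `inet` family is used on purpose so IPv6 gets the same default drop instead of being left open.

```python
"""Emit a default-deny nftables ruleset for a Linux router built from a PC.

Added example, not from the thread. The interface names (eth0 = WAN,
eth1 = LAN), the LAN subnet and the port lists are assumptions chosen for
illustration. Write the output to a file and load it with `nft -f FILE`
as root; `nft -c -f FILE` checks the syntax without loading anything.
"""
from dataclasses import dataclass, field


@dataclass
class Policy:
    wan: str = "eth0"
    lan: str = "eth1"
    lan_net4: str = "192.168.7.0/24"               # assumed LAN subnet
    router_tcp: tuple = (22, 53)                    # router's own services, LAN side only
    router_udp: tuple = (53, 67)
    egress_tcp: tuple = (80, 443, 993)              # what LAN hosts may open toward the internet
    egress_udp: tuple = (53, 123)
    forwards: dict = field(default_factory=dict)    # wan_port -> (lan_ipv4, lan_port); empty = closed


def nft_set(items):
    """Format a Python sequence as an anonymous nft set, e.g. { 80, 443 }."""
    return "{ " + ", ".join(str(i) for i in items) + " }"


def render(p: Policy) -> str:
    out = []
    add = out.append
    add("flush ruleset")
    # inet rules apply to IPv4 and IPv6 alike, so IPv6 is not forgotten.
    add("table inet filter {")
    add("  chain input {")
    add("    type filter hook input priority 0; policy drop;")
    add('    iif "lo" accept')
    add("    ct state established,related accept")
    add("    ct state invalid drop")
    # ICMP is needed for path MTU discovery; ICMPv6 also carries neighbour discovery.
    add("    icmp type { echo-request, destination-unreachable, time-exceeded } accept")
    add("    icmpv6 type { echo-request, destination-unreachable, packet-too-big, "
        "time-exceeded, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept")
    # Open the router's own services one at a time, and only toward the LAN.
    add(f'    iifname "{p.lan}" tcp dport {nft_set(p.router_tcp)} accept')
    add(f'    iifname "{p.lan}" udp dport {nft_set(p.router_udp)} accept')
    add("  }")
    add("  chain forward {")
    add("    type filter hook forward priority 0; policy drop;")
    add("    ct state established,related accept")
    add("    ct state invalid drop")
    # Outbound is filtered too: LAN hosts get an explicit allow list and nothing else.
    add(f'    iifname "{p.lan}" oifname "{p.wan}" tcp dport {nft_set(p.egress_tcp)} accept')
    add(f'    iifname "{p.lan}" oifname "{p.wan}" udp dport {nft_set(p.egress_udp)} accept')
    # Forwarded ports are matched after DNAT, so on the inside address.
    for host, lport in p.forwards.values():
        add(f'    iifname "{p.wan}" oifname "{p.lan}" ip daddr {host} tcp dport {lport} accept')
    add("  }")
    add("}")
    add("table ip nat {")
    add("  chain prerouting {")
    add("    type nat hook prerouting priority -100;")
    for wport, (host, lport) in p.forwards.items():
        add(f'    iifname "{p.wan}" tcp dport {wport} dnat to {host}:{lport}')
    add("  }")
    add("  chain postrouting {")
    add("    type nat hook postrouting priority 100;")
    add(f'    oifname "{p.wan}" ip saddr {p.lan_net4} masquerade')
    add("  }")
    add("}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Closed by default; one forward opened deliberately for a LAN game server.
    print(render(Policy(forwards={25565: ("192.168.7.10", 25565)})))
```

Nothing reaches the router or the LAN from the WAN except replies to connections the inside opened and the one forward listed explicitly, and a LAN host infected with malware can only talk out on the listed ports, which is the outbound filtering a stock consumer router does not give you. When something on the LAN stops working, add its port to `egress_tcp`/`egress_udp` and reload, which is the service-by-service opening the post describes.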
 
Yep. When I test a double NAT, it adds between 0.5 ms and 1 ms latency. Excellent point there saulos.

:sigh:

It takes me about a minute to forward a port on a router. Takes me 2 minutes to do both routers. Go figure. I get zero loss of throughput.

I'm done with the myth busters on double NAT. Good luck guys.
 
How well does UPnP work with double NAT?

If you need UPnP for something, you can connect to router 1.

I don't use UPnP and disable it.

I use port forwarding.

http://portforward.com/help/doublerouterportforwarding.htm

Keep in mind, I don't always run a double NAT. But I would definitely recommend it for someone who is wanting to reduce risk from consumer routers (cheaply).

It's not for everyone. I've seen a lot of people struggle forwarding a port for a Minecraft server with just a single NAT. I can't imagine how they would ever grasp forwarding through two NATs.

But for a large chunk of mainstream consumers that only use internet for surfing,email,Facebook,YouTube,Apple TV, eBay, Netflix, amazon, a double NAT works as smooth as silk.

I game behind a double NAT with a popular FPS and am ranked 67th in the world. I notice zero difference between single NAT and double NAT when gaming. So all those myths about double NAT are pretty silly. But like I said......I'm done with myth busters.
 
Yep. When I test a double NAT, it adds between 0.5 ms and 1 ms latency. Excellent point there saulos.

:sigh:

It takes me about a minute to forward a port on a router. Takes me 2 minutes to do both routers. Go figure. I get zero loss of throughput.

I'm done with the myth busters on double NAT. Good luck guys.
Double NAT is too complex for most.
 
I have never heard anyone else advocate double NAT. What I have heard is avoid double NAT if at all possible. NAT was invented as a hack to extend the limitation of the IPv4 address space. It was not invented as a security feature. Note that IPv6 was designed from the beginning to NOT need NAT. Today's biggest security risk comes from inside your LAN when someone clicks a link and gets malware, spyware, viruses, key loggers, etc. Double NAT does nothing to help there. Do a Google search for "nat security" and you'll find hundreds of debates on whether NAT provides any real security.
 