Remote Router Reader?

JT Strickland

Very Senior Member
Is it practical or feasible for an IT Network Tech to access an AsusWrt-Merlin router remotely and examine the settings, check the network, evaluate the Security, and make recommendations for improvements and changes to a small home network?
 
Absolutely, I have assisted users in this way multiple times. Just use the remote support tool of your choice (RDP, Skype, LogMeIn etc) to establish a remote session so you can access the GUI securely from a browser on their machine and you are good to go. Another option is to walk the user through allowing Web Access From WAN but IMO this typically requires the user to be somewhat technically minded and is certainly not secure, but it is an option providing you ensure the change is reverted once analysis is complete.
 
I'm not sure I understand exactly what you're asking. If you're simply asking for methods of connecting remotely to a router then see the reply above (also consider TeamViewer or a VPN server).

The part that confuses me is where you say "examine the settings, check the network, evaluate the Security, and make recommendations for improvements and changes to a small home network". If this is the thrust of your question then that would depend entirely on the skill and knowledge of the "IT Network Tech" and their understanding of the network layout and equipment being used.

For example, having a Cisco guy look at an Asus router interface and making changes that he thought might be a good idea is not desirable. Especially if he's making changes that affect things that he is unaware of, like home automation, security systems, NASes, etc.
 

I suppose I wasn't clear. I was trying to be discreet, kinda. I would like to hire someone who is familiar with and uses AsusWRT-Merlin + add-ons to check out my settings on my router and my network from a security perspective, but wasn't sure if it could be done without me exposing it to the WAN or other problems, and then make recommendations for security, stability, and speed. It would depend on, among other things, how much the fee would be, if it is even a possibility. I suppose the fee would depend on the skill and knowledge of the "IT Network Tech" (may not be the correct label).

This is the only place I know to look and ask. The population of my county is less than 20k, and I'm at least an hour in any direction from a town with a population greater than that, and don't know of anyone within 60 miles who is using said firmware, although there probably is. It would need to be someone that I felt like I could trust.

I probably spend too much time worrying about these things.
 
That's going to be a big ask. Your typical network tech guy (even a highly skilled one) is not going to be familiar with AsusWRT-Merlin, let alone add-ons like Diversion, Skynet, Scribe, Connmon, SpdMerlin, etc. I doubt there are many (if any) members of this forum that would be familiar enough with all of those things and their interactions with each other to say definitively that your network was secure and operating at peak performance.

I guess if there was someone you knew from these forums that you trusted, had the same model router, that used all of those add-ons and was willing to help, you could set up VPN or TeamViewer access for them. They could then offer a "second opinion" on your network setup and highlight any obvious problems.
 
@JT Strickland, I don't believe you need the 'service' you're asking for. :)

Using an RT-AC86U with current (stable) firmware and the features and scripts you indicate (specifically; AiProtection, Skynet, Diversion, scribe, uiScribe, and ntpMerlin), I think you're more protected than 99% of other Asus users, let alone other brand router users who are running stock firmware with their highly outdated and insecure code.

The only thing I would consider is running Unbound and being your own authoritative DNS server (instead of 'third party', DoT). But that is debatable (and I'm preparing to duck for the responses that may come from my statement here!).

To make your IPS connection as bombproof as possible; consider using a UGreen external SSD enclosure (easily found in a search here on this site) with an SSD to prevent issues from USB drive failures. In the same vein, you may want to get your network infrastructure (modem/ONT + router + AP's or AiMesh nodes + switches, etc.) on a quality UPS that protects not just for surges, but has Sine wave output, blackout, brownout, and surge protection too.

Given the above items are 'done', and you regularly keep up with the latest (stable) RMerlin releases, any 'testing' done for you on a paid-for basis would be dubious, at best.

Enjoy your network knowing that unless you move to enterprise levels of controlled internet access, there is nothing more secure right now in the consumer market.
 
Yea, I just worry that I might have a back door open that I didn't shut, or something noob related. Like I said, I probably just worry about it too much. I'm not an IT guy like I assume most here are, and I'm not real comfortable as system administrator.

However, I am waaay ahead of what I was a few short years ago, with a blue router from Walmart that I turned on and never thought about again until it wasn't working. I couldn't see all the attacks from unfriendly nations bombarding my network like I can now with Skynet. Granted, I don't have much for them to get, but it is still mine. I got a call from my bank the other morning that someone from the UK had tried to access my bank account. Thankfully I still have my couple of dollars in there.

L&LD, I have considered Unbound, and if I understood it better I would probably already be using it (but that hasn't stopped me so far). And, I have a new SanDisk Max Endurance 32GB SD card and USB plug that I plan to substitute for my current USB drive when I upgrade to 386. It's not an SSD, but I've read that it does a pretty good job.

I appreciate the help.
jts
 
@L&LD I think it's a valid question though. And it actually goes hand-in-hand with your point on DNS.

Fundamentally, the issue with security is, and has always been, that you have to decide who to trust.

Let me elaborate a little bit as it seems relevant to the OP's question:
First, it's important to understand who the threat is we're trying to protect ourselves from. Right up front, if it's nation states, well we're done, don't have the resources or skills (for 99.99% of users most likely) to prevent anything. They have attack vectors (like threatening developers or finding folks inside organizations) to forcing companies to comply *ahem*China*ahem*.
So if focusing on the more criminal element, then some of those go away. So let's say we trust the folks that write software for our routers, we need to do that for both the vendors (Asus, partners like Trend who provide software / services and 3rd party developers, like RMerlin, Adamm etc).

Second, we already know that some of those folks are not trustworthy, like Trend Micro. They've had numerous issues in the past and I would personally not turn on anything that would submit a significant amount of my data to them. Others, like the folks writing 3rd party software, are most likely trustworthy, but I don't know their background. I have no concerns but am simply expanding on the threat vector here.

Third, communicating across networks we will always expose information about ourselves to someone, though we get to decide who we expose what to using technology.
Ex. Who sees what you are searching for on the web, the sites you visit and, to some degree, what you access on those sites.
DNS being the starting point. Without doing anything, our ISPs know exactly what we visit and how often (to a degree). Even if we choose not to utilize their DNS servers, by default all queries are in clear text and very easy to pick up.
The fact that now DNS functions over encrypted paths has certainly done a fair bit to reduce the ISP aspect, but we still need to trust someone (i.e. the recursive resolver we use) as they can see all queries.
Next step would be to use our own DNS server to handle all the queries (whether on the router or using some other tech on our networks, like pihole etc).

Not to delve too deep, the key point is, we need to decide whom we trust. Is it Google, or 1.1.1.1 or Quad9? Or, depending on location, folks like CIRA who run the Canadian Shield DNS servers with different levels of filtering.

And we're still at the Network layer. Haven't even gotten to Certificate Authorities. Then, it's time to tackle the applications, probably starting with OSs and moving onto browsers in short order. And the fact that many of us live in 5 eyes nations...

TL;DR: Security is tough because somewhere you need to trust people, organizations (governments?!), it's inevitable.

So, who do you trust? :)

Sorry for the long post.
 
I trust myself.

I also acknowledge that I only know what I know 'now'. I'm not averse to changing my mind if I'm presented (or find on my own) better information to base a past decision on, today.

As for TrendMicro, (always a touchy subject here), I don't consider them as 'getting' my 'data'. My browsing habits are boring, they are not data. Of course, others may feel differently.

I could have suggested that AiProtection may be considered to be disabled (to further harden 'security'), but if I'm not mistaken, Skynet intercepts things before AiProtection (and therefore TrendMicro) does, so it is just a 'just in case Skynet goes down' kind of backup plan to me.

At the end of the day, I still trust myself.

Not because I know it all. But because I am the one responsible to put any safety/security measures in action, within my networks.

And I'm doing all I can (to stay informed) by reading these forums daily, in full. :)
 
@L&LD I referenced you, but didn't mean to imply that my post was directed at you. :)

In general:
  • I think when people start to learn about 'security', that's excellent. The tricky thing is that it really is complex and there aren't a lot of sure things, it's all 'grey' just different shades.
  • The best thing people can do is understand what they're comfortable with doing themselves, getting as much information as they can, and then knowing where it's "a bit much".
  • But, keep asking "what's in this for the other party, why are they doing this, can they be trusted, who owns them and what is their business model?"

Always an interesting discussion :)
 
DNS being the starting point.
Even if you use encrypted DNS and only access https pages, you will be tracked by the ISP. Almost every https link contains the domain name information in plain text, which is called an SNI leak (https://en.wikipedia.org/wiki/Server_Name_Indication). Even if you use a VPN, you cannot be sure whether your VPN provider is trustworthy.

We live in an era without privacy, and the best way is to cut the ethernet cable.;)
 
I think you're taking a tiny part of my post out of context, to make basically the same point the longer post made :)

For a good read, check into what the journalists did that got the Snowden info. Airgaps, buying laptops randomly from large stores with cash etc.
 
Sorry, I think I missed the wonderful discussion.
 
