Router Security

Smedley

Regular Contributor
Is there a difference in the level of Firewall protection provided by an Asus AC88U vs a business-class router from Fortigate, Watchguard, Cisco, etc. (without all the AV, IPS, and other subscription services running)?

How about as compared to a Netgear ProSafe box (the blue metal case routers)?

Is the AC88U firewall as effective?
 
NAT is the big firewall feature for all. The business class routers are more refined and have more options.
 
Indeed. Firewall-wise, they're all pretty much the same: nothing comes in unless it's a tracked connection, or there's a forwarded port.

Where it makes a difference is in the hardening of the rest of the OS, and advanced features.
 
Dividing it into classes, you have the consumer class and the business class, where you set things up by entering some details and checking some boxes (the only difference would be features and quality). Then there's a totally different class where you get configurable routers that can do a lot better but require more work to set up.

RMerlin's firmware brings the router into the configurable class. I'm not sure about Tomato, but OpenWrt is a configurable router as well (DD-WRT isn't). Some routers like Juniper, professional Cisco, MikroTik, Ubiquiti, pfSense, or a Linux/Unix server all go into configurable. Even Windows Firewall operates the same way, but Windows Firewall isn't effective, otherwise Windows wouldn't be user friendly. By configurable it means that every function has to be crafted from rules, so NAT would have rules for it and so would everything else you want to do. While it may be very difficult for some, it is also very effective, since you could configure UPnP and not worry about console compatibility, you could do all sorts of fancy port forwardings and filtering, you could also do QoS in a fancy way, and if the router has layer 7 you could do something fancy like manipulating Skype traffic if you ever got hold of the hash of an application or if the router already knows the protocol of an application.

Configurable routers are less prone to OS security problems, since you can just use the firewall filters to get around the problem, but if you don't configure it properly you could be more exposed than with a non-configurable router.

Firewall from the internet is just part of the function; the other is LAN or layer 2 protection, such as from the famous pineapple hack, on which Cisco actually has tutorials (this security is more than a decade old), and non-configurable routers don't have this protection. That means that if someone can connect to your network, then you are vulnerable.
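The WAN-side policy described above (Merlin's "nothing comes in unless it's a tracked connection, or there's a forwarded port", and the "NAT would have rules for it" point) as a small executable model. This is an added example, not code from any router firmware: the conntrack table, the port-forward table and the addresses (documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are all constructed.

```python
"""Model of a consumer router's stateful WAN firewall.

Outbound LAN traffic is source-NATed behind the WAN address and recorded in
a connection-tracking table. An inbound WAN packet is accepted only if it is
the reply to a tracked flow or matches an explicit port forward (DNAT);
everything else is dropped. Constructed example, not real firmware code.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Firewall:
    wan_ip: str
    # (proto, wan_port) -> (lan_ip, lan_port): the explicit port forwards
    forwards: dict = field(default_factory=dict)
    # (proto, nat_port, remote_ip, remote_port) -> (lan_ip, lan_port)
    conntrack: dict = field(default_factory=dict)
    next_nat_port: int = 40000  # simplistic allocator for SNAT source ports

    def lan_to_wan(self, pkt: Packet) -> Packet:
        """LAN host opens a flow: SNAT it and create the conntrack entry."""
        nat_port = self.next_nat_port
        self.next_nat_port += 1
        self.conntrack[(pkt.proto, nat_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.wan_ip, nat_port, pkt.dst, pkt.dport, pkt.proto)

    def wan_to_lan(self, pkt: Packet) -> str:
        """Decide the fate of an inbound WAN packet, in rule order."""
        if pkt.dst != self.wan_ip:
            return "DROP"  # not addressed to us at all
        # Rule 1: ESTABLISHED/RELATED, i.e. the reply to a flow a LAN host opened
        flow = self.conntrack.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if flow:
            return f"ACCEPT -> {flow[0]}:{flow[1]}"
        # Rule 2: an explicit port forward (DNAT) punches a deliberate hole
        fwd = self.forwards.get((pkt.proto, pkt.dport))
        if fwd:
            return f"DNAT -> {fwd[0]}:{fwd[1]}"
        # Rule 3: default policy, unsolicited inbound traffic is dropped
        return "DROP"
```

Running it with one forward configured shows the three outcomes side by side: a reply to an outbound HTTPS connection is accepted, an unsolicited probe at port 22 is dropped, and only the deliberately forwarded port reaches a LAN host.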
 
Thanks! Does the discussion change if we're just talking about protecting a home network, with no servers, DMZ, port forwarding rules, and with UPNP, Download Master, Time Machine, Asus Cloud, etc. disabled? In this context, would a Business Class router provide any superior protection over a consumer grade device?

To Merlin's point above, if WAN access to the router is disabled, is the OS on the router still vulnerable (assuming there are no threats from authenticated LAN attached devices)?
 
Security is often about preventing the unexpected. Authenticated LAN devices could still be used by malicious users. Take the typical case of a router at home, where the parent implements Parental Control on the router, and the crafty teenager can bypass the router's security to get around Parental Control limitations.

Business-type devices tend to be more thoroughly thought through during their design to reduce the risk of such gaps in their security.

And don't forget that once any client device has some sort of Internet access, it becomes potentially vulnerable. An unpatched OS or browser flaw could allow a malicious website to take control of either the client or its infrastructure. Cross-site vulnerabilities such as those frequently fixed by Asus over the past year are such examples.