Signature update failed.

[Tech9]

And then some other measures also.

Your network users basic security education is best. No matter what automatic security you may have and how professional it is, clicking on a wrong link or opening the wrong email may cause you headaches. You and your family members are integral part of your Internet security.

 

[rlunsingh]

Your best fit new router is perhaps RT-AX68U. WPA3 has to be supported by clients and it requires PMF - may cause issues with your older clients. MU-MIMO has no real advantages - clients support required and only to few devices limited by router's radio streams, with reduced to single stream link rates. What you need is newer AC Wave 2 for your existing AC clients and AX for your new clients. RT-AX68U will have about 20% better Wi-Fi range and this is perhaps all you need. Comes with ARMv8 CPU and AES support - about 200Mbps OpenVPN speeds capable. Asuswrt-Merlin support available. The next more expensive brother is RT-AX86U - you get 2x more CPU cores, 2x more RAM and a single 2.5GbE WAN/LAN port. If the budget is enough, get the RT-AX86U. This is the model most folks around will recommend.



You may want to disable automatic updates. Consumer market, Asus had to remove some updates with issues in the past.

Our only Client device that has still no support for WPA3 is our daughters Chromebook for school.
I could set up a guest SSID for that system with WPA2 if it will not work with the WPA3 SSID.
Do you know if the RT-AX68U and or the RT-AC86U allow for multiple non-guest SSIDs per band?
My RT-AC68U only allows for one SSID per band for normal use.
I could set up a guest SSID on the new router for anything that does not work with WPA3 with or without access to the internal network.

As for the updates, I always make a config backup when I change anything.
So I could always factory reset and go back to a previous version and then reload the config.
Anyway thanks for the heads up. I didn't experience any serious issue though in the past 4 years with it.

 

[rlunsingh]

Your network users basic security education is best. No matter what automatic security you may have and how professional it is, clicking on a wrong link or opening the wrong email may cause you headaches. You and your family members are integral part of your Internet security.

That is true indeed.
Awareness is crucial to block phishing and social engineering.
I talk with them about this topic regularly and read a lot of news to stay up to date myself regarding new threats and what starts them.
For our daughter I bought the book called The smart girl's guide to privacy.
Some websites help increase awareness also that can be found searching: safe internet.
Another interesting site is: Free IT Security Tools | KnowBe4

On my phone I use the Security news app as feed.
Certain LinkedIn groups also provide interesting posts to the feed.
For study I have started with Security+ certification.
Some Youtube channels have relevant and interesting info such as NetworkChuck and Professor Messer.

Ps I also removed security questions and phone numbers from crucial accounts for password resets to mitigate SIM hacking, that are used to bypass 2FA.

 

[rlunsingh]

The signature update failed for me as well earlier this week. Yesterday the update worked normally. Who knows?

I found a webpage that reports Trend Micro signature release numbers with dates:
Trendmicro related Technical Updates [Page: 1 of 321] @ TACKtech Corp.
This seems to correlate to the numbers seen in the router.
Another interesting webpage by Trend Micro is:
Securing Home Routers - Security News (trendmicro.com)

 

[RMerlin]

I found a webpage that reports Trend Micro signature release numbers with dates:
Trendmicro related Technical Updates [Page: 1 of 321] @ TACKtech Corp.
This seems to correlate to the numbers seen in the router.

Totally unrelated. The DPI signatures are completely different from their virus signatures (and the numbering scheme isn't even anything remotely close).

DPI signatures are actually published on Asus's own servers.

 

[Tech9]

Our only Client device that has still no support for WPA3 is our daughters Chromebook for school.

Really? You don't have any printers, IoT, devices few years old? Your router is 2013 model year.

My RT-AC68U only allows for one SSID per band for normal use.

You can set a Guest Network with access to internal network, it will create another unrestricted SSID.

I could set up a guest SSID on the new router for anything that does not work with WPA3

Not sure about it. You need to test first. Guest Networks use the same radios as main network.

 

[Tech9]

On my phone I use the Security news app as feed.

Just don't get security obsessed. It will impact your Internet experience. Some people use crazy blocklists and multiple protections each with own bugs and false positives. As I said before - find the balance. Otherwise you'll be limiting yourself only. The best protection from Internet is no Internet access.

 

[rlunsingh]

Just don't get security obsessed. It will impact your Internet experience. Some people use crazy blocklists and multiple protections each with own bugs and false positives. As I said before - find the balance. Otherwise you'll be limiting yourself only. The best protection from Internet is no Internet access.

Indeed,
I only use blacklists that block malicious sites: through DNS provider, ASUS router settings, Pi-Hole and Endpoint Protection.
Privacy controls I set through browser add-ons that are not blocking regular website functionality.

 

[rlunsingh]

Really? You don't have any printers, IoT, devices few years old? Your router is 2013 model year.



You can set a Guest Network with access to internal network, it will create another unrestricted SSID.



Not sure about it. You need to test first. Guest Networks use the same radios as main network.

Almost every other device is wired, including MFP and Nintendo.
I do not use home automation much.
Just the smoke detector controller, but I can assign it to a separate SSID without any issue as it only requires internet access and no local access.
The only device that might cause some issue is the Harman Kardon Citation for which I did not find a statement about WPA3 support.
Not having it in the same network as the phones would limit functionality somewhat.
The Clients all run operating systems that support WPA3, so I think that it should work as it does not seem to be hardware related.

For reference I found these webpages:
Can WPA2 be upgraded to WPA3? (techtarget.com)
What Is WPA3 Wi-Fi? (lifewire.com)

 

[Tech9]

I think that it should work as it does not seem to be hardware related.

It is. The client's radio has to support PMF/WPA3. If you set your router to WPA3 only, expect devices not connecting.

 

[rlunsingh]

Totally unrelated. The DPI signatures are completely different from their virus signatures (and the numbering scheme isn't even anything remotely close).

DPI signatures are actually published on Asus's own servers.

Could you post the link to the webpage you refer to?
I did not find it yet and have googled quite a bit for it now also using advanced search filtering by asus.com and trendmicro.com.
I only found this:
AiProtection – Internet security and WiFi protection | ASUS Global
[AiProtection] How does AiProtection protect my home network? | Official Support | ASUS USA
And that is just general info.

 

[rlunsingh]

It is. The client's radio has to support PMF/WPA3. If you set your router to WPA3 only, expect devices not connecting.

Can it be set to mixed?

 

[Tech9]

Could you post the link to the webpage you refer to?

RMerlin is the developer of Asuswrt-Merlin firmware. Good enough reference.

Can it be set to mixed?

Yes, but there is no point. Your network will be WPA2 compatible, just like WPA2 only network.

 

[rlunsingh]

RMerlin is the developer of Asuswrt-Merlin firmware. Good enough reference.



Yes, but there is no point. Your network will be WPA2 compatible, just like WPA2 only network.

Concerning Asus DPI signatures webpage:
I have known for a long time that he is an IT Consultant / Lead Developer and that he is in charge of this firmware development and I have payed fair attention to his work before I decided to switch to his firmware. Ps I think IT Consultant / Lead Developer is also his fulltime day job.

He has pointed out that DPI signatures are actually published on Asus's own servers, unfortunately he did not provide the link itself.
Not being able to find this information myself, and reading his comments in an older thread about the same topic where he pointed out that someone that also had update issues with the Trend Micro signature, had in fact a router that was infected with malware, has lead me to post on this forum that he uses for communication about this project, in the first place.
So I am very eager to finally learn what the webpage is, that he is referring to, the more so because of his reference.
If anyone could therefore reply or send me the URL that goes with this page, please do so. That will also help anyone else who will look for it.

Concerning WPA3 and mixed mode:
What I have read about it so far, states that the design of WPA3 certifies that every WPA3 encrypted connection uses a separate handshake password, that is changing constantly and is not the same as the password that is used for the initial unencrypted handshake, that uses the SSID password. The design entails that no session can access the information from any other WPA3 encrypted session.
This means, as far as I understand, that in mixed mode WPA2 sessions can see traffic from WPA2 sessions, but never from WPA3 sessions.
So implementing WPA3 should bring the benefits of it to compatible clients directly without impacting clients that can only use WPA2.

This is for instance useful for public Wi-Fi: if your device communicates with WPA3 encryption, you will no longer have to worry about MITM attacks.
But you can of course still keep using your payed VPN connection. Or use the free 1.1.1.1 app from Cloudflare, that gives a free 10Mbit encrypted connection with filtered DNS when you set it to use 1.1.1.2.

I must say that I did not read the official specifications yet. But if anyone thinks that what I understand so far is wrong, let me know and I will do so.
By the way, the URL to the WPA3 specification is:

WPA3 Specification

Wi-Fi Alliance Public File Download

www.wi-fi.org

 

[RMerlin]

He has pointed out that DPI signatures are actually published on Asus's own servers, unfortunately he did not provide the link itself.

There's no link to provide. They are not published on a website, they are published on a server from which your router will download them when notified that a new signature file is available.

 

[Tech9]

If anyone could therefore reply or send me the URL that goes with this page, please do so.

There is no webpage. It's a file on a server Asuswrt firmware is looking for.

What I have read about it so far

Your own experience will tell you. The balance. If in theory it increases security a bit, but in real life it decreases convenience a lot - turn it off. If you do some secret business and no identifiable bit is allowed to leave your network - this is not the right forum for you. You may research where Snowden is killing free time. VPN over VPN on Tor over Tor + coffee maker.

 

[rlunsingh]

There's no link to provide. They are not published on a website, they are published on a server from which your router will download them when notified that a new signature file is available.

Thank you for clearing things up.

 

[rlunsingh]

There is no webpage. It's a file on a server Asuswrt firmware is looking for.



Your own experience will tell you. The balance. If in theory it increases security a bit, but in real life it decreases convenience a lot - turn it off. If you do some secret business and no identifiable bit is allowed to leave your network - this is not the right forum for you. You may research where Snowden is killing free time. VPN over VPN on Tor over Tor + coffee maker.

I have not read so much negative things about WAP3 so far.
Perhaps you can state why it should cause inconvenience?
To me it seems just a one time set and forget thing.
My guests will not use it, they will not use my router anyway.

I do not even use VPN from my router, only to connect safely to my home or from public Wi-Fi. With proper enforcement of https and DoT there is hardly any need anymore.
Privacy is not my main concern. Keeping hackers away is.
Snowden does interest me. He is in IT specialist and he will go into history.
But I follow blue team and red team stuff amongst others.
Following guys like NetworkChuck on Youtube is fun for me.
I am a fan of layered security. Not a network specialist, but more a virtualization and hardware guy, mostly an Infrastructure generalist.
How about you? Are you in IT for work as well or is it just a hobby?

 

[Tech9]

Perhaps you can state why it should cause inconvenience?

What we read online about new technologies is not always what we find working in consumer products. Many examples of advertised, but not working as expected or not working at all features. Get the router you like and test what works for you with the client devices you have. Don't get angry on it too much, if your expectations are not exactly met. Most consumer routers are under $100 hardware, released with software good enough to beat the competition with a new product on the market. Most manufacturers don't bother supporting this hardware for more than 2 years.

 

[rlunsingh]

What we read online about new technologies is not always what we find working in consumer products. Many examples of advertised, but not working as expected or not working at all features. Get the router you like and test what works for you with the client devices you have. Don't get angry on it too much, if your expectations are not exactly met. Most consumer routers are under $100 hardware, released with software good enough to beat the competition with a new product on the market. Most manufacturers don't bother supporting this hardware for more than 2 years.

I think so 2.
Exactly the reason to ask here. This is the place 2b for experience with Asus routers.
Hopefully someone can clear this up?
Anyway I have had a lot of positive experience with other Asus products as well like mainboards, laptops and videocards.
So far they never let me down.
Thank you so far.