Most Secure/High Security Home/Home Business Routers?

Aspie

Junior Member
Aug 13, 2014
Hello all and thank you in advance for any input you have,

I work in IT and so I am familiar with routers/switches/repeaters, etc.; however, I am familiar with models of said equipment for the enterprise, and need some recommendations (or, if you are uncomfortable making a single suggestion, then a list of a few that meet these basic requirements):

BEFORE I GIVE MY REQUIREMENTS, I realize that a lot of security has more to do with how a router is configured rather than the router's features. Features are great, but if it isn't configured correctly, then you might as well leave it unsecured. I plan to implement MAC address filtering, WPA2-AES-PSK, WiFi isolation, etc. So my request is not so much how to configure (though any very important things you feel you wish to share are appreciated), but rather what routers are just reliable, high end (having dual core or more, large RAM/cache buffer, a minimum of 4 WIRED Gigabit ports, external antennae, MIMO/MU-MIMO, etc.).

I am looking for a router that is classed as a Home or Home Business or SMB type router. The router should be a high end model (think Netgear Nighthawk, Linksys WRT1900, ASUS (essentially any current model of ASUS)). I am essentially considering the HIGH END models from the big 3 (Netgear, Linksys, ASUS)...at least the big 3 in my opinion.

Would anyone be willing to give a quick listing of their top two or three "secure" routers? The minimum I ask is just for a list, but feel free to expound on your recommendations. PLEASE, just spare a minute and provide your wisdom.

Respectfully,
J.C.S.
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
When using the words Secure and Router, there are a few unrelated functions that involve security.

You seem to talk only about Wireless.

Wireless security is rather standard in most Wireless Routers, and there are No differences along the line that you mentioned.

The next level involves server log-ins along the line of RADIUS.

http://en.wikipedia.org/wiki/RADIUS



:cool:
 

Aspie

Junior Member
Aug 13, 2014
Then if it were you (JackMDS), and you couldn't purchase a SonicWall, Fortinet, WatchGuard, or Cisco Small Business Security Router Series (the Cisco line has reached its end-of-life; otherwise I would go with the Cisco), or another high end Enterprise level router, you would have no preference between the latest Linksys, Netgear, or ASUS models? If that is the case, then great, as I will probably go with _______ (purposely redacted). But if you did have a preference among those models, what would it be?


Thanks
JCS
 

John Connor

Lifer
Nov 30, 2012
I plan to implement MAC address filtering, WPA2-AES-PSK, WiFi isolation, etc..


Don't use PSK! I read that TKIP is hackable, so I changed to straight AES! And use a 64-digit key for your password. Use this: https://www.grc.com/passwords.htm

You really only need, say, 12 digits in alpha, numeric and symbol, but 64 is what I use and is guaranteed.

I run an old WRT54GL router with the third-party firmware DD-WRT, and I have iptables in there for the firewall to block port scans and various hacker crap. I would recommend the RT-N66U router flashed with DD-WRT. Read DD-WRT's wiki, and read it good! If you choose to go this route, I recommend you read this thread: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=171783&highlight=

Comodo Firewall is something else I use, since it will block tampering with the ARP cache. I would use the older version of the firewall available on oldapps.com or oldversion.com; I use version 5.5195xxxxx. The newer version is probably recommended, though.

Don't use TKIP: http://en.wikipedia.org/wiki/Temporal_Key_Integrity_Protocol#Security
 

ccbadd

Senior member
Jan 19, 2004
I'm tempted to install a Ubiquiti EdgeRouter Lite. Then just use APs, maybe even Ubiquiti UniFi APs for easy roaming.
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
or ASUS models? If that is the case, then great, as I will probably go with _______ (purposely redacted). But if you did have a preference among those models, what would it be?


Thanks
JCS

Linksys currently belongs to Belkin. Belkin, LOL.

In the past I used a few Netgear models and did not care for any of them.

I do not know what the value of the current "crop" is.

My general preference at the moment is the Asus with external antennae; if you do not have a need for functional 802.11ac, the N66U is the preferred choice. I use a few of them and I have no complaints.

Asus takes DD-WRT and some other 3rd-party firmware; my approach is to flash only if I need a feature that is not available in the stock firmware. Otherwise I am not a fan of cult behavior, i.e., flashing because it is psychologically cool.





:cool:
 

Aspie

Junior Member
Aug 13, 2014
Thanks to all for the continuing input! I am taking it all to heart. I prefer a unit with the AC protocol, but it isn't necessary; it's just that new/current routers use the latest protocols, so they are inescapable. I agree with JackMDS on his last post...I am not a fan of flashing/rooting a router just to be cool; with certain exceptions, the stock firmware is going to be the most reliable, as the company would not have an interest in having more customer service issues. Yes, they are not perfect and bugs are found, but they are quickly addressed.

I have serious concerns about Linksys since it merged or was bought out by Belkin. I have NEVER BOUGHT ANYTHING BELKIN, not even a patch cable or surge suppressor. It just always seemed like the cheap way. I am also not big on this Smart-WiFi tech...but it seems inescapable without a custom firmware flash.

Frankly, I wish I could afford to implement gateway AV, sandboxing, IP signature blacklists, known hostile IPs, etc. at a price of 250.00, but that just isn't possible. The DD-WRT firmware, that is for keeping your router's outgoing connections anonymous and encrypted...correct? Or am I wrong on that? I don't go anywhere that is illegal or even remotely in need of anonymization. I would like full-time encryption (similar to how you can turn on https on all addresses within Comodo's IceDragon browser...). On that note, I feel I have a lot of trust in Comodo, even using their secure DNS servers. At this point--and I hope I am not violating any Anandtech rules, but I would love to PayPal someone who has extensive expertise in the home based sector of routers for a complete recommendation.

For instance, it would include what anti-malware solution they use (software based). I currently use Kaspersky Internet Security 2015 on all machines, along with Malwarebytes Premium (lifetime keys, not this new licensing scheme), and HitmanPro. The last two, MBAM and HMP, do not interfere with Kaspersky, and MBAM v2.x.x.x is even better than v1.x.x.x.

What does your hosts file look like? For instance, I want to block all those damn Google Analytics page calls!

I'd like all traffic that can be encrypted to be encrypted (HTTPS everything).

It seems though what I want is only available in $1,000 routers.

If someone would take, say $20 for an independent consultation on my situation, I would pay.

Respectfully,
JCS
 

code65536

Golden Member
Mar 7, 2006
I... don't think you understand what makes something secure. Security theater is not real security.
 

John Connor

Lifer
Nov 30, 2012
Read post #4 again and get an RT-N66U router. You can use DD-WRT and Optware to block China, but it's a process to implement.

I don't use third-party firmware to be cool. I have it for utility. I have a built-in SSH server and iptables for the firewall. I like the features. The default firmware for the Asus routers was compromised by hackers. Only third-party firmware was secure. Now how many people do you think follow tech sites to know that their router has been hacked? Let alone updating the firmware. Most people won't update their firmware. Some don't even password-protect their WiFi!
 

drebo

Diamond Member
Feb 24, 2006
This thread is funny. None of this matters because "hackers" aren't trying to break in to your home network.

The average home user is far, far more likely to fall victim to phishing or some sort of virus, which is way, way easier for the "hackers" to pull off and get relevant data.

The idea that someone from China is going to brute force your home router to break in to your PC is laughable. The idea that people in vans are going to drive around and break into your wifi is even more so.
 

imagoon

Diamond Member
Feb 19, 2003
Generally agree with drebo. Minus drive-by hacking because you, as the owner, failed to patch holes in the gear, no one cares.
 

John Connor

Lifer
Nov 30, 2012
Is that why my router logs are full of connection attempts from China and Taiwan?

As a test, put your computer in the DMZ, disable any software firewall, and run PeerBlock with China and Taiwan block lists and see what happens. DO IT! PROVE ME WRONG!

http://www.peerblock.com/

https://www.iblocklist.com/lists.php?category=country

You will need to rename the list to .p2p and place it in PeerBlock's directory. Add the list using PeerBlock's "add list".
 
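The .p2p list format referred to above, as an added example that is not code from any poster, from PeerBlock or from iblocklist: a small Python parser for a PeerBlock-style .p2p file (one `label:first_ip-last_ip` range per line, `#` comments ignored), with a binary-search lookup that also tallies a set of firewall-log source addresses against the list. The list contents and the observed addresses are constructed from documentation ranges, not real country data.

```python
"""Parse a PeerBlock-style .p2p blocklist and check source addresses against it.

Added example for this thread, not code from PeerBlock or iblocklist. The list
below is constructed from documentation ranges (RFC 5737) and is not a real
country allocation. The .p2p format is one range per line:
    description:first_ipv4-last_ipv4
with '#' comment lines and blank lines ignored.
"""
import bisect
import ipaddress
from collections import Counter

# Constructed sample list in .p2p syntax (not real data).
SAMPLE_P2P = """\
# constructed sample, not a real country list
Country A:203.0.113.0-203.0.113.255
Country B:198.51.100.128-198.51.100.191
Country A:192.0.2.0-192.0.2.127
"""


def parse_p2p(text):
    """Return a list of (start, end, label) tuples sorted by start address.

    Addresses are held as integers so membership tests are plain comparisons.
    Malformed lines raise ValueError with the line number rather than being
    silently skipped, so a corrupt download cannot quietly shrink the list.
    """
    ranges = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the last colon: labels in real lists may contain colons.
        label, sep, span = line.rpartition(":")
        first, dash, last = span.partition("-")
        if not sep or not dash:
            raise ValueError(f"line {lineno}: not in label:first-last form")
        try:
            lo = int(ipaddress.IPv4Address(first.strip()))
            hi = int(ipaddress.IPv4Address(last.strip()))
        except ipaddress.AddressValueError as exc:
            raise ValueError(f"line {lineno}: bad address in {span!r}") from exc
        if lo > hi:
            raise ValueError(f"line {lineno}: range start after end")
        ranges.append((lo, hi, label.strip()))
    ranges.sort()
    return ranges


class Blocklist:
    """Binary-search lookup that tolerates overlapping or nested ranges."""

    def __init__(self, ranges):
        self.ranges = ranges
        self.starts = [lo for lo, _, _ in ranges]
        # max_end[i] = largest end among ranges[0..i]; lets lookup stop early
        # once no earlier range can still contain the address.
        self.max_end = []
        running = -1
        for _, hi, _ in ranges:
            running = max(running, hi)
            self.max_end.append(running)

    def lookup(self, ip):
        """Return the label of a range containing ip, or None if unlisted."""
        n = int(ipaddress.IPv4Address(ip))
        i = bisect.bisect_right(self.starts, n) - 1
        while i >= 0 and self.max_end[i] >= n:
            lo, hi, label = self.ranges[i]
            if lo <= n <= hi:
                return label
            i -= 1
        return None

    def tally(self, source_ips):
        """Count how many observed source addresses fall in each labelled range.

        'unlisted' collects everything the list does not cover, which for a
        home router log is typically the bulk of the background noise.
        """
        counts = Counter()
        for ip in source_ips:
            counts[self.lookup(ip) or "unlisted"] += 1
        return counts


# Constructed sample of source addresses as they might appear in a firewall log.
OBSERVED = ["203.0.113.45", "203.0.113.45", "198.51.100.150",
            "198.51.100.200", "8.8.8.8"]

if __name__ == "__main__":
    bl = Blocklist(parse_p2p(SAMPLE_P2P))
    for label, count in bl.tally(OBSERVED).most_common():
        print(f"{label:10s} {count}")
```

Feeding the parser a real downloaded list and the source addresses from a router's firewall log gives a per-country count rather than a scrolling wall of entries; the `max_end` prefix keeps the lookup correct when a list contains nested ranges, which country lists often do.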

Mushkins

Golden Member
Feb 11, 2013
The idea that someone from China is going to brute force your home router to break in to your PC is laughable. The idea that people in vans are going to drive around and break into your wifi is even more so.

So laughable because it happens daily?

There are god knows how many known vulnerabilities with SOHO routers running stock firmware in the default config, and yes, someone from China is pounding as many public IPs as he possibly can attempting to break into home routers.

He's not digging through your Word documents trying to steal your social security number from 2004's tax returns; he's creating a botnet to use to brute force his way into things that actually matter.

Security through obscurity is a fallacy; you should never assume you're "too small a target to hack." There's no effort involved; these guys are running automated tools that go right down the list and try to get into anything and everything that comes up as a valid IP.
 

imagoon

Diamond Member
Feb 19, 2003
It's called script kiddies: botnets doing auto scans, drive-by scanning. If you were being targeted, there wouldn't be "logs."
 

imagoon

Diamond Member
Feb 19, 2003
Is that why my router logs are full of connection attempts from China and Taiwan?

As a test, put your computer in the DMZ, disable any software firewall, and run PeerBlock with China and Taiwan block lists and see what happens. DO IT! PROVE ME WRONG!

http://www.peerblock.com/

https://www.iblocklist.com/lists.php?category=country

You will need to rename the list to .p2p and place it in PeerBlock's directory. Add the list using PeerBlock's "add list".

Your router is going to be full of connection attempts from the entire world. It is part of being on the Internet. If you specifically were being targeted, it is likely that you wouldn't even know that they had already been in and downloaded everything on every device on your network.

I believe that is drebo's point. Also, since by definition it is impossible to prove a negative, no, I won't prove it to you. You asked us to do something that by definition is impossible.
 

John Connor

Lifer
Nov 30, 2012
Give me a break dude. Do as I said.

How do companies know there was a breach in security? THE LOGS! You can't get in without a log showing the IP address. iptables has log capability. It is used in servers all the time. I use iptables.
 

imagoon

Diamond Member
Feb 19, 2003
Give me a break dude. Do as I said.

How do companies know there was a breach in security? THE LOGS! You can't get in without a log showing the IP address. iptables has log capability. It is used in servers all the time. I use iptables.

You haven't really given me any compelling reason to do so.

Point being, though, if you were targeted, they would just delete your iptables logs. They would likely even have a script for it, since attacking Linux is fairly common.
 

John Connor

Lifer
Nov 30, 2012
Have a look at this.

ANe1jJ1.jpg
 

imagoon

Diamond Member
Feb 19, 2003
I am not quite sure what you are trying to prove here. I didn't say "the Chinese are not hacking your computer"; I just find it more likely you are being scanned by any number of things than being targeted directly. I mean, even your articles show what amounts to script kiddies. I highly doubt you are being targeted directly. I doubt anyone wants "John Connor's" porn stash that badly.

A quick glance at the security appliances actually shows more junk traffic coming in from Russia right now.

--edit--

Interestingly, your picture shows a reserved range as the source of the packet, so all that is showing me is that your computer is sending to 106.3.229.200. I.e., you're infected with something.
 

code65536

Golden Member
Mar 7, 2006
Have a look at this.

ANe1jJ1.jpg

Erm, why are those connection attempts coming from inside your network?

Anyway, drebo and imagoon are correct. This is paranoia and the security theater advocated in this thread will provide little more than a comforting illusion of security.

And yes, I have logged hundreds of connection attempts per day for at least a decade. These are nothing more than automated bots/scripts trying common things, like trying to SSH in with a username of "john" and an equally generic password. There's nothing to worry about, and the NAT on any generic router will keep that stuff out anyway.

This is not the attack vector people should be worried about. The biggest security hole is (and has always been) the meatbag between the chair and the computer. And fixing that security hole requires a good understanding of what actual security is and what is just feel-good security theater.
 
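The distinction code65536 draws above, between automated guessing against generic usernames and an event that actually deserves attention, as an added example that is not code from any poster: a Python summariser run over a few constructed sshd log lines (documentation addresses, not a real log). It counts failed guesses per source and per username, and flags only a successful password login that came from a source which had been guessing earlier in the same log, the one pattern in that noise that is worth acting on.

```python
"""Summarise sshd authentication noise versus events worth attention.

Added example for this thread, not code from any poster. The log lines are
constructed in standard sshd/syslog format using documentation addresses.
Hundreds of failed guesses against generic usernames are background noise;
a successful password login from an address that was guessing moments earlier
is the event to act on.
"""
import re
from collections import Counter

# Constructed sample, not a real log.
SAMPLE_AUTH_LOG = """\
Aug 13 03:14:07 gw sshd[2213]: Failed password for invalid user john from 203.0.113.45 port 51822 ssh2
Aug 13 03:14:09 gw sshd[2213]: Failed password for invalid user admin from 203.0.113.45 port 51830 ssh2
Aug 13 03:14:12 gw sshd[2213]: Failed password for root from 203.0.113.45 port 51841 ssh2
Aug 13 03:15:00 gw sshd[2240]: Failed password for root from 198.51.100.9 port 40010 ssh2
Aug 13 03:16:31 gw sshd[2251]: Accepted publickey for jcs from 192.0.2.10 port 50001 ssh2
Aug 13 03:17:02 gw sshd[2260]: Accepted password for jcs from 203.0.113.45 port 51899 ssh2
"""

# "invalid user" appears only when the account does not exist; root and real
# accounts are logged without it, so the prefix is optional.
FAILED = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
ACCEPTED = re.compile(
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def summarize(log_text):
    """Return failed counts per source and user, plus logins that need a look.

    A login is flagged when it used password authentication and came from a
    source that had already failed at least once earlier in the log: that is
    the pattern of a guess that eventually landed, not of the owner logging in.
    Key-based logins are never flagged, since a guessed password cannot
    produce one.
    """
    failed_by_ip = Counter()
    failed_users = Counter()
    accepted = []
    flagged = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failed_by_ip[m["ip"]] += 1
            failed_users[m["user"]] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            accepted.append((m["ip"], m["user"], m["method"]))
            # Counter returns 0 for unseen keys without inserting them.
            prior = failed_by_ip[m["ip"]]
            if m["method"] == "password" and prior > 0:
                flagged.append((m["ip"], m["user"], prior))
    return {
        "failed_by_ip": failed_by_ip,
        "failed_users": failed_users,
        "accepted": accepted,
        "flagged": flagged,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_AUTH_LOG)
    print("failed attempts by source:", dict(report["failed_by_ip"]))
    print("usernames tried:", dict(report["failed_users"]))
    for ip, user, prior in report["flagged"]:
        print(f"REVIEW: password login as {user} from {ip} after {prior} failures")
```

On a real `/var/log/auth.log` the failed counters grow into the hundreds exactly as described in the post, while the flagged list stays empty unless a password guess actually succeeded; disabling password authentication in sshd makes the flagged condition impossible by construction.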

John Connor

Lifer
Nov 30, 2012
Those are from my network when I had uTorrent on. LOL. But if I place my IP address in the DMZ, I will be inundated with port scan attacks. There is no activity when uTorrent is off, so I have nothing going on here. I scan the computer with herdProtect, Malwarebytes, AdwCleaner, TDSSKiller, Sophos Virus Removal Tool, and Malwarebytes Anti-Rootkit. Not only that, but I'm running the browser in Sandboxie and have Bitdefender Free installed along with Comodo Firewall.

I'm going to deploy Untangle because, frankly, I'm tired of the China hack attempts. They can't get past SPI and my iptables unless malware is installed on the machine, but I have no use for the Far East.
 

avos

Member
Jan 21, 2013
I've had great luck with Ubiquiti EdgeRouters. I've been using Vyatta for a while now, so it just made sense. They have really been making strides in the GUI, though, if that is more your thing. Pair that up with one of their access points and you have a nearly enterprise-grade setup for a consumer price.

I do wish their firewall product that is going to use the UniFi controller were out to test, though (looking at their webpage, you'd think it was already for sale). That sounds like it will be much easier for people who just want a quick and easy setup.

Don't get me wrong, I've done a lot over the years with DD-WRT. Stability, though, always seems to be an issue, even with devices that advertise being compatible.