Router or Router Company with Best Security


This is a tough question because router companies are not consistent in security between different models. To tell you the truth, I have no idea which one is better. My guess would be NETGEAR, only because when I was performing a pen-test I was impressed that it was fairly hard to crack with WPA2-PSK, but WPS was enabled, so when I tried Reaver I had a lot of errors and it kept timing me out after trying a few PINs, and I think it even stopped sending out beacons and I think I saw it change channels! IDK, that is my own personal opinion based on very little experience, and I know that a lot of routers have the same security precautions, so I would love to have some feedback on what the community thinks!

-Thanks


Never trust a company.

Ever.

What you can do is understand that certain companies are more likely to do the right thing, but evaluate each and every item separately. Sometimes even the best companies produce complete and utter stinkers. When it comes to routers for personal use, I'd highly recommend taking any router supported by OpenWRT, flashing the one you get with that firmware, and using it like that.


Are we talking routers or wireless access points? I try to stay as far away from the all-in-one pieces of shit as much as I can. We deploy either Ruckus or Ubiquiti access points at client sites, and either use an in-house-built BSD firewall/router or pfSense firewall/routers. Occasionally we have to use Cisco routers for our physician sites because of hospital VPN requirements. The nice thing with the BSD boxen is if you get a power surge through the DSL or cable modem you can usually just replace the network card and you're up and running again. pfSense also has the ability to reinstall any extra packages you may have installed if they're in the backups.


So I was looking at NETGEARs and under the more expensive line I saw this...

  • Double firewall protection (SPI and NAT)
  • Denial-of-service (DoS) attack prevention

So my question is: how reliable is the DDoS prevention, and how does it work? Does it just block IPs that send too many pings to it?

And how reliable is the double firewall?

-Thanks


We tried one of those at a client site. Wicked unstable. Would randomly reboot all the time. Replaced it with a cheap dell mini desktop. Only time it reboots now is for software updates.

Still need to do more testing on it. But for my intentions it seems stable (no long-term test yet). Also I'm not running it with wifi.


You're saying DoS prevention, not DDoS. Big difference there. And yes, it will probably just drop all packets it receives from that IP. Kinda loled that they call a NAT a firewall. Even a home and kitchen router for $30 has NAT and SPI.



Yea, I was asking the same thing! Why did they add NAT as a firewall, lol!

So what exactly is the difference between a DoS attack and a DDoS? I know that DOS either stands for denial of service or disk operating system, and DDoS stands for distributed denial of service, but I never understood the difference between the two. Could you explain it to me?



They're basically the same thing, but a DDoS is a shit-ton of people doing a DoS attack on a single host. They're harder to stop since they come from multiple IP addresses. If you get a system in place like the Anonymous morons had, you can have several hundred thousand machines hitting a single site. That little NETGEAR device would crap itself from that kind of attack.



Yea, and thanks for the clarification! So a DDoS is like a botnet, in a way!


A DDoS does its work by clogging up your lines with traffic. If at most X packets per second can be processed by the router and some dolt finds a way to get 10*X machines to continuously send packets to that device, then even when the packets get dropped immediately, the legitimate traffic will have a hard time reaching your device, never mind getting dealt with by whatever lies beyond.
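The two posts above (the "drop all packets from that IP" guess and the clogged-line explanation) can be put side by side in a small simulation. This is an added example, not code from the thread and not what any NETGEAR firmware actually runs: it assumes the router's "DoS prevention" is a per-source threshold (MAX_PER_SEC packets in one second, after which that source IP is blocked), and it assumes an uplink of LINK_PPS packets per second that, when over-subscribed, delivers each sender a proportional share. The thresholds, link capacity and packet traces are all constructed.

```python
"""Added example, not code from the thread or from any NETGEAR firmware:
a per-source packet-rate limiter of the kind a SOHO router's
"DoS prevention" checkbox plausibly implements, run over two
constructed floods to show why it can block a single-source DoS, why
a DDoS slips under it, and why neither case helps once the uplink is
full.

Assumptions (mine, not the page's): the router blocks a source IP that
sends more than MAX_PER_SEC packets in one second; the uplink carries
at most LINK_PPS packets per second and, when over-subscribed, delivers
each source a proportional share of that capacity."""
from collections import Counter, defaultdict

MAX_PER_SEC = 50    # assumed per-source threshold before the router blocks the IP
LINK_PPS = 2000     # assumed uplink capacity in packets per second


class PerSourceLimiter:
    """Count packets per source in one-second buckets; a source that
    exceeds the limit is blocked for the rest of the run."""

    def __init__(self, limit=MAX_PER_SEC):
        self.limit = limit
        self.seen = defaultdict(Counter)    # second -> Counter(src -> packets)
        self.blocked = set()

    def accept(self, second, src):
        if src in self.blocked:
            return False
        self.seen[second][src] += 1
        if self.seen[second][src] > self.limit:
            self.blocked.add(src)
            return False
        return True


def squeeze_through_link(packets, link_pps=LINK_PPS):
    """The choke point upstream of the router. packets is a list of
    (second, src, is_attack). In any second with more than link_pps
    packets, each source gets an integer share proportional to what it
    sent; everything else is lost before the router ever sees it."""
    per_second = defaultdict(list)
    for pkt in packets:
        per_second[pkt[0]].append(pkt)
    delivered = []
    for _second, pkts in sorted(per_second.items()):
        total = len(pkts)
        if total <= link_pps:
            delivered.extend(pkts)
            continue
        per_src = Counter(p[1] for p in pkts)
        quota = {src: n * link_pps // total for src, n in per_src.items()}
        for p in pkts:
            if quota[p[1]] > 0:
                quota[p[1]] -= 1
                delivered.append(p)
    return delivered


def run(packets, link_pps=LINK_PPS):
    """Push a trace through the link, then the router's limiter, and
    report how the legitimate user and the attacker fared."""
    stats = Counter()
    limiter = PerSourceLimiter()
    stats['legit_sent'] = sum(1 for p in packets if not p[2])
    stats['attack_sent'] = sum(1 for p in packets if p[2])
    for second, src, is_attack in squeeze_through_link(packets, link_pps):
        kind = 'attack' if is_attack else 'legit'
        stats[kind + '_reached_router'] += 1
        if limiter.accept(second, src):
            stats[kind + '_passed_filter'] += 1
    stats['blocked_sources'] = len(limiter.blocked)
    return dict(stats)


# constructed traces, all within the same one-second window
def legit_traffic(n=20, src='192.0.2.10'):
    return [(0, src, False) for _ in range(n)]


def single_source_flood(n=5000, src='198.51.100.1'):
    return [(0, src, True) for _ in range(n)]


def distributed_flood(hosts=500, per_host=10):
    # each bot stays well under MAX_PER_SEC on its own
    return [(0, 'bot-%04d' % i, True) for i in range(hosts) for _ in range(per_host)]


if __name__ == '__main__':
    for label, trace in (('DoS ', legit_traffic() + single_source_flood()),
                         ('DDoS', legit_traffic() + distributed_flood())):
        print(label, run(trace))
```

With these constructed numbers the single attacker is cut off after 50 packets, while the 500-bot flood passes the filter untouched because no single bot ever crosses the threshold. In both runs the legitimate user still gets only 7 of 20 packets through, because the loss happened on the saturated uplink, before the router had any say; raise link_pps above the flood and the user's 20 packets all arrive. The filter protects the router and the LAN behind it, not the line in front of it.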



As Cooper said "Never trust a company. Ever."

On the job I have been moving away from using Cisco products as of late (NSA hardware additions make me a little wary...); however, I just started working with AeroHive APs, and their enterprise web portal gives you a far wider set of options to fine-tune security for your AP (VLAN tagging, etc.). Anyone that uses one of their products, I highly recommend switching over to the Enterprise Level Web portal, oh and it's a free upgrade!

Also if anyone in here knows of any security issues with AeroHive APs, etc please post. Thanks!


Like with financial investments, the trick is to diversify. If you use firewalls everywhere (say), but they're all Ocsic SAS 5055's then when an attacker discovers a flaw in that system your entire network security falls apart like a house of cards.

To prevent that you should at the very least use different models at different layers, but that increases the maintenance burden as now you need to be aware of how to properly secure at least 2 potentially vastly different systems. Security is never free...

I also firmly believe that you should base your trust on your ability to monitor a device. Do you get alerts when things go down? Did you notice them? If not, why was that? What can you do to improve that?

As an example, I have one of those cable routers at home. It's a fairly cheap Wifi-enabled router and I've already found that when I call up the cable company to resolve some issue I have with the device, they have full access to the device. That means I DO NOT TRUST that device. Not because it's a piece of shit (even though it probably is) but because I can't prevent people not explicitly authorized by me from accessing that device and doing whatever they want. They also upgrade the firmware on there automatically (which locks up the device sometimes).

My solution was to assume that device is simply an extension of the internet coming into my home. I've configured the Wifi to use the very lowest value for transmission power (turning it off means they dial down my speeds somewhat) and the only network cable coming out of it goes straight into another device I've equipped with 2 network ports and a powerful wifi adapter which is the REAL router. I have full control over that, interesting events get logged to my logging server and processed from there.

Everybody knows the quote "just because you're paranoid doesn't mean they're not out to get you". I use a variation:

Just because they're probably not out to get you doesn't mean you shouldn't be paranoid.


I have my provider put my modem in bridge mode. It then forwards the external IP address to my pfSense box. From there I have two networks. One is my home network, which is shared with my wife's office. The other is my testing network, which is in the same network space as the pineapple. I even have the gateway address set at .22. The pfSense box will allow traffic from internal to testing, but not the other way. It's much easier to work on the pineapple from my 23" monitors than my little 15" laptop. I don't have the firewall send notifications because if it's not working, it won't be able to send them anyway.

For client sites we use various network monitoring applications to keep track of the servers and firewalls.
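The "internal may reach testing, but not the other way" policy above is exactly what the SPI half of the "double firewall" marketing bullet earlier in the thread does for a living, so here it is as a toy stateful packet filter. This is an added example, not code from the thread and not pfSense's packet filter: the two subnets, the host addresses, the zone rules and the packet trace are constructed, and the SPI logic is reduced to a flow table keyed on the 5-tuple. The stateless "permit established" ACL at the end is included only to show what state buys you.

```python
"""Added example, not code from the thread or from pfSense: a toy
stateful packet filter (SPI) implementing the policy described in the
post above: HOME may open connections into the testing network, the
testing network may not open connections into HOME, and replies to
flows the firewall has already admitted pass in either direction.
Subnets, hosts and the packet trace are constructed for this example."""
from dataclasses import dataclass
import ipaddress

HOME = ipaddress.ip_network('192.168.1.0/24')   # assumed home/office LAN
LAB = ipaddress.ip_network('172.16.42.0/24')    # assumed testing LAN


@dataclass(frozen=True)
class Packet:
    proto: str          # 'tcp' or 'udp'
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    if addr in HOME:
        return 'home'
    if addr in LAB:
        return 'lab'
    return 'wan'


# first-match rules for packets that would open a NEW flow; anything
# not matched is blocked (default deny)
RULES = [
    ('home', 'lab', 'pass'),
    ('home', 'wan', 'pass'),
    ('lab', 'home', 'block'),
    ('lab', 'wan', 'pass'),
]


class StatefulFirewall:
    def __init__(self, rules=RULES):
        self.rules = rules
        self.states = set()    # 5-tuples of flows the rules have admitted

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p):
        # 1. part of a flow we already admitted (either direction): pass
        if self._key(p) in self.states or self._reverse(p) in self.states:
            return 'pass'
        # 2. a TCP segment that is not a bare SYN and matches no state is
        #    not a connection attempt; it is a stray or a spoofed "reply"
        if p.proto == 'tcp' and not (p.syn and not p.ack):
            return 'block'
        # 3. genuinely new flow: the zone rules decide, default deny
        src_zone, dst_zone = zone_of(p.src), zone_of(p.dst)
        for from_zone, to_zone, action in self.rules:
            if (from_zone, to_zone) == (src_zone, dst_zone):
                if action == 'pass':
                    self.states.add(self._key(p))
                return action
        return 'block'


def stateless_established_acl(p):
    """For contrast: a stateless ACL that lets LAB talk to HOME whenever
    the ACK bit is set ("established"). Any host on LAB can set ACK, so
    the policy is trivially bypassed."""
    if (zone_of(p.src), zone_of(p.dst)) == ('lab', 'home'):
        return 'pass' if (p.proto == 'tcp' and p.ack) else 'block'
    return 'pass'


def run_trace(fw, packets):
    return [fw.filter(p) for p in packets]


# constructed trace: expected decision in the trailing comment
SAMPLE_TRACE = [
    Packet('tcp', '192.168.1.20', 51000, '172.16.42.22', 22, syn=True),            # home -> lab SSH: pass
    Packet('tcp', '172.16.42.22', 22, '192.168.1.20', 51000, syn=True, ack=True),  # SYN/ACK reply: pass
    Packet('tcp', '172.16.42.7', 40000, '192.168.1.20', 445, syn=True),            # lab -> home SMB: block
    Packet('tcp', '172.16.42.7', 40001, '192.168.1.20', 445, ack=True),            # spoofed "established": block
    Packet('udp', '192.168.1.20', 5353, '172.16.42.22', 53),                       # home -> lab DNS: pass
    Packet('udp', '172.16.42.22', 53, '192.168.1.20', 5353),                       # DNS reply: pass
    Packet('tcp', '172.16.42.7', 40002, '198.51.100.5', 443, syn=True),            # lab -> internet: pass
    Packet('tcp', '198.51.100.5', 443, '192.168.1.20', 80, syn=True),              # unsolicited inbound: block
]

if __name__ == '__main__':
    fw = StatefulFirewall()
    for p, d in zip(SAMPLE_TRACE, run_trace(fw, SAMPLE_TRACE)):
        print(f'{d:5s} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}')
```

The fourth packet is the one worth staring at: a bare ACK from the testing network towards a home host. The stateful filter blocks it because no admitted flow matches, while the stateless "established" ACL passes it on the strength of a flag the sender chose. The UDP pair shows the same table doing the job for a protocol that has no flags at all.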


In the ADSL days I had the router in bridged mode as well, but this device must retain its wifi, otherwise I lose a few MB/s throughput.



Weird, I still get 50/5 Mbps either way.

Actually just a tad better!


Edited by barry99705

No, you misunderstand. The cable company has this thing where they offer free wifi access to all subscribers by letting them use a small chunk of the wifi from other subscribers. So if both me and my neighbor are with the same cable company, I can use up to a few MB/s of his bandwidth (it's intended for wifi roaming using your mobile) when my own AP is out of range. Both me and my neighbor were 'compensated' for this potential drop in available bandwidth by an increase in bandwidth by the maximum amount that can be used by other people. I think I went from 20 MB/s to 25 MB/s, and this excess is available to you, the paying subscriber, when nobody's around to use it; however, if you deactivate wifi on your router or otherwise disable the roaming feature, they will drop you back to the original 20 MB/s. Since I'm high up in an apartment building, other people would have to sprout some very impressive wings to make use of this feature using my AP, so effectively I just got a speed boost for free... so long as I retain the machine's ability to provide a wifi signal to the outside world. When I put the device in bridge mode, wifi would obviously be disabled, and when they discover this (which I'm sure they will) I lose the additional 5 MB/s.



Oh! I see now. There's no way in hell I'd share my WiFi, even if it is separate from your network.

Edited by barry99705
