Network Security – Part Deux

Your network probably consists of the modem/wifi router provided by your Internet Service Provider.  Most people I know are configured this way.

This is the ABSOLUTE WORST possible security scenario there is.  It is typically extremely old and unmaintained in terms of software / firmware.  And you probably lease the equipment from them for $10 a month or something.  That $50 hunk of hardware has already netted them hundreds of dollars from you... if not thousands.

So the smart play is to go buy your own router and modem.  Walmart and Target sell them and it’s more than likely that is where you will go.  Or Amazon.  First of all, you cannot just hook a modem up to your home.  You have to call the cable company and ask them to “provision” it.  They have to apply the settings to it to allow it to work on their network.  There is NO WAY for you to do this.  They have to do it.  If there are firmware updates for your modem you have to call the cable company and tell them to apply them or “re-provision” your modem.  You can have a secure router (HA!) and still have a crappy modem which will allow you to be compromised.

So anyway, the goal here is to add security to your network.  And let me tell you up front... it will cost you money.  More than most are willing to spend.  I just did a router search at Walmart for available models at my local store.  They have an E2500 version 4 for $30.

Walmart Shit Router

They have several other routers but most are way over $100.  Anyway, let’s look at this router on Linksys’s own support page.

BWAHAHAHAHAHA

Last update: July of 2019.  Now look at Linksys’s Security Advisory Page.  First of all, this is a HORRIBLY updated page.

Double BWAHAHAHAHA

Second of all... they don’t give a flying fuck about your $30 router.  There are known exploits that they themselves published and they aren’t providing patches for them on your BRAND NEW, SHRINK WRAPPED ROUTER.  I guarantee there are a lot more vulnerabilities since CallStranger in 2020.

The only people who get updated firmware are people that SPEND SOME MONEY on the fancy routers.  In fact the ONLY router I saw with an update since June 2020 on the Linksys page was the MR9600 Version 2, and it was last updated in December.  And it costs over $300!  NOTE: I did not do an exhaustive search.

MR9600

I think the conclusion we can draw here is that Linksys has TERRIBLE router firmware support.  This report kind of sums up what I’m trying to convey.  Basically this report says every single home router on the market today contains CRITICAL FLAWS.  Vendors know about some exploits and simply don’t do anything about them.

I seriously cannot recommend ANY off-the-shelf router for home use.  You simply have to live with the fact that there is NO real level of security.  And the cheaper you go, the worse it seems to get.  That being said, if a $300 router and a $30 router have the same flaws... what’s the difference, really?

When faced with this scenario your options are fairly limited.  Do you have sensitive emails?  Do you store your passwords in a plain text file on your computer?  Videos or pics of you and your wife at the island hotel getaway?  Credit card numbers?  Bank account numbers?  Maybe someone just wants to hack you and use your IP address.  Rule number one of hacking: never originate your attack from your own machine.  What if the bad guys are attacking government servers FROM YOUR COMPUTER?  Or what if they drop kiddie porn on your computer and sell links to it on the dark web?

What if them using your bandwidth causes you to have data overages which COST YOU MORE MONEY?

First and foremost, you should encrypt any and all files that you deem to be sensitive.  Or move them to removable media.  Some folks turn their computers off when they aren’t using them.  Can’t hack it if it is off?  Or can you?  Ever heard of Wake On LAN?  Turning your computer off may not be effective.  Unplugging the network cable would be, but most of us are on wifi these days.

Another option, and this one is my favorite and what I personally do... buy a computer appliance and install a hardware firewall such as pfSense or OPNsense.  Hook the firewall directly to the modem.  While the software is free and OPEN SOURCE, the appliance of course is going to set you back a couple hundred dollars at least.  Or you can actually use an old PC, add a second ethernet port to it, and load up pfSense or OPNsense.  The only reason I don’t use an old PC is that they use a lot more electricity than one of these modern appliances, and they are on 24/7.  And the appliance has no fan and makes no noise at all.

Protectli appliance

But make no mistake, if you have an old computer in the closet it is just begging you to install a firewall OS on it.  Again though, it must have 2 ethernet ports.  A new Intel card will not set you back much money at all.  You can probably get one on eBay for almost nothing these days.

So now you have a cable from the modem to the firewall’s WAN port, and one LAN port ready for something.  There are also 2 other ethernet ports.  I use a Smart Switch, so my LAN cable goes to the switch.  I can then configure every port on the switch to be either a VLAN port or just a plain connection to the hardware firewall.

At this point you can much more safely add a wifi router, and maybe the safest way to do that is to put it on a Virtual LAN (VLAN).  That gives you another layer of security.  You can also segregate your VLAN traffic from your regular traffic.  In my case I have 2 routers.  One wifi router is mine and the other is my guest network.  Come to my house and you’ll be on my guest network, which cannot interact at all with my network.
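The guest-VLAN rule the post describes (guests get the internet and nothing on your side of the firewall) is really a question of rule ordering and default deny. The following is an added example, not the post’s or pfSense’s/OPNsense’s own code: a small first-match rule evaluator in Python with constructed rules and constructed subnets (VLAN 10 for the LAN at 192.168.10.0/24, VLAN 20 for guests at 192.168.20.0/24, firewall at .1 on each, all assumptions). It models how pf-style firewalls such as pfSense and OPNsense walk a rule list, and it shows the classic mistake of putting the "block private ranges" rules above the "allow DNS to the firewall" rule, which silently breaks guest DNS.

```python
"""Added example (not from the original post): a first-match firewall policy
evaluator for a guest VLAN.  Subnets and rules are constructed assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Assumed addressing (not from the post): LAN on VLAN 10, guests on VLAN 20,
# the firewall holds .1 on both and answers DNS for guests.
LAN_NET = ip_network("192.168.10.0/24")
GUEST_NET = ip_network("192.168.20.0/24")
GUEST_GW = ip_network("192.168.20.1/32")
RFC1918 = [ip_network("10.0.0.0/8"),
           ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str]         # "tcp", "udp" or None for any protocol
    dport: Optional[int]         # destination port, None for any
    comment: str

    def matches(self, src: IPv4Address, dst: IPv4Address,
                proto: Optional[str], dport: Optional[int]) -> bool:
        return (src in self.src and dst in self.dst
                and (self.proto is None or self.proto == proto)
                and (self.dport is None or self.dport == dport))


# Rules on the guest-VLAN interface, evaluated top to bottom, first match wins.
# The only thing guests may reach on the firewall itself is DNS; every other
# private address (the LAN, the firewall's admin UI, the other VLAN) is blocked
# before the final "anything else" pass rule lets internet traffic through.
GUEST_RULES = [
    Rule("pass", GUEST_NET, GUEST_GW, "udp", 53, "guests may use the firewall's DNS"),
    *[Rule("block", GUEST_NET, net, None, None, f"no guest access to {net}")
      for net in RFC1918],
    Rule("pass", GUEST_NET, ANY, None, None, "everything else (the internet)"),
]

# The same rules with the DNS allow placed *after* the private-range blocks:
# because 192.168.20.1 is inside 192.168.0.0/16, the block rule wins and
# guests lose name resolution.  Order matters in a first-match firewall.
MISORDERED_RULES = GUEST_RULES[1:] + GUEST_RULES[:1]


def evaluate(rules, src, dst, proto=None, dport=None):
    """Return (action, comment) for the first matching rule.

    No match means the packet is dropped: a default-deny policy, which is
    what you want on a guest interface."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(s, d, proto, dport):
            return rule.action, rule.comment
    return "block", "implicit default deny"


if __name__ == "__main__":
    flows = [
        ("192.168.20.50", "192.168.20.1", "udp", 53),    # guest -> firewall DNS
        ("192.168.20.50", "192.168.20.1", "tcp", 443),   # guest -> firewall admin UI
        ("192.168.20.50", "192.168.10.10", "tcp", 445),  # guest -> LAN file share
        ("192.168.20.50", "1.1.1.1", "udp", 53),         # guest -> public DNS
        ("192.168.20.50", "93.184.216.34", "tcp", 443),  # guest -> a website
    ]
    for name, rules in (("correct", GUEST_RULES), ("misordered", MISORDERED_RULES)):
        print(f"--- {name} rule order ---")
        for flow in flows:
            action, why = evaluate(rules, *flow)
            print(f"{flow[0]} -> {flow[1]}:{flow[3]}/{flow[2]}  {action:5}  ({why})")
```

Run it and compare the two tables: with the correct order the only private destination a guest can reach is UDP 53 on the firewall, while the misordered list blocks that too. The admin UI on the guest gateway is blocked in both cases, which is the behaviour you want, and an empty rule list blocks everything, which is the default-deny safety net.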

Or you can just plug a wifi router into your LAN port and you are good to go.  I do strongly recommend finding a router that will run OpenWRT, DD-WRT or ASUS Merlin firmware.  I simply DO NOT TRUST firmware that is not Open Source.  While Open Source firmware might not be bulletproof, it is WAY BETTER than manufacturer OEM firmware.  DD-WRT is updated seemingly WEEKLY.  Some builds are reliable, and some updates will turn your router into a brick.

Your best strategy here is to poke around in the Forums and ask “What router?  What build version is stable?”

DD-WRT and OpenWRT will typically have the latest kernel version of the operating system (Linux), which means they are basically up to date with mitigations for Linux security bugs and flaws.  They will also have the latest version of software such as OpenVPN, which would allow you to tunnel into your network from anywhere.  I run my VPN on my firewall, not on my router.

Anyway, I digress and I ramble on a lot, I know.  To summarize:

  1. Router manufacturers do not provide timely updates, or patch all known flaws.
  2. The cheaper the router, the more likely it is they won’t spend money keeping it updated.
  3. This makes OEM firmware susceptible to hacking.
  4. Use a hardware firewall such as pfSense or OPNsense.
  5. Or use a router with Open Source firmware such as DD-WRT or OpenWRT.
  6. Or do both 4 and 5.

Finally, the best routers for DD-WRT and OpenWRT support seem to be the Netgear R7000, R7800, and R9000, all of which cost a few bucks.  You can find old Nighthawk R7000 routers used pretty cheap, but if you are running a VPN your throughput may not be the greatest because of the less powerful CPU.  I personally have an R7800.

Don’t feed the bullshit monster either.  Go to the store and they talk about super fast WiFi 6 that you NEED!  No you don’t.  None of the devices you own are WiFi 6 compatible, and even if they are, the speed increases are THEORETICAL, not real world.  And besides, if you get a WiFi 6 router I don’t think there are any Open Source firmwares for them yet anyway.  You are back to hoping the manufacturer doesn’t abandon updates.

Speaking of that... how old is your router?  When is the last time you updated it?  When is the last time you rebooted it?  Rebooting will kick the bad guys off and likely you’ll get a new IP address from your internet service provider.  Hackers like always-on connections.  Having an unreliable connection is a good security measure as well.

More to come on the subject.  This is one of my favorite subjects.

One thought on “Network Security – Part Deux”

  1. G

    I personally prefer the performance of IPFire. Tested pfSense and OPNsense, and while they are good options I find the core feature set of IPFire to simply work and perform better also.
