Author Topic: router question for skuzzy  (Read 619 times)

Offline eagl

  • Platinum Member
  • ******
  • Posts: 6769
router question for skuzzy
« on: July 23, 2009, 10:53:57 PM »
Skuzzy,

I'm faced with the reality that I can't make my home computers "safe", nor can I guarantee the "safeness" of the users because one of them is not me.  My wife is reasonably smart about computers and she has not once gotten tricked into installing malware (she always asks me before clicking, smart girl) but I don't want to take chances.

What sparked this question is a report on CNN that some hackers have managed to crack into a number of consumer-grade routers, making a bios hack or replacing the bios altogether (like the easily available and customizable linksys wrt54G bios hacks) and turned the routers themselves into botnet nodes.  It's a bit scary even though I have supposedly turned off the back doors on my router by changing passwords and disabling external admin access...

So, any advice on home routers?  I've read you scoff at home broadband routers, even though I've had good luck with them.  Do you have any alternative that doesn't require a lot of admin time or cost much?  I don't have time to learn enough about those special purpose stripped down *nix variants people use for routers, and I doubly don't want to install one without being able to spend time configuring it.  And I don't have time.  I also don't have loads of cash to spend on an expensive commercial router.  What I DO have is a spare computer I could probably use.

In the meantime, I'm just using a generic linksys broadband router that also has 802.11G wireless.  The security setup in use is that I have changed all the passwords, disabled WAN router admin access, and am using WPA or WPA2 with a non-trivial access key.  I have no ports punched through the router at this time however I think I have it set to open up a few random ports for bit torrent transfers and sometimes I experiment with punching through the ports that AH uses (from a howto you posted about 8 years ago)...

Recommendations that don't require much geekery or too many $$$?
Everyone I know, goes away, in the end.

Offline RTHolmes

  • Plutonium Member
  • *******
  • Posts: 8260
Re: router question for skuzzy
« Reply #1 on: July 24, 2009, 03:44:27 AM »
I have changed all the passwords, disabled WAN router admin access, and am using WPA or WPA2 with a non-trivial access key.

disable ping from WAN and SNMP if it's available too and you're good to go :)
71 (Eagle) Squadron

What most of us want to do is simply shoot stuff and look good doing it - Chilli

Offline Skuzzy

  • Support Member
  • Administrator
  • *****
  • Posts: 31462
      • HiTech Creations Home Page
Re: router question for skuzzy
« Reply #2 on: July 24, 2009, 06:05:21 AM »
I "scoff" at consumer grade routers for many reasons.  The lack of proper security is one of them.

I got so frustrated after going through 6 or 7 of them, that I built my own.  Maintenance wise, it does not require any attention at all.  My router/firewall has been running for years.  It does take a bit of effort to configure though.

I have threatened to do a white paper on configuring one.  I just never seem to have the bandwidth available to get it done.
Roy "Skuzzy" Neese
support@hitechcreations.com

Offline eagl

  • Platinum Member
  • ******
  • Posts: 6769
Re: router question for skuzzy
« Reply #3 on: July 24, 2009, 08:02:57 AM »
You built one yourself...  Did you use one of those "tinyrouter" (or whatever they're called) stripped down linux configs?  Or something else?

Yea the consumer routers are scoffable, but I haven't seen even one haxor get through even though the router logs show the usual attempts...
Everyone I know, goes away, in the end.

Offline Skuzzy

  • Support Member
  • Administrator
  • *****
  • Posts: 31462
      • HiTech Creations Home Page
Re: router question for skuzzy
« Reply #4 on: July 24, 2009, 11:03:19 AM »
I started with a version of Slackware Linux, then built a special purpose kernel, wrote new Ethernet drivers, wrote real-time stack management filters/rules which hook in at the Ethernet hardware level.

My router has been running for over 12 years.  Except for the occasional power outage reboot, it has worked very well.  It is an old 550 MHz Pentium III box with 256 MB of RAM.  4 Seagate Cheetah HDs allow it to be a file server on our network.

Over the years I have fine tuned it, but pretty much just leave it alone.  No LISTENERS are exposed to the Internet so there is nothing in the logs to look at.

This is one of the failings of most consumer routers.  They insist on actually snooping on all ports so they can log any activity.  Dumb.  Stupid really.  You only want to log intrusions attempts on ports that can actually be exploited.
Roy "Skuzzy" Neese
support@hitechcreations.com
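Skuzzy's point above is that a firewall with no WAN-facing listeners has nothing worth logging, and a router that logs every probe to every port buries the one line that would matter. The following is an added example, not code from the thread or from any product named in it: a POSIX shell/awk triage of netfilter LOG lines (the iptables LOG target format) that aggregates probes by protocol and destination port, then marks only those aimed at a port where a listener is actually exposed. The log lines are constructed for the example; the interface name, the addresses, the "FW-DROP" prefix and the EXPOSED_PORTS list are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: triage netfilter LOG lines so that only
# probes against ports with a real listener are flagged for review.
# SAMPLE_LOG is constructed; interface, addresses and the FW-DROP prefix are
# assumptions for illustration.

SAMPLE_LOG='Jul 30 02:11:04 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=48 ID=1 DF PROTO=TCP SPT=41234 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 30 02:11:09 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=48 ID=2 DF PROTO=TCP SPT=41235 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 30 02:12:51 fw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 LEN=60 TTL=52 ID=3 DF PROTO=TCP SPT=55001 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 30 02:12:52 fw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 LEN=60 TTL=52 ID=4 DF PROTO=TCP SPT=55002 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 30 02:14:03 fw kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.200 DST=198.51.100.2 LEN=78 TTL=60 ID=5 PROTO=UDP SPT=161 DPT=161 LEN=58
Jul 30 02:15:30 fw kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.201 DST=198.51.100.2 LEN=60 TTL=55 ID=6 DF PROTO=TCP SPT=60222 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 30 02:16:00 fw kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.2 LEN=60 TTL=50 ID=7 DF PROTO=TCP SPT=60223 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0'

# Ports on which this box really does have a WAN-reachable listener (assumption).
# Everything else in the log is background noise against a closed port.
EXPOSED_PORTS="TCP/22"

# summarize_drops: stdin = netfilter LOG lines, stdout = "count PROTO/DPT",
# most frequent first (ties broken alphabetically so output is deterministic).
summarize_drops() {
    awk '
        / IN=/ && /DPT=/ {
            proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (proto != "" && dpt != "") count[proto "/" dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2,2
}

# classify: stdin = output of summarize_drops. A probe only deserves a human
# look if it hit a port where something actually listens.
classify() {
    while read -r count key; do
        case " $EXPOSED_PORTS " in
            *" $key "*) printf 'REVIEW %s %s\n' "$count" "$key" ;;
            *)          printf 'noise %s %s\n'  "$count" "$key" ;;
        esac
    done
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_drops | classify
```

On a real box, replace the constructed sample with `journalctl -k` or `/var/log/kern.log` piped into `summarize_drops`; the point of the EXPOSED_PORTS allow-list is that the telnet and SMB noise never reaches a person.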

Offline llama

  • Silver Member
  • ****
  • Posts: 819
      • http://www.warrenernst.com/
Re: router question for skuzzy
« Reply #5 on: July 29, 2009, 12:58:46 PM »
Eagl,

It sounds like what you want is some sort of device that you can remove from the box, plug into your network, and with less than 15 minutes of configuring or effort, will be significantly better than an off-the-shelf linksys router, BUT you don't want to be bothered with a "custom Linux firmware" for a router.

I'm afraid I know of no such device.

First, it sounds like your current strategy and configuration of your linksys router is excellent. Unless you are aware of some problem with your setup, I would suggest leaving it alone.

But suppose you really want to tinker with things. Next step is a consumer-grade router that supports one of the Linux-based firmwares you were badmouthing, such as DD-WRT. I really like DD-WRT, use it at my place, and have it installed with some clients too. Installing it is really no different than updating the firmware with something from Linksys: you download the firmware file, log into the linksys router and go to the firmware update screen, browse to the new firmware, and click "Update." Within 60 seconds the DD-WRT firmware file uploads to the router, gets read into the chips, and then the router reboots. Go to 192.168.1.1 (or whatever) with your web browser, and start using the new GUI to configure things.

Not only do you get TONS more options, but since it is open-source, there are lots of eyeballs looking at the code and fixing things as they are found. DD-WRT recently found a serious security flaw, (the first major one in several years), but a workaround fix was immediately posted and a new firmware available in 1 or 2 days. Linksys would never release a replacement firmware that quickly, let alone announce there was a problem at all, let alone even finding the problem quickly. Do you really think there's someone at Linksys checking old firmwares for old devices for security flaws?

Next step up are "pro-sumer" routers called Unified Threat Management (UTM) devices from companies like SonicWall. They run between $200 and $1000 and claim to be able to scan all packets for malware and viruses before your PCs even see them. I reviewed 4 of them last year and found them all to, in a word, suck. They are fine routers and firewalls, but their antimalware definitions were minuscule and let most of my test malware zoo through easily. As firewalls they had less options than DD-WRT (though better content filtering for childproofing your connection), but they were easy to configure and most had wireless built in too.

Next step up is a standalone PC with two network cards and a Linux distro acting as a firewall. The easiest ones to use are dedicated to this job, like ClarkConnect (http://www.clarkconnect.com/index.php), which have lots more features than a router but are only slightly more complicated to configure. Or install a standard distro like Ubuntu and roll your own firewall from scratch, though this is really more like a new hobby than you probably want.

I've gone the latter route too, and it was enjoyable to tinker with things but annoying to have a large computer constantly running, making noise, consuming 100 watts (versus 5 watts for a linksys router), regularly backing it up, replacing failed components, and then having a separate wireless access point for my notebooks (the linksys has wireless built-in, recall).

I think DD-WRT (or one of its cousins) is probably the best middle ground for what you want.

-Llama


Interesting server at 69.12.181.171
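llama's last option, a PC with two network cards and Linux as the firewall, is the one Skuzzy runs, and a ruleset for it need not become a hobby. As an added example that is not from the thread or from any distribution mentioned in it, here is a POSIX shell script that generates an iptables-restore ruleset for such a box: default deny, nothing accepted by the box itself on the WAN side, WAN ping and SNMP dropped as RTHolmes suggested, and logging restricted to new connections on the ports deliberately forwarded to LAN hosts (the BitTorrent or AH ports eagl mentioned), which is Skuzzy's rule of logging only what can actually be exploited. The interface names eth0/eth1, the 192.168.1.0/24 LAN, the "proto:port:host" forward syntax and the FW-FWD log prefix are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: emit an iptables-restore ruleset for an
# old PC with two NICs acting as the home router/firewall. Interface names,
# the LAN range, the forward syntax and the log prefix are assumptions.

emit() { printf '%s\n' "$1"; }

# gen_rules WAN_IF LAN_IF LAN_NET "proto:port:lanhost ..."
# Prints a complete ruleset. The box accepts nothing arriving on the WAN
# interface for itself; only new connections to forwarded ports are logged.
gen_rules() {
    wan=$1
    lan=$2
    lan_net=$3
    forwards=$4

    emit '*nat'
    emit ':PREROUTING ACCEPT [0:0]'
    emit ':POSTROUTING ACCEPT [0:0]'
    emit ':OUTPUT ACCEPT [0:0]'
    # Each forward becomes a DNAT to the LAN host on the same port
    for f in $forwards; do
        proto=${f%%:*}; rest=${f#*:}; port=${rest%%:*}; host=${rest#*:}
        emit "-A PREROUTING -i $wan -p $proto --dport $port -j DNAT --to-destination $host:$port"
    done
    emit "-A POSTROUTING -o $wan -s $lan_net -j MASQUERADE"
    emit 'COMMIT'

    emit '*filter'
    # Default deny; everything below is an allow-list
    emit ':INPUT DROP [0:0]'
    emit ':FORWARD DROP [0:0]'
    emit ':OUTPUT ACCEPT [0:0]'
    emit ':WAN_IN - [0:0]'
    emit '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    emit '-A FORWARD -m conntrack --ctstate INVALID -j DROP'
    emit '-A INPUT -i lo -j ACCEPT'
    emit '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    emit '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # The LAN may manage the box (SSH, ping) and may go out to the WAN
    emit "-A INPUT -i $lan -s $lan_net -p tcp --dport 22 -j ACCEPT"
    emit "-A INPUT -i $lan -s $lan_net -p icmp -j ACCEPT"
    emit "-A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT"
    # Forwarded ports are the only WAN-reachable listeners, so they are the only
    # thing worth logging; rate-limited so a scan cannot fill the disk
    for f in $forwards; do
        proto=${f%%:*}; rest=${f#*:}; port=${rest%%:*}; host=${rest#*:}
        match="-i $wan -o $lan -d $host -p $proto --dport $port -m conntrack --ctstate NEW"
        emit "-A FORWARD $match -m limit --limit 10/min -j LOG --log-prefix \"FW-FWD \""
        emit "-A FORWARD $match -j ACCEPT"
    done
    # Anything else arriving on the WAN for the box itself: drop without logging.
    # Ping and SNMP are named explicitly so the intent is visible in the ruleset.
    emit "-A INPUT -i $wan -j WAN_IN"
    emit '-A WAN_IN -p icmp --icmp-type echo-request -j DROP'
    emit '-A WAN_IN -p udp --dport 161 -j DROP'
    emit '-A WAN_IN -j DROP'
    emit 'COMMIT'
}

# apply_rules: same arguments; needs root. iptables-restore swaps the whole
# ruleset atomically, so a typo does not leave a half-applied firewall.
apply_rules() {
    gen_rules "$@" | iptables-restore
}

# Stand-alone run just prints the ruleset for review before applying it.
gen_rules eth0 eth1 192.168.1.0/24 "tcp:6881:192.168.1.20"
```

Review the printed output, then run `apply_rules eth0 eth1 192.168.1.0/24 "tcp:6881:192.168.1.20"` as root; with an empty forward list the ruleset contains no LOG rule at all, which is the "nothing in the logs to look at" state Skuzzy describes.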

Offline Fulmar

  • Gold Member
  • *****
  • Posts: 3936
      • Aces High Movie Database
Re: router question for skuzzy
« Reply #6 on: July 29, 2009, 03:16:19 PM »
I've been using linux based firewall boxes for quite some time.  I became frustrated with going through cheap routers for what they were worth and they'd frequently lock up during heavy traffic, plus the lack of options wasn't always there for me.

I started out using Smoothwall and quickly moved over to the off-shoot IPCop.  Basically you're taking an old PC (you can run these on something as slow as a 386 in some configurations).  Anything above 100 MHz should be fine.  I've used PCs in the 400-550 MHz range and they worked great.  I recommend finding a Micro-ATX box if possible as they take up little space wherever you keep this thing.  The interfaces for these guys are pretty user friendly.  There is a good community to help you set up these rigs and I didn't have any problems for being QUITE green at Linux.  For the power friendly person, I'd recommend one of these builds.  I had a P3 550 MHz IBM Micro-ATX box use only 35W-40W and it ran solid for months (unless I had to reboot for an update).  Also check out Monowall.


Currently, I'm running Clark Connect which seems to have a little bit bigger following.  It's more of an all in one box.  You can keep your Firewall, FTP, Email, Data Backup, etc all in one computer.  I currently use it for Firewall, FTP, and File Sharing.  Since its an old box, I don't trust it as a primary data back-up server.

For ClarkConnect you need at least a 500 MHz CPU, and 512 MB of RAM is recommended.  For my IBM Aptiva box (max of 256 MB RAM), I had to upgrade.  I started out using an XP1600, then a 2000+, and now a 2600+ with 1.25 GB of RAM.  It uses a bit more power at idle (120W IIRC) but I have 4 hard drives with a number of fans.

Install with all these firewalls are about the same in difficulty, but ClarkConnect's web interface is nicer IMO, especially with installing addons like FTP, Email Server etc.

My Network is setup like this:
Cable Modem -> ClarkConnect Box -> D-Link Wireless Router (DHCP/Firewall off, acts as a switch/wireless access point) ->  Internal network
In game callsign: not currently flying
Flying off and on since Warbirds
Aces High Movies available at www.derstuhl.net/ahmd2 - no longer aceshighmovies.com - not updated either

Offline Vulcan

  • Plutonium Member
  • *******
  • Posts: 9911
Re: router question for skuzzy
« Reply #7 on: July 29, 2009, 04:58:07 PM »
Eagl Sonicwall released two baby boxes recently.

The TZ-100 and TZ-200. This should bring some decent security features down into the SOHO market. They beat the pants off anything else mentioned in this thread so far. llama and I disagreed over his analysis of sonicwall - and the new models bring a lot more functionality into the low end. Anyhoo, worth checking out. remember that though they cost you don't have to fluff around building a linux box :)

Offline eagl

  • Platinum Member
  • ******
  • Posts: 6769
Re: router question for skuzzy
« Reply #8 on: July 29, 2009, 07:43:13 PM »
Thanks everyone!  I'll look into all of your suggestions.  Llama, I think I might have an old linksys router that I could use as a testbed to see if I like the interface and feature set better than the factory one that's worked so far.  I think I already decided that I can use a second router internal to my LAN for childproofing, and just have my kid (he's only 16 months old, but we're planning ahead eh?) connect only through that router instead of through the lan proper.  That way I can restrict access through his access point and not have to run my and my wife's connections through the kiddy filter.

Again, thanks for the suggestions. 
Everyone I know, goes away, in the end.

Offline Skuzzy

  • Support Member
  • Administrator
  • *****
  • Posts: 31462
      • HiTech Creations Home Page
Re: router question for skuzzy
« Reply #9 on: July 30, 2009, 02:52:00 PM »
Eagl Sonicwall released two baby boxes recently.

The TZ-100 and TZ-200. This should bring some decent security features down into the SOHO market. They beat the pants off anything else mentioned in this thread so far. llama and I disagreed over his analysis of sonicwall - and the new models bring a lot more functionality into the low end. Anyhoo, worth checking out. remember that though they cost you don't have to fluff around building a linux box :)

Oh really :)

My little box will pass all the firewall suites as well as any Sonicwall product.  Come on Vulcan, you had to know I would not do anything half-ass.  :)
Roy "Skuzzy" Neese
support@hitechcreations.com

Offline Vulcan

  • Plutonium Member
  • *******
  • Posts: 9911
Re: router question for skuzzy
« Reply #10 on: July 31, 2009, 04:47:02 AM »
Oh really :)

My little box will pass all the firewall suites as well as any Sonicwall product.  Come on Vulcan, you had to know I would not do anything half-ass.  :)

Has your box got a purpose-built Cavium Octeon network processor :D  (with real-time L7 packet inspection)


Offline Skuzzy

  • Support Member
  • Administrator
  • *****
  • Posts: 31462
      • HiTech Creations Home Page
Re: router question for skuzzy
« Reply #11 on: July 31, 2009, 06:54:15 AM »
Has your box got a purpose built cavium octeon network processor :D  (with realtime l7 packet inspection)

Hehe.

It does have realtime packet inspection.  That is why I had to write the drivers for it.  The inspection occurs on the Ethernet card parallel to the CPU.  Bad guys never see system RAM.  I always felt that was a fault of many firewall boxes.  If the primary CPU has to deal with a bad packet, then you are at risk.  Might as well get a Cisco PIX.

Like I said, it will pass every firewall suite any Sonicwall will.

Raw throughput is wire speed, regardless of the number of open connections.  For my usage, it really would be a waste of processing power to have any faster hardware.
Roy "Skuzzy" Neese
support@hitechcreations.com

Offline Vulcan

  • Plutonium Member
  • *******
  • Posts: 9911
Re: router question for skuzzy
« Reply #12 on: August 01, 2009, 10:40:58 PM »
Like I said, it will pass every firewall suite any Sonicwall will.

EAL4+?

Muahahahahaha