7

A colleague asked me to recommend a router for her small business. I asked her for a specification list, and on her list, she specifies "secure".

Well, we all know that nothing is completely secure in the tech world, but I started researching router security for her. My first stop was the CERT Vulnerability Database. I typed in the names of router manufacturers, and was (somewhat) surprised to see how many routers have serious vulnerabilities.

Besides searching CERT, what other specific methods are available to help accomplish this task?

Here are the types of things I'm thinking about:

  1. Additional online resources or databases. From what I gather, CERT intentionally keeps some of their reports hidden.
  2. Public results of exploit and penetration testing.
  3. Software to perform testing.
  4. Online tools to perform testing.
  5. A list of criteria to consider.
  6. Anything else.
  • 1
    Whew, my RT AC56U router (popular router choice by the way, I could fully recommend it, or a higher end make, ASUS has pretty great router firmware and also tends to have support for open source firmware like dd-wrt in case there are any doubts about their security, I'd think this router would be decent for a small business, then it's just a question of how far she wants to take security beyond the router). But good question, I wonder how to make an informed decision on router purchases (I guess one besides what you've done would be to check for dd-wrt support) – Cestarian Apr 25 '16 at 23:40
  • 2
    Perhaps instead of just asking for methods of research (which is really just asking for reliable sites...), perhaps you might want to try phrasing the question more along the lines of "what criteria are important to consider?", e.g. which security features are important, specifics of vulnerabilities, etc. E.g. check how some of the questions in the [tag:vendor-selection] tag are framed. It's not about which is "best", it's about how to compare, and how to find the right trade-offs. (e.g. custom firmware might be great for somebody technical, but others would need secure defaults...) – AviD Apr 26 '16 at 00:05
  • 1
    PFSense, OpenWRT or a custom Linux/BSD box. Extremely cheap, no vendor lock-in, reduced attack surface (many services running on conventional routers increase the attack surface needlessly, like the web interface for example). – André Borie Apr 26 '16 at 01:38
  • 1
    While you did not ask for a specific product directly, the question was understood as a question of product recommendation by many and this is off-topic here. For more information on router security with some recommendations and lots of information on how to select and which vendors have problems see http://routersecurity.org/. You might also follow AviD's recommendation and rephrase your question so that you don't get explicit product recommendations from users who don't even know the rest of your requirements. – Steffen Ullrich Apr 26 '16 at 04:54
  • For anything ASUS, better check the list of 40 posted here: https://security.stackexchange.com/questions/183251/how-to-find-a-router-that-is-less-likely-to-get-hacked - meanwhile, my question was based on a Cox ISP-issued Linksys E2500 that is getting hit repeatedly. Power off and on brings it back, and it only happens at night. I need to find a better unit than this one. – SDsolar Apr 08 '18 at 22:34

2 Answers

3

Besides searching CERT, what other methods are available to help accomplish this task?

  • Look for vendor-specific patterns and penalize any vendors which
    • have lots of vulnerabilities
    • take a lot of time for fixes
    • expire products too quickly, i.e. make them obsolete after only a few years and stop supporting them
    • make it hard for you to find the updates
  • Check if the router can auto-update itself.
  • Check if it comes with sensible and secure defaults.
  • Make sure it is hard to configure insecurely, i.e. it warns users when switching off WiFi security, disabling the password, etc.
  • Make sure that there are no commonly known admin passwords, WPA keys or similar, i.e. the user should be forced to change any such default settings.

If these things show that the vendor has the right mindset regarding security then the systems will probably be more secure too. routersecurity.org has lots of information which will help you with this research.

Steffen Ullrich
3

I strongly disagree that devices or software with lots of published vulnerabilities are therefore less secure than those with few. And advocating that as a means of determining quality is to endorse the practice of keeping vulnerabilities secret.

While this does not apply to end-user maintained systems: A large proportion of vulnerabilities can be mitigated with basic IT skills (if the problem is known). Further, such secrecy allows the vendor to gain commercial advantage at the cost of the customers' security.

I would agree that those devices with lots of unpatched, published vulnerabilities are a risk.

Apart from that key point, I agree with Steffen's answer.

symcbean
  • Indeed, small business or no, you should have at least one capable networking guy on hand, even if he's outsourced or just your friendly neighborhood IT guy. – Cestarian Apr 26 '16 at 13:46
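
An added example, not part of either answer: one way to turn the vendor criteria from the first answer (time to fix, support lifetime) and the second answer's distinction between published and unpatched vulnerabilities into comparable per-vendor figures. The vendor names, dates and record layout are constructed for illustration; real input would come from advisory databases and vendor lifecycle pages.

```python
from datetime import date
from statistics import median

AS_OF = date(2016, 4, 26)  # assessment date (constructed)
# Constructed sample data, not real advisories: (vendor, published, fixed or None).
ADVISORIES = [
    ("VendorA", date(2015, 1, 10), date(2015, 1, 24)),
    ("VendorA", date(2015, 3, 2), date(2015, 3, 12)),
    ("VendorA", date(2015, 6, 1), date(2015, 6, 22)),
    ("VendorA", date(2015, 9, 15), date(2015, 9, 22)),
    ("VendorA", date(2016, 1, 5), date(2016, 2, 4)),
    ("VendorB", date(2014, 11, 3), date(2015, 5, 22)),
    ("VendorB", date(2015, 6, 1), None),
]
# Constructed product lifecycles: (vendor, released, end of support).
PRODUCTS = [
    ("VendorA", date(2012, 1, 1), date(2018, 1, 1)),
    ("VendorB", date(2014, 1, 1), date(2016, 1, 1)),
]

def vendor_metrics(advisories, products, as_of):
    """Per-vendor figures for the criteria discussed in the two answers."""
    out = {}
    for vendor in sorted({v for v, _, _ in advisories}):
        rows = [(p, f) for v, p, f in advisories if v == vendor]
        # A fix dated after the assessment date does not count as shipped yet.
        fix_days = [(f - p).days for p, f in rows if f and f <= as_of]
        open_age = [(as_of - p).days for p, f in rows if f is None or f > as_of]
        support = [(e - r).days / 365.25 for v, r, e in products if v == vendor]
        out[vendor] = {
            "published": len(rows),
            "unpatched": len(open_age),
            "oldest_unpatched_days": max(open_age, default=0),
            "median_days_to_fix": median(fix_days) if fix_days else None,
            "min_support_years": round(min(support), 1) if support else None,
        }
    return out

def rank(metrics):
    """Best first: fewest unpatched issues, then youngest backlog, then fastest
    fixes. The raw published count is reported but deliberately not penalised."""
    def key(vendor):
        m = metrics[vendor]
        slow = m["median_days_to_fix"]
        return (m["unpatched"], m["oldest_unpatched_days"],
                float("inf") if slow is None else slow)
    return sorted(metrics, key=key)
```

With the sample data, `rank(vendor_metrics(ADVISORIES, PRODUCTS, AS_OF))` puts VendorA ahead of VendorB even though VendorA has more published advisories, because all of VendorA's are patched and were fixed quickly.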