What security features are offered by the BT Homehub 6?

1

A friend of mine requires tight security on her home network to deal with a child protection and safeguarding issue. As a trusted friend of the family, I was asked to help.

After some risk analysis, I have identified that the family would benefit from a router with the following features:

  • Wildcard blocking of domains (e.g. "*proxy*", etc.)
  • Blocking of specific domains (e.g. "torproject.org")
  • Firewalling of specific ports (e.g. 1194, 1743, 500, 4500, 1723, etc.)
  • MAC address filtering

A bonus would be ease of disassembly so that the factory reset switch and WPS button can be physically disconnected. (This was easy with Homehub 5.)

While I do not expect the first item on the list to be available on any consumer router, I was disappointed that the other three were not available with Homehub 5. Which of these features (if any) are available with Homehub 6?

DMCoding

Posted 2018-11-22T14:40:32.097

Reputation: 193
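The four rules in the wish list above, expressed as a small policy evaluator run over constructed connection records. This is an added example written for this page, not firmware or configuration from BT, DD-WRT or pfSense; the MAC addresses, hostnames and the `Connection` record are assumptions, and the hostname rules only apply when a name was observed (a DNS query or TLS SNI), so a connection with no visible hostname falls through to the MAC and port rules.

```python
"""Evaluate the question's four router-policy rules against constructed
connection records. Example code written for this page, not the firmware
of any router product."""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional

# Constructed policy matching the wish list in the question.
WILDCARD_BLOCKS = ["*proxy*"]            # glob patterns on the hostname
DOMAIN_BLOCKS = ["torproject.org"]       # a domain plus all of its subdomains
PORT_BLOCKS = {1194, 1723, 500, 4500}    # OpenVPN, PPTP, IPsec IKE / NAT-T
MAC_ALLOWLIST = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}  # constructed


@dataclass
class Connection:
    src_mac: str
    dst_port: int
    hostname: Optional[str] = None  # from a DNS query or TLS SNI, if seen


def domain_blocked(hostname: str) -> bool:
    """True if the hostname matches a wildcard pattern or is a blocked
    domain itself or any label underneath it (case-insensitive)."""
    host = hostname.lower().rstrip(".")
    if any(fnmatch(host, pat) for pat in WILDCARD_BLOCKS):
        return True
    return any(host == d or host.endswith("." + d) for d in DOMAIN_BLOCKS)


def decide(conn: Connection) -> str:
    """Return 'allow' or 'deny:<rule>' for one connection record.
    Cheapest and most reliable checks first (MAC, port); the hostname
    rules run last and only when a hostname was actually observed."""
    if conn.src_mac.lower() not in MAC_ALLOWLIST:
        return "deny:mac"
    if conn.dst_port in PORT_BLOCKS:
        return "deny:port"
    if conn.hostname and domain_blocked(conn.hostname):
        return "deny:domain"
    return "allow"


if __name__ == "__main__":
    samples = [  # constructed records, not captured traffic
        Connection("aa:bb:cc:00:00:01", 443, "www.example.org"),
        Connection("aa:bb:cc:00:00:01", 443, "free-proxy.example"),
        Connection("aa:bb:cc:00:00:01", 443, "www.torproject.org"),
        Connection("aa:bb:cc:00:00:02", 1194, "vpn.example"),
        Connection("de:ad:be:ef:00:00", 80, "www.example.org"),
    ]
    for s in samples:
        print(f"{s.src_mac} -> {s.hostname}:{s.dst_port} => {decide(s)}")
```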

Answers

2

I do not expect the first item on the list to be available on any consumer router

My apologies for not being able to answer your question directly regarding the availability of features in the pursuit of security, but I feel I must highlight one overriding aspect in this scenario.

The BT Home Hub provided by BT MAY NOT BE owned by the end user. For example, you talk about wanting to physically disable/disconnect the WPS and Factory Reset buttons. Doing so in a destructive manner on hardware which isn't yours will incur a cost, unless, by reading the license agreement or speaking with customer services, you're able to verify who owns the router.

Ultimately, if the BT Home Hub doesn't satisfy your "security features" list, the next best solution is to place the Home Hub into "bridge" mode and pass the connection on to a true or other, consumer-owned router (possibly one running something well documented, like pfSense etc.) which would meet both your software AND hardware requirements. Lastly, in any case, how can you be certain that physically modifying hardware won't be detrimental to functionality? Placing some tape over or supergluing a button is one thing, but cutting cables and into circuit boards is another.

njs-se

Posted 2018-11-22T14:40:32.097

Reputation: 46

That is ultimately the plan, yes: in the long term we would like to move from a system of fully monitored access to a system with a scanning proxy and dedicated AP, where the proxy will perform deep packet inspection up to and including SSL unpacking so that we can monitor social media usernames and passwords, etc. The main network (with MAC filtering) will still be available unmonitored for the rest of the family.

In the meantime, I'm worried that all of this can be circumvented by just plugging an ethernet cable directly into the hardware as in the system which you describe. – DMCoding – 2018-11-22T15:24:11.527

Removing the WPS button and reset switch proved extremely easy: all that was necessary to physically secure access was to remove the plastic button assembly, exposing the bare metal of the circuit which we then taped over. Thus it is still possible to access this functionality, but only by opening the case and shorting the circuit electronically. Super-gluing the case shut would be the next logical mechanism to reduce the attack surface further, but for now we don't think that's needed. – DMCoding – 2018-11-22T15:26:23.127

I'm not too concerned about liability. The ISP does not usually ask for these devices back when service is terminated as they are mass-produced so cheaply that they are not typically worth refurbishing. These things suffer weird failures all the time, often due to tripped cables, spilled liquids, pets, etc. I doubt BT are going to care very much about some plastic being removed. – DMCoding – 2018-11-22T15:31:10.777

Writing this with the assumption that the BT Home Hub 5 is a no-go due to the FR/WPS buttons being physically unconnectable, and/or that the HH5 doesn't meet the security features listed on the software level.

DD-WRT: https://dd-wrt.com/support/router-database/

This is a community database of hardware support for commercially available routers. Find a router without the buttons, and see how well it supports DD-WRT; if it seems like a good match, see your favourite outlets for pricing.

OR, you could build your own FreeBSD-supporting PC without the hardware buttons and install pfSense.

– njs-se – 2018-11-22T15:40:10.190

pfSense: https://www.pfsense.org/products/#requirements

List of router software solutions: https://en.wikipedia.org/wiki/List_of_router_firmware_projects

Edit: above comment should read "BT Home Hub 6"/"HH6"

– njs-se – 2018-11-22T15:46:33.423

If you're going to go the route of 'BT Hub in modem mode' [assuming it will do that, the Virgin one does] then I'd certainly have a look at Sophos UTM [contd...]

– Tetsujin – 2018-11-22T20:54:58.413

[cont'd...] [horribly long url, sorry, but they hide it quite well from searches] which is free for 50 seats & includes the main structures available to corporate customers. Well worth a look. I've used it here for many years. You need any old spare computer & 2 NICs. It will also run in a VM, but I've never tried that. – Tetsujin – 2018-11-22T20:55:13.993

@Tetsujin that looks really ideal, thank you so much. I believe we will be using it in time. For now, I'm concerned that any modem-mode solution can be mitigated by plugging in an ethernet cable. For now it looks like Homehub is not the way forward and that we need a gateway device with a MAC-based access control. Would you say this is true? – DMCoding – 2018-11-23T17:16:06.447

idk the BT hub, only the Virgin one - but on there in Modem mode, only one ethernet socket works & anything plugged into that must 'know how to be a router'; it's not a plug'n'play structure at that point. Any pressing of the reset button will basically 'fail' the entire system & it will need setting up from scratch again [which requires the admin pass]. That, in my book, would be worth a "month's grounding with no devices" & a stern "Don't do it again!!" – Tetsujin – 2018-11-23T17:36:44.897