Ask HN: What does your “Router Security Checklist” look like?
What does your "Router Security Checklist" look like? i.e. What actions do you take to ensure your wireless router is secure as possible?
http://routersecurity.org/checklist.php is really great, but kind of verbose. My attempt to boil it down to a simpler checklist: https://github.com/jonmbake/router-security-checklist.
13 comments
[ 2.7 ms ] story [ 41.3 ms ] threadDon't check for updates. Find a router that updates itself automatically.
It's a marathon, not a sprint. Find a company that writes their own firmware and uses the same firmware for multiple generations. This shows that they are willing and able to invest in security.
Or just check if the brand is Google or Apple.
Can you elaborate on that? I've never seen a router that doesn't use passwords. Does this mean to use WPA2-PSK vs WPA2?
I worked as a wireless router firmware developer for a while and as a result... I don't use them anymore. The whole industry is just producing unfixable tire-fires.
Different level of caring, but if security is important to you, put cable/dsl/fiber ntu in bridge mode.
Get a pcengines apu (or your favourite sbc), install your favourite os (ubuntu or debian for me). Don't bother with ui, just use a few nftables rules.
It actually worked out cheaper for me than the netgear thing shaped like a stealth fighter.
The other thing which really annoyed me was my ISP periodically updating settings on their stock router. Yeah, they can do that remotely if you use their unit and there's usually no good way to turn it off.
Is this setup (the linux APU in bridge mode) so that the NTU could get hacked but your internal network would still be secure behind the APU?
What protects the APU from getting hacked like a traditional router would? Just easier to secure yourself?
Did you just purchase wireless access points separately? Did you buy a seperate switch?
I've wanted to do something like this for awhile but I wasn't sure what all was involved, or if it was that much more secure.
It doesn't mean that it's the best. An x86/x64 ssh bug hurts everyone. But it means that everyone in the world gets fucked, more or less, and you don't have to worry as much.
Relying on random companies to secure your gateway puts you in the hands of random companies who not only do not care but also do not make theor own stuff and now lack the basic competence to do so.
including hardware and specific OS used?
I just don't trust the local network in the first place.