Serious Home Firewall and Router Solutions (pt. 1)

Recently, AT&T Alien Labs has been following a new piece of malware called BotenaGo. With the new threat, it’s a good time to re-assess some of your security practices for your home network. This new threat is a lot like the old ones, but security researchers are warning that the amount of infections and attacks could go up with the release of this malware since its source code is now public. The real questions, though, are: how much do you know about your current router’s security settings, how much can you do with it to stay ahead of attackers with it, or does it need to be replaced with a router and firewall that you have full control of?

Top Ten Home Network Security Tips

In this post, you’ll find an in-depth discussion about home router security, but first, here is Crown’s Executive Top Ten List for home network security:

1. Use a router/cable modem/firewall that is less than four years old
2. Check your firewall or cable modem to see if it has the latest available firmware
3. Get and use antivirus protection; if you need a free or cheap solution, try Sophos’ Free Tools page
4. Keep your home computer software up to date, or make sure your home computer is on a Peace of Mind Plan from Crown Computers
5. Use a complex WiFi password for your wireless network
6. Never click unexpected links or download unexpected attachments in your webmail
7. Consider using a hardware firewall that is a separate device from your internet provider’s cable modem or modem/router combo
8. Instead of playing around with wireless mesh networks, run Cat6 cable to each Wifi access point that you need; this eliminates repeaters, hops, and “conga line” Wifi connections
9. Consider getting Ubiquiti networking gear, which can be managed and updated in one easy-to-access interface; Crown Computers can help with the installation and show you how to keep the system up to date
10. Know the difference between cable modem firewalls and dedicated firewall devices; if the advantages to using a firewall appliance are unclear, Crown can help you understand how to meet your security needs for your home networks

Provided Routers May Not Be Up To Date

If you’re using a router that is supplied by your service provider, it’s possible that it’s running older software than you would like it to, or that the software is totally unmaintained at this point. Typical users don’t really think too much about the router once it’s set up (unless it stops working) and service providers can provide some less-than-stellar routers because there isn’t any pressure to supply end-users with powerful tools to manage their network. Besides, customers who take their security and privacy seriously are already likely using their own router (which we’ll discuss below), or even building their own from an older computer that’s running pfSense or OPNsense.

Let’s just say, for a moment, that your model of router happens to be one that is exploitable with BotenaGo. If it is, then the only real way for you to safely use the router now is to update its software once the manufacturer’s developers release a patch. But if your router is supplied by the cable or phone company, you’re not able to make that decision, and instead, they will push an update whenever they want to update the software. This situation puts consumers in a tricky spot: to achieve adequate security, you have to take matters into your own hands and make sure that your router and firewall solutions are protecting your data and devices.

Getting to Know your (Router’s) Firewall

If you haven’t taken a look at your router’s settings, you should take some time to get comfortable with its web interface. On Windows, you can find your router on the network with these simple steps:

1. Open Command Prompt (by searching “cmd” or “command,” or by using Win+X and opening PowerShell)
2. Type the command “ipconfig” and hit enter
3. Take note of the Default Gateway for the adapter that is connected to the router (it will be a number from a private IP block, like 192.168.1.x)
4. Enter this address in a browser of your choice
5. If you are prompted for a password, look at the router device, which may have an “Access Code” printed on it; if you can’t find any, do a quick search online for the router’s manufacturer and/or model, and “default login” to find it

This web interface is where you can change settings related to WiFi (such as SSID name, passkey, radio channels, etc.) or the built-in firewall. By default, the router should be set up to refuse connections from “WAN” or outside of your home network. Rules are written for what kind of connections are allowed, and usually look like this:

There are some cases, however, where ports need to be open (usually for online gaming and other practices that require a direct connection over the internet). If this has been done in the past on your device, and you no longer use the game or service that a port was opened for, then you should close it immediately.

The exploits for routers included in BotenaGo, to take one example, give hackers access to these controls, as well as all of the other settings in the router. With that kind of control over your network, they could simply log on to your router and start gathering data, or use your devices as part of their own network to launch an attack on a target.

Bridging, Passthrough, or Cascaded Routing

If you’re comfortable with the concepts involved in managing a firewall, and interested in managing your router without relying on your service provider, you can use your own router, even if you still use a DSL or cable modem to terminate the line from the internet (provider). Most modem/router combos have settings for bridged mode, ip passthrough, or cascaded routing which are all ways of passing off the routing job to another device.

When setting these up, it’s important to see which functions the provider’s router still serves when choosing between them. For instance, using the modem/router in bridged mode usually means that it would still handle DHCP server functions; IP passthrough mode turns off the modem/router’s firewall, and assumes that you are putting one behind it (but would create a “DMZ node,” unprotected by a firewall, unless a firewall is implemented).

Run Your Own Router

This setup may be a little more involved, but the advantage here is that the router for your home network is supplied by you, meaning that you can be the one to update the software to protect yourself from the newest exploits and vulnerabilities. When the manufacturer makes a patch available, you can be sure that you have the best protection possible, instead of waiting for someone to make the decision for you.

Some good choices for a new (wireless) router are the Netgear Nighthawk, and the ASUS RT-AX3000. They boast quite a few desirable features, but, most importantly, are WiFi 6 routers (802.11ax), making their top speed more than 10 Gbps with “WiFi 6 ready” clients (like the iPhone 11 and Galaxy S10). These types of speeds help support streaming on your home network, especially for devices that need low latency for games and video calls.

While these routers offer the latest in WiFi mesh network technology (which is designed to help you achieve better coverage in your home), the success of your wireless network setup depends on a lot of factors that you may not have control over. Join us next week for a discussion on the limits of WiFi and the advantages of running wired connections to as many devices as possible.

-Written by Derek Jeppsen on Behalf of Sean Goss and Crown Computers Team