Re: Good/secure wireless router?

Author: Lisa Kachold
Date:  
To: Main PLUG discussion list
Subject: Re: Good/secure wireless router?
Jason/Steve;

On Mon, Dec 27, 2010 at 10:18 AM, Jason Holtzapple <> wrote:

> On 12/27/2010 10:05 AM, Steve Phariss wrote:
> > Any specific reason for the Asus (not knocking it, just want to hear
> > what made you change brands....)
>
> My favorite 3rd-party firmware is Tomato. I bought the Asus mostly based
> on positive experiences from others on the tomatousb.org forum. The
> RT-N16 has enough cpu, memory and flash to be able to do a lot of
> interesting things (openvpn endpoint, upnp server, torrent client, etc)
>
> One negative is that it does not have dual-band wireless (2.4/5 GHz),
> but that feature seems to push devices that can use open firmware over
> the $100 price point.
>
> > On Mon, Dec 27, 2010 at 8:24 AM, Jason Holtzapple <
> > <mailto:ml@bitflip.net>> wrote:
> >
> >     On 12/26/2010 07:06 PM, Ariel Gold wrote:
> >     > Recommendations?
> >     >
> >     > Small network with 2 wired connections, and at least 1 wireless. Using
> >     > mac, windows, and linux....
> >     >
> >     > I'd like to make it as secure as possible (if you can point me to any
> >     > special documentation to do so that'd be great).  Fast is good too.
> >
> >     My current favorite is the Asus RT-N16 which recently replaced my
> >     vintage Linksys WRT-54G. It can use 3rd party firmware like TomatoUSB or
> >     dd-wrt.

I agree that Tomato (and other WRT tools) makes a fun and powerful linux
firmware network diagnostic device!

*WARNING: The reason one installs Tomato is to be able to control, at a
greater level, the networking IDS/IPS, stack and other settings, including
proxy etc. If you do NOT configure everything correctly (or leave remote
management, RDP/VNC and SSH on) you are opening up yourself to security
issues from the many bots that scan and target home routers.*

I also like the Cisco Small Business Router series WRVS4400N, since it is based
on two SoCs from Star Semi (9109 + 9202, both ARM9 based), the Vitesse
VSC7385 Gigabit and the Marvell TopDog draft-n WLAN chipset. According to
the GPL sources the 9109 has access to 32 MB RAM and the 9202 to 64 MB RAM.
One of the Cisco SMB WRVS4400N ARM processors is dedicated solely to
IPS/IDS. Cisco makes all of their source available for these devices, so
wonderful reverse engineering lab tests (which we all love so much) can
easily port to linux wrt; however, to date, none have been able to port any
linux stack to these dual ARM devices (hardware limitations). I.e. there is
currently no published DD-WRT, OpenWRT or Tomato firmware available for the
Cisco Small Business series routers, which also provide 1000G ethernet,
802.11B/G/N, VLAN and VPN as well as the ability to port forward a single
port or a range, hang out a nice DMZ honeypot, filter both inbound and
outbound, and exclude PPTP, multicast, and UPnP packets. The IPS function
will also interfere with a large number of known packet signatures for
BitTorrent, Skype, etc. Of course there is an extensive ability to filter
web traffic based on wordlist or URL, for businesses that find paying
bandwidth and hourly salary for Youtube surfers prohibitive.

Most of the SOHO Netgear, LinkSys and Dlink small "routers" and "modems" are
vulnerable to DNS rebinding, so check to verify that your system is not
listed:
http://www.smallnetbuilder.com/security/security-features/31212-is-your-router-one-in-a-million

Many other "home" routers have easy web based information leak exploits
which are not published. For instance, many known write conditions exist,
so a remote management script attempts to use them to get a reverse shell
written to the device, whereupon the cracker comes along and replaces the
whole firmware with their own version. One of the clues that your router
firmware has been overwritten is new "options" or greyed out options in
the web based interface; usually the newly added users will not be seen
through the Administration section either. Exploiting these holes will
also *allow you* to set your own VERSION number, etc., which can be useful
to determine if the files have been changed. Bot builders then use this 24x7
bandwidth to send email, set up open proxy phishing hacks, and run bots
against other routers and web systems and hop off. Many of these access
portals are traded on international IRC (say 10 SOHO routers for 1 SSH in
France, for instance). The sheer number of systems that can be pwned in 1
night using one of these bot tools (similar to Metasploit, using specific
plugins [easy to develop; traded on IRC or 2600 group FTPs]) is
incredible. Once on a shared network (or in the router) we have access to
ALL packets traversing the network [even SSL via sslstrip and other
sidejacking tools].

For Linux and Security professionals, I suggest nothing short of a
WPA-Enterprise (using RADIUS) connection key, VLANs and inbound and
outbound port filtering (especially if you interact in the community at
security or linux conventions, provide build source, etc.). I only advocate
SSH access via source and destination, or VPN encryption. I don't recommend
ANY remote access ever. Of course, I recommend that logging be set up to
a local mail server (using a gmail plugin should be trivial).

References:
http://freeradius.org/
http://www.linux.org/docs/ldp/howto/8021X-HOWTO/freeradius.html
--

(503) 754-4452
(623) 688-3392

http://www.obnosis.com
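Added example (not from the thread, nor from Tomato, DD-WRT or any router vendor): two defender-side checks against the DNS rebinding attacks on home-router web interfaces that the message above warns about. One is the resolver-side filter that drops upstream DNS answers pointing into the LAN; the other is the Host-header check a router's admin UI should perform. The router address, hostname and DNS answers are constructed placeholders.

```python
import ipaddress

# Ranges a public DNS answer should never resolve to. An upstream answer
# inside one of these is the tell-tale of a rebinding attempt: the attacker's
# domain first resolves to their server, then "rebinds" to the router's LAN IP.
_INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
    "fc00::/7", "fe80::/10", "::1/128",
)]


def is_internal(addr: str) -> bool:
    """True if addr falls in a private, loopback or link-local range."""
    ip = ipaddress.ip_address(addr)
    # `in` returns False when the address and network families differ.
    return any(ip in net for net in _INTERNAL)


def filter_upstream_answers(answers):
    """Resolver-side defence (the behaviour of dnsmasq's stop-dns-rebind):
    drop A/AAAA records learned from an upstream server that point into the
    LAN. Returns (kept, dropped) so the drop can be logged."""
    kept, dropped = [], []
    for a in answers:
        (dropped if is_internal(a) else kept).append(a)
    return kept, dropped


def host_header_allowed(host_header, router_addrs=("192.168.1.1",),
                        router_names=("router.lan",)):
    """Admin-UI-side defence: only serve requests whose Host header names the
    router itself. A rebound request still carries the attacker's domain in
    Host, because the browser believes it is talking to that domain.
    router_addrs / router_names are constructed placeholders."""
    host = host_header.strip().lower()
    if host.startswith("["):                 # "[v6addr]:port"
        host = host[1:host.index("]")]
    elif host.count(":") == 1:               # "name:port" or "v4addr:port"
        host = host.split(":", 1)[0]
    allowed = {a.lower() for a in router_addrs} | {n.lower() for n in router_names}
    return host in allowed


if __name__ == "__main__":
    # Constructed sample: a rebinding domain whose second answer is the LAN IP.
    print(filter_upstream_answers(["203.0.113.5", "192.168.1.1"]))
    print(host_header_allowed("evil.example"), host_header_allowed("router.lan"))
```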
---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss