C4 Forums | Control4

Router recs to replace Apple routers?


1 hour ago, C4 User said:

In addition to deep packet scanning, in today’s world, I recommend a security device that is able to scan encrypted traffic too.  As the hacks are starting to use HTTPS sites....

Yes.  Again, a quality threat management appliance will stream-scan both http and https.


3 minutes ago, CFUG said:

Yes.  Again, a quality threat management appliance will stream-scan both http and https.

Yes and no. Very few will do SSL and when you do it you REALLY have to trust it.


For a home, I don't see the need for a separate security/firewall device.

If you purchase a great router from the start, you'd have all those features built-in on one device and the tools needed for any network inspection.

Vote: Mikrotik 


For a home, I don't see the need for a separate security/firewall device.

If you purchase a great router from the start, you'd have all those features built-in on one device and the tools needed for any network inspection.

Vote: Mikrotik 

MikroTik is one of those named as vulnerable. I'm sure they will fix it...


4 minutes ago, ecschnei said:

MikroTik is one of those named as vulnerable. I'm sure they will fix it...

The only reason it would be on the list, is because someone thought they knew what they were doing and didn't properly protect the router.  There is a "quick setup" option with them, but it does not fully lock down everything.  That has to be done manually.


2 hours ago, lippavisual said:

The only reason it would be on the list, is because someone thought they knew what they were doing and didn't properly protect the router.  There is a "quick setup" option with them, but it does not fully lock down everything.  That has to be done manually.

For reference, in case anyone is running RouterOS and relying on its firewall.

https://forum.mikrotik.com/viewtopic.php?t=132499


5 hours ago, Pounce said:

Do you know if this is only an issue when VLAN's are involved?

I'm not going to claim ANY specifics or details beyond what I said. I already mentioned I've seen no issues personally, but that I've not used any mentionable number of UBQT gear  to really have an opinion. Just wanted to point out the fact of the 'blacklisting'


No worries. I was just curious. I see from communications that Ubiquiti and C4 are discussing.

I just thought that the feature is probably only potentially needed when there are VLAN's present. I'm not sure of the percentage of sites where VLAN's are leveraged.


Below is from a recent article published on Drudge Report regarding Russian hacking of home and small business networks.  Many of the more common lower end devices are listed as vulnerable.

In obtaining the court order, the Justice Department said the hackers involved were in a group called Sofacy that answered to the Russian government.

Sofacy, also known as APT28 and Fancy Bear, has been blamed for many of the most dramatic Russian hacks, including that of the Democratic National Committee during the 2016 U.S. presidential campaign.

Earlier, Cisco Systems Inc said the hacking campaign targeted devices from Belkin International’s Linksys, MikroTik, Netgear Inc, TP-Link and QNAP.


Thanks for the replies regarding new network gear, I was traveling so only now got a chance to check in.  Looks like there are many options out there that I hadn't heard of and that I will need to look into.  Thanks again.


On 5/24/2018 at 7:43 AM, Cyknight said:

With the clear underscore that I have not seen any issues whatsoever to date myself (though I haven't used it much) - please take note that Ubiquiti is in fact on Control4's do not use list due to the lack of PIM multicasting.

In the same vein, note that any repeater use (mesh or otherwise) is also against C4 recommendation (this does NOT include Mesh systems using all hardwired APs!!!)


Google and Eero are also on the do-not use list, though in general I wouldn't recommend ANY consumer class router for Control4.

I assume PIM multicasting is for VLAN configurations. With just a flat configuration without different VLANs, is the lack of PIM multicasting support still an issue?


On 5/24/2018 at 2:08 PM, Cyknight said:

I'm not going to claim ANY specifics or details beyond what I said. I already mentioned I've seen no issues personally, but that I've not used any mentionable number of UBQT gear  to really have an opinion. Just wanted to point out the fact of the 'blacklisting'

Looks like the issues are known within the C4 community.

"but most routers you'd find in a residential setting where Control4 would be used are in the same boat there. Likely most such installs are all on the same network where the router's PIM support isn't relevant."


https://community.ubnt.com/t5/UniFi-Wireless/Unifi-Made-Control4-s-Do-Not-Use-List-PIM-Support/td-p/2288539


  • 2 weeks later...
On 5/24/2018 at 4:17 PM, Pounce said:

Use a security appliance from a major company.

Please could you give some examples Pounce

Would rather not invent the wheel if we the experienced people on this forum


7 hours ago, Mike_S101 said:

Please could you give some examples Pounce

Would rather not invent the wheel if we the experienced people on this forum

Ubiquiti USG's and SonicWall have been mentioned. Fortinet is another. It's not that these are immune to issues, but the larger companies are going to have fixes turned around faster.


20 minutes ago, thegreatheed said:

Wasn't the router malware issue limited to routers with default credentials and remote management turned on? 
 

I am not sure if the actual vector is public. Pretty consistent to recommend changing default passwords and keeping firmware updated.

https://arstechnica.com/information-technology/2018/06/vpnfilter-malware-infecting-50000-devices-is-worse-than-we-thought/#p3


Comment on that article:

"As far as the infection method used to install VPNFilter, the vulnerabilities are different for every model and firmware combination. But they're believed to be known flaws that have already been patched.

So what can you do to protect your devices from getting VPNFilter, or any other malicious software? 1) Don't expose administrative interfaces or services to the Internet. Just don't. It's really hard for security professionals to do this, meaning it's basically impossible for regular users. So don't enable remote administration of your router, and don't share your NAS with the Internet. 2) Keep it up to date. Vendors fix vulnerabilities, but that doesn't help you if you don't patch them."


6 minutes ago, thegreatheed said:

Comment on that article:

"As far as the infection method used to install VPNFilter, the vulnerabilities are different for every model and firmware combination. But they're believed to be known flaws that have already been patched.

So what can you do to protect your devices from getting VPNFilter, or any other malicious software? 1) Don't expose administrative interfaces or services to the Internet. Just don't. It's really hard for security professionals to do this, meaning it's basically impossible for regular users. So don't enable remote administration of your router, and don't share your NAS with the Internet. 2) Keep it up to date. Vendors fix vulnerabilities, but that doesn't help you if you don't patch them."

This is correct.  Basically, if you just bought a router off the shelf, plugged it in and off to the races, you're vulnerable.

Any integrator here that offers networking services and performs those services correctly, you shouldn't have any problems with this BS.

 

Now for Mikrotik, I only use a Windows program called Winbox to connect to my routers.  I disable all remote administration services like telnet, ftp, ssh, web gui (port 80), etc, and only leave winbox port open.  This, coupled with a strong username and password is extremely difficult to hack into, especially for moderate home users.

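The lockdown described in the post above, written out as RouterOS CLI commands. This is an added example, not part of any poster's message or MikroTik's own configuration, and it goes one step further than the post by restricting Winbox to the LAN. The `LAN` interface list and the `192.168.88.0/24` subnet are assumptions taken from the RouterOS default configuration.

```routeros
# Added example. Assumes the default "LAN" interface list and the factory
# LAN subnet 192.168.88.0/24; adjust both to the actual network.

# Review which management services are currently enabled and on which ports.
/ip service print

# Disable every management service except Winbox.
/ip service disable telnet,ftp,www,www-ssl,ssh,api,api-ssl

# Accept Winbox logins only from the LAN subnet, not from any source address.
/ip service set winbox address=192.168.88.0/24

# Limit layer-2 management (MAC-Telnet, MAC-Winbox) and neighbor discovery
# to LAN-side interfaces so the router does not answer them on the WAN port.
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/ip neighbor discovery-settings set discover-interface-list=LAN

# Input chain (traffic addressed to the router itself): allow replies to
# connections the router opened, allow Winbox from the LAN, drop the rest
# of what arrives on non-LAN interfaces.
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="accept established,related"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=8291 comment="Winbox from LAN only"
add chain=input action=drop in-interface-list=!LAN comment="drop all other input not from LAN"
```

The `add` commands append after any existing input rules, so check the resulting order with `/ip firewall filter print` before relying on it.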

Again, the actual attack vector is not mentioned. Mentioning to set passwords, managing remote admin and keeping firmware up to date is just plain basic security. You can do ALL of those things and still be vulnerable. This is simple logic. 


Archived

This topic is now archived and is closed to further replies.

