by Havoc 4089 days ago
I've just accepted that residential routers are full of assorted orifices (security holes, backdoors & holes in functionality).

Then again I'm not hiding anything dubious - if I was I'd install a firewall box asap. (And yes I know the "nothing to hide" slippery slope etc argument)


> I'm not hiding anything dubious - if I was I'd install a firewall box asap.

This person does not do online banking, does not have a webcam or mic installed device such as a laptop, and does not have an email account.

The only reason I don't have a firewall box behind my residential router is because I don't have money to buy extra hardware.

To be fair, I know that firewalls have come to be considered "good security practice" -- but I've always been more comfortable only exposing programs that are supposed to talk to the Internet. Any recent version of Windows (say 8.1) comes with a firewall enabled (and that's needed, as Windows still is a bit chatty with various SMB protocols etc... just don't enable file sharing on your LAN, if it's not protected from the Internet...). Don't know about OS X -- and for a Linux box, one can just make sure that everything is either off, listens to loopback -- or is supposed to be open.

Now, in many settings one does need a "LAN" in the sense of a firewalled playground for hopeless consumer devices, such as printers, IP web cameras etc.

Perhaps the biggest reason to have a firewall is if you're running Windows -- as unpatched Windows machines live dangerously on the open Internet. And you'll be unpatched from initial install until you've patched up...

AFAIK it's been a while since any major Linux distro shipped with a remote (no action needed, like browsing) vulnerability out of the box.

As for "does not have an email account" -- I generally assume that anyone with half a brain can patch into the upstream DSLAM of my DSL line, so anything between me, and everywhere else is suspect. Which is of course why I protect my IMAP/SMTP with TLS.

[edit: consider people that use a laptop outside of the home -- they'll probably have to use dubious wireless links. It's more convenient to assume that the trust-boundary between you and the internet is at the local ethernet port/wireless card -- than anywhere else. That way you can have one set of "OpSec" that works (or not) wherever you are -- rather than fighting an uphill battle of situation awareness...]
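The rule in the comment above (every listening service is either off, bound to loopback, or deliberately exposed) can be turned into a check. The following is an added example, not code from the thread or any of its participants: it reads text in the layout of `ss -ltn` output and reports every socket that is reachable beyond loopback and not on an allowlist of intended ports. The sample output and the allowlist (`INTENDED_PORTS`) are constructed for the example.

```python
"""Listening-socket exposure check.

Added example; not code from the thread. It applies the rule: every
listening service should be off, bound to loopback, or deliberately
exposed. Input is text in the shape of `ss -ltn` output; the sample
below is constructed, not a real capture.
"""
import ipaddress

# Constructed sample in the layout of `ss -ltn` (not a real capture).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*
LISTEN  0       128     [::1]:25             [::]:*
LISTEN  0       128     *:5900               *:*
LISTEN  0       128     [::]:111             [::]:*
"""

# Ports this machine is supposed to expose (assumed for the example).
INTENDED_PORTS = {22, 80}


def split_addr_port(field):
    """Split 'addr:port', '[v6addr]:port' or '*:port' into (addr, port)."""
    addr, _, port = field.rpartition(":")
    return addr.strip("[]"), int(port)


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; '*' (any address) is never loopback."""
    if addr == "*":
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def audit_listeners(ss_output, intended_ports=INTENDED_PORTS):
    """Return [(addr, port)] for sockets reachable beyond loopback that are
    not on the intended list; an empty list means nothing unexpected."""
    findings = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, port = split_addr_port(parts[3])  # Local Address:Port column
        if is_loopback(addr) or port in intended_ports:
            continue
        findings.append((addr, port))
    return findings


if __name__ == "__main__":
    for addr, port in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"unexpected listener: {addr}:{port}")
```

On a live box the same function can be fed the real `ss -ltn` output (and `ss -lun` for UDP, whose rows say `UNCONN` rather than `LISTEN`, so the state filter would need adjusting). Anything it reports is either a service to turn off, one to rebind to 127.0.0.1/::1, or one to add to the intended list on purpose.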

> "This person does not do online banking, does not have a webcam or mic installed device such as a laptop, and does not have an email account."

I don't know a ton about networking (probably not too much in fact) but doesn't HTTPS fix most of this? And if your laptop grants access to its mic/webcam to any packet that manages to make it past your router, I think you have a bigger problem.

Most devices trust their router a lot. HTTPS on its own doesn't protect you from a malicious router. Strict Transport Security and Certificate Pinning are also necessary for HTTPS to protect you against an evil router, and even then it does nothing about all the unsecured and weakly secured traffic and devices on your LAN and all the opportunities that come from being able to lie about DNS records. If you can't trust your router, you really just have to initiate a secure VPN connection to a network that isn't out to get you.

> If you can't trust your router, you really just have to initiate a secure VPN connection to a network that isn't out to get you.

:(. that's really frustrating. So you really need to vpn to a secure network anytime you use free Wi-Fi?

Yeah. With the right security software on your device and the right options on the server you could theoretically initiate a properly secured connection with some web sites, requiring DNSSEC, STS, etc., but for general purpose use you need the VPN.
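The two comments above say HTTPS alone does not stop a hostile router and that Strict Transport Security is part of what closes the gap. The following is an added example, not code from the thread: it models the piece of HSTS (RFC 6797) that matters here, namely that once a host has delivered a valid policy over HTTPS, the user agent rewrites plain-http requests to that host (and, with `includeSubDomains`, to its subdomains) to https before anything leaves the machine, so there is no cleartext request for the network to tamper with. Header values, hosts and URLs are constructed.

```python
"""Strict-Transport-Security policy evaluator.

Added example, not code from the thread. parse_hsts() follows the
directive rules of RFC 6797; enforce() applies a stored policy to a URL
the way a user agent does. All header values and hosts are constructed.
"""
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header_value):
    """Parse an STS header value into a policy dict, or None if the header
    is absent or malformed (a UA ignores malformed headers entirely)."""
    if header_value is None:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:  # RFC 6797: each directive may appear only once
            return None
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # unknown directives are ignored, as the RFC requires
    if policy["max_age"] is None:  # max-age is mandatory
        return None
    return policy


def policy_applies(policy_host, policy, request_host):
    """Does a policy stored for policy_host cover request_host?"""
    if policy is None or policy["max_age"] == 0:  # max-age=0 removes the policy
        return False
    if request_host == policy_host:
        return True
    return policy["include_subdomains"] and request_host.endswith("." + policy_host)


def enforce(policy_host, policy, url):
    """Return the URL the UA would actually fetch: http is rewritten to https
    for covered hosts (an explicit :80 becomes the implicit 443, any other
    explicit port is kept); everything else is returned unchanged."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not policy_applies(policy_host, policy, parts.hostname):
        return url
    netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    pol = parse_hsts("max-age=31536000; includeSubDomains")
    print(enforce("example.com", pol, "http://www.example.com/login"))
```

The weak spot the model makes visible is the first visit: until a policy has been stored (or the host is on the browser's preload list, which is what the `preload` directive is for), the very first request can still go out as plain http, which is why the comment says a VPN to a trusted network is the only general fix.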

Email and banking have two factor authentication and run over SSL so it would have to be a very determined hacker to get to my money.

It's not perfect, but I'm pretty comfortable with the risk balance. Things like all these Android apps containing god knows what make me way more jittery (see Google's recent cleanup).

I'm guessing that Apple's are better than average, since they have two versions (the built in HD on a time capsule doesn't make it appreciably different) and maintain them for long periods between upgrades.

Asus/Netgear/D-Link/etc follow the "If we don't release an 802.11ac router every week, we won't get enough press releases out!" model, and their firmware suffers as a result.

I'm not touching those unless I can wipe the stock firmware and replace it with Tomato or DD-WRT.

Apple's routers are based on VxWorks. So if you trust VxWorks' networking, then you can trust Apple's routers.

Personally I trust VxWorks over some patchwork router of the week by the usual vendors. It's used in many safety critical/medical applications, including the mars rovers.

The downside being that VxWorks has very low resource requirements, so some vendors use them to cut resources. Hence, you'd better be happy with the factory provided configuration because you can't flash them.

I recently bought an Asus AC-1900 router (the RT-AC68W) after a long search, specifically for its supporting DD-WRT.

Some OpenWRT routers like the TL 1043ND I have suffer from VLAN leakage. Basically the router separates WAN from LAN via a VLAN config as the CPU has only one LAN port. At the router's bootup, devices on my LAN would randomly get a public IP address assigned by the DHCP server on the modem. Scared the crap out of me. From now on the thing is an access point, not a router.
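The failure mode in the comment above (LAN hosts handed a public address by the modem's DHCP server during boot) is easy to detect from the lease table once you know what the LAN range is supposed to be. The following is an added example, not code from the thread or from OpenWRT: it reads lease lines in the dnsmasq layout (expiry, MAC, IP, hostname, client-id), keeps everything inside the expected LAN subnet, and reports the rest, marking as public any address outside the well-known non-routable ranges. The LAN subnet (`192.168.1.0/24`) and the lease lines are constructed; the 203.0.113.0/24 documentation block stands in for whatever the ISP would hand out.

```python
"""Flag DHCP leases whose address is not from the expected LAN range.

Added example; not code from the thread. Reads a dnsmasq-style lease
table and reports every lease outside the assumed LAN subnet, marking
addresses outside the well-known non-routable ranges as public.
"""
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN subnet

# Ranges that are never public: RFC 1918, link-local, loopback. Listed
# explicitly rather than relying on ipaddress.is_private, which also
# treats the documentation blocks used in the sample as private.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]

# Constructed lease table (dnsmasq layout: expiry, MAC, IP, hostname, client-id).
# 203.0.113.0/24 is a documentation block standing in for an ISP address.
SAMPLE_LEASES = """\
1425000000 aa:bb:cc:dd:ee:01 192.168.1.23 laptop 01:aa:bb:cc:dd:ee:01
1425000010 aa:bb:cc:dd:ee:02 203.0.113.45 printer 01:aa:bb:cc:dd:ee:02
1425000020 aa:bb:cc:dd:ee:03 192.168.1.40 phone *
1425000030 aa:bb:cc:dd:ee:04 169.254.7.9 camera *
"""


def parse_leases(text):
    """Yield (mac, ip_address, hostname) per lease line; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        try:
            yield parts[1], ipaddress.ip_address(parts[2]), parts[3]
        except ValueError:  # not an IP address in the third column
            continue


def classify(ip):
    """'lan' inside the expected subnet, 'non-routable' for other private or
    link-local ranges, 'public' for anything else (the leakage case)."""
    if ip in LAN:
        return "lan"
    if any(ip in net for net in NON_ROUTABLE):
        return "non-routable"
    return "public"


def check_leases(text):
    """Return [(mac, ip, hostname, verdict)] for every lease outside the LAN."""
    findings = []
    for mac, ip, host in parse_leases(text):
        verdict = classify(ip)
        if verdict != "lan":
            findings.append((mac, str(ip), host, verdict))
    return findings


if __name__ == "__main__":
    for mac, ip, host, verdict in check_leases(SAMPLE_LEASES):
        print(f"{host} ({mac}) has {ip}: {verdict}")
```

A "public" verdict on a LAN host is the symptom described above; a "non-routable" one (here the link-local 169.254.x.x camera) usually just means the client never got a lease at all. Running the check from the router itself only catches leases the router issued, so for the modem-DHCP case the client side (each host's own address) is the more reliable place to look.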

You can buy routers which come stock from the factory with DD-WRT installed. I just bought one from Buffalo. Zero fuss and works great.

I would trust Apple's even more if the firmware releases were as regular as iOS updates. And the same goes for AirPort Utility releases, especially on Windows.

I have to run the configuration tool in a Windows VM because on 10.10 they removed the frameworks it uses to run. I wish they weren't so complacent as to turn my hardware into bricks.

Maybe you just need to reinstall it? I just took a peek at it on my new laptop (which has never had anything but Yosemite installed on it) and it worked fine.

AirPort Utility 5.6.1 was the last version that supported some of the older AirPorts. Unfortunately AirPort Utility 5.6.1 doesn't work (officially) on anything newer than Snow Leopard, but there are some modified versions floating around that work on 10.9.