Best router for security

Topic

New Reply

I have a Linksys WRT 3200 ACM. I know it does a lot but I’m not very technical, so I can’t take advantage of all it offers. It’s just me and my husband, a lapto,  couple iPads, iPhones and a TV.  My biggest concern is security; I’ve read things routers & I know not all are secure.  But it’s hard for me to figure out what’s best.   I WPA2 set.  Is this a good router?  I would like opinions on what others are using and what you feel might be the best for a secure network. Thanks!

Reply | Quote

Replies

Here is a review of your router:

https://www.gadgetreview.com/linksys-wrt3200acm-mu-mimo-wireless-router-review

They give it five stars. However, they didn’t say anything about the security of the router.

If you use WPA2 and a good password, you should be fine. I don’t see any security concerns with your router.

The one concern I have about your setup is that you are connecting your TV to your home network. TVs (and other IoT devices) are not known for their good security. If you have a spare computer, you can connect the TV to the computer as a monitor, and surf the web through the computer rather than the TV. (That’s how we do it at my house.) In my opinion, you can make a computer more secure than a smart TV, and that’s why we do it that way.

The only devices we connect to the internet at my house are computers, phones, and tablets. (We also have two Ring cameras.) I would never connect a refrigerator, a light switch, a thermostat, a coffee maker, or any other household device, and it is because of security concerns.

Group "L" (Linux Mint)
with Windows 10 running in a remote session on my file server

1 user thanked author for this post.

dmt_3904

Reply | Quote

Thank you. I don’t have a spare computer.  I have a networks and put the tv on one, devices on the other.  I thought that would offer some security.

Reply | Quote

dmt_3904 wrote:
put the tv on one, devices on the other. I thought that would offer some security.

Yes, smart choice to run a 2nd network for less-trusted/less-secure devices.

And looks like you’re ok now, but be sure to keep your router firmware up to date. Periodically visit your router manf’s website ( https://www.linksys.com/us/support/ ) & search for your router model ( Linksys WRT 3200 ACM ) to check for updated firmware to be downloaded & installed.

Also, for a comprehensive intro to router security, suggest you visit…
https://routersecurity.org/

Hope this helps.

Reply | Quote

Put the tv on a guest network if using wifi

🍻

Just because you don't know where you are going doesn't mean any road will get you there.

Reply | Quote

I always disable UPnP and remote management unless I have a specific reason to use it. I like the idea of the TV on the guest network (with a password) but make sure the guest network is isolated.

Reply | Quote

Thank you everyone for your replies!  What is UPnP and why would I need it?  I think remote mgmt is disabled, but will check.  Funny thing with Linksys – the guest network IS NOT SECURE!!  It’s like hotels – you login unsecured and then put in the password. It’s not good.  I have 2 channels – 2.5 GHz & 5GHz, so I created -two different passwords.  The TV is alone on the 2.5GHz channel.

The firmware is set to updated automatically,but I recently checked & it says no updates available.

Reply | Quote

[dmt_3904]

UPnP is not enabled. I do not see any option for remote management. I had a website to check which ports are open – but I don’t remember what it was  – anyone have a good way to check/verify open ports on the network?

• This reply was modified 4 years, 11 months ago by dmt_3904.

Reply | Quote

Gibson’s ShieldsUp.

1 user thanked author for this post.

dmt_3904

Reply | Quote

I checked my router on ‘Shields Up’.  File sharing test is good & all but one port (113) is in Stealth.   GRC website explains that port is closed on NAT routers to avoid not allowing a legitimate connection.  It also says this:

The latest firmware update for the Linksys family of NAT routers has added an adaptive IDENT stealthing feature (though it is not enabled by default). So the Linksys routers will give you the best of both worlds.

I have a Linksys and checked that my router has the feature selected and it does.  Linksys website says:  Filter IDENT (Port 113) is an Internet Filter that keeps port 113 from being scanned by devices outside of your local network. This feature is selected by default.

I did not see where I could ask this question on GRC website – so I am asking here (so many smart people : )  Why did that port show up as ‘closed’  on ‘Shields Up’ report if it is prevented from being scanned by devices outside my local network?

Other than this – I’m comfortable that my router is secure for now, thank you all for your input.  I know WPA3 is out there, but I haven’t checked that out yet (I don’t know if my devices will support it) and I will probably replace my router at some point.

Reply | Quote

dmt_3904 wrote:
Why did that port show up as ‘closed’ on ‘Shields Up’ report if it is prevented from being scanned by devices outside my local network?

https://www.grc.com/faq-shieldsup.htm#IDENT

Hope this helps.

Reply | Quote

Thank you that does help explain – but I think I have to call Linksys.  The router is set to filter on port 113 – so I thought it should respond as ‘stealth’ to the query from Shields up.

Reply | Quote

It doesn’t matter if port 113 is closed rather than stealthed, other then identifying a machine on that IP address.

If you have the latest firmware, remote admin is off, you have a strong router password and all other ports are “stealth” then you are as safe as you can be on the internet.

cheers, Paul

Reply | Quote

[dmt_3904]

Thank you.  I get a little anxious because I don’t totally understand it all and I had read this on ‘Shields up’ about the port being closed:

This lets the sending system know that its open request was received so that it doesn’t need to keep retrying. But, of course, this “affirmative denial” also lets the sending system know that a system actually exists on the receiving end . . . which is what we want to avoid in the case of malicious hackers attempting to probe our systems.

And I found one more port I was concerned about – when I do a scan on All Services Ports,  BGP Port 179 is open.  I know it’s Border Gateway Protocol but I don’t know if it’s supposed to be open.  I was doing some searching online, but could not find anything helpful.  I’ll keep looking, I don’t know why the router has that open or if it should be or how to correct it, if not.

I’ll also accept and appreciate any advice given here! : )

• This reply was modified 4 years, 11 months ago by dmt_3904.

Reply | Quote

When you said

The firmware is set to updated automatically,but I recently checked & it says no updates available.

back in post number 2265152, were you talking about the router’s firmware or the TV’s?

The reason I ask is because I just checked the Linksys website, and the latest version of your router’s firmware was released back in February of this year. The version number is 1.0.8.199531. The release notes for that firmware version mention that it fixes a buffer overflow security hole. In fact, the last firmware release before the latest one also fixed a security vulnerability, according to the release notes. Most all of the firmware releases have also fixed various minor bugs, simply listed as “General bug fixes” in the release notes of the firmware. So, you may wish to see just which version of the firmware your router is currently using. It could be that the issue with port 179 being open is fixed by one of the firmware releases in the last several months.

Also, with router manufacturers releasing fixes for security vulnerabilities in their routers, it’s also a VERY good idea to check for new router firmware every couple of months.

If you purchased your router in the last few months (since the middle of February), that doesn’t automatically mean that it will have the very latest version of the firmware. Routers can sometimes sit for months on end (in distributors’ or retailers’ warehouses) until they’re sold to a consumer.

By the way, I did some reading up on the Border Gateway Protocol, and I don’t think that any home user needs that port open. It’s mostly used between ISP’s and others who route traffic on the Internet itself.

I also have a Linksys router, albeit an older model, the WRT54G from several years ago. Firmware updates haven’t been available from Linksys for quite some time. However, I just ran Steve Gibson’s Shields up on it right before posting this, and the “all ports scan” returned a completely stealthed result, all ports stealthed and showing green. Therefore, I believe your router showing port 179 as being open is indeed an error within the router that needs to be fixed somehow. However, like you, my router’s Linksys-provided firmware lacks the ability for me to stealth port 179 to the best of my knowledge, if it weren’t already stealthed.

Reply | Quote

I was talking about the router. It says it’s up to date. Thanks

Reply | Quote

All ports at Shields Up! should be Stealth. That’s your secure starting point. Some people may have special needs for assorted software, but anything other than Stealth would worry me.

Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

Reply | Quote

Strictly speaking no ports should be open, so I don’t know why your have 179 open. Check the Linksys forum for any ideas.

Maybe a factory reset is worth trying?

cheers, Paul

Reply | Quote

Agreed; no ports should be open. One thing to try is to reboot the router. Can’t hurt. Also, just because port 179 is officially assigned to BGP there is nothing that limits it to only being used by BGP. Some malware could be using it.

Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

Reply | Quote

dmt_3904:
And I found one more port I was concerned about – when I do a scan on All Services Ports, BGP Port 179 is open.

Yeah, that’s weirdunexpected. BGP is an Internet routing protocol that I’d totally expect your ISP to be using but, no, wouldn’t expect on your lan.

So just for giggles, I ran ShieldsUp scan on up-to-date Win7 box, behind securely-configured Linksys router (different model than yours) connected directly to ISP’s cable modem (i.e., no ISP router) and acting as dhcp server for lan… result: port 179 was NOT open.

Obviously don’t know details of your network configuration, but agree with Paul T that factory reset may be worth considering, along with concurrent reboot of ISP CPE, followed by router reconfiguration & reconnection iaw guidance provided by Michael Horowitz on his previously-referenced website:
https://routersecurity.org/newrouter.php
https://routersecurity.org/index.php#StartHere

Hope this helps.

Reply | Quote

Sorry to say, your faith in Shields Up! is mis-placed. Any router has 65,000 some odd TCP ports and the common ports test only tests about a dozen. The All Ports test only tests the first thousand. Gibson means well and his test is easiest to understand, heck, he invented the term Stealth for a port and I am grateful for that. But he has not updated his list of common ports in about 12 years or so, so it misses many commonly abused ports. The service is frozen in time.

And, any test like this has yet another potential problem, router self-defense. Many routers have an anti-DoS feature. If this gets triggered, it will report everything as closed/stealth, even ports that are open.

 

Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

3 users thanked author for this post.

Perq, scoobydoo, wavy

Reply | Quote

Michael432 wrote:
Sorry to say, your faith in Shields Up! is mis-placed.

Hello Michael.

Not sure if you intended to reply to me, or perhaps OP dmt_3904? In my above post I neither recommended nor expressed faith in ShieldsUp. After OP dmt_3904 mentioned that a ShieldsUp scan showed “BGP Port 179 is open”, I simply ran the same scan from a box behind a (different) linksys router, because I thought perhaps OP might find such a data point useful/informative (i.e., “No, port 179 should NOT be open.”)

Instead, what I actually did recommend to OP is your routersecurity.org website, which I explicitly mentioned both in my above post #2265303, as well as in an earlier post #2265110 (along with a specific recommendation to “be sure to keep your router firmware up to date”).

Hope this clarification helps. Thanks much for your websites, and thanks for contributing your expertise to this thread!

Reply | Quote

“your faith” was a poor choice of words. I meant the comment broadly, and not to apply to one particular person.

Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

Reply | Quote

Thank you everyone for your suggestions and for your help.  I surely hope it’s not malware!!  I am pretty careful, I am running Malwarebytes premium and I have windows defender.  They have never reported any malware or infections.  I also have some other security software. And web browser protections, and ad blockers etc. I will try your suggestions and report back here on my results.

I was also planning to search for a new wpa3 router  – I read that they are backwards compatible for devices that don’t run wpa3, but I’d get the upgraded security of the router.

Reply | Quote

FYI about router firmware.

If a router says there is no available update, this means very little.

For one thing, the router could be wrong, so it can’t hurt to manually check at the website of the company that made the router. More importantly, it does not mean that the currently installed firmware is up to date. The words are chosen very specifically to imply something they do not mean. A router that has not had a firmware update in 13 years, will still report that there are no updates available. The important point is whether the firmware is still being maintained with updates/fixes. And, that can be hard to determine. As a rule of thumb, if the last update was over 2 years ago, then most likely there will be no more updates, ever. The life span of the router software/firmware is an important issue in picking a router, but no review ever mentions it.

 

Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

1 user thanked author for this post.

scoobydoo

Reply | Quote

So I did a factory reset on my Linksys.  I could not change all parameters to the one suggested on routersecurity.org but UPnP is off. Port 179 is still open.  I checked everything.  I ran the tests on the router security test page.  Virus total says my router IP address has Spamhaus!  I know it’s malware but I don’t know what it means since I reset the router.  How could the router be infected right after factory reset?? But, it was there before the reset nothing has changed, port still open.  My laptop does not show any infections when I run windows defender and MBAM scans.  I have not connected it, I am on my iPad.  So it’s certainly weird and unsettling.

I plan to take the advice offered by Michael Horowitz and get a Pepwave router.  Maybe call my isp and Linksys.  Any advice would be welcome.

Reply | Quote

I have no guess/theory for why port 179 is open. If you (or someone you know) is familiar with nmap, it may be able to provide some information on the software that is listening on the port. You can learn your public IP address at many sites, such as ipchicken.com. Then run

nmap -p 179 -sV 1.2.3.4

where 1.2.3.4 is your public IP address. This is best done from outside of your home.

Yes, definitely check with both your ISP and Linksys. Good luck.

Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

Reply | Quote

So you’re saying get the ip & run that from the windows command prompt while  connected from outside my home ?

Reply | Quote

So I did a factory reset on my Linksys.  I could not change all parameters to the one suggested on routersecurity.org but UPnP is off. Port 179 is still open.  I checked everything.  I ran the tests on the router security test page.  Virus total says my router IP address has Spamhaus!  I know it’s malware but I don’t know what it means since I reset the router.  How could the router be infected right after factory reset?? But, it was there before the reset nothing has changed, port still open.  My laptop does not show any infections when I run windows defender and MBAM scans.  I have not connected it, I am on my iPad.  So it’s certainly weird and unsettling.

I plan to take the advice offered by Michael Horowitz and get a Pepwave router.  Maybe call my isp and Linksys.  Any advice would be welcome.

Reply | Quote

Your IP address being listed in spamhaus doesn’t mean you have malware. The ip address was previously used to send spam most likely.

Reply | Quote

Agreed. The spam may have come from another customer of the ISP who previously was assigned the same public IP address -or- it may be that spammers are routing their emails through the router after having hacked it. They do this while the router/publicIP has a good reputation and when it goes bad, they move on to another hacked router.

Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

Reply | Quote

Ok thanks for feedback.  I feel a little better about the malware notice.  I don’t think the router is infected, it’s been reset. Still gotta work on open port and I think I will get a new router.  I wanted one that will support wpa3 anyway.

Reply | Quote

dmt_3904 wrote:

Ok thanks for feedback.  I feel a little better about the malware notice.  I don’t think the router is infected, it’s been reset. Still gotta work on open port and I think I will get a new router.  I wanted one that will support wpa3 anyway.

If your are buying a new router buy one with wi-fi 6 support.

Reply | Quote

Wi-Fi 6! I haven’t ever seen anything about that. What is it?  Do you know the names of some manufacturers who support it?  I really want a router that is secure – I have been concerned about it for a while since there are so many security flaws and bugs with home routers and the manufacturers don’t seem to care. I recently read more about it on routersecurity.org, not realizing it was that bad!   I want a router that I can configure appropriately for security, a good firewall, allows me to set up a secure guest network (my linksys does not), one that doesn’t phone home, one that doesn’t make me sign up for an account, that has adequate firmware updates and won’t be abandoned soon after purchase.  Oh yeah, also easy for the average consumer to configure ; )

Reply | Quote

dmt_3904 wrote:

Wi-Fi 6! I haven’t ever seen anything about that. What is it?  Do you know the names of some manufacturers who support it?

https://www.techradar.com/news/wi-fi-6-routers-the-best-wi-fi-6-routers-you-can-buy-in-2019

1 user thanked author for this post.

dmt_3904

Reply | Quote

$699.99
View at Best Buy
$999.99

WOW I will hold out for WIFI 7 or 8 …

🍻

Just because you don't know where you are going doesn't mean any road will get you there.

Reply | Quote

I don’t think WiFi 6 (or WPA3) is a big deal. For the most part, WiFi 6 is better at dealing with hundreds of concurrent devices on one router. As for security, the improvements I have read about are quite minor.

It adds encryption to open networks (no password needed), but hardly anyone uses an open network. It also adds a defense against brute force guessing of the password, but a long enough password (13 characters or more) was already safe from brute force guesses. And, any new protocol is likely to have hidden problems that won’t be revealed for a while. This has already happened with WPA3.

Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

1 user thanked author for this post.

scoobydoo

Reply | Quote

wavy wrote:

$699.99
View at Best Buy
$999.99

WOW I will hold out for WIFI 7 or 8 …

If you have a modern smartphone it probably support wi-fi 6

Huawei P40 Pro
iPhone 11, 11 Pro and 11 Pro Max
iPhone SE
LG V60 ThinQ
Motorola Edge Plus
OnePlus 8 and 8 Pro
Samsung Galaxy S10 and S10E
Samsung Galaxy Note 10
Samsung Galaxy S20
Samsung Galaxy Fold

Reply | Quote