You surely have a lock on your front door. Do you have such a lock on your network? You may think so, but it may well be wholly unlocked. Or at least, you may have no way to know for certain that it's locked. If you use a commercial Wi-Fi router from your ISP, or one from big names like Linksys, Belkin, D-Link et al., your network may not be as secure as you think.
At the outset let me state that, as someone who reads hereabouts, you're no dummy. You've changed the router's default admin password. You're using modern encryption on your Wi-Fi. You're being responsible, but there are things beyond your control.
The simple fact is that the firmware that runs most retail, commercial routers is closed source. As such, you have no ready way to verify its behavior. Yet the manufacturer, by necessity, assembles that firmware from various common software modules. They may even use some open source modules, but what ships is a closed-source binary in the end.
The upshot is that a very small team of developers is responsible for maintaining the code. That means updates come along slowly, if at all for older devices. By extension, serious security issues get addressed slowly, if they ever get addressed at all.
For the past few weeks I've been thinking about the Comcast-issued CPE that lives in my office. It's a modem/router combination from SMC. We've had the service a long while. All the while we've been renting the device for $12.95 a month.
I can’t recall exactly when we transitioned from consumer to business class service. If I assume that it was five years ago, then we’ve paid over $750 in device rental! This for a device that can be purchased outright for under $200.
I've used m0n0wall for at least a decade. For several years I've intended to migrate to pfSense, a project that was initially forked from m0n0wall. m0n0wall's NAT implementation is just so very SIP-friendly that making the change always felt like a lot of effort. I suppose now there's an additional reason to follow through on that plan.
Manuel didn't elaborate on his reasons, but I certainly understand the possibilities. Twelve years is a long time to do anything, most especially anything that involves leading a community project.
m0n0wall has been a treat to use. It's positively inspirational in its combination of carefully defined functionality and simplicity. Manuel was masterful in his ability to sustain the project's focus, avoiding the mistake of trying to be all things to all people.
Yesterday Ars Technica ran an article once again detailing how millions of consumer and SMB routers are vulnerable to exploitation. This exploit, dubbed Misfortune Cookie, leaves the network open to those who would penetrate your systems and steal your personal information. The vulnerability is many years old, and the fix almost a decade old. Even so, it seems that there are still devices being offered that include the vulnerable code.
Announcements like this make me glad that we rely on well-proven, open source software for our network edge. We've long used m0n0wall and pfSense around here. Software like this, running on a small single-board computer, is a compelling solution. Sure, it costs more than a bargain router from Fry's. The peace of mind is worth the extra $100.
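Misfortune Cookie lives in the RomPager embedded web server, and AllegroSoft published the fix in RomPager 4.34 back in 2005; affected devices commonly still advertise older builds in their HTTP Server header. The following is an added example (my own code, not from the Ars article or from Check Point) that parses that banner and flags versions older than the fixed release. The sample banners are constructed for illustration, and the `check_router` helper assumes the device exposes an HTTP interface on the given port. Treat the result as a hint, not a verdict: vendors sometimes backport fixes without bumping the version, strip the banner entirely, or leave the port closed from the LAN side.

```python
import http.client
import re
from typing import Dict, Optional, Tuple

# Constructed sample Server headers, in the shape a consumer gateway's web
# interface typically returns them. These are illustrative, not captured
# from any real device.
SAMPLE_BANNERS = [
    "RomPager/4.07 UPnP/1.0",
    "RomPager/4.34",
    "RomPager/4.51 UPnP/1.0",
    "lighttpd/1.4.35",
    "",
]

# AllegroSoft shipped the Misfortune Cookie fix in RomPager 4.34 (2005).
FIXED_VERSION: Tuple[int, int] = (4, 34)

_ROMPAGER_RE = re.compile(r"RomPager/(\d+)\.(\d+)", re.IGNORECASE)


def rompager_version(server_header: str) -> Optional[Tuple[int, int]]:
    """Extract (major, minor) from a RomPager banner, or None if it isn't RomPager."""
    m = _ROMPAGER_RE.search(server_header or "")
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_possibly_vulnerable(server_header: str) -> Optional[bool]:
    """Classify a Server header.

    True  -> RomPager older than the fixed 4.34 release (worth investigating)
    False -> RomPager 4.34 or newer
    None  -> not RomPager, or no banner at all (nothing can be concluded)
    """
    version = rompager_version(server_header)
    if version is None:
        return None
    return version < FIXED_VERSION


def classify_banners(banners) -> Dict[str, Optional[bool]]:
    """Run the check across a list of banners; handy for a scan's output."""
    return {b: is_possibly_vulnerable(b) for b in banners}


def check_router(host: str, port: int = 80, timeout: float = 3.0) -> Optional[bool]:
    """Fetch the Server header from a live device and classify it.

    Assumes the device's admin interface answers plain HTTP on `port`.
    Many gateways only expose it on the LAN side, so run this from inside.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        return is_possibly_vulnerable(resp.getheader("Server", ""))
    finally:
        conn.close()


if __name__ == "__main__":
    for banner, verdict in classify_banners(SAMPLE_BANNERS).items():
        print(f"{banner!r:32} -> {verdict}")
```

Run it against your own gateway with `check_router("192.168.1.1")` (or whatever your LAN-side address is). A `None` result is not a clean bill of health; it only means the banner gave nothing to go on, which is exactly the closed-firmware problem this post is about.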
A recent little project of mine has used some Buffalo routers, but in that case we use the models that run DD-WRT, the open source firmware for small consumer router hardware.
There are so many great open source solutions available. I see no reason to risk the cheesy consumer routers.
The article describes how he published the script used to run the exploit. That allowed others to try it against various makes and models of consumer hardware. It thus came to light that the same trick works against various products from Linksys and Netgear, amongst others.
One project that I'm about to start is moving from my m0n0wall router to a new one built around pfSense. The motivation for the project is the integration of our Comcast Business Class internet service into the rest of the household. At present there are two separate networks, with only a few devices enjoying the high-speed cable service. The pfSense system will be configured for dual WAN, using both the cable service and the Covad DSL circuit.
My existing m0n0wall runs on an old Soekris net4801. In service for many years, it has been extremely reliable. If m0n0wall does what you need, I have no hesitation in recommending the software. Support from the user community is tremendous as well.