Secure WiFi Router Recommendations?
Seeker of Clarity
r0gue
posted
I have an old Apple Airport router that works awesome! Range and speed are great. Never had a problem. But it's old... I don't think I've seen a patch or update for it in ages.

I think I need a new router to better assure security. I'd also like to encapsulate my IoT devices on a separate VLAN. And I don't want them talking amongst themselves, so no inter-device connectivity within the IoT VLAN.

Any recommendations? I've read the Steve Gibson bit on a three router design (linked below), but I gotta believe that this objective is achievable with features on a single modern WiFi router.

https://www.pcper.com/reviews/...ution-IOT-Insecurity




 
Posts: 11377 | Registered: August 02, 2004
Good enough is neither
good, nor enough
posted
Google Mesh. Best I have ever used by far.



There are 3 kinds of people, those that understand numbers and those that don't.
 
Posts: 2034 | Location: Liberty, MO | Registered: November 28, 2004
Member
posted
Google WiFi
 
Posts: 1188 | Registered: January 04, 2009
Member
posted
If you really want to tinker, just get any router that supports DD-WRT.

https://dd-wrt.com
 
Posts: 1188 | Registered: January 04, 2009
Nullus Anxietas
ensigmatic
posted
quote:
Originally posted by r0gue:
Any recommendations?

If your current router is still working for you, at this point I'd hold off a bit, until WPA-3 becomes readily available. See What Is WPA3, and When Will I Get It On My Wi-Fi?

quote:
Originally posted by r0gue:
I've read the Steve Gibson bit on a three router design (linked below), but I gotta believe that this objective is achievable with features on a single modern WiFi router.

Kinda sorta. If you know what you're about with routers. In truth, though, nothing beats physical separation. At work I always used a "belt and suspenders" border design: Firewall router on the border, then the firewall proper. Crude ASCII "drawing":

Internet <-> router <- DMZ -> firewall <-> LAN

The DMZ is exactly like a military DMZ: A no-man's LAN(d) that has only the inside-facing interface on the border router and the outside-facing interface on the firewall on it.

Approaching Gibson's design philosophy with a single router would take a more advanced router. One not designed for "the masses." And a fair degree of router fu.

I would never use a "WiFi router" in the first place. Routers, network switches and wireless access points should always be separate devices, IMO. (N.B.: I used to do this kind of thing for a living, for whatever that's worth.)

I'm going to achieve something similar to the kind of isolation Gibson's talking about using VLANs.

I'm currently liking Ubiquiti EdgeRouters for routers, NetGear ProSafe for network switches, and EnGenius for access points.



"America is at that awkward stage. It's too late to work within the system,,,, but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
 
Posts: 26009 | Location: S.E. Michigan | Registered: January 06, 2008
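
The single-router isolation asked about at the top of the thread (IoT devices on their own VLAN, kept away from the main LAN), sketched as an nftables ruleset for a Linux-based router. This is an added example, not a configuration posted by anyone in the thread; the interface names and VLAN IDs are assumptions.

```nftables
# Constructed example. Assumed interfaces: eth0 = Internet uplink,
# eth1.10 = trusted LAN (VLAN 10), eth1.20 = IoT (VLAN 20).
define WAN = "eth0"
define LAN = "eth1.10"
define IOT = "eth1.20"

table inet vlan_isolation {
    chain forward {
        # Default-deny: only the flows listed below may cross the router.
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        iifname $LAN oifname $WAN accept    # LAN out to the Internet
        iifname $LAN oifname $IOT accept    # LAN may manage IoT devices
        iifname $IOT oifname $WAN accept    # IoT out to the Internet only

        # IoT may never open a connection into the LAN; log the attempts.
        iifname $IOT oifname $LAN log prefix "iot->lan drop: " drop
    }

    chain input {
        # Traffic addressed to the router itself.
        type filter hook input priority filter; policy drop;

        ct state established,related accept
        iifname "lo" accept
        iifname $LAN accept                      # admin access from LAN only
        iifname $IOT udp dport { 53, 67 } accept # IoT gets DNS and DHCP only
        iifname $IOT tcp dport 53 accept
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN masquerade
    }
}
```

Devices on the same VLAN reach each other at layer 2 without passing through the router, so these rules do not stop IoT-to-IoT traffic. That part needs client isolation on the access point or port isolation on the switch.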
quarter MOA visionary
smschulz
posted
Assuming you already know who Steve Gibson is and are familiar with VLANs, I would assume you know the difference between a router and a Wi-Fi AP?
So like ensigmatic said - if security is truly your issue then wait for WPA3.
Plenty of Enterprise level APs out there that could be added to your existing environment that could provide a plethora of secure configurations.
EnGenius will be shipping a couple of 802.11AX APs including WPA3 in the next couple of months.
I am sure there are others.
YMMV
 
Posts: 22898 | Location: Houston, TX | Registered: June 11, 2006
Free radical
scavenger
rh
posted
quote:
Originally posted by r0gue:
I have an old Apple Airport router that works awesome! Range and speed are great. Never had a problem. But it's old... I don't think I've seen a patch or update for it in ages.


Except for the original Airport Express, Apple issued security updates for their WiFi routers just a year ago, in December 2017: https://support.apple.com/en-us/HT201519 I own them all and can confirm that the updates were issued and successfully installed. With that info, I don't see why you would need to buy a new WiFi router, unless you have an original Airport Express (the model that plugs directly into an outlet).
 
Posts: 1140 | Registered: April 02, 2007
Republican in training
DonDraper
posted
quote:
Originally posted by rh:
quote:
Originally posted by r0gue:
I have an old Apple Airport router that works awesome! Range and speed are great. Never had a problem. But it's old... I don't think I've seen a patch or update for it in ages.


Except for the original Airport Express, Apple issued security updates for their WiFi routers just a year ago, in December 2017: https://support.apple.com/en-us/HT201519 I own them all and can confirm that the updates were issued and successfully installed. With that info, I don't see why you would need to buy a new WiFi router, unless you have an original Airport Express (the model that plugs directly into an outlet).

It's nearly 2019 and the last update your router got was from 2017?


--------------------
I like Sigs and HK's, and maybe Glocks
 
Posts: 2268 | Location: SC | Registered: March 16, 2011
Nullus Anxietas
ensigmatic
posted
quote:
Originally posted by DonDraper:
It's nearly 2019 and the last update your router got was from 2017?

If it ain't broke...?

At work, for the longest time I ran the Livingston IRX 211 Firewall Router that came with our first Internet connection: A 56K DDS circuit from PSINet. Even after we upgraded to a 1.54mb/s T1 circuit. I think I probably ran that router for better than ten years. It got one update in all that time. Likewise, in all that time, it had only one published vulnerability, and that was only a problem if you were so stupid as to expose the router's telnet port to the outside world [* ].

It is possible [**] to create software that isn't a boiling mess of bugs and security vulnerabilities, thus doesn't need updates every week [***]. It is also possible to configure and manage network resources in such a manner that they're naturally less vulnerable to the unknown [****].

[* ] In all that time, neither our border router nor our firewall was ever breached.

[**] Though increasingly unlikely, between the increased complexity of today's systems and the decreasing competence of those who style themselves "software designers."

[***] That often create as many problems as they cure.

[****] FSVO of "less".



Posts: 26009 | Location: S.E. Michigan | Registered: January 06, 2008
quarter MOA visionary
smschulz
posted
quote:
Originally posted by DonDraper:
It's nearly 2019 and the last update your router got was from 2017?


So what?
I didn't know that TCP/IP had changed so much in the last two years?
The only time updates in FW are needed is if there is something wrong with the current one, a security vulnerability fix or a feature update.
If your environment is not changing then the need to update is almost nil.
It's not like a phone or software where the environment is fluid.
 
Posts: 22898 | Location: Houston, TX | Registered: June 11, 2006
Free radical
scavenger
rh
posted
quote:
Originally posted by DonDraper:
It's nearly 2019 and the last update your router got was from 2017?


Yes, the last security updates for Apple's discontinued WIFI routers were released a year ago. Apple doesn't tell, but I'd guess the security updates were related to patching KRACK, a flaw discovered in WPA2. There doesn't seem to be much else to update regarding security in those routers.
 
Posts: 1140 | Registered: April 02, 2007
Republican in training
DonDraper
posted
quote:
Originally posted by smschulz:
quote:
Originally posted by DonDraper:
It's nearly 2019 and the last update your router got was from 2017?


So what?
I didn't know that TCP/IP had changed so much in the last two years?
The only time updates in FW are needed is if there is something wrong with the current one, a security vulnerability fix or a feature update.
If your environment is not changing then the need to update is almost nil.
It's not like a phone or software where the environment is fluid.

"So what" from an IT "pro"?? There are constant security vulnerabilities being discovered on a monthly basis that can be fixed with firmware on routers.


Posts: 2268 | Location: SC | Registered: March 16, 2011
quarter MOA visionary
smschulz
posted
quote:
Originally posted by DonDraper:
"So what" from an IT "pro"?? There are constant security vulnerabilities being discovered on a monthly basis that can be fixed with firmware on routers.


Upgrading FW without a reason is dangerous.
Like ensigmatic said it can cause more problems than it fixes.
Furthermore FW updates are generally just updates to accommodate new or different other devices.
Of course if there is a security bulletin out there then by all means update.
For the most part if everything is running just fine - leave it alone.
I have had customer devices that literally run years without a reboot, update or anything else if no other changes are going on.
Remember these devices are not volatile like computers, software and phones that constantly change.
Periodic review is fine though and is good practice to do so.

PS..."so what" is probably not the best answer but what I was trying to convey was the level of importance to constantly update for those types of devices is not high for the most part.
 
Posts: 22898 | Location: Houston, TX | Registered: June 11, 2006
Nullus Anxietas
ensigmatic
posted
quote:
Originally posted by DonDraper:
"So what" from an IT "pro"??

No, from two IT pros.

quote:
Originally posted by DonDraper:
There are constant security vulnerabilities being discovered on a monthly basis that can be fixed with firmware on routers.

Is that a fact?

The archives for my two IT security mailing lists each go back to 2004. There's not a single reported vulnerability in Ubiquiti EdgeRouter products.

In addition to those mailing lists I regularly watch several other IT resources, even though I'm retired.



Posts: 26009 | Location: S.E. Michigan | Registered: January 06, 2008