Connecting to a router
From: 19/02/2022 18:16:58
To: 19/02/2022 13:21:13
Forum: Internet
Category: Troubleshooting / Miscellaneous
Thread ID: 01683545
Message ID: 01683610
Views: 34
>>I'm sure you're well aware of the security implications, but many are not. For lurkers there's a good overview at https://www.howtogeek.com/205299/how-to-ensure-your-home-router-has-the-latest-security-updates/ .
>
>In the Beef / NetWork Chuck Spirit
>https://www.youtube.com/watch?v=80vIin4xGp8
>ticks the router settings and importance of router updates.
>seems most concepts are correct and first steps taken
>perhaps hardening all routers with DD-WRT or OpenWrt is in order
>(currently relying on different make/models and maker names deleted from net/device name)
>- missing on the IDS IPS
>so perhaps that is another option to take a look at

Agreed, that's a pretty good overview for home users. I'm a bit surprised he didn't touch on these things regarding common residential routers:

1. Disable UPnP
2. Disable WPS
3. Use XKCD-style passwords for Wi-Fi (and all other services which allow them: https://xkcd.com/936/ ). These are secure, easy to type in and relatively easy to remember. Security should be WPA2 or better (as he mentions) and passwords should be at least 20 characters; 24 might be a better minimum these days.

I'm also surprised that he recommends Cisco for the SOHO audience of that video. I think pretty much everyone in the networking trade has a love/hate relationship with them. I personally view them as the IBM of networking, who haven't yet been completely disrupted by more nimble competitors. It used to be "No-one ever got fired for buying IBM", these days the same can be said about Cisco.

To this day pretty much all serious Cisco configuration is via the command line, to which I'm not averse but it's not suitable for SOHO users. ASDM is available for ASAs but it requires Java on a user workstation and is still not the easiest thing for non-professionals to use.

Then there's the IBM-esque practice of charging for literally everything - firmware updates, support, license upgrades, you name it. When added to high up-front acquisition costs, that sticks in the craw of anyone at less than an enterprise level. It's been a while since I last looked but at that time they had some alleged SOHO offerings at somewhat "competitive" up-front prices, but they would still get you in the end for support and license upgrades.

He's right that Ubiquiti Unifi is a great choice for SOHO. If you have all Unifi equipment, it can offer a "single pane of glass" to configure and monitor your entire network. Unifi has excellent access points (that's what first got me using them). I understand their switchgear is pretty good, although I've never configured any.

A while back I set up a few Ubiquiti ER-X routers. Ubiquiti hasn't officially discontinued them but they haven't been available for quite a while. Their price was once under US$60, amazingly powerful for that price point. Hardware offload for NAT and IPsec VPN, plus available remote-access OpenVPN, had them punching way above their weight. Ubiquiti seems to want users to go to UDM rather than their EdgeOS products.

Probably the successor to the ER-X is Mikrotik (I've never set up any). People have similarly raved about their price/performance. They had some particularly bad security issues in their early days but I understand things are under control now, as long as users stay patched: https://arstechnica.com/information-technology/2021/12/300000-mikrotik-routers-are-ticking-security-time-bombs-researchers-say/ . I gather they're good for those who like a bargain and don't mind rolling up their sleeves.

Most business routers I've been putting in lately have been pfSense, specifically on Netgate appliances. Another YouTube channel I like is Lawrence Systems. They discuss Unifi routing products vs competitors at https://www.youtube.com/watch?v=WY-24alrvCw .

pfSense in particular is open-source; you can install the free Community Edition on hardware of your choice. This helps alleviate the out-of-stock condition of some of Netgate's more popular appliances. There's excellent documentation and community support for pfSense. Also good how-tos on Lawrence Systems/YouTube.

pfSense CE can be installed on "industrial" PCs. Some examples are available on Amazon if you search for [pfsense mini pc]. Note that current versions of pfSense require hardware AES-NI or better on the CPU.

I haven't looked at DD-WRT et al. in a long time. They were historically aimed at consumer routers. I've seen too many of those fail over the years, or worse, get flaky. If someone has zero budget but wants to improve a consumer router they already have, then DD-WRT etc. might be an OK choice. If they have that DIY mindset and also have some budget, I'd be inclined to use pfSense on a mini PC.

A couple of years back I set up a SonicWall firewall (TZ500W). While it's worked OK, overall I've been less than impressed:

- Cisco-style pricing and support policies
- We bought it for advanced Deep Packet Inspection (DPI) for HTTPS. The client has fully committed to the M365 cloud. Use of DPI on M365 traffic is specifically not supported: https://docs.microsoft.com/en-us/office365/troubleshoot/miscellaneous/office-365-third-party-network-devices . Microsoft offers a long, frequently updated list of domains that need to be excluded from DPI. This is basically impossible to manage on SonicWall, so we can't use the main feature we bought. Someone else mentioned this at https://www.reddit.com/r/Office365/comments/lwbu7v/exclusion_of_office_365_traffic_from_packet/ .
- Very poor/restricted VPN choices
- Some significant security vulnerabilities over the last couple of years, e.g. https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/ . I've had to manually apply a couple of emergency patches. It's a bit disturbing that supposed "enterprise" vendors like SonicWall have had these kinds of issues, when the likes of pfSense have not.

In my limited experience, if someone needs the "warm fuzzies" of an "enterprise" firewall vendor (and they have the budget), they're probably better off with Cisco than SonicWall.

Re IDS/IPS: I'm on the fence about this. Suricata is available on pfSense and apparently popular; I haven't yet used it. I think my main concern is the effort of getting it set up and configured, and then paying attention to its output. I understand that all IDSs initially generate a lot of false positives, and getting the filtering set up to avoid this is an up-front and ongoing hassle.

It should be pointed out that anything running on the router that processes traffic in real time will impact performance e.g. DPI, IDS/IPS etc. A router that can support gigabit unfiltered traffic might be significantly slower with Suricata running. Packages like Suricata need extra CPU, RAM and storage which may be non-existent or in short supply on common SoC-based appliances. Even mid-range appliances like Netgate 6100/7100 run Intel Atom CPUs. Googling [suricata performance] brings up some links to high-throughput scenarios running on serious hardware.

So far I haven't been setting up IDS/IPS for clients, but that day may come...

Regards. Al

"Violence is the last refuge of the incompetent." -- Isaac Asimov
"Never let your sense of morals prevent you from doing what is right." -- Isaac Asimov

Neither a despot, nor a doormat, be

Every app wants to be a database app when it grows up
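As an added example (not code from the original post, nor from Microsoft, SonicWall or pfSense), here is a small Python script showing what managing that M365 DPI exclusion list actually involves: filtering the published endpoint data down to the required Optimize/Allow entries, deciding whether a given TLS SNI matches a wildcard entry, and diffing two published versions so updates can be reviewed. The feed's JSON shape and the wildcard-matching rule are assumptions, and the sample feed is constructed.

```python
"""Managing a DPI bypass list for Microsoft 365 traffic.

Added example, not code from the original post or from Microsoft. It
assumes the endpoint feed is a JSON array of objects carrying "category",
"required", "urls" and "ips" keys; SAMPLE_FEED below is constructed.
"""
import json

# Constructed sample in the assumed feed shape (not a real excerpt).
SAMPLE_FEED = json.dumps([
    {"id": 1, "category": "Optimize", "required": True,
     "urls": ["outlook.office.com"], "ips": ["13.107.6.152/31"]},
    {"id": 2, "category": "Optimize", "required": True,
     "urls": ["*.sharepoint.com"], "ips": ["13.107.136.0/22"]},
    {"id": 3, "category": "Allow", "required": True,
     "urls": ["login.microsoftonline.com", "*.sharepoint.com"]},  # no "ips"
    {"id": 4, "category": "Default", "required": False,
     "urls": ["*.bing.com"]},  # optional endpoint: may stay under inspection
])

EXCLUDE_CATEGORIES = frozenset({"Optimize", "Allow"})


def exclusion_entries(feed_json, categories=EXCLUDE_CATEGORIES):
    """Return (urls, ips): sorted, de-duplicated entries to bypass DPI.

    Keeps only required endpoints in the chosen categories; endpoints
    lacking a "urls" or "ips" key are tolerated rather than raising.
    """
    urls, ips = set(), set()
    for ep in json.loads(feed_json):
        if ep.get("required") and ep.get("category") in categories:
            urls.update(ep.get("urls", []))
            ips.update(ep.get("ips", []))
    return sorted(urls), sorted(ips)


def host_is_excluded(hostname, urls):
    """True if a TLS SNI / HTTP Host should bypass inspection.

    Assumed wildcard rule: "*.example.com" covers subdomains only, so the
    bare "example.com" is matched only if it is listed explicitly.
    """
    host = hostname.lower().rstrip(".")
    for pattern in (p.lower() for p in urls):
        if pattern.startswith("*."):
            if host.endswith(pattern[1:]):  # ".example.com" suffix match
                return True
        elif host == pattern:
            return True
    return False


def list_changes(old_urls, new_urls):
    """Diff two published versions: (added, removed), for change review."""
    old, new = set(old_urls), set(new_urls)
    return sorted(new - old), sorted(old - new)
```

Feeding a freshly downloaded version through list_changes against the last one you loaded into the firewall is the part that keeps the "frequently updated" list manageable.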