Connecting to a router
Message
From: 21/02/2022 18:37:06
To: 19/02/2022 18:16:58
Forum: Internet
Category: Troubleshooting / Miscellaneous
Thread ID: 01683545
Message ID: 01683616
Views: 34
>Agreed, that's a pretty good overview for home users. I'm a bit surprised he didn't touch on these things regarding common residential routers:
>
>1. Disable UPnP

The problem there is ease of use with media servers... Yes, I take the extra step of loading onto USB and feeding directly, but others might want to watch in different / separate rooms, so a subnet with UPnP might make sense, esp. over WiFi.

>2. Disable WPS

No discussion there - but the ease of "sharing" login info via mobile and scanned QR codes has already made all WiFi suspect for nets able to reach relevant info. A few seconds alone with a connected device is all it takes.

Both probably considered "too basic"...

>3. Use XKCD-style passwords for Wi-Fi (and all other services which allow them: https://xkcd.com/936/ ). These are secure, easy to type in and relatively easy to remember. Security should be WPA2 or better (as he mentions) and passwords at least 20 characters; 24 might be a better minimum these days.

That is one I am sitting on the fence about - without the difficult-to-remember substitutions, a pure dictionary attack permuting only lower-case words will quickly beat special brute force. I use a combination of both, but the "hard to remember" part of the key is below 20 in length - the total length is even larger compared to the XKCD example.
>
>I'm also surprised that he recommends Cisco for the SOHO audience of that video. I think pretty much everyone in the networking trade has a love/hate relationship with them. I personally view them as the IBM of networking, who haven't yet been completely disrupted by more nimble competitors. It used to be "No-one ever got fired for buying IBM", these days the same can be said about Cisco.
>
>To this day pretty much all serious Cisco configuration is via the command line, to which I'm not averse but it's not suitable for SOHO users. ASDM is available for ASAs but it requires Java on a user workstation and is still not the easiest thing for non-professionals to use.
>
>Then there's the IBM-esque practice of charging for literally everything - firmware updates, support, license upgrades, you name it. When added to high up-front acquisition costs, that sticks in the craw of anyone at less than an enterprise level. It's been a while since I last looked but at that time they had some alleged SOHO offerings at somewhat "competitive" up-front prices, but they would still get you in the end for support and license upgrades.

Cisco's brand image was torpedoed by Snowden over here. Granted, I don't remember any big headlines on Cisco, at least in Corona times; a lot more on Huawei and a bit on Juniper. Coupled with pricing, Cisco is mostly eliminated for small companies at the moment.
Also, the network(s) described in https://www.youtube.com/watch?v=wwwAXlE4OtU
are a bit above the needs of an imagined "Chuck's Coffee Shop", IMO.
...
>I haven't looked at DD-WRT et al. in a long time. They were historically aimed at consumer routers. I've seen too many of those fail over the years, or worse, get flaky. If someone has zero budget but wants to improve a consumer router they already have, then DD-WRT etc. might be an OK choice. If they have that DIY mindset and also have some budget, I'd be inclined to use pfSense on a mini PC.

I like his arguments against a single point of failure a lot. Of course, if you have a small team looking after a beefy router, setting up virtual subnets isolating logical parts is great, but you need the equally costly redundancy-layer machines.
If you can set up your subnets just via cheap cascaded routers, redundant machines are cheap throw-aways - but this will become more difficult when local machines need different tasks besides office, email and surfing.

In such a setup OpenWrt / DD-WRT should be much safer than depending on the official router software.

....
>In my limited experience, if someone needs the "warm fuzzies" of an "enterprise" firewall vendor (and they have the budget), they're probably better off with Cisco than SonicWall.

Well above my level of experience...

>Re IDS/IPS: I'm on the fence about this. Suricata is available on pfSense and apparently popular, I haven't yet used it. I think my main concern is the effort of getting it set up and configured, and then paying attention to its output. I understand that all IDSs initially generate a lot of false positives, and getting the filtering set up to avoid this is an up-front and ongoing hassle.
>
>It should be pointed out that anything running on the router that processes traffic in real time will impact performance e.g. DPI, IDS/IPS etc. A router that can support gigabit unfiltered traffic might be significantly slower with Suricata running. Packages like Suricata need extra CPU, RAM and storage which may be non-existent or in short supply on common SoC-based appliances. Even mid-range appliances like Netgate 6100/7100 run Intel Atom CPUs. Googling [suricata performance] brings up some links to high-throughput scenarios running on serious hardware.
>
>So far I haven't been setting up IDS/IPS for clients, but that day may come...

My approach with definitely separate nets is good only for a very small number of users.
Using a throw-away VM for "casual work browsing" and a special VM loading from a non-writable source for banking, I feel almost as safe as in the nineties (bringing DTAUS diskettes to the bank every 2nd or 3rd week).

Pain starts at more than a handful of connected users,
will rise until 2 dozen and then will be a permanent sore...

So for me the logical consequence is building on "backup first and foremost",
then assuming you need to assess how often and how far you have been compromised...
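An added example (my own, not from anyone in this thread) putting numbers on the XKCD-versus-substitutions point above: against an attacker who already knows the word list, a passphrase's strength is log2(D^n) regardless of the words being all lower-case, so the defence is word count, not substitutions. The 7776-word list size, the 1e6 guesses/s offline WPA2 rate and the toy word list are assumptions.

```python
import math
import secrets

# Constructed toy word list for the generator demo; a real diceware list has 7776 words.
TOY_WORDS = ["correct", "horse", "battery", "staple", "orange", "planet", "river", "candle"]
DICEWARE_SIZE = 7776          # assumption: standard 6^5-word diceware list
WPA2_GUESSES_PER_SEC = 1e6    # assumption: rough offline PBKDF2 rate for a GPU rig

def passphrase(n_words, wordlist=TOY_WORDS):
    """Pick n_words uniformly with a CSPRNG, XKCD/diceware style."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))

def passphrase_bits(n_words, dictionary_size=DICEWARE_SIZE):
    """Strength against an attacker who knows the list: log2(D^n).
    The word list already is the search space, so lower-case-only changes nothing."""
    return n_words * math.log2(dictionary_size)

def charset_bits(length, alphabet_size):
    """Strength of a uniformly random string (the character brute-force view)."""
    return length * math.log2(alphabet_size)

def expected_crack_years(bits, guesses_per_sec=WPA2_GUESSES_PER_SEC):
    """Expected time to hit the secret: half the key space on average."""
    return 2 ** (bits - 1) / guesses_per_sec / (365.25 * 24 * 3600)

def words_needed(target_bits, dictionary_size=DICEWARE_SIZE):
    """Smallest word count whose dictionary entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(dictionary_size))

def comparison():
    """Policies mentioned in the thread as (label, bits, expected years)."""
    rows = [
        ("4 diceware words (XKCD)", passphrase_bits(4)),
        ("6 diceware words", passphrase_bits(6)),
        ("20 random printable chars", charset_bits(20, 94)),
        ("24 random lower-case chars", charset_bits(24, 26)),
    ]
    return [(label, round(bits, 1), expected_crack_years(bits)) for label, bits in rows]

if __name__ == "__main__":
    print("sample:", passphrase(5))
    for label, bits, years in comparison():
        print(f"{label:28s} {bits:6.1f} bits  ~{years:.3g} years at 1e6 guesses/s")
```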
