科技回声 (Tech Echo)

A technology news platform built on Next.js, providing global tech news and discussion content.

© 2025 科技回声. All rights reserved.

Routers cyber security best practices

55 points by jslakro, 12 months ago

7 comments

zokier, 12 months ago

> Set up a guest network to enable internet connection for your guests and for your IoT devices.

I would definitely recommend separating guest and IoT networks; IoT is usually pretty weak (the S in IoT stands for security), so they need as much protection as possible; putting them on the guest network is throwing them to the wolves.

> Enable port filtering. For example, the SANS Institute recommends blocking outbound traffic

Tbh egress filtering is generally not very useful, except for some special-case networks (like the aforementioned IoT network). Blocking IRC seems just silly.

> Use Media Access Control (MAC) filtering to choose which trusted devices connect to your network.

Afaik MAC filtering is pretty much useless; MACs are easily snooped and spoofed. WPA should be sufficient access control; go for EAP ("Enterprise") if you need better than PSK ("Personal") security.

> Disable remote access management

Realistically, not going to happen. Better advice would be to have a separate management network, with tighter access controls.

Reply #40553631 (not loaded)
Reply #40553791 (not loaded)
Reply #40553289 (not loaded)
Reply #40553816 (not loaded)
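The segmentation advice in the comment above (guest and IoT on separate segments, egress filtering only where it pays off, the router's management plane reachable only from a dedicated management network), written out as a zone policy and rendered as an nftables ruleset. This is an added example, not code from the thread or from any router project; the zone names, interface names, address ranges and the IoT port allow-list are constructed assumptions, and the rendered ruleset is text to review, not something the script applies.

```python
"""Zone-based home-router policy, rendered as an nftables ruleset.

Added example (not from the thread). Interface names, addresses and the
allowed-flow matrix below are constructed assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    iface: str   # router interface attached to this segment (assumed name)
    cidr: str


ZONES = {
    "wan":   Zone("wan",   "eth0",     "0.0.0.0/0"),
    "lan":   Zone("lan",   "br-lan",   "192.168.1.0/24"),
    "guest": Zone("guest", "br-guest", "192.168.2.0/24"),
    "iot":   Zone("iot",   "br-iot",   "192.168.3.0/24"),
    "mgmt":  Zone("mgmt",  "br-mgmt",  "192.168.9.0/24"),
}

# Allowed inter-zone flows (src zone, dst zone); anything not listed is dropped.
# Guest and IoT never talk to each other or to the LAN.
ALLOWED_FLOWS = {
    ("lan", "wan"), ("guest", "wan"), ("iot", "wan"), ("mgmt", "wan"),
    ("lan", "iot"),                       # LAN may reach IoT devices, not the reverse
    ("mgmt", "lan"), ("mgmt", "iot"), ("mgmt", "guest"),
}

# Egress filtering only for the IoT segment: the only destination ports IoT
# devices may open towards the internet (constructed policy: DNS, NTP, HTTPS, MQTT/TLS).
IOT_EGRESS_PORTS = (53, 123, 443, 8883)

# Zones from which the router's own management services may be reached.
MGMT_SOURCES = ("mgmt",)


def flow_allowed(src: str, dst: str) -> bool:
    """Forwarding decision between two zones (default deny)."""
    return (src, dst) in ALLOWED_FLOWS


def iot_egress_allowed(port: int) -> bool:
    """Whether an IoT device may open a connection to this internet port."""
    return port in IOT_EGRESS_PORTS


def mgmt_allowed(src_zone: str) -> bool:
    """Whether the router's management plane accepts connections from this zone."""
    return src_zone in MGMT_SOURCES


def render_nft() -> str:
    """Render the policy as an nftables ruleset (inet family)."""
    lines = ["table inet router {",
             "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for src, dst in sorted(ALLOWED_FLOWS):
        s, d = ZONES[src], ZONES[dst]
        if src == "iot" and dst == "wan":
            # the one place egress filtering is applied: IoT towards the internet
            ports = ", ".join(str(p) for p in IOT_EGRESS_PORTS)
            lines.append(f'    iifname "{s.iface}" oifname "{d.iface}" '
                         f"meta l4proto {{ tcp, udp }} th dport {{ {ports} }} accept")
        else:
            lines.append(f'    iifname "{s.iface}" oifname "{d.iface}" accept')
    lines += ["  }",
              "  chain input {",
              "    type filter hook input priority 0; policy drop;",
              "    ct state established,related accept",
              '    iifname "lo" accept']
    # management services (SSH, HTTPS UI) only from the management zone
    for z in MGMT_SOURCES:
        lines.append(f'    iifname "{ZONES[z].iface}" tcp dport {{ 22, 443 }} accept')
    # every internal segment still needs DHCP and DNS from the router itself
    for z in ZONES.values():
        if z.name != "wan":
            lines.append(f'    iifname "{z.iface}" udp dport {{ 53, 67 }} accept')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nft())
```

The matrix is the part worth reviewing: a flow that is not listed is dropped, so adding a segment later (a second IoT VLAN, a work-laptop segment) forces an explicit decision rather than inheriting LAN-wide reachability.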
tristor, 12 months ago

Disabling SSID broadcasts is pointless and just makes some client-side WiFi features worse.

The real advice is:

1. Don't trust your ISP-supplied router; replace it with a modem-only CPE or figure out how to operate it in bridge mode. Then buy your own router you fully control.

2. Don't buy a router made by a Chinese company. Prefer routers that run or can run a well-maintained open source network OS like OpenWRT, Vyatta, pfSense, and similar.

3. Change all the default passwords and set good ACLs and other traffic policies.

4. Install updates regularly.

5. Make intelligent use of VLANs.

Reply #40559312 (not loaded)
Hikikomori, 12 months ago

Some good, some pretty questionable practices.

> Disable Service Set Identifier (SSID) broadcast

Can easily be found anyway.

> Schedule routine reboots to clear the system memory and refresh all connections. Rebooting the router may disrupt any potential malware that may have been implanted.

Idk about that.

Reply #40545604 (not loaded)
Reply #40554055 (not loaded)
zokier, 12 months ago

> Routers are responsible for forwarding messages (data packets) between devices within a network

For an official document, this seems a particularly confused definition. In IP networks, routers route packets between different networks, not within a network. That is pretty much the defining characteristic of a router. Typically the device responsible for forwarding traffic within a network is either a switch (wired) or an access point (wireless).

Reply #40546388 (not loaded)
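The distinction drawn above (a switch or access point delivers frames within one network; a router is involved only when the destination lies in a different network), as an added Python example that is not part of the thread. It performs the longest-prefix-match lookup a host or router does on its routing table; the host address and routing table are constructed values.

```python
"""Does a packet stay inside the local network (switch/AP delivery) or cross a
router? Added example, not from the thread; addresses are constructed."""
from ipaddress import ip_address, ip_interface, ip_network

# The sending host's own interface: address plus prefix length (constructed).
HOST = ip_interface("192.168.1.20/24")

# The host's routing table: (prefix, next hop). next hop None = directly connected.
ROUTES = [
    (HOST.network,               None),                         # on-link, no router
    (ip_network("10.0.0.0/8"),   ip_address("192.168.1.254")),  # via a second router
    (ip_network("0.0.0.0/0"),    ip_address("192.168.1.1")),    # default route
]


def lookup(dst: str):
    """Longest-prefix match over ROUTES, as a router or host stack does it.

    Returns (matched_prefix, next_hop); next_hop None means directly connected.
    """
    d = ip_address(dst)
    best = None
    for prefix, next_hop in ROUTES:
        if d in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best


def forwarded_by(dst: str) -> str:
    """Which device moves the frame: a switch/AP (same network) or a router."""
    _prefix, next_hop = lookup(dst)
    if next_hop is None:
        # Same subnet: the host resolves dst's MAC itself and the switch/AP
        # delivers the frame at layer 2; no router touches the packet.
        return "switch/AP"
    # Different network: the frame is addressed to the gateway's MAC, and that
    # router forwards the packet between networks.
    return f"router {next_hop}"


if __name__ == "__main__":
    for target in ("192.168.1.77", "10.1.2.3", "93.184.216.34"):
        print(f"{target:>15} -> {forwarded_by(target)}")
```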
shaggie76, 12 months ago

Is enabling WPA3 practical for home networks? I assume my Nintendo Switch wouldn't be able to connect any more if I did.

https://en-americas-support.nintendo.com/app/answers/detail/a_id/498/~/compatible-wireless-modes-and-wireless-security-types

Reply #40555447 (not loaded)
bustling-noose, 12 months ago

Interesting list. I have been working with routers for a decade now. A few things to note:

Home router makers use boards from companies like QC, Broadcom, MediaTek etc. that provide a base configuration of a board and something like OpenWrt along with their updated drivers and a patched kernel to go with it. Generally these things run something as old as OpenWrt 15.05 when it comes to something like even Wi-Fi 6. It fits their purpose and time to market is small with a proven track record of stability. Manufacturers put their modifications for their product lineup and sell it until they can make money. Firmwares generally receive patches through their original SDKs and, depending on severity, the manufacturers will send out updates, which can take months since the vulnerability was reported or even patched in the SDK.

If you are absolutely worried about security you can see why the above model is weak to begin with. While you can do all these things in the list, it's not going to protect you from actual firmware vulnerabilities. Cheap routers never receive firmwares beyond like a few months or a year of launch. Higher-end ones are more frequent but they aren't cheap and you can do much better at those prices.

Depending on how serious you are about your network, a SOHO will likely opt for something like a router with OPNsense or an OS that gets regular patches and then put an access point on top of it. This is also tricky as the above issue is still true for AP makers these days, as many of them use OpenWrt as well for their APs since the chips tend to be similar and as a result suffer from the same issues depending on the maker and model.

If you look at Cisco lower-end hardware like CBW150AX you may find updates (this one was the cheapest Cisco Wi-Fi 6 AP I could find) but you may not get the best performance or features which are available in the higher-end ones or from other makers in the similar range. So you may consider paying for higher-end APs and then you run into licensing etc. An alternative is generally finding routers with OpenWrt support and putting them in front of your router in AP mode, but the stability for an office environment is questionable. I have had weird issues with bands locking up and such APs straight up rebooting randomly in the middle of something.

There is really no one-size-fits-all problem here if you are interested in security. You have to start from the OS and hardware first, then move to the top of rules and lists and WireGuard and keys and policies and separated LANs etc. What is listed above might take your home network from 10% secure to maybe 50% secure (just making a point). Some things will be better but may not necessarily do that much in the grand scheme of things, especially if you run a small business.

Reply #40555746 (not loaded)
germinalphrase, 12 months ago

Criticisms/additions to this list?

Reply #40545460 (not loaded)
Reply #40555688 (not loaded)
Reply #40546028 (not loaded)
Reply #40546197 (not loaded)