bought an ASUS AC-87U Router, do I still need an AV?

Here's a review of the trend micro feature

http://youtu.be/s0zqmTidmEs

The person isn't really testing just showing the setting and what it looks like when trend micro picks up a bad link.

 

No question about it, AiProtection is amazing. The DNA capabilities to find malware/malware hosted sites before any definitions are released is second to none!

 

I've thought about getting one for the Trend AIProtection. That's the main benefit I would get over my existing setup. Let us know what you think when it's up and running.

 

I couldn't resist to Mayahana commercials and also purchased one, so divorcing soon from my decennial marriage with NETGEAR routers

 

If some of the cheaper ASUS models could handle the Trend AiProtection or if I could save up to afford one of the more expensive ASUS models, I would also make my next router purchase an ASUS with Trend without a doubt. Not only are you getting a quality router with quality components, but the added value that Trend brings to it definitely stands out from the other brands at this current time. This is great for the consumer market and hopefully other router manufacturers will also bring similar functionality in the future and make deals with Trend or other security software companies with similar technologies to bring an even wider variety of choice to the consumer market. More choice is always great as competition helps to achieve greater goals and often lower prices over time. Regardless, the consumer market can really benefit from the added protection.

 

Agreed! Apparently Trend AIProtection doesn't create much overhead so it could potentially be added to less powerful models. Currently the RT-AC68U has the AIProtection and can be had for a fair bit less then the 87U.

On the other hand I'd like to see full UTMs built into more affordable consumer/home routers. Although the hardware specs are on the low side I'm curious to see how well Bitdefender Box performs. It could be a good solution for many home users who's networks wouldn't be throttled by a 10/100 interface. If it works well over all I would pay more for a gigabit version.

 

The problem with full UTM's for consumers is configuration. Once you start tossing more complex configurations to potato heads expect serious issues. ASUS w/AiProtection is pushing the envelope right now, as it's really not as plug and play as ASUS would have you believe. I've set up about a dozen of these for people - executives at Fortune 500 firms (for their homes), 3-4 people on the forum here, etc. Then updating the firmware to major releases can be difficult(for consumers) as you need to backup the configuration, update FW, reset device, then load the old configuration and THEN re-enable AiProtection. Ouch!

Right now there is a bit of a problem in the industry - consumers NEED more than Layer 2 routers. Blended threats with blended internet facing devices are only properly protected by a Layer5-7 UTM. Getting them plug and play for all known configurations, networks, and situations is a serious issue. ITUS is working on SNORT+CLAM that is supposed to be plug and play. Bit Defender is working on that with BOX coming out right now, but BOX is only 10/100, so useless to a good portion of people that would consider deploying it! Closest thing we have to home UTM's are ITUS (Layer 7), and ASUS(Layer 5). You could in theory use ITUS with ASUS, provided ITUS has a bridge mode to cede DHCP to ASUS, because ASUS strongly enforces DHCP even with DHCP server disabled.

Right now we are at a threshold - how to provide Layer5+ to consumers without confusing them, and breaking things. ASUS is WAY ahead of the game right now, and probably the best overall solution for most people. The protection level from ASUS is quite remarkable for a home network, especially considering AiProtrotection does deep packet inspection.

 

Agreed that plug & play is necessary for most home users who cannot handle advanced configuration. Perhaps there's a market for devices like the coming "Box" that could include optional back-end management/support for home users?

 

Potato Heads need to be factored in all consumer endeavors as they will ultimately run into your product at some point. So the lowest common denominator is usually factored by companies. It's not meant to be derogatory, just that people with 100% no clue on about anything computer/network related may at some point encounter it. Right now the choices for raw consumer market are limited, and seem to be;

ASUS w/Trend AiProtection
http://www.asus.com/us/Networking/RTAC87U/
Bit Defender Box (constricted to 10/100)
http://www.bitdefender.com/box/?icid=NA_box_homepage_banner
Itus iGuardian
https://itusnetworks.com/

That's about it for relatively plug&play layer5-7 UTM/NGFW for home blended threats. I'd have ordered a Bit Defender Box already if it wasn't 10/100, since my WAN connection itself is 135-200Mbps.

 

I'd like to add as additional options:

OpenDNS Umbrella ($50/user/yr), and OpenDNS Prosumer ($20/user for 3 devices). The major difference between Umbrella and Prosumer is Umbrella uses "deep inspection below the DNS layer using proxy-based, URL-level filtering". I'm trialing Umbrella. Umbrella may or not not be available to home users (vs. corporations).

ZScaler. Similar but seemingly deeper functionality as OpenDNS Umbrella. It looks like a min # of licenses of either 25 or 50. I can imagine pulling together a neighborhood buying club to make it feasible

 

Beware that if you use the OpenVPN server of Asus routers, the DH keysize is only 512 bits. It is possible to generate and use larger ones through Telnet/SSH, but it gets slower as the keysize gets bigger and it is gone when the router is rebooted/power is lost.

 

Those aren't cheap! ZScaler is an SaaS, essentually I could setup my own SaaS by using VPN's. Drop a Fortigate on the gateway, static it, then drop Forticlients on all desktops and mobile devices. All traffic on any device, anywhere in the world is routed through my home network Fortigate for Deep Packet Inspection, and UTM. If I was traveling I would do this to ensure privacy/safety while using public WiFi, and making my systems virtually unhackable. ZScaler is just a commercial version of the same thing.

Bit Defender Box is ZScaler on a small scale for the home.. It saddens me they cheaped out and went 10/100. Who deploys 10/100 anymore? Untangle comes with built in OpenVPN, so you can do the same thing, and route all traffic through the 7 layer protection of Untangle via a 2048-Bit encrypted Untangle pipe.

 

I didn't realize that they renamed it to Shield now. Glad to see it come to fruition. This is OpenWrt running Snort in all it's glory. They put some decent components in there. I've got my OpenWrt running Snort as well but I can't enable all filters as mine is far too under powered. You can run OpenWrt on a small PC now and filter/control application layer (L7). I really like what these did with their Kickstarter project.

 

I have several spare systems around here. Right now 2 of them are in service as servers. Untangle is on a Dual Core 2.66ghz box with 4GB of ram. Overkill for Untangle, I run everything full bore, and it still has almost a gig of ram free, and seldom runs over 10% of the processor. I should probably build a pFsense or something, as Untangle is good but I don't agree with a lot of their philosophies, as they refuse to update SNORT IPS, and after a year it still has the same old 3000 signatures, when fully loaded I think Snort IPS should be around 8000-10000 sigs these days, right? Untangle feels NAT is enough..

Do you have any recommendations for me?

 

I've put some thought into this question over the last day or so. I haven't got any recommendations regarding your 2 spare systems because, quite honestly, I don't have any experience with using PC's with UTM distros.

However, the hobbyist in me wants to suggest a MIPS Creator CI20 router developer board to you so that you can throw OpenWrt on there (or many others) along with Snort, L7 filtering, PeerGuardian or many other choices out of the 3,500 or so packages available for OpenWrt. But the big issue here is that the major failing point of this board for you would be the lack of GbE connections and I respect that, given your home network setup specs. Otherwise you could create a powerful home router with significant granular control for roughly $60 and to your own needs and creative choices. I wish that there were similar developer boards to this but having GbE on board. I will look around for other boards out of curiosity. I am a big fan of building things myself from a hobbyist perspective but the security perspective is also equally important to me along with having fine granular control over everything in my network. And at the same time, I like being able to do so much yet with a smaller footprint, less energy usage, smaller router vs. large PC/server. It's not so much the energy usage or the size that really matters in the end either, it's more about seeing what was accomplished in the end with so little that is satisfying to me.

The other point that I understand and respect also is that I don't feel like suggesting open source specific tools/hardware/OS/hardware related things is the most appropriate thing to suggest to you. The reason being is that you have the money to spend, you want quality hardware along with high performance and the most important point would be that you want someone to be accountable if, say, there were bugs that needed fixing or something not working right or some sort of support needed along those lines. And that aspect I can totally understand, if I were to be spending hundreds of dollars on hardware devices and software and something went wrong I would certainly want someone to be accountable.

Quite honestly, I still think that you should pursue running a DNS server as I recall talking with you about previously. That is something that would be creative, interesting and very useful as well. And potentially profitable at the same time as providing security and service to whomever was to use that service, most likely us security conscious forum users who have security on our minds regularly. And to have different category options available, particularly advertisement blocking, malware, etc. That would be of great interest to many users here, myself included.

Enjoy your weekend!

 

Merlin Firmware v378.50 just released! = https://www.mediafire.com/folder/bkfq2a6aebq68//Asuswrt-Merlin

Supported devices are:
* RT-N16
* RT-N66U
* RT-AC66U
* RT-AC56U
* RT-AC68U
* RT-AC68P
* RT-AC87U

Changelog:

378.50 (7-Feb-2015)
- IMPORTANT: You must do a factory default reset, and manually
reconfigure your setting if coming from a version
older than 378.50. Failure to do so can
lead to various issues with wifi, OpenVPN,
and the new AC68U bootloader.

- IMPORTANT: Please read this changelog, especially the changes
related to jffs, user scripts/config and OpenVPN in
the previous 378.50 betas.

- NEW: Merged with Asus GPL 378_4129 code.
- CHANGED: Reverted back to vsftpd 2.x, as 3.0.2 doesn't work properly
on MIPS architectures (and possibly other particular
scenarios as well).
- CHANGED: Added warning to the DDNS page if you set the type
to Custom and either JFFS or custom script support isn't
enabled
- FIXED: A few unescaped quotes in the French dict breaking VPN pages
- FIXED: MAC list would get corrupted when removing and re-adding
entries on the MAC filter list
- FIXED: AC68U CFE update wasn't written to flash due to permission
issues
- FIXED: Static Key field wasn't visible when using HMAC authentication
- FIXED: syslogd was always enforcing the -S switch
- FIXED: When setting a static DHCP from the networkmap, the user-entered
name wouldn't be used. Now it gets used, and we rely on the rc
daemon to properly handle it if it's not a valid hostname (it will
simply not provide it to dnsmasq's static name list).

 

Just received this beast... very easy to install and up to now super smooth, no issue whatsoever. Very responsive internet connection, no impact on speed with AiProtection and better compatibility with windows phones (compared to my previous NETGEAR router). So far so good, my NETGEAR will definitively retire in the garage . Weaknesses? A bit less configurability on the media server side and some firmware bugs.

 

Congrats and welcome to the club of ASUS routers! AIProtection is indeed very good and doesn't slow anything down.

I urge you to install the latest Merlin Firmware which will then also unlock the DNS Protection feature where you can easily select one of the pre-configured DNS servers. I selected Norton Safe

 

Thanks! Indeed next steps is to play with Merlin Firmware

 

Did you upgrade to the latest FW?

I don't find the DNS feature of Merlin helpful, all it does is allow you to select pre-canned DNS which you can google for yourself.

 

Yeap, the first thing I did before configuring anything else.

 

If you notice random disconnections on the 5GHz band, you will want to upgrade to the latest Merlin Firmware as it fixes that.

 

I must be lucky, so far no disconnections on 5GHz, signal strength similar to my previous NETGEAR.

And forgot to mention that QoS really works as it should. Unlikely what I experienced with my previous router.

 

If you think that QOS is good, you should see it in Untangle!

I can take already classified websites, and then assign priorities based on classification. So for example anything the web filter classifies as a 'game', I can set priorities to it down to an 'extreme' level. If I want to slow my sons downloads, I can take anything classified as a download website (automatically), and constrict it to say 25% of the bandwidth. After dealing with Untangle's extreme controls, anything else feels extremely lacking! With that being said, in the CONSUMER market, ASUS 87U has by far the best QOS.