router vs software firewall

Discussion in 'other firewalls' started by Siamese Dream, Jan 16, 2014.

Thread Status:
Not open for further replies.
  1. guest

    guest Guest

    Uhm...

    I'm not quite sure if software-based protections are reliable to protect your hardware, router in this case. I'd say it's better to harden the router itself. Hide SSID, use AES, and configure/disable other things that might become the possible threatgates, etc. There are more you can get from the more expert members. Digging older threads might give you more info.
     
  2. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    This thread motivated me to check the default settings of my new router which I discovered are a mixed bag in terms of security.

    1. UPnP was ON, however info on the web says that not all implementations are at risk. There's a test that (supposedly) determines whether or not your router's iteration of UPnP is vulnerable here:

    http://upnp-check.rapid7.com/

    This test says my router is not "discoverable" so I've left UPnP on for the moment, but I'd like to hear the pros & cons of having it On/Off.

    2. The WPS PIN was ON (it's now off).

    3. WPA2 - PSK [AES] was ON

    4. SSID was ON

    There's info on the web stating that hiding the SSID doesn't improve security much since someone with a little knowledge can still find it. It would discourage the average person though who doesn't know how to do it.

    http://www.howtogeek.com/howto/2865...hiding-your-wireless-ssid-really-more-secure/
     
    Last edited: Jan 31, 2014
  3. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Suggest you replace that http://upnp-check.rapid7.com/results... link with this one: http://upnp-check.rapid7.com/. At the latter page I notice: "This service is only suitable for identifying whether your UPnP is exposed to the internet". Looks as though it tests for WAN side access. LAN side access would also be of concern unless you've established that the level of authentication in your arrangement is satisfactory to you.

    Better than counting sheep...
    https://en.wikipedia.org/wiki/Universal_Plug_and_Play
     
    Last edited: Jan 31, 2014
  4. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Thanks for the heads up about my incorrect link to the UPnP test site (now correct). What is likely to happen if UPnP is disabled in a home router? What support does the protocol provide to new devices and is that support needed after they are connected?
     
    Last edited: Jan 31, 2014
  5. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    In a networking context, I'm not a fan of devices auto discovering each other, auto exchanging information about their capabilities/config, auto allowing other devices to modify their configuration, etc (ARP and sometimes DHCP exceptions). I like the human in the loop, manual configuration, device-specific login credentials required to access or change configuration info, type pattern. You need to play with something to really understand it, and I haven't done so (with UPnP). So if you read up and do some experimentation, I'm certain you'll arrive at a better understanding than I can give you. Thus the previous starter link. Having said that...

    I think this would depend on what options you have and use to control it, and what UPnP driven features you were/are trying to use. If you fully disable it, I suspect that would prevent UPnP based software from acquiring and displaying some detailed information about the device. I'd look for places where network device information is displayed and see how that changes. If you can enable UPnP while preventing changes made through UPnP, I suspect the discover and read operations would function properly while protecting the device from UPnP based modifications. If you have a device/program that is punching holes in a firewall via UPnP, and I doubt everyone will, breaking the mechanism should cause a network connectivity issue of some sort. UPnP is used to access media servers, so if your router is configured to be one perhaps you'll run into problems there depending on what you disable.

    It seems possible that UPnP would be used for one-time-only discovery and config purposes, but I don't think I would count on that.

    FWIW, I have some links to UPnP test tools (which I never played with, perhaps there are better ones out there):

    UPnP Tester
    http://www.markgillespie.co.uk/?page_id=18 (note comment regarding administrator privileges)

    Universal Plug-and-Play Tester
    http://noeld.com/programs.asp?cat=dstools (scroll down)

    UPnP-Inspector
    http://coherence.beebits.net/wiki/UPnP-Inspector

    Maybe you can explore and let us know what you learn :)
     
    Last edited: Feb 1, 2014
  6. guest

    guest Guest

    Yeah, but I just don't want my SSID to appear on other people's computers. Just if my neighbours do the same. A long list of available networks is kinda annoying. :p
     
  7. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Another drawback of hiding it is that users will not know that a channel is already used by X number of people and then this may impact you. So, to be visible is actually beneficial especially in WIFI polluted areas. If they know you they will avoid you :D
     
  8. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    That would be true for people who actually know that there are wifi channels and how to determine which ones are being used in their area.
     
  9. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    That's the first troubleshooting step anyone (e.g. support, user guides) gives when dealing with WIFI issues or low signal. So, pretty common... Unfortunately with this idea of hiding SSID to improve protection is not always easy to implement. :)
     
  10. SnowFlakes

    SnowFlakes Registered Member

    Joined:
    Jun 29, 2011
    Posts:
    194
    Don't worry about being hacked. I've used the internet for maybe over 10 years and really begging hackers to hack my PC, and I even made some very angry, and nothing, nothing has happened for over 10 years.

    I've only used Router Firewall and none on my PC.
    So it's just paranoia, nobody will hack you if you don't give the hackers the right to hack you, and that can be done maybe they send you a file and you open it, or else they can NEVER hack you. It's just rubbish.
     
  11. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,294
    :thumb: Agree! I just use a NetGear router, never an issue.
     
  12. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    Software and so-called hardware firewalls should be used together.
    With IPv6, NAT is useless. All the PCs in the LAN are accessible/visible so a software firewall is needed on the PCs.

    How would you know?
     
  13. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    I agree. :thumb:
     
  14. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    If you're using an external DSL or cable modem, you have a network. Unless your modem is set to pass through (most are not) you're using NAT (Network Address Translation) which also functions as an inbound firewall. Most cable and DSL modems are combined devices that have a basic firewall.
     
  15. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia

    NAT is useless in IPv6, I've heard; I may be wrong.
     