bought an ASUS AC-87U Router, do I still need an AV?

Discussion in 'other anti-virus software' started by Mortal Raptor, Dec 25, 2014.

  1. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    That's a good strategy. There's also wireless isolation which is an option in my Netgear router:

    http://www.wirelessisolation.com/
     
  2. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    If you want to get even more extensive, segregate radios with ghetto VLANs, and do space broadcasting limitations. We can get a bit advanced with consumer routers if necessary despite being limited with policies/routes.

    1) Hide the 5GHz SSID (WPS off), assign a ridiculous password to it, turn on MAC filtration with a 'single point' to a device. This is your personal WiFi within the intranet for just you.
    2) Dial the power down to 0 on the 5GHz, then 'tick' it up until you can just see it within the walls of your home at the location where you need it specifically.

    Alternatively - kill the 5GHz radio... Next:

    3) Completely lock down the 2.4GHz primary - MAC address filtration with empty MACs (filter ALL). Hide SSID, broadcast limitation, WPS off, ridiculous password, radio broadcast "scheduling" with a 1 minute only window of broadcast.
    4) Assign a GUEST network to the 2.4GHz radio, disable intranet access. (Ghetto VLAN)

    You've successfully 'magnificently' secured your home network. All of your wireless activity will be funneled through the ghetto VLAN, as your primary 2.4GHz is effectively locked up. You can't disable the 2.4GHz entirely without disabling the guest network capability, but you can disable it enough with ghetto-policies so it is unusable, and locked down, then force everyone to work within the restrictions of the guest segregation.
     
    Last edited: Jan 11, 2015
  3. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Sorry, but I just don't get your analogy. The kid you're mentioning is standing outside my house, in front of a locked door. How is he going to steal cookies out of my jar is beyond my understanding...
     
  4. Mortal Raptor

    Mortal Raptor Banned

    Joined:
    Oct 6, 2014
    Posts:
    1,013
    New Merlin Firmware released ( 3.0.0.4_376.49_5 ):

    https://www.mediafire.com/folder/bkfq2a6aebq68//Asuswrt-Merlin

    376.49_5 (9-Jan-2015)
    - FIXED: Vulnerability in infosvr (CVE-2014-9583) (Asus bug)
    - FIXED: Additional security issue in infosvr (incorrect memcpy() call) (Asus bug)


    Supported devices are:
    * RT-N16
    * RT-N66U
    * RT-AC66U
    * RT-AC56U
    * RT-AC68U
    * RT-AC68P
    * RT-AC87U

    Merlin seems busier than ASUS themselves constantly releasing updates and improvements to the AC87U
     
  5. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Exploit requires access to the WiFi, which means your AES Key has to be compromised.. That's why the exploit says public (unsecured) WiFi. But even then, this doesn't say whether or not this includes guest WiFi, which I highly doubt as Guest WiFi segregates attached clients away from the intranet, and hence wouldn't be able to access the router to execute code. This exploit seems to be for people that are already violating the basics of network security.

    From the article: Summary: An unpatched router can be hijacked, if the attacker is on the same network.

    So how is the attacker on the same network if he doesn't have the AES Key? Answer - people running unsecured networks are asking for it. Also, if the attack is guest-segregated, they won't be able to implement this anyway no matter how hard they try. What did we learn here? Don't run an unsecured network, and if you do, run it in guest segregation. Much ado about nothing. This isn't even a real exploit in the sense of what I consider exploits.
     
    Last edited: Jan 11, 2015
  6. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Well, leaving unsecured routers and complaining is like having house doors wide open and complaining over things getting "misplaced".
     
  7. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    679
  8. Mortal Raptor

    Mortal Raptor Banned

    Joined:
    Oct 6, 2014
    Posts:
    1,013
    I secure my wireless network with a hard-to-guess password with capital letters, numbers, and special symbols... but for access to the main GUI of the AC87U router setup I chose a simple username and a simple password (it's a browser name followed by a number). That's not bad, right? Since people won't be able to get into the wireless network in the first place, it doesn't matter how easy or hard the main account for accessing the setup of the router is, right?
     
  9. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    The proper way to secure administrative access is: Disable administrative access over the WAN, then set a reasonable admin password. Finally, set a 'specific' IP address from within the LAN to access the administration of the device. This way nothing outside of the local subnet can access the administrative settings AND only a specific IP address can access the administrative settings.

    I recommend that procedure be used at all times. Also, it's wise to use my ghetto-VLAN method to segregate your network if you want some real security. That way even if someone gets into your wireless network, they are locked out from accessing the intranet from the wireless network.
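
The three steps from the post above, written as a check over a router settings snapshot. This is an added example, not part of the original post and not ASUS or Merlin code; the setting names, the sample values and the 12-character minimum are assumptions.

```python
import ipaddress

# Constructed snapshots; key names are hypothetical, not ASUS/Merlin settings.
WEAK = {"wan_admin_enabled": True, "lan_subnet": "192.168.1.0/24",
        "admin_allowed_clients": [],  # empty: any LAN host may log in
        "admin_user": "admin", "admin_password": "chrome7"}
HARDENED = {"wan_admin_enabled": False, "lan_subnet": "192.168.1.0/24",
            "admin_allowed_clients": ["192.168.1.10"],
            "admin_user": "netadmin", "admin_password": "t7#Vq9!mZ2&rLp4x"}
MIN_PASSWORD_LEN = 12  # assumption: the post only says "reasonable"


def audit_admin_access(cfg):
    """Return a list of findings; an empty list means all three steps hold."""
    findings = []
    lan = ipaddress.ip_network(cfg["lan_subnet"])
    if cfg["wan_admin_enabled"]:
        findings.append("admin interface is reachable from the WAN")
    pw = cfg["admin_password"]
    if len(pw) < MIN_PASSWORD_LEN or cfg["admin_user"].lower() in pw.lower():
        findings.append("admin password is short or contains the username")
    allowed = cfg["admin_allowed_clients"]
    if not allowed:
        findings.append("no specific admin client set; any LAN host can log in")
    for entry in allowed:
        net = ipaddress.ip_network(entry, strict=False)
        if net.num_addresses != 1:
            findings.append(f"{entry} is a range, not a single address")
        elif not net.subnet_of(lan):
            findings.append(f"{entry} is outside the LAN subnet {lan}")
    return findings


def may_reach_admin(cfg, src_ip, from_wan):
    """Model the access decision for one connection to the admin interface."""
    if from_wan:
        return cfg["wan_admin_enabled"]
    src = ipaddress.ip_address(src_ip)
    if src not in ipaddress.ip_network(cfg["lan_subnet"]):
        return False
    allowed = cfg["admin_allowed_clients"]
    return not allowed or any(
        src in ipaddress.ip_network(a, strict=False) for a in allowed)
```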
     
  10. Mortal Raptor

    Mortal Raptor Banned

    Joined:
    Oct 6, 2014
    Posts:
    1,013
    Right, thanks bro
     
  11. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
  12. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    New Firmware just came out;

    http://www.asus.com/us/Networking/RTAC87U/HelpDesk_Download/

    ASUS RT-AC87U Firmware version 3.0.0.4.378.3885
    - Fixed infosvr security issue.
    - Fixed media server related issues
    - Fixed 3G/4G USB dongle related issues.
    - Fixed dual wan related issues.
    - Improved UDP throughput between LAN and WAN.
     
  13. Mortal Raptor

    Mortal Raptor Banned

    Joined:
    Oct 6, 2014
    Posts:
    1,013
    Thanks a lot bro!!

    Jumping on this right away as I feel this AC87U has a lot of room for improvement
     
  14. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I found a bug already. If you go to change the router password it says 'Specified Time Interval Cannot be Set' and won't allow you to edit ANY administration settings.

    Workaround for this:

    Select Eniwetok as your time zone, change admin settings. Then switch back from Eniwetok. Sounds dumb, but it works... Lame bug.
     
    Last edited: Jan 12, 2015
  15. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Not to mention I can't possibly set my time zone. If I set it to GMT +1 (Ljubljana), it keeps on nagging about intervals overlapping. What intervals!?!??!?
     
  16. Mortal Raptor

    Mortal Raptor Banned

    Joined:
    Oct 6, 2014
    Posts:
    1,013
    Didn't have that issue as my time zone was already +4 before the upgrade, didn't do a factory restore this time
     
  17. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Did you back up config prior to patching? (hopefully) Do a full factory reset, load your config after. Then go to admin, and pick Eniwetok as your time zone, hit apply, then go back in and change to your normal time zone.

    That fixes it.. I am successfully on the new firmware, no issues yet.
     
  18. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Check your AIProtection after this FW update. I did, and mine was off. Also, new web blocking screen, a small 'plug' for Trend on the Desktop.

    I found another bug..

    If you change your admin port to say.. 10006, and designate HTTPS only. The web blocking screen doesn't display, and instead you get an empty page when it blocks something.. It STILL blocks what it normally does, but you get an error screen instead... Come on ASUS, get with it.
     
  19. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    I had to first apply a timezone without DST start and end fields, switch to my own and reapply it, and all of a sudden the DST fields received dates where before they were just empty.
     
  20. Mortal Raptor

    Mortal Raptor Banned

    Joined:
    Oct 6, 2014
    Posts:
    1,013
    ASUS is having lots of trouble with firmwares on this device. In the review I read, they said the full potential of the AC87U wasn't unleashed due to crappy ASUS firmware

    I think it's better to stick to Merlin Firmwares
     
  21. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Merlin firmwares have been highly recommended for years, for sure. Hopefully some of these newer ASUS models will be supported by OpenWrt, especially with the backing of semiconductor companies and hardware manufacturers through the combined effort of prpl. Personally, I would love to have one of these higher end ASUS models and if I did have one, I would use Merlin's firmware at the moment.
     
  22. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Well, we could donate money or the actual RT-AC87U router to Victek (author of TomatoRAF firmware which is OpenWRT based). I was talking with him the other day about the RT-AC87U support and he said he could easily do it if he only had the router itself for testing/work. Seeing how much I paid for it, I understand him for not having it already.

    So, that would be another option...
     
  23. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I'm good for a donation to do this, if others will get on board. ASUS apparently sucks at firmware.. LOVE the device, and its capabilities, and especially the Trend scanning.. But they need to get with the program on the FW.
     
  24. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    I'm flattered, but you must be referring to another Victek as I certainly don't have the ability to code router firmware :)
     
  25. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220