Tricked routers?

Discussion in 'other security issues & news' started by Pigitus, Feb 28, 2013.

Thread Status:
Not open for further replies.
  1. Pigitus

    Pigitus Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    97
    Location:
    USA
    I am considering subscribing to FIOS internet. 15 to 300 Mbps residential options. The router provided by the company will have such high throughput that I won't be able to piggyback my current routers on it for additional security.

    1. Do routers provided by Verizon have back doors?
    I read that there is an open port for administrative reasons and that users can't close it. If Verizon can access it, then I assume top hackers will be able to, especially if confidential information leaks out. One way to secure the open port design would be to 1) make it stealthy, 2) require anyone entering through that port to provide a strong password. But this stinks already: if that port exists, there will be massive effort to hack it. I would not like to be a 24/7 point of attack. Does Verizon allow only the modem to be used and the router turned off to allow users to hook up their own routers? Although the modem performs a single function, is a modem vulnerable, for example, to allow secret routing of flows to a clandestine destination in addition to the user-intended destination?

    2. Any suggestion about a Verizon alternative router/modem that can withstand serious WAN attacks?
    It seems that even with remote administration DISabled, such attacks may be possible. One way is that, in one (or more countries), subcontractors may have manufactured routers that can secretly leak information in and out, although they were NOT under contract to do so. This may help explain why so much stealing is occurring today on the Internet, despite the accumulating experience of security professionals. If your manufacturing subcontractor is smart enough and has a secret agenda, one (of the) pillar(s) of security, the router, is gone, unless manufacturing is itself secured.


    All this boils down to finding a trusted router manufacturer that can prevent its routers from being either accessible through a backdoor by design OR hacked at the (manufacturing) source. Beside avoiding these flaws, I'd like SPI firewall, remote admin disabling, MAC filtering on LAN sides, informative log, no open port (or if port is open, ability for user to close it), rejection of login after user-selectable number of unsuccessful LAN logins, ability to turn off wireless radio while wired ports stay on.

    I don't just rely on routers for security, but the issue today is routers.

    Any suggestion?
     
    Last edited: Feb 28, 2013
  2. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,103
    Hi Pigitus,

    I have FiOS at its lowest speed with a cable (non-WiFi) setup. Verizon provides a documentation package which includes a CD on how to set up your router.

    See Wilders thread FIOS router remote admin access for more information and a link to the post "The Word on Verizon FiOS and Linux" on how to remove that admin port from being accessible.

    Note: The most important thing you need to be aware of is to change your admin password on the router. These days Verizon has modified its formerly well-known admin password to be the serial number of the router, which is unique for each router it provides. Before changing it, call up the technical support phone number of Verizon to find out how long the admin password field is that can be changed by the user - before changing it.

    -- Tom
     
  3. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    You can put pfSense (my choice and what I use) or m0n0wall or smoothwall, or a host of other linux based firewall/router distros on any machine and make your own router. The hardware can scale to your needs. The OS is (IMO anyway) much better than any consumer router by far. You can get crazy on that stuff, or just use it like it is with minimal changes.

    If you need performance, look at the specs of the hardware in consumer routers, then look at the specs of even p4 machines, and you might be surprised at the difference.

    Sul.
     
  4. Pigitus

    Pigitus Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    97
    Location:
    USA
    I forgot to mention the alternative router should be coaxial and Verizon-FIOS compatible.

    Thanks, guys, for the link and other information. I am going to check them out. By the way, the higher bandwidths are the deals currently offered. I don't really need 50 Mbps. I'll try to settle for less speed if it will cost less.

    Sully, I wasn't aware of these alternative ways to make my own router. And I don't run Linux either. Hopefully such software is available for Windows. I should also be able to find a PCI or express card with a coaxial port. That looks like a convincing way to avoid the possibility of a factory-hacked router. Fresh new reading yet again on security for me. :'( We humans are our worst enemies, aren't we?
     
  5. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I don't think you fully understand yet. You install (or run from live cd to test) a linux firewall/router distro. As such it is a customized version of linux (of some flavor, pfSense which I use is bsd based). You run it on a spare computer. You interface to it just like you would a consumer router (linksys/dlink/belkin/etc). The web interface is much like your current router, only on steroids I guess.

    You need a box, say 600mhz at least, but up to whatever. You need two network adapters, one for incoming from modem, one for outgoing to network. It has all the features your current router does, plus maybe a little more ;)

    The faster the cpu and more ram, the better performance for high bandwidth internet. Many consumer routers are based on linux/unix, if not all of them. I went all out (as usual) and got 2 matching intel nics for my box. I tried a half dozen other nics of varying chips/makes, but the intel are hard to beat for performance.

    So no, you don't need anything windows related at all. There are even some flavors they call a UTM (unified threat management) like Endian, which are as you might surmise full of advanced security features. Even in pfSense there are lots of plugins/addons that do handy things, like a virus scanner and my favorite, squid proxy and squid guard for filtering your network. There are some common features like captive portal (a way to restrict network access by client) and nat/port forwarding. There are other options that you might not see in consumer routers like denying ARP to MAC addresses not defined in the static DHCP mapping - in other words, if the router doesn't know you, you cannot join.

    If you want wireless you put a wireless nic in. However, what I did was to use my dlink dir655 for the wireless signal. My dlink is 192.168.1.2 and my pfSense box is 192.168.1.1 (the gateway). The wireless security is handled by the dlink, and once they connect to the wifi, the pfSense box handles all the dhcp and dns forwarding. So my dlink has the dhcp turned off, uses a static ip in a different subnet (192.168.2.1 on wan) instead of pppoe/static like normal. I think that's all I had to change in it.

    If my pfSense box goes down (it is old hardware in my case) I plug my modem into the dlink, change 3 settings (wan ip to pppoe/static, lan ip to 192.168.1.1 and turn on dhcp server) and I am online in a few minutes.

    I tested a lot of these firewall/routers. Most of them are good, but they are all quite different. I chose pfSense because it seemed to have the least issues getting up and running but most importantly it made more sense to me, in every facet. Some of the others might have had some features I liked, but quite frankly if the interface to the features is terrible, then the feature isn't worth as much.

    Hope that helps.

    Sul.
     
  6. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,274
    I have the slowest Verizon FIOS (5/2) and don't use their router. Old Linksys, or Netgear or Asus do just fine. Never installed any Verizon software, as all they do is mess up your computer and those programs are useless (gee, they can tell you the IP of your tv or your computer, wow!)

    My son has FIOS (15/??) with some ActionTech router. With that coax thing. No Verizon software. Beware, Actiontech, IIRC, doesn't have WPA2 or something important of that sort. Not only that, if you try to enter Admin settings such as MAC address list, from a non-wired computer (i.e. by WiFi), your entire MAC list gets zapped and you have to retype by hand.
    In any case, speed - to that terrible router he hooked some other routers and everything including streaming to TV connected to one of those internal routers, from Netflix works just fine.
     
  7. Pigitus

    Pigitus Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    97
    Location:
    USA
    Sully, your last email clarified the spare-computer-as-router alternative. I saved that email, but only for the mid term, because family pressure may make me jump to FiOS sooner than I prefer.

    I'll examine the VZ router and do the best I can with it. If it's a pain to conveniently stop its wireless radio, I will do what you did with your Dlink. In fact, I also use a wireless router as a sort of switch (DHCP off) for wireless purposes, while letting another wired-only router directly face the WAN. I don't need wireless myself, so I like to switch off wireless sources in the house as much as possible to minimize radio waves beaming through our brains (although it may not matter much since we are already drowning in all kinds of wireless signals anyway). But even wireless router manufacturers recommend staying at least some number of feet away from those things. So, switching off the wireless has to be fast and easy as it is now for me. (Permanently turning off the wireless capability of VZ's gateway will disable pay-per-view and other minor things that I don't care about).

    Lotuseclat79, the reason firmware updates haven't been done (per your experience) may be that Verizon changes the hardware itself at a rather quick pace. The gateway was an Actiontech Revision E around late 2009, and now it's Revision I. 4 revisions in 4 years? Westell was the brand years ago, and the revision numbers also kept moving fast then.

    Act8192, I, too, doubt I will ever install Verizon software. I remember the early DSL days when the company provided a Windows 98 vintage software on CD to interface a PC with its modem. I never installed it and hooked my own router to the modem instead.

    SMC isn't talked about as much as Dlink, Linksys, and Netgear routers. The SMC Barricade keeps a great incoming log for rejected connections and has never failed me in 9 years. That log taught me a lot about changing patterns of unsolicited connections over the years. Lots more from China, BTW. But to know more about an IP address, you have to manually identify it with separate software. A hassle. Is there a log function today that automatically converts IP addresses to IP owner and country right inside the router?
     
  8. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    No, but there is wall-watcher. Great little app if you've time to submit reports to an ISP who cares, or you just want to geek out :D

    Sul.
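Pigitus's question about enriching the router's rejected-connection log, and Sully's pointer to a separate log-watching app, both come down to the same offline workflow: pull the dropped inbound entries out of the log, aggregate them by source network and destination port, then enrich each source with owner/country data from an external database. The Python below is an added example (not code from any poster, router vendor or the wall-watcher app); its log format, sample lines and owner table are constructed placeholders.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample lines in a syslog-like DROP/ACCEPT format (not a real router's log).
SAMPLE_LOG = """\
Feb 28 01:02:03 router kernel: DROP IN=wan SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=44123 DPT=23
Feb 28 01:02:09 router kernel: DROP IN=wan SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=44124 DPT=2323
Feb 28 01:03:15 router kernel: DROP IN=wan SRC=203.0.113.99 DST=198.51.100.2 PROTO=TCP SPT=51000 DPT=23
Feb 28 01:04:20 router kernel: DROP IN=wan SRC=192.0.2.15 DST=198.51.100.2 PROTO=UDP SPT=5060 DPT=5060
Feb 28 01:05:00 router kernel: ACCEPT IN=lan SRC=192.168.1.10 DST=198.51.100.2 PROTO=TCP SPT=50000 DPT=443
Feb 28 01:05:31 router kernel: DROP IN=wan SRC=192.0.2.15 DST=198.51.100.2 PROTO=TCP SPT=5061 DPT=22
"""

# Field layout is specific to the constructed format above; adapt to your router's syntax.
LINE_RE = re.compile(r"\b(DROP|ACCEPT)\b.*?SRC=(\S+).*?PROTO=(\S+).*?DPT=(\d+)")

def parse_line(line):
    """Return (action, source address, protocol, destination port), or None if no match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    action, src, proto, dport = m.groups()
    return action, ipaddress.ip_address(src), proto, int(dport)

def summarise(log_text, lookup=lambda ip: "unknown", prefix=24):
    """Aggregate rejected (DROP) connections by source prefix, destination port and owner."""
    by_prefix, by_port, by_owner = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[0] != "DROP":
            continue  # only rejected inbound connections are of interest here
        _, src, proto, dport = parsed
        net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
        by_prefix[str(net)] += 1          # group scanners by their /24 rather than single IPs
        by_port[f"{proto}/{dport}"] += 1  # which services are being probed
        by_owner[lookup(src)] += 1        # enrichment supplied by the caller
    return {"by_prefix": by_prefix, "by_port": by_port, "by_owner": by_owner}

# Placeholder owner table (constructed); a real deployment would query WHOIS or a GeoIP database.
PLACEHOLDER_OWNERS = {"203.0.113.0/24": "Example Net A", "192.0.2.0/24": "Example Net B"}

def placeholder_lookup(ip):
    for cidr, owner in PLACEHOLDER_OWNERS.items():
        if ip in ipaddress.ip_network(cidr):
            return owner
    return "unknown"

if __name__ == "__main__":
    print({k: v.most_common(3) for k, v in summarise(SAMPLE_LOG, placeholder_lookup).items()})
```

On the sample above the report shows two source networks, with TCP/23 the most-probed port; the accepted LAN-side connection is ignored.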
     