The biggest security feature of a wireless guest network is that it can keep guests/visitors and IoT devices away from the main/private network. When this is working properly, guest users will not be able to see anything that is Ethernet connected to the router, or anything that is connected to a non-guest wireless network from the same router. Some routers always offer this separation, others let you configure it. The feature is given different names by different vendors.
- Asus calls it "Access Intranet"
- Both Synology and TP-LINK call it "Allow Guests to access my local network" (see TP-LINK example)
- D-Link calls it "Internet access only" in the Guest Zone
- TRENDNET also calls it "Internet access only" and they explain that it "prevents guests from accessing the private LAN network".
- Eero and AmpliFi have no configuration option for this.
- Peplink does not offer Guest Wi-Fi networks, but any Peplink SSID can be isolated by assigning it to a VLAN that does not allow inter-VLAN routing.
- With Google Wi-Fi, sharing between the Guest and main network is always enabled, but devices on the main network are only shared if you specifically share them in a Google app. More here: How Google wants to re-invent the router (April 2017).
- Older Netgear routers had an option to "allow guests to access my local network". From a March 2015 article at How-To Geek. I am not sure if this still exists.
- TP-LINK calls this "Allow Guests to See Each Other"
- TRENDNET calls this "Wireless Client Isolation" and they explain that it "isolates guests from each other"
- Synology (as of SRM 1.2.3) has no option for this. Guest users are isolated from each other by default
- According to a March 2015 article at How-To Geek, older Netgear routers had an option to "enable wireless isolation" which prevented guest users from seeing each other. However, the Netgear Nighthawk X6 combined two options into a single option called "allow guests to see each other and access the local network." Not good. As the article says "There are numerous, and perfectly valid, reasons for wanting to enable one and not the other (e.g. your kids want to play network games with their friends on the guest network so network isolation must be disabled, but you don't want them to access your LAN). "
- How long can the router password be? In one of my favorite stories, Brian Krebs ran across a router that only supported passwords up to 16 characters long. Quoting from his article: "I helped someone set up a ... ASUS RT-N66U ... router, and ... made sure to change the default router credentials ... my password was fairly long. However, ASUS's stock firmware didn't tell me that it had truncated the password at 16 characters ... when I went to log in to the device later it would not let me in ... Only by working backwards on the 25-character passphrase I'd chosen - eliminating one letter at a time ... did I discover that the login page would give an "unauthorized" response if I entered anything more than the first 16 characters of the password". I have also read of a D-Link router that limits passwords to 15 characters and also does not make this clear. So, test if your router allows a 17 character password. It should.
- How short can the router password be? Very short passwords should not be allowed.
- Are the password rules explained? When you change the router password, does the User Interface explain the rules about acceptable passwords? That is, does it say anything about the length of the password or if any characters are not allowed?
- Does the router defend against brute force password guessing? After a certain number of wrong passwords it should do something to prevent further guessing.
- Can it be limited by source IP address and/or source IP subnet? The secure answer is yes. For example, both Real VNC and Apple Remote Desktop listen for incoming connections on TCP port 5900. Without this feature, anyone in the world can connect to these programs on that port. Bad guys scan the Internet to find devices that are listening on port 5900. With this feature, you can limit who is allowed to talk to the software on port 5900. The official term for this, I believe, is IP Filtering.
- Can port forwarding be scheduled? If a techie uses Real VNC or Apple Remote Desktop to help a non-techie with their computer, but only does so in the evening, then this feature lets the forwarding of port 5900 be disabled in the morning, afternoon and late night.
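The two port-forwarding questions above (source IP filtering and scheduling) as an added, constructed illustration, not code from any router's firmware: a forwarding rule for TCP port 5900 is evaluated once with no restrictions and once limited to a helper's subnet during the evening. The rule fields, the subnet 203.0.113.0/24 and the sample source addresses are assumptions made for the example.

```python
"""Evaluate inbound connections against port-forwarding rules that carry an
optional source-address filter and an optional daily schedule.

Constructed for this checklist; the rule format and addresses are made up.
Port 5900 (RealVNC / Apple Remote Desktop) comes from the checklist itself.
"""
import ipaddress


def _minutes(hhmm):
    """'18:30' -> 1110 (minutes since midnight)."""
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)


class ForwardRule:
    def __init__(self, public_port, lan_target, allowed_sources=(), window=None):
        self.public_port = public_port
        self.lan_target = lan_target            # LAN host the router forwards to
        self.allowed_sources = list(allowed_sources)  # CIDRs; empty = anyone on the Internet
        self.window = window                    # ("HH:MM", "HH:MM") local time, or None = always

    def source_ok(self, src_ip):
        if not self.allowed_sources:
            return True                         # no IP filtering: the whole Internet may connect
        addr = ipaddress.ip_address(src_ip)
        return any(addr in ipaddress.ip_network(c, strict=False) for c in self.allowed_sources)

    def time_ok(self, now):
        if self.window is None:
            return True
        start, end, cur = _minutes(self.window[0]), _minutes(self.window[1]), _minutes(now)
        if start <= end:
            return start <= cur < end
        return cur >= start or cur < end        # window that wraps past midnight


def decide(rules, src_ip, dst_port, now):
    """Return the router's decision for one inbound connection attempt."""
    for r in rules:
        if r.public_port != dst_port:
            continue
        if not r.source_ok(src_ip):
            return "dropped: source not in allow list"
        if not r.time_ok(now):
            return "dropped: outside schedule"
        return "forwarded to %s:%d" % (r.lan_target, r.public_port)
    return "dropped: no rule for port"


# Weak rule: port 5900 reachable from anywhere, around the clock.
OPEN_RULE = [ForwardRule(5900, "192.168.1.20")]

# Hardened rule: only the helper's (constructed) subnet, and only in the evening.
EVENING_RULE = [ForwardRule(5900, "192.168.1.20",
                            allowed_sources=["203.0.113.0/24"],
                            window=("18:00", "23:00"))]

if __name__ == "__main__":
    for rules, label in ((OPEN_RULE, "open"), (EVENING_RULE, "filtered+scheduled")):
        for src, t in (("198.51.100.7", "20:00"), ("203.0.113.9", "20:00"), ("203.0.113.9", "09:00")):
            print(label, src, t, "->", decide(rules, src, 5900, t))
```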
- Can you be passively notified (typically via email) by either the router or the company that produced it, when there is new firmware? Peplink does this. See an example from December 2015, announcing firmware version 6.3. Most routers require you to seek out firmware updates on your own.
- For a new router: does it attempt to update the firmware as part of the initial setup process? Tests run by the Wall Street Journal in early 2016 found that 10 out of 20 routers did not.
- For an existing router: can it automatically update the firmware on its own? If so, see the next topic. While auto-updating may be appropriate for routers owned by non-techies, it is not always a good thing. Personally, I prefer to be in charge. This lets me install bug fix releases fairly quickly but delay new versions/releases.
- How easy is the upgrade process? Better routers can completely handle a firmware update in the web user interface. Lesser routers force you to download a file, then upload it back to the router. This harder procedure makes it less likely router owners will update the firmware. Also, being able to handle the update completely in the router web interface, means that the firmware upgrade can be done by a remote user.
- The new firmware may reset some options. To protect against this, manually back up the current settings, if you can, before updating.
- If there is a function in the web interface to check for new firmware, does it actually work? I can personally attest that many routers do not. David Longenecker writes that "Asus is notoriously inconsistent at keeping their auto-update servers up to date." Tests run by the Wall Street Journal in early 2016 found 2 of 20 tested routers incorrectly reported their firmware was up to date.
- Is the firmware downloaded securely? (HTTPS, SFTP or FTPS) There are two parts to this question as the firmware may be downloaded by the router itself or by you manually from the vendor's website. Good luck answering this question.
- Is new firmware validated before it is installed? Good luck answering this too. If it's not validated then a bad guy or spy agency might be able to trick you or your router into installing maliciously modified firmware. In Feb. 2014 David Longenecker examined an ASUS RT-AC66R router in detail and found that it used no security at all in checking for, and downloading, new firmware.
- Does the router support multiple installed firmwares? This great feature lets you back out from a firmware update that causes problems and thus eliminates most of the risk that always exists when installing new software. The best company I have seen here is Peplink/Pepwave which lets you easily reboot into the prior firmware. This can also help if a configuration change causes a problem. The Linksys EA6200 can also restore a prior version of the firmware.
- Is there an audit log of each firmware update issued by the router vendor? Something along the lines of what Microsoft provides for Windows 10.
- Is there an audit log of each firmware update installed on your router? Only by comparing these two logs can you verify that the auto-update system is working correctly. Also, if you experience network problems, it is vital to know when the last firmware was installed.
- How often does the router check for updates? Can you control this?
- Can you be notified of firmware updates beforehand? Afterwards? If so, what type of notification?
- If you are notified beforehand, can you schedule the firmware installation and the necessary reboots it entails?
- Even if you are not notified of available updates, can you set a schedule for when installation/reboots are allowed? That is, reboot at 3am but not at 3pm.
- Can you force the router to check for new firmware?
- Can you force the router to update to newly available firmware, or do you have to wait for its regular check-in?
- If you do nothing, how quickly will newly released firmware be installed? Eero promises to install new firmware "within a few weeks"
- When the router phones home looking for updates does it do so securely with TLS?
- When the router downloads new firmware does it so securely with TLS?
- Is newly downloaded firmware validated in any way, such as being digitally signed?
- Does the router support multiple installed firmwares? (so you can fall back in case an update causes a problem) If not, then can you install old firmware if a new version caused a problem?
- Is there a manual over-ride mechanism for installing new firmware in case the auto-updating system fails?
- Does the vendor document the changes in each firmware update? If so, do they do it well?
- Can you tell what version of the firmware is now running? If it's a multi-device mesh router/system, then the question applies to each device.
- How smart is the auto-updating system? Specifically, can it self-update within the same firmware version, but update when there is a major new firmware release? Synology offers this on their NAS boxes. You can configure the NAS to self-update from version 5.1 to 5.2 to 5.3, but not to automatically update to version 6.
- In a mesh system involving multiple devices, do all the devices update their firmware at same time? If not, how is it handled?
- In a mesh, what happens if one device gets new firmware but another device does not? Can the system run if the three devices are not on the exact same firmware release?
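Two of the auto-update questions above (self-updating within a major version but holding a major release for a human, as in the Synology 5.1 to 5.2 to 5.3 but not 6 example, and only rebooting inside an allowed window such as 3am but not 3pm) as an added example. This is constructed for this page and is not any vendor's update logic; the version strings, the 3am-5am window and the timestamps are assumptions.

```python
"""Decide whether, and when, a router may install newly published firmware
on its own. Constructed illustration of the policy discussed in the
checklist; not a real vendor's implementation.
"""
from datetime import datetime, timedelta


def parse_version(v):
    """'6.3.1' -> (6, 3, 1); missing components count as 0."""
    parts = [int(p) for p in v.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def allowed_by_policy(current, candidate, auto_major=False):
    """Return (ok, reason). Minor/patch updates are automatic; a change of
    major version needs auto_major=True; downgrades are never automatic."""
    cur, new = parse_version(current), parse_version(candidate)
    if new <= cur:
        return False, "not newer than installed firmware"
    if new[0] != cur[0] and not auto_major:
        return False, "major release: needs manual approval"
    return True, "minor/patch update"


def next_reboot_slot(now, window=(3, 5)):
    """Earliest datetime at or after `now` inside the daily reboot window
    [start_hour, end_hour). Installing outside the window would reboot the
    router while people are using it."""
    start, end = window
    if start <= now.hour < end:
        return now
    slot = now.replace(hour=start, minute=0, second=0, microsecond=0)
    if slot <= now:
        slot += timedelta(days=1)
    return slot


def plan_update(current, candidate, now_iso, auto_major=False, window=(3, 5)):
    """Combine both checks into one decision record; times are ISO strings."""
    ok, reason = allowed_by_policy(current, candidate, auto_major)
    if not ok:
        return {"install": False, "reason": reason, "at": None}
    slot = next_reboot_slot(datetime.fromisoformat(now_iso), window)
    return {"install": True, "reason": reason, "at": slot.isoformat(timespec="minutes")}


if __name__ == "__main__":
    # Constructed scenario: router checks in at 3pm, outside the reboot window.
    for cand in ("5.2", "5.3.1", "6.0"):
        print(cand, plan_update("5.1", cand, "2016-01-15T15:00"))
```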
As for answering these questions, someone from Linksys was kind enough to address these issues for their routers in Feb. 2017. I created a new page for Self Updating Router Firmware and hopefully I can get answers from other router vendors too.
- Is there a log file (or files)? There should be, and hopefully, the data in the log is reasonably understandable and useful. I find the log created by Asus routers all but worthless. An old Verizon DSL gateway, the D-Link 2750B, had both a System Log and a Security Log. Peplink routers, such as the Pepwave Surf SOHO have three log files (Event log, AP log and Firewall log). The D-Link 860L also has three log files: System, Firewall & Security and Router Status.
- Does it log failed logon attempts? Successful logons? Failed logons are obviously good to know about, but so too are successful logons, just in case the person in charge of the router was not the one who successfully logged in. Hopefully, the logged information includes the source IP address. Peplink routers log both failed and successful logins to their web interface and the log shows the source IP address.
- Is anything logged when a new device joins the LAN? It would make a great audit trail if the router logged the client MAC address every time a new device joined the network. As of Firmware 6.3, released in Jan. 2016, Peplink can optionally log each time an IP address is given out by its DHCP server. There is no option, however, to log the appearance of a new device with a static IP.
- Can it log all Internet access by a single device? In Nov. 2015 it came to light that a Vizio Smart TV was watching you and phoning home screen shots, even when it was playing video from an external source (think Roku and DVD). This feature lets you keep a close watch on any such "smart" device. It can be used to track children online. My favorite router company, Peplink, is due to roll out this feature in Firmware version 6.3 by the end of 2015.
- Does it log changes made to the router configuration? Peplink does a poor job of this; their log typically just says "Changes have been applied" with no indication of what was changed. On the other hand, the D-Link 860L logs nothing at all, not even the fact that something changed. The best I have read about are some DrayTek routers that create an audit trail/log of all admin access/activity.
- Does it log unsolicited incoming connection attempts? I consider this particularly interesting as it helps to illustrate how dangerous the Internet is and why a secure router is important. It's one thing to be preached to about how dangerous the Internet is, but quite another to see evidence of computers all over the world trying to hack into your router. If you see computers from China trying to access certain ports on the router, you can research the ports, try to close them, or forward them to a non-existing local IP address. This may be asking too much of a router; that is, it may require an NGF or UTM.
- Do the log files disappear when the router is powered down? If so, it makes it that much harder to spot trends or changes. The logs on the D-Link 860L are wiped out when it is powered off. This is not true on the Pepwave Surf SOHO.
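The logging questions above (failed and successful logins with source IP, brute-force guessing, new devices joining the LAN) as an added example of what a useful router log lets you answer. The log format, the sample lines and every address in them are constructed for this page; they are not Peplink's, D-Link's or any vendor's real format.

```python
"""Turn a router log into the audit answers the checklist asks for:
failed/successful admin logins per source IP, brute-force candidates, and
the first time each MAC address received a DHCP lease (new-device trail).

Constructed sample log and format; not any real router's output.
"""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
2016-01-20 08:01:12 auth  Login failed for admin from 198.51.100.23
2016-01-20 08:01:15 auth  Login failed for admin from 198.51.100.23
2016-01-20 08:01:19 auth  Login failed for admin from 198.51.100.23
2016-01-20 08:01:22 auth  Login failed for admin from 198.51.100.23
2016-01-20 08:01:26 auth  Login failed for admin from 198.51.100.23
2016-01-20 08:03:40 auth  Login failed for admin from 192.168.1.50
2016-01-20 08:03:55 auth  Login succeeded for admin from 192.168.1.50
2016-01-20 09:12:00 dhcp  Lease 192.168.1.77 assigned to 00:11:22:33:44:55
2016-01-20 09:12:01 dhcp  Lease 192.168.1.78 assigned to 66:77:88:99:aa:bb
2016-01-20 18:40:09 dhcp  Lease 192.168.1.77 assigned to 00:11:22:33:44:55
2016-01-20 19:02:33 auth  Login succeeded for admin from 203.0.113.8
"""

LOGIN_RE = re.compile(r"^(\S+ \S+) auth\s+Login (failed|succeeded) for (\S+) from (\S+)$")
LEASE_RE = re.compile(r"^(\S+ \S+) dhcp\s+Lease (\S+) assigned to (\S+)$")


def analyze(log_text, brute_threshold=5, trusted_nets=("192.168.1.",)):
    """Parse the log and return a summary dict."""
    failed = Counter()
    succeeded = defaultdict(list)
    first_seen = {}            # MAC -> (first lease timestamp, IP): new-device audit trail
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            ts, outcome, _user, src = m.groups()
            if outcome == "failed":
                failed[src] += 1
            else:
                succeeded[src].append(ts)
            continue
        m = LEASE_RE.match(line)
        if m:
            ts, ip, mac = m.groups()
            first_seen.setdefault(mac, (ts, ip))   # keep only the first appearance
    return {
        "failed_by_source": dict(failed),
        "brute_force_sources": [s for s, n in failed.items() if n >= brute_threshold],
        "successful_logins": dict(succeeded),
        # A successful admin login from outside the LAN deserves a second look.
        "external_successful_logins": [s for s in succeeded if not s.startswith(trusted_nets)],
        "new_devices": first_seen,
    }


if __name__ == "__main__":
    for key, val in analyze(SAMPLE_LOG).items():
        print(key + ":", val)
```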
- Does the app talk directly to the router or does it talk to the hardware vendor?
- If the app works remotely, how?
- What permissions does the app need? Does it ask for more permissions than it needs?
- Can you log out of the app?
- Does the app communicate with Bluetooth or WiFi?
- If app uses WiFi, is it HTTP or HTTPS? See also, the section above on securing local admin access
- If app uses Bluetooth, how secure is it? I am not familiar with Bluetooth security. Eero and Luma both use Bluetooth.
Rare security features
- One option is a standard two-factor authorization (2FA) authenticator app. As far as I know they are the only router vendor offering this feature. This is great as it lets you make remote configuration changes to the router, but also prevents a bad guy who knows the password from changing things.
- Another option is to confirm the changes by pressing a button on the device. This ensures that a change is being made by a human being who is physically at the router. I don't know if any other routers offer this option.
- Some of their routers also support telephony, so there is also an option to make a phone call to confirm any configuration changes.
(added March 2024, updated June 2024)
The Asus ROG Rapture GT-AC5300 can use Amazon Alexa voice commands to turn on the Guest network and/or pause the Internet. It can also use IFTTT to send an email when a specific device gets on the network. (source).
VPNs and Tor: a router that can function as a VPN server lets you connect to it securely when traveling. To me, no big deal. A router that can function as a VPN or Tor client can provide some security to multiple devices, even those that are unable to use a VPN or Tor on their own. The Resources page has a list of routers that can function as VPN and/or Tor clients.
The lifespan of a router is like that of a banana, but the real problem is that it does not turn brown when it goes bad. Router manufacturers, as a rule, are not up-front and honest about how long their devices will be updated with security patches. If you look for new firmware and see the latest release was 2 years ago, does that mean the router has been abandoned (probably), or have there simply been no bugs in the last two years (unlikely)? In November 2018 the German government released router security guidelines and the big gripe was that they said nothing about this.
The Portal router, which is expected to start shipping late Summer 2016 has an unusual take on Guest networks. Exactly what it is, however, is not clear from their documentation which says: "You never need to give out your network password, and your guests never need to remember it. Granting Guest Access is done using the Portal App, which uses Facebook credentials or email addresses. Guest Access is time and distance controlled, making it very secure. Whenever a device that has been granted Guest Access is within range of your network, Portal automatically creates a guest network with random SSID and credentials. This information is securely exchanged over Bluetooth. When the guest device leaves your network, Portal deletes the guest network and credentials." Sounds interesting, I hope to fully understand it someday.
This may be asking too much, as I have not run across it anywhere: the ability to modify the Ethernet MAC address that is used as the base of WiFi networks. This would allow a router of brand X to masquerade as brand Y. This is a common feature, but I have only seen it apply to the WAN port. It exists because some ISPs use the MAC address as part of their security. I would also like it on the LAN WiFi side of things.
Germany
October 24, 2015: The German government, concerned about poorly secured routers, is considering a security rating system for routers. Using a checklist somewhat analogous to this one, routers will be given points for features that increase security. See German Govt mulls security standards for SOHOpeless routers. Three years later (November 2018), they released some security guidelines. See Germany proposes router security guidelines by Catalin Cimpanu of ZDNet and Germany pushes router security rules, OpenWRT and CCC push back by Richard Chirgwin of The Register.
Question
Many routers are sold as a set of devices, commonly referred to as a mesh. Examples are Google Wi-Fi, Netgear Orbi, Eero, Ubiquiti AmpliFi. This raises the question, for which I have no answer, how is the communication between the two or three devices in a router system protected? As a rule, the main router controls firmware updates on the satellite devices. How? Securely?
Some non-security features to look for
Wake-on-LAN. It's not a security issue, but it is nice to have. Grandma's out at a movie? Log in to her router, turn on her computer remotely, install bug fixes for her and then turn it off :-) Asus routers have done this for a long time. Peplink introduced WOL in firmware version 6.3 in December 2015.
Kick the kids off the Internet at bedtime. This can be done a few ways. Perhaps the best approach is to have a dedicated network/SSID for the kids to use, keeping the passwords for other WiFi networks a secret from the children. Then a router with scheduling ability can disable the kiddy network at bedtime. This can also be done using a single network/SSID but then you have to deal with identifying individual devices either by their MAC address or their IP address. This takes a bit more technical skill, is a bit more of a hassle to set up and maintain and requires that a specific device is always used by the same person.
Speed tests: Some routers can run their own speed tests. To really know how fast your Internet connection is, requires an Ethernet connected device plugged directly into the modem, no router at all. But, a router running its own tests should be good enough.
Current bandwidth: If the Internet seems slow, it can be helpful if the router shows the current bandwidth being used by each attached device. While some can do this, you have a great router if the list of attached devices can be sorted to show those using the most bandwidth at the top. The Surf SOHO does this.
CPU usage: It can be helpful to see CPU usage as it lets you gauge when it's time for a new router. Check it at times when your router is the busiest and/or when streaming a video or two.
I prefer external antennas to internal ones as they are more flexible. I also prefer removable external antennas as they can be replaced if broken. They can also be upgraded should the need arise.
Ethernet lights: When things go wrong, it can be handy to have Ethernet status lights. There are two aspects to this. The main body of some routers has indicator lights for each LAN side Ethernet port. I prefer this; the more information provided, the better. Also, the Ethernet port itself may have two lights, indicating the link status/speed and activity. The lights on the Ethernet port often indicate the link speed (normally 100Mbps or 1,000Mbps) and, when blinking, that data is being transmitted. Plus, just their being on at all tells you something about the link.
Some routers have done away with the lights on top/front and/or the lights on the Ethernet ports. For example, the TP-LINK Archer D9 has a single Ethernet light on the front - beats me how it indicates the status of multiple Ethernet ports. Still, it is a step up from the $300 D-Link DIR 890L/R, released in February 2015 that has no Ethernet lights at all on the top. The Amped Wireless RTA1750 is unusual in that its Ethernet status lights on the front are all white. And, if you don't like them, there is a switch that turns them all off. The Asus RT-AC68U also has a button to turn off all the lights. I read that the upcoming Synology RT1900ac router (scheduled to be released some time in 2016) will let you schedule the status lights. Thus, you could have them on during the day, but off at night.
Context sensitive help. That is, rather than having to refer to a separate monolithic manual, that may or may not be kept in sync with the firmware, it is best to have help directly available in the web interface (assuming there is a web interface).
Documentation: Find the User Guide for the router. Look at the first two pages. Is there a date that the manual was written? Does it show the version/release the manual applies to? Is there a Last Update date? This offers a glimpse into the professionalism of the company that made the router. If the manuals are missing basic information, such as a date and version number, the company is running a second class amateur operation. Another give-away is the failure to update the User Guide to reflect changes in the firmware.
Apple fails this test. The latest setup guide that I could find for the AirPort Extreme router has no date and no version number. A check in June 2015 for AirPort manuals turned up no manuals from 2014 or 2015. The AirPort Extreme manual was from June 2013, the AirPort Express was from June 2012. Worse still, the only manuals Apple offers are short Setup Guides. They don't have a long User Guide.
Website blocking is arguably a security feature, but an optional one. In the old days, some routers would only block HTTP access to the site, but not block HTTPS. And, if you use this feature, you also need to be able to carve out exceptions which may mean learning the MAC address of privileged devices or giving them a static IP address or using DHCP reservations. And, if a router blocks sites by name, then chances are that direct IP address reference to the website will not be blocked. So, I left it out of the checklist above.