ISP and Router Vendor Security Related Offering, DNS and Firewall for Security

[xiaofan]

ISP provided Security Add-on for Home Fibre Broadband: I am not so sure how many subscribers are using the services
https://www.straitstimes.com/tech/t...and-filters-to-keep-malware-away-from-devices
1) Viewquest -- SecureNet
Free for three months for new sign-up of Fibre broadband plans, S$7.99 per month thereafter
https://viewqwest.com/internet/securenet-at-home
2) Singtel -- Broadband Protect.
FREE for the first month, followed by $2.97/mth thereafter, no contract.
Singtel also offers McAfee Security Suite Triple Protect (up to 20 devices) at S$13.02 per month and McAfee Security Suite Plus (up to 20 devices) at S$9.99 per month. It also offers Qustodio Parental Control Pass at S$5.95 per month for 5 devices and S$9.99 per month.
https://www.singtel.com/personal/pr...le-services/my-smart-network/broadbandprotecthttps://www.singtel.com/personal/products-services/broadband/add-ons
3) Starhub -- CyberProtect
S$5.04 per month for CyberProtect 3 which offers 3 licenses to protect 3 devices
S$8.06 per month for CyberProtect 6 which offers 6 licenses to protect 6 devices
https://www.starhub.com/personal/mobile/mobile-phones-plans/value-added-services/cyberprotect.html
4) MyRepublic -- MySafeLite
https://myrepublic.net/sg/add-ons/mysafe/

5) Other ISPs do not seem to have such offerings for home users now.
M1 -- not yet offer anything for home users yet
Whizcomms -- NA
SIMBA -- NA

 

[nothinghere]

OpenWrt to keep router up to date on security + UBlock Origin to block advertisements, that is enough for me imo.

 

[firesong]

Change DNS to one that provides blocking of threat actors via DNS. Free.

Use common sense for everything else.

 

[xiaofan]

Consumer Router vendors also partnered with security vendors.

1) Asus AIProtection powered by Trend Micro
Free bundle with Asus rotuers (AIProtection Classic and AIprotection Pro)
https://www.asus.com/content/aiprotection/
2) TP-Link HomeCare, free with a few TP-Link Routers, powered by Trend Micro
https://www.tp-link.com/sg/homecare/
3) TP-Link Homeshield (free) and Homeshield Pro (one month free trial, S$8.98 per month) for newer AX models and Deco models, powered by Avira
https://www.tp-link.com/sg/homeshield/
4) Netgear Armor, powered by BitDefender (unlimited devices, include BitDefender Security and BifDefender VPN), S$99.99 annual subscription
https://www.netgear.com/sg/home/services/armor/
5) Linksys does not see to have such offerings

 

[xiaofan]

Viewquest used to offer Trend Micro Home Network Security appliance, it does not see to offer that now.


Now it is part of Trend Micro Device Security Ultimate, starting from S$178 (three devices, 12 month subscription).
https://shop.sg.trendmicro-apac.com/products/device-security-ultimate.asphttps://shop.sg.trendmicro-apac.com/homenetworksecurity/

 

[xiaofan]

I use the following on my home network.
1) Asus RT-AX86U router -- not using AIProtection Pro, rather I use Pi-hole
2) Intel J4105 mini PC running OpenWRT -- Pi-hole

Still I think some people may find the offerings from ISPs or Router vendors may be useful, this is especially true for Asus AIprotection and TP-Link Homecare since both are free. You do need to trust provider.

Assu router security walk-through


Netgear Armor simple review
https://www.mbreviews.com/is-netgear-armor-worth-it/

TP-Link Homecare simple review
https://www.androidcentral.com/what-tp-link-homecare
TP-Link Homeshield Pro simple review
https://www.digitalcitizen.life/activate-homeshield-pro-tp-link-deco/

 

[xiaofan]

Tools I used to check the home network.

DNS:
https://www.dnsleaktest.com/https://browserleaks.com/dnshttps://1.1.1.1/help
IPv6
https://test-ipv6.com/
Ads blocking (using Pi-hole + uBlock Origin --> I can get 100%, or 91% with just Pi-hole).
https://d3ward.github.io/toolz/adblock.html
More tools:
https://forums.hardwarezone.com.sg/...ubleshooting-the-network-performance.6641164/

 

[xiaofan]

Related discussion:
https://forums.hardwarezone.com.sg/threads/anti-virus-on-router-level.6948385/

 

[Henry Ng]

I use the following on my home network.
1) Asus RT-AX86U router -- not using AIProtection Pro, rather I use Pi-hole
2) Intel J4105 mini PC running OpenWRT -- Pi-hole

Still I think some people may find the offerings from ISPs or Router vendors may be useful, this is especially true for Asus AIprotection and TP-Link Homecare since both are free. You do need to trust provider.

Assu router security walk-through


Netgear Armor simple review
https://www.mbreviews.com/is-netgear-armor-worth-it/

TP-Link Homecare simple review
https://www.androidcentral.com/what-tp-link-homecare
TP-Link Homeshield Pro simple review
https://www.digitalcitizen.life/activate-homeshield-pro-tp-link-deco/

Router security is good but not those isp security suite.

 

[xiaofan]

Router security is good but not those isp security suite.

Just wondering which router are you using now and how is your experience with the bundled router security offerings?

I tend to think very few people are willing to pay for TP-Link HomeShield Pro and Netgear Armor.

 

[Hafi]

sorry for noobish question, my M1 Fibre issued a dynamic IP address which I believed is shared so how does hacker/script kiddies attack my router from outside WAN if I never host anything public facing?

I tried pentool to port scan my network setup from outside but waited very long no results.

 

[Mach3.2]

sorry for noobish question, my M1 Fibre issued a dynamic IP address which I believed is shared so how does hacker/script kiddies attack my router from outside WAN if I never host anything public facing?

I tried pentool to port scan my network setup from outside but waited very long no results.

They port scan/attack the entire global routable ipv4 address pool.

So long you didn't port forward anything and your firewall is set to default deny incoming connections (most, if not all consumer routers are), it's all noise and there's nothing to worry about.

 

[xiaofan]

They port scan/attack the entire global routable ipv4 address pool.

So long you didn't port forward anything and your firewall is set to default deny incoming connections (most, if not all consumer routers are), it's all noise and there's nothing to worry about.

I think most consumer routers will open port for upnp by default.

Asus
https://www.asus.com/support/FAQ/1039292/Some devices use the UPnP for the ease-of-use. For compatibility, ASUS router setting page(Web GUI) default enables UPnP. Users can visit Advanced Settings-> WAN -> Basic Config -> Enable UPnP to disable UPnP. You can keep UPnP disabled if there is no trouble that occurs after disabling it.

TP-Link: UPnP is enabled by default in the router.
https://www.tp-link.com/sg/support/faq/1543/
Linksys: UPnP is Enabled by default on all Linksys Smart Wi-Fi Routers.
https://www.linksys.com/support-article?articleNum=138290
Netgear: by default, "Turn UPnP On" check box is selected
https://kb.netgear.com/24306/How-do-I-enable-or-disable-Universal-Plug-and-Play-on-my-NETGEAR-router

 

[Hafi]

They port scan/attack the entire global routable ipv4 address pool.

So long you didn't port forward anything and your firewall is set to default deny incoming connections (most, if not all consumer routers are), it's all noise and there's nothing to worry about.

the days of configuration port forwarding, setup DDNS and VPN are over and soon to be obsolete since Cloudflare Secure Tunneling is more secure if you have public facing website/service, it will mask your IP and proxy everything for you. If want to access home LAN from outside can use Tailscale or Twingate (recommended), no need to touch router settings.

 

[tuntun]

Change DNS to one that provides blocking of threat actors via DNS. Free.

Use common sense for everything else.

Which DNS do you recommend? Thanks

 

[xiaofan]

Which DNS do you recommend? Thanks

It depends on the level of protection you want. You can go with CloudFlare Family DNS (1.1.1.3) as the first step.

1) Lower level of protection: use public DNS servers with protection (free)
Cloudflare Family DNS: https://blog.cloudflare.com/introducing-1-1-1-1-for-families/
OpenDNS FamilyShield: https://www.opendns.com/home-internet-security/
Quad9: https://www.quad9.net/ (maybe towards medium level)

2) Medium Level of protection:
ControlD Free DNS: https://controld.com/free-dns (maybe slow if using Singtel, okay with Starhub and M1)
Adguard Public DNS: https://adguard-dns.io/kb/general/dns-providers/ (maybe quite slow, not recommended)
OpenDNS Home: https://www.opendns.com/home-internet-security/

3) Higher level of protection: Pi-hole or Adguard Home (more work on the user side) or NextDNS and ControlD
Pi-hole (free): https://pi-hole.net/
Adguard Home (free): https://github.com/AdguardTeam/AdGuardHome
NextDNS (free but need registration, and paid): https://nextdns.io/
ControlD: (paid) https://controld.com/plans?step=plans
OpenDNS Home VIP (paid): https://www.opendns.com/home-internet-security/

 

[firesong]

It depends on the level of protection you want. You can go with CloudFlare Family DNS (1.1.1.3) as the first step.

1) Lower level of protection: use public DNS servers with protection (free)
Cloudflare Family DNS: https://blog.cloudflare.com/introducing-1-1-1-1-for-families/
OpenDNS FamilyShield: https://www.opendns.com/home-internet-security/
Quad9: https://www.quad9.net/

2) Medium Level of protection:
ControlD Free DNS: https://controld.com/free-dns (maybe slow)
Adguard Public DNS: https://adguard-dns.io/kb/general/dns-providers/ (maybe slow)
OpenDNS Home: https://www.opendns.com/home-internet-security/

3) Higher level of protection: Pi-hole or Adguard Home (more work on the user side) or NextDNS and ControlD
Pi-hole (free): https://pi-hole.net/
Adguard Home (free): https://github.com/AdguardTeam/AdGuardHome
NextDNS (free and paid): https://nextdns.io/
ControlD: (paid) https://controld.com/plans?step=plans
OpenDNS Home VIP (paid): https://www.opendns.com/home-internet-security/

ControlD is okay on StarHub/M1. The latency for Singtel is pretty bad tho. It's like 20ms vs 300ms.

 

[xiaofan]

ControlD is okay on StarHub/M1. The latency for Singtel is pretty bad tho. It's like 20ms vs 300ms.

Good to know that. I am using Singtel so I put the note that it may be slow. I've updated the note.

 

[ksw2010]

Good to know that. I am using Singtel so I put the note that it may be slow. I've updated the note.

Tested from my BB somewhere in Jurong to ControlD looks not so bad, most likely the peering with their courterpath in HKG that latency is ~35-40ms. I dont think we can feel slowness by ocular with this latency unless compare the ping latency value.

C:\Users\>tracert controld.com

Tracing route to controld.com [147.185.34.1]
over a maximum of 30 hops:

1 1 ms <1 ms <1 ms 192.168.1.254
2 1 ms 1 ms 1 ms bb121-6-x-x.singnet.com.sg [121.6.x.x]
3 14 ms 1 ms 5 ms 165.21.193.234
4 2 ms 1 ms 1 ms 165.21.193.233
5 2 ms 3 ms 1 ms 165.21.139.169
6 2 ms 2 ms 2 ms 165.21.139.117
7 2 ms 1 ms 2 ms SN-SINQT1-BO403-ae1.singnet.com.sg [165.21.138.85]
8 35 ms 35 ms 35 ms ix-hge-0-0-0-9.ecore2.svq-singapore.as6453.net [180.87.98.85]
9 36 ms 36 ms * if-be-10-2.ecore2.esin4-singapore.as6453.net [180.87.107.1]
10 3 ms 2 ms 2 ms 180.87.108.163
11 3 ms 2 ms 2 ms ae-4.r22.sngpsi07.sg.bb.gin.ntt.net [129.250.5.61]
12 4 ms 2 ms 2 ms ae-0.a01.sngpsi07.sg.bb.gin.ntt.net [129.250.2.122]
13 * * * Request timed out.
14 * * * Request timed out.
15 38 ms 38 ms 38 ms controld-edge1-sin.anycast.net [43.245.49.200]
16 37 ms 36 ms 36 ms controld.com [147.185.34.1]

Trace complete.

C:\Users\>ping controld.com

Pinging controld.com [147.185.34.1] with 32 bytes of data:
Reply from 147.185.34.1: bytes=32 time=36ms TTL=49
Reply from 147.185.34.1: bytes=32 time=36ms TTL=49
Reply from 147.185.34.1: bytes=32 time=36ms TTL=49
Reply from 147.185.34.1: bytes=32 time=36ms TTL=49

Ping statistics for 147.185.34.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 36ms, Maximum = 36ms, Average = 36ms

 

[xiaofan]

Indeed it is not so good, same here, Singtel 1Gbps plan, Jurong West area (on leave today, at home).

                                     My traceroute  [v0.93]
ubuntuct1 (192.168.50.5)                                                2023-09-15T10:36:09+0800
Keys:  Help   Display mode   Restart statistics   Order of fields   quit
                                                        Packets               Pings
 Host                                                 Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. 192.168.50.1                                       2.6%   116    0.6   0.7   0.2   1.2   0.1
 2. bb121-6-xx-xxx.singnet.com.sg                      0.0%   116   11.2   9.6   3.3  65.5  10.6
 3. 165.21.193.22                                      4.3%   116    5.5   5.6   2.7  34.6   7.4
 4. 165.21.193.21                                      0.9%   116    2.8   3.8   2.5  22.4   2.8
 5. 165.21.138.245                                    10.3%   116    2.9   5.5   2.5  53.6   7.2
 6. SN-SINQT1-BO403-ae1.singnet.com.sg                 0.0%   116    3.2   3.7   2.5  38.8   4.5
 7. ix-hge-0-0-0-9.ecore2.svq-singapore.as6453.net     0.0%   116   38.5  38.4  37.7  39.1   0.2
 8. if-be-10-2.ecore2.esin4-singapore.as6453.net      57.4%   116   37.0  37.3  36.9  39.8   0.4
 9. 180.87.108.163                                     0.0%   116    3.6  14.3   3.0  51.1  11.1
10. (waiting for reply)
11. ae-1.a01.sngpsi07.sg.bb.gin.ntt.net                0.0%   116    3.9   6.3   3.3  38.4   6.5
12. (waiting for reply)
13. (waiting for reply)
14. controld-edge1-sin.anycast.net                     0.0%   115   54.1  45.5  43.9  67.1   4.7
15. controld.com                                       0.9%   115   65.2  39.3  35.9 101.1  12.2