Three routers for security?

Several years ago Steve Gibson’s concept of an IoT-secure network involved three routers - the “Border” facing the internet, the “IoT” and the “Secure,” where you mostly live and work.

Does this alternative add any security compared to the Pepwave Surf with VLANs and no Inter-VLAN routing permitted?

Great article, topology and concepts. That article is from 2016 and inevitably CVEs exist for the ASUS RT-N12 now. Home routers seem plagued with problems in that department. If the router has security issues then topology becomes less important.

Since the Surf SOHO supports 16 VLANs - it’s like having “16 routers” for the cost of one and it gets regular security updates. The Surf can support the configuration in this article using VLANs with inter-VLAN routing off, a few simple firewall rules and layer 2 isolation.

Using the 3 router example in the article, my only recommendation is to move the admin subnet off the “untagged LAN”. The idea here is that the untagged LAN is the “border lan” and should not have an admin access capability IMHO. Either way the Surf is orders of magnitude better compared to my old home router.

Admin access should be allowed only on the “secure lan” which can be accomplished on the Surf SOHO MK3 by creating a VLAN and assigning the subnet to it. I took it a step further and assigned that admin VLAN to a single PORT/single computer.

I literally set up my network like the article suggests by isolating everything - each device gets its own VLAN on a dedicated port/Wi-Fi network. Nothing can talk to each other. The reason? Because I got hacked! Looking through my notes, before I bought a SOHO MK3, I was only using a 10 letter Wi-Fi password. It sounds bad (it was) but like many home users I was just too busy with other stuff. Worst of all, the admin webpage was programmed to close after 60 seconds of inactivity so it made it difficult or impossible to enter larger, more secure passwords and to monitor the client list etc… Kicking the admin off the router every 60 seconds is a security feature?

With the Surf I can easily enter new random ~40 digit upper/lowercase alpha/numeric/symbolic Wi-Fi passwords monthly, keep an eye on the client list while I am folding@home, and run Kismet on a non-networked laptop. The first year I owned the SOHO MK3 it received more updates than my old consumer grade router got in 5. Some of the updates even included new features - for free. It just keeps getting better.
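The setup described in this reply (one router, a VLAN per segment, inter-VLAN routing off, a few firewall rules, and the admin interface reachable only from an admin VLAN pinned to one physical port) can be written down as a policy and checked before it is trusted. The block below is an added example, not Peplink configuration and not the poster's own setup: the VLAN names, the port ids, the rule format and the first-match evaluator are all constructed here so the policy can be audited offline.

```python
"""Constructed model of a single-router VLAN segmentation policy.

Assumptions (not from the forum post or from any vendor):
  - three user VLANs: "secure", "iot", "admin"; "WAN" is the internet
  - the router's own admin UI is modelled as the pseudo-destination ROUTER
  - rules are evaluated first-match; anything unmatched is denied, which is
    the effect of leaving inter-VLAN routing switched off
"""

from dataclasses import dataclass
from typing import List, Optional, Tuple

ROUTER_ADMIN = "ROUTER"  # pseudo-destination: the router's management UI


@dataclass(frozen=True)
class Flow:
    src_vlan: str
    dst_vlan: str                        # "WAN", a VLAN name, or ROUTER_ADMIN
    dst_port: Optional[int] = None       # L4 port, None if not relevant
    src_port_id: Optional[str] = None    # physical switch port of the source


@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "deny"
    src_vlan: str = "*"                  # "*" matches any VLAN
    dst_vlan: str = "*"
    dst_port: Optional[int] = None       # None matches any L4 port
    src_port_id: Optional[str] = None    # None matches any physical port

    def matches(self, f: Flow) -> bool:
        return (self.src_vlan in ("*", f.src_vlan)
                and self.dst_vlan in ("*", f.dst_vlan)
                and (self.dst_port is None or self.dst_port == f.dst_port)
                and (self.src_port_id is None or self.src_port_id == f.src_port_id))


# Constructed policy mirroring the post: admin UI only from the admin VLAN
# on one physical port, every segment may reach the internet, and no
# inter-VLAN path is ever allowed because nothing below matches one.
POLICY: List[Rule] = [
    Rule("allow", src_vlan="admin", dst_vlan=ROUTER_ADMIN, src_port_id="port4"),
    Rule("deny", dst_vlan=ROUTER_ADMIN),
    Rule("allow", src_vlan="secure", dst_vlan="WAN"),
    Rule("allow", src_vlan="iot", dst_vlan="WAN"),
    Rule("allow", src_vlan="admin", dst_vlan="WAN"),
]


def evaluate(flow: Flow, policy: List[Rule] = POLICY) -> str:
    """First-match evaluation with an implicit default deny."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action
    return "deny"  # inter-VLAN routing off: no rule, no route, no traffic


def audit(policy: List[Rule] = POLICY) -> List[Tuple[str, str]]:
    """List every VLAN pair whose hosts can reach each other under the policy.

    An empty list means the segments are mutually isolated; any entry is a
    lateral-movement path that should be reviewed.
    """
    names = {r.src_vlan for r in policy} | {r.dst_vlan for r in policy}
    vlans = sorted(names - {"*", "WAN", ROUTER_ADMIN})
    return [(s, d) for s in vlans for d in vlans
            if s != d and evaluate(Flow(s, d), policy) == "allow"]


if __name__ == "__main__":
    print("isolated policy, lateral paths:", audit())
    # Contrast: switching inter-VLAN routing on is equivalent to a trailing
    # allow-anything rule, and the audit immediately lists every pair.
    print("routing on, lateral paths:", audit(POLICY + [Rule("allow")]))
```

The contrast at the bottom is the point of the exercise: the same router with inter-VLAN routing enabled turns the empty audit into six lateral paths, so the audit is worth re-running after any firewall change, not just at setup time.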


So there’s no need for multiple routers when you have a Pepwave?


I don’t think you are going to get a good answer for this. It all depends on the requirements and the criticality of your network. For a SOHO network, do you think you really need to go up to that level? If your answer is “Yes”, I will be more happy about this as we can sell more routers to meet the recommended topology and concepts :heart_eyes: :heart_eyes: :heart_eyes:. In fact, Peplink/Pepwave routers can easily allow you to configure based on the network that you want to set up.

It is always a question: do more routers mean more secure? I would say it all depends on the security configuration hardening for the device. As long as you know what you are doing and harden the security configuration properly, I don’t think you will have a problem with security.

Just one more thing to share, and the question is always being asked as well. If you are using the same brand of devices, do you think that if one of the routers is compromised, the other two will still be secure? :grinning: :grinning: :grinning:. Hope this gives some info to you when deciding your network setup.


While your whole answer is not a definitive “yes” or “no,” it is an excellent response, nonetheless.

I had not considered that. I bought Pepwave because it was more secure than the alternatives. I would not be comfortable introducing a less secure router into the network just to mitigate the “one brand of router” vulnerability, and a “different, secure” router would probably mean higher costs. I believe I’ll stay with the single Surf SOHO. Thanks.

Another advantage of Mr. Gibson’s “3 router solution” the article didn’t touch upon is that the “border router” provides an extra layer of protection should the phone line / modem take a lightning strike. It would probably be cheaper to buy phone line and CAT5 lightning strike protection.

Another advantage to the “3 router solution” is you have 1 or 2 backup routers in case one goes down.

On that note I have seriously considered buying a spare SOHO MK3 “just in case” - but it would be kept offline until the need arose. Bear in mind if the power grid takes a strike near you it would potentially fry all 3 in the “3 router solution”. Keeping backup or spare router(s) unplugged is a better way to go IMHO.

When I buy a router, lightning strike (or other) replacement cost is actually one of my considerations. For home use $200USD is an acceptable risk considering this thing is like 16 routers.

One SOHO can do all this and more and is ~$100USD cheaper than buying 3 consumer grade routers on average.

Good points. After losing a router in one lightning strike and a water heater in another strike, I had an electrician install a whole-house surge protector that covers the electric lines, the cable TV, and the phone land line. Then I installed a surge protector that stops providing switching when the surge protection capability dies over time so that I’m not using an expired surge protector.

