Tag: home networks

When should you consider upgrading your home network router?

Article

Broadband router lights

There are situations that will occur which will require you to replace your home network’s router

How to tell when it’s time to upgrade your router – CNET

My Comments

There are factors that may drive you towards upgrading your home network’s router at some point in its life. This can apply even if you think that it is still performing adequately for your current needs, including your current Internet service level.

You may find that when you sign on to a new Internet service, you may be offered a new Wi-Fi router for your home network as part of the deal. In most cases, this may see you through quite a number of years with your service. But on the other hand, you may choose a “bring-your-own-router” option for your new Internet service so you could keep your existing equipment going for the long haul. But going down that path may not be ideal unless you intend to use up-to-date equipment that can support your new Internet service and current computing devices to the best it can.

Reliability

If you find yourself frequently turning your network’s router and modem off and on to reset your Internet connection, this may be an indicator that your equipment is on its last legs. A good indicator would be if you are on average doing this routine more than once a week.

Another factor to observe is whether your online experience has degraded especially with multimedia content that you are streaming or when you engage in videocalls. Look for situations like excessive buffering or stalled connections that can indicate your router is becoming unreliable.

Speed

You may want to make sure that you are taking advantage of the bandwidth you are paying for so you get your money’s worth.

This would be important if you are upgrading to a service tier that offers more bandwidth for example. For that matter, you may find that after two or three years on the same service plan, you may be aware that your telco or ISP is offering a deal that has more bandwidth for the same price you are currently paying.

Another factor is how sluggish your home network is. This may be noticed with use of network-based media setups like AirPlay or Chromecast yielding substandard performance or print jobs taking too long when you print via your home network. Similarly, it can be noticed if you have many people in your household or business and the network’s performance is sub-par while they use it at once, especially for multimedia.

If your Internet connection is provided using a separate modem and router setup, you may want to check if the router is at fault by connecting a computer to the modem directly via Ethernet and using that to assess speed and latency.

Network Security and Software Quality

AVM FritzBox 5530 Fiber FTTP fibre-optic router product image courtesy of AVM

You may find that some devices like the FritzBox 5530 Fiber will have continual firmware updates and keep themselves secure

Another factor that may be worth considering is whether the router’s vendor is supplying regular firmware updates for your unit. This is important in relation to bugfixes or patches to rectify security exploits discovered within the firmware.

This factor is important due to data-security issues because a bug or security exploit within the router’s firmware can increase the risk of a cyberattack on the network or its devices.

Some vendors may continue to supply software-quality and security updates for their older equipment but cease to provide feature updates that add functionality to these devices. But you have to be careful where the vendor ceases to supply any updated firmware after they have declared end-of-life on that device.

Newer network technology arriving

Telstra Smart Modem Generation 2 modem router press picture courtesy of Telstra

Newer routers like the carrier-supplied Telstra Smart Modem 2 are most likely to be engineered for today’s Internet service and home network expectations

Increasingly your Internet service may be upgraded to newer technology in order to allow for faster throughput. It is something that will be continuing to happen as Internet service providers increase capacity and speed for newer use cases and applications. You may even find that you have to upgrade your home network router if you are revising your Internet service or moving premises to an area with better Internet service.

If you are using a modem router and you upgrade your Internet service to something that uses newer technology, you may have to replace the modem router with different equipment that supports the new technology properly.

In the case of some fibre-copper setups like fibre-to-the-node, fibre-to-the-cabinet or fibre-to-the-basement that implement DSL-based connectivity, you would have to make sure the modem-router can support the latest DSL specifications fully and properly for that link. Here, a lot of older DSL modem routers support ADSL2 at best but you need equipment to work with VDSL2 or G.Fast links that a DSL-based fibre-copper link would use.

In some cases, the installation may require the use of a separate modem connected to a broadband router that has an Ethernet WAN connection. Examples of this would include satellite, fibre-to-the-premises or most cable-modem installations.

As well, you may want to improve your network’s speed and security. This is more so with Wi-Fi networks where you may find that you have relatively up-to-date smartphones, tablets and computers on your network. In this case, you would be thinking of Wi-Fi 5 or 6 with WPA2-AES or WPA3 for security.

Distributed Wi-Fi

NETGEAR Orbi with Wi-Fi 6 press picture courtesy of NETGEAR

You may even be considering the use of a distributed-Wi-Fi setup like the NETGEAR Orbi to increase Wi-Fi coverage

Another thing worth considering is whether to implement distributed-Wi-Fi technology a.k.a mesh Wi-Fi to increase coverage of your home network’s Wi-Fi segment across your home or small business.

But most distributed-Wi-Fi setups are dependent on working with equipment sold by the same vendor. That is unless the equipment supports Wi-Fi EasyMesh which offers a vendor-independent approach. At the moment, there are still some early teething points with the EasyMesh standard with some vendors not running with software that is polished for true interoperability.

Most systems that support this functionality may have the ability to work as access points for an existing router or as broadband routers in their own right. You may also find that some home-network routers, especially some of the units made in Europe like the AVM FritzBox devices can support distributed Wi-Fi after a firmware upgrade.

This solution may come into its own if you are thinking of bringing your home network up-to-date by replacing an old router that uses very old technologies on the LAN side.

Conclusion

If you are dealing with a very old home-network router that is becoming very unreliable or slow, you may have to look at these factors when considering whether to replace that router with a newer unit.

Germany to set a minimum security standard for home-network routers

Article

Telstra Gateway Frontier modem router press picture courtesy of Telstra

Germany has defined a minimum standard for secure broadband router design

Germany proposes router security guidelines | ZDNet

From the horse’s mouth

BSI (German Federal Office for Information Security)

TR-03148 Secure Broadband Router 1.0 (PDF)

My Comments

Network connectivity devices and devices that are part of the Internet-Of-Things are being identified as the weakest point of the secure Internet ecosystem. This is due to issues like security not being factored in to the device’s design along with improper software quality assurance when it comes to the devices’ firmware.

The first major incident that brought this issue to the fore was the Mirai botnet attack on some Websites and dynamic-DNS servers through the use of compromised firmware installed in network videosurveillance cameras. Recently in 2016, a similar Mirai-style attack attempt was launched by the “BestBuy” hacker involving home-network routers built by Zyxel and Speedport. There was a large installed base of these routers because they were provided as standard customer-premises equipment by Deutsche Telekom in Germany. But the attempt failed due to buggy software and the routers crashed.

Now the BSI, who are Germany’s federal information-security government department, have taken steps towards a baseline set of guidelines concerning security-by-design for these home-network routers. It addresses both the Internet-based attacker situation and the local-network-based attacker situation such as a computer running malware.

Key requirements

Wi-Fi segments

There are requirements concerning the LAN-side private and guest Wi-Fi segments created by these devices. They have to work using WPA2 or newer standards as the default security standard and the default ESSIDs (wireless network names) and Wi-Fi passphrases can’t relate to the router itself like its make or model or any interface’s MAC address.

As well, guest Wi-Fi and community / hotspot Wi-Fi have to be treated as distinct separate logical networks on the LAN side and they have to be “fenced off” from each other. They will still have access to the WAN interfaces which will be the Internet service. The standard doesn’t address whether these networks should implement client-device isolation because there may be setups involving a requirement to discover printers or multimedia devices on these networks using client software.

Router management

The passwords for the management account or the Wi-Fi segment passphrases have to be tested against a password-strength algorithm when a user defines a new password. This would be to indicate how strong they are, perhaps through a traffic-light indicator. The minimum requirement for a strong password would be to have at least eight characters with at least 2 each of uppercase, lowercase, number and special characters.

For the management account, there has to be a log of all login attempts along with lockout-type algorithms to deter brute-force password attacks. It would be similar to a code-protected car radio that imposes a time delay if the wrong passcode is entered in the radio. There will be an expectation to have session-specific security measures like a session timeout if you don’t interact with the management page for a certain amount of time.
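The two management requirements above, sketched as an added example that is not taken from the BSI document or from any router's firmware. The password rule is the one stated in this article; the "amber" band, the three free tries and the 30-second doubling delay are assumptions, and `rate_password` and `LoginGuard` are hypothetical names.

```python
import re
import time

# Rule as summarised in the article: at least 8 characters and at least
# 2 each of uppercase, lowercase, digit and special characters.
CLASSES = {
    "upper": r"[A-Z]",
    "lower": r"[a-z]",
    "digit": r"[0-9]",
    "special": r"[^A-Za-z0-9]",   # anything that is not an ASCII letter or digit
}

def rate_password(pw):
    """Return 'green', 'amber' or 'red' for a traffic-light indicator."""
    counts = {name: len(re.findall(rx, pw)) for name, rx in CLASSES.items()}
    if len(pw) >= 8 and all(n >= 2 for n in counts.values()):
        return "green"
    # Assumed middle band: long enough and every class present at least once.
    if len(pw) >= 8 and all(n >= 1 for n in counts.values()):
        return "amber"
    return "red"

class LoginGuard:
    """Logs every login attempt and doubles the wait after repeated failures.

    The lockout here is per account, so a device on the LAN could keep the
    owner locked out; a per-source variant trades that for weaker throttling.
    """

    def __init__(self, free_tries=3, base_delay=30, max_delay=3600,
                 clock=time.monotonic):
        self.free_tries = free_tries    # failures allowed before any delay
        self.base_delay = base_delay    # seconds, doubled per further failure
        self.max_delay = max_delay
        self.clock = clock
        self.failures = 0
        self.locked_until = 0.0
        self.log = []                   # (timestamp, source address, outcome)

    def attempt(self, source, password_ok):
        now = self.clock()
        if now < self.locked_until:
            # Refused without looking at the password, so guesses made
            # during the lockout reveal nothing.
            self.log.append((now, source, "locked"))
            return "locked"
        if password_ok:
            self.failures = 0
            self.log.append((now, source, "ok"))
            return "ok"
        self.failures += 1
        over = self.failures - self.free_tries
        if over >= 0:
            delay = min(self.base_delay * 2 ** over, self.max_delay)
            self.locked_until = now + delay
        self.log.append((now, source, "fail"))
        return "fail"
```
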

Other requirements for device management will include that the device management Webpage be only accessible from the main home network represented by the primary private Wi-Fi segment or the Ethernet segment. As well, there can’t be any undocumented “backdoor” accounts on the router when it is delivered to the customer.

Firmware updating

But the BSI TR-03148 Secure Broadband Router guidelines also address that sore point associated with router firmware. They address the issue of updating your router with the latest firmware whether through an online update or a file you download to your regular computer and upload to the router.

But it is preferred that automatic online updates take place regarding security-related updates. This will most likely extend to other “point releases” which address software quality or device performance. Of course, the end-user will need to manually update major versions of the firmware, usually where new functionality or major user-interface changes take place.

The router manufacturer will be required to rectify newly-discovered high-severity security exploits without undue delay once they are notified. Here, the end users will be notified about these software updates through the manufacturer’s own public-facing Website or the router’s management page.

Like with most regular-computer and mobile operating systems, the use of software signatures will be required to authenticate new and updated firmware. Users could install unsigned firmware like the open-source highly-functional firmware of the OpenWRT kind but they will need to be warned about the deployment of unsigned firmware on their devices as part of the deployment process. The ability to use unsigned firmware was an issue raised by the “computer geek” community who liked to tinker with and “soup up” their network hardware.

Users will also need to be notified when a manufacturer ceases to provide firmware-update support for their router model. But this can hang the end-user high and dry especially if there are newly-discovered weaknesses in the firmware after the manufacturer ceases to provide that software support.

The standard also places support for an “anti-bricking” arrangement where redundant on-device storage of prior firmware can exist. This is to prevent the router from “bricking” or irreversibly failing if downloaded firmware comes with software or file errors.
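The update behaviour described in the signature and anti-bricking paragraphs above, as an added example that is not code from the BSI guideline or from any vendor. It assumes a two-slot layout and a caller-supplied self-test; the `Router` class and `sign` helper are hypothetical, and HMAC-SHA256 with a constructed key stands in for the vendor's public-key signature so that the example needs only the standard library.

```python
import hashlib
import hmac

# Constructed demo key. A real router verifies an asymmetric signature and
# holds only the vendor's public key; a shared secret on the device could be
# extracted and used to forge updates.
VENDOR_KEY = b"constructed-demo-key"

def sign(image):
    """Stand-in for the vendor's signing step."""
    return hmac.new(VENDOR_KEY, image, hashlib.sha256).digest()

class Router:
    def __init__(self, factory_image):
        self.slots = [factory_image, None]   # two firmware slots
        self.active = 0                      # slot the router boots from
        self.pending = None                  # slot waiting for its first boot

    def install(self, image, signature=None, accept_unsigned=False):
        """Write image to the spare slot and return a status string."""
        if signature is not None:
            if not hmac.compare_digest(sign(image), signature):
                return "rejected: bad signature"
            status = "installed: signed"
        elif accept_unsigned:
            status = "installed: unsigned, user warned"
        else:
            # Unsigned firmware is allowed, but only after the user has seen
            # the warning and confirmed.
            return "warning: unsigned firmware, confirmation required"
        spare = 1 - self.active
        self.slots[spare] = image            # the running image is never overwritten
        self.pending = spare
        return status

    def boot(self, self_test):
        """Switch to the pending slot only if it passes the self-test."""
        if self.pending is not None and self_test(self.slots[self.pending]):
            self.active = self.pending
        self.pending = None                  # a failed image is not retried
        return self.slots[self.active]
```

A valid signature only proves where the image came from: a correctly signed but truncated image still fails the self-test and the router keeps booting the previous slot.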

Other issues that need to be addressed

There are still some issues regarding this standard and other secure-by-design mandates.

One of these is whether there is a minimum length of time for a device manufacturer to continue providing security and software-quality firmware updates for a router model or series after it is superseded. This is because of risks like us purchasing equipment that has just been superseded, typically to take advantage of lower prices, or us keeping a router in service for as long as possible. This may be of concern especially if a new generation of equipment is being released rather than a model that was given a software-compatible hardware refresh.

Solutions that could be used include open-sourcing the firmware like what was done with the Linksys WRT-54G or establishing a known-to-be-good baseline firmware source for these devices while continuing to rectify exploits that are discovered in that firmware.

Another is the existence of a logo-driven “secure-by-design” campaign directed at retailers and the general public in order to encourage us to buy or specify routers that are compliant to this standard.

An issue that needs to be raised is whether to require that the modem routers or Internet-gateways supplied as standard customer-premises-equipment by German ISPs and telcos have a “secure-by-design” requirement. This is more of an issue with Internet service provided to the average household where these customers are not likely to fuss about anything beyond getting Internet connectivity.

Conclusion

The BSI will definitely exert market clout through Europe, if not just the German-speaking countries when it comes to the issue of a home network that is “secure by design”. Although the European Union has taken some action about the Internet Of Things and a secure-by-design approach, they could have the power to make these guidelines a market requirement for equipment sold in to the European, Middle Eastern and African areas.

It could also be seen by other IT bodies as an expected minimum for proper router design for home, SOHO and SME routers. Even ISPs or telcos may see it as an obligation to their customers to use this standard when it comes to specifying customer-premises equipment that is supplied to the end user.

At least the issue of “secured by design” is being continually raised regarding home-network infrastructure and the Internet Of Things to harden these devices and prevent them from being roped in to the next Mirai-style botnet.

HomePlug AV500–earns its place in connecting that man-cave to the house

Cable TV in the man-cave

He has his cable TV and download-to-view in the man-cave!

Most of you may have seen me incite the use of HomePlug powerline-network technologies as a viable option for multiple-building home network situations like linking that granny-flat, garage or barn to the Internet service coming in to the main house but may have doubts about whether I have seen it work for myself. Now I have set up such a network and seen it work for myself.

Last Sunday, I had visited some friends of mine who had just moved to a new house. This outer-suburban house had come with a detached garage where some of the space was purposed as a “man-cave” by the man of the house and he even had cable TV installed out to this location.

But the cable-TV service was augmented with a “download-to-view” movie-rental service which depended on the set-top box, which was a PVR, being connected to the Internet. The main set-top box in the house was already connected to the Internet and the home network via a HomePlug AV500 powerline-network segment using HomePlug adaptors supplied by the cable-TV provider. But the man of the house, who is IT-savvy, had a pair of “homeplugs” compliant to the same HomePlug AV500 standard as the existing segment.

HomePlug link between house and garage

What this is all about

Here, I integrated one of the “homeplugs” in to this segment using SimpleConnect push-button pairing to make sure it works as part of the segment. Then I took this adaptor to the “man-cave” garage and connected it to the set-top box there. This setup worked reliably and promptly with the pay-TV provider’s “download-to-view” movie-rental service by permitting the download of two standard episodes of an American TV series.

This setup underscored the idea of the HomePlug technologies working as part of a multi-building home network. The requirement for this to work properly is that both main building and the outbuilding have to be on the same electrical service i.e. behind the same electric meter. As well, they will work properly where the buildings are located relatively close which may be around 150 metres (164 yards), typically represented by a suburban block or a cluster of buildings on a country property located close together.

For reliable operation, the electrical connection between the house and the outbuilding of concern has to be sound and not likely to deteriorate during bad weather. This can be a concern with older houses where the electrical infrastructure has been allowed to “go to pot”.

What is an ideal home network?

Netgear DG834G ADSL2 wireless router

A wireless router that is part of a full broadband service

A home network needs to support both a wired and wireless local-area-network path for many different reasons. If you just use a wireless-only home network, you are exposing everything to the vagaries of the radio technology that the wireless network is all about such as interference to or obstruction of these radio signals. As well, a lot of sessile devices like desktop computers have the antenna and radio circuitry for the wireless network functionality located towards the back of the equipment and this can cause interference for equipment that uses a metal chassis.

It would be ideal to implement an Ethernet + wireless setup with a Wi-Fi network of at least 802.11n dual-band multi-stream specification providing the wireless coverage and Gigabit Ethernet wiring pulled through the house to all of the rooms. But a lot of factors can get in the way of this ideal such as the cost to pull Cat5 Ethernet wiring through an existing house or factor in Cat5 Ethernet wiring to each room in a new building.

On the other hand, I would head for a wireless + HomePlug powerline setup or one covering wireless, Cat5 Ethernet and HomePlug. Here, I would use at least 802.11n dual-band multi-stream technology for the Wi-Fi wireless segment and at least HomePlug AV500 for the HomePlug powerline segment. Using all three paths, I would include Gigabit Ethernet to some rooms like one or two of the main living areas, the office / den area and one or two bedrooms, along with the other two technologies. This could create a home network that covers the house on what would be effectively a “beer budget”.

Devolo dLAN 1200+ HomePlug AV2 MIMO adaptor press picture courtesy of Devolo

Let’s not forget HomePlug as a network connectivity tool (European setup)

In some environments like a multiple-building setup or a network in a commercial building or apartment block, I would consider implementing HomePlug AV2 MIMO technology to assure reliable operation.

Why a wired and wireless network setup?

A wireless link provided by the Wi-Fi segment is to primarily serve the mobile and portable devices that are intended to be located on a whim. Whereas a wired link provided by Ethernet and/or HomePlug AV is to serve the devices that are normally fixed by providing reliable network connectivity to these devices.

Another advantage is to set up an extra wireless access point to increase your wireless network’s coverage. This can do that job better than the typical wireless network range extender because this setup can supply full wireless-network bandwidth in the remote area due to the use of a wired backbone rather than a weak wireless network with all the vagaries of radio.

Why include HomePlug AV even if Ethernet wiring exists?

WD MyNet Switch rear Ethernet connections

8-port Gigabit Ethernet switch for use when you wire for Ethernet

HomePlug AV can serve as an “infill” solution for a wired no-new-wires setup especially if you find that you have to locate a normally-fixed device in an area that is further from an Ethernet infrastructure socket. This can be of importance if you have to shift it temporarily to suit a new need or you have network-capable devices in an area where you didn’t factor the need for Ethernet connectivity in the first place.

This could also allow you to work an Ethernet wiring setup on a “beer budget” with a few rooms covered and use HomePlug AV or similar technology to provide wired connectivity to other rooms. Similarly, you may have a part of your house that is separated from the rest by a thick wall made of brick, masonry or cinder-block where the Wi-Fi network won’t perform past that wall and it is prohibitive to pull Ethernet or other wiring past that wall. Here, the HomePlug AV technology “takes it past” the obstacle.