
If you want a more hardened setup I recommend pfSense, a FreeBSD-based firewall/router distro [0]. It'll run on any number of mini/nano boards and several companies sell prebuilt boxes. It can run as a wifi AP as well but I find that a separate AP works best.

[0] http://www.pfsense.org/



pfSense is in no way more hardened than an OpenWRT box. Both are vastly superior to the stock firmware on any SOHO router available. OpenWRT and pfSense come from different backgrounds: OpenWRT was intended as a replacement firmware for consumer wifi routers, while pfSense wanted to be a secure and easy to use firewall appliance on x86 hardware.

We use both, OpenWRT on cheap TPLink consumer routers as a VPN router in home and branch offices, and a bunch of virtualized pfsense firewalls for network security in our hq and datacenter rack.

If you're after real routers, as in routing protocols like BGP and OSPF, and not security devices, both are not of much use. This is where Vyatta, an open source Debian-based router distribution, is better suited.

Wireless performance of OpenWRT depends on the hardware it is running on, but it's generally not great compared to proprietary gear from Ubiquiti and MikroTik. Both make dirt cheap wireless gear and routers that can match and outperform Cisco routers that cost 10x more. Wireless ISPs everywhere rely on those vendors.


pfsense (as well as m0n0wall) runs great on ALIX and WRAP boards too, not just bigger hardware.

  > If you're after real routers as in routing protocols like bgp and ospf
  > and not security devices, both are not of much use. this is where vyatta,
  > a open source Debian based router distribution is better suited.
Or BSDRP[1] or ZRouter[2].

  [1]: http://bsdrp.net
  [2]: http://zrouter.org


I've found pfsense to be extremely quirky, though it works pretty well. If you can wrap your head around the weird way it's all presented, the CARP and XMLRPC sync between clusters works flawlessly.

That said, when you bring their strange "packages" into the mix, all hell can break loose. So be careful.


Anyone looking into prebuilt pfSense boxes would also do well to check out Ubiquiti's EdgeRouter Lite [1]. I was initially looking at getting an ALIX kit [2] for my home router, but the ERL offered much better performance for roughly half the price. I haven't ordered one yet, but I will as soon as I have a day or two to sit down and properly configure it.

[1] http://store.netgate.com/Ubiquiti-EdgeMAX-EdgeRouter-Lite-P1...

[2] http://store.netgate.com/ALIX2D2-Kit-Black-Unassembled-P187C...


What do you use as a separate AP? My cursory searching indicates there exist enterprise-grade APs requiring a controller device, overkill for my apartment, or I use your standard Best Buy device like the ones we're wanting to avoid in this thread.


Most consumer routers actually work fairly well as APs. Once you've turned off all the routing functionality, which is the most complex and resource intensive bit, they seem to actually be pretty stable. I'm currently using an Asus RT-AC66U, which is complete overkill, but I wanted reliable AC wifi and it was the best option at the time. Prior to that I was using an Asus EA-N66R AP.

As for how this relates to the exploit discussed here: if you're only using it as an AP, you'll very rarely need to log in after the first setup since it really isn't doing much, just wifi <-> Ethernet bridging. If using a consumer router, the WAN port isn't connected to anything, so there is no outside access to worry about (unless you did some funky forwarding on the pfSense box). You should also disable management via wifi. That limits any access to a wired connection to the network, meaning someone is already in your apartment to physically patch in with an Ethernet cable. Any security bets are off at that point. If you want super extra special security you can set up firewall rules on the pfSense box that only make the AP's IP address accessible from a particular port.

As dumb as this exploit is on the part of netgear, remember that to exploit it the attacker had to have already broken the WPA2 security to access the wifi or physically plugged in with ethernet. The first vector can be avoided by simply turning off management via wifi.


  > As dumb as this exploit is on the part of netgear, remember that to exploit it
  > the attacker had to have already broken the WPA2 security to access the wifi
  > or physically plugged in with ethernet. The first vector can be avoided by
  > simply turning off management via wifi.

Or accessed your router internally via JavaScript, img tag, or iframe hidden on a malicious or compromised page. XSRF is real.

Edit: granted, browsers limit what JavaScript can do across sites, but request-only access is enough to change DNS settings to something malicious, and if the attacker can inject unescaped content into the page in some way, then they can run JavaScript on the router page and send data back that way.

Edit2: I'm not certain, but I think the timing of image load events could be used to determine success/failure of router actions loaded through a hidden img tag.


The cheapest available model listed in OpenWRT's table of (supported) hardware. Then flash it with OpenWRT and all's fine (mostly).

E.g. TP-Link's WR841N for 20 dollars:

http://www.amazon.com/dp/B001FWYGJS http://wiki.openwrt.org/toh/tp-link/tl-wr841nd


You could use a Ubiquiti UniFi. They're cheap (US $69) and the control software is only needed to provision them (so long as you're willing to forgo the guest wifi captive portal feature; if you want that then you have to run the control software full time).

http://www.ubnt.com/unifi


The $69 models do N, but not AC :-(.

Edit: oh hello downvote, I'm glad you think AC is worthless to note.


I recently got a Unifi and I'm pretty happy with it. It's somewhere between enterprise and consumer-grade, with an administration interface and reliability / performance leaning towards the enterprise side, and price leaning towards consumer-grade :)


I've found pfSense really shines on old PC hardware since the embedded boxes I've tried it on tend to slow a bit. Something with a still functioning HD and at least 256MB memory does pretty well with it.


I haven't tried it on an embedded platform, e.g. a Geode or Via CPU.

I'm using an old mini-ITX IPC board from Jetway with one of the first dual core Atom CPUs, 1GB of RAM (overkill) and 4 x Gbit Ethernet ports. With a slim case / power supply I think it was ~$250 about 5 years ago when I bought it.

Other than moving apartments it's only ever been rebooted once, to upgrade from pfsense 1.2 to 2.0. It's never crashed and never caused a problem, and I beat on my network connection. OpenVPN performance from outside is only limited by my WAN speed. It's been awesome.

I also use pfSense in a VM in front of a bunch of other VMs on a VMware server and it works great for that as well.


That's indeed overkill ;)

I've used an old eMachines PC with a couple of network cards and a switch in the past. An order of magnitude better than the Linksys router from my ISP it replaced. Also never had to reboot until I moved.

Never tried it as a VM front before. Good to know it's another option.


Is power free where you live?


I was formerly on solar before moving to an apartment. Hence the "I've used an old eMachines PC... in the past." Besides that, the power supply barely made it past 200W, which is basically 2 incandescent bulbs.


As someone who was on solar you should realize that 200W is a _lot_ of power, especially if it's 24/7. If you hadn't heard, people have moved away from incandescent bulbs because the energy use is considered unacceptable.



