Are Home Routers Secure? NO!

Zyxel USG60 that just got decommissioned because of the stupid Zyxel backdoor that just happened. Zyxel with Cyren was at the border with Untangle or Sophos UTM in bridge. Now just Untangle on my Rangeley. Have you seen our used Untangle yet?

I'm familiar with it but don't use it. I'm curious why you were bridging the Sophos UTM or the Untangle solution rather than using one of them for NAT? Either would be far more capable than the Zyxel unit.

I use Cisco's Umbrella solution (IPS, AMP) in conjunction with CIRA's DNS filtering setup. Back when I was running an ISR for NAT I used an ASA 5505 in transparent mode then upgraded it to a 5506X also in transparent mode with the very cumbersome and extremely slow FirePOWER module. Eventually cut out the ISR and had the ASA doing NAT but it really was a bit of a pile, even though I really wanted to like it. I replaced it with another ISR, then went Sophos XG, then back to Cisco with an MX64, which is what I'm running presently.
 
Layered defense, two different enterprise content filters, and IDS. At the time the Zyxel had Geo blocking where others I owned did not. If I did not have the Geo firewall I would be getting crap from China, Iran, Russia, Romania, etc. that my daughter was pulling in. I used Untangle's SSL Inspector to unencrypt her stuff and Application Blocker to kill her VPNs.

It really did not make much difference in final user speed who was NATing. My daughter is older now and isn't downloading crap any more, so when Zyxel screwed up big time, I dumped them for good.
 

Ahhh, seems a bit excessive, but if you couldn't do it all with one solution I get the approach. I am also blocking VPNs and forcing DNS traffic to only use the servers I specify (CIRA), which leverage AMP algorithms to dynamically maintain blacklists which you can select from based on the types of traffic and content you want to avoid. Their ad block algorithm is surprisingly good.

Kids are on policies that cut off their access at specific times as well.

You can get really anal and filter all Youtube and search traffic, but my kids are old enough now that I don't bother with that.
 