is a firewall for the firewall.
I just don't understand how people who design commodity networking gear can be so bad at network security.
Another response to your inquiry handles the cynical/pragmatic answer, but there's another half to it: Unfortunately, 'commodity networking gear' has to work for the same type of people who install 'flashlight' apps on their phones that require access to contacts and GPS. If you and I had our druthers, SOHO routers would ship with DD-WRT or PFSense out of the box...but unfortunately, these boxes get sold at Wal-Mart...to the kinds of people who buy routers at Wal-Mart.
I am by no means a network expert, but it seems as though some of these things are just common sense....
Pull 100 people off the sidewalk and ask them if any of these sentences mean anything to them. Odds are good that an unfortunate Saturday afternoon involving whiskey and a circular saw would leave you with enough fingers to count the number of people who could provide an explanation to these concepts. Thus the "common" in "common sense" doesn't really seem to apply.
- Don't have ports open to the Internet ("stealth" or otherwise) by default
Okay. And precisely how do you expect Skype to work? FaceTime? Windows Update? POP/IMAP e-mail? Watch all that traffic shuffle over 80 and 443, thus making 'ports' useless...or the applications, in the short term. Saying 'screw FaceTime' is a guaranteed way to ensure that people blame the router, and replace it with something basically mirroring what the router does now.
- Don't use unencrypted protocols... period
That's beyond the scope of responsibilities for a router. With respect to the greater internet, kindly inform me why Windows/Android/iOS Updates need to be encrypted...or Netflix streams (DRM notwithstanding)...or a dozen other kinds of data that are high volume and don't have security requirements...there's no need to waste CPU cycles on them.
- Don't enable wireless by default
A wireless router that ships with wireless disabled...you must be delusional. Remember, there are a whole lot of laptops being sold now that don't have wired capabilities...and cell phones and tablets don't have them at all. People buy routers explicitly for this purpose, and disabling it by default is a guaranteed way to ensure that people return them saying "it doesn't work", the high rate of returns making the entire retail chain roll their eyes, the brand getting a bad reputation, and being suicide for the product. No. Netgear has this right - ship it with a unique WPA2 password, by default, written on the bottom of the router. That is how the wireless problem is, for all practical purposes, solved.
Seems like just by doing those things, our routers would be a lot safer than they are now.
Yes. Now put one of your routers in the hands of the general public, and see exactly how far 'security' gets them - their iPads don't connect, Skype doesn't work on their desktop, and certificate authorities get to determine who lives and who dies on the internet.
For places where your line of reasoning is practical, there is SonicWALL, Cisco, Smoothwall, and Barracuda. For home users, there's Asus and Netgear.