bwcbwc writes "My home network is going to expand shortly as I upgrade my DSL modem to DSL/2 (possibly with an integrated router), and (finally) add wireless (802.11g since that's still at least twice as fast as the DSL port, and if I use 802.11n half the neighborhood will be able to scan my SSID).
While I've seen plenty of articles on the net about securing your wireless connections on the LAN side, and a few articles about hacking your router's firmware, I've never seen any deep articles about securing your router's internals from attacks from the WAN side. The only consistent recommendations in this area seem to be "make sure your firmware is up to date" and "change your admin password". Consumer-level stuff, not Slashdot-quality (is that an oxymoron?). This is fine if your router vendor maintains the firmware in the face of new attack vectors, but when the latest update for your router model dates back to 2004, it makes you wonder.
So my questions (maybe too many):
1) Which home routers (priced under US $100) or DSL Modem/Router combos (under $150) are the most secure? Which vendors seem to provide the best ongoing support for security and other programming issues?
2) What configuration options and mods can I make in the router settings to enhance my security? Changing the passwords, turning off UPnP and WAN ping seem pretty obvious, but are there any other good ones?
3) I know some/most routers are basically Linux boxes. Which routers are easiest to mod from a sysadmin's perspective? Is there a trade-off between LAN-side configurability and WAN-side security?
4) If I have 2 routers (one wireless+wired, one wired only), I have to plug one of them into the other. From a security perspective, is there a preference as to which router should be connected directly to the internet and which one should plug into the other? If the outermost router is compromised, it can become a man-in-the-middle against the inner network. On the other hand, if the inner router is compromised, it is already part of the outer router's internal subnet."