Devices To Stop Intruders

I have been looking lately around the Internet for network devices that are designed to stop intruders, hackers, or anyone who is not supposed to be on your network. Please don't ask me why I want this, I just do. I am looking for devices that are placed in the cable line BEFORE the router, so "whatever is not supposed to be on the network" doesn't reach the router, and after that, reach the devices connected to it.
Surprisingly, I have found very little. The only thing I have found that has met my criteria is something called the Fingbox. It is hooked up as I say and constantly monitors your wireless and wired networks for intruders. If something is found, all you have to do is click block and it's history. I have written to the company several times. I have read several very positive reviews on the device. It is not badly priced at $129. I am seriously thinking of getting it. However, I have seen some other devices, such as very expensive routers that are designed to do basically what the Fingbox does, won't allow the "intruder" to get into the devices. So this is what I have been searching for. Please don't criticize or give me any negative feedback about what I want to do. It is my choice and I am hoping some of you may already be using such devices and can recommend something or a networking company for me to look at. Price is not an object, as long as I feel it is worth it. Thank you.

 

I think its great that you are security conscious jek, and want to protect your home network!
Have never used Fingbox or similar device, but i did some research, and they look acceptable for the price.

My take on this.........Whilst Fb is aimed at attackers who directly target your router as a door into your network with efforts such as bruteforcing WiFi passwords and the likes, there is another door in that Fb wont help with. That door is usually an exposed vulnerability in software running on one of the clients connected to your home network. ie your pute, your wife's, or perhaps one of the kids devices.

You see, hackers are quite advanced these days and they know that stealth is the key to a successful infiltration. If they can gain access to a network host system, lets say, via an unpatched vulnerability in software running on that pute, they will usually do this under the premise of an authorized user (gaining the required usernames and passwords to do so) so no one will ever notice that they are inside.
Once inside a host computer, they can very quietly have a look around your whole network and gain access to it as a seemingly legit user, so Fb will never know, because they can fool it into believing they have the right to be there.
Know what i mean?
Fingbox is not 100% foolproof, but it is a very good start if your router is substandard.

Be like the hackers.....go stealth with your network. In that i mean router configurations like disable broadcasting of your network so no-one will even know you are there. You can config most routers so you are able to connect automatically when broadcasting your SSID has been disabled. There are other options also.

Having said that, what helps you feel more comfortable with your setup, is what you should do......money is a small price to pay for peace of mind, and a good nights sleep.

Others here will have some great suggestions for you to follow up on i am sure.

Good luck with your choices, and you are right in considering this matter of security in order to protect yourself & family online!

Rep

 

G'day John, I saw your post on another security forum in which i am a member, but lets leave my replies here for now!

My personal network security ghost and how i configure it :
(this is just my personal choice of network defense that i will share with you, and anyone else who is interested)

Introducing my bad-ass D-Link EXO AC1900.

We shall only concentrate on its security measures here, but bare in mind that above that, you also get a power packed list of full router features as a bonus. ie your network will run like a well oiled machine.
For me, the beauty of this router is its fully optioned hardware firewall.

1. DMZ (demilitarized zone or network perimeter) it functions as a small, isolated network positioned between the Internet and your private network. The purpose of a DMZ is to add an additional layer of security to your LAN; an external network node can access only what you choose to expose in the DMZ, while the rest of the LAN's network is firewalled.
2. SPI IPv4 or stateful packet inspection. SPI mode blocks all unrecognized network connections, and approaches each incoming data packet as an isolated connection.
3. Anti-spoof Checking a technique for identifying and dropping data packets that have a false source address.
In a spoofing attack, the source address of an incoming packet is changed to make it appear as if it is coming from a known, trusted source. Spoofed packets are commonly used to carry out denial of service attacks, exploit network and system vulnerabilities and gain unauthorized access to business/home networks and data.
4. IPv6 Simple Security basically used to copy the behaviour of an IPv4 NAT Router.
Allow everything out / Deny everything in, unless it is a reply to a recent outgoing request.

Apart from the hardware firewall i also recommend :

1. Changing default login username and password to the router and also enabling Captcha (which the EXO supports) as an extra security overlay for login.

2. Rename default SSID to a network name you like and use a strong WiFi access password using both letters, numbers and symbols. ie *(johns network 998745)*
3. Disable your SSID broadcast beacons so it is not visable to anyone who may be sniffing from outside. (This is able to be done and still allow you to auto connect to your network if you check the box in the routers config).
4. Always keep your router firmware, and your computers software Up-To-Date, including your OS
4. Always be good to your family both in the real world, and online!

Anyway, unless your the Pentagon, the best blackhat hackers out there would not be willing to spend the time required to try and access you from here on in.
Its just more productive to move on to an easier (unsecured) victim because lets face it, your too hard now

Cheers, Rep

 

The problem is what you want really does not exist because what you want really is, more or less, a router function. That's why you have not found anything that sits between the router and modem. That Fingbox (and similar devices) are router devices.

What you want is an advanced router.

That D-Link is a nice option. I just (like last week) replaced my old Netgear wireless router with the Linksys MAX-Stream AC1900 MU-MIMO Gbps Router. This would meet your needs very well too.

The key thing is to use Ethernet (wired) whenever possible, and use a very strong passphrase for the wireless side of your network. Also, use the strongest encryption your wireless devices support.

But note you still must actively protect each of your connected devices by ensuring your operating system and computer security programs are current and you, the user and ALWAYS the weakest link in security, are not "click-happy" on unsolicited downloads, links, attachments and popups. The best security in the world is pointless if the user opens the door and invites the stranger in.

Ummm, sorry but this is not really effective. Just about any wifi scanner (as found with every notebook, smart phone, etc.) that is looking for available wireless networks will still "see" your network. There just will not be a name (SSID) assigned to it. That does not stop them from gaining access if they know, or can figure out your passphrase.

And anybody with a simple wireless packet "sniffer" like XIRRUS WiFi Inspector can still see your network, plus they can see the mode, signal strength, BSSID/MAC address, channel, and more. Just not the name of your network. But that will not stop any junior wannabe hacker. That particular sniffer will even show a general direction from your current location, where found networks are located. But with a simple, cheap, home made directional antenna, a bad guy can pinpoint the room of the building your WAP (wireless access point) is located.

So you can certainly disable SSID broadcasting if it makes you feel better, but don't get a false sense of security that it is securing your wireless network any better - it is not. Since some wireless devices need you to enter the SSID during setup, I just suggest choosing a name (and passphrase) that a nosy neighbor wiz-kid cannot identify as belonging to you. That is, don't use personally identifying words! For example, if you or someone in your family is "John", don't use John in your SSID or passphrase. Don't use your dog's name, kid's name, house address, or any other identifiable words.

To stop all but the most determined professional hacker who is specifically and personally targeting you is a very strong passphrase, properly updated connected computers, plus the highest encryption your devices support. These steps will deter a bad guy sitting in his car down the street with a directional from accessing your network. He will move on to easier pickings.

Of course none of this is necessary for Ethernet connected computers. For someone to hack into your Ethernet network, they would have to physically be inside your house with an Ethernet cable connected to your router! Hopefully you would notice that.

In addition to WiFi Inspector, inSSIDer is also popular. Note if you live in a crowded apartment complex, interference from nearby wireless networks can degrade the performance of your wireless connections. You can use one of these sniffers to see what channels surrounding networks are using. It is not uncommon to see lots of networks using channel 1, 6 or 11 (common default channels). You can set your channel to 8 for example and improve your wifi performance.

 

Hi Digerati, disable SSID is just another layer to utilize although as you state not foolproof, but no single security layer is.
Why have broadcast beacon headers in your packets flying around, when you have the choice not to?
As you say, its important to configure connection before you disable, thats a no brainer!

Mainly why we do this is so you can write something personal in your ssid that aids in your ability of personal network identification which is committed to memory.
As no one can see your ssid name, it doesn't matter, then extra clues to passphrase ID are not given.
If you include symbols within the passphrase (which you should) ^ ie *%&( .....or similar, it would take a script kiddie months, years or decades to bruteforce or dictionary it. Hell, even a pro!
What im trying to relay is that if you use the above technique coupled with letters/numbers/capitals, it wouldn't matter squat if you had 'John's Place' among your ssid lettering.

In high traffic area's, sometimes it can be difficult trying to read off numbers when 25 networks are in range and a dozen of them all have default Comcast92a3456, or Comcast 34b5461, or.......anyway you get the picture!

Cheers