SmilingEddie
Aug 02, 2020, Guide
How to enable connection monitoring and block-listing
How do I enable traffic monitoring and block-listing with Orbi? Even the cheap TP-link I had before had these features; they are rather basic, but how do I find them and operate them with an Orbi?...
SmilingEddie
Aug 03, 2020, Guide
There is a mismatch here. Just because it’s configured as AP rather than router, doesn’t mean that it is somehow not a route into the internal LAN. It therefore still has a security obligation.
OK, we can hide SSID broadcasts, and use long, complex, passwords with good crypto properties but we need to know that these controls are working as expected. More importantly, we need to know when they aren’t. It’s called Security in depth: multiple independent controls should have to fail before you’re in trouble.
The main router in our network also includes the firewall. It is Internet/ISP-facing, i.e. it guards the front door to our LAN. The NETGEAR router and satellites have a lot of great features but guarding the back door to our LAN is something it doesn’t do adequately.
If you think that only big businesses are under attack, you’re likely to have a very unpleasant surprise. I hope you and your data survive it with a tolerable impact.
We live in a world where even state-sponsored scumbags, theft of sensitive personal data and information to support fraudulent activity which trashes the victim’s credit history, ransomware and blackmail… all have to be considered to ensure survival.
NETGEAR customers who care about their personal data, and have even the slightest awareness of how hostile the digital world can be, have an expectation the products they have bought will include basic features that let them see when a security control, such as a Wifi password, has failed. They should be able to contain the threat. Even the cheapy TP-link Deco home Wifi router and satellites managed that in AP mode. Sure, it had flaws, such as obsolete crypto, but it was still better than that big name NETGEAR.
Your brand loyalty is commendable but until NETGEAR supports security that better equips customers to defend their homes from WiFi-sourced attacks, it is definitely misplaced.
You cleverly sorted out an annoying problem for me in another Orbi link. I hope you can do it again for me here.
CrimpOn
Aug 03, 2020, Guru - Experienced User
SmilingEddie wrote: Even the cheapy TP-link Deco home Wifi router and satellites managed that in AP mode.
I find the Deco User Manual about as (un)informative about operating mode as the Orbi User Manual. On page 24
https://static.tp-link.com/2020/202006/20200628/1910012596_Deco%20M5_V2&V3_UG_2.0.pdf
Router Mode: "Connects to the internet.... NAT and DHCP server are enabled by default."
Access Point Mode: "Functions like NAT, Parental Controls, and QoS are not supported in this mode."
I cannot determine from this what happens to features like DHCP, address reservation, new device detection, IPTV, etc. etc. in access point mode. If some other device is the DHCP server, how does a WiFi access point know which IPs or MAC addresses are valid (or invalid)?
There is probably a good reason that highly sensitive operations take place in "secure" locations: Faraday shields. Employees forbidden to bring cell phones inside the room. etc. etc.
I think it is very clear by now that the only way to prevent access by someone who has deciphered the WiFi password and can thus connect to the WiFi network with a bogus static IP is to have MAC level access control which the Orbi does in router mode, but not in access point mode.
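An added example, not part of any post in this thread: when the access points offer no new-device alerting, a Linux host on the LAN can cross-check the neighbour (ARP) table against the DHCP server's leases to spot clients that joined with a self-assigned static IP or an unrecognised MAC. The `ip neigh show` and dnsmasq lease formats are real; the interface name `br0`, the addresses and the allow-list are constructed sample data, and dnsmasq as the DHCP server is an assumption.

```python
import re

# Constructed sample data (not from the thread). Formats follow
# `ip neigh show` on Linux and a dnsmasq leases file.
NEIGH_SAMPLE = """\
192.168.1.10 dev br0 lladdr 3c:22:fb:10:20:30 REACHABLE
192.168.1.11 dev br0 lladdr a4:83:e7:aa:bb:cc STALE
192.168.1.200 dev br0 lladdr 02:11:22:33:44:55 REACHABLE
192.168.1.50 dev br0  FAILED
"""
LEASES_SAMPLE = """\
1596499200 3c:22:fb:10:20:30 192.168.1.10 laptop 01:3c:22:fb:10:20:30
1596499300 a4:83:e7:aa:bb:cc 192.168.1.11 phone *
"""
KNOWN_MACS = {"3c:22:fb:10:20:30"}  # hypothetical allow-list of owned devices

NEIGH_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9a-fA-F:]{17}) (\S+)$")

def parse_neigh(text):
    """Return {mac: ip} for neighbours that resolved to a MAC address."""
    seen = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m and m.group(3) != "FAILED":
            seen[m.group(2).lower()] = m.group(1)
    return seen

def parse_leases(text):
    """Return {mac: ip} from dnsmasq lease lines: expiry mac ip host id."""
    leases = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            leases[parts[1].lower()] = parts[2]
    return leases

def audit(neigh_text, leases_text, known):
    """Flag devices seen on the LAN that are unknown or hold no DHCP lease."""
    leases = parse_leases(leases_text)
    findings = []
    for mac, ip in sorted(parse_neigh(neigh_text).items()):
        reasons = []
        if mac not in known:
            reasons.append("unknown MAC")
        if leases.get(mac) != ip:
            reasons.append("no matching DHCP lease (static IP?)")
        if reasons:
            findings.append((mac, ip, reasons))
    return findings
```

Because a client can set its own MAC address, a check like this is a visibility aid for noticing unexpected devices, not an authentication control.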
- SmilingEddie, Aug 03, 2020, Guide
Exactly my point, as a product, the Deco 9 Plus v2 is only a grade above Minimum Viable Product. These guys are newcomers in a market where NETGEAR has dominance and mature products but even TP-link have recognised the basic need for multiple layers of defence where a customer already has DHCP, NAT etc. They even offer the option of alerting when a new device connects.
In short, the dogs in the street know how important an adequate security implementation is these days and yet Orbi programme management, with the R&D budget don't. I've previously expressed a view of how that might have come about.
- Mstrbig, Aug 04, 2020, Master
I would express your idea to Netgear directly. They may listen and add that feature in a future firmware or new product release.
If I truly wanted full protection, I would never rely on any personal line device for firewall, virus, malware, etc., protection, but rather go with the professional business class smart switches and software, provided by Cisco, Fortinet and other quality manufacturers.
Home use is usually not as important, so the best solution is personal firewall protection using the Orbi system, or if set in Bridge mode, using the initial router, as well as setting up MAC level access control. Also disable guest access, even though I find it to be totally safe.
Use the many offered firewall/virus/malware protection provided by Apple, Microsoft, or any of the many choices to choose from, such as (not in any specific order) Norton, Kaspersky, McAfee, Webroot, AVG, Avast, etc.
Firewall protection is a little overrated for personal use, as most networks are on private IP addresses. Virus, malware, bloatware protection for personal computers has come a long way, with many choices. I myself use Microsoft's built-in Windows Security protection, and have found it to be perfect, as it upgrades almost daily and runs effortlessly in the background. There are also many choices for Apple devices as well.