Replacing My Netgear Router With The ASUS ZenWiFi (CT8)

I’ve been reporting recently that networking gear maker Netgear has had a massive security #fail where 79 of their router models are affected by a security flaw that allows for the complete takeover of the router. If that isn’t bad enough, exploit code and tools to find these routers out on the Internet were already in the wild. Meaning that the bad guys are likely trying to exploit this and that users of Netgear products are not safe.

That’s not good.

Now while Netgear seems to be trying to roll out fixes for this security #fail, I’ve argued that because of their past history when it comes to security issues, and the fact that they sat on these new issues since January of this year and only started doing something about it when the issues were made public, you should pull any Netgear routers from service and replace them with something that is far more secure. Oh yeah, you should also never spend a penny on their products again. Now I am not saying this lightly. The fact is that this specific security issue is not trivial. And even if you take Netgear’s advice and disable remote administration (which for the record, you shouldn’t be using any form of remote administration if you want to be completely secure), it is only a mitigation. Netgear won’t go as far as to say that this will make you completely safe until fixes come out for this issue. Thus this router had to go as I take the security of my network very seriously.

For the last few years I’ve been running an R8500 which is also known as the Nighthawk X8. It has been a pretty fast router with features such as aggregate ports that I do appreciate, but it is on the list of routers that were affected by this issue. So I shut it down and in its place went the ASUS ZenWiFi AC (CT8) mesh WiFi system which I recently reviewed. Now in theory, I am giving up two things by going to the ZenWiFi AC. Specifically:

  • There’s no ability to aggregate ports. Which means that accessing my NAS for media streaming and backup purposes should be a bit slower.
  • The ZenWiFi has a pair of 802.11ac bands. One is for the dedicated backhaul between the nodes that runs at up to 1733 Mbps. The other is for devices which runs at 867 Mbps. That’s a drop from the R8500 which did 2.1 gigabits for each band that it has. Though as it is a classic router, it doesn’t have a backhaul connection.

But in reality, it wasn’t as bad as I thought it would be. The speed differences are very slight from my testing. For example, doing a backup of my MacBook Pro over 802.11ac to my NAS was five minutes slower. And surfing the net, playing games, doing Zoom calls, doing remote access doesn’t feel any different. So perhaps my fears were unfounded.

Now by using the ASUS ZenWiFi (CT8), I was able to clean up a few things:

  • When Rogers installed my cable modem years ago, they dropped it in the living room. I then had to run a long Ethernet cable from the cable modem to the den which is where my NAS and router live so that I could connect it to the router. Because this is a mesh WiFi system, that cable is no longer required as the node in the living room plugs into the cable modem, and then that node connects over the dedicated backhaul to the other node that is in the den.
  • Since I have a TCL 4K TV and a PC that I use for Zwift in the living room, I plugged those into the node in the living room via the gigabit Ethernet ports on the node. That node is also plugged into my Rogers gigabit Internet connection.
  • In my den, I plugged in my NAS which has two Ethernet ports on it into the node that lives in there.

Top tip: For best results with the ASUS ZenWiFi (CT8), make sure that the light that is on the front of each node is white and not yellow. White indicates that the backhaul is operating in an optimal manner. In my case, the original location in my den that the second node was going to be placed on made that node light up yellow. Which meant that the backhaul connection was not at its best. Though my testing indicated that it was still plenty fast. Thus because I am OCD about these things, I had to play around with the location of each node to get it to light up white.

But what about security you ask? Well this is what I typically do when setting up a new router:

  • I disable UPnP for the reasons I outlined here.
  • I also disable WPS for the reasons outlined here.
  • If the router supports it, I use WPA3 for authentication.
  • I never use any sort of cloud management for the router nor do I expose the admin page to the outside world as those are great ways to get pwned by hackers.
  • I make sure that the firmware is up to date.
  • I use a third party DNS service rather than Rogers DNS service.
  • I disable PING, Telnet, SSH, and HNAP to make sure that the router isn’t accessible or seen from the Internet.

The only thing I haven’t done is a penetration test on this setup. I’ll do that in the coming days and update this post with the results. I don’t expect anything out of the ordinary. But other than that, everything has been positive so far. All my devices work, everything is fast. I have no complaints and I can sleep better knowing that my network is as safe as possible.

UPDATE: I got around to scanning my network from the outside using a tool called Nmap. It allows you to scan for open TCP or UDP ports and it has predefined profiles that allow you to scan for as little or as much as you want. I spent about 30 minutes scanning for open ports or services across the TCP/IP spectrum and found nothing open. Thus I am confident that my network is properly locked down.
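To turn an outside scan like this into a repeatable check against the hardening list above, here is an added example (not from the original post) that reads Nmap's grepable output (`-oG`) and reports any port not proven shut. The port-to-service mapping, the function names and the sample scan line are assumptions made for illustration.

```python
# Assumed mapping (not from the post) from its hardening checklist to the
# ports those services conventionally use on consumer routers.
CHECKLIST_PORTS = {
    (22, "tcp"): "SSH",
    (23, "tcp"): "Telnet",
    (80, "tcp"): "admin page / HNAP over HTTP",
    (443, "tcp"): "admin page over HTTPS",
    (8080, "tcp"): "remote administration (alternate port)",
    (1900, "udp"): "UPnP discovery (SSDP)",
}

# Constructed sample of `nmap -oG` output; 203.0.113.10 is a documentation address.
SAMPLE = (
    "Host: 203.0.113.10 ()\tStatus: Up\n"
    "Host: 203.0.113.10 ()\tPorts: 22/filtered/tcp//ssh///, 23/open/tcp//telnet///, "
    "80/filtered/tcp//http///, 1900/open|filtered/udp//upnp///\t"
    "Ignored State: closed (996)\n"
)

def parse_grepable(text):
    """Yield (host, port, proto, state, service) for each port entry."""
    for line in text.splitlines():
        parts = line.split("\t")
        if not parts[0].startswith("Host: "):
            continue  # comment lines and blanks
        host = parts[0].split()[1]
        for part in parts[1:]:
            if not part.startswith("Ports: "):
                continue
            for entry in part[len("Ports: "):].split(","):
                f = entry.strip().split("/")
                if len(f) >= 5 and f[0].isdigit():
                    yield host, int(f[0]), f[2], f[1], f[4]

def audit(text):
    """Return (host, port, proto, verdict, label) for ports not proven shut."""
    findings = []
    for host, port, proto, state, service in parse_grepable(text):
        if state in ("closed", "filtered"):
            continue  # port refused the probe or the firewall dropped it
        # UDP ports that stay silent show as open|filtered: not proven closed.
        verdict = "exposed" if state == "open" else "unverified"
        label = CHECKLIST_PORTS.get((port, proto), "not on checklist: " + (service or "unknown"))
        findings.append((host, port, proto, verdict, label))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

An empty result from `audit()` on a scan of your own WAN address corresponds to the "found nothing open" outcome described in the update; an "unverified" UDP entry means the scan could not distinguish open from filtered.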
