Do you see things a little differently?

Monday, October 3, 2016

A Review of the Linksys (Belkin) EA9500.

Linksys EA9500


Calling this a review might be a little ambitious. Many people have already reviewed the product's performance and features. The goal of this blog is to point out a few concerns that I have with the system.

Environment

Router: Linksys EA9500 
Hardware Version: 1.1 
Firmware: 1.1.6.173418.

First Impressions

The router has a default IPv4 address of 192.168.100.1. I connected the router to my laptop and went to https://192.168.100.1. After a brief wait for the browser to time out, I dropped the attempt to use a secure connection by changing from HTTPS to HTTP and was presented with the login screen. The lack of security out of the box is sad, but not a deal breaker. As I went through the configuration, I found a checkbox to enable HTTPS for administration. There is also a checkbox for HTTP, which is checked but grayed out to prevent it from being deselected. It's good that they support secure connections, but not great that you can't disable HTTP.

Insecurity

When the basic network setup was complete, I shut down the router and replaced my old existing router with the new unit. This time I was able to use HTTPS... almost.


As most will have noticed, the newest browsers are beginning to provide feedback when a connection may not be secure. Clicking on the warning symbol in the URL box will bring up information about the connection and provide feedback on why the warning has appeared.

The browser is looking out for me. In order to get to the site, I need to click on Advanced, and then Proceed. Kind of a pain for every time administration needs to be performed. The reason for this becomes quickly apparent when we drill in using the warning icon.




From here, we can select the "View Certificate" button and get more information.

Well, there you go then... the certificate expired in 2010, almost exactly 6 years ago from today (10/03/2016). What would possess them to use a 6-year-old certificate in a brand new product?

Okay, this goes beyond stupid. The certificate was issued by and to ut610n when Linksys was owned by Cisco! Can someone explain why Linksys, now owned by Belkin, is using a Cisco certificate? If you are not going to use an authoritative certificate issued by a trusted authority, is there some reason that you can't issue a new self-signed certificate that is at least valid for the next 5 years? How lazy can you be?
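The same findings (expired, and issued by and to the same name) can be pulled from the command line instead of the browser dialog. This is an added example, not part of the original post; it assumes the `openssl` command-line tool, and the function names and the throwaway sample certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the certificate an admin interface presents.

# Save the leaf certificate a host presents, without validating it
# (validation is exactly what fails on this router).
fetch_cert() {  # usage: fetch_cert HOST PORT OUTFILE
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$3"
}

# Print one finding per line for a PEM certificate.
# $2 = look-ahead window in seconds (0 = "is it expired right now?").
cert_findings() {
    pem=$1; window=${2:-0}
    subject=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253) || return 2
    issuer=$(openssl x509 -in "$pem" -noout -issuer -nameopt RFC2253) || return 2
    # Same name on both sides: no certificate authority vouches for it.
    if [ "${subject#*=}" = "${issuer#*=}" ]; then
        echo "self-issued: ${subject#*=}"
    fi
    # -checkend exits non-zero when notAfter falls inside the window.
    if ! openssl x509 -in "$pem" -noout -checkend "$window" >/dev/null; then
        if [ "$window" -eq 0 ]; then echo "expired"; else echo "expires-within-${window}s"; fi
    fi
    openssl x509 -in "$pem" -noout -enddate   # notAfter=... for the report
}

# Constructed sample: a throwaway self-signed certificate valid for one day,
# standing in for the router's certificate so the check runs offline.
make_sample_cert() {  # usage: make_sample_cert OUTFILE
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-router" -keyout "$1.key" -out "$1" 2>/dev/null
}
```

Against the router itself, `fetch_cert 192.168.100.1 443 router.pem && cert_findings router.pem` reports the expiry date and whether the subject and issuer match.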


Logging in

The login screen has two versions: there is a local login and a Smart Wi-Fi login.
The local login, shown here, only requires a password. If you are setting up for the first time, it will be the default. If you have logged in at least once, you should have been prompted to change the password.
The Smart Wi-Fi login utilizes a cloud account and is what allows you to manage the router using a smart device app (iOS or Android). What isn't immediately clear is that the Smart Wi-Fi account is different than your Linksys account.

It took messing with this, and a support call before I got this resolved (by creating the other account). I will not lay blame with Linksys for this, but I will suggest some obvious text letting us know that this is not the Linksys web account.

Another Security Concern

I do have a concern over their password policy. This account is accessible from the Internet, and yet their password policy is very limiting. Eight characters or more isn't bad, but I'm very disappointed that non-alphanumeric characters are not allowed. 

In-Interface Speed Test

The administration interface has a link that pops up a speed test. This is a nice idea that saves a few clicks. Unfortunately, it runs into an issue with the secure connection. 
Because I am using the secure browser connection, the browser has a fit when the link attempts to pop up a window which only uses HTTP. The result is a Speed Test that looks like this...
The window pops up, but it will not return the insecure page.


Smart Wi-Fi Application

The Smart Wi-Fi application actually seems to be well written. It looks like I can adjust any setting from my phone, no matter where I am. I could see this being useful if a parent wanted to update parental controls, allowing or preventing access by time and/or device. Nothing like messing with the kids without them knowing. I personally don't have any need for this (yet), and the best feature for me at this point is an alert when my Internet connection drops. I'm assuming this works, but I haven't tested it yet. What it does suggest is an active connection from the Linksys servers to my router, and I once again have to wonder just how secure this is. So far, I am not impressed with the security on the router itself. I will be digging into this as time permits and may ultimately look into disconnecting the router from the cloud engine.

Dynamic DNS

The EA9500 has a configuration screen for updating Dynamic DNS. I chose No-IP.org because they are free. I entered my No-IP login, and after a moment the status updated to "Failed". No idea what the issue is, and I don't have time to mess with it. My only other issue with this feature is that the password field for No-IP shows my account password. Anyone who can see my screen could read the password when I'm on that function. Not a good design.

Conclusion

Overall the EA9500 has been working well, and clearly has good hardware performance. I definitely like the 8 1Gb ports for connecting my small Data Center. My issues are with the software (firmware) and what are some very poor decisions by the developers. The unit is advertised as an advanced unit for home users, or for small business, yet I don't see a few key functions which would make this a business unit. My expectation would be to have a VPN server, allowing a remote worker or two access to the company. There should also be a VPN client, allowing the unit to tunnel to another location, while still providing Internet access and a local network. These functions are all available in WRT. I would love to see a version of WRT (DD-WRT or OpenWRT) made for this hardware. I have used DD-WRT extensively in the past and been very impressed by its features, capability, and security. Until then, I will just need to live with what it has.