Network Security, Evolved
Cybersecurity expert Bitdefender started the home security hub market in 2015 with the BOX. It was an interesting and generally well-received device that gave birth to a new product category. But are such devices necessary? I kept asking myself: Why do I need a security hub when my router has a firewall? Turns out there’s good reason (several, actually) to have one.
Yes, every router has a firewall. Yes, it’s always “on”. But typical router security is passive, meaning it’s not actively monitoring the network and assessing the behavior of connected devices. Besides, what good is a firewall, or any security, if it can’t alert you to a problem? It’s the equivalent of a smoke detector with no alarm. The reality is online threats have evolved but home network security hasn’t really done the same, until recently.
Enter, the BOX
The BOX is first and foremost a security hub. That’s how Bitdefender markets it and how I suggest you approach it. Its router section is a secondary feature that can be disabled depending on the type of configuration you choose. That being said let’s get this out of the way up front: If all you want is a router and you don’t care about advanced security features there are plenty of better performing and less expensive options.
The original BOX was a small “puck”, similar in size to the older Apple TV or Roku with decent but not impressive hardware specs. Based on reviews it performed well as a security device but the router section lacked strength and speed and was generally underwhelming. Plus it had a minuscule 64 Mb of storage capacity.
Now in its second generation (released Dec. 2017) the new Bitdefender BOX has upped the ante both in terms of its award-winning security software and considerably more robust hardware. In short the BOX 2 has more of, well, everything.
Watch and Learn
Of all the features the one I was most curious about is what Bitdefender calls “Anomaly Detection” or machine learning. The BOX “learns” how each connected device behaves under normal operating conditions so any deviation, e.g. someone hacking a “smart” security camera — something which might otherwise go unnoticed — triggers a block. It will even protect you from inadvertently sending sensitive personal or financial information over an unencrypted connection. In short, the BOX goes far beyond the passive security of a typical router.
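A minimal sketch of the per-device baseline idea described above, added here as an illustration; it is not Bitdefender's algorithm or code. The flow records, device names, hosts and thresholds are constructed assumptions.

```python
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    device: str        # constructed device label
    dst: str           # destination host
    port: int
    tls: bool          # True if the connection is encrypted
    bytes_out: int
    payload: str = ""  # only inspectable when tls is False


class DeviceBaseline:
    """Per-device profile: endpoints seen while learning and typical upload size."""

    def __init__(self):
        self.endpoints = set()
        self.sizes = []

    def learn(self, flow):
        self.endpoints.add((flow.dst, flow.port))
        self.sizes.append(flow.bytes_out)

    def upload_limit(self, k=3.0):
        mean = statistics.fmean(self.sizes)
        spread = statistics.pstdev(self.sizes)
        # Floor the spread so a very regular device does not alert on small jitter.
        return mean + k * max(spread, 0.1 * mean)


CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits):
    """Luhn checksum, used to cut false positives on arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def leaks_card_number(flow):
    """True when a plausible card number is visible in an unencrypted payload."""
    if flow.tls:
        return False
    for match in CARD_RE.finditer(flow.payload):
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


def train(flows):
    profiles = defaultdict(DeviceBaseline)
    for flow in flows:
        profiles[flow.device].learn(flow)
    return dict(profiles)


def evaluate(profiles, flow):
    """Return (verdict, reasons) for one flow observed after the learning phase."""
    reasons = []
    profile = profiles.get(flow.device)
    if profile is None:
        reasons.append("unknown device")
    else:
        if (flow.dst, flow.port) not in profile.endpoints:
            reasons.append("new destination")
        if flow.bytes_out > profile.upload_limit():
            reasons.append("upload volume above baseline")
    if leaks_card_number(flow):
        reasons.append("card number over unencrypted connection")
    return ("block" if reasons else "allow", reasons)


# Constructed learning data: a camera that only talks to its vendor cloud,
# and a laptop that browses a plain-HTTP shop.
LEARNING = (
    [Flow("camera", "cloud.camera-vendor.example", 443, True, n)
     for n in (5200, 4800, 5100, 4950, 5050)]
    + [Flow("laptop", "shop.example", 80, False, n) for n in (280, 320, 300)]
)

# Constructed observations after learning.
OBSERVED = [
    Flow("camera", "cloud.camera-vendor.example", 443, True, 5000),
    Flow("camera", "203.0.113.50", 23, False, 900),
    Flow("camera", "cloud.camera-vendor.example", 443, True, 250_000),
    Flow("laptop", "shop.example", 80, False, 300, "card=4111111111111111&cvv=123"),
]

if __name__ == "__main__":
    profiles = train(LEARNING)
    for flow in OBSERVED:
        print(flow.device, flow.dst, flow.port, *evaluate(profiles, flow))
```

A detector like this also shows why alerts need context: a firmware update or a new vendor endpoint looks identical to a compromise until someone reviews it and re-learns the baseline.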
Finally, to tie it together all devices and alerts are centrally managed from Bitdefender Central (mobile app and Web-based) which might also be one of the more important and overlooked selling points. So with all of that in mind let’s get started.
The Other Players
As of this writing there are only a handful of similar products currently available that I’m aware of, but not all offer the same level or type of security features, nor do they all function as a router. Here are a few, though there will certainly be more.
I haven’t tried any of these so I can’t say how they compare to the BOX but here’s a feature comparison table for the BOX, Cujo and Norton Core from the Bitdefender website.
UnBOXing First Impressions
The BOX comes in a sturdy and very nice-looking, uh... box. I've bought some high-end stereo gear that wasn’t packaged this nicely so I was pleasantly surprised to see such consideration given to the packaging of a network device. It looks like something Apple would have designed.
The first thing you notice when you remove the BOX from its packaging is how light it is given its size. You would be forgiven for thinking it was empty but a look through the top grate reveals a single circuit board. Given its impressive feature-set I expected it to be stuffed to the gills with hardware. I admit I’m someone who (perhaps foolishly) equates solid and heavy with quality but make no mistake, the BOX is all business. The A9 processor runs slightly warm so I assume(?) the empty space is necessary for cooling in the absence of a fan and is not the byproduct of an aesthetic choice. In any case it’s dead quiet.
The BOX has a clean aesthetic as a 7.5" x 4" x 4" rounded triangle with three shiny cream-colored panels attached to a matte dark gray central structure. There’s a bright bluish-green “ring” status light that glows from behind the front panel, cooling perforations running down the triangle’s “points” and top and bottom plates, and three rubber feet. Though not small or discreet it is to my eye a reasonably attractive piece of kit, more so than the Norton Core’s geodesic design. I like having it in plain view but there are a couple things I might change. Keep in mind I’m nitpicking, none of them are deal-breakers.
I would prefer it were smaller and/or shorter. At nearly 8" tall with a smallish footprint and featherlight weight I’ve found the weight of two ethernet cables hanging off the back — which probably weigh more than the BOX — can sometimes create a bit of instability if placed near the rear edge of a table, console etc. where the cable weight, if unsupported, can “pull” on the tall lightweight BOX. For example, Cat7 cables are heavier and stiffer which doesn’t help the situation. Also, it would be nice if the status light could be user-disabled and only come on if/when an issue arises or for firmware updates. It’s rather bright.
The BOX includes a one-year subscription to the Bitdefender Total Security software suite. There are desktop and mobile apps for macOS, Windows, iOS and Android which complement and extend the BOX’s security features to provide virus and malware protection (and much more) on individual computers and mobile devices whether you’re at home or out in the world and no longer connected to the BOX network. Even better, the apps can be installed on an unlimited number of devices.
After the first year Total Security costs $99US per year. Strictly speaking you don’t need to buy the security software to use the BOX but it’s kind of pointless if you don’t. When you consider the quality of protection and the unlimited devices it covers the cost is extremely reasonable at ~$1.90/week.
The BOX maintains an encrypted connection to the Bitdefender servers which allows you to conveniently manage your connected devices via Bitdefender Central and also keep virus definitions up-to-date.
Since the service requires the use of Bitdefender’s mobile app(s) or website to manage devices you might wonder how much access, if any, Bitdefender has to the devices connected to the BOX network. I contacted Support with that very question and here’s their response:
Bitdefender does not have access to the devices that you will connect to the BOX network. In fact, our department uses Team Viewer to remotely connect to customers in order to troubleshoot, therefore, we ask for consent and we have limited access. We do see in our database a list of the names of the devices in your network and if the BOX is active or not, the same information that is displayed on your end.
The only device that we can virtually access is the Bitdefender BOX itself, but that is only in certain circumstances and under one form:
- We only connect to the BOX when troubleshooting is necessary and we ask for permission from the customer to gather the latest logs from the BOX itself.
- We can only access the Bitdefender BOX from our end with your consent, and the only visible information on our end regarding the BOX would be the logs, in the form of text.
Configuration Options / Setup Requirements
Setup instructions and videos can be found on the Bitdefender website but only the Central mobile apps can be used for the initial setup. There are 3 configuration options available depending on whether you use:
- The all-in-one modem/router provided by your ISP.
- Your personal modem and router (which is what I use).
- The BOX as a standalone router.
Setup Requirements
- Broadband Internet Connection (Cable/DSL/UTP)
- Bitdefender Central Mobile App (iOS and Android)
- A mobile device with:
  - 4G/3G data connection
  - iOS 9 or higher
  - Android 4.4 or higher
Once set up you can use the Central mobile app, or to a lesser extent the Web interface, to (partial list):
- Add new users
- Assign a specific device to a specific user
- View bandwidth usage by the hour
- View threats for the past 7 days
- Manage parental controls
- Manage detected threats per device (block/unblock)
- Manually run a Protection and/or Vulnerability scan on a device-by-device basis
- Edit the device name and icon
- Configure the parental controls
- Pause Internet on a device-by-device basis
- Port-forwarding for individual devices
The Bitdefender Central Web interface (below) was a little buggy for me initially but it’s working nicely now and offers basic management features, though the mobile apps do provide more options. The Web interface lacks any router settings, and the mobile apps offer limited network settings. The following settings are only available when using the BOX as a standalone router (except where noted *), otherwise they are disabled. Presumably your existing router(s) would have these settings and many more.
- Wi-Fi name and password
- LAN address
- WAN (DHCP, PPPoE, Static IP)
- Custom DNS servers
- Guest Network*
*The Guest Network feature was added September 2018 and is (most likely) intended for when the BOX is used as a standalone router. Surprisingly however, it can also be enabled when using the BOX with your own router acting as the “primary”. Normally in such a configuration the BOX’s Wi-Fi is disabled by default since the primary is running the [router] show, but enabling the Guest option partially overrides this setting. Also, keep in mind the (primary) router must be physically connected to the BOX, so unless you plan to run a long length of ethernet cable to another area of your home there will be two different routers in very close proximity, each broadcasting their own signal. Not an ideal scenario. So if your own router supports a Guest Network in AP/bridge mode (most do) then it’s preferable to configure it there and leave the BOX’s Guest option disabled.
Protection and Vulnerability Scanning
Depending on the type of device that connects (computer or non-computer) the BOX will automatically run a protection or vulnerability scan, or both. A notification will appear in Bitdefender Central to let you know a device has connected and the result of the scan, good or bad. In the case of a problem the alert will contain a very brief description of the threat or vulnerability. Whether it’s something you can resolve from your end will depend on the type of problem detected. For example, a weak username/password is easily fixed but a software defect in a connected device is not (see below).
Threats are blocked by default though you can always override it with an “Allow” option. Devices can also be blocked and sites and URLs whitelisted. My question is: How do you know when it’s safe to “Allow” a detected threat or device? That’s where the BOX alerts come into play.
Different types and levels of manual protection and vulnerability scans can be performed on a device-by-device basis at any time. Again, depending on the type of device (computer, mobile, or non-computer/IoT) there will be different available options. Not surprisingly computers and mobile devices have the most thorough scanning options (below):
- Network Vulnerability Scan
- Quick Scan
- System Scan
Below are two examples of actual threats the BOX caught on my personal devices.
Denial of Service: Canon
When I connected a Canon printer I was immediately alerted to a very serious Denial of Service (DoS) vulnerability in the Canon software but was assured the printer was protected while on the BOX network. Although the BOX can’t fix software issues in other products I contacted Canon support and provided a screenshot of the alert in the hope they might take action to resolve it (they haven’t). Below is a screenshot from my Bitdefender Central account Web interface.
“Dangerous URL” Blocked: Netflix
Below are screenshots from my Bitdefender Central account (Web interface). The culprit? It seems the “Dangerous URL” belongs to the Netflix channel on my Roku 2 which I had to suss out on my own since the BOX appears unable to resolve an IP to a domain name.
It’s good to know the BOX can monitor what individual Roku channels are doing, and is another example of a problem I would have never known about were it not for the BOX. I have for the time being chosen to keep the block in place.
Main Notifications list (left); details of Roku notification (right):
A Note About ‘Nest’
I have several Nest Protect smoke and CO alarms installed. By design they only connect to the home network once per day for a few seconds as part of their diagnostic tests, otherwise Nest uses its own proprietary wireless protocol to communicate with other Nest devices. Although the alarms appear in my Central account their status is “Disconnected” despite being “on” and operating normally. I was confused by this so I contacted Bitdefender support.
Bitdefender remotely ran a diagnostic test on my BOX (with my permission) and confirmed it can only detect the Nest during the very brief daily alarm tests. It seems Nest is able to “hide” its network footprint most of the time, even from the BOX. The alarms are still protected by the built-in Nest security (though I have no idea how good it is) and also checked for vulnerabilities by the BOX, albeit only once per day instead of 24/7 monitoring which is clearly less than ideal. Bitdefender has informed me that they will order a Nest Protect to test in-house so I will update this section if and/or when necessary.
Clearly Bitdefender is on their game as they consistently score very well according to the AV-Test Institute. But new threats pop up often and unexpectedly; as such, cybersecurity is a moving target and no device will be 100% secure 100% of the time against 100% of threats. The key is how quickly and effectively they can identify and respond to new threats by releasing software updates, which I am happy to say is a daily occurrence. Still, it requires a degree of trust (or perhaps faith) that Bitdefender can stay ahead of the curve most of the time.
Virtual Private Network
On April 18, 2018 Bitdefender added an optional VPN service to their Total Security subscription (included with the BOX) that is powered by Hotspot Shield. The free plan allows up to 200 Mb per day or you can pay $40/yr. for unlimited data.
Considering that privacy, security and trust are at the core of all these services I find it curious Bitdefender chose to partner with a company who in 2017 was accused of violating its own privacy policies by the Center for Democracy & Technology (CDT), a nonprofit advocacy group for consumer privacy rights. At best the optics don’t look great, especially when there are dozens of VPN services Bitdefender could have chosen. However, in fairness to Hotspot Shield — aside from the privacy issues — the service does routinely score pretty high overall. Whether that’s enough to compensate for the negatives is for you to decide. I applaud the addition of a VPN but I question the choice of provider.
Internet of Things (IoT)
So what exactly is an Internet of Things or “IoT” device? It’s a parent term referring to any type of non-computer home appliance that communicates wirelessly to the Internet or other devices via a network. They are also commonly referred to as “smart” devices. A few examples include:
- Lightbulb; doorbell
- Smoke/CO2 alarm; thermostat
- Appliances (washer/dryer, refrigerator, oven, toaster etc.)
- Security camera
- Lifestyle hub (Apple HomePod, Amazon Echo, Google Home etc.)
- Child and adult toys
The type and number of IoT devices is enormous and growing every day. What’s also growing are IoT security vulnerabilities, which is why it’s important to factor these devices into your broader network security strategy.
Fortunately a big selling point of the BOX lies in its ability to secure IoT devices. Despite being a relatively new category these devices already exist in tens-of-millions of homes across the planet with no sign of slowing down as society moves inexorably towards “smart” homes and cities. According to research firm International Data Corp the IoT market will be “surpassing the $1 trillion mark in 2020 and reaching $1.1 trillion in 2021”.
Then there’s this pearl:
IoT hardware will be the largest technology category in 2018 with $239 billion going largely toward modules and sensors along with some spending on infrastructure and security.
Did you catch that?
Some spending on security. Pretty much sums up the problem, huh?
IoT: An Inconvenient Truth
A lot of IoT devices are little more than novelty gadgets while others are practical, even life-saving. But they all suffer from the same fatal flaw to one degree or another: They have very little or no security features, nor can security software be installed on an IoT device like it can on a computer so you’re at the mercy of whatever built-in safeguards the manufacturer includes, if any.
What’s more, since IoT devices are controlled with software, usually a mobile app, not only is the hardware (device) vulnerable to attack, so is the management software. Even if it were possible to install IoT security software on a device-by-device basis (which it’s not) who would do it? Who would want to? It would quickly become a management nightmare. Most people barely think of their computer’s security as it is, who would think about or bother with a “smart” toy or toaster?
According to some estimates at least 70% of IoT devices have critical vulnerabilities. Even if that number seems high it’s fair to say that as a category they are sorely, even dangerously lacking in safeguards. They present gaping holes through which someone could, with minimal effort, gain access to your entire network and every connected device. It’s like locking the doors of your home but leaving the windows wide open.
The question is, how secure is secure enough for an IoT device? There are practical considerations like cost and feasibility, and without an established standard it’s unrealistic to expect every manufacturer to view IoT security in the same light, much less invest the necessary resources. The reality is IoT devices are and will continue to be a network’s Achilles’ heel. The upshot is the BOX has you covered.
As mentioned the BOX is equipped with a router so let’s take a closer look at its specs and performance.
- Dual Core Cortex A9 @ 1.2 GHz
- 1 GB of DDR3 memory
- 4 GB internal storage
- Concurrent Dual band Wireless 2.4 GHz & 5 GHz
- MU-MIMO 3x3 antenna configuration
- IEEE 802.11a/b/g/n/ac
- Wave-2 @ AC1900
- 1 x WAN port - 10/100/1000BASE-T Ethernet
- 1 x LAN port - 10/100/1000BASE-T Ethernet
Around back is the A/C jack, reset button and two ethernet ports. Sorry, no USB. The lack of multiple LAN ports will be a problem for some but it doesn’t have to be. High-quality plug-n-play network switches like the TP-Link 8-Port Gigabit Desktop Switch TL-SG1008D can be found for ~$20 and less. Quite frankly switches are an (almost) obligatory device for any network, so just get one and don’t worry about the lack of ports.
Based on the marketing material it seems Bitdefender prefer the BOX be integrated into an existing network rather than used as a standalone router which begs the question: Why include a modest but capable router then downplay that feature?
My guess is that it (most likely) has less to do with the hardware and more to do with the limited configuration options. Of course this has absolutely no bearing on its usefulness as a security device, but I can see how it could limit its appeal for those who expect such things. I would hope this is something Bitdefender could flesh out at some point via a firmware update.
My (non-BOX) Network
To improve speed, stability and security I recently switched from an all wireless network to a pseudo wired one. Nearly all of my devices (desktop computers and peripherals) are now wired to the network via a switch and/or powerline adapter. Wireless usage (laptop, phone and tablet) is usually within 10 ft. of an access point so signal strength is not an issue. My network kit includes:
- Two (2) Ignition Design Labs Portal routers operating as a mesh.
- Six (6) TP-Link AV2000 Powerline Adapters.
- Three (3) TP-Link Network Smart Switches.
- ARRIS Surfboard modem.
- Category 7 ethernet throughout.
BOX Configuration Options
As mentioned above there are three configuration options depending on whether you’re using:
- An ISP provided modem/router. *The BOX’s Wi-Fi will be disabled.
- A personal modem and router. *The BOX’s Wi-Fi will be disabled.
- The BOX as a standalone router. *The BOX will broadcast its Wi-Fi.
The BOX and a Personal Router
First I used the BOX alongside my personal router (Ignition Design Labs Portal) which requires setting it in AP/Bridge mode. Frustratingly I had to run through the setup a few times, resetting the BOX after each attempt before I finally figured out what I was doing wrong.
At varying stages of the setup process it requires the plugging, unplugging and reshuffling of modem, router and BOX cables along with changing networks. None of it is difficult but it’s very easy to get ahead of yourself and move on to the next step before the router and/or modem has had sufficient time to reestablish a connection to the network.
1) After unplugging/plugging the BOX or modem always ensure they have (re)connected to the network before proceeding to the next step.
2) When you reach the step where you need to place the router in AP/Bridge mode it's quicker and easier (but not necessary) to use a different device (laptop or mobile) to access the router settings.
This was my problem. After disconnecting/reconnecting cables I wasn’t waiting long enough for the network to become available so of course when I moved to the next step the setup failed. Once I realized my mistake the setup worked perfectly.
As a Standalone Router
To backtrack a little… because of the Groundhog Day loop I found myself in (above) I took the opportunity to try the BOX on its own, the setup for which is so simple even I got it right on the first attempt. It’s worth noting that by necessity the BOX was installed in a less-than-optimal corner near a bank of windows (reflections) and a lot of electronics (interference) so I was impressed to find the BOX pumps out a better-than-expected signal, both in strength and coverage (see results below). Just to be sure it wasn’t a fluke I streamed two simultaneous 4K movies to two devices on different floors over Wi-Fi only and I’m happy to say it was free of buffering or any other issues.
As a “Filler”
You won’t find this particular configuration in the docs but it’s a variation of the standalone option (above) that I stumbled upon early on when I was struggling with the “personal router” option (above). After disconnecting the Portal routers I configured the BOX as a standalone (primary) router using the same name and password as my current network. Then I reconnected the routers, placed them in bridge mode, and moved them to other rooms on different floors, far away from the BOX.
It wasn’t a terrible setup but I still wouldn’t recommend it. Yes, I got the added benefit of the BOX’s Wi-Fi signal while gaining better coverage in the troublesome dead-spots on the second floor and attic via the Portal routers operating as a mesh which were also protected by the BOX. The downside? The BOX was independent of the Portal mesh and in general the whole thing felt hacky.
Each setup process is nicely illustrated via screenshots, video and within the Central app, and should be relatively easy to follow for non-techies. However, I found the process not as plug-n-play as I had hoped. There isn’t much in the way of troubleshooting tips should you run into problems but Bitdefender offers free and friendly phone, live chat and email support should you get stuck.
Speed... (Not The Movie) And Strength
A total of 24 wireless speed and 24 signal strength measurements were taken at the same six locations on each floor (6 measurements x 4 floors x 1 router) with results averaged by floor and type, respectively. All measurements are specific to the BOX functioning as a standalone router, i.e., the Portal routers were completely disconnected. I also use VyprVPN which I disabled for testing.
About the Structure
The house is a century old and overbuilt with two stories, a full attic and basement, solid plaster walls, and a lot of signal-absorbing obstacles. In short, a challenge for 5 GHz.
Wired measurements taken with Speedtest on a MacBook Pro connected to the BOX’s LAN port with a 7' Cat. 7 ethernet cable.
I easily exceeded 60 Mbps with the BOX on a wired connection. Speeds in the mid 70s were not uncommon with a high of 110 Mbps.
Wireless measurements taken with Speedtest on a MacBook Pro using the 5 GHz band only. I was not able to get the MBP to connect on 2.4 GHz.
- First Floor
- 61 Mbps
- Second Floor
- 52 Mbps
- 57 Mbps
- 41 Mbps
After reinstalling the Portal routers into the BOX network there has been no noticeable or measurable change in speed. Bitdefender claims the BOX should have very little or no impact on speed and based on my tests and daily usage this seems to be an accurate claim.
Signal Quality and Strength
Signal and strength measurements taken with WiFi Explorer which defines Quality as: Excellent, Good, Poor, Very Poor and Strength as a percentage (higher is better).
- First Floor
- 2.4 GHz: Excellent; 93%
- 5 GHz: Excellent; 82%
- Second Floor
- 2.4 GHz: Good; 73%
- 5 GHz: Poor; 54%
- 2.4 GHz: Good; 76%
- 5 GHz: Good; 71%
- 2.4 GHz: Good; 83%
- 5 GHz: Good; 69%
Quality and Strength Summary
Not surprisingly the 2.4 GHz band had great range across the house, easily penetrating all obstacles. However, on the second floor 5 GHz is less impressive which isn’t surprising considering it’s a perfect storm of obstructions, corners and dead-spots, yet the attic 5 GHz is considerably better. Considering the structural hurdles, overall performance, while not stellar, is better than expected.
Should you use the BOX as a standalone router? As a simple plug-n-play router it performed surprisingly well in my multi-level signal-absorbing home, even with multiple 4K streaming. For the average user with a small-ish space to fill it should work nicely. Just don’t expect much in the way of configuration options.
To BOX or Not
So-called “smart” technology is (probably) the future, for better and worse. The simple static router firewall is no longer enough now that every connected device in our home makes for a target-rich environment. Still, it’s easy to dismiss products like the BOX as the domain of obsessive and paranoid “security types”.
Odds are most of us will never have an IoT device targeted by a hacker despite the apparent ease with which it could be done. The probability of a child’s smart toy, lightbulb, or security camera etc. being used to invade our home is statistically slim in my opinion. Yet it probably happens to someone every-single-day.
In an age where society is always online it’s fair to say most of us are guilty of the occasional lapse of online judgement, having visited a sketchy website, clicked a questionable email link, or downloaded an infected file. All of which makes computers and mobile devices more likely entry points for threats to the average person than someone hacking a smart refrigerator. Such is the reality of a “connected” life. Still, why risk it?
As a security hub the BOX has what I consider the most comprehensive feature-set among the current crop of devices. Make no mistake, combined with Bitdefender’s well-established cybersecurity track record the BOX is a formidable, all-encompassing security package. I’m not a fan of subscription software but in this case I have no problem with the $99/yr. Total Security fee which is very reasonable for what you get. But perhaps the most important and overlooked feature is the deep integration and convenience of Bitdefender Central which makes device management a pleasure. True, the alerts could use some refinement to improve their usefulness to non-technical users but overall it really is the glue that holds everything together.
The Elephant in the Room (Part Deux)
Advanced (“smart”) security features are slowly making their way into dedicated routers. If like most people you own a (dumb) “static firewall” router then the BOX is easy to justify as it handily outperforms typical router security. But if you already own or plan to upgrade to one of the newer security-centric “smart” routers then the path is less clear as there will inevitably be some overlap of features and functionality.
The BOX as a Router
My guess is the majority of people will use their existing router(s) to handle networking duties making the BOX’s router section unnecessary. Fortunately Bitdefender has provided a way to disable it during the initial setup so as to not get in the way. In fact, it’s probably safe to assume most BOX users have zero need or interest in the router and simply want a powerful and effective security hub, so perhaps it’s unfair to focus too heavily on router configuration. But therein lies the rub.
Given its primary function as a state-of-the-art consumer security device I don’t know why Bitdefender included a wireless router but they did, so it’s reasonable to expect more than a handful of settings. It’s as though a piece of the puzzle is missing. Are advanced router settings necessary on a security hub? Probably not. But neither is a router, and having one without the other seems fundamentally... wrong.
Nevertheless, whatever limitations the BOX may have when compared to a dedicated wireless router it performed well in both speed and coverage and should work nicely on its own for those with modest needs and a small to medium space, or if your network would benefit from a little extra “filler” coverage.
The BOX checks a lot of, uh... boxes. Bitdefender provides what is arguably some of the most effective and comprehensive cybersecurity software currently available for consumers... anywhere. Period. That is the BOX’s greatest strength. That it also comes with a capable router is icing. No, it’s not inexpensive to own or operate, and the value of the $99/yr. subscription will depend on your priorities. But for me, as I slowly add more IoT devices to my network the peace of mind is worth the expense.