Showing posts with label Network Security. Show all posts

Wi-Fi security issues – a 5 step guide on the Common Threats and how to manage them

Today’s Wi-Fi networks are now more secure than the typical wired network in the same building. While that may seem like a bold opening statement, today this is often the case.

It is true that WLANs got off to a chequered start 20 years ago, with attackers finding ways around the early security procedures and protocols in place. Consequently, though, the industry devoted a great deal of effort and innovation towards making WLANs much more secure – and they succeeded. There are, however, still challenges in securing any network.

As we know, wireless “leaks out” to the surrounding environment, which means passers-by can see and attempt to connect to any network they choose. As a response, we need to put steps in place to mitigate this threat. For wired networks, physical barriers with locks on the doors and containment physically within the building are the traditional wired networking means of defense. However, if a person with malicious intent is able to gain physical access, perhaps through social engineering, or tail-gating, a device can be connected and access gained which, then, is an opportunity for an attack to commence.

So how have WLANs been addressing security concerns? What has the result of all that investment and innovation been?

Wi-Fi Security Methods

The Gold standard is the use of Digital Certificates. This method is preferable because, unlike user-created passwords, certificates are virtually impossible to replicate. However, this method is also the most complex to deploy for the network administrator. Unless a friendly, user self-service Enrolment System is used to automate the authorization, creation, and distribution of certificates and secure WLAN setup for users can become a time-consuming task.

The Silver standard is a username and password-based authentication – often linked to a user database such as Microsoft Active Directory. This works well, but network administrators need to implement with care, making sure that proper server certificates are deployed to ensure users address a legitimate server, and that user passwords are suitably complex. Interestingly, both password complexity and frequency of change need not be as onerous as imagined and are well explained here.

We must accept that there will be a need to support some devices that cannot support the gold or silver methods. Such equipment often compromises devices that have crossed over from the home market to the workplace as digital transformation has taken hold – smart speakers, video streamers and casters, as well as other IoT devices. Limited to Pre-Shared Key authentication, in the commercial world, the use of a unique static key per device, called Dynamic Pre-Shared Key, provides enhanced security and limitation of a breach if one key is discovered.

2019 will see the introduction of a further security enhancement called WPA3. This new Wi-Fi security standard will replace WPA2, and improve the encryption strength and ease of setup of the methods discussed above.

Role Based Access – with a suitable WLAN infrastructure, the above access methods can map to user roles. Define what is allowed for a user type and apply rules accordingly. Roles provide a plethora of controls, from VLAN allocation, through to simple port and protocol-based firewall rules up to application-based recognition and control, including URL filtering.

via Ruckus

Why do you need a VPN? (Don’t miss these 3 key security benefits.)

A virtual private network (VPN) encrypts all the data sent and received by a device connected to the internet. It does this by routing that data through the VPN’s private server. The core value of using a VPN is to prevent cybercriminals or internet service providers (ISPs) from snooping on or exploiting your unsecured internet activity.

A VPN protects you from this in three key ways, by allowing you to:

Encrypt unencrypted communications sent to and from your device
Disguise your browsing history
Connect anytime, anywhere, from any device

Dashlane’s VPN is available to all paying customers as part of our suite of digital identity protection and control features.

1. Encrypt unencrypted communications sent to and from your device

Public WiFi is very convenient for people who like to connect on the go. If you’ve ever connected to WiFi at an airport, hotel, or coffee shop, you’ve used public WiFi. But make no mistake—there is a security/convenience trade-off every time you connect to a public WiFi network.

Public WiFi networks are unsecured, which means that any unencrypted site or service you use on public WiFi could be compromised by man-in-the-middle (MitM) attacks. An MitM attack happens when a cybercriminal sits on an unsecured network and intercepts and/or modifies your unencrypted internet activity. This includes the ability to see unencrypted HTTP websites you visit and the information you submit on those websites, like your passwords. It also means a cybercriminal can modify a page or URL to trick you into submitting credentials for a normally secured site, like Gmail—otherwise known as phishing.

HTTP websites aren’t the only thing you may use online visible to a cybercriminal in a MitM attack. A number of voice over IP (VoIP) services are unsecured and unencrypted as well. VoIP is the technology that allows you to make audio calls over the internet instead of through your cellular provider’s network.

Any unencrypted internet activity can easily be intercepted and/or modified by cybercriminals via MitM attacks. A VPN encrypts all your unencrypted internet activity, from web surfing to VoIP calls and everything in between, blocking potential phishing opportunities available in a MitM scenario.

But aren’t most sites protected with HTTPS protocol?

While most popular sites use encrypted HTTPS protocol (instead of the unencrypted HTTP protocol), many of those popular websites don’t automatically redirect unsecure requests to the secure HTTPS protocol. That puts you at risk. This is also true with your email account settings. There are unsafe protocols used to receive, access, and send email, like POP3, IMAP, and SMTP. Using a VPN ensures that your browsing is always routed with encryption, and your email account settings use secure encryption protocols, like POP3S, IMAPS, and SMTPS. (The ‘S’ in all these acronyms stands for “secure”!)

2. Disguise your browsing history

What you do on the internet is private, right? Well, not really.

As it currently stands, internet service providers (ISPs) like Verizon or AT&T can have complete visibility into all of your browsing history.

They can do that because they attach your internet activity to your device’s IP address, which is a unique identifier for each device connected to the internet. This information includes your exact geographical location. They can collect personal data and may even use it to serve you ads.

A VPN disguises your device’s IP address, because all your traffic is routed through the IP address of the VPN’s server. So, your ISP can no longer see what websites you’re visiting or searches you’re making, since the traffic routed through the VPN is now encrypted.

3. Connect anytime, anywhere, from any device

A VPN is an incredibly useful tool for securing your online activity and protecting your privacy. But it would be useless if it only worked on certain devices or in specific geographic locations.

Dashlane’s VPN works instantly across all your devices, in any location around the globe, so you can stay connected and protected, no matter the situation.

via dashlane

New Gigacheck Wireless Analyzer Offers Smartphone App Connectivity to Test WiFi and Ethernet Connection Speeds

Press Release Summary:

Greenlee Textron Inc. announces GigaCheck in AirScout® line of wireless analyzers for testing Wi-Fi coverage and wired Ethernet connection. It measures signal to noise ratio, PHY rate and transmit/receive success rates on wireless networks using the industry standard Ookla® Speedtest®. The analyzer provides technicians with tools to validate connection speed on wireless and Ethernet networks and verify whether the customers receive the connection speeds they pay for and expect.

Original Press Release:

Greenlee Communications Launches AirScout GigaCheck

Easily Verify Network Connection Speeds with Greenlee® Communications AirScout® WiFi® Test System

AirScout® GigaCheck Tests WiFi and Ethernet Connection Speeds up to a full Gigabit

Vista, Calif., (June 19, 2018) — Greenlee Textron Inc., a Textron Inc. (NYSE: TXT) company, announces the addition of GigaCheck to its award-winning AirScout® line of wireless analyzers. Controlled via Smartphone app, GigaCheck tests Wi-Fi coverage as seen from the residential gateway and tests wired Ethernet connection upload and download speeds up to 1Gb in real-time.

“Today’s customer demands dependable, high-speed services and expects their service provider will deliver the speed they pay for. AirScout GigaCheck gives technicians the tools needed to quickly and easily validate connection speeds on both wireless and ethernet networks,” explains Oleg Fishel, Director of PLM for Greenlee Communications.

AirScout GigaCheck measures Signal to Noise Ratio, PHY Rate and transmit/receive success rates on wireless networks using the industry standard Ookla® Speedtest®. Upload/download and Ping tests are performed on both Ethernet and WiFi for real-time speed testing.

The AirScout unit connects to the wireless router in one-click and is controlled via a smartphone app. The simple connection and intuitive user interface of the app make it easy for technicians to verify customers are receiving the connection speeds they pay for and expect. Technicians define pass/fail thresholds based upon their SLA and can generate reports and save them in the Cloud for easy transference and transparency of test results.

BTR, Broadband Technology Report, awarded AirScout Enterprise the 2017 Diamond Technology Winner in Wi-Fi Solutions. For more information on the complete AirScout line, visit www.getairscout.com.

Greenlee, under its Greenlee Communications brand, develops Ethernet, Transport, C37.94, Fiber, DSL, Wi-Fi and Copper test solutions, tracing and locating equipment, and fiber/cable jet installation equipment. A broad product portfolio, coupled with solutions-branded Greenlee Utility®, HD Electric Company® and Sherman + Reilly®, creates a single source partner providing unmatched value to the communications and utility markets.

Greenlee Communications

The Greenlee Communications brand offers a complete line of innovative and industryleading test and measurement solutions for the communication service provider industry. Our expertise and innovative solutions address all stages of network deployment enabling the development, installation and maintenance of xDSL, fiber, cable and wireless networks. It is a leading brand of test and measurement solutions in the global communications industry with a long track record of delivering high quality innovative solutions enabling technicians to achieve their goals in a timely manner and with confidence.

Greenlee Textron Inc.

Greenlee Textron Inc. is known as a global leader in the professional tool category. The Rockford, Illinois-based company develops high quality innovative products distinguished by customer-driven design and differentiated by supply chain excellence. It also leverages its powerful brands such as Greenlee Communications and Greenlee Utility in the electrical, construction and maintenance markets worldwide. More information is available at www.greenlee.com.

About Textron Inc.

Textron Inc. is a multi-industry company that leverages its global network of aircraft, defense, industrial and finance businesses to provide customers with innovative solutions and services. Textron is known around the world for its powerful brands such as Bell, Cessna, Beechcraft, Hawker, Jacobsen, Kautex, Lycoming, E-Z-GO, Greenlee, Textron Off Road, Arctic Cat, Textron Systems, and TRU Simulation + Training. For more information, visit: www.textron.com.

Certain statements in this press release may describe strategies, goals, outlook or other non-historical matters; these forward-looking statements speak only as of the date on which they are made, and we undertake no obligation to update them. These statements are subject to known and unknown risks, uncertainties, and other factors that may cause our actual results to differ materially from those expressed or implied by such forward-looking statements.

Everyth1ng Y0u Kn0w Ab0ut P@ssw0rds 1s Wr0ng

Everyth1ng Y0u Kn0w Ab0ut P@ssw0rds 1s Wr0ng

WPA2 security flaw puts almost every Wi-Fi device at risk of hijack, eavesdropping

A security protocol at the heart of most modern Wi-Fi devices, including computers, phones, and routers, has been broken, putting almost every wireless-enabled device at risk of attack.

The bug, known as "KRACK" for Key Reinstallation Attack, exposes a fundamental flaw in WPA2, a common protocol used in securing most modern wireless networks. Mathy Vanhoef, a computer security academic, who found the flaw, said the weakness lies in the protocol's four-way handshake, which securely allows new devices with a pre-shared password to join the network.

That weakness can, at its worst, allow an attacker to decrypt network traffic from a WPA2-enabled device, hijack connections, and inject content into the traffic stream.

In other words: this flaw, if exploited, gives an attacker a skeleton key to access any WPA2 network without a password. Once they're in, they can eavesdrop on your network traffic.

The bug represents a complete breakdown of the WPA2 protocol, for both personal and enterprise devices -- putting every supported device at risk.

"If your device supports Wi-Fi, it is most likely affected," said Vanhoef, on his website.

But because Vanhoef hasn't released any proof-of-concept exploit code, there's little risk of immediate or widespread attacks.

News of the vulnerability was later confirmed on Monday by US Homeland Security's cyber-emergency unit US-CERT, which about two months ago had confidentially warned vendors and experts of the bug, ZDNet has learned.

The warning came at around the time of the Black Hat security conference, when Vanhoef presented a talk on networking protocols, with a focus on the Wi-Fi handshake that authenticates a user joining a network.

The cyber-emergency unit has since reserved ten common vulnerabilities and exposures (CVE) records for the various vulnerabilities.

Cisco, Intel, Juniper, Samsung, and Toshiba are among the companies affected.

At its heart, the flaw is found in the cryptographic nonce, a randomly generated number that's used only once to prevent replay attacks, in which a hacker impersonates a user who was legitimately authenticated.

In this case, an attacker can trick a victim into reinstalling a key that's already in use. Reusing the nonce can allow an adversary to attack the encryption by replaying, decrypting, or forging packets.

Windows and latest versions of Apple's iOS are largely immune from the flaws, according to security researcher Kevin Beaumont, in a blog post.

However, Vanhoef said the security issue is "exceptionally devastating" for Android 6.0 Marshmallow and above.

via zdnet

Here is every patch for KRACK Wi-Fi attack available right now

Monday morning was not a great time to be an IT admin, with the public release of a bug which allowed WPA2 security to be broken.

As reported previously by ZDNet, the bug, dubbed "KRACK" -- which stands for Key Reinstallation Attack -- is at heart a fundamental flaw in the way Wi-Fi Protected Access II (WPA2) operates.

The security protocol, an upgrade from WPA, is used to protect and secure communications between everything from our routers, mobile devices, and Internet of Things (IoT) devices, but there is an issue in the system's four-way handshake which permits devices with a pre-shared password to join a network.

According to security researcher Mathy Vanhoef, who discovered the flaw, threat actors can leverage the vulnerability to decrypt traffic, hijack connections, perform man-in-the-middle attacks (MiTM) and eavesdrop on communication sent from a WPA2-enabled device.

US-CERT has known of the bug for some months and informed vendors ahead of the public disclosure to give them time to prepare patches and prevent the exploit from being utilized in the wild -- of which there are no current reports of this bug being harnessed by cyberattackers.

The bug is present in WPA2's cryptographic nonce and can be utilized to dupe a connected party into reinstalling a key which is already in use. While the nonce is meant to prevent replay attacks, in this case, attackers are then given the opportunity to replay, decrypt, or forge packets.

In general, Windows and newer versions of iOS are unaffected, but the bug can have a serious impact on Android version 6.0 Marshmallow and above.

The attack could also be devastating for IoT devices, as vendors often fail to implement acceptable security standards or update systems in the supply chain, which has already led to millions of vulnerable and unpatched IoT devices being exposed for use by botnets.

The vulnerability does not mean the world of WPA2 has come crumbling down, but it is up to vendors to mitigate the issues this may cause.

In total, 10 CVE numbers have been preserved to describe the vulnerability and its impact, and according to the US Department of Homeland Security (DHS), the main affected vendors are Aruba, Cisco, Espressif Systems, Fortinet, the FreeBSD Project, HostAP, Intel, Juniper Networks, Microchip Technology, Red Hat, Samsung, various units of Toshiba and Ubiquiti Networks.

So who is on top of the game?

Aruba: Aruba has been quick off the mark with a security advisory and patches available for download for ArubaOS, Aruba Instant, Clarity Engine and other software impacted by the bug.

Cisco: The company is currently investigating exactly which products are impacted by KRACK, but says that "multiple Cisco wireless products are affected by these vulnerabilities."

"Cisco is aware of the industry-wide vulnerabilities affecting Wi-Fi Protected Access protocol standards," a Cisco spokesperson told ZDNet. "When issues such as this arise, we put the security of our customers first and ensure they have the information they need to best protect their networks. Cisco PSIRT has issued a security advisory to provide relevant detail about the issue, noting which Cisco products may be affected and subsequently may require customer attention.

"Fixes are already available for select Cisco products, and we will continue publishing additional software fixes for affected products as they become available."

In other words, some patches are available, but others are pending the investigation.

Espressif Systems: The Chinese vendor has begun patching its chipsets, namely ESP-IDF and ESP8266 versions, with Arduino ESP32 next on the cards for a fix.

Fortinet: At the time of writing there was no official advisory, but based on Fortinet's support forum, it appears that FortiAP 5.6.1 is no longer vulnerable to most of the CVEs linked to the attack, but the latest branch, 5.4.3, may still be impacted. Firmware updates are expected.

FreeBSD Project: There is no official response at the time of writing.

Intel: Intel has released a security advisory listing updated Wi-Fi drives and patches for affected chipsets, as well as Intel Active Management Technology, which is used by system manufacturers.

Linux: As noted on Charged, a patch is a patch is already available and Debian builds can patch now, while OpenBSD was fixed back in July.

The WiFi Standard: A fix is available for vendors but not directly for end users.

Mikrotik: The vendor has already released patches which fix the vulnerablities.

Google: Google told The Verge that the company is "aware of the issue, and we will be patching any affected devices in the coming weeks."

AVM: This company may not be taking the issue seriously enough, as due to its "limited attack vector," despite being aware of the issue, will not be issuing security fixes "unless necessary."

OpenBSD: Patches are now available.

Microsoft: While Windows machines are generally considered safe, the Redmond giant isn't taking any chances and has released a security fix available through automatic updates.

Netgear: Netgear has released fixes for some router hardware. The full list can be found here.

Ubiquiti Networks: A new firmware release, version 3.9.3.7537, protects users against the attack.

Check back as we update this story.

via zdnet

The Best Wi-Fi Mesh Router Systems

The Best Wi-Fi Mesh Router Systems

posted by Ted Kritsonis on October 01, 2017 in Internet & Networking, Computers and Software, Guides & Reviews, Top Picks :: 0 comments

Sometimes a single router simply won’t do. While manufacturers have made them more powerful, and Wi-Fi technology has advanced to better cover wider spaces with better range, throughput can still be an issue. Enter Wi-Fi mesh routers, networking systems that use multiple routers that “talk” to each other to cast a net that serves to improve signal strength throughout the home.

They serve a useful purpose if you have weak areas or dead zones in your living space. Wi-Fi range extenders can be decent accessories, except they don’t work seamlessly the way mesh Wi-Fi systems do. It’s hard to pinpoint one mesh system that is the “best” above all others, but there are advantages between them worth taking into account. For example, you may want more stringent parental controls, or prefer a design that can blend in with your décor.

Before you take the next step in home networking, here are some pointers to think about:

Does your home Internet Wi-Fi connection have weak or dead signals anywhere in your home? If so, you may want the range multiple routers can provide. They may also use what are called “back channels” to communicate with each other on a separate frequency for uninterrupted operation.

Do you want a Wi-Fi network that is easy to setup, manage and administer? Well, who doesn’t, really? The simple step-by-step setups inherent in mesh Wi-Fi systems extend to the app-based management tools that could include parental controls, security, media prioritization and more. You don’t need to be mechanically-inclined to run one of these like a pro. Plus, you can even access your router’s features away from home.

Do you like the idea of a Wi-Fi network that is scalable and expansive? Mesh Wi-Fi networks usually come in packs of two or three, but you can always add more single units to expand the mesh further.

Are you concerned about compatibility? No need to be. Mesh Wi-Fi routers work just like any other router does, and would be fully compatible with whatever hardware your Internet Service Provider (ISP) delivers through the modem. Your devices would also connect to them like any other Wi-Fi router.

Wondering about speed and range? The whole premise here is that you get better throughput around your home, which will improve the connection speed in areas that struggled before. Mesh Wi-Fi won’t get you faster Internet on its own — overall speed depends on what you’re paying for from your ISP.

Speaking of speed, you will see manufacturers marketing numbers like AC1900, AC2200 and AC2600. These indicate the theoretical total bandwidth the router can produce on both the 2.4GHz and 5.0GHz bands. They are more an indicator of throughput than they are of speed, though the two can go hand-in-hand. A larger number is better able to handle a greater number of devices connected to it. MU-MIMO (multi-user, multi-input, multi-output) is a newer protocol that allows compatible devices to receive bandwidth without having to queue for it. Normally, routers distribute bandwidth in sequence based on which device needs it first, whereas MU-MIMO just does it to compatible devices simultaneously.

Here’s a look at some of the top mesh Wi-Fi systems to help you out.

Best All-Around Wi-Fi Mesh Router: Linksys Velop

A play on the word, “envelop”, the Velop is a powerful starter pack trio of routers that can deliver the best combination of range, throughput and administrative features. It also blends in well no matter where you want to place the three units within your home. All three units are identical, so it doesn’t matter which one is used to plug into the modem, thereby simplifying the setup process.

The simplicity extends to the connections underneath each unit, too. There are two Gigabit LAN (local area network) Ethernet ports, plus the plug for the power adapter. None of the units have USB ports, unfortunately. LEDs at the top provide a visual indicator of connection status. Each unit has a maximum range of 2,000 square feet, so you can get 6,000 sq. ft. of coverage with a three-pack. That’s higher than competing mesh systems

Since each unit is effectively an AC2200 router with tri-band networking, each is capable of 400Mbps of bandwidth throughput on the 2.4GHz network, and 867Mbps plus 867Mbps on the 5.0GHz network. These are theoretical limits, as real-world performance won’t hit that high, but the Velop funnels bandwidth very well.

Using the iOS and Android app to setup and manage the Velop is easy, and its assortment of controls is fairly broad. Parental controls, guest network, device prioritization, MU-MIMO for supported devices, Amazon Alexa integration, and other more advanced options make this system a standout.

Size: 3.1 x 3.1 x 7.3 in. per node

Speed: AC2200 with MU-MIMO

Ethernet jacks: 2 per node

Parental controls: Yes

Price: 1-Pack is $198 on Amazon, 2-Pack is $329 on Amazon, 3-Pack is $450 on Amazon

Best for setting up a smart home: Samsung Connect Home

Samsung has taken the mesh Wi-Fi system setup others have gone with and added its own twist by throwing in a SmartThings Hub into the mix. It mirrors much of what others do in the sense that you can use the Connect Home app on Android and iOS to set up and manage the mesh system, but is also clearly aimed at users who want both a Wi-Fi mesh and smart home setup.

Doubling as a SmartThings hub, it’s possible to program and control compatible smart home devices www.smartthings.com/products from other manufacturers. It supports the Zigbee and Z-Wave protocols that are common in smart home products, and thus, can “talk” to popular devices like Philips Hue lights, Nest Thermostat, Netgear Arlo Pro and iRobot Roomba vacuums, among others. That negates having to buy a separate hub to automate and control these types of products.

As a router, the Connect Home comes in a three-pack, though a two-pack or single unit could be purchased as well, if you live in a smaller space. Each unit covers up to 1,500 sq. ft., and five is the max number for one system. Throughput is more moderate at AC1300 equivalents, so while it says 400Mbps on the 2.4GHz band and 866Mbps on the 5.0GHz band, this trio won’t be quite as potent as others, like the Linksys Velop, for instance. Alternatively, the Samsung Connect Home Pro bumps up speed and throughput to AC2600.

Still, for the ease-of-use and smart home compatibility, the Connect Home is worthy of consideration.

Size: 4.72 x 4.72 x 1.16 in. per node

Speed: AC1300 (or AC2600 for Connect Home Pro)

Ethernet jacks: 2 per unit

Parental controls: Yes

Price: Connect Home 3-Pack is $325 on Amazon, Connect Home 1-Pack is $150 on Amazon, Connect Home Pro 1-Pack is $200 on Amazon

Best for included security: TP-Link Deco M5

The only way to set up and manage TP-Link’s Deco M5 mesh system is via the iOS and Android app, since there is no web-based interface for computers. It presents a clear and concise menu to get around, aiming to keep it simple wherever it can. The built-in security software, courtesy of Trend Micro, is pre-installed and does not incur any additional fees. The antivirus screens for malicious content, infected devices and outside intrusions. It does this automatically, so you don’t have to give it much thought unless something significant happens.

Bearing in mind it’s not a super extensive security suite, the fact it’s there and working constantly is good to have. It does extend out to every device connected to the network for added peace of mind. Infected devices logging onto the network will be blocked from infecting other healthy devices too. A history section in the app lists what was caught and quarantined, including the date and time it happened. Parental controls are fairly robust as well.

As a mesh system, the Deco M5 is quite capable, offering solid range and throughput with a good feature set. The small size of each unit makes it easier to nestle into different parts of the home, and the small LED always indicates the network’s overall health and performance.

Size: 4.72 x 4.72 x 1.50 in. per node

Speed: AC1300

Ethernet jacks: 2 per unit

Parental controls: Yes

Price: 3-Pack is $240 on Amazon, 1-Pack is $100 on Amazon

Best for parental controls: Asus Lyra

Like TP-Link’s Deco M5, Asus has equipped the Lyra to offer anti-virus and anti-malware security software it calls AiProtection to help protect the Wi-Fi mesh system from outside intruders. Beyond that, however, is an impressive set of parental controls that digs deep enough to moderate and protect children’s usage.

Parental controls are available in just about every Wi-Fi mesh system, except the Lyra makes it very easy to automate how restrictions apply, so that you don’t need to always go back and change things manually. It would be possible to set a time each day that blocks Internet access entirely, or only for specific apps and websites. That would make it possible to block social media sites when it’s time to get homework done, for example. The Family Overview dashboard is the hub for all things parental control, and it’s always accessible, either at home or away.

Unfortunately, there is limited effect on mobile devices. While it’s easy to block Wi-Fi access to a smartphone or tablet, for instance, it wouldn’t be possible to allow access, yet block specific apps running on iOS or Android, for example. The true depth of the parental controls features is only found on laptop and desktop computers. To achieve something similar with mobile devices, a VPN (virtual private network) product like the Disney Circle would help.

As a mesh network, the Lyra performs very well, and is most similar to TP-Link’s system, based on performance, setup and management.

Size: 5.90 x 5.90 x 1.95 in. per node

Speed: AC2200

Ethernet jacks: 2 per unit

Parental controls: Yes

Price: 3-Pack is $400 on Amazon

Best for easiest setup: Google Wifi

When Google entered the Wi-Fi mesh category, it wanted to create something that was extremely easy to setup, and it managed to do so. The Google Wifi Android and iOS app can expedite setup by scanning the QR code at the bottom of any of the units, which then goes through a clear-cut step-by-step process.

Much of that process will feel automated because most of the work is being done in the background. To have everything up and running in as little as five minutes wouldn’t be a stretch. The hand-holding carries over to the features within the app, where navigating most of the settings and options is spelled out.

A big oversight in Google’s system is the lack of parental controls, so there is no way to filter out inappropriate content or block websites. While it is possible to block Wi-Fi access to a device for even one hour with a quick tap, it’s not as intricate as others.

Range and throughput is superb, especially when three units are working together in unison.

Size: 3.79 x 3.79 x 5.42

Speed: AC1200

Ethernet jacks: 1 on base, 2 per node

Parental controls: No

Price: 3-Pack is $270 on Amazon, 1-Pack is $119 on Amazon

Best for discreet installation: eero

The beauty of mesh Wi-Fi is that each node extends the reach of your network. But what if there isn’t a good place to seat a node? eero, which launched the mesh Wi-Fi product category, has you covered with new tiny nodes, called eero Beacon, which plug directly into outlets, making installation possible and discreet in places like hallways. The Beacons also have nightlights built-in with automatic dimming during the daytime.

While the flexibility of installation is a big selling point for the eero, it also excels in other areas. The 2nd generation eero is one of the fastest systems on the market, rated at AC2200 with MU-MIMO. And, if you’re willing to pay for the Eero Plus service ($9.99 per month or $99 for the year), you’ll get anti-malware protection for all devices and parental controls, including content blocking.

Size: 4.76 x 4.76 x 1.24 inches for the hub, 4.76 x 2.91 by 1.18 inches for the eero Beacon

Speed: AC2200 with MU-MIMO

Ethernet jacks: 1 on eero hub, 0 on eero Beacon

Parental controls: Yes, with subscription to Eero Plus ($9.99 per month or $99 per year)

Price: One eero and 1 eero Beacon: $299 on Amazon, One eero and 2 eero Beacons: $399 on Amazon

Best for range expansion: Ubiquiti AmpliFi HD

The AmpliFi system is unique in that it uses nodes that look like antennas, rather than identical units that look the same. The base unit that plugs into the modem is distinct by its design, including a small LCD to visualize network speed, among other things.

The other mesh points plug directly into power outlets with flexible antennas to angle them any which way. They are a little unseemly if in plain sight, and they need to be unencumbered by outlets above. The advantage is that they pack a real punch in achieving a wider range. Six high-density antennas in the base system (the main unit, plus two mesh point antennas) are capable of covering a theoretical max of 20,000 sq. ft. Expanding it with another mesh point would only drive that number up higher.

Blue LEDs on the mesh points illustrate the signal strength, and the AmpliFi app for iOS and Android is fairly straightforward in managing the network.

Being unique mesh points that plug in and stick out from outlets, there are no Ethernet ports onboard to use as wired ports for devices to connect via Ethernet. The AmpliFi HD might also be overkill for smaller homes, whereas the less expensive AmpliFi LR (Long Range) can cover the same ground, albeit with four high-density antennas inside the main unit.

Size: 3.91 x 3.85 x 3.92 for the base, 1.81 x 7.05 x 1.06 for the mesh points

Speed: AC1750

Ethernet jacks: 4 outputs, 1 input on the base

Parental controls: No

Price: High Density system is $312 on Amazon, Long Range system is $306 on Amazon, Mesh Point HD is $109 on Amazon

[Image credit: Linksys, Samsung, TP-Link, Asus, Google, eero, Ubiquiti]