Secure WiFi Router Features
Per Device Passwords
SPR supports one WiFi password per device. It uses the password and MAC address combination to establish the identity of the device on the network. Never worry about changing all of your WiFi passwords again. Multiple passwords on the same SSID also improve airtime because beaconing is not needed for each SSID as with most legacy WiFi security designs.
SPR supports both WPA3 and WPA2 for this feature.
Per Device Network Isolation
SPR places each device into its own isolated network, and then uses firewall rules to securely connect devices together again. We do this automatically through the use of VLANs. Don't know what a VLAN is, don't worry, you don't need to and neither do your devices!
SPR gives each device a /30 "tiny" network and routes all LAN communication through the router. Together, the subnets form a supernetwork. On most WiFi APs, devices can choose to talk directly to each other using the group encryption key; SPR instead enforces device isolation.
There is also no need to worry about the number of VLANs or about performance; SPR's design handles both.
A supernetwork is a type of overlay network that joins multiple smaller networks together.
Pivot Protections
In the event that an attacker somehow obtains WiFi network access, they might attempt to bypass the VLAN via traditional layer-two attacks such as ARP spoofing and MAC address spoofing. That's going to be pretty challenging: firewall rules automatically pin the authenticated device to its MAC address to block MAC spoofing, and SPR-OS is configured to block ARP spoofing from interfaces on a VLAN. Packet forwarding to other devices is default deny. If a device has the LAN policy, or is in a group with other devices, then that traffic is allowed.
GTKs are unique per VLAN, so devices can't bypass the router to communicate with each other. TDLS is disabled.
These rules are also enforced with mesh networking, supported today in SPR PLUS over wired backhaul.
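The per-device isolation and pivot protections above can be modelled in a few dozen lines. The following is an added example, not SPR's own code: it carves a constructed supernetwork (192.168.2.0/24, an assumed range) into /30 slots, one per device, binds each slot to the device's MAC address, and then evaluates LAN forwarding with a default-deny policy. The spoofing check (source IP must be the one issued to the source MAC) is what blocks a device from borrowing a neighbour's address, and the "lan" tag and group membership are assumed names for the LAN policy and device groups the text describes; the LAN policy is assumed to be symmetric.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed supernetwork range for the example; SPR's actual addressing may differ.
SUPERNET = ipaddress.ip_network("192.168.2.0/24")


@dataclass
class Device:
    name: str
    mac: str
    tags: set = field(default_factory=set)     # policy tags, e.g. {"lan"} (assumed tag name)
    groups: set = field(default_factory=set)   # named groups shared with other devices


@dataclass
class Slot:
    """One /30 'tiny' network: a router address, a device address, and nothing else."""
    device: Device
    subnet: ipaddress.IPv4Network
    router_ip: ipaddress.IPv4Address
    device_ip: ipaddress.IPv4Address


@dataclass
class Verdict:
    allowed: bool
    reason: str


class Supernetwork:
    def __init__(self, supernet=SUPERNET):
        self.supernet = supernet
        self._free = supernet.subnets(new_prefix=30)   # lazy iterator over /30 slices
        self.by_mac = {}
        self.by_ip = {}

    def attach(self, device):
        """Hand the device its own /30: first usable host is the router, second is the device."""
        subnet = next(self._free)
        router_ip, device_ip = list(subnet.hosts())    # a /30 has exactly two usable hosts
        slot = Slot(device, subnet, router_ip, device_ip)
        self.by_mac[device.mac.lower()] = slot
        self.by_ip[device_ip] = slot
        return slot

    def forward_allowed(self, src_mac, src_ip, dst_ip):
        """Decide whether a LAN packet from src may be forwarded to dst. Default deny."""
        src_ip = ipaddress.ip_address(src_ip)
        dst_ip = ipaddress.ip_address(dst_ip)
        src = self.by_mac.get(src_mac.lower())
        if src is None:
            return Verdict(False, "unknown source MAC")
        # Pivot protection: the source address must be the one issued to this MAC.
        if src_ip != src.device_ip:
            return Verdict(False, "source IP does not match the IP bound to this MAC (spoofing)")
        dst = self.by_ip.get(dst_ip)
        if dst is None:
            return Verdict(False, "destination is not a known device")
        if dst is src:
            return Verdict(False, "traffic to self")
        # Assumption: the LAN policy is symmetric, both endpoints need the "lan" tag.
        if "lan" in src.device.tags and "lan" in dst.device.tags:
            return Verdict(True, "both devices carry the LAN policy")
        shared = src.device.groups & dst.device.groups
        if shared:
            return Verdict(True, f"shared group: {sorted(shared)[0]}")
        return Verdict(False, "default deny: no policy connects these devices")


if __name__ == "__main__":
    net = Supernetwork()
    laptop = net.attach(Device("laptop", "aa:bb:cc:dd:ee:01", tags={"lan"}))
    bulb = net.attach(Device("bulb", "aa:bb:cc:dd:ee:03", groups={"smarthome"}))
    print(laptop.subnet, laptop.router_ip, laptop.device_ip)
    print(net.forward_allowed("aa:bb:cc:dd:ee:03", "192.168.2.2", "192.168.2.6"))
```

Because every slot is a /30, the device has exactly one neighbour (the router), so there is no layer-two peer to ARP for; the forwarding decision is the only path between devices, and it fails closed for unknown MACs, mismatched addresses and devices that share no policy.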
Notably, SPR was not affected by MACStealer.
Multicast Isolation
By default, the multicast proxy relays multicast traffic to all devices. Proxying can be turned off altogether or restricted by policy using tags. Optionally, a tag can be applied to a service so that multicast for that service is relayed only to the subset of devices carrying the same tag.
See the firewall settings guide
Upstream LAN Traffic Blocked By Default
Typically, users plug SPR into their existing network, which we call the upstream LAN. By default, SPR blocks device traffic to upstream private (RFC 1918) address ranges unless the lan_upstream tag is enabled on the device. This prevents SPR devices from reaching private addresses on the upstream network.
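The two tag-driven policies just described, multicast relay restricted by service tag and the upstream RFC 1918 block lifted by lan_upstream, are shown together below in an added example (not SPR's code). One caveat it makes explicit: SPR's own device supernetwork is itself RFC 1918 space, so a naive "block all private destinations" rule would also cut devices off from each other; the check therefore exempts the router's own range (192.168.2.0/24 here, an assumed value). The device inventory and tag names other than lan_upstream are constructed.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed: the supernetwork SPR hands out to its own devices. It is private address
# space too, so the upstream check must exempt it or devices could never reach each other.
SPR_SUPERNET = ipaddress.ip_network("192.168.2.0/24")


def is_upstream_private(dst):
    """True when dst is an RFC 1918 address that is NOT one of our own device subnets."""
    dst = ipaddress.ip_address(dst)
    if dst in SPR_SUPERNET:
        return False
    return any(dst in net for net in RFC1918)


def upstream_allowed(device_tags, dst):
    """Default deny for private destinations on the upstream LAN unless the device
    carries the lan_upstream tag. Non-private destinations are left to other rules."""
    if not is_upstream_private(dst):
        return True
    return "lan_upstream" in device_tags


def multicast_targets(devices, proxy_enabled=True, service_tag=None):
    """Which devices receive a relayed multicast stream.
    devices: mapping of device name -> set of tags (constructed inventory).
    proxy_enabled=False: nothing is relayed.
    service_tag=None: relay to every device (the default behaviour described above).
    service_tag="x": relay only to devices that also carry tag "x"."""
    if not proxy_enabled:
        return set()
    if service_tag is None:
        return set(devices)
    return {name for name, tags in devices.items() if service_tag in tags}


if __name__ == "__main__":
    inventory = {"tv": {"cast"}, "phone": {"cast", "lan_upstream"}, "bulb": set()}
    for name, tags in inventory.items():
        print(name, "-> upstream 192.168.1.20:", upstream_allowed(tags, "192.168.1.20"))
    print("cast relay targets:", sorted(multicast_targets(inventory, service_tag="cast")))
```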
WPA3 Support
WPA3 uses the Simultaneous Authentication of Equals (SAE) protocol for authentication. Unlike WPA2 (PBKDF2-based), the key exchange cannot be sniffed and cracked, because it is a zero-knowledge proof of the password.
WPA3 also provides Management Frame Protection (MFP, 802.11w), which is optional for WPA2 but mandatory in WPA3.
Practical Limitations of WPA3
iOS Device QR-Code WPA2 Downgrade
iOS has a long-standing flaw where a WPA3 network joined by scanning a QR code is later saved as WPA2. As a result, SPR supports both WPA2 and WPA3 for devices.
Many devices don't support WPA3 yet, and some still require WPA1.
Since not all devices on a BSSID support WPA3, SPR runs MFP in mixed mode (ieee80211w=1).
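The constraints in this section and in Per Device Passwords interact in the hostapd configuration: SAE needs MFP, WPA2-only clients may not support 802.11w, and per-device keys need MAC-bound entries. The checker below is an added example, not part of SPR or hostapd; it parses a hostapd.conf fragment and reports the settings that break a WPA2/WPA3 mixed-mode BSS. ieee80211w (0 disabled, 1 optional, 2 required), sae_require_mfp, wpa_key_mgmt, wpa_psk_file and sae_password=...|mac= are real hostapd options; whether SPR uses exactly these is an assumption, and the two sample configurations are constructed.

```python
def parse_hostapd(text):
    """Minimal parser for hostapd.conf 'key=value' lines; blanks and '#' comments are skipped.
    A repeated key keeps its last value, which is enough for the checks below."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def check_mixed_mode(conf):
    """Return a list of findings for a WPA2/WPA3 mixed-mode BSS; empty means consistent."""
    findings = []
    akms = set(conf.get("wpa_key_mgmt", "").split())
    pmf = conf.get("ieee80211w", "0")   # hostapd default: 0 = disabled, 1 = optional, 2 = required
    sae, psk = "SAE" in akms, "WPA-PSK" in akms
    if sae and pmf == "0":
        findings.append("SAE requires management frame protection; ieee80211w=0 leaves WPA3 clients without it")
    if sae and psk and pmf == "2":
        findings.append("ieee80211w=2 makes PMF mandatory, so WPA2 devices lacking 802.11w cannot associate")
    if sae and psk and pmf == "1" and conf.get("sae_require_mfp") != "1":
        findings.append("mixed mode should set sae_require_mfp=1 so SAE clients still get PMF while WPA2 stays optional")
    if psk and "wpa_psk_file" not in conf:
        findings.append("no wpa_psk_file: every WPA2 client shares wpa_passphrase instead of a per-device key")
    return findings


# Constructed: a mixed-mode BSS that locks out legacy clients and shares one passphrase.
WEAK = """
interface=wlan0
ssid=spr-demo
wpa=2
wpa_key_mgmt=SAE WPA-PSK
wpa_passphrase=shared-secret-constructed
rsn_pairwise=CCMP
ieee80211w=2
"""

# Constructed: PMF optional for WPA2, enforced for SAE, and MAC-bound keys for both.
FIXED = """
interface=wlan0
ssid=spr-demo
wpa=2
wpa_key_mgmt=SAE WPA-PSK
wpa_psk_file=/etc/hostapd/wpa_psk
sae_password=laptop-secret-constructed|mac=aa:bb:cc:dd:ee:01
rsn_pairwise=CCMP
ieee80211w=1
sae_require_mfp=1
"""


if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("fixed", FIXED)):
        print(label, check_mixed_mode(parse_hostapd(text)) or ["ok"])
```

Entries in the wpa_psk_file referenced above take the form `<MAC address> <PSK>`, one device per line, which is how hostapd ties a WPA2 key to a MAC the way the text describes for per-device passwords.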
Network Visibility
SPR provides DNS and traffic monitoring, as well as authentication logs for the APIs.
Secure Software Stack
SPR is built with memory-safe languages and frameworks where possible, favoring Go, Rust, and React. The DNS server, CoreDNS, is written in Go. We are working to replace our remaining C dependencies (pppd, hostapd, the WiFi stacks).