There's a device sitting in your house right now that you're paying monthly rent on, that you'll never own, and that is almost certainly the least secure piece of technology on your entire network. It's the router your internet provider gave you. The one that just works when you plug it in. You might even see the word "security" on the side of the box but that is just "security theater" dressed up as marketing.
Think about that. 90 million homes. Every one of them paying somewhere between $10 and $15 per month to rent a piece of hardware they will never own. Over five years that's $600 to $900 spent on a device that was never designed to protect you. It was designed to get you online as cheaply as possible while generating recurring revenue for your internet provider.
Here is the easy math. Take the low end, $10/mo, and multiply it by 90 million. That is nearly a ONE BILLION A MONTH industry, and it rides on the back of cheap plastic boxes with tiny ARM chips about 1/10th the power of my 3-year-old smartwatch.
Let's talk about what that box does. Your ISP router does three things:
- It connects your home to the internet.
- It assigns IP addresses to your devices using DHCP.
- And it runs a basic NAT firewall that blocks unsolicited inbound connections.
That's it. That's what you're paying $600-$900 every FIVE years for. Ouch. Right?
Still with me so far?
The "firewall" your ISP advertises is not what security professionals mean when they say firewall. NAT was never designed as a security feature. It was designed to solve an addressing problem because we ran out of IPv4 addresses. The fact that it incidentally blocks some inbound traffic is a side effect, not a security strategy.
A real firewall inspects traffic, matches it against threat signatures, blocks known malicious domains, segments your network into isolated zones, and gives you visibility into what's happening on your network. Your ISP router does none of this. Zero.
It gets worse. Let's break it down. Hammer-style... STOP!
D.O.N.E. Devices on One Network Naked
Your ISP router puts every device in your house on the same network. Your work laptop, your kid's tablet, your smart TV, your Ring doorbell, your robot vacuum, your guest's phone. All of them can see each other. All of them can communicate freely. I call this: D.O.N.E. Devices on One Network Naked. Your entire network, and every device on it, is toast if your teen hits a C2 server on Usenet and downloads a trojan.
No Intrusion Detection/Prevention
Your ISP router doesn't run an IDS or IPS. It has no threat signatures. It doesn't know what a malware command-and-control callback looks like. It doesn't know what a phishing domain looks like. It doesn't know what a port scan looks like. It just passes traffic. Enterprise networks run intrusion detection systems with hundreds of thousands of signatures that are updated daily. Your ISP router runs nothing. The gap between what businesses consider acceptable security and what your ISP provides you at home is ginormous.
DNS Wide Open
By default your ISP router sends all your DNS queries to your ISP's DNS servers. Unencrypted. Your ISP can see every website you visit, every search you make, every service you connect to. They can build a complete profile of your online activity. And depending on your ISP, they may be selling that data to advertisers and data brokers or complying with data requests (aka administrative warrants) you'll never know about. Even the basic privacy step of encrypting your DNS queries (DNS over TLS or DNS over HTTPS) is not available on most ISP routers. The option simply doesn't exist.
No Ad Blocking
Your ISP router does nothing about the tracking and advertising infrastructure that follows you across the internet. Every device on your network is exposed to third-party trackers, advertising scripts, and telemetry collection. Browser extensions help on one device at a time but they don't protect your smart TV, your kid's tablet, or any IoT device that connects to the internet.
Network-level DNS filtering, the kind you run on a real router, can block ads and trackers across every device simultaneously. It's not a new technology. Businesses have done this for decades. Your ISP router just doesn't offer it.
The Money Problem - This is the legit, "wHy wON't TheY dO tHe sMaRT tHInG?!"
Here's where it gets frustrating. You're not just getting bad security. You're paying a buttload for it.
At $12 per month (a common rental fee), you'll spend $720 over five years for a device you will never own. When you cancel service or switch providers, you return the hardware and have nothing to show for it. Meanwhile the ISP has made back the cost of that $40 device many, many, many times over.
For roughly the same amount of money, you could own enterprise-grade security hardware outright with a two-year warranty. Hardware that actually segments your network, runs intrusion detection, filters DNS, blocks ads, and encrypts your queries. Hardware that keeps working and keeps protecting you for years after you've paid it off.
The average American household will spend $1,440 over ten years renting an ISP router. That's enough to buy some sweet sweet professional network security equipment twice over and still have money left for Christmas presents.
"So Skip... what does a proper home network look like?" Glad you asked!
The technology to properly secure a home network exists and has existed for years. It's the same technology businesses use. Proper routers run on laptop CPUs with just as much RAM. The problem isn't the hardware or the software. It has always been accessibility. Setting up an OPNsense firewall, configuring VLANs, tuning Suricata rulesets, setting up DNS filtering... that's a 25-to-35-hour project for someone who's never done it before, and you won't remember enough to troubleshoot your network later. Most people understandably don't want to become network engineers just to protect their family.
But the core components are super straightforward:
Network segmentation. Separate your devices by trust level. Your computers on one network. IoT devices on another. Guest devices on another. Smart TVs on another. If one gets compromised, the damage stops at that segment. This is what VLANs do and every enterprise network uses them.
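As an added illustration, not code from the original post or from any product it mentions, here is a small Python model of the zone matrix a segmented home network enforces: four constructed VLAN subnets, first-match rules, default deny between segments, and a rule pair that lets every device reach only the firewall's own resolver on port 53, so a smart TV with a hardcoded public DNS server cannot sidestep network-level filtering. Zone names, subnets, addresses and rules are all assumptions made for the example.

```python
import ipaddress

# Constructed layout: one VLAN per trust level; the firewall owns the .1 address in each.
ZONES = {
    "LAN":   ipaddress.ip_network("10.0.10.0/24"),  # computers and phones you trust
    "IOT":   ipaddress.ip_network("10.0.20.0/24"),  # doorbell, vacuum, bulbs
    "GUEST": ipaddress.ip_network("10.0.30.0/24"),  # visitors' devices
    "TV":    ipaddress.ip_network("10.0.40.0/24"),  # smart TVs
}
FIREWALL_ADDRS = {net[1] for net in ZONES.values()}

# (src_zone, dst_zone, proto, dst_port, action); "ANY" is a wildcard.
# First match wins and anything unmatched is dropped: default deny between segments.
RULES = [
    ("ANY", "FW",  "udp", 53,    "allow"),  # every segment may use the firewall's filtering resolver
    ("ANY", "FW",  "tcp", 53,    "allow"),
    ("ANY", "ANY", "udp", 53,    "deny"),   # ...and no other resolver, so hardcoded DNS can't bypass it
    ("ANY", "ANY", "tcp", 53,    "deny"),
    ("LAN", "IOT", "ANY", "ANY", "allow"),  # trusted computers may reach IoT gear and TVs;
    ("LAN", "TV",  "ANY", "ANY", "allow"),  # replies ride on connection state, nothing initiates back
    ("ANY", "WAN", "ANY", "ANY", "allow"),  # everyone gets to the internet
]

def zone_of(ip: str) -> str:
    """Map an address to its segment: FW for the firewall itself, WAN for anything outside."""
    addr = ipaddress.ip_address(ip)
    if addr in FIREWALL_ADDRS:
        return "FW"
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"

def evaluate(src_ip: str, dst_ip: str, proto: str, dst_port: int):
    """Decide a new connection: returns (action, matching_rule) with first-match semantics."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule in RULES:
        r_src, r_dst, r_proto, r_port, action = rule
        if (r_src in ("ANY", src) and r_dst in ("ANY", dst)
                and r_proto in ("ANY", proto) and r_port in ("ANY", dst_port)):
            return action, rule
    return "deny", None  # implicit default deny

if __name__ == "__main__":
    # A compromised vacuum in IOT trying SMB against a work laptop in LAN: dropped.
    print(evaluate("10.0.20.7", "10.0.10.5", "tcp", 445))
    # A smart TV with a public resolver hardcoded: denied; only the firewall's resolver is reachable on 53.
    print(evaluate("10.0.40.3", "8.8.8.8", "udp", 53))
```

On a real firewall the usual refinement is to NAT-redirect outbound port 53 to the firewall's resolver instead of dropping it, so devices with a hardcoded DNS server keep working while still being filtered.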
Intrusion detection. Run an IDS/IPS with real threat signatures that update daily. Suricata with rulesets from Abuse.ch and Emerging Threats can monitor for active malware campaigns, phishing attempts, exploit kits, and command-and-control traffic. This is what your ISP router's "firewall checkbox" pretends to do.
DNS filtering. Block known malicious domains and advertising trackers at the DNS level before any connection is made. This protects every device on your network without installing anything on each device. Over a million domains can be filtered using well-maintained community blocklists.
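An added example, not code from the original post, showing how a filtering resolver decides a query against community blocklists: it parses the two formats those lists ship in (hosts-file style and one bare domain per line), normalizes names, and sinkholes a name when it or any parent zone is listed, with the most specific entry winning so an allowlist can carve out an exception. The list contents below are constructed samples, not real blocklist entries.

```python
# Constructed sample lists. Community lists ship as hosts-file lines ("<sink address> <name>")
# or as one bare domain per line; comments and blank lines are ignored in both.
SAMPLE_BLOCKLIST = """\
# constructed sample, not a real community list
0.0.0.0 ads.example.net
0.0.0.0 telemetry.example.org   # trailing comment
tracker.example.com
malware-c2.example.test.
"""
SAMPLE_ALLOWLIST = """\
cdn.tracker.example.com
"""
SINK_ADDRS = {"0.0.0.0", "127.0.0.1", "::", "::1"}

def normalize(name: str) -> str:
    """Case-fold and drop the trailing dot so lookups are canonical."""
    return name.strip().lower().rstrip(".")

def parse_list(text: str) -> set:
    """Load either list format into a set of zones."""
    zones = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        names = parts[1:] if parts[0] in SINK_ADDRS else parts
        zones.update(normalize(n) for n in names)
    return zones

def ancestors(qname: str):
    """Yield the queried name, then each parent zone, most specific first."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])

def decide(qname: str, block: set, allow: set) -> str:
    """Return "NXDOMAIN" to sinkhole the query or "resolve" to pass it upstream.
    A listed zone covers its subdomains; the most specific listed zone wins."""
    for zone in ancestors(qname):
        if zone in allow:
            return "resolve"
        if zone in block:
            return "NXDOMAIN"
    return "resolve"

BLOCK, ALLOW = parse_list(SAMPLE_BLOCKLIST), parse_list(SAMPLE_ALLOWLIST)

if __name__ == "__main__":
    for q in ("pixel.ads.example.net", "example.net", "cdn.tracker.example.com"):
        print(q, "->", decide(q, BLOCK, ALLOW))
```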
Local network traffic inspection. Sounds scary, but it's come a long way. Zenarmor gives you pretty graphs you can click into and easy-to-read lists. It also lets you monitor your teens and set policies like "No social media after 9pm".
A VPN. Encrypted DNS helps, but what does your computer do right after a DNS lookup? It goes to the website. Your ISP sees the website's IP. Unless it's behind Cloudflare, they know exactly where you went and will sell that website visit to the highest bidder. A VPN tunnels that traffic, so all your ISP sees is the VPN endpoint. Still, for untunneled traffic, send your DNS queries over TLS so your ISP can't see what websites you're visiting. Simple, effective, and your ISP router almost certainly doesn't offer it.
What You Can Do About It. For one? JUST DO EEEET!!!
The first step is to stop freaking renting security theater. Buy your own modem, router, and wireless access point. Preferably all separate devices like an audiophile. Then call your ISP and tell them you are breaking up and give them your new modem's serial number. This sets you up for step two.
The second step depends on how much time you want to invest. If you're technically inclined and want to learn, OPNsense is free, open-source, and runs on affordable hardware like Protectli Vaults. There are excellent community resources for getting started. Expect to spend 25 to 35 hours on a first-time build and a few hours per month on maintenance.
If you want the same result without the project, that's what we built SecureNet for. Professional configuration on the same hardware, 8 isolated networks, 200,000+ threat signatures, DNS filtering of over a million domains, and a 25-minute onboarding call. You own everything. No subscriptions required for core security.
Download the AI Whitepaper and ask any AI assistant your questions, or schedule a free 10-minute intro call with an OSS engineer. No pressure. No commitment.