GRYPHON GUARDIAN Advanced Parental Control System & Mesh WiFi Enhanced Security Router (up to 1800sqft) Hack Protection w/AI-Intrusion Detection & ESET Malware Protection Smart Mesh WiFi System AC1200
As a senior network engineer and cybersecurity expert I am exposed to a lot of firewalls/routers/NGFW and UTM appliances. So when I tell you something is great, you can bet it is great! First we will run through the hardware of this device, followed by the setup/configuration of it, then the testing and result of it. Sit back and get ready for the ride!
First things first.. The packaging is great, giving off a real premium feel. The box is so nice I think I want to put it on display. Hardware wise, this is a beast. Far above the most powerful consumer routers.
Gryphon has a Quad Core Arm Cortex A7 processor with 1GB of RAM and 4GB of Flash ram
3 Radios (2.4 and 2x5.0)
Beamforming and WiFi Priority
In comparison, a top of the line ASUS RT-AC3200 has a Broadcom BCM4709 dual-core 1GHz processor with 256MB of DDR 3 system memory and 128MB of flash storage. Which is absolutely ANEMIC compared to the Gryphon. Especially considering a Dual Core Broadcom will spike to 100% CPU use on anything over 500Mbps and will struggle to 900Mbps. Contrary to the Gryphon, which can run at wire-speed 1000/1000Mbps without breaking a sweat.
Software: (the basics, more later)
Gryphon runs on LuCI, which is a fork of OpenWRT - highly customized and locked down.
Intrusion Protection isn't signature based, rather it works off traffic anomaly inspection.
Web Filtration is by ESET, and ESET uses licensed zVelo web filtration. (one of the top 5 in the world)
Speed testing of your connection along with Up/Down Status of your WAN
Anti-Spoofing (MAC/ARP), Rogue AP Detection
Extreme Device and Parental Control
Setup is extremely easy and amounts to installing the iOS or Android App then following the instructions. Those instructions are, you register for an account, plug in the router, scan the QR code and the router is paired with your account and app and is ready to be configured. Initial setup from unboxing to an active WiFi signal ready for connection is less than 5 minutes. It should be noted that all of this is conducted over encrypted channels. There are a few things I would like to inform you of regarding setup;
1) You should unplug and fully disconnect your existing router. (with the assumption you have a Modem+Router setup right now)
2) The Gryphon plugs into the ethernet going to your modem.
3) Gryphon defaults to a 192.168.1.1/24 network, you CAN change this now. (Gateway 192.168.9.1)
4) Gryphon defaults to DNS 18.104.22.168/22.214.171.124, you CAN change this.
5) Gryphon allows multiple SSIDs and allows you to segregate them by bands.
6) Gryphon has NO configuration via web portal. Hitting the firewall gateway of 126.96.36.199 yields a device (the one you are on) landing page with statistics, and the ability to request access to specific websites you are blocked from.
After setup is completed you'll go into the app and start examining devices connecting to the Gryphon. Each new device connects automatically to the 'Guest' user profile. From there, it's up to you to select the device, label the type of device it is, then assign it to a user group for granular restrictions/control over the device. This is the meat and potatoes of the Gryphon because device assignment largely controls the type of protection a device will have. Some important information about this;
1) Some devices can't be user assigned once you designate the type of device. This is by design. If you pause the internet for a user with 4 devices, you don't want to pause their camera, thermostat or alarm system! So specific, critical devices are outside of the user profile area and designed as 'Things' by Gryphon.
2) Device designation controls the intrusion protection for the device. For example computers have a lot of random activity, so they will be 'softened' for IPS. While your thermostat essentially does the same thing, and the AI/Machine Learning knows what it does, so it has a hardened intrusion protection level. If you assign a computer to a thermostat category you are going to be bombarded with warnings about HTTP/HTTPS activity, open ports, etc.. Don't do this.
3) Device categories are 'somewhat' limited, about 29 different types. But strangely, they are missing some basic types like DVR, Network Switch, Servers and Robotic Vacuums. I would recommend assigning DVR to 'TV' category and vacuums to 'Other' for now. I've notified them of my request to add additional categories for some common devices. Most folks probably won't have an issue here, as every other device is included.
Once you assign each device to a category, and if it applies, to a user group then you can go in and configure the device access at the granular level and this is VERY powerful! Gryphon functions at the application layer, so it can determine application use on the individual device level, and control access to individual applications and when they can be used. For example if you don't want your kids on Snapchat after 10PM at night, you can control this with a simple slider. This is a very powerful system that far outstrips any other router in the world other than SMB/Corporate UTM offerings costing many times more money. We'll go into important points about parental control below;
1) You can control 'Homework' hours. Which means only homework/educational sites can be visited during X to Y hours on a specific device.
2) Actively PAUSE the internet for specific devices, anytime you wish. (and it does NOT use ARP poisoning like Fingbox and others)
3) Schedule internet time of day. On/Off, specific times, etc.
4) Enable safe-search for all search engines, and disable all YouTube comments, automatically on all devices!
5) Store browsing history, with a snapshot of each page browsed.
6) Allow/Disallow VPN activity on each device.
7) Control individual application use, when you want and how you want. (No Snapchat after 10pm kids!)
8) Click on the 'i' for age groups for more information and what is filtered. Adult 18+ will filter malware+porn only. Unfiltered will filter malware only. Unfiltered isn't clarified on the fact it still filters malware but it does. Toddler is the equivalent of full whitelisting mode. Essentially blocking everything except what you allow. That's a great profile age group for things like servers and limited IoT devices!
9) Blocked sites bring up a portal page, from there your users can 'request' access. Which then sends a screen capture of the page they want access to and the ability for you to one-click allow/deny. Impressive!
10) Users can go to the gateway IP on their device (192.168.9.1) and request a laundry list of sites for you to unblock.
Security (my favorite category)
Gryphon is an incredibly secure router/UTM. It's running LuCI on OpenWRT, completely custom designed. All of the common 'hacking' ingress on it are completely closed off. No SSH, no web admin access, no HTTP/HTTPS configuration panel access. No default passwords. No WAN OR LAN facing configuration AT ALL. This in and of itself closes off many thousands of potential attacks and cannot be overstated about why it is important. Your typical home router comes out of the box with a default password and HTTP WAN/LAN access. Your typical home consumer opens it up, plugs it in and leaves all of this alone, and in the process gives even the most basic hacker complete access to their router, home network, and potentially all devices on the home network. So right out of the gate Gryphon is incredibly hacker resistant, there just isn't anything to hack on it. I ran port scans and penetration testing. Gryphon does very well here with full stealth on all service ports right out of the box. Some highlights about security;
1) All ports automatically stealthed.
2) No SSH/Telnet/HTTP/HTTPS admin access (LAN or WAN). Config is only through the app.
3) No default passwords/logins. You set up a strong password for your account on the app, which is paired (encrypted) to the app. Only YOU can access your device, period. End of story.
4) ESET Technology for Web Scanning (HTTP/HTTPS), which is a subset of the powerful zVelo web categorization system.
5) Machine Learning/AI system for device anomalies with the capability to quarantine infected devices.
6) ARP/MAC spoofing detection/blocking.
7) New device control (including default blocking of new devices)
and much more...
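A way to check the "stealth" claim on a router you administer, as an added example that is not part of the original review: it tells a stealthed port (no reply at all) apart from a closed one (connection refused) and an open one. The function names, the timeout and the loopback default are assumptions made for this example.

```python
import socket
import sys

# Admin services the review says are not reachable on the router.
ADMIN_PORTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https"}


def probe(host, port, timeout=2.0):
    """Classify one TCP port by how the target reacts to a connect attempt."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"         # handshake completed: a service is listening
    except ConnectionRefusedError:
        return "closed"       # RST came back: no service, but the host answered
    except socket.timeout:
        return "stealth"      # nothing came back: the packet was silently dropped
    except OSError:
        return "unreachable"  # other error, e.g. ICMP unreachable or no route
    finally:
        sock.close()


def audit(host, ports=ADMIN_PORTS, timeout=2.0):
    """Return {port: state} for every port in `ports`."""
    return {port: probe(host, port, timeout) for port in ports}


def answering(results):
    """Ports that completed or refused the handshake, i.e. are not stealthed."""
    return sorted(p for p, s in results.items() if s in ("open", "closed"))


if __name__ == "__main__":
    # Target is an assumption: pass the address of a router you administer.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = audit(target)
    for port, state in sorted(results.items()):
        print(f"{target}:{port:<5} {ADMIN_PORTS[port]:<7} {state}")
    print("not stealthed:", answering(results) or "none")
```

Run from a LAN client against the gateway, an open web port is consistent with the review, which says the gateway serves a landing page there; the stealth result concerns what a host outside the network sees on the WAN address.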
With the bullet points out of the way, for security buffs I am going to tell you how to ramp this Gryphon up to new levels, essentially making it UTM-Like in functionality. First, I recommend instead of creating User Profiles, you create DEVICE profiles. This is easy to do, all you need to do is create a user profile for a specific goal you wish to accomplish. For example let's say you want to block some specific devices from ALL internet connectivity, let's say you run cameras with a local DVR or Blue Iris on the network and you DO NOT need your cameras talking to the internet. To accomplish this task with Gryphon all you need to do is create a 'Camera' user profile, assign a device type as 'Computer' to your cameras, move them to the Camera User Profile, then go in and edit the camera profile and pause the internet AND/OR set it to 'Toddler'. Your cameras will never be able to communicate outside of your network or be able to be hacked, or send telemetry to China, etc. This functions as a sort of policy based routing with some level of granular control and I feel is one of the most powerful aspects of Gryphon when configured correctly.
Instead of user categories, I have: Tablets, Phones, Desktops, Laptops, Servers, Cameras. Then I group devices within those categories and assign specific rules/controls to control them on a more granular level. For example my 'Servers' user profile is set to Toddler, then I go for the first day of use, look at the pages the server is trying to access, and whitelist/blacklist based on the activity I want to permit. That way the servers still get Windows updates, but can't do things like have ransomware on them dialing out, telemetry from installed applications, etc. This is exceptionally powerful and a largely undisclosed (but major) benefit of Gryphon. The best part, I can do all of this and manage my entire network from my phone lying in bed! Here are some security tips that would likely make the Gryphon one of the most secure routers in the world;
1) Since all devices connect to 'Guest' user profile until you categorize them - I recommend restricting Guest Profile to Toddler and/or setting that profile to be permanently paused. That way it's a full lockdown on all new devices, until you approve those devices individually.
2) I recommend device categories for user profiles over individual users in many cases. This allows you to group all devices, then control them. Servers with limited access out the WAN. Cameras or other junk you might want to totally block from the internet, etc.
3) I recommend setting SCHEDULES for all computers. For example group your computers into a computer user profile, then set a schedule to disable the internet from 2AM-7AM each night. This will reduce your threat surface during off hours and provide additional security.
4) Go into malware protection, and toggle it to 'All Threats'. There is no reason to degrade security in any way.
Bottom line, out of the box this is one of the most secure routers in the world. With minor tweaks, it IS the most secure one in the world, probably even above many SMB/Corporate offerings.
Wireless (how good is it?)
REALLY GOOD. My home is quite large, and this device covers all three floors and the entire floor plan with full bars in almost every area. To give you an idea of how good this is, I previously required 3 FortiAP units when I used Fortinet, and when I switched to Ubiquiti I required a top of the line UniFi AC-HD Pro unit AND a Mesh Lite unit to cover the home. This unit performs better than any other wireless solution I have tested. Google WiFi, Velop, Orbi, all of them are children's toys compared to this!
Speed wise, it's 3000Mbps 'total' maximum throughput. Obviously you won't get that if your connection is 300 Mbps, what it means is the absolute maximum from all devices and radios combined will be 3000Mbps. That's throughput on the LAN, WAN, and all three radios. But it does live up to its potential far better than any other router I have tested - you can trust me on that! Top of the line ASUS routers are nothing but trinkets compared to this. They've really done their homework regarding this system.
No cons to this device at all. But I would recommend they implement a few basic things to take it to the next level. ICMP shouldn't respond from WAN. Even with ports all stealthed I'd like to see ICMP responses blackholed. Not a huge issue. I'd like to see a 'custom' web filtration category where I can set up custom fields about what to block. A few more device categories would be nice.
In closing - this is the best possible router (hybrid UTM) device you can purchase for your home. Period. Bar none. Nothing else comes close. You can toss every other gadget out (Fingbox, Dojo, Norton Sphere, Cujo, etc), they're all basically junk compared to this. This is the only consumer router to get my 100% seal of approval. In fact, for prosumers, you can probably forget about your Sophos and Fortinets and run with this. You won't be disappointed! Another recommendation to Gryphon Company would be to improve information and FAQ with more detailed question/answers, especially for the Prosumer market. I'd like to see whitepapers, some test results, and maybe technical documentation. Information is a bit too vague IMO, and I have provided more information in my review here than you'll ever find anywhere on Gryphon, and it was done through my own testing/research over a 24 hour period.