I don’t think there is any security-focused firmware.
The problem is that security is not a product. You can easily be insecure, like the stars of the SOHOpeless series, but you can’t just get a thing and be secure. Security is a spectrum, where you yourself are a more important component than the router, and it’s all about what specific things you’re secure against. And what you’re willing to spend to get there.
OpenWRT comes closest, but that’s just a matter of being open. You can make OpenWRT into whatever you want. It has an extensive Wiki, and it has a clever Kconfig-based build system so you can try your own ideas easily. One guy has recently been playing with installing security features in OpenWRT.
I would posit that you can’t ever be completely secure with a WRT-based system. It’s Linux, so it excludes the “slow” security features from OpenBSD. It works on devices with less than 10MB of storage and less than 100MB of RAM and a lack of CPU features like NX and VT, so it doesn’t have the aggressive isolation of Qubes OS, or the wacky policy files of SELinux. Its default installation is a read-only image containing everything, so updates are tedious, especially if you practice the customization I mentioned in the last paragraph.
Probably if you want a secure network, then you will have to be vigilant, and isolate and update each service individually with all the current best practices like immutable virtual machines. (Not immutable containers. I do not trust Docker/LXC as a security mechanism.) A WiFi router needs these pieces:
1. A kernel that runs the machine, schedules jobs, etc.
2. A bunch of tools to control the system and make sure everything is running
3. A configuration utility, often in a web service
4. A driver that runs the WiFi controller. Two controllers, if you have dual-band WiFi. Usually containing closed-source firmware or binary blobs.
5. A driver that runs the Ethernet controller. Two controllers, in many cases. Often containing closed-source firmware or binary blobs.
6. A bridging service that connects WiFi and Ethernet
7. An IPv4 routing service that does NAT
8. An IPv6 routing service
9. A DHCP client, a PPPoE client, or whatever to connect to the ISP
10. A DHCP server
11. A caching DNS server
12. A RA (IPv6 numbering) server
That’s an impressive amount of stuff to fit in less than 10MB, not even counting extra features like USB file sharing and BitTorrent clients. We typically save a lot of space by combining these functions. 1, 4, 5, 6, 7, 8: The monolithic kernel. 2, sometimes 3, 9: Busybox. 10, 11, 12: Dnsmasq. But if we want to be more secure, we should be running them on separate machines. And run them on something like Xen with no device drivers configured, because Xen device drivers turn out to suck. Clearly, this would take a more powerful system with more storage and RAM and electricity use than the typical home router, so global warming consumes us all. Security fail.
Even if you make your network secure, that is time and money you are not spending on building a moat, so you’re killed by marauders with spears. Again, security fail. You need to watch out for which security risks are most likely to affect you, because there’s not enough time to control everything.
There’s a reason people like kjal just outsource the whole headache to AVM.de.
EDIT: Oh yeah:
13. A time-keeping service, usually NTP, especially if you want to do DNSSEC validations locally
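An added example, not code from the post above: a POSIX shell script that takes `netstat -lnp` output (BusyBox or net-tools format) and maps the listening sockets back to the roles in the list, so you can see on your own router how many of them one binary provides. The netstat output embedded below is constructed, not captured from a real device; the role table and the names `listeners`, `role_owner` and `roles_per_process` are this example's own. Note that router advertisements are ICMPv6 and never show up as a listening socket, so the DHCPv6 server port (UDP 547) is used here as the visible stand-in for role 12.

```shell
#!/bin/sh
# Added example (not from the original post). Given `netstat -lnp` output,
# report which program owns which of the router roles listed above.
# The sample below is constructed for this example, not a real capture.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1234/dnsmasq
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      987/uhttpd
tcp        0      0 :::53                   :::*                    LISTEN      1234/dnsmasq
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1234/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1234/dnsmasq
udp        0      0 0.0.0.0:123             0.0.0.0:*                           456/ntpd
udp        0      0 :::547                  :::*                                1500/odhcpd'

# role_of PROTO PORT: print the role name for a well-known listener, or nothing.
# (RA is ICMPv6, not a socket; UDP 547 is the DHCPv6 side of the same daemon.)
role_of() {
  case "$1/$2" in
    tcp/53|udp/53)  echo "caching DNS server" ;;
    udp/67)         echo "DHCP server" ;;
    udp/547)        echo "DHCPv6/RA server" ;;
    udp/123)        echo "NTP time service" ;;
    tcp/80|tcp/443) echo "configuration web service" ;;
  esac
}

# listeners: read netstat output on stdin, print "role<TAB>program" per socket.
# Works for both tcp (has a State column) and udp (no State column) lines,
# because the program name is always the text after the last "/".
listeners() {
  while read -r proto rq sq local foreign rest; do
    case "$proto" in tcp|udp|tcp6|udp6) ;; *) continue ;; esac
    proto=${proto%6}                 # net-tools prints tcp6/udp6; BusyBox does not
    port=${local##*:}                # works for 0.0.0.0:53 and :::53 alike
    prog=${rest##*/}
    role=$(role_of "$proto" "$port")
    [ -n "$role" ] && printf '%s\t%s\n' "$role" "$prog"
  done
}

# role_owner ROLE: which program(s) serve this role in the sample.
role_owner() {
  printf '%s\n' "$SAMPLE_NETSTAT" | listeners | awk -F'\t' -v r="$1" '$1 == r { print $2 }' | sort -u
}

# roles_per_process: one line per program, listing every role it holds.
# On a stock OpenWRT box this is where dnsmasq shows up owning 10 and 11 (and
# odhcpd 12), which is the consolidation the post describes.
roles_per_process() {
  printf '%s\n' "$SAMPLE_NETSTAT" | listeners | sort -u | awk -F'\t' '
    { roles[$2] = (roles[$2] ? roles[$2] ", " : "") $1 }
    END { for (p in roles) print p ": " roles[p] }' | sort
}

roles_per_process
```

To run it against a real router, replace the constructed `SAMPLE_NETSTAT` with `$(netstat -lnp)` on the device; any role that prints more than one program, or a program holding several roles, is a place where the post's "separate machines" argument applies.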