Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Are Consumer Firewall/NAT Boxes Really Secure?

Cliff posted more than 10 years ago | from the are-there-unexpected-holes-in-this-box dept.

Security 166

blate asks: "Consumer-grade Firewall/NAT devices, such as those from Linksys, Netgear, D-Link, etc., have become very popular as more and more users get broadband connections. I've been using a Linksys router at home for several years and have never had any security problems. But how secure are these devices, really? The firewall guru's I know argue that a NAT really doesn't give you much beyond security-by-obscurity. What are your experiences with this (have you ever been comprimized through such a device)? Would I be better off with a Linux/ipchains firewall?"

cancel ×

166 comments

Good, but not "plug and forget." (5, Insightful)

Mr. Darl McBride (704524) | more than 10 years ago | (#6885073)

I don't know of anyone who's been compromised, however it's worth a reminder that most of these boxes actually run an OS of some sort. We've seen that even Linux (upon which many of the Netgear and Linksys products are based) has had its kernel network exploits -- no major OS has been completely free of security problems.

It's true that Most of these units are flash upgradable, but consumer-level network gear's support lifecycle tends to be pretty damned short. It's quite likely that the company producing the hardware isn't going to be bothered to repair a product, even if it's proven to be as permeable as a sponge.

My personal take would be that these units are great, so long as you learn a little about how they work. Shoot for something that's based on Linux or another OS with public information, learn what kernel it's using, and then treat the unit just like a PC running that same release. If an exploit is announced for that version of Linux, get it off the wire until you can patch it, just like you'd do with the real PC.

Re:Good, but not "plug and forget." (1)

PoiBoy (525770) | more than 10 years ago | (#6885136)

Is there an advantage to spending four times the price of a Linksys to get a Cisco PIX? Is PIX better than Linux for firewalls?

Re:Good, but not "plug and forget." (3, Interesting)

Mr. Darl McBride (704524) | more than 10 years ago | (#6885165)

If your question is serious, I'll tell you this: If you buy the Cisco and are willing to pay for a support contract, then you'll never ever have to worry about downtime. This will be true no matter what the day, no matter what the hour, no matter how old the hardware.

Linksys will ask you to ship it back and offer a replacement in 3-4 weeks.

Re:Good, but not "plug and forget." (1)

DA-MAN (17442) | more than 10 years ago | (#6891459)

Linksys is Cisco now, so I guess the only difference would be the support contract.

Re:Good, but not "plug and forget." (4, Insightful)

uradu (10768) | more than 10 years ago | (#6885435)

> It's quite likely that the company producing the hardware
> isn't going to be bothered to repair a product

Now that's a platitude if ever I've seen one. What precise personal experience do you base this statement on? Linksys, Netgear and SMC certainly have a decent track record of supporting their products, sometimes well into the next few generations. Besides, most of these consumer devices are based on OEM hardware whose manufacturer usually writes the base firmware that the vendors then customize. The upshot is that even if your Linksys or SMC doesn't produce new firmware, the OEM manufacturer often does. My SMC 7004 Barricade is running firmware that provides considerably more functionality than SMC ever planned for the little box.

Re:Good, but not "plug and forget." (1)

Richard_at_work (517087) | more than 10 years ago | (#6886266)

How do you find out what the OEM is? I have a 7401BRA barricade adsl router and would love to see what else there is for it :)

Re:Good, but not "plug and forget." (2, Informative)

uradu (10768) | more than 10 years ago | (#6887238)

Don't know about the 7401BRA, but my 7004BR was OEM'ed by Amit in Taiwan. Products from Asante, 3Com and GVC used the same base hardware, and their firmware is interchangeable. You'll just have to do some googe grouping to find out.

Re:Good, but not "plug and forget." (1)

FFFish (7567) | more than 10 years ago | (#6888154)

Intriguing. What sort of alternative firmware exists for the SMC products? Got any resource recommendations? Search term suggestions?

Re:Good, but not "plug and forget." (1)

uradu (10768) | more than 10 years ago | (#6889270)

Depends on the model. My 7004BR was OEM'ed by Amit, but other models weren't necessarily. Just google on "<model> firmware" or something like that.

Re:Good, but not "plug and forget." (1)

FFFish (7567) | more than 10 years ago | (#6889668)

Mine's an SMC-branded product. How do I find out who the OEM is?

Re:Good, but not "plug and forget." (1)

uradu (10768) | more than 10 years ago | (#6890545)

You really have to do the legwork to search this stuff. Google groups (a.k.a. usenet) is your friend. I guess you could also take it apart and see if there is any info on the circuit board.

Re:Good, but not "plug and forget." (1)

FFFish (7567) | more than 10 years ago | (#6891398)

k, thx. Off I bound, screwdriver in hand!

Hadn't occured to me to search Usenet. And here I am, subscribed to a half-dozen newsgroups!

Re:Good, but not "plug and forget." (1)

casret (64258) | more than 10 years ago | (#6889494)

Whose firmware are you running now? I googled and found that the DLink704 is the same amit box as yours, but looking on the amit site, I couldn't find any firmware upgrades.

Re:Good, but not "plug and forget." (1)

uradu (10768) | more than 10 years ago | (#6890534)

It's been a while, but I know that google groups contains a fair bit of postings about it, that's where I found the links to the downloads. I believe it was a Taiwanese ftp site. Also, the SMC Germany site contains newer firmware updates, though not as new as what Amit have. Mine involved a bit of song and dance to convince the SMC box to accept the OEM firmware, but it's working fine now.

Re:Good, but not "plug and forget." (1)

Istealmymusic (573079) | more than 10 years ago | (#6891000)

Can you provide intimate details on how to achieve this? I have the same model as yours (but wireless model), and would love to hear how to do it from someone that already has, instead of flashing my box incorrectly and ending up with a 4-port wireless paperweight. Thanks.

Re:Good, but not "plug and forget." (2, Informative)

uradu (10768) | more than 10 years ago | (#6891206)

I believe I was following directions from http://www.dslreports.com [dslreports.com] . Just search for your model number (I assume 7004WBR--if it's not that, it isn't the same Amit hardware). I really wouldn't remember what all I did, it's been months. It involves cross-grading the firmware from SMC to an earlier version of Amit, then upgrading from there to 1.96h3, and also involves hard resetting the router to perform crash recoveries. Anyway, dslreports is a great resource to know.

Re:Good, but not "plug and forget." (2, Informative)

RzUpAnmsCwrds (262647) | more than 10 years ago | (#6885764)

"It's true that Most of these units are flash upgradable, but consumer-level network gear's support lifecycle tends to be pretty damned short."

Not with Linksys, at least. The Firewall/NAT box I purchased four years ago (BEFSR11) is still being sold, and I still get firmware upgrades for it.

Good reasons to buy an Apple Airport (3, Interesting)

goombah99 (560566) | more than 10 years ago | (#6889801)

As has been noted these routers are not plug and forget. YOu do need to apply patches . you need to know your new drivers will work with what ever version of OS and other software you are using. And frankly you need a freindly GUI interface so you know you aren't doing something stupid when you infrequently have to remember how to maintain your system.

hence apple airports are well worth the $50 premium you pay for them. The Apple software update will come with patches as needed for your security. You dont need to go looking, your apple will automatically get them the the moment they become available. You just have to run them. And you can be sure the apple updates will work well and not screw up your otherwise stable system. And the maintinence of the system is a freindly gui.

um (2, Informative)

Anonymous Coward | more than 10 years ago | (#6885084)

The firewall guru's I know argue that a NAT really doesn't give you much beyond security-by-obscurity.

Then your 'gurus' are dumbasses. Practially nothing gets past NAT. About the only thing that can compromise it is a trojan.

Your linux box is far more prone to hack attacks than an embedded device.

Re:um (2, Informative)

Mr. Darl McBride (704524) | more than 10 years ago | (#6885100)

Your linux box is far more prone to hack attacks than an embedded device.

Half of the current embedded devices are Linux boxes. :) The only difference is that most script kiddies don't know how to rewrite flash memory, so you can undo the eventual compromise with a power cycle.

Think of it as a little gateway box running Linux off CD, but without the ability to run intrusion detection software.

Re:um (1)

karmavore (618727) | more than 10 years ago | (#6885193)

That was a very informative comment Mr. McBride. Now that I know this intellectual property of yours, does that mean that SCO owns my brain and any IP it produces from now on?

Re:um (0)

Anonymous Coward | more than 10 years ago | (#6885463)

Now that really would be hilarious, if the real Darl McBride had a slashdot account and spent his evening posting helpful technical comments.

But it doesn't seem that plausible, does it? In reality he probably spends his evenings inventing lies and dreaming up new scams. And maybe even dressing up like a girl and shouting "it puts the dog, in the basket" down into a hole in the floor of his back room.

Re:um (1)

Mr. Darl McBride (704524) | more than 10 years ago | (#6885287)

The umm... beer in your sig seems to be about the right price for an even swap?

God, I'd love some of that right now.

Re:um (0)

Anonymous Coward | more than 10 years ago | (#6885299)

Psst... Click on "Reply to This" below the comment you want to reply to, not below your own comment.

Re:um (1)

Mr. Darl McBride (704524) | more than 10 years ago | (#6885351)

It was that $699 beer that did me in.

Re:um (3, Informative)

Anonymous Coward | more than 10 years ago | (#6887672)

Practially nothing gets past NAT

You can create packets that a NAT will convieniently route to it translated LAN. We frequently see packets that are addressed to the 192.168.0.x range on the LAN. Really cool, especially given that folks seldom change the default address ranges. Kids, if you didn't know this, try it -- it's a good time!

NetGear ProSafe firewalls are the better bet as they are true stateful packet inspection firewalls. Of course, with great power comes great responsibility.

Firewall tips:
1. Don't run your firewall on the same box as your web server or anything else for that matter. You don't want a CGI or mail exploit allowing an intruder to change your firewall rules
2. Block/Log outgoing ports such as SMTP to see if machines on your network are sending mail when they shouldn't be. Always block/log SSH, Telnet, FTP, TFTP, HTTP (high ports too)
3. Make it difficult. If a server doesn't need DNS for outgoing connections, don't configure DNS on the machine. Only install what is absolute necessary to run whatever daemons you may be running
4. Never allow PING
5. Never assign a Default DMZ
6. If your firewall is a NAT type, run a software firewall on your desktops (http://www.zonelabs.com has one free for personal use
7. Use a non-standard IP address range for your LAN
8. Log everything and review daily
9. Don't run Kazaa, Weatherbug, Gator, blah, blah, blah -- Use spybot or pest patrol to keep clean.
10. Windows machines should always be updated. ...there's plenty more that can be done.

(Former BH now WH)

Re:um (1)

Triumph The Insult C (586706) | more than 10 years ago | (#6888886)

4. Never allow PING
just curious, but, why not? ping is not necessarily evil.

Re:um (1, Informative)

Anonymous Coward | more than 10 years ago | (#6889168)

Ping is very useful for denial-of-service and "Smurf Attacks" where the sender is forged. If you were to monitor activity at your firewall today, you're going to see a lot of ICMP (ping) activity relating to an exploit in CISCO IOS.

morph (4, Insightful)

m0rph3us0 (549631) | more than 10 years ago | (#6885095)

NAT generally is equivalent to a firewall that disallows incoming connections. Some consumer firewalls allow a DMZ (connections made to the firewall are forwarded to the DMZ box). If you need more advanced rules than that then you need something like Linux. Personally, for a free OS based firewall I would use OpenBSD, lots of cool features. However, if you don't need more than what the consumer firewall provides it is a very cheap solution. Just keep the firmware up to date and disable the external administration.

Re:morph (1)

bobthemonkey13 (215219) | more than 10 years ago | (#6885291)

However, if you don't need more than what the consumer firewall provides it is a very cheap solution.

It is true that OpenBSD systems may be more expensive in terms of TCO than a $50 home router, but only if your time has value. If you're a bored student with too much free time like me, you can get an OpenBSD router/firewall up and running literally for free, using old commodity hardware. I've used OpenBSD as a router on machines from a Pentium MMX 266MHz all the way down to a Pentium 60MHz, with no problem routing the full capacity of my cable modem. I even ran it on an AlphaStation for a brief period of time (though the OpenBSD/Alpha kernel seems to have some nasty crash issues relating to the router/NAT system -- anyone know how to fix this?)

Re:morph (2, Insightful)

Lost2Home (674278) | more than 10 years ago | (#6885395)

It is true that OpenBSD systems may be more expensive in terms of TCO than a $50 home router, but only if your time has value.

Or if you have to pay for electricity, or if space is limited.

The big question is whether the consumer router lets you do what you want/need with your network. The Linux/OpenBSD solution gives you the ability to do a lot of things that would otherwise require commercial grade equipment.

rubbish, my $10 linksys has all sorts of features (2, Informative)

DrSkwid (118965) | more than 10 years ago | (#6886645)

port forwarding
port triggering
dynamic routing
AOL parental controls

ftp://ftp.linksys.com/pub/manuals/befsru31_ug.pd f

Re:rubbish, my $10 linksys has all sorts of featur (0)

Anonymous Coward | more than 10 years ago | (#6887185)

But can it do bandwidth shaping? No, and that's the killer ADSL feature if someone ever includes it in a consumer level device.

Two things to remember (5, Insightful)

PD (9577) | more than 10 years ago | (#6885103)

1) You've got to keep your firewalls up to date with the rest of your software

2) Don't build a maginot line that a hacker can plow through and then discover that Paris has no more defenses. Good security is always a series of obstacles, as many obstacles that you can put in the way. Not one of them will be perfect, but enough obstacles that are sufficiently difficult will keep a hacker out. So use that Linksys router. And run a router on each box. And make sure that your subnet isn't routable or addressable from the outside. And make sure your external facing machines are firewalled from your internal network. And make sure that your patches are up to date. And scan your internal network often to make sure than no funny ports are open. And read the advisories. And run a virus scanner. And don't use Outlook for a mail client. And don't forget to use that nmap against your external network interface frequently; if that means getting an Earthlink account just for scanning your network from the outside then do it.

Re:Two things to remember (2, Informative)

PD (9577) | more than 10 years ago | (#6885116)

Duh, I made a mistake. Don't run a router on each box. Run a FIREWALL on each box. Ipchains or Iptables or whatever.

Re:Two things to remember (1)

neden (228436) | more than 10 years ago | (#6885144)

Don't build a maginot line that a hacker can plow through and then discover that Paris has no more defenses.

The Germans didn't plow through the Maginot Line, they went around it, plowing through Belgium and the Netherlands.

K.

Re:Two things to remember (4, Funny)

jerde (23294) | more than 10 years ago | (#6885364)

The Germans didn't plow through the Maginot Line, they went around it, plowing through Belgium and the Netherlands.

So always wear pants while surfing the web -- don't let hackers get at your netherlands.

- Peter

Re:Two things to remember (1)

jazman_777 (44742) | more than 10 years ago | (#6885519)

Don't build a maginot line that a hacker can plow through and then discover that Paris has no more defenses

Just as a historical nitpick, the Maginot Line _did_ in fact work--the Germans didn't attack it directly, but went around it, quite successfully.

Re:Two things to remember (1)

roseblood (631824) | more than 10 years ago | (#6886212)

Goal of the Maginot defensive line - To protect France from an invasion from central and eastern European powers

How well it did it's job? A+ until Invasion Day, then it failed.

Re:Two things to remember (1)

Halvard (102061) | more than 10 years ago | (#6886527)

No, the Germans didn't go through the Maginot Line but the Eqyptions went through the Bar Lev Line is something like 12 hours. The point is still good.

Re:Two things to remember (1)

wolf- (54587) | more than 10 years ago | (#6887561)

To follow up on #2, a firewall at the top of your broadband connection is a great thing.

But when that moron down in dials up to AOL or his favorite ISP from his office machine, your defenses have just been breeched. His insecure windows system is now like a hooker waiting for the navy to come in. Every port open and ready.

So, yes, in addition to a strong firewall, be sure to regularly scan the internal network for problems.

Re:Two things to remember (0)

Anonymous Coward | more than 10 years ago | (#6887725)

And don't use Outlook for a mail client.
True!

But then as long as Outlook is predominant
my client won't be hacked because of lack of interest.

IPCop (5, Informative)

Anonymous Coward | more than 10 years ago | (#6885114)

Get an older computer, two nic's and IPCop [sourceforge.net] , and you'll be good to go. It's a linux distro customized just for nat/firewall/proxy use, and it's easy even for a novice to setup. A more advancded user can, of course, customize it quite a bit. The latest version even supports traffic prioritization with just a tiny amount of work, and the next version will have a GUI for that.

Re:IPCop (1)

Dan Ost (415913) | more than 10 years ago | (#6887016)

Why get a Linux distro that's trying to be OpenBSD when
you can get OpenBSD for the same price?

Re:IPCop (0)

Anonymous Coward | more than 10 years ago | (#6887554)

I doubt a novice could achieve the same level of setup with OpenBSD in the time.

Why IPCop instead of OpenBSD (4, Informative)

Glasswire (302197) | more than 10 years ago | (#6889389)

...Because

1) if you're familiar with Linux it's easy

2) Great web/SSH interface esp. to snort output

3) Works really well

4) Quick and easy to install -very flexible about DMZ configs

5) Runs nicely on a box I'd need to upgrade (need +10GB HD) to put Astaro on it. (But I might do that at some point)

Re:IPCop (1)

michael_cain (66650) | more than 10 years ago | (#6890309)

Having recently replaced the antique Linux box that functioned as our household router/NAT box for the past six years, I feel obligated to explain why it got replaced: for $40 plus tax, the new router/NAT consumer appliance uses 7.5W versus the 150W power supply, is completely silent versus the power supply in the old box that has always been fairly noisy, and occupies a few cubic inches next to the cable modem versus the cubic foot or better of the old desktop enclosure. On the down side, the appliance is not as flexible as the Linux box was, and certain network services (like printing) had to be moved to other computers.

As our children start to move out of the house, we are trying to simplify our lives and the household network. $40 seemed like a reasonable price to pay to replace the old box with something small and silent.

Re:IPCop (1)

bogie (31020) | more than 10 years ago | (#6891544)

Should have bought a SMC router, many of them have print servers built into them. The new cheapie SMC's even have real SPI Firewalls in them doing more then just blocking all inbound packets. Sure it isn't a highend firewall, but they are really quite impressive for what your spending. I mean something that costs less than $50 and emails you if someone is trying to SYN scan or DOS you is pretty cool.

If my 7004BR wasn't so dam reliable(been running for years with barely any reboots) I'd replace it for another SMC just for the Firewall stuff.

Re:IPCop (0)

Anonymous Coward | more than 10 years ago | (#6891006)

why go for the overkill and hassle????.. a basic Linksys for 80$ can blocked all ports.. let see hacker get through no open ports..then get yourself something like zonealarm or sygate for 40$ and protect outbound

Do you have the time? (3, Insightful)

pillohead (553676) | more than 10 years ago | (#6885118)

You don't gain much by using a dedicated computer, just more complexity and knowledge. While you do get to customize and tweak a computer far more than the little firewall/nat routers you also run the risk of misconfiguring it and making it worse than no firewall at all.

It all boils down to this, what you rather spend more of? Time or money? I use freebsd with natd/ipfw it's great for me, but I did it for the learning experience.

Depends on the application! (3, Informative)

Lacertus (171358) | more than 10 years ago | (#6885125)

Back when I was still in High School, I was lucky enough to land a job as the network admin of a small business, consisting of about 30 people or so. The entire shop was Open Source/Free software because cost was a major concern and that was what I was most experienced in (I basically did everything from running the copper across the ceiling to building the [admittedly crappy] webpage).

That being as it may, I was relatively inexperienced with ipTables, and honestly didn't know my ass from my forhead when it came to admin-ing. As such, I deployed one of the cheaper netgear firewalls; and to great success, I might add. Though it caused some isolated problems, it did its job and protected our network. Thus I can say I was happy with its performance.

As I've progressed in my techy career, I moved from such 'off-the-shelf' solutions, to building my own (extensive) iptables ruleset, to actually engineering my own 'blackbox' devices - these self-engineered devices were a product of my more ingenious years in college.

Well, this ramble can be summarized thus: "depends upon your application." Yes, Netgear et. al. produce a decent, well designed product. These solutions don't often attract much attention from the geek crowd due to their boilerplate nature, but they are function.

Now maintaining a rather massive network of thousands of people, I put my trust in a standalone, (sometimes) load-balanced front end consisting of an old x86 box running OpenBSD. The ruleset I carry with me is the product of several years of gradual modification, and is the best solution available (IMO).

old x86 box, good idea! (0)

Anonymous Coward | more than 10 years ago | (#6885198)

fans and power supplies and hard drives to fail.

Re:old x86 box, good idea! (1)

ralphclark (11346) | more than 10 years ago | (#6885493)

Plus you have to put up with the racket they make before they do fail. That part can last for a year or more.

OTOH, when a firewall box does finally die, you shouldn't lose much. The only thing of value on there was your config. And you did back that up, right?

Re:old x86 box, good idea! (1)

evalhalla (581819) | more than 10 years ago | (#6886239)

Not only I did back it up: since the x86 box came for free I just configured two or three of them in the same way, so that when one fails I can replace it in no time.

Or at least this is what i'd do if I had a small network for something serious, and enough space.

Re:Depends on the application! (1)

arcadum (528303) | more than 10 years ago | (#6885243)

I generally think of a black box as something I do not have access to... How can you design such a system and be unknowledgeable about it's workings?

If not secure, then more reliable (2, Insightful)

BusterB (10791) | more than 10 years ago | (#6885147)

Not to speak of security, but I have tried a couple of these small firewall boxes, a linksys and an SMC, up against Roadrunner's DHCP and SBC DSL's PPPoE connections. The biggest problems I had were that these boxes would drop connection big time if there was any kind of service ripple, and more often were unable to reconnect without restarting the box (power cycle or via the web interface). The SMC couldn't run for more than a couple of days over PPPoE without a reset.

Both FreeBSD and Linux have proven to be much more reliable against sometimes quirky network conditions. My current machine will have a new IP address and have updated my dyndns.org entries within 30 seconds of plugging in my DSL modem.

If you're going to get a firewall/router
appliance, get one that has something like Linux or BSD at its core.

Re:If not secure, then more reliable (1)

uradu (10768) | more than 10 years ago | (#6885482)

I up your negative anectode with a positive one. I'm running an ancient SMC 7004BR flashed with the latest OEM firmware with all sorts of goodies, and it's never let me down. There were a few weak firmware releases, but you just check the buzz on the relevant forums and avoid them. I have it on Comcast, and while they're generally quite stable around here, they do have periodic outages. The little box handles that quite gracefully and always comes back up nicely. I only ever have to reboot it when fiddling with settings. Of course, I pity the fool who must use PPPoE.

NAT, meet Britney (2, Insightful)

_iris (92554) | more than 10 years ago | (#6885261)

These "gurus" you know aren't really gurus. It seems "security-by-obscurity" is the new network security buzzword. If something obscures some piece of information, then that is suddenly its goal.

Think about this. If you did use ipchains, what would your first and most important rule be? My answer to that question is "deny all" (for a home network anyway). A side effect of NAT's inability to automatically map incoming connections is essentially a "deny all" rule. Because you probably need more than one IP address, you'll probably use NAT anyway. Therefore, you get this "deny all" rule for free. It, of course, doesn't hurt to use a linux-based firewall in addition to the NAT machine.

To sum it up, I wouldn't worry too much about it. It's not like anyone really wants your porn anyway :]

Re:NAT, meet Britney (0)

Anonymous Coward | more than 10 years ago | (#6885400)

mod parent up. he checked to see what was on the authors hard drive by breaking into his Linksys box.

Re:NAT, meet Britney (1)

jerde (23294) | more than 10 years ago | (#6885406)

To sum it up, I wouldn't worry too much about it. It's not like anyone really wants your porn anyway :]

And you weren't bothered at all by the extra traffic generated by CodeRed or slammer?

Network security is something that affects the entire network -- any compromized host is a bad thing. Worms can only work if there are vulnerable hosts waiting.

I don't worry about Grandma's port collection being compromised... I worry that Grandma's machine will be hijacked to send out worms and spam.

- Peter

Re:NAT, meet Britney (1)

uradu (10768) | more than 10 years ago | (#6885491)

> I worry that Grandma's machine will be hijacked to send out worms and spam.

And again, how exactly is this a NAT vulnerability? After all, if you remember, that's what we're talking about here.

Re:NAT, meet Britney (0)

Anonymous Coward | more than 10 years ago | (#6885650)

Not all worms use email, some scan for vulnerabilities like the XP RPC one. A NAT box would protect you from that.

heh (4, Interesting)

revmoo (652952) | more than 10 years ago | (#6885366)

I personally have found a couple of exploits in my linksys router. I talked to linksys about it, after about an hour with tech support they finally said "We don't have a fix for it, I've never heard about it, but I'll forward this to our developers.

Which was the last I heard about it.

Basically, the gist of the problem was that outsiders on the internet were able to access SMB shares through the router on the internal network even though the ports were not forwarded. Even null routing those ports didn't work.

So, no, consumer NAT devices aren't really secure, but they are still an extra layer between you and "The world", which is nice if you run windows(I didn't need to worry about Blaster, or it's variants thanks to the linksys).

Re:heh (0)

Anonymous Coward | more than 10 years ago | (#6885512)

I'm dying to ask how that was done (since I'm running a Linksys right now). But since posting the exploit here isn't exactly ethical, a more pertinent question would be:

Is there anything I can do to minimise the chances that someone succeeds with such an attack? (settings changes, etc?)

Re:heh (1)

revmoo (652952) | more than 10 years ago | (#6885550)

Is there anything I can do to minimise the chances that someone succeeds with such an attack? (settings changes, etc?)

Disable file sharing :)
Actually, you could probaly set windows to ignore requests from anything other than 192.168.* I imagine, though I'm better versed in *nix networking for that sort of thing.

Re:heh (1)

Jonathan the Nerd (98459) | more than 10 years ago | (#6887834)

Is there anything I can do to minimise the chances that someone succeeds with such an attack? (settings changes, etc?)

I'd recommend putting a software firewall (like ZoneAlarm) on all your Windows machines, in addition to using a hardware firewall. That'll stop any NetBIOS packets from getting in.

Re:heh (3, Informative)

cicadia (231571) | more than 10 years ago | (#6885533)

Why would you call tech support about that sort of thing?

Linksys has an email address, security@linksys.com [mailto] set up so that you can report things like this. Tech support is for people who can't tell the LAN cable from the WAN cable, or need to be told to power-cycle their routers.

And if you don't hear anything back for a while after emailing them there, try posting it to Bugtraq [securityfocus.com] -- that'll get their attention, if nothing else.

Re:heh (4, Funny)

Asprin (545477) | more than 10 years ago | (#6886784)


"...people who can't tell the LAN cable from the WAN cable..."

The mental image I had on reading this was priceless - A dad sitting at home on the phone with a red RJ45 patch cable in one hand and a green RJ45 patch cable in the other.

"So the WAN cable is
red, you say? ... hold on a second.... HONEY, GO UNPLUG THE RED EXTENSION CORD FROM THE GARAGE - SOMEONE MIGHT TRY TO HACK OUR WEEDWHACKER!"


Yeah, I know, it's early.

Linux/Ipchains isn't very good either (3, Insightful)

TheLink (130905) | more than 10 years ago | (#6885372)

ipchains is stateless. iptables is ok.

As for consumer NAT boxes? Well they're a lot harder to attack if they are done even half-baked. Coz NAT creates a fair number of barriers against inbound connections - an inbound packet needs to match an entry in the tables to go in to the right address/port pair behind. Unless there's a major screw up in the table matching bit, where is a packet going to go if there's no matching entry?

Maybe if they cut a few corners with DNS packets then the attacker could try sending spoofed DNS packets to trick people to go to a custom webmail site. Thing is, an attacker needing to have a site means leaving a bigger trail and the site can usually be shut down.

The usual holes in NAT are usually in handling NAT unfriendly protocols like FTP, H.323, IRC-DCC and so on. In fact if the box doesn't handle these its probably safer, so what if you lose a few features - Joe Schmoe doesn't even know about FTP, and really Joe Schmoe not being able to DCC files from someone (and stupidly run them) is a feature.

The other potential vulns are DoS - crashing the box - exploiting a box could be harder if it uses microprocessors which the attacker can't be bothered to get access to and figure out (most are script kiddies).

In all I think they are a good thing - such cheap firewalls significantly raise the barriers of entry to the masses.

Cheap and easy to use! (4, Informative)

hbackert (45117) | more than 10 years ago | (#6885384)

I never had any problems with off-the-shelf el-cheapo no-name home routers. I installed 4 such routers, 3 different brands in 3 companies and here at home. The latter one is a temporary solution, the other ones run for about 2 years now. No problems, except PPPoE related issues (MTU size limit and Linksys' inability to fragment them correctly, but this is an old Linksys). Even companies which wanted a more sophisticated router (Yamaha, Cisco) wanted: NAT, nothing incoming, everything outgoing. Not different from cheap home-routers.

That said, while a NATing router might not be the worlds securest solution, it's a very simple one and a pretty effective one too as long as users don't use the 'DMZ' feature, but I don't know anyone using it without knowing what it does in terms of attackability. For the money you pay, you get the ability to connect more than one computer to the Internet, and they are all no longer easily attackable. Great value for money.

Imagine a world where all users had those. Windows viruses/worms would have a much harder life to spread.

The key here is, that it's cheap and easy to use and it actually works. Compare that with a far more complicated Linux/*BSD firewall solution.

Re:Cheap and easy to use! (2, Interesting)

fm6 (162816) | more than 10 years ago | (#6885967)

I agree with you on every point, but one of your points needs further elaboration.

It might seem strange that a cheap router could provide such high level of security. It's effective for the same reason that it's cheap: the technology is very simple. Machines on the local network can open connections to remote machines, but no remote machine can access a local machine. In fact, remote machines can't even address local machines -- the network IP addresses are meaningless outside the local network. This is fundamentally more effective than all the complicated, expensive "firewall" solutions.

Of course, this doesn't meet everybody's needs. Some people have to have remote access to the local machine, or support P2P. But my experience with routers that isolate you from the internet at large makes me more than willing to give up a few network features.

I'm actually talking more from my experience with company networks than with these cheap routers. But the principle is the same. When you access the internet through a firewall proxy, you can only do things the proxy lets you do. And in a security conscious company, that is usually not much. While on a private network, there's nothing to stop you from opening any kind of connection you want.

My Experience (3, Informative)

Ratbert42 (452340) | more than 10 years ago | (#6885387)

I've run the following firewall/host setups:

Linux (Redhat 6.1-ish?) firewall/occasional web and ftp server with a mix of Windows clients. The Linux machine was never compromised but it did begin crashing on a regular basis, I believe due to DoS attacks of an unknown form. I retired this box due to the crashes.

OpenBSD (3.0?) replaced this box with the same client load. No problems and no compromises, but keeping up with patches, particularly rebuilding the kernel, was a pain on such a slow machine.

Linksys box replaced that in the same environment. Again no compromises, but still no services really exposed. The lack of configurability compared to Linux/OpenBSD boxes was a pain.

Current setup of 3 static IP's, 2 with Linksys boxes protecting web/dns servers and 1 with a DLink WAP/NAT firewall box protecting client boxes. The servers (1 OpenBSD 3.3 and 1 Windows 2000) have had no compromises and the Linksys boxes have given me no problems at all. The DLink box is a pain because it apparently drops idle tcp connections after about 5 minutes. It's much more configurable than the Linksys boxes though. Still no compromises through the DLink firewall either.

So in short, I've never had a compromise through any firewall, hardware or unix-ish box. The only compromise I've had (except the DoS crashes on the Linux firewall) was a trojan from a downloaded piece of software.

It's another layer, and more layers is good (4, Informative)

Zocalo (252965) | more than 10 years ago | (#6885445)

Given that most devices on the market today come with firewalling included by default, you might as well use it! There's nothing to stop you putting a Linux/BSD based firewall behind it if you wanted too, and of course, you *do* have a personal firewall on each of the Internet connected PCs, right?

I have a routed block at home, and my basic setup is to use the embedded firewall (it's BSD running IPF as far as I can tell) to perform basic ingress/egress firewalling, DoS and portscan detection etc. and provide an Internet synched NTP server. All the firewall rule violations get sent back to a Linux box via SysLog and I also monitor network devices via SNMP. *All* my internal kit is restricted access by a local firewall; IPTables on the Linux boxes and Agnitum's excellent Outpost Pro [agnitum.com] on the Windows boxes. On top of all that, I have a slew of other stuff; TCPWrappers, a NAT'd wireless network locked down by MAC address, my switch is also locked to MACs and there is a small battery of IDS stuff running.

  • That's the setup. How does it work? Very well it turns out; here are the stats for Friday:
  • IP sessions blocked by gateway firewall: 4072
  • IP sessions blocked by local firewalls: 0 (that's zero!)
  • Probes of FTP server: 1
  • Probes of HTTP server: 16 (looks like Nimda's nearly dead)
  • Probes of SMTP server: 0 (that's suprising!)
  • Probes of SSH server: 0 (ditto)
So, yes, it does look like these things are very effective, if you set them up properly of course!

Re:It's another layer, and more layers is good (1)

hattmoward (695554) | more than 10 years ago | (#6888988)

Wow! and you're hiding what? :)

cheap test (5, Informative)

DuctTape (101304) | more than 10 years ago | (#6885483)

One cheap (i.e., no prep) test from the outside is to head over to Gibson Research's site [grc.com] and have it run the Shields UP scanner on your system (links at the bottom of the page). Probably rudimentary, but it'll tell you what you look like from the outside, with pretty pictures, too. It also tells you when your firewall probes them back.

And of course, for the Windows users, there's our free friend Zone Alarm [zonelabs.com] to help put another layer between your machine and the bad ol' Internet.

DT

Great advice. (1)

Futurepower(R) (558542) | more than 10 years ago | (#6885735)

Mod parent up!!! Great advice.

ZoneAlarm is crap (0)

Anonymous Coward | more than 10 years ago | (#6885765)

I'm sorry, but it is. Even when it's disabled, I've known it to cause problems for people. Personally, I'd much rather use Kerio Personal Firewall [kerio.com] , with a preference for the 2.x over the 4.x series. AtGuard was great in it's day, too, but Norton ruined it.

Re:cheap test (2, Informative)

rafa (491) | more than 10 years ago | (#6887498)

If you feel like running some other scans, get a friend to give you a good probing with nmap [insecure.org] or nessus [nessus.org] (which performs an nmap scan as well).

Re:cheap test (1)

FCKGW (664530) | more than 10 years ago | (#6888427)

When I take my laptop to work, I like to run Nmap on my home IP address. I can make sure the only ports open are the ones I opened myself, and when I get home I'll make sure my IDS logged the scan.

NAT Issues (2, Informative)

jazman_777 (44742) | more than 10 years ago | (#6885554)

I think there's been some noise about ISPs being able to figure out you're NATting from the packet info. I think you can obscure that with OpenBSD. With the Linksys et al you can't. Who cares? When the ISP decides to charge per computer on your LAN...

Re:NAT Issues (2, Insightful)

acidrain69 (632468) | more than 10 years ago | (#6888011)

I'd like to see them try. I do tech support for one of the larger DSL co's in the US, and I couldn't imagine the outcry if they started instituting that. The only damage having a NAT does to the ISP is for the people who don't know what they are doing who call up for help to setup the NAT/router. We only support the NAT's and routers that we sell, if they call up about a linksys or a netgear, we send them to those manufacturers.

I remember the noise about this, but I haven't seen any ISP's take notice or do anything about it. They won't. Because as long as the customer sets it up correctly, it doesn't affect the service at ALL, the ISP has done NOTHING to give the customer more value, so they shouldn't be able to charge for it.

Cisco 675 (1)

Futurepower(R) (558542) | more than 10 years ago | (#6885628)

Ciscos's 675 modem/firewall comes with the DSL in this area. Cisco publishes security vulnerabilities frequently, but will only give updates if you have a Cisco contract, for more than $200. So, vulnerabilities go unpatched. Cisco says the telephone company is its customer, not the user. The telephone company has often been cited by the Oregon state government for bad service. The telephone company certainly will not support another company's products.

Cisco's products die. (1)

Futurepower(R) (558542) | more than 10 years ago | (#6885691)


Cisco's products have a curious quality: They die! [cisco.com] And you can't even read the death web page unless you pay Cisco money. This has been a VERY high total cost of ownership product. And now Cisco wants users to buy something else.

Why buy a product from a company that kills its products? Why buy a closed-source product? Frankly, I think there will come a time when there are no closed-source products.

I may not be able to defend myself now from aggressive business practices like those of Microsoft and Cisco, but I will remember. If there are enough people like me, the Ciscos and Microsofts will eventually go out of business.

Re:Cisco's products die. (1)

oDDmON oUT (231200) | more than 10 years ago | (#6886303)

Didn't Cisco buy Linksys? If so, wonder what that bodes for future support policy.

Netopia R910 (2, Interesting)

Detritus (11846) | more than 10 years ago | (#6885656)

One possibility is to spend some more money and get the low-end model in a series of routers manufactured by a real router company. After having problems with Netgear and SMC, I bought a Netopia R910. It runs the same software as their more expensive routers. The firewall features, while not as fancy as what you can do with a dedicated PC, are adequate for my needs.

More is better (1)

tres (151637) | more than 10 years ago | (#6885763)

Personally I'd never put one of these on the open Internet and expect to be secure.

That said, I do have a Linksys packet filtering router that I use behind an OpenBSD packet filtering bridge.

It makes more sense to have my servers sitting behind the bridge, and my desktops behind the router. I think Zwicky et. al in Building Internet Firewalls call this a "screened subnet."

Having the packet filtering bridge operating on the outside edge of your network means that the number of people who have access to the machine have been dramatically decreased; since it exists on the link layer, the only machine that has access to it is on the other side of the wire plugged into it. For all intents and purposes (a cracker may have) the machine is invisible.

NAT's stop outside connections in... (3, Insightful)

WoTG (610710) | more than 10 years ago | (#6885870)

but the best trojans make OUTGOING connections to IRC or other systems. So, assuming that your NAT functions as advertised, your network is protected from all remote attacks. However, if an internal machine gets a virus or trojan through email or installing bugged software, you still have a serious security problem. NAT's by default, let internal machines make any connections to the outside that they want.

So, turn on or add a firewall if you really are concerned. Not that that's a 100% solution either...

Re:NAT's stop outside connections in... (1)

oDDmON oUT (231200) | more than 10 years ago | (#6886336)

If you're runnning Wintel boxes, you add another layer with a rules based, software firewall that does an MD5 checksum of all applications accessing the outside.

Kerio Personal Firewall [kerio.com] (2.0M d/l [kerio.com] ) is a great little app that does just that.

Run a service pack, then bring up a Search window to see what I mean.

m0n0wall + embedded board = best of both worlds! (2, Interesting)

Anonymous Coward | more than 10 years ago | (#6885905)

Interesting, I just finished setting up this [m0n0.ch] on one of these [soekris.com] .

I was pretty damn impressed with m0n0wall, it's freebsd-based and fits on an 8MB CF card, and has a nice web interface. Of course it's free software so you can hack it and improve it all you like (you need another FreeBSD box to do it on).

Check out this combo, it's the best of "play and play" and "high quality free software" in one Institutional Green sheet metal case!!

Effectiveness of consumer NAT/firewall boxes (3, Informative)

pbannister (221251) | more than 10 years ago | (#6886210)

I too have wondered if there were any exploits for consumer NAT/firewall boxes. Judging from posts so far, it would seem that at least there are none known :).

I started using the Linksys cable/routers when they first came out. I have insisted that all my neighbors, friends, and family with fast connections use a Linksys box (or similar).

There are a few points to bear in mind:

  1. Most crack attempts are from brain-dead script kiddies.
  2. Hardware firewalls fail-safe, where software firewalls fail-unsafe.
  3. You don't want your average folk running only a software firewall.

Observation (1) comes from running with both a Linux and Windows box exposed directly to the Internet. Both boxes had all unnecessary ports closed, were up-to-date on all patches, and carefully monitored. Neither machine was ever compromised. Periodic review of the logs showed a remarkable lack of intelligence on the part of the attacker. Practically all the activity was from a small number of popular crack-of-the-month scripts. Tracing the attacks back to their source - and getting the script kiddie kicked off their account - was seldom difficult.

So practically speaking, we don't have to worry about ultra-sophisticated attacks. The vast majority of script kiddies lack the needed intelligence.

Keep (2) in mind when you weigh the risk of failure. If a software firewall fails to run (for whatever reason) most likely your machine will be completely exposed. If the hardware NAT/firewall fails you will be safe (if without internet access). The software on your PC probably changes regularly. If any of those changes disables your firewall, the you might first notice when your machine is already subverted. The software in your NAT/firewall box never changes (discounting upgrades) so the chance of failure is less.

Keep (3) in mind when evaluating effectiveness. Most folks with fast connections are not techies. A solution that works well and reliably for the bulk of the population is in the end far more effective.

Re:Effectiveness of consumer NAT/firewall boxes (1)

stevey (64018) | more than 10 years ago | (#6887239)

Judging from posts so far, it would seem that at least there are none known :).

I think it's fair to say that if they're setup properly, and you don't go frobbing configuration values you don't understand you're fine.

However there are several NAT boxes which are configured via your web browser - and some of those have been known to listen upon the external interface.

Read your documentation, or probe from outside to see if that's the case - if it is and you can't disable it make sure you pick a good password...

a linux firewall is easy too... (2, Informative)

ajayrockrock (110281) | more than 10 years ago | (#6886268)

I just tried out this floppy distro called BBIagent [bbiagent.net] and it's pretty easy to setup (GPL too!). You configure it through a java window and it's much cooler then my old linksys box. I hate to say it but one of the cool features is a live graph of my incoming/outgoing. There's also way more features.

later,
ajay

PS. I'm not affiliated with them in anyway, blah blah blah...

Re:a linux firewall is easy too... (0)

Anonymous Coward | more than 10 years ago | (#6889322)

Wow, this IS cool! Thank you so very much for that link, I used FLi4L until now which is fine, but requires manual config edit -> bootdisk, so most changes in the config required rewriting the boot image, then rebooting the router... THANKS!!

Not really (3, Interesting)

Halvard (102061) | more than 10 years ago | (#6886563)

I know several people that have had problems using these. Not counting the problems with locking up by going for an URL on some (Linksys?), most people not bothering to change the default password and service providers or users or consultants turning on (or not turning off) the web management interface on the WAN side, these devices are designed to be used by people that have no business setting up and configuring firewalls.

I've seen them directly compromised where someone broke in, changed the password AND disabled the public interface. Additionally, people and frequently small businesses stick servers behind them, whether just forwarding a port or using the DMZ option. Great, leave an patched or unpatched Windows box accessible on every port sitting there fat dumb and happy for attack. And leave it on your LAN where it can be used to stage an attack on everything else on your LAN and everyone else in the world.

Of course I've also come across Cisco routers improperly configured to DMZ an Exchange server where every port except TCP 23 was forwarded and of course, it got owned.

My point is that these devices provide a very false sense of being immune to attack and an "army of know-it-all experts" ranging from jr. high schoolers to 60 something retirees that really have little or no knowledge. Somebody sets up four of these things and they are an expert. It's like reading the first paragraph of "War and Peace" and declaring yourself an expert on Russian literature.

Sometimes they are better than nothing, but they are worse than nothing when left in their default configuration or setup in a totally insecure way,leaving the "expert" confident that they are protected.

Maybe yes, maybe no. (2, Informative)

FreeLinux (555387) | more than 10 years ago | (#6887153)

The consumer level firewalls that you mention can be secure but, they can also be compromised depending on the situation. The most important issue is the proper setup and on going maintenance of any security device. You cannot hope to be secure with a "fire and forget" security solution.

The first issue is proper installation and configuration. Does the installer really know what they are doing and why? In many/most cases, the answer is no. The initial default configurations of these devices is usually very secure using a combination of NAT, which does indeed increase the level of security, and restrictive firewall rules. However, far too many people find the default configurations too restrictive for their needs and start opening holes in order to permit certain desired services like gaming. This is where the problems start. As unknowing installers open various ports or enable port forwarding or installing certain machines in "DMZ" zones the inadvertently open their systems up to the world.

The second issue is with the actual OS of the device itself. There have been a few vulnerabilities in the devices that you mention that allow for compromise of the actual firewall. I have personally found two Linksys devices that were compromised and reconfigured as open proxies for the purpose of relaying spam. The vulnerabilities were known and there were fixes available to resolve the issue but, people frequently do not know about these vulnerabilities and the firmware updates are not applied. In most cases they are never even aware that they have been compromised. Do you know how to determine if you have been compromised and how often do you check to make sure? So, regular maintenance is very important but very few ever check for, let alone install firmware updates.

The biggest issue is a true understanding of the risks and how to defend against them. I frequently see "qualified" network engineers with years of experience who still do not completely grasp the many facets of the IP protocol and how it can be used to invade a network. This does not however impact their belief that they are effectively installing and configuring firewalls of all varieties(shudder).

To answer your question directly, depending on the precise situation and the requirements of the network, a Linksys or Netgear firewall can be just as secure as a CheckPoint firewall but, all three must be configured correctly, monitored constantly and maintained regularly.

A thorough understanding of TCP/IP and its security is the most important step towards true security and this is in fact what most people lack. Look at this [slashdot.org] article asking about private IP addressing and the slew of comments that illustrate the person does not even understand subnetting. Yet, I'll wager that most of these people would not think twice about setting up a firewall and probably regard themselves as "experts" in network security.

The actual firewall is not as critical as the understanding of the firewall. Switching from Linksys to a Linux firewall isn't helpful if you don't truly understand what you are looking at with ipchains -Lvn or iptables -Lvn. In fact, if you don't truly understand the many facets of securing an IP network as well as hardening the Linux OS, you are far better off with the Linksys. At least, in the default configuration, it is more likely to be secure.

Its the same thing! (2, Interesting)

josepha48 (13953) | more than 10 years ago | (#6888209)

Supposedly Linksys, uses Linux in their devices. There was a discussion about this on the linux kernel mailing list or slashdot a little while ago.

Anyway the principal is the same in both cases. Both Linux and these devices offer you a firewall and both offer you NAT and a few other features. The NAT devices offer you ease of configuration and ease of use, while Linux, BSD, or any other UNIX type OS that has built in firewalling offers you a little more control over the firewalling. AFAIK you cant deal with frag packets in these NAT devices and specify various tcp flags or things. All they do is allow or deny various types of traffic. Also you cant set them up to do DNS / mail like you could a Linux / BSD system.

In the end it is a matter of preference IMHO and affordability. If you can afford one and don't want to deal with all the updates that you'd be applying to a Linux box or BSD system then that would be the way to go.

Re:Its the same thing! (1)

josepha48 (13953) | more than 10 years ago | (#6891328)

assuming this link is still active read here about netgear and smc http://story.news.yahoo.com/news?tmpl=story&cid=74 &ncid=74&e=4&u=/cmp/20030906/tc_cmp/147000 57

In either case you have to keep them updated

Words of Warning (2, Insightful)

schulzdogg (165637) | more than 10 years ago | (#6889074)

I have a linksys router thingy, and It sits in front of several computers and other networked home appliances (Tivo, Playstation).

It works great, never had a problem with it at all, but...

I have a linux server running on that network and traffic on port 22 is forwarded to the linux box. Add an old version of sshd and viola! Rooted.

Because I was behind that firewall though I didn't pay as much attention to the box as I should have and it took me a week to realize something was wrong.

Moral: The firewall can't protect you from yourself. You still have to be carefull behind it.

They're good, but... (3, Informative)

vasqzr (619165) | more than 10 years ago | (#6891411)


A good firewall would mean setting up a Linux/BSD box, putting a couple NICs in it and setting it all up, right.

But 95% of the people who read a couple FAQs or books won't do it perfectly.

So the small appliances work great, as long as you can live with their limited functionality. If you just want 30 users to surf the web it'll be fine, but getting servers etc involved can be tricky with some models.

The worst thing is when they have poor security by default. We used to scan entire IP blocks, looking for open telnet ports, and we'd just use the default logins to get in. Anyone remember 'wradmin'?

You could telnet in, shut the DHCP off, or disable routing, telnet to other computers/printers inside their private networks, if it was an ISDN router you could change the dial out phone numbers...

what resources to learn how to configure a router? (0)

Anonymous Coward | more than 10 years ago | (#6891708)

or firewall, etc.

webpages, books w/author would be appreciated.
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...