Slashdot Mirror
Are Consumer Firewall/NAT Boxes Really Secure?
blate asks: "Consumer-grade Firewall/NAT devices, such as those from Linksys, Netgear, D-Link, etc., have become very popular as more and more users get broadband connections. I've been using a Linksys router at home for several years and have never had any security problems. But how secure are these devices, really? The firewall guru's I know argue that a NAT really doesn't give you much beyond security-by-obscurity. What are your experiences with this (have you ever been comprimized through such a device)? Would I be better off with a Linux/ipchains firewall?"
It's true that Most of these units are flash upgradable, but consumer-level network gear's support lifecycle tends to be pretty damned short. It's quite likely that the company producing the hardware isn't going to be bothered to repair a product, even if it's proven to be as permeable as a sponge.
My personal take would be that these units are great, so long as you learn a little about how they work. Shoot for something that's based on Linux or another OS with public information, learn what kernel it's using, and then treat the unit just like a PC running that same release. If an exploit is announced for that version of Linux, get it off the wire until you can patch it, just like you'd do with the real PC.
The firewall guru's I know argue that a NAT really doesn't give you much beyond security-by-obscurity.
Then your 'gurus' are dumbasses. Practially nothing gets past NAT. About the only thing that can compromise it is a trojan.
Your linux box is far more prone to hack attacks than an embedded device.
NAT generally is equivalent to a firewall that disallows incoming connections. Some consumer firewalls allow a DMZ (connections made to the firewall are forwarded to the DMZ box). If you need more advanced rules than that then you need something like Linux. Personally, for a free OS based firewall I would use OpenBSD, lots of cool features. However, if you don't need more than what the consumer firewall provides it is a very cheap solution. Just keep the firmware up to date and disable the external administration.
1) You've got to keep your firewalls up to date with the rest of your software
2) Don't build a maginot line that a hacker can plow through and then discover that Paris has no more defenses. Good security is always a series of obstacles, as many obstacles that you can put in the way. Not one of them will be perfect, but enough obstacles that are sufficiently difficult will keep a hacker out. So use that Linksys router. And run a router on each box. And make sure that your subnet isn't routable or addressable from the outside. And make sure your external facing machines are firewalled from your internal network. And make sure that your patches are up to date. And scan your internal network often to make sure than no funny ports are open. And read the advisories. And run a virus scanner. And don't use Outlook for a mail client. And don't forget to use that nmap against your external network interface frequently; if that means getting an Earthlink account just for scanning your network from the outside then do it.
If tits were wings it'd be flying around.
Get an older computer, two nic's and IPCop, and you'll be good to go. It's a linux distro customized just for nat/firewall/proxy use, and it's easy even for a novice to setup. A more advancded user can, of course, customize it quite a bit. The latest version even supports traffic prioritization with just a tiny amount of work, and the next version will have a GUI for that.
It all boils down to this, what you rather spend more of? Time or money? I use freebsd with natd/ipfw it's great for me, but I did it for the learning experience.
Back when I was still in High School, I was lucky enough to land a job as the network admin of a small business, consisting of about 30 people or so. The entire shop was Open Source/Free software because cost was a major concern and that was what I was most experienced in (I basically did everything from running the copper across the ceiling to building the [admittedly crappy] webpage).
That being as it may, I was relatively inexperienced with ipTables, and honestly didn't know my ass from my forhead when it came to admin-ing. As such, I deployed one of the cheaper netgear firewalls; and to great success, I might add. Though it caused some isolated problems, it did its job and protected our network. Thus I can say I was happy with its performance.
As I've progressed in my techy career, I moved from such 'off-the-shelf' solutions, to building my own (extensive) iptables ruleset, to actually engineering my own 'blackbox' devices - these self-engineered devices were a product of my more ingenious years in college.
Well, this ramble can be summarized thus: "depends upon your application." Yes, Netgear et. al. produce a decent, well designed product. These solutions don't often attract much attention from the geek crowd due to their boilerplate nature, but they are function.
Now maintaining a rather massive network of thousands of people, I put my trust in a standalone, (sometimes) load-balanced front end consisting of an old x86 box running OpenBSD. The ruleset I carry with me is the product of several years of gradual modification, and is the best solution available (IMO).
Not to speak of security, but I have tried a couple of these small firewall boxes, a linksys and an SMC, up against Roadrunner's DHCP and SBC DSL's PPPoE connections. The biggest problems I had were that these boxes would drop connection big time if there was any kind of service ripple, and more often were unable to reconnect without restarting the box (power cycle or via the web interface). The SMC couldn't run for more than a couple of days over PPPoE without a reset.
Both FreeBSD and Linux have proven to be much more reliable against sometimes quirky network conditions. My current machine will have a new IP address and have updated my dyndns.org entries within 30 seconds of plugging in my DSL modem.
If you're going to get a firewall/router
appliance, get one that has something like Linux or BSD at its core.
fans and power supplies and hard drives to fail.
These "gurus" you know aren't really gurus. It seems "security-by-obscurity" is the new network security buzzword. If something obscures some piece of information, then that is suddenly its goal.
:]
Think about this. If you did use ipchains, what would your first and most important rule be? My answer to that question is "deny all" (for a home network anyway). A side effect of NAT's inability to automatically map incoming connections is essentially a "deny all" rule. Because you probably need more than one IP address, you'll probably use NAT anyway. Therefore, you get this "deny all" rule for free. It, of course, doesn't hurt to use a linux-based firewall in addition to the NAT machine.
To sum it up, I wouldn't worry too much about it. It's not like anyone really wants your porn anyway
I personally have found a couple of exploits in my linksys router. I talked to linksys about it, after about an hour with tech support they finally said "We don't have a fix for it, I've never heard about it, but I'll forward this to our developers.
Which was the last I heard about it.
Basically, the gist of the problem was that outsiders on the internet were able to access SMB shares through the router on the internal network even though the ports were not forwarded. Even null routing those ports didn't work.
So, no, consumer NAT devices aren't really secure, but they are still an extra layer between you and "The world", which is nice if you run windows(I didn't need to worry about Blaster, or it's variants thanks to the linksys).
I would expect such blatant racism on Fark, but on Slashdot? Mods please ban this asshole.
ipchains is stateless. iptables is ok.
As for consumer NAT boxes? Well they're a lot harder to attack if they are done even half-baked. Coz NAT creates a fair number of barriers against inbound connections - an inbound packet needs to match an entry in the tables to go in to the right address/port pair behind. Unless there's a major screw up in the table matching bit, where is a packet going to go if there's no matching entry?
Maybe if they cut a few corners with DNS packets then the attacker could try sending spoofed DNS packets to trick people to go to a custom webmail site. Thing is, an attacker needing to have a site means leaving a bigger trail and the site can usually be shut down.
The usual holes in NAT are usually in handling NAT unfriendly protocols like FTP, H.323, IRC-DCC and so on. In fact if the box doesn't handle these its probably safer, so what if you lose a few features - Joe Schmoe doesn't even know about FTP, and really Joe Schmoe not being able to DCC files from someone (and stupidly run them) is a feature.
The other potential vulns are DoS - crashing the box - exploiting a box could be harder if it uses microprocessors which the attacker can't be bothered to get access to and figure out (most are script kiddies).
In all I think they are a good thing - such cheap firewalls significantly raise the barriers of entry to the masses.
I never had any problems with off-the-shelf el-cheapo no-name home routers. I installed 4 such routers, 3 different brands in 3 companies and here at home. The latter one is a temporary solution, the other ones run for about 2 years now. No problems, except PPPoE related issues (MTU size limit and Linksys' inability to fragment them correctly, but this is an old Linksys). Even companies which wanted a more sophisticated router (Yamaha, Cisco) wanted: NAT, nothing incoming, everything outgoing. Not different from cheap home-routers.
That said, while a NATing router might not be the worlds securest solution, it's a very simple one and a pretty effective one too as long as users don't use the 'DMZ' feature, but I don't know anyone using it without knowing what it does in terms of attackability. For the money you pay, you get the ability to connect more than one computer to the Internet, and they are all no longer easily attackable. Great value for money.
Imagine a world where all users had those. Windows viruses/worms would have a much harder life to spread.
The key here is, that it's cheap and easy to use and it actually works. Compare that with a far more complicated Linux/*BSD firewall solution.
Linux (Redhat 6.1-ish?) firewall/occasional web and ftp server with a mix of Windows clients. The Linux machine was never compromised but it did begin crashing on a regular basis, I believe due to DoS attacks of an unknown form. I retired this box due to the crashes.
OpenBSD (3.0?) replaced this box with the same client load. No problems and no compromises, but keeping up with patches, particularly rebuilding the kernel, was a pain on such a slow machine.
Linksys box replaced that in the same environment. Again no compromises, but still no services really exposed. The lack of configurability compared to Linux/OpenBSD boxes was a pain.
Current setup of 3 static IP's, 2 with Linksys boxes protecting web/dns servers and 1 with a DLink WAP/NAT firewall box protecting client boxes. The servers (1 OpenBSD 3.3 and 1 Windows 2000) have had no compromises and the Linksys boxes have given me no problems at all. The DLink box is a pain because it apparently drops idle tcp connections after about 5 minutes. It's much more configurable than the Linksys boxes though. Still no compromises through the DLink firewall either.
So in short, I've never had a compromise through any firewall, hardware or unix-ish box. The only compromise I've had (except the DoS crashes on the Linux firewall) was a trojan from a downloaded piece of software.
I have a routed block at home, and my basic setup is to use the embedded firewall (it's BSD running IPF as far as I can tell) to perform basic ingress/egress firewalling, DoS and portscan detection etc. and provide an Internet synched NTP server. All the firewall rule violations get sent back to a Linux box via SysLog and I also monitor network devices via SNMP. *All* my internal kit is restricted access by a local firewall; IPTables on the Linux boxes and Agnitum's excellent Outpost Pro on the Windows boxes. On top of all that, I have a slew of other stuff; TCPWrappers, a NAT'd wireless network locked down by MAC address, my switch is also locked to MACs and there is a small battery of IDS stuff running.
- That's the setup. How does it work? Very well it turns out; here are the stats for Friday:
- IP sessions blocked by gateway firewall: 4072
- IP sessions blocked by local firewalls: 0 (that's zero!)
- Probes of FTP server: 1
- Probes of HTTP server: 16 (looks like Nimda's nearly dead)
- Probes of SMTP server: 0 (that's suprising!)
- Probes of SSH server: 0 (ditto)
So, yes, it does look like these things are very effective, if you set them up properly of course!UNIX? They're not even circumcised! Savages!
And of course, for the Windows users, there's our free friend Zone Alarm to help put another layer between your machine and the bad ol' Internet.
DT
Is this thing on? Hello?
I think there's been some noise about ISPs being able to figure out you're NATting from the packet info. I think you can obscure that with OpenBSD. With the Linksys et al you can't. Who cares? When the ISP decides to charge per computer on your LAN...
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
Ciscos's 675 modem/firewall comes with the DSL in this area. Cisco publishes security vulnerabilities frequently, but will only give updates if you have a Cisco contract, for more than $200. So, vulnerabilities go unpatched. Cisco says the telephone company is its customer, not the user. The telephone company has often been cited by the Oregon state government for bad service. The telephone company certainly will not support another company's products.
One possibility is to spend some more money and get the low-end model in a series of routers manufactured by a real router company. After having problems with Netgear and SMC, I bought a Netopia R910. It runs the same software as their more expensive routers. The firewall features, while not as fancy as what you can do with a dedicated PC, are adequate for my needs.
Mea navis aericumbens anguillis abundat
Cisco's products have a curious quality: They die! And you can't even read the death web page unless you pay Cisco money. This has been a VERY high total cost of ownership product. And now Cisco wants users to buy something else.
Why buy a product from a company that kills its products? Why buy a closed-source product? Frankly, I think there will come a time when there are no closed-source products.
I may not be able to defend myself now from aggressive business practices like those of Microsoft and Cisco, but I will remember. If there are enough people like me, the Ciscos and Microsofts will eventually go out of business.
Mod parent up!!! Great advice.
That said, I do have a Linksys packet filtering router that I use behind an OpenBSD packet filtering bridge.
It makes more sense to have my servers sitting behind the bridge, and my desktops behind the router. I think Zwicky et. al in Building Internet Firewalls call this a "screened subnet."
Having the packet filtering bridge operating on the outside edge of your network means that the number of people who have access to the machine have been dramatically decreased; since it exists on the link layer, the only machine that has access to it is on the other side of the wire plugged into it. For all intents and purposes (a cracker may have) the machine is invisible.
Notes From Under *nix: blas.phemo.us
I'm sorry, but it is. Even when it's disabled, I've known it to cause problems for people. Personally, I'd much rather use Kerio Personal Firewall, with a preference for the 2.x over the 4.x series. AtGuard was great in it's day, too, but Norton ruined it.
but the best trojans make OUTGOING connections to IRC or other systems. So, assuming that your NAT functions as advertised, your network is protected from all remote attacks. However, if an internal machine gets a virus or trojan through email or installing bugged software, you still have a serious security problem. NAT's by default, let internal machines make any connections to the outside that they want.
So, turn on or add a firewall if you really are concerned. Not that that's a 100% solution either...
Interesting, I just finished setting up this on one of these.
I was pretty damn impressed with m0n0wall, it's freebsd-based and fits on an 8MB CF card, and has a nice web interface. Of course it's free software so you can hack it and improve it all you like (you need another FreeBSD box to do it on).
Check out this combo, it's the best of "play and play" and "high quality free software" in one Institutional Green sheet metal case!!
I too have wondered if there were any exploits for consumer NAT/firewall boxes. Judging from posts so far, it would seem that at least there are none known :).
I started using the Linksys cable/routers when they first came out. I have insisted that all my neighbors, friends, and family with fast connections use a Linksys box (or similar).
There are a few points to bear in mind:
Observation (1) comes from running with both a Linux and Windows box exposed directly to the Internet. Both boxes had all unnecessary ports closed, were up-to-date on all patches, and carefully monitored. Neither machine was ever compromised. Periodic review of the logs showed a remarkable lack of intelligence on the part of the attacker. Practically all the activity was from a small number of popular crack-of-the-month scripts. Tracing the attacks back to their source - and getting the script kiddie kicked off their account - was seldom difficult.
So practically speaking, we don't have to worry about ultra-sophisticated attacks. The vast majority of script kiddies lack the needed intelligence.
Keep (2) in mind when you weigh the risk of failure. If a software firewall fails to run (for whatever reason) most likely your machine will be completely exposed. If the hardware NAT/firewall fails you will be safe (if without internet access). The software on your PC probably changes regularly. If any of those changes disables your firewall, the you might first notice when your machine is already subverted. The software in your NAT/firewall box never changes (discounting upgrades) so the chance of failure is less.Keep (3) in mind when evaluating effectiveness. Most folks with fast connections are not techies. A solution that works well and reliably for the bulk of the population is in the end far more effective.
I just tried out this floppy distro called BBIagent and it's pretty easy to setup (GPL too!). You configure it through a java window and it's much cooler then my old linksys box. I hate to say it but one of the cool features is a live graph of my incoming/outgoing. There's also way more features.
later,
ajay
PS. I'm not affiliated with them in anyway, blah blah blah...
I know several people that have had problems using these. Not counting the problems with locking up by going for an URL on some (Linksys?), most people not bothering to change the default password and service providers or users or consultants turning on (or not turning off) the web management interface on the WAN side, these devices are designed to be used by people that have no business setting up and configuring firewalls.
I've seen them directly compromised where someone broke in, changed the password AND disabled the public interface. Additionally, people and frequently small businesses stick servers behind them, whether just forwarding a port or using the DMZ option. Great, leave an patched or unpatched Windows box accessible on every port sitting there fat dumb and happy for attack. And leave it on your LAN where it can be used to stage an attack on everything else on your LAN and everyone else in the world.
Of course I've also come across Cisco routers improperly configured to DMZ an Exchange server where every port except TCP 23 was forwarded and of course, it got owned.
My point is that these devices provide a very false sense of being immune to attack and an "army of know-it-all experts" ranging from jr. high schoolers to 60 something retirees that really have little or no knowledge. Somebody sets up four of these things and they are an expert. It's like reading the first paragraph of "War and Peace" and declaring yourself an expert on Russian literature.
Sometimes they are better than nothing, but they are worse than nothing when left in their default configuration or setup in a totally insecure way,leaving the "expert" confident that they are protected.
port forwarding
d f
port triggering
dynamic routing
AOL parental controls
ftp://ftp.linksys.com/pub/manuals/befsru31_ug.p
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
The consumer level firewalls that you mention can be secure but, they can also be compromised depending on the situation. The most important issue is the proper setup and on going maintenance of any security device. You cannot hope to be secure with a "fire and forget" security solution.
The first issue is proper installation and configuration. Does the installer really know what they are doing and why? In many/most cases, the answer is no. The initial default configurations of these devices is usually very secure using a combination of NAT, which does indeed increase the level of security, and restrictive firewall rules. However, far too many people find the default configurations too restrictive for their needs and start opening holes in order to permit certain desired services like gaming. This is where the problems start. As unknowing installers open various ports or enable port forwarding or installing certain machines in "DMZ" zones the inadvertently open their systems up to the world.
The second issue is with the actual OS of the device itself. There have been a few vulnerabilities in the devices that you mention that allow for compromise of the actual firewall. I have personally found two Linksys devices that were compromised and reconfigured as open proxies for the purpose of relaying spam. The vulnerabilities were known and there were fixes available to resolve the issue but, people frequently do not know about these vulnerabilities and the firmware updates are not applied. In most cases they are never even aware that they have been compromised. Do you know how to determine if you have been compromised and how often do you check to make sure? So, regular maintenance is very important but very few ever check for, let alone install firmware updates.
The biggest issue is a true understanding of the risks and how to defend against them. I frequently see "qualified" network engineers with years of experience who still do not completely grasp the many facets of the IP protocol and how it can be used to invade a network. This does not however impact their belief that they are effectively installing and configuring firewalls of all varieties(shudder).
To answer your question directly, depending on the precise situation and the requirements of the network, a Linksys or Netgear firewall can be just as secure as a CheckPoint firewall but, all three must be configured correctly, monitored constantly and maintained regularly.
A thorough understanding of TCP/IP and its security is the most important step towards true security and this is in fact what most people lack. Look at this article asking about private IP addressing and the slew of comments that illustrate the person does not even understand subnetting. Yet, I'll wager that most of these people would not think twice about setting up a firewall and probably regard themselves as "experts" in network security.
The actual firewall is not as critical as the understanding of the firewall. Switching from Linksys to a Linux firewall isn't helpful if you don't truly understand what you are looking at with ipchains -Lvn or iptables -Lvn. In fact, if you don't truly understand the many facets of securing an IP network as well as hardening the Linux OS, you are far better off with the Linksys. At least, in the default configuration, it is more likely to be secure.
But can it do bandwidth shaping? No, and that's the killer ADSL feature if someone ever includes it in a consumer level device.
Anyway the principal is the same in both cases. Both Linux and these devices offer you a firewall and both offer you NAT and a few other features. The NAT devices offer you ease of configuration and ease of use, while Linux, BSD, or any other UNIX type OS that has built in firewalling offers you a little more control over the firewalling. AFAIK you cant deal with frag packets in these NAT devices and specify various tcp flags or things. All they do is allow or deny various types of traffic. Also you cant set them up to do DNS / mail like you could a Linux / BSD system.
In the end it is a matter of preference IMHO and affordability. If you can afford one and don't want to deal with all the updates that you'd be applying to a Linux box or BSD system then that would be the way to go.
Only 'flamers' flame!
Does slashdot hate my posts?
I have a linksys router thingy, and It sits in front of several computers and other networked home appliances (Tivo, Playstation).
It works great, never had a problem with it at all, but...
I have a linux server running on that network and traffic on port 22 is forwarded to the linux box. Add an old version of sshd and viola! Rooted.
Because I was behind that firewall though I didn't pay as much attention to the box as I should have and it took me a week to realize something was wrong.
Moral: The firewall can't protect you from yourself. You still have to be carefull behind it.
...Because
1) if you're familiar with Linux it's easy
2) Great web/SSH interface esp. to snort output
3) Works really well
4) Quick and easy to install -very flexible about DMZ configs
5) Runs nicely on a box I'd need to upgrade (need +10GB HD) to put Astaro on it. (But I might do that at some point)
hence apple airports are well worth the $50 premium you pay for them. The Apple software update will come with patches as needed for your security. You dont need to go looking, your apple will automatically get them the the moment they become available. You just have to run them. And you can be sure the apple updates will work well and not screw up your otherwise stable system. And the maintinence of the system is a freindly gui.
Some drink at the fountain of knowledge. Others just gargle.
A good firewall would mean setting up a Linux/BSD box, putting a couple NICs in it and setting it all up, right.
But 95% of the people who read a couple FAQs or books won't do it perfectly.
So the small appliances work great, as long as you can live with their limited functionality. If you just want 30 users to surf the web it'll be fine, but getting servers etc involved can be tricky with some models.
The worst thing is when they have poor security by default. We used to scan entire IP blocks, looking for open telnet ports, and we'd just use the default logins to get in. Anyone remember 'wradmin'?
You could telnet in, shut the DHCP off, or disable routing, telnet to other computers/printers inside their private networks, if it was an ISDN router you could change the dial out phone numbers...
or firewall, etc.
webpages, books w/author would be appreciated.
https://grc.com/x/ne.dll?bh0bkyd2
Steve Gibson's site has a section to test all the ports associated with your network connection. Go there, scroll down and click on 'All Service Ports' - it will tell you if your system is vulnerable.
Behind a Linksys or SMC home router, you are invisible to the rest of the world. Not sure how much better it can get than that.
Glonoinha the MebiByte Slayer
Actually you can do bandwidth shaping, but it requires physical access to the network switch and a basic knowledge of which wire goes to which computer. Oh yea, and the shaping is binary, either that computer gets some bandwidth, or it doesn't.
It is very effective, in a Pavlovian sort of way.
Glonoinha the MebiByte Slayer
I see posts telling me that I should understand my network and my device and that there are holes in security, but my question is if you've got one of these routers with remote management off, no ports forwarded, block WAN request, etc, what can anyone do?
I hear people saying, well they run Linux, and Linux is hackable. With no ports open, how is it hackable? (DoS attacks don't count and neither do trojans running inside)
-twb
How about an OpenBSD firewall? Secure by default, easy to patch, and you can actually do it all by reading the man pages and the OpenBSDFAQ. I consider myself an internediate Linux user but I was never able to get a Linux firewall up and running but OpenBSD 3.2 was simple and well laid out. The man pages spoil you w/ their easy to understand language and completeness. I've bought a few Open Source OSs' but OpenBSD was the best investment by far. Uptime is at 114 days, using about 34 megs of RAM and that's since I first got it up and running and patched.
This guy is way out there
I have Linksys BFGwhatever wireless AP / router / switch thing.
As a habit, every once in a while I go to the web sites that test your firewall for open ports - couple of the sites were aready mentioned in the discussion.
About a year ago I was surprised to see that my Linksys (that had only incoming SSH open for months) now showed Microsoft ports 13* open as well!!
I immediately flashed the sucker with Linksys firmware upgrade (which I neglected to do for long time) and reconfigured.
I have not seen this since then. Would not do attacker any good as all the boxes behind the Linksys were Linuxes.
I remember feeling like this. Safe and secure behind my impenetrable shield of carefully tweaked and tuned software and hardware firewalls/NAT routers which was continually monitored and kept up to date. Sure in the knowledge that the only incidents I would have to deal with would be caused by office staff installing the "latest aquarium screensaver" and easily contained with judicious blocking of outbound ports (ie. SMTP).
Then one day you are trying out the latest tcpdump frontend and sniff a few packets of the wire at random...
You zoom in on a few ICMP replies you captured, check out the frontends rendering of the packet header, and data, and... hey! WTF?
Fscking command line fragments embedded in unused parts of the packets! Ping is disallowed mind, these are port unavailable, throttle back etc. style ICMP packets from seemingly valid hosts.
Cut a long story short, we eventually found a trojan on one of the windows machines that would request a series of web pages in order to open the firewall to the return ICMP packets. Whacky.
I assume any and all machines may be compromised at any time now. I keep my own disguised process reporting binaries on all important machines. I basically live paranoid, but that doesn't mean I'm wrong. :)
Scuse the waxing lyrical, and meandering from 2nd to 1st person with casual aplomb. It's late here...
Q.
Insert Signature Here
I used to build Linux based NAT/Firewall machines for small businesses. One of my clients complained that their network had been (badly) compromised over the course of a week and blamed my product for this. The language he used was unacceptable even by my broad standards. After a hurried flight to his office (in another country) I noticed that nearly every PC on his network had a shiny new modem plugged into the wall. A quick check and - yes - no firewalling on any of these NT4 machines. It turned out he had been having complaints that the offices' 56kbps modem connection serviced by our NAT/Firewall box was too slow for the forty or so machines on his network to use concurrently so in an effort to save some money he had paid his daughter's boyfriend to install modems in all the office machines (rather than upgrade to DSL as I had suggested at installation time). This ham-fisted luser had set the modems up for dial-on demand then misconfigured some services that kept the lines up 24/7 allowing some script-kiddie to wreak havok on his network. My client's argument was that as our NAT/Firewall box was a security product it should have protected his network whatever other changes he made to the network and that we were liable for damages. Rather than risk talking at this juncture I simply pointed out a section in our four-page, large print, plain-english manual that was sitting, unread, on his desk - 'Under no circumstances allow computers or devices on your network a direct connection to the Internet. Using other methods of Internet access such as a modem will completely bypass the security features of our product.' I aslo helpfully drew his attention to the bit in our support contract that said 'On-site support visits related to issues arising from an inability on the part of the purchaser to read the included documentation will be billed at our consultancy rates of 150 per hour (or part thereof) including travelling time and expenses. These costs are not covered by the purchaser's support contract.' He'd started going purple by this point so I thought I'd do him a favour and warned him his next phone bill may be a wee bit high. "Oh, no problem there" he said, relaxing a little, "Dave used a free Internet Service Provider". "Ah", said I, "is that free access or free calls?" "Er" he said then called British Telecom Billing. "What's our next bill currently standing at?" he enquired politely. The next sentence was complex and largely unintelligable save from the phrases "bastard bloody bastard idiot bastard boyfriend", "so far up", "chew my toes", "bloody girl too" and the concluding "Gnnnaarrgh!" In a rare moment of BOFH compassion I made him a cup of tea at this point, coincidentally taking me across another 150-an-hour-or-part-thereof boundary. The moral of this slightly rambling story is.. 'a network is only as secure as it's dumbest user whatever NAT/Firewall you install'.
~ Better a freak than a sheep. ~
i'm still waiting for my ADSL PCI modem to use with linux NAT/Firewall box, but alas ;)
no luck. so here it is the netgear router. works flaw-less. the only crappyy thing about it is configuration via web-browser (same with HP Colorlaser 1500). when i use the browser to change the ip addresse of the netgear router, well iexplorer can't find the router anymore
i've been running a linux powered x86 box for a few years now, first an aging P-200 running LRP and now a PII 400 running RedHat8 and shorewall. all inbound connections (SSH, HTTP, FTP) are bound to certain external IP's only (3 to be exact, the IP of my friendly neighborhood linux guru, who helped me set the stuff up, the LAN party HQ (owned by same guru) and my school), likewise, all internal requests are bound to certain boxes (only HTTP goes through the gateway, even that's not on 80) FTP and SSH stop cold at the gateway. during the peak of the Blaster worm, even with near zero internet activity from lan boxes (the switch showed no activity, likewise the LAN-side NIC), the cable modem was having a field day, thankfully i have logging disabled, else i fear all those iris hits would have overwhelmed the thing's 2GB HD.
Logistical Chaos Officer http://www.slagg.org - LAN Gaming in Sarasota FL,USA
The NAT boxes will stop your garden-variety worm searching for vulnerable services on a default-configured Windows box, provided you don't open those ports.
But a lot of them support "UPNP", which allows programs on the to automatically open up ports they need. This is a great convenience, but you're now giving the keys to your network to any random Windows program. Now any trojans don't need to actively call out -- they can just open up your firewall FOR you and wait for connections. This strikes me as definitely not a good idea.
OK, I have a separate firewall, two NICs, running iptables.
The question I have is this: I have some ports open from the outside, for specific purposes (ssh, for example). Now if I'm going to have ports open, what do I need to have blocked to avoid spoofing?
For instance, I currently am blocking incoming traffic:
1) with a source IP of 127.x.x.x
2) with a source IP from inside my firewall
3) with any other non-routable source IP
What else do I need to block, before forwarding it on to the appropriate machine/port internally?
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
After scanning through the comments it struck me that one of the most important settings for security seems to be left out. On my Linksys there is a setting to make the router not pingable. This setting is one of the first and best defenses against hackers. Most will move on if they can't ping an address. I have run several security scans from Broadband Reports and have always come up clean. While not fool proof, nothing is, it's an important setting if you want to hide yourself from the rest of the net.
Comment removed based on user account deletion
Really, you don't even need a P2. I had a little P233MMX that worked fine (power consumption nominal, as was noise as it ran nicely with just a heatsink and no CPU fan).
Ah, the days when you didn't need a heatsink the size of the eiffel tower and a fan capable of running a hovercraft... old machines do just fine for Routers/NAT and save power/noise/heat too.
I've got a switched hub at home which has recently started exhibiting very bizarre behaviour, sending huge streams of packets even though the connected machines shouldn't be sending data.
Shouldn't meaning that any machine I plug (3 different OS's) into the switch and it starts a blazing trail of packets. Plug it into itself (normal port into uplink port) and it blazes away too. A reboot fixes it.
I haven't figured out the cause yet, or why... but it often seems to start with a lot of data passing through the uplink port (which is connected to the ADSL modem), making me wonder if I'm receiving some form of odd packet that causes the thing to go haywire. It's also started around the same time on two days 11:00pm+, with anytime before that having it operating without issue.
Anyone else had an issue like this... it could just by dying but otherwise I'd wonder if I can firmware upgrade my switch?
I work as a tech and I've seen several routers that come setup with a telnet and wev port open direct to the net as default. (used as access points to configure it, nobody seems to have thought to lock them to the LAN only) Many people configure their routers and leave them with the default password so if somebody port scanned and 'fingerprinted' the router they could log right into them. It's quite likely there would be too little in the embedded system to hack the internal network (I'm not expert just guessing..) but you could quite likely steal the adsl login id and password from it. So I personally don't trust any routers because you never know how much thought was put into security when building it, especially the less know small companies...
The biggest problem with hardware firewalls/NATs is the lack of configurability. Sure you can upgrade the firmware, etc. but only to a degree and it never seems to be the amount that you would like. I prefer a simple BSD box running IPFW..it's decently easy to configure and BSD seems to be significantly more stable than most flavors of Linux(no flame wars here...Linux is mostly a developers' platform where releases come out every week which inherently makes it a bit unstable for *nix(it still beats M$ hands down), while BSD is more commonly used for servers and such). Admitedly it's not as easy to configure the firewall since it doesn't have a pretty GUI but sheesh whattayawant?
0x09F911029D74E35BD84156C5635688C0