Slashdot Mirror


Are Consumer Firewall/NAT Boxes Really Secure?

blate asks: "Consumer-grade Firewall/NAT devices, such as those from Linksys, Netgear, D-Link, etc., have become very popular as more and more users get broadband connections. I've been using a Linksys router at home for several years and have never had any security problems. But how secure are these devices, really? The firewall gurus I know argue that a NAT really doesn't give you much beyond security-by-obscurity. What are your experiences with this (have you ever been compromised through such a device)? Would I be better off with a Linux/ipchains firewall?"
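The question above turns on what a consumer NAT box actually does with an unsolicited inbound packet. The following is an added example, not code from the original post or from any router vendor: a toy connection-tracking model in which only traffic that first left the LAN creates a translation entry, so an inbound packet with no matching entry (and no explicit port forward) is dropped. All IP addresses, ports and the "forwards" table are constructed for the demonstration; the filtering rule modelled here (remote address and port must match the entry) is an assumption, and real devices vary in how strictly they match.

```python
# Toy model of a stateful consumer NAT box (constructed example; not a real product's code).
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Connection-tracking key: (public port on the box, remote ip, remote port).
Key = Tuple[int, str, int]


@dataclass
class NatBox:
    public_ip: str
    next_port: int = 40000
    # Filled ONLY by traffic that left the LAN first; this is the whole "protection".
    table: Dict[Key, Tuple[str, int]] = field(default_factory=dict)
    # Explicit port forwards (public dst_port -> (lan_ip, lan_port)). Each one is a hole.
    forwards: Dict[int, Tuple[str, int]] = field(default_factory=dict)
    dropped: List[Packet] = field(default_factory=list)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: reuse or allocate a public port and remember the mapping."""
        for (pub_port, rip, rport), (lip, lport) in self.table.items():
            if (lip, lport, rip, rport) == (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port):
                return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)
        pub_port = self.next_port
        self.next_port += 1
        self.table[(pub_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: deliver only via an existing mapping or an explicit forward."""
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.table:
            lan_ip, lan_port = self.table[key]
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        if pkt.dst_port in self.forwards:
            lan_ip, lan_port = self.forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        # No state, no forward: the packet has nowhere to go, so it is dropped.
        self.dropped.append(pkt)
        return None


def direct_modem_host(pkt: Packet, host_ip: str) -> Optional[Packet]:
    """A LAN PC with its own modem sits on the Internet directly: nothing filters it."""
    return pkt if pkt.dst_ip == host_ip else None


def demo() -> Dict[str, bool]:
    """Walk through the scenarios the thread discusses; all values are constructed."""
    nat = NatBox(public_ip="203.0.113.10")
    results: Dict[str, bool] = {}

    # 1. A LAN PC browses a web site; the box allocates public port 40000.
    nat.outbound(Packet("192.168.1.20", 51000, "198.51.100.5", 80))
    # 2. The web site's reply matches the entry and reaches the PC.
    results["reply_delivered"] = nat.inbound(Packet("198.51.100.5", 80, "203.0.113.10", 40000)) is not None
    # 3. An unsolicited probe at a file-sharing port has no entry and is dropped.
    results["scan_139"] = nat.inbound(Packet("192.0.2.99", 4444, "203.0.113.10", 139)) is not None
    # 4. A probe at the in-use public port from a different remote is also dropped in this model.
    results["scan_40000"] = nat.inbound(Packet("192.0.2.99", 4444, "203.0.113.10", 40000)) is not None
    # 5. A port forward is exactly as exposed as a directly connected host.
    nat.forwards[3389] = ("192.168.1.30", 3389)
    results["forwarded_3389"] = nat.inbound(Packet("192.0.2.99", 4444, "203.0.113.10", 3389)) is not None
    # 6. A PC with its own modem (dial-up address 192.0.2.150) receives the probe untouched.
    results["modem_host_139"] = direct_modem_host(Packet("192.0.2.99", 4444, "192.0.2.150", 139), "192.0.2.150") is not None
    return results


if __name__ == "__main__":
    for name, delivered in demo().items():
        print(f"{name:18s} {'DELIVERED' if delivered else 'dropped'}")
```

The point the model makes is the one the "security by obscurity" argument misses: the box is not hiding hosts, it is refusing packets for which it holds no state. That protection evaporates for any port you forward and for any machine that reaches the Internet by another path, which is the failure mode the longer comment below describes.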

5 of 166 comments

  1. Re:Two things to remember by jerde · · Score: 4, Funny

    The Germans didn't plow through the Maginot Line, they went around it, plowing through Belgium and the Netherlands.

    So always wear pants while surfing the web -- don't let hackers get at your netherlands.

    - Peter

    --
    INsigNIFICANT
  2. Re:heh by Asprin · · Score: 4, Funny

    "...people who can't tell the LAN cable from the WAN cable..."

    The mental image I had on reading this was priceless - A dad sitting at home on the phone with a red RJ45 patch cable in one hand and a green RJ45 patch cable in the other.

    "So the WAN cable is red, you say? ... hold on a second.... HONEY, GO UNPLUG THE RED EXTENSION CORD FROM THE GARAGE - SOMEONE MIGHT TRY TO HACK OUR WEEDWHACKER!"


    Yeah, I know, it's early.

    --
    "Lawyers are for sucks."
    - Doug McKenzie
  3. Re:Good, but not "plug and forget." by Glonoinha · · Score: 2, Funny

    -And here I am, subscribed to a half-dozen newsgroups!

    The answers you seek are probably not going to be found in A.B.P.E.*

    --
    Glonoinha the MebiByte Slayer
  4. Re:rubbish, my $10 linksys has all sorts of featur by Glonoinha · · Score: 2, Funny

    Actually you can do bandwidth shaping, but it requires physical access to the network switch and a basic knowledge of which wire goes to which computer. Oh yeah, and the shaping is binary, either that computer gets some bandwidth, or it doesn't.

    It is very effective, in a Pavlovian sort of way.

    --
    Glonoinha the MebiByte Slayer
  5. Funnily enough.. by wraith0x29a · · Score: 5, Funny

    I used to build Linux based NAT/Firewall machines for small businesses. One of my clients complained that their network had been (badly) compromised over the course of a week and blamed my product for this. The language he used was unacceptable even by my broad standards. After a hurried flight to his office (in another country) I noticed that nearly every PC on his network had a shiny new modem plugged into the wall. A quick check and - yes - no firewalling on any of these NT4 machines. It turned out he had been having complaints that the office's 56kbps modem connection serviced by our NAT/Firewall box was too slow for the forty or so machines on his network to use concurrently so in an effort to save some money he had paid his daughter's boyfriend to install modems in all the office machines (rather than upgrade to DSL as I had suggested at installation time). This ham-fisted luser had set the modems up for dial-on-demand then misconfigured some services that kept the lines up 24/7 allowing some script-kiddie to wreak havoc on his network. My client's argument was that as our NAT/Firewall box was a security product it should have protected his network whatever other changes he made to the network and that we were liable for damages. Rather than risk talking at this juncture I simply pointed out a section in our four-page, large print, plain-English manual that was sitting, unread, on his desk - 'Under no circumstances allow computers or devices on your network a direct connection to the Internet. Using other methods of Internet access such as a modem will completely bypass the security features of our product.' I also helpfully drew his attention to the bit in our support contract that said 'On-site support visits related to issues arising from an inability on the part of the purchaser to read the included documentation will be billed at our consultancy rates of 150 per hour (or part thereof) including travelling time and expenses. These costs are not covered by the purchaser's support contract.' He'd started going purple by this point so I thought I'd do him a favour and warned him his next phone bill may be a wee bit high. "Oh, no problem there" he said, relaxing a little, "Dave used a free Internet Service Provider". "Ah", said I, "is that free access or free calls?" "Er" he said then called British Telecom Billing. "What's our next bill currently standing at?" he enquired politely. The next sentence was complex and largely unintelligible save for the phrases "bastard bloody bastard idiot bastard boyfriend", "so far up", "chew my toes", "bloody girl too" and the concluding "Gnnnaarrgh!" In a rare moment of BOFH compassion I made him a cup of tea at this point, coincidentally taking me across another 150-an-hour-or-part-thereof boundary. The moral of this slightly rambling story is... 'a network is only as secure as its dumbest user whatever NAT/Firewall you install'.

    --
    ~ Better a freak than a sheep. ~