Slashdot Mirror

← Back to Stories (view on slashdot.org)

Are Consumer Firewall/NAT Boxes Really Secure?

Posted by Cliff on from the are-there-unexpected-holes-in-this-box dept.

blate asks: "Consumer-grade Firewall/NAT devices, such as those from Linksys, Netgear, D-Link, etc., have become very popular as more and more users get broadband connections. I've been using a Linksys router at home for several years and have never had any security problems. But how secure are these devices, really? The firewall guru's I know argue that a NAT really doesn't give you much beyond security-by-obscurity. What are your experiences with this (have you ever been comprimized through such a device)? Would I be better off with a Linux/ipchains firewall?"

6 of 166 comments (clear)

  1. IPCop by Anonymous Coward · · Score: 5, Informative

    Get an older computer, two nic's and IPCop, and you'll be good to go. It's a linux distro customized just for nat/firewall/proxy use, and it's easy even for a novice to setup. A more advancded user can, of course, customize it quite a bit. The latest version even supports traffic prioritization with just a tiny amount of work, and the next version will have a GUI for that.

    1. Re:IPCop by Awptimus+Prime · · Score: 4, Informative

      I attempted to do the same thing a while back. I have an aging P2 400, 4 port ethernet card, and small HDD in the system. I figure it burns probably around 75-100 watts sitting there, plus it generates some noise.

      When Compusa had a sale on those silver netgear routers, I grabbed one for ~$50. It sounded so simple, just plug it in, configure via web interface and you are done.

      Then I tried to get it to work with SecuRemote VPN, and no luck. The box said in big, bold letters 'Supports VPN!'. So I dropped them an email and found they had shipped them without a VPN enabled firmware and I upgraded so it would work as advertised. The new firmware worked with my VPN client, but only one session at a time. Then it started hanging and not passing traffic every couple of hours. I'd have to reboot the thing several times a day. After reading on forums, I found the VPN firmware was buggy as all get out.

      So I take it back and grab an SMC. This worked flawlessly, then started requiring a daily reboot after a couple of weeks usage. There were no firmware revisions to swap out, so I took it back to the store.

      Since then, I hooked up my old P2 400 with IPCop and found it to be rock solid. It's been up for about 4 months without a reboot and, not once, have I had to trouble-shoot any problems with it.

      If you get paranoid, Snort is there and simple to use via the web interface. I would definitely suggest this distro to anyone who's a Linux noob. You can download the ISO, burn it, pop it in, answer it's questions and have a very stable router running in about 30 minutes.

      Yes, for security's sake OpenBSD would be a better choice, but this Linux distro will make setup much less painful. If you are concerned about security enough to point out the flaws of Linux and preach BSD, you don't need to be running this distribution anyway, as you are likely versed enough to set up your own BSD solution. In my case, I'm lazy and the ability to just grab security updates via a web interface fits my needs a bit better.

  2. Cheap and easy to use! by hbackert · · Score: 4, Informative

    I never had any problems with off-the-shelf el-cheapo no-name home routers. I installed 4 such routers, 3 different brands in 3 companies and here at home. The latter one is a temporary solution, the other ones run for about 2 years now. No problems, except PPPoE related issues (MTU size limit and Linksys' inability to fragment them correctly, but this is an old Linksys). Even companies which wanted a more sophisticated router (Yamaha, Cisco) wanted: NAT, nothing incoming, everything outgoing. Not different from cheap home-routers.

    That said, while a NATing router might not be the worlds securest solution, it's a very simple one and a pretty effective one too as long as users don't use the 'DMZ' feature, but I don't know anyone using it without knowing what it does in terms of attackability. For the money you pay, you get the ability to connect more than one computer to the Internet, and they are all no longer easily attackable. Great value for money.

    Imagine a world where all users had those. Windows viruses/worms would have a much harder life to spread.

    The key here is, that it's cheap and easy to use and it actually works. Compare that with a far more complicated Linux/*BSD firewall solution.

  3. It's another layer, and more layers is good by Zocalo · · Score: 4, Informative
    Given that most devices on the market today come with firewalling included by default, you might as well use it! There's nothing to stop you putting a Linux/BSD based firewall behind it if you wanted too, and of course, you *do* have a personal firewall on each of the Internet connected PCs, right?

    I have a routed block at home, and my basic setup is to use the embedded firewall (it's BSD running IPF as far as I can tell) to perform basic ingress/egress firewalling, DoS and portscan detection etc. and provide an Internet synched NTP server. All the firewall rule violations get sent back to a Linux box via SysLog and I also monitor network devices via SNMP. *All* my internal kit is restricted access by a local firewall; IPTables on the Linux boxes and Agnitum's excellent Outpost Pro on the Windows boxes. On top of all that, I have a slew of other stuff; TCPWrappers, a NAT'd wireless network locked down by MAC address, my switch is also locked to MACs and there is a small battery of IDS stuff running.

    • That's the setup. How does it work? Very well it turns out; here are the stats for Friday:
    • IP sessions blocked by gateway firewall: 4072
    • IP sessions blocked by local firewalls: 0 (that's zero!)
    • Probes of FTP server: 1
    • Probes of HTTP server: 16 (looks like Nimda's nearly dead)
    • Probes of SMTP server: 0 (that's suprising!)
    • Probes of SSH server: 0 (ditto)
    So, yes, it does look like these things are very effective, if you set them up properly of course!
    --
    UNIX? They're not even circumcised! Savages!
  4. cheap test by DuctTape · · Score: 5, Informative
    One cheap (i.e., no prep) test from the outside is to head over to Gibson Research's site and have it run the Shields UP scanner on your system (links at the bottom of the page). Probably rudimentary, but it'll tell you what you look like from the outside, with pretty pictures, too. It also tells you when your firewall probes them back.

    And of course, for the Windows users, there's our free friend Zone Alarm to help put another layer between your machine and the bad ol' Internet.

    DT

    --
    Is this thing on? Hello?
  5. Why IPCop instead of OpenBSD by Glasswire · · Score: 4, Informative

    ...Because

    1) if you're familiar with Linux it's easy

    2) Great web/SSH interface esp. to snort output

    3) Works really well

    4) Quick and easy to install -very flexible about DMZ configs

    5) Runs nicely on a box I'd need to upgrade (need +10GB HD) to put Astaro on it. (But I might do that at some point)