Slashdot Mirror


Are Consumer Firewall/NAT Boxes Really Secure?

blate asks: "Consumer-grade Firewall/NAT devices, such as those from Linksys, Netgear, D-Link, etc., have become very popular as more and more users get broadband connections. I've been using a Linksys router at home for several years and have never had any security problems. But how secure are these devices, really? The firewall gurus I know argue that a NAT really doesn't give you much beyond security-by-obscurity. What are your experiences with this (have you ever been compromised through such a device)? Would I be better off with a Linux/ipchains firewall?"

13 of 166 comments

  1. Good, but not "plug and forget." by Mr. Darl McBride · · Score: 5, Insightful
    I don't know of anyone who's been compromised, however it's worth a reminder that most of these boxes actually run an OS of some sort. We've seen that even Linux (upon which many of the Netgear and Linksys products are based) has had its kernel network exploits -- no major OS has been completely free of security problems.

    It's true that most of these units are flash upgradable, but consumer-level network gear's support lifecycle tends to be pretty damned short. It's quite likely that the company producing the hardware isn't going to be bothered to repair a product, even if it's proven to be as permeable as a sponge.

    My personal take would be that these units are great, so long as you learn a little about how they work. Shoot for something that's based on Linux or another OS with public information, learn what kernel it's using, and then treat the unit just like a PC running that same release. If an exploit is announced for that version of Linux, get it off the wire until you can patch it, just like you'd do with the real PC.

    1. Re:Good, but not "plug and forget." by uradu · · Score: 4, Insightful

      > It's quite likely that the company producing the hardware
      > isn't going to be bothered to repair a product

      Now that's a platitude if ever I've seen one. What precise personal experience do you base this statement on? Linksys, Netgear and SMC certainly have a decent track record of supporting their products, sometimes well into the next few generations. Besides, most of these consumer devices are based on OEM hardware whose manufacturer usually writes the base firmware that the vendors then customize. The upshot is that even if your Linksys or SMC doesn't produce new firmware, the OEM manufacturer often does. My SMC 7004 Barricade is running firmware that provides considerably more functionality than SMC ever planned for the little box.

    2. Re:Good, but not "plug and forget." by Glonoinha · · Score: 2, Insightful

      > We had a bad D-Link D614+, wireless access point/router, and used the credit card to "pay" for the new one to let them "immediately" ship the replacement, it still took 4 weeks to get the replacement.

      Jesus man, you are talking about a $60 piece of hardware. If your Internet connectivity is important to you, as in business grade connectivity important, just buy two and put one on the shelf. If your primary goes down go back to the parts closet and grab your spare, swap it out and you are back up and running in about 10 minutes. Assuming you wrote down the WEP generation key and other settings when you installed the first one you are bingo ready before Pizza Hut can deliver a well deserved pizza, your reward for keeping the network connected to the Net.

      If you were offline for a month, or worse yet limping along connecting a single machine directly to the cablemodem / DSL (exposed to the net with no firewall), waiting on a replacement on a $60 part ... not sure what to say here.

      --
      Glonoinha the MebiByte Slayer
  2. morph by m0rph3us0 · · Score: 4, Insightful

    NAT generally is equivalent to a firewall that disallows incoming connections. Some consumer firewalls allow a DMZ (connections made to the firewall are forwarded to the DMZ box). If you need more advanced rules than that then you need something like Linux. Personally, for a free OS based firewall I would use OpenBSD, lots of cool features. However, if you don't need more than what the consumer firewall provides it is a very cheap solution. Just keep the firmware up to date and disable the external administration.

    1. Re:morph by Lost2Home · · Score: 2, Insightful
      It is true that OpenBSD systems may be more expensive in terms of TCO than a $50 home router, but only if your time has value.

      Or if you have to pay for electricity, or if space is limited.

      The big question is whether the consumer router lets you do what you want/need with your network. The Linux/OpenBSD solution gives you the ability to do a lot of things that would otherwise require commercial grade equipment.

  3. Two things to remember by PD · · Score: 5, Insightful

    1) You've got to keep your firewalls up to date with the rest of your software

    2) Don't build a Maginot line that a hacker can plow through and then discover that Paris has no more defenses. Good security is always a series of obstacles, as many obstacles as you can put in the way. Not one of them will be perfect, but enough obstacles that are sufficiently difficult will keep a hacker out. So use that Linksys router. And run a router on each box. And make sure that your subnet isn't routable or addressable from the outside. And make sure your external facing machines are firewalled from your internal network. And make sure that your patches are up to date. And scan your internal network often to make sure that no funny ports are open. And read the advisories. And run a virus scanner. And don't use Outlook for a mail client. And don't forget to use that nmap against your external network interface frequently; if that means getting an Earthlink account just for scanning your network from the outside then do it.

  4. Do you have the time? by pillohead · · Score: 3, Insightful
    You don't gain much by using a dedicated computer, just more complexity and knowledge. While you do get to customize and tweak a computer far more than the little firewall/nat routers you also run the risk of misconfiguring it and making it worse than no firewall at all.

    It all boils down to this: what would you rather spend more of? Time or money? I use FreeBSD with natd/ipfw; it's great for me, but I did it for the learning experience.

  5. If not secure, then more reliable by BusterB · · Score: 2, Insightful

    Not to speak of security, but I have tried a couple of these small firewall boxes, a linksys and an SMC, up against Roadrunner's DHCP and SBC DSL's PPPoE connections. The biggest problems I had were that these boxes would drop connection big time if there was any kind of service ripple, and more often were unable to reconnect without restarting the box (power cycle or via the web interface). The SMC couldn't run for more than a couple of days over PPPoE without a reset.

    Both FreeBSD and Linux have proven to be much more reliable against sometimes quirky network conditions. My current machine will have a new IP address and have updated my dyndns.org entries within 30 seconds of plugging in my DSL modem.

    If you're going to get a firewall/router appliance, get one that has something like Linux or BSD at its core.

  6. NAT, meet Britney by _iris · · Score: 2, Insightful

    These "gurus" you know aren't really gurus. It seems "security-by-obscurity" is the new network security buzzword. If something obscures some piece of information, then that is suddenly its goal.

    Think about this. If you did use ipchains, what would your first and most important rule be? My answer to that question is "deny all" (for a home network anyway). A side effect of NAT's inability to automatically map incoming connections is essentially a "deny all" rule. Because you probably need more than one IP address, you'll probably use NAT anyway. Therefore, you get this "deny all" rule for free. It, of course, doesn't hurt to use a linux-based firewall in addition to the NAT machine.

    To sum it up, I wouldn't worry too much about it. It's not like anyone really wants your porn anyway :]

  7. Linux/Ipchains isn't very good either by TheLink · · Score: 3, Insightful

    ipchains is stateless. iptables is ok.

    As for consumer NAT boxes? Well they're a lot harder to attack if they are done even half-baked. Coz NAT creates a fair number of barriers against inbound connections - an inbound packet needs to match an entry in the tables to go in to the right address/port pair behind. Unless there's a major screw up in the table matching bit, where is a packet going to go if there's no matching entry?

    Maybe if they cut a few corners with DNS packets then the attacker could try sending spoofed DNS packets to trick people to go to a custom webmail site. Thing is, an attacker needing to have a site means leaving a bigger trail and the site can usually be shut down.

    The usual holes in NAT are usually in handling NAT-unfriendly protocols like FTP, H.323, IRC-DCC and so on. In fact if the box doesn't handle these it's probably safer, so what if you lose a few features - Joe Schmoe doesn't even know about FTP, and really Joe Schmoe not being able to DCC files from someone (and stupidly run them) is a feature.

    The other potential vulns are DoS - crashing the box - exploiting a box could be harder if it uses microprocessors which the attacker can't be bothered to get access to and figure out (most are script kiddies).

    In all I think they are a good thing - such cheap firewalls significantly raise the barriers of entry to the masses.

  8. NATs stop outside connections in... by WoTG · · Score: 3, Insightful

    but the best trojans make OUTGOING connections to IRC or other systems. So, assuming that your NAT functions as advertised, your network is protected from all remote attacks. However, if an internal machine gets a virus or trojan through email or installing bugged software, you still have a serious security problem. NATs, by default, let internal machines make any connections to the outside that they want.

    So, turn on or add a firewall if you really are concerned. Not that that's a 100% solution either...

  9. Re:NAT Issues by acidrain69 · · Score: 2, Insightful

    I'd like to see them try. I do tech support for one of the larger DSL co's in the US, and I couldn't imagine the outcry if they started instituting that. The only damage having a NAT does to the ISP is for the people who don't know what they are doing who call up for help to set up the NAT/router. We only support the NATs and routers that we sell; if they call up about a Linksys or a Netgear, we send them to those manufacturers.

    I remember the noise about this, but I haven't seen any ISPs take notice or do anything about it. They won't. Because as long as the customer sets it up correctly, it doesn't affect the service at ALL, the ISP has done NOTHING to give the customer more value, so they shouldn't be able to charge for it.

    --
    -- Having a Creationist Museum is like having an Atheist place of worship
  10. Words of Warning by schulzdogg · · Score: 2, Insightful

    I have a linksys router thingy, and It sits in front of several computers and other networked home appliances (Tivo, Playstation).

    It works great, never had a problem with it at all, but...

    I have a Linux server running on that network and traffic on port 22 is forwarded to the Linux box. Add an old version of sshd and voilà! Rooted.

    Because I was behind that firewall though I didn't pay as much attention to the box as I should have and it took me a week to realize something was wrong.

    Moral: The firewall can't protect you from yourself. You still have to be careful behind it.