Are Consumer Firewall/NAT Boxes Really Secure?

blate asks: "Consumer-grade Firewall/NAT devices, such as those from Linksys, Netgear, D-Link, etc., have become very popular as more and more users get broadband connections. I've been using a Linksys router at home for several years and have never had any security problems. But how secure are these devices, really? The firewall guru's I know argue that a NAT really doesn't give you much beyond security-by-obscurity. What are your experiences with this (have you ever been comprimized through such a device)? Would I be better off with a Linux/ipchains firewall?"

Good, but not "plug and forget."

[Mr.+Darl+McBride]

I don't know of anyone who's been compromised, however it's worth a reminder that most of these boxes actually run an OS of some sort. We've seen that even Linux (upon which many of the Netgear and Linksys products are based) has had its kernel network exploits -- no major OS has been completely free of security problems.

It's true that Most of these units are flash upgradable, but consumer-level network gear's support lifecycle tends to be pretty damned short. It's quite likely that the company producing the hardware isn't going to be bothered to repair a product, even if it's proven to be as permeable as a sponge.

My personal take would be that these units are great, so long as you learn a little about how they work. Shoot for something that's based on Linux or another OS with public information, learn what kernel it's using, and then treat the unit just like a PC running that same release. If an exploit is announced for that version of Linux, get it off the wire until you can patch it, just like you'd do with the real PC.

Re:Good, but not "plug and forget."

[uradu]

> It's quite likely that the company producing the hardware
> isn't going to be bothered to repair a product

Now that's a platitude if ever I've seen one. What precise personal experience do you base this statement on? Linksys, Netgear and SMC certainly have a decent track record of supporting their products, sometimes well into the next few generations. Besides, most of these consumer devices are based on OEM hardware whose manufacturer usually writes the base firmware that the vendors then customize. The upshot is that even if your Linksys or SMC doesn't produce new firmware, the OEM manufacturer often does. My SMC 7004 Barricade is running firmware that provides considerably more functionality than SMC ever planned for the little box.

morph

[m0rph3us0]

NAT generally is equivalent to a firewall that disallows incoming connections. Some consumer firewalls allow a DMZ (connections made to the firewall are forwarded to the DMZ box). If you need more advanced rules than that then you need something like Linux. Personally, for a free OS based firewall I would use OpenBSD, lots of cool features. However, if you don't need more than what the consumer firewall provides it is a very cheap solution. Just keep the firmware up to date and disable the external administration.

Two things to remember

[PD]

1) You've got to keep your firewalls up to date with the rest of your software

2) Don't build a maginot line that a hacker can plow through and then discover that Paris has no more defenses. Good security is always a series of obstacles, as many obstacles that you can put in the way. Not one of them will be perfect, but enough obstacles that are sufficiently difficult will keep a hacker out. So use that Linksys router. And run a router on each box. And make sure that your subnet isn't routable or addressable from the outside. And make sure your external facing machines are firewalled from your internal network. And make sure that your patches are up to date. And scan your internal network often to make sure than no funny ports are open. And read the advisories. And run a virus scanner. And don't use Outlook for a mail client. And don't forget to use that nmap against your external network interface frequently; if that means getting an Earthlink account just for scanning your network from the outside then do it.

Do you have the time?

[pillohead]

You don't gain much by using a dedicated computer, just more complexity and knowledge. While you do get to customize and tweak a computer far more than the little firewall/nat routers you also run the risk of misconfiguring it and making it worse than no firewall at all.

It all boils down to this, what you rather spend more of? Time or money? I use freebsd with natd/ipfw it's great for me, but I did it for the learning experience.

Linux/Ipchains isn't very good either

[TheLink]

ipchains is stateless. iptables is ok.

As for consumer NAT boxes? Well they're a lot harder to attack if they are done even half-baked. Coz NAT creates a fair number of barriers against inbound connections - an inbound packet needs to match an entry in the tables to go in to the right address/port pair behind. Unless there's a major screw up in the table matching bit, where is a packet going to go if there's no matching entry?

Maybe if they cut a few corners with DNS packets then the attacker could try sending spoofed DNS packets to trick people to go to a custom webmail site. Thing is, an attacker needing to have a site means leaving a bigger trail and the site can usually be shut down.

The usual holes in NAT are usually in handling NAT unfriendly protocols like FTP, H.323, IRC-DCC and so on. In fact if the box doesn't handle these its probably safer, so what if you lose a few features - Joe Schmoe doesn't even know about FTP, and really Joe Schmoe not being able to DCC files from someone (and stupidly run them) is a feature.

The other potential vulns are DoS - crashing the box - exploiting a box could be harder if it uses microprocessors which the attacker can't be bothered to get access to and figure out (most are script kiddies).

In all I think they are a good thing - such cheap firewalls significantly raise the barriers of entry to the masses.

NAT's stop outside connections in...

[WoTG]

but the best trojans make OUTGOING connections to IRC or other systems. So, assuming that your NAT functions as advertised, your network is protected from all remote attacks. However, if an internal machine gets a virus or trojan through email or installing bugged software, you still have a serious security problem. NAT's by default, let internal machines make any connections to the outside that they want.

So, turn on or add a firewall if you really are concerned. Not that that's a 100% solution either...