Are Consumer Firewall/NAT Boxes Really Secure?

blate asks: "Consumer-grade Firewall/NAT devices, such as those from Linksys, Netgear, D-Link, etc., have become very popular as more and more users get broadband connections. I've been using a Linksys router at home for several years and have never had any security problems. But how secure are these devices, really? The firewall guru's I know argue that a NAT really doesn't give you much beyond security-by-obscurity. What are your experiences with this (have you ever been comprimized through such a device)? Would I be better off with a Linux/ipchains firewall?"

Good, but not "plug and forget."

[Mr.+Darl+McBride]

I don't know of anyone who's been compromised, however it's worth a reminder that most of these boxes actually run an OS of some sort. We've seen that even Linux (upon which many of the Netgear and Linksys products are based) has had its kernel network exploits -- no major OS has been completely free of security problems.

It's true that Most of these units are flash upgradable, but consumer-level network gear's support lifecycle tends to be pretty damned short. It's quite likely that the company producing the hardware isn't going to be bothered to repair a product, even if it's proven to be as permeable as a sponge.

My personal take would be that these units are great, so long as you learn a little about how they work. Shoot for something that's based on Linux or another OS with public information, learn what kernel it's using, and then treat the unit just like a PC running that same release. If an exploit is announced for that version of Linux, get it off the wire until you can patch it, just like you'd do with the real PC.

Re:Good, but not "plug and forget."

[uradu]

> It's quite likely that the company producing the hardware
> isn't going to be bothered to repair a product

Now that's a platitude if ever I've seen one. What precise personal experience do you base this statement on? Linksys, Netgear and SMC certainly have a decent track record of supporting their products, sometimes well into the next few generations. Besides, most of these consumer devices are based on OEM hardware whose manufacturer usually writes the base firmware that the vendors then customize. The upshot is that even if your Linksys or SMC doesn't produce new firmware, the OEM manufacturer often does. My SMC 7004 Barricade is running firmware that provides considerably more functionality than SMC ever planned for the little box.

morph

[m0rph3us0]

NAT generally is equivalent to a firewall that disallows incoming connections. Some consumer firewalls allow a DMZ (connections made to the firewall are forwarded to the DMZ box). If you need more advanced rules than that then you need something like Linux. Personally, for a free OS based firewall I would use OpenBSD, lots of cool features. However, if you don't need more than what the consumer firewall provides it is a very cheap solution. Just keep the firmware up to date and disable the external administration.

Two things to remember

[PD]

1) You've got to keep your firewalls up to date with the rest of your software

2) Don't build a maginot line that a hacker can plow through and then discover that Paris has no more defenses. Good security is always a series of obstacles, as many obstacles that you can put in the way. Not one of them will be perfect, but enough obstacles that are sufficiently difficult will keep a hacker out. So use that Linksys router. And run a router on each box. And make sure that your subnet isn't routable or addressable from the outside. And make sure your external facing machines are firewalled from your internal network. And make sure that your patches are up to date. And scan your internal network often to make sure than no funny ports are open. And read the advisories. And run a virus scanner. And don't use Outlook for a mail client. And don't forget to use that nmap against your external network interface frequently; if that means getting an Earthlink account just for scanning your network from the outside then do it.