Slashdot Mirror


Are Consumer Firewall/NAT Boxes Really Secure?

blate asks: "Consumer-grade Firewall/NAT devices, such as those from Linksys, Netgear, D-Link, etc., have become very popular as more and more users get broadband connections. I've been using a Linksys router at home for several years and have never had any security problems. But how secure are these devices, really? The firewall gurus I know argue that a NAT really doesn't give you much beyond security-by-obscurity. What are your experiences with this (have you ever been compromised through such a device)? Would I be better off with a Linux/ipchains firewall?"

4 of 166 comments

  1. Re:Good, but not "plug and forget." by Mr. Darl McBride · · Score: 3, Interesting
    If your question is serious, I'll tell you this: If you buy the Cisco and are willing to pay for a support contract, then you'll never ever have to worry about downtime. This will be true no matter what the day, no matter what the hour, no matter how old the hardware.

    Linksys will ask you to ship it back and offer a replacement in 3-4 weeks.

  2. heh by revmoo · · Score: 4, Interesting

    I personally have found a couple of exploits in my Linksys router. I talked to Linksys about it, after about an hour with tech support they finally said "We don't have a fix for it, I've never heard about it, but I'll forward this to our developers."

    Which was the last I heard about it.

    Basically, the gist of the problem was that outsiders on the internet were able to access SMB shares through the router on the internal network even though the ports were not forwarded. Even null routing those ports didn't work.

    So, no, consumer NAT devices aren't really secure, but they are still an extra layer between you and "The world", which is nice if you run Windows (I didn't need to worry about Blaster, or its variants, thanks to the Linksys).

    --
    I would expect such blatant racism on Fark, but on Slashdot? Mods please ban this asshole.
  3. Not really by Halvard · · Score: 3, Interesting

    I know several people that have had problems using these. Not counting the problems with locking up by going for a URL on some (Linksys?), most people not bothering to change the default password and service providers or users or consultants turning on (or not turning off) the web management interface on the WAN side, these devices are designed to be used by people that have no business setting up and configuring firewalls.

    I've seen them directly compromised where someone broke in, changed the password AND disabled the public interface. Additionally, people and frequently small businesses stick servers behind them, whether just forwarding a port or using the DMZ option. Great, leave a patched or unpatched Windows box accessible on every port sitting there fat, dumb and happy for attack. And leave it on your LAN where it can be used to stage an attack on everything else on your LAN and everyone else in the world.

    Of course I've also come across Cisco routers improperly configured to DMZ an Exchange server where every port except TCP 23 was forwarded and of course, it got owned.

    My point is that these devices provide a very false sense of being immune to attack and an "army of know-it-all experts" ranging from jr. high schoolers to 60 something retirees that really have little or no knowledge. Somebody sets up four of these things and they are an expert. It's like reading the first paragraph of "War and Peace" and declaring yourself an expert on Russian literature.

    Sometimes they are better than nothing, but they are worse than nothing when left in their default configuration or set up in a totally insecure way, leaving the "expert" confident that they are protected.

  4. Good reasons to buy an Apple Airport by goombah99 · · Score: 3, Interesting
    As has been noted, these routers are not plug and forget. You do need to apply patches. You need to know your new drivers will work with whatever version of OS and other software you are using. And frankly you need a friendly GUI interface so you know you aren't doing something stupid when you infrequently have to remember how to maintain your system.

    Hence Apple Airports are well worth the $50 premium you pay for them. The Apple software update will come with patches as needed for your security. You don't need to go looking, your Apple will automatically get them the moment they become available. You just have to run them. And you can be sure the Apple updates will work well and not screw up your otherwise stable system. And the maintenance of the system is a friendly GUI.

    --
    Some drink at the fountain of knowledge. Others just gargle.