Are Consumer Firewall/NAT Boxes Really Secure?

blate asks: "Consumer-grade Firewall/NAT devices, such as those from Linksys, Netgear, D-Link, etc., have become very popular as more and more users get broadband connections. I've been using a Linksys router at home for several years and have never had any security problems. But how secure are these devices, really? The firewall guru's I know argue that a NAT really doesn't give you much beyond security-by-obscurity. What are your experiences with this (have you ever been comprimized through such a device)? Would I be better off with a Linux/ipchains firewall?"

Good, but not "plug and forget."

[Mr.+Darl+McBride]

I don't know of anyone who's been compromised, however it's worth a reminder that most of these boxes actually run an OS of some sort. We've seen that even Linux (upon which many of the Netgear and Linksys products are based) has had its kernel network exploits -- no major OS has been completely free of security problems.

It's true that Most of these units are flash upgradable, but consumer-level network gear's support lifecycle tends to be pretty damned short. It's quite likely that the company producing the hardware isn't going to be bothered to repair a product, even if it's proven to be as permeable as a sponge.

My personal take would be that these units are great, so long as you learn a little about how they work. Shoot for something that's based on Linux or another OS with public information, learn what kernel it's using, and then treat the unit just like a PC running that same release. If an exploit is announced for that version of Linux, get it off the wire until you can patch it, just like you'd do with the real PC.

Re:Good, but not "plug and forget."

[Mr.+Darl+McBride]

If your question is serious, I'll tell you this: If you buy the Cisco and are willing to pay for a support contract, then you'll never ever have to worry about downtime. This will be true no matter what the day, no matter what the hour, no matter how old the hardware.

Linksys will ask you to ship it back and offer a replacement in 3-4 weeks.

Re:Good, but not "plug and forget."

[uradu]

> It's quite likely that the company producing the hardware
> isn't going to be bothered to repair a product

Now that's a platitude if ever I've seen one. What precise personal experience do you base this statement on? Linksys, Netgear and SMC certainly have a decent track record of supporting their products, sometimes well into the next few generations. Besides, most of these consumer devices are based on OEM hardware whose manufacturer usually writes the base firmware that the vendors then customize. The upshot is that even if your Linksys or SMC doesn't produce new firmware, the OEM manufacturer often does. My SMC 7004 Barricade is running firmware that provides considerably more functionality than SMC ever planned for the little box.

morph

[m0rph3us0]

NAT generally is equivalent to a firewall that disallows incoming connections. Some consumer firewalls allow a DMZ (connections made to the firewall are forwarded to the DMZ box). If you need more advanced rules than that then you need something like Linux. Personally, for a free OS based firewall I would use OpenBSD, lots of cool features. However, if you don't need more than what the consumer firewall provides it is a very cheap solution. Just keep the firmware up to date and disable the external administration.

Two things to remember

[PD]

1) You've got to keep your firewalls up to date with the rest of your software

2) Don't build a maginot line that a hacker can plow through and then discover that Paris has no more defenses. Good security is always a series of obstacles, as many obstacles that you can put in the way. Not one of them will be perfect, but enough obstacles that are sufficiently difficult will keep a hacker out. So use that Linksys router. And run a router on each box. And make sure that your subnet isn't routable or addressable from the outside. And make sure your external facing machines are firewalled from your internal network. And make sure that your patches are up to date. And scan your internal network often to make sure than no funny ports are open. And read the advisories. And run a virus scanner. And don't use Outlook for a mail client. And don't forget to use that nmap against your external network interface frequently; if that means getting an Earthlink account just for scanning your network from the outside then do it.

Re:Two things to remember

[jerde]

The Germans didn't plow through the Maginot Line, they went around it, plowing through Belgium and the Netherlands.

So always wear pants while surfing the web -- don't let hackers get at your netherlands.

- Peter

IPCop

Get an older computer, two nic's and IPCop, and you'll be good to go. It's a linux distro customized just for nat/firewall/proxy use, and it's easy even for a novice to setup. A more advancded user can, of course, customize it quite a bit. The latest version even supports traffic prioritization with just a tiny amount of work, and the next version will have a GUI for that.

Re:IPCop

[Awptimus+Prime]

I attempted to do the same thing a while back. I have an aging P2 400, 4 port ethernet card, and small HDD in the system. I figure it burns probably around 75-100 watts sitting there, plus it generates some noise.

When Compusa had a sale on those silver netgear routers, I grabbed one for ~$50. It sounded so simple, just plug it in, configure via web interface and you are done.

Then I tried to get it to work with SecuRemote VPN, and no luck. The box said in big, bold letters 'Supports VPN!'. So I dropped them an email and found they had shipped them without a VPN enabled firmware and I upgraded so it would work as advertised. The new firmware worked with my VPN client, but only one session at a time. Then it started hanging and not passing traffic every couple of hours. I'd have to reboot the thing several times a day. After reading on forums, I found the VPN firmware was buggy as all get out.

So I take it back and grab an SMC. This worked flawlessly, then started requiring a daily reboot after a couple of weeks usage. There were no firmware revisions to swap out, so I took it back to the store.

Since then, I hooked up my old P2 400 with IPCop and found it to be rock solid. It's been up for about 4 months without a reboot and, not once, have I had to trouble-shoot any problems with it.

If you get paranoid, Snort is there and simple to use via the web interface. I would definitely suggest this distro to anyone who's a Linux noob. You can download the ISO, burn it, pop it in, answer it's questions and have a very stable router running in about 30 minutes.

Yes, for security's sake OpenBSD would be a better choice, but this Linux distro will make setup much less painful. If you are concerned about security enough to point out the flaws of Linux and preach BSD, you don't need to be running this distribution anyway, as you are likely versed enough to set up your own BSD solution. In my case, I'm lazy and the ability to just grab security updates via a web interface fits my needs a bit better.

Do you have the time?

[pillohead]

You don't gain much by using a dedicated computer, just more complexity and knowledge. While you do get to customize and tweak a computer far more than the little firewall/nat routers you also run the risk of misconfiguring it and making it worse than no firewall at all.

It all boils down to this, what you rather spend more of? Time or money? I use freebsd with natd/ipfw it's great for me, but I did it for the learning experience.

Depends on the application!

[Lacertus]

Back when I was still in High School, I was lucky enough to land a job as the network admin of a small business, consisting of about 30 people or so. The entire shop was Open Source/Free software because cost was a major concern and that was what I was most experienced in (I basically did everything from running the copper across the ceiling to building the [admittedly crappy] webpage).

That being as it may, I was relatively inexperienced with ipTables, and honestly didn't know my ass from my forhead when it came to admin-ing. As such, I deployed one of the cheaper netgear firewalls; and to great success, I might add. Though it caused some isolated problems, it did its job and protected our network. Thus I can say I was happy with its performance.

As I've progressed in my techy career, I moved from such 'off-the-shelf' solutions, to building my own (extensive) iptables ruleset, to actually engineering my own 'blackbox' devices - these self-engineered devices were a product of my more ingenious years in college.

Well, this ramble can be summarized thus: "depends upon your application." Yes, Netgear et. al. produce a decent, well designed product. These solutions don't often attract much attention from the geek crowd due to their boilerplate nature, but they are function.

Now maintaining a rather massive network of thousands of people, I put my trust in a standalone, (sometimes) load-balanced front end consisting of an old x86 box running OpenBSD. The ruleset I carry with me is the product of several years of gradual modification, and is the best solution available (IMO).

heh

[revmoo]

I personally have found a couple of exploits in my linksys router. I talked to linksys about it, after about an hour with tech support they finally said "We don't have a fix for it, I've never heard about it, but I'll forward this to our developers.

Which was the last I heard about it.

Basically, the gist of the problem was that outsiders on the internet were able to access SMB shares through the router on the internal network even though the ports were not forwarded. Even null routing those ports didn't work.

So, no, consumer NAT devices aren't really secure, but they are still an extra layer between you and "The world", which is nice if you run windows(I didn't need to worry about Blaster, or it's variants thanks to the linksys).

Re:heh

[cicadia]

Why would you call tech support about that sort of thing?

Linksys has an email address, security@linksys.com set up so that you can report things like this. Tech support is for people who can't tell the LAN cable from the WAN cable, or need to be told to power-cycle their routers.

And if you don't hear anything back for a while after emailing them there, try posting it to Bugtraq -- that'll get their attention, if nothing else.

Re:heh

[Asprin]

"...people who can't tell the LAN cable from the WAN cable..."

The mental image I had on reading this was priceless - A dad sitting at home on the phone with a red RJ45 patch cable in one hand and a green RJ45 patch cable in the other.

"So the WAN cable is red, you say? ... hold on a second.... HONEY, GO UNPLUG THE RED EXTENSION CORD FROM THE GARAGE - SOMEONE MIGHT TRY TO HACK OUR WEEDWHACKER!"

Yeah, I know, it's early.

Linux/Ipchains isn't very good either

[TheLink]

ipchains is stateless. iptables is ok.

As for consumer NAT boxes? Well they're a lot harder to attack if they are done even half-baked. Coz NAT creates a fair number of barriers against inbound connections - an inbound packet needs to match an entry in the tables to go in to the right address/port pair behind. Unless there's a major screw up in the table matching bit, where is a packet going to go if there's no matching entry?

Maybe if they cut a few corners with DNS packets then the attacker could try sending spoofed DNS packets to trick people to go to a custom webmail site. Thing is, an attacker needing to have a site means leaving a bigger trail and the site can usually be shut down.

The usual holes in NAT are usually in handling NAT unfriendly protocols like FTP, H.323, IRC-DCC and so on. In fact if the box doesn't handle these its probably safer, so what if you lose a few features - Joe Schmoe doesn't even know about FTP, and really Joe Schmoe not being able to DCC files from someone (and stupidly run them) is a feature.

The other potential vulns are DoS - crashing the box - exploiting a box could be harder if it uses microprocessors which the attacker can't be bothered to get access to and figure out (most are script kiddies).

In all I think they are a good thing - such cheap firewalls significantly raise the barriers of entry to the masses.

Cheap and easy to use!

[hbackert]

I never had any problems with off-the-shelf el-cheapo no-name home routers. I installed 4 such routers, 3 different brands in 3 companies and here at home. The latter one is a temporary solution, the other ones run for about 2 years now. No problems, except PPPoE related issues (MTU size limit and Linksys' inability to fragment them correctly, but this is an old Linksys). Even companies which wanted a more sophisticated router (Yamaha, Cisco) wanted: NAT, nothing incoming, everything outgoing. Not different from cheap home-routers.

That said, while a NATing router might not be the worlds securest solution, it's a very simple one and a pretty effective one too as long as users don't use the 'DMZ' feature, but I don't know anyone using it without knowing what it does in terms of attackability. For the money you pay, you get the ability to connect more than one computer to the Internet, and they are all no longer easily attackable. Great value for money.

Imagine a world where all users had those. Windows viruses/worms would have a much harder life to spread.

The key here is, that it's cheap and easy to use and it actually works. Compare that with a far more complicated Linux/*BSD firewall solution.

My Experience

[Ratbert42]

I've run the following firewall/host setups:

Linux (Redhat 6.1-ish?) firewall/occasional web and ftp server with a mix of Windows clients. The Linux machine was never compromised but it did begin crashing on a regular basis, I believe due to DoS attacks of an unknown form. I retired this box due to the crashes.

OpenBSD (3.0?) replaced this box with the same client load. No problems and no compromises, but keeping up with patches, particularly rebuilding the kernel, was a pain on such a slow machine.

Linksys box replaced that in the same environment. Again no compromises, but still no services really exposed. The lack of configurability compared to Linux/OpenBSD boxes was a pain.

Current setup of 3 static IP's, 2 with Linksys boxes protecting web/dns servers and 1 with a DLink WAP/NAT firewall box protecting client boxes. The servers (1 OpenBSD 3.3 and 1 Windows 2000) have had no compromises and the Linksys boxes have given me no problems at all. The DLink box is a pain because it apparently drops idle tcp connections after about 5 minutes. It's much more configurable than the Linksys boxes though. Still no compromises through the DLink firewall either.

So in short, I've never had a compromise through any firewall, hardware or unix-ish box. The only compromise I've had (except the DoS crashes on the Linux firewall) was a trojan from a downloaded piece of software.

It's another layer, and more layers is good

[Zocalo]

Given that most devices on the market today come with firewalling included by default, you might as well use it! There's nothing to stop you putting a Linux/BSD based firewall behind it if you wanted too, and of course, you *do* have a personal firewall on each of the Internet connected PCs, right?

I have a routed block at home, and my basic setup is to use the embedded firewall (it's BSD running IPF as far as I can tell) to perform basic ingress/egress firewalling, DoS and portscan detection etc. and provide an Internet synched NTP server. All the firewall rule violations get sent back to a Linux box via SysLog and I also monitor network devices via SNMP. *All* my internal kit is restricted access by a local firewall; IPTables on the Linux boxes and Agnitum's excellent Outpost Pro on the Windows boxes. On top of all that, I have a slew of other stuff; TCPWrappers, a NAT'd wireless network locked down by MAC address, my switch is also locked to MACs and there is a small battery of IDS stuff running.

• That's the setup. How does it work? Very well it turns out; here are the stats for Friday:
• IP sessions blocked by gateway firewall: 4072
• IP sessions blocked by local firewalls: 0 (that's zero!)
• Probes of FTP server: 1
• Probes of HTTP server: 16 (looks like Nimda's nearly dead)
• Probes of SMTP server: 0 (that's suprising!)
• Probes of SSH server: 0 (ditto)

So, yes, it does look like these things are very effective, if you set them up properly of course!

cheap test

[DuctTape]

One cheap (i.e., no prep) test from the outside is to head over to Gibson Research's site and have it run the Shields UP scanner on your system (links at the bottom of the page). Probably rudimentary, but it'll tell you what you look like from the outside, with pretty pictures, too. It also tells you when your firewall probes them back.

And of course, for the Windows users, there's our free friend Zone Alarm to help put another layer between your machine and the bad ol' Internet.

DT

NAT's stop outside connections in...

[WoTG]

but the best trojans make OUTGOING connections to IRC or other systems. So, assuming that your NAT functions as advertised, your network is protected from all remote attacks. However, if an internal machine gets a virus or trojan through email or installing bugged software, you still have a serious security problem. NAT's by default, let internal machines make any connections to the outside that they want.

So, turn on or add a firewall if you really are concerned. Not that that's a 100% solution either...

Effectiveness of consumer NAT/firewall boxes

[pbannister]

I too have wondered if there were any exploits for consumer NAT/firewall boxes. Judging from posts so far, it would seem that at least there are none known :).

I started using the Linksys cable/routers when they first came out. I have insisted that all my neighbors, friends, and family with fast connections use a Linksys box (or similar).

There are a few points to bear in mind:

1. Most crack attempts are from brain-dead script kiddies.
2. Hardware firewalls fail-safe, where software firewalls fail-unsafe.
3. You don't want your average folk running only a software firewall.

Observation (1) comes from running with both a Linux and Windows box exposed directly to the Internet. Both boxes had all unnecessary ports closed, were up-to-date on all patches, and carefully monitored. Neither machine was ever compromised. Periodic review of the logs showed a remarkable lack of intelligence on the part of the attacker. Practically all the activity was from a small number of popular crack-of-the-month scripts. Tracing the attacks back to their source - and getting the script kiddie kicked off their account - was seldom difficult.

So practically speaking, we don't have to worry about ultra-sophisticated attacks. The vast majority of script kiddies lack the needed intelligence.

Keep (2) in mind when you weigh the risk of failure. If a software firewall fails to run (for whatever reason) most likely your machine will be completely exposed. If the hardware NAT/firewall fails you will be safe (if without internet access). The software on your PC probably changes regularly. If any of those changes disables your firewall, the you might first notice when your machine is already subverted. The software in your NAT/firewall box never changes (discounting upgrades) so the chance of failure is less.

Keep (3) in mind when evaluating effectiveness. Most folks with fast connections are not techies. A solution that works well and reliably for the bulk of the population is in the end far more effective.

Not really

[Halvard]

I know several people that have had problems using these. Not counting the problems with locking up by going for an URL on some (Linksys?), most people not bothering to change the default password and service providers or users or consultants turning on (or not turning off) the web management interface on the WAN side, these devices are designed to be used by people that have no business setting up and configuring firewalls.

I've seen them directly compromised where someone broke in, changed the password AND disabled the public interface. Additionally, people and frequently small businesses stick servers behind them, whether just forwarding a port or using the DMZ option. Great, leave an patched or unpatched Windows box accessible on every port sitting there fat dumb and happy for attack. And leave it on your LAN where it can be used to stage an attack on everything else on your LAN and everyone else in the world.

Of course I've also come across Cisco routers improperly configured to DMZ an Exchange server where every port except TCP 23 was forwarded and of course, it got owned.

My point is that these devices provide a very false sense of being immune to attack and an "army of know-it-all experts" ranging from jr. high schoolers to 60 something retirees that really have little or no knowledge. Somebody sets up four of these things and they are an expert. It's like reading the first paragraph of "War and Peace" and declaring yourself an expert on Russian literature.

Sometimes they are better than nothing, but they are worse than nothing when left in their default configuration or setup in a totally insecure way,leaving the "expert" confident that they are protected.

Re:um

Practially nothing gets past NAT

You can create packets that a NAT will convieniently route to it translated LAN. We frequently see packets that are addressed to the 192.168.0.x range on the LAN. Really cool, especially given that folks seldom change the default address ranges. Kids, if you didn't know this, try it -- it's a good time!

NetGear ProSafe firewalls are the better bet as they are true stateful packet inspection firewalls. Of course, with great power comes great responsibility.

Firewall tips:
1. Don't run your firewall on the same box as your web server or anything else for that matter. You don't want a CGI or mail exploit allowing an intruder to change your firewall rules
2. Block/Log outgoing ports such as SMTP to see if machines on your network are sending mail when they shouldn't be. Always block/log SSH, Telnet, FTP, TFTP, HTTP (high ports too)
3. Make it difficult. If a server doesn't need DNS for outgoing connections, don't configure DNS on the machine. Only install what is absolute necessary to run whatever daemons you may be running
4. Never allow PING
5. Never assign a Default DMZ
6. If your firewall is a NAT type, run a software firewall on your desktops (http://www.zonelabs.com has one free for personal use
7. Use a non-standard IP address range for your LAN
8. Log everything and review daily
9. Don't run Kazaa, Weatherbug, Gator, blah, blah, blah -- Use spybot or pest patrol to keep clean.
10. Windows machines should always be updated. ...there's plenty more that can be done.

(Former BH now WH)

Why IPCop instead of OpenBSD

[Glasswire]

...Because

1) if you're familiar with Linux it's easy

2) Great web/SSH interface esp. to snort output

3) Works really well

4) Quick and easy to install -very flexible about DMZ configs

5) Runs nicely on a box I'd need to upgrade (need +10GB HD) to put Astaro on it. (But I might do that at some point)

Good reasons to buy an Apple Airport

[goombah99]

As has been noted these routers are not plug and forget. YOu do need to apply patches . you need to know your new drivers will work with what ever version of OS and other software you are using. And frankly you need a freindly GUI interface so you know you aren't doing something stupid when you infrequently have to remember how to maintain your system.

hence apple airports are well worth the $50 premium you pay for them. The Apple software update will come with patches as needed for your security. You dont need to go looking, your apple will automatically get them the the moment they become available. You just have to run them. And you can be sure the apple updates will work well and not screw up your otherwise stable system. And the maintinence of the system is a freindly gui.

They're good, but...

[vasqzr]

A good firewall would mean setting up a Linux/BSD box, putting a couple NICs in it and setting it all up, right.

But 95% of the people who read a couple FAQs or books won't do it perfectly.

So the small appliances work great, as long as you can live with their limited functionality. If you just want 30 users to surf the web it'll be fine, but getting servers etc involved can be tricky with some models.

The worst thing is when they have poor security by default. We used to scan entire IP blocks, looking for open telnet ports, and we'd just use the default logins to get in. Anyone remember 'wradmin'?

You could telnet in, shut the DHCP off, or disable routing, telnet to other computers/printers inside their private networks, if it was an ISDN router you could change the dial out phone numbers...

Funnily enough..

[wraith0x29a]

I used to build Linux based NAT/Firewall machines for small businesses. One of my clients complained that their network had been (badly) compromised over the course of a week and blamed my product for this. The language he used was unacceptable even by my broad standards. After a hurried flight to his office (in another country) I noticed that nearly every PC on his network had a shiny new modem plugged into the wall. A quick check and - yes - no firewalling on any of these NT4 machines. It turned out he had been having complaints that the offices' 56kbps modem connection serviced by our NAT/Firewall box was too slow for the forty or so machines on his network to use concurrently so in an effort to save some money he had paid his daughter's boyfriend to install modems in all the office machines (rather than upgrade to DSL as I had suggested at installation time). This ham-fisted luser had set the modems up for dial-on demand then misconfigured some services that kept the lines up 24/7 allowing some script-kiddie to wreak havok on his network. My client's argument was that as our NAT/Firewall box was a security product it should have protected his network whatever other changes he made to the network and that we were liable for damages. Rather than risk talking at this juncture I simply pointed out a section in our four-page, large print, plain-english manual that was sitting, unread, on his desk - 'Under no circumstances allow computers or devices on your network a direct connection to the Internet. Using other methods of Internet access such as a modem will completely bypass the security features of our product.' I aslo helpfully drew his attention to the bit in our support contract that said 'On-site support visits related to issues arising from an inability on the part of the purchaser to read the included documentation will be billed at our consultancy rates of 150 per hour (or part thereof) including travelling time and expenses. These costs are not covered by the purchaser's support contract.' He'd started going purple by this point so I thought I'd do him a favour and warned him his next phone bill may be a wee bit high. "Oh, no problem there" he said, relaxing a little, "Dave used a free Internet Service Provider". "Ah", said I, "is that free access or free calls?" "Er" he said then called British Telecom Billing. "What's our next bill currently standing at?" he enquired politely. The next sentence was complex and largely unintelligable save from the phrases "bastard bloody bastard idiot bastard boyfriend", "so far up", "chew my toes", "bloody girl too" and the concluding "Gnnnaarrgh!" In a rare moment of BOFH compassion I made him a cup of tea at this point, coincidentally taking me across another 150-an-hour-or-part-thereof boundary. The moral of this slightly rambling story is.. 'a network is only as secure as it's dumbest user whatever NAT/Firewall you install'.