Are Consumer Firewall/NAT Boxes Really Secure?

blate asks: "Consumer-grade Firewall/NAT devices, such as those from Linksys, Netgear, D-Link, etc., have become very popular as more and more users get broadband connections. I've been using a Linksys router at home for several years and have never had any security problems. But how secure are these devices, really? The firewall guru's I know argue that a NAT really doesn't give you much beyond security-by-obscurity. What are your experiences with this (have you ever been comprimized through such a device)? Would I be better off with a Linux/ipchains firewall?"

Good, but not "plug and forget."

[Mr.+Darl+McBride]

I don't know of anyone who's been compromised, however it's worth a reminder that most of these boxes actually run an OS of some sort. We've seen that even Linux (upon which many of the Netgear and Linksys products are based) has had its kernel network exploits -- no major OS has been completely free of security problems.

It's true that Most of these units are flash upgradable, but consumer-level network gear's support lifecycle tends to be pretty damned short. It's quite likely that the company producing the hardware isn't going to be bothered to repair a product, even if it's proven to be as permeable as a sponge.

My personal take would be that these units are great, so long as you learn a little about how they work. Shoot for something that's based on Linux or another OS with public information, learn what kernel it's using, and then treat the unit just like a PC running that same release. If an exploit is announced for that version of Linux, get it off the wire until you can patch it, just like you'd do with the real PC.

Re:Good, but not "plug and forget."

[uradu]

> It's quite likely that the company producing the hardware
> isn't going to be bothered to repair a product

Now that's a platitude if ever I've seen one. What precise personal experience do you base this statement on? Linksys, Netgear and SMC certainly have a decent track record of supporting their products, sometimes well into the next few generations. Besides, most of these consumer devices are based on OEM hardware whose manufacturer usually writes the base firmware that the vendors then customize. The upshot is that even if your Linksys or SMC doesn't produce new firmware, the OEM manufacturer often does. My SMC 7004 Barricade is running firmware that provides considerably more functionality than SMC ever planned for the little box.

morph

[m0rph3us0]

NAT generally is equivalent to a firewall that disallows incoming connections. Some consumer firewalls allow a DMZ (connections made to the firewall are forwarded to the DMZ box). If you need more advanced rules than that then you need something like Linux. Personally, for a free OS based firewall I would use OpenBSD, lots of cool features. However, if you don't need more than what the consumer firewall provides it is a very cheap solution. Just keep the firmware up to date and disable the external administration.

Two things to remember

[PD]

1) You've got to keep your firewalls up to date with the rest of your software

2) Don't build a maginot line that a hacker can plow through and then discover that Paris has no more defenses. Good security is always a series of obstacles, as many obstacles that you can put in the way. Not one of them will be perfect, but enough obstacles that are sufficiently difficult will keep a hacker out. So use that Linksys router. And run a router on each box. And make sure that your subnet isn't routable or addressable from the outside. And make sure your external facing machines are firewalled from your internal network. And make sure that your patches are up to date. And scan your internal network often to make sure than no funny ports are open. And read the advisories. And run a virus scanner. And don't use Outlook for a mail client. And don't forget to use that nmap against your external network interface frequently; if that means getting an Earthlink account just for scanning your network from the outside then do it.

Re:Two things to remember

[jerde]

The Germans didn't plow through the Maginot Line, they went around it, plowing through Belgium and the Netherlands.

So always wear pants while surfing the web -- don't let hackers get at your netherlands.

- Peter

IPCop

Get an older computer, two nic's and IPCop, and you'll be good to go. It's a linux distro customized just for nat/firewall/proxy use, and it's easy even for a novice to setup. A more advancded user can, of course, customize it quite a bit. The latest version even supports traffic prioritization with just a tiny amount of work, and the next version will have a GUI for that.

Re:IPCop

[Awptimus+Prime]

I attempted to do the same thing a while back. I have an aging P2 400, 4 port ethernet card, and small HDD in the system. I figure it burns probably around 75-100 watts sitting there, plus it generates some noise.

When Compusa had a sale on those silver netgear routers, I grabbed one for ~$50. It sounded so simple, just plug it in, configure via web interface and you are done.

Then I tried to get it to work with SecuRemote VPN, and no luck. The box said in big, bold letters 'Supports VPN!'. So I dropped them an email and found they had shipped them without a VPN enabled firmware and I upgraded so it would work as advertised. The new firmware worked with my VPN client, but only one session at a time. Then it started hanging and not passing traffic every couple of hours. I'd have to reboot the thing several times a day. After reading on forums, I found the VPN firmware was buggy as all get out.

So I take it back and grab an SMC. This worked flawlessly, then started requiring a daily reboot after a couple of weeks usage. There were no firmware revisions to swap out, so I took it back to the store.

Since then, I hooked up my old P2 400 with IPCop and found it to be rock solid. It's been up for about 4 months without a reboot and, not once, have I had to trouble-shoot any problems with it.

If you get paranoid, Snort is there and simple to use via the web interface. I would definitely suggest this distro to anyone who's a Linux noob. You can download the ISO, burn it, pop it in, answer it's questions and have a very stable router running in about 30 minutes.

Yes, for security's sake OpenBSD would be a better choice, but this Linux distro will make setup much less painful. If you are concerned about security enough to point out the flaws of Linux and preach BSD, you don't need to be running this distribution anyway, as you are likely versed enough to set up your own BSD solution. In my case, I'm lazy and the ability to just grab security updates via a web interface fits my needs a bit better.

heh

[revmoo]

I personally have found a couple of exploits in my linksys router. I talked to linksys about it, after about an hour with tech support they finally said "We don't have a fix for it, I've never heard about it, but I'll forward this to our developers.

Which was the last I heard about it.

Basically, the gist of the problem was that outsiders on the internet were able to access SMB shares through the router on the internal network even though the ports were not forwarded. Even null routing those ports didn't work.

So, no, consumer NAT devices aren't really secure, but they are still an extra layer between you and "The world", which is nice if you run windows(I didn't need to worry about Blaster, or it's variants thanks to the linksys).

Re:heh

[Asprin]

"...people who can't tell the LAN cable from the WAN cable..."

The mental image I had on reading this was priceless - A dad sitting at home on the phone with a red RJ45 patch cable in one hand and a green RJ45 patch cable in the other.

"So the WAN cable is red, you say? ... hold on a second.... HONEY, GO UNPLUG THE RED EXTENSION CORD FROM THE GARAGE - SOMEONE MIGHT TRY TO HACK OUR WEEDWHACKER!"

Yeah, I know, it's early.

Cheap and easy to use!

[hbackert]

I never had any problems with off-the-shelf el-cheapo no-name home routers. I installed 4 such routers, 3 different brands in 3 companies and here at home. The latter one is a temporary solution, the other ones run for about 2 years now. No problems, except PPPoE related issues (MTU size limit and Linksys' inability to fragment them correctly, but this is an old Linksys). Even companies which wanted a more sophisticated router (Yamaha, Cisco) wanted: NAT, nothing incoming, everything outgoing. Not different from cheap home-routers.

That said, while a NATing router might not be the worlds securest solution, it's a very simple one and a pretty effective one too as long as users don't use the 'DMZ' feature, but I don't know anyone using it without knowing what it does in terms of attackability. For the money you pay, you get the ability to connect more than one computer to the Internet, and they are all no longer easily attackable. Great value for money.

Imagine a world where all users had those. Windows viruses/worms would have a much harder life to spread.

The key here is, that it's cheap and easy to use and it actually works. Compare that with a far more complicated Linux/*BSD firewall solution.

It's another layer, and more layers is good

[Zocalo]

Given that most devices on the market today come with firewalling included by default, you might as well use it! There's nothing to stop you putting a Linux/BSD based firewall behind it if you wanted too, and of course, you *do* have a personal firewall on each of the Internet connected PCs, right?

I have a routed block at home, and my basic setup is to use the embedded firewall (it's BSD running IPF as far as I can tell) to perform basic ingress/egress firewalling, DoS and portscan detection etc. and provide an Internet synched NTP server. All the firewall rule violations get sent back to a Linux box via SysLog and I also monitor network devices via SNMP. *All* my internal kit is restricted access by a local firewall; IPTables on the Linux boxes and Agnitum's excellent Outpost Pro on the Windows boxes. On top of all that, I have a slew of other stuff; TCPWrappers, a NAT'd wireless network locked down by MAC address, my switch is also locked to MACs and there is a small battery of IDS stuff running.

• That's the setup. How does it work? Very well it turns out; here are the stats for Friday:
• IP sessions blocked by gateway firewall: 4072
• IP sessions blocked by local firewalls: 0 (that's zero!)
• Probes of FTP server: 1
• Probes of HTTP server: 16 (looks like Nimda's nearly dead)
• Probes of SMTP server: 0 (that's suprising!)
• Probes of SSH server: 0 (ditto)

So, yes, it does look like these things are very effective, if you set them up properly of course!

cheap test

[DuctTape]

One cheap (i.e., no prep) test from the outside is to head over to Gibson Research's site and have it run the Shields UP scanner on your system (links at the bottom of the page). Probably rudimentary, but it'll tell you what you look like from the outside, with pretty pictures, too. It also tells you when your firewall probes them back.

And of course, for the Windows users, there's our free friend Zone Alarm to help put another layer between your machine and the bad ol' Internet.

DT

Why IPCop instead of OpenBSD

[Glasswire]

...Because

1) if you're familiar with Linux it's easy

2) Great web/SSH interface esp. to snort output

3) Works really well

4) Quick and easy to install -very flexible about DMZ configs

5) Runs nicely on a box I'd need to upgrade (need +10GB HD) to put Astaro on it. (But I might do that at some point)

Funnily enough..

[wraith0x29a]

I used to build Linux based NAT/Firewall machines for small businesses. One of my clients complained that their network had been (badly) compromised over the course of a week and blamed my product for this. The language he used was unacceptable even by my broad standards. After a hurried flight to his office (in another country) I noticed that nearly every PC on his network had a shiny new modem plugged into the wall. A quick check and - yes - no firewalling on any of these NT4 machines. It turned out he had been having complaints that the offices' 56kbps modem connection serviced by our NAT/Firewall box was too slow for the forty or so machines on his network to use concurrently so in an effort to save some money he had paid his daughter's boyfriend to install modems in all the office machines (rather than upgrade to DSL as I had suggested at installation time). This ham-fisted luser had set the modems up for dial-on demand then misconfigured some services that kept the lines up 24/7 allowing some script-kiddie to wreak havok on his network. My client's argument was that as our NAT/Firewall box was a security product it should have protected his network whatever other changes he made to the network and that we were liable for damages. Rather than risk talking at this juncture I simply pointed out a section in our four-page, large print, plain-english manual that was sitting, unread, on his desk - 'Under no circumstances allow computers or devices on your network a direct connection to the Internet. Using other methods of Internet access such as a modem will completely bypass the security features of our product.' I aslo helpfully drew his attention to the bit in our support contract that said 'On-site support visits related to issues arising from an inability on the part of the purchaser to read the included documentation will be billed at our consultancy rates of 150 per hour (or part thereof) including travelling time and expenses. These costs are not covered by the purchaser's support contract.' He'd started going purple by this point so I thought I'd do him a favour and warned him his next phone bill may be a wee bit high. "Oh, no problem there" he said, relaxing a little, "Dave used a free Internet Service Provider". "Ah", said I, "is that free access or free calls?" "Er" he said then called British Telecom Billing. "What's our next bill currently standing at?" he enquired politely. The next sentence was complex and largely unintelligable save from the phrases "bastard bloody bastard idiot bastard boyfriend", "so far up", "chew my toes", "bloody girl too" and the concluding "Gnnnaarrgh!" In a rare moment of BOFH compassion I made him a cup of tea at this point, coincidentally taking me across another 150-an-hour-or-part-thereof boundary. The moral of this slightly rambling story is.. 'a network is only as secure as it's dumbest user whatever NAT/Firewall you install'.