Are Consumer Firewall/NAT Boxes Really Secure?

blate asks: "Consumer-grade Firewall/NAT devices, such as those from Linksys, Netgear, D-Link, etc., have become very popular as more and more users get broadband connections. I've been using a Linksys router at home for several years and have never had any security problems. But how secure are these devices, really? The firewall guru's I know argue that a NAT really doesn't give you much beyond security-by-obscurity. What are your experiences with this (have you ever been comprimized through such a device)? Would I be better off with a Linux/ipchains firewall?"

Good, but not "plug and forget."

[Mr.+Darl+McBride]

I don't know of anyone who's been compromised, however it's worth a reminder that most of these boxes actually run an OS of some sort. We've seen that even Linux (upon which many of the Netgear and Linksys products are based) has had its kernel network exploits -- no major OS has been completely free of security problems.

It's true that Most of these units are flash upgradable, but consumer-level network gear's support lifecycle tends to be pretty damned short. It's quite likely that the company producing the hardware isn't going to be bothered to repair a product, even if it's proven to be as permeable as a sponge.

My personal take would be that these units are great, so long as you learn a little about how they work. Shoot for something that's based on Linux or another OS with public information, learn what kernel it's using, and then treat the unit just like a PC running that same release. If an exploit is announced for that version of Linux, get it off the wire until you can patch it, just like you'd do with the real PC.

Two things to remember

[PD]

1) You've got to keep your firewalls up to date with the rest of your software

2) Don't build a maginot line that a hacker can plow through and then discover that Paris has no more defenses. Good security is always a series of obstacles, as many obstacles that you can put in the way. Not one of them will be perfect, but enough obstacles that are sufficiently difficult will keep a hacker out. So use that Linksys router. And run a router on each box. And make sure that your subnet isn't routable or addressable from the outside. And make sure your external facing machines are firewalled from your internal network. And make sure that your patches are up to date. And scan your internal network often to make sure than no funny ports are open. And read the advisories. And run a virus scanner. And don't use Outlook for a mail client. And don't forget to use that nmap against your external network interface frequently; if that means getting an Earthlink account just for scanning your network from the outside then do it.

IPCop

Get an older computer, two nic's and IPCop, and you'll be good to go. It's a linux distro customized just for nat/firewall/proxy use, and it's easy even for a novice to setup. A more advancded user can, of course, customize it quite a bit. The latest version even supports traffic prioritization with just a tiny amount of work, and the next version will have a GUI for that.

cheap test

[DuctTape]

One cheap (i.e., no prep) test from the outside is to head over to Gibson Research's site and have it run the Shields UP scanner on your system (links at the bottom of the page). Probably rudimentary, but it'll tell you what you look like from the outside, with pretty pictures, too. It also tells you when your firewall probes them back.

And of course, for the Windows users, there's our free friend Zone Alarm to help put another layer between your machine and the bad ol' Internet.

DT

Funnily enough..

[wraith0x29a]

I used to build Linux based NAT/Firewall machines for small businesses. One of my clients complained that their network had been (badly) compromised over the course of a week and blamed my product for this. The language he used was unacceptable even by my broad standards. After a hurried flight to his office (in another country) I noticed that nearly every PC on his network had a shiny new modem plugged into the wall. A quick check and - yes - no firewalling on any of these NT4 machines. It turned out he had been having complaints that the offices' 56kbps modem connection serviced by our NAT/Firewall box was too slow for the forty or so machines on his network to use concurrently so in an effort to save some money he had paid his daughter's boyfriend to install modems in all the office machines (rather than upgrade to DSL as I had suggested at installation time). This ham-fisted luser had set the modems up for dial-on demand then misconfigured some services that kept the lines up 24/7 allowing some script-kiddie to wreak havok on his network. My client's argument was that as our NAT/Firewall box was a security product it should have protected his network whatever other changes he made to the network and that we were liable for damages. Rather than risk talking at this juncture I simply pointed out a section in our four-page, large print, plain-english manual that was sitting, unread, on his desk - 'Under no circumstances allow computers or devices on your network a direct connection to the Internet. Using other methods of Internet access such as a modem will completely bypass the security features of our product.' I aslo helpfully drew his attention to the bit in our support contract that said 'On-site support visits related to issues arising from an inability on the part of the purchaser to read the included documentation will be billed at our consultancy rates of 150 per hour (or part thereof) including travelling time and expenses. These costs are not covered by the purchaser's support contract.' He'd started going purple by this point so I thought I'd do him a favour and warned him his next phone bill may be a wee bit high. "Oh, no problem there" he said, relaxing a little, "Dave used a free Internet Service Provider". "Ah", said I, "is that free access or free calls?" "Er" he said then called British Telecom Billing. "What's our next bill currently standing at?" he enquired politely. The next sentence was complex and largely unintelligable save from the phrases "bastard bloody bastard idiot bastard boyfriend", "so far up", "chew my toes", "bloody girl too" and the concluding "Gnnnaarrgh!" In a rare moment of BOFH compassion I made him a cup of tea at this point, coincidentally taking me across another 150-an-hour-or-part-thereof boundary. The moral of this slightly rambling story is.. 'a network is only as secure as it's dumbest user whatever NAT/Firewall you install'.