Slashdot Mirror


D-Link Apologizes For Router Security

Mark Wilson writes D-Link has issued an apology to its customers for an ongoing security issue with many of its routers. A problem with the Home Network Administration Protocol (HNAP) means that it is possible to bypass authorization and run commands with escalated privileges. The list of routers affected by the issue is fairly lengthy, and D-Link has already issued one patch. But rather than fixing the problem, last week's update left routers wide open to exactly the same problem. As it stands at the moment, a firmware patch is still being produced for a total of 17 routers. In the meantime, all D-Link has to offer is an apology. While unhelpful patches have already been issued, D-Link is currently working away on replacement firmware updates. The release dates for these patches are not yet set in stone, but some are due today (20 April), some tomorrow (21 April) and the remainder on 24 April.

107 comments

  1. Words without actions are meaningless by TWX · · Score: 4, Insightful

    An apology doesn't really mean anything in this case, does it?

    --
    Do not look into laser with remaining eye.
    1. Re:Words without actions are meaningless by gstoddart · · Score: 5, Insightful

      Depends on how we define "mean anything".

      "We're sorry we have sold you shitty products but won't fix it" is just PR.

      "We're sorry we've sold you shitty products but will replace it at our expense" is actually doing something.

      I suspect this is one of those corporate apologies designed to say "fuck you, but thanks for playing, hopefully we've minimized the fallout of writing shitty products by issuing a half-assed apology".

      I'm hoping the absence of my DIR-615 isn't "we're sorry to tell you we made a shitty product and forgot to check if it was vulnerable".

      I keep saying, corporations should have some liability for implementing terrible security. Especially for a product whose job it is to be a firewall.

      --
      Lost at C:>. Found at C.
    2. Re:Words without actions are meaningless by ron_ivi · · Score: 3, Insightful

      "We're sorry we've sold you shitty products but will replace it at our expense" is actually doing something.

      The ideal response in my mind would be: "We're sorry - so here's how to unlock the boot-loader and here are third-party open source firmware providers that we tested for you."

    3. Re:Words without actions are meaningless by Anonymous Coward · · Score: 0

      The DIR-615 IS a shitty product and even D-Link figures it isn't worth the time to fix only one issue with it - as something else will break anyway if they did

    4. Re:Words without actions are meaningless by Anonymous Coward · · Score: 1

      I keep saying, corporations should have some liability for implementing terrible security. Especially for a product whose job it is to be a firewall.

      It's not a firewall. It's a router.

      I'm not defending D-Link in any way. But it is extremely important to know the difference. These devices do not offer much in the way of security. NAT is not a security measure.

    5. Re:Words without actions are meaningless by Anonymous Coward · · Score: 0

      You observe correctly that NAT is not a security feature. Congrats, far too many people don't get that. That said, and making no guarantees that the following is true for D-Link products, most routers include firewall functionality, i.e. they come with the stateful packet filter in the Linux kernel enabled and configured.

    6. Re:Words without actions are meaningless by Stewie241 · · Score: 1

      http://www.devttys0.com/wp-con...

      I don't know if that is the same issue or not.

    7. Re:Words without actions are meaningless by ruir · · Score: 2

      Firewall and Linksys does not compute.

    8. Re:Words without actions are meaningless by epyT-R · · Score: 1

      Well, if it's running Linux, it's probably using netfilter so it probably does have a firewall... at least a drop policy with dynamically opened ports for established/related connections. NAT's security is from the fact that the RFC 1918 hosts' addresses are not directly routable, but that's about it. It does not replace a firewall.

    9. Re:Words without actions are meaningless by LordLimecat · · Score: 2

      NAT provides implicit security, even if it is not explicit. Being on an unroutable subnet means there's really nothing an intruder can do to get to your PC short of static port mappings.

    10. Re:Words without actions are meaningless by Anonymous Coward · · Score: 0

      It's not a firewall. It's a router.

      The setup page has a "Firewall Settings" section. If it's not a firewall then it is fraud.
      Fraud is far worse than incompetence.

    11. Re:Words without actions are meaningless by Ravaldy · · Score: 2

      I worked for D-Link for over 7 years. The major issue has always been software, same as with most low-cost products. The competitors were also plagued with some of these issues because they used the same H/W and software with a different plastic case and different looking web interface. So chances are that not just D-Link has these issues but possibly Retail+, SOHO, and many of the other off brands you see at Wal-Mart, Best Buy and Staples.

      When I worked there, the biggest issue was competitors launching products before standards were ratified. This almost always resulted in rushed firmware and hardware which was a big issue for both D-Link and its competitors. Around 2003 a smart individual convinced the company to create a North American QC team. This team was comprised of people that had worked in technical support as well as technology experts. The results were much better products released in the US and Canada. Regardless, these types of security issues would not have been caught in QC due to their complex nature and the limited amount of resources available to the QC team.

      Nobody can ever tell me a PR apology is sincere since it's all about saving face but what do I really care about an apology? What matters is that the company issues a fix for the current issue and makes internal changes to avoid future issues.

    12. Re:Words without actions are meaningless by Anonymous Coward · · Score: 0

      Don't speak of things you don't understand. Unless the packet filter is enabled and configured, NAT in a typical Linux based router does not prevent someone on the external interface from talking to any port and any host on the internal network, not even if the internal network uses RFC 1918 addresses (including the usual 192.168.x.x addresses.) If you are considering to refute this claim, please read up on the topic first, lest you make an idiot of yourself in public.

    13. Re:Words without actions are meaningless by Anonymous Coward · · Score: 0

      Don't speak of things you don't understand. Unless the packet filter is enabled and configured, NAT in a typical Linux based router does not prevent someone on the external interface from talking to any port and any host on the internal network, not even if the internal network uses RFC 1918 addresses (including the usual 192.168.x.x addresses.) If you are considering to refute this claim, please read up on the topic first, lest you make an idiot of yourself in public.

      When you find me a consumer who knows what the fuck a packet filter is, THEN I'll believe they are tasked with ensuring it is enabled and configured.

      Until then, realize the only idiot here is you, for assuming vendors would actually sell a NAT box configured no better than dumb-ass Linux kiddies who think they're smart enough to roll their own.

      They're not.

    14. Re:Words without actions are meaningless by Anonymous Coward · · Score: 0
    15. Re:Words without actions are meaningless by LordLimecat · · Score: 3, Informative

      I understand these things quite well, as I wouldn't be in the field if I didn't. NAT provides some degree of security in the sense that if you are on an IPv4 network (99% of home users) on an RFC 1918 network (99% of home users) with NAT enabled, it is impossible for anyone to send an unsolicited datagram to your computer behind the NAT.

      There are technologies which punch holes in this (like uPnP), but that does not change the implicit security.

      NAT in a typical Linux based router does not prevent someone on the external interface from talking to any port and any host on the internal network

      Then you have a static port mapping. Generally to get through the NAT you need to know the public IP and port (out of 65536) you want to connect to, which is dynamically assigned. Then you need to deal with the fact that anything you send is going to be pinned to a specific client port not of your choosing, and you will not know the correct source port to get the client to accept your unsolicited datagram (which will thence be dropped).

      I never said it was perfect security, but it prevents folks from accessing listening ports (like 135-139) as a listener port won't have a dynamic mapping-- only outbound traffic gets those.

      But you seem to think I'm wrong, so educate me. Let's set up a scenario.

      Gateway Public: 1.2.1.1
      Gateway private: 192.168.50.1
      Windows XP box: 192.168.50.5

      No firewalls, NAT on the gateway, Windows XP listening on port 135-139.
      What Layer 3/4 headers are you going to use that's gonna get a packet delivered to one of those 4 ports on that XP box?

    16. Re:Words without actions are meaningless by Anonymous Coward · · Score: 0

      Don't correct people if it's just gonna make you look like an ignorant ass.

      http://www.cisco.com/c/en/us/s...

      Q. What is NAT?

      A. Network Address Translation (NAT) is designed for IP address conservation. It enables private IP networks that use unregistered IP addresses to connect to the Internet. NAT operates on a router, usually connecting two networks together, and translates the private (not globally unique) addresses in the internal network into legal addresses, before packets are forwarded to another network.

      As part of this capability, NAT can be configured to advertise only one address for the entire network to the outside world. This provides additional security by effectively hiding the entire internal network behind that address. NAT offers the dual functions of security and address conservation and is typically implemented in remote-access environments.

    17. Re:Words without actions are meaningless by Anonymous Coward · · Score: 0

      You'd think people would be more cautious when they've been warned explicitly, but no, you won't even consider not being right.

      route add -net 192.168.50.0 netmask 255.255.255.0 gw 1.2.1.1
      smbclient -L 192.168.50.5

      If you don't understand why that works, I suggest you actually start reading up on the topic this time. I leave figuring out who can do it like that as an exercise to the reader. No, it's not a rare scenario.

      Anyone who thinks NAT prevents ingress connections fundamentally misunderstands the purpose of NAT as well as its effect and typical implementation.

    18. Re:Words without actions are meaningless by LordLimecat · · Score: 4, Informative

      For starters, I have read up on it, and many many vendors agree that it IS security.
      Sources:
      Cisco (Top 2 paragraphs of intro)
      http://www.cisco.com/web/about...
      SANS institute (Page 5, 2nd paragraph)

      And so on.

      As to your solution, it has a massive issue. Route tables must use next hops as their gateway; you could not enter a command like that targeting my WAN, and have it work, because my WAN IP would not be a next hop for your computer. The only thing your route table can do is instruct your computer which IP on your broadcast domain will be willing to handle your datagrams. At that point, it is up to that router to figure out the next hops.

      You will note I asked you what the L3 / L4 headers would be on your packet; this was specifically to demonstrate why such attacks would fail. You would have a source address of 9.9.9.9, and a destination of 192.168.50.5, and you would instruct your computer to pass that datagram off to a router at ethernet address 99:99:99:99:99:99 (your router), and he would promptly vomit and say "what the hell I can't route an RFC1918". Add the route on your router, and you've shoved the issue back to your ISP, whose router would either fail to find a route for that subnet, or (more likely) outright reject it as a violation of RFC.

      The only scenario in which this attack makes sense is when the attacker IS the next hop, that is your ISP. And for 99.999% of users, this is not a realistic threat model they will face, and NAT will be "acceptable" security.

      No one argues that a stateful firewall is BETTER (as it prevents attacks like you mentioned), but to say that NAT adds no security whatsoever is being silly; major infrastructure vendors disagree with you.

    19. Re:Words without actions are meaningless by Em+Adespoton · · Score: 1

      NAT adds security the same way that the two sets of doors into a shopping mall add security -- an extra layer people have to get through while on their way in/out. They both actually stop absolutely nothing, but they provide another point of defense, and a bit more clarity if something odd is going on.

      Of course, that's pretty much meaningless if you don't have a security guard *inside* your NAT. Don't expect some random shopper to report the shoplifter/vandal. And the fact that they're a shoplifter/vandal instead of a "potential" shoplifter/vandal means that your other built-in defenses already failed.

    20. Re:Words without actions are meaningless by Anonymous Coward · · Score: 0

      Look, the moderators agree with you. Idiots all around. The following distinction is important: The "security" you attribute to NAT does not come from NAT, it comes from using "private" addresses. You could do that without NAT (by using proxies) and get exactly the same benefits (and drawbacks). Actually that would be more secure because then you'd get away with disabling IP forwarding, which would automatically close the hole I demonstrated.

      Packet filters are enabled and configured in most routers, but with just NAT and no filtering, the described attack would be possible in a number of scenarios which are not rare at all, including personal routers in hotels and dorms. Cable is a shared medium as well. Besides, why do you trust your ISP not to snoop around on your network? Source routing shouldn't work anywhere, but it is a possibility as well. In some of these cases, the attack depends on misconfigurations, but these things happen, and NAT does jack shit to prevent the attack then. In fact it doesn't get involved at all. The router receives the packet, looks up the route, and forwards the packet to the internal network. Same for the response. It works exactly the same with or without NAT enabled, no special headers on any layers necessary. The only job an attacker has is to get the packets to the external interface of your router with target addresses on your internal network.

      The other aspect is that NAT isn't restricted to mapping private addresses. Let's say you're an admin at one of those companies with a public /8 network that you use for all your hosts. You agree with CISCO and want to "hide" your network behind one IP address for security reasons. Does that work without enabling the packet filter? No, that leaves every host on your network directly accessible, with no special configuration on the side of the attacker or port forwardings required at all. All routes are set up, nothing is filtered, your network is wide open. NAT does nothing.

      You're really doing people a disservice by perpetuating the myth that NAT adds security. Let's see what the state of things is on the internet. A couple of tutorials from the first page of Google results for "linux nat router tutorial":

      http://www.karlrupp.net/en/computer/nat_tutorial
      Without mentioning the need to filter incoming packets, that tutorial concludes: "A computer located in the internet is not able to establish a connection to a local computer, all he can do is address (a port of) the router and hope the best."
      Wrong, and leaves anyone who follows the tutorial vulnerable.

      https://www.howtoforge.com/nat_iptables
      Not only does this tutorial not configure the packet filter, it explicitly removes all filter rules that might have been there previously. FAIL.

      http://www.revsys.com/writings/quicktips/nat.html
      Does not set up the packet filter. Do you see the pattern?

      http://www.slashroot.in/linux-nat-network-address-translation-router-explained
      Motto: "It's better to become ROOT than Administrator" Yeah right, but being root does not deflect packets. You guessed it, this tutorial also stops as soon as NATed outgoing connections from the private network are possible.

    21. Re:Words without actions are meaningless by LordLimecat · · Score: 3, Insightful

      The "security" you attribute to NAT does not come from NAT, it comes from using "private" addresses.

      I'm pretty sure that's what I said, and no one is arguing that point. You're just insisting on being pedantic and condescending.

      Your original statement was that NAT is not security. This post of yours agrees that it is security in some shape. If we're agreeing there, then I don't think there's any reason to keep arguing. If you're disagreeing with that, I'd ask you to take it up with the links I provided and with stackexchange. I don't have the time to try to make Cisco and SANS' cases on their behalf, if you are unwilling to take their word on it.

      Besides, why do you trust your ISP not to snoop around on your network?

      Because it is an unusual attack scenario, and it would be illegal. It does happen, sure, and defending against a malicious ISP is far beyond the scope of most home security. Luckily for us every consumer OS made in the last 10 years has a stateful firewall, and every consumer router built in the last 10 years has a firewall, so it's not an issue.

      I mean good grief, 99% of home users are using the ISP provided DNS, and you're worried about probing through NAT in violation of the RFCs? DNS snooping is something that actually happens, and is actually legal. Risk assessment 101: focus on the probable threats.

      Without mentioning the need to filter incoming packets, that tutorial concludes: "A computer located in the internet is not able to establish a connection to a local computer, all he can do is address (a port of) the router and hope the best."
      Wrong, and leaves anyone who follows the tutorial vulnerable.

      As mentioned already, it is impossible in the absence of a published route to your network for someone to reliably send packets directly into a dynamically natted network. The fact that someone could splice onto your cable network is irrelevant, because at that level of effort they could probably climb in through your window and just steal all of your equipment. You're talking about extremely esoteric attacks.

      You're really doing people a disservice by perpetuating the myth that NAT adds security.

      I'm perpetuating the stance of major infrastructure vendors. Argue with them. I imagine you could contact support@cisco.com and explain why their statement that NAT fulfills a security role is incorrect.

      In the meantime I would suggest you cut the condescending attitude.

    22. Re:Words without actions are meaningless by Anonymous Coward · · Score: 0

      The "security" you attribute to NAT does not come from NAT, it comes from using "private" addresses.

      I'm pretty sure that's what I said, and no one is arguing that point. [...] Your original statement was that NAT is not security. This post of yours agrees that it is security in some shape.

      Now you're just being dense. NAT doesn't provide any security. Using private IP addresses does provide some (negligible) security, but leaves a big hole which apparently stumps a lot of people. You can do NAT without private IP addresses and vice versa. They're independent concepts.

      you're worried about probing through NAT in violation of the RFCs?

      No, I don't rely on NAT for security.

      The fact that someone could splice onto your cable network is irrelevant

      Nobody needs to splice anything. All of your neighbors' modems are on the same cable segment as yours. Everybody in the same dorm is on the same Ethernet as your router.

      In the meantime I would suggest you cut the condescending attitude.

      I'm as condescending as I want to be to people who reject demonstrable information. Ignoramuses can kiss my ass.

    23. Re:Words without actions are meaningless by LordLimecat · · Score: 1

      3 points.

      1) Security measures are measures which mitigate vulnerabilities. Mitigations can involve avoiding an issue, or reducing risk. When you take the potential pool of attackers from "the entire internet" and reduce it to "People with direct access to the link between me and my ISP", you have reduced risk. This is Security 101 stuff, its called "risk assessment".

      2) No one is suggesting NAT is the best security ever-- just that it provides some degree of security by way of mitigating some threats. Other threats it does not mitigate, and that doesn't really matter because almost no one relies exclusively on NAT anyways.

      3) I've provided sources to a number of vendors; I could easily find more. You still have yet to explain why we should toss out Cisco and SANS' explicit statements that NAT constitutes security, and trust your random internet rant. Put up, or shut up.

    24. Re:Words without actions are meaningless by Anonymous Coward · · Score: 0

      ad 1) NAT doesn't reduce risk. It doesn't prevent a single connection. That's not what it was designed to do, that's not what it was implemented to do, that's not what it does. This is demonstrable fact. It's not a matter of trust or majority vote. You can ignore this if you like, but that just makes you an ignoramus.

      ad 2) NAT doesn't prevent inbound connections. None what so fucking ever. Not a lot, not some, none. If you think it does, you're just plain wrong. Demonstrably wrong. Security isn't achieved through wishful thinking or token gestures.

      ad 3) You should toss out those statements because they're wrong. Factually wrong. You can verify that they are wrong by manually setting up a Linux NAT router and testing what goes through and what doesn't, before and after you enable NAT. You would find that NAT does not prevent a single connection, but you prefer to stick to your appeal to authority.

      Look, I set you up for failure. I knew some idiot would come along and challenge me on the "NAT is not security" thing. Someone always does, and I made sure that you were in an adversarial mood the whole time, so it was difficult for you to step back from your misconceptions. I knew how it would play out because I've done it before. But on the other hand, you made a whole list of factually wrong statements. Like this one, "it is impossible for anyone to send an unsolicited datagram to your computer behind the NAT", which I proved wrong in the very next comment. At that point you should have overcome your pride and stopped trusting what other people say, and you should have stopped arguing from your preconceptions. You should have put what you thought you knew to an actual test. Instead you stubbornly kept repeating what any rational person at that point knew was wrong. But don't worry, you're not alone. There's no shortage of people who put unshakeable faith in the mistaken belief that NAT provides security. Some of them modded you up. You can even be wrong about something like NAT and write documentation for CISCO.

    25. Re:Words without actions are meaningless by Anonymous Coward · · Score: 0

      You've also not proven anything at all...

      You've stated a bunch of opinions with no link to any real information.

      Set up NAT on a Linux box... did you read through the source? Are you aware if there are any critical flaws in it?

      I'm not educated enough on the subject to present on any side of the issue but I can tell you that if my memory serves me correctly NAT works by changing the last two digits of the mac address on the packets going out so that when they come back in the box knows which port to traffic to. This being said, that is some level of security even if infinitely small.

      Your argument is like saying a deadbolt is considered securing your door because the right key will unlock it. Yes the right key will and anyone could get that key/pick the lock but it's still better than no lock.

    26. Re:Words without actions are meaningless by Anonymous Coward · · Score: 0

      Last comment on this. Yes, I did prove that statement wrong as conclusively as is possible without setting up an experiment that can be witnessed in person. If you still don't understand it, you will have to do that experiment and see for yourself. That's the beauty of it: You don't have to trust me, LordLimecat or Cisco. I don't have to lend credence to my argument by attaching it to an authoritative name. You can easily verify the fact that NAT doesn't stop inbound connections.

      No flaw in the NAT code is necessary. If it works completely as designed, it still doesn't stop any inbound connections. Why would it? That's not what it's meant to do.

      Your education regarding the way NAT works is indeed lacking (to put it mildly). You should change that.

      Don't tell me what my argument is like if you understand neither the topic nor my argument.

    27. Re:Words without actions are meaningless by LordLimecat · · Score: 1

      Then go get a job at Cisco or SANS as their chief security engineer, because you clearly know better than them.

      I mean, hey, what would Cisco know. They're just the folks behind the PIX, the first device to support NAT.

    28. Re:Words without actions are meaningless by LordLimecat · · Score: 1

      I can tell you that if my memory serves me correctly NAT works by changing the last two digits of the mac address on the packets going out so that when they come back in the box knows which port to traffic to.

      That's not really what it does, though it's sort of close.

      NAT covers a large number of different scenarios; the specific one we are discussing is known as Source NAT, or dynamic NAT (or PAT, in the Cisco world).

      In this scenario you have a range of private IP addresses that are not publicly routable, and a single publicly routable WAN IP address to be shared among those private hosts. Each IP packet sent will have a source IP, source port, destination IP, and destination port. The router takes each outbound packet, tears down the layer 2, 3, (and possibly 4) headers, and re-writes the "source" port and IP address using a "pool" of NAT IPs and ports. It forwards the rewritten packet on, and stores in a table the mapping of the private host's IP and source port to the NAT IP/port. Return packets matching that pair of NAT IP/port will be translated (rewritten) to target the private host that originally sent them.

      The argument being made is that technically this mechanism does not, in itself, identify and block unsolicited traffic-- which is correct. Technically if you were to guess a mapped pair, you could sneak an unsolicited packet through; if I've opened a connection to Google, (my private IP: 192.168.50.5) and my NAT'd IP/port is "5.5.5.5 / 5238", ANYONE could send a packet to that pair and it should get forwarded through.

      In reality, there are problems with this that make it difficult to do, the most obvious being that the private host will simply reject that packet as it does not match an active TCP connection that it recognizes. Additionally, this does not work with listening services (which will not have a PAT mapping, as they aren't generally initiating connections), and if there are no active conversations no one on the internet will be able to get their traffic to the private host as the router simply won't have any active NAT mappings-- it won't know what to do with the unsolicited traffic, and will dump it.

      The "attack" being described is simply to set up a static route on your machine which tells it "ah, but _I_ know how to get to 192.168.50.5-- it's through 5.5.5.5!". This could work, as indeed the router would know how to handle the 192.168.50.5 address; the problem is that no other router on the internet will accept a packet destined for that IP address, and you can't just tell those routers how to route the packet. So this attack only works if you are right next to your target-- either their ISP, or some hacker who is on the same cable drop as your neighborhood.

      This is why I call it security: if you have no other firewall, NAT (of the sort we mean when discussing consumer routers) will at least ensure that no geographically removed attackers can access your private network, simply by virtue of every other router on the internet refusing to carry the traffic.

      The real crux of this argument is that the AC is being pedantic and obnoxious, and conflating static NAT (his iptables examples) with the sort of NAT found on every consumer firewall. If someone is setting up an iptables NAT, they almost certainly are aware of what doing a default policy of ACCEPT will do: it will remove any sort of filtering and all security. But that's not what the context of the conversation was, which is why there's a disagreement here.
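      The source-NAT mechanism laid out in the comment above, and the "tutorials stop at MASQUERADE" point raised earlier in the thread, as an added Python model that is not part of the Slashdot discussion or any vendor's code. It assumes constructed addresses (a 5.5.5.5 WAN address, the thread's 192.168.50.0/24 LAN, documentation-range peers) and reduces the router to two questions: is there a NAT mapping, and is there a stateful filter on the forward path.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import itertools

LAN = ip_network("192.168.50.0/24")   # private side, as in the thread's scenario
WAN_IP = "5.5.5.5"                    # router's single public address (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    """Minimal model of a consumer router doing source NAT with port translation.

    stateful_filter=False models a box with ip_forward enabled and only a
    MASQUERADE rule (what the tutorials criticised in the thread leave you with).
    stateful_filter=True models a FORWARD chain whose policy is DROP plus an
    ESTABLISHED,RELATED accept rule (what a consumer "firewall" adds on top).
    """

    def __init__(self, stateful_filter: bool):
        self.stateful_filter = stateful_filter
        self.nat = {}            # (WAN_IP, wan_port) -> (lan_ip, lan_port)
        self.reverse = {}        # (lan_ip, lan_port) -> wan_port
        self.flows = set()       # (wan_port, peer_ip, peer_port) seen outbound
        self._ports = itertools.count(40000)   # constructed NAT port pool

    def from_lan(self, pkt: Packet) -> Packet:
        """Outbound packet: rewrite the source to the WAN address and a pool
        port, and remember the mapping so the reply can be rewritten back."""
        key = (pkt.src, pkt.sport)
        if key not in self.reverse:
            port = next(self._ports)
            self.reverse[key] = port
            self.nat[(WAN_IP, port)] = key
        wan_port = self.reverse[key]
        self.flows.add((wan_port, pkt.dst, pkt.dport))
        return Packet(WAN_IP, wan_port, pkt.dst, pkt.dport)

    def from_wan(self, pkt: Packet):
        """Inbound packet: return what is delivered to the LAN, or None if dropped."""
        if pkt.dst == WAN_IP:
            # Addressed to the router itself: only a NAT mapping can carry it inside.
            target = self.nat.get((pkt.dst, pkt.dport))
            if target is None:
                return None   # no mapping for this port: nowhere to send it
            if self.stateful_filter and (pkt.dport, pkt.src, pkt.sport) not in self.flows:
                return None   # mapping exists, but this peer was never contacted
            lan_ip, lan_port = target
            return Packet(pkt.src, pkt.sport, lan_ip, lan_port)
        if ip_address(pkt.dst) in LAN:
            # Addressed straight to a private host. NAT plays no part here;
            # the packet is simply routed, so only the filter can stop it.
            if self.stateful_filter:
                return None   # no ESTABLISHED/RELATED state -> FORWARD policy DROP
            return pkt        # forwarded unchanged into the LAN
        return None           # neither for the router nor for its LAN


def scenarios(stateful_filter: bool) -> dict:
    """Run the thread's cases against one router configuration."""
    r = NatRouter(stateful_filter)
    # 1. A LAN host opens a connection to a public server; the router maps it.
    out = r.from_lan(Packet("192.168.50.5", 51000, "198.51.100.10", 443))
    return {
        "outbound": out,
        # 2. The legitimate reply to that mapping is translated back.
        "reply": r.from_wan(Packet("198.51.100.10", 443, WAN_IP, out.sport)),
        # 3. A third party hits the mapped pair (the comment's "sneak a packet
        #    through"); with no filter the router forwards it, and it is then up
        #    to the host's TCP stack to reject it.
        "guessed_mapping": r.from_wan(Packet("203.0.113.7", 12345, WAN_IP, out.sport)),
        # 4. A packet to a WAN port with no mapping at all: dropped either way.
        "unmapped": r.from_wan(Packet("203.0.113.7", 12345, WAN_IP, 40001)),
        # 5. A packet that already carries a private destination when it reaches
        #    the WAN interface (the next-hop case debated in the thread).
        "direct_to_private": r.from_wan(Packet("203.0.113.7", 12345, "192.168.50.5", 139)),
    }
```

      Case 5 is the one the two sides talk past each other on: the NAT table is never consulted, so only the `stateful_filter` flag decides whether port 139 on the private host is reachable.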

    29. Re:Words without actions are meaningless by Anonymous Coward · · Score: 0

      conflating static NAT (his iptables examples) with the sort of NAT found on every consumer firewall

      No. I'm talking about exactly the same kind of NAT that you are talking about, except I know what it doesn't do. Try it yourself (and I mean an actual experiment, not just thinking about what might happen), you might learn something. I don't expect you to come here and admit that you were wrong, but if it stops you from spreading misinformation, I'm good. On the first page of Google results, more than half the tutorials for setting up a NAT router leave people with a configuration that allows inbound connections into their entire LAN. If it takes pedantry to get it right, I'm happy to be pedantic.

    30. Re:Words without actions are meaningless by Anonymous Coward · · Score: 0

      Thanks,

      I don't know a whole lot but I do know a bit... I do know that it will prevent unsolicited traffic from the wan port into the lan section as long as the connection was not already open from the lan side.

      There are also cases of nat behind nat (we use it at work a lot) and that's basically just a shit show to say the least... basically nothing gets through unless you poke the hole first.

      While I would not say it's the best security it's most likely better than having your machine plugged directly to the modem. That being said it's one of those cases where security via obscurity is kind of a false sense of security. I read a bit on it and found a website that kind of explains it in easier terms but I'm sure they don't explain all the details.

      Yes NAT would leave you vulnerable to attacks from the same network segment as long as your machine has made a request for outside information. That being said if I have one router and set one machine behind it as a proxy and all my machines go via the proxy would this prevent attacks from reaching any other host on my lan except for the proxy? (Only machine that would have made a request for an external connection to the wan?)

      I know this is not the ideal setup but I'm really just curious to know if NAT is broken by default or only broken when you access something on the other side of it.

    31. Re:Words without actions are meaningless by Anonymous Coward · · Score: 0

      I do know that it will prevent unsolicited traffic from the wan port into the lan section as long as the connection was not already open from the lan side.

      Then you're still in lala-land. It doesn't do that.

    32. Re:Words without actions are meaningless by LordLimecat · · Score: 1

      If you want to run a test, I will turn off my stateful firewall and give you my current WAN address, and the private IP of a host running a web server; the test would be to see whether you are able to determine what the text of that webserver is.

      You won't be able to, however, because as we all know no ISP in the world is going to route your packet because the destination address will be RFC1918-- not because they're good guy ISPs, but because they can't. This proves the point: The use of NAT-- even in the absence of a firewall-- removes you from the pool of potential attackers, along with anyone not living in the same geographical area as me.

      On the first page of Google results, more than half the tutorials for setting up a NAT router leave people with a configuration that allows inbound connections into their entire LAN.

      That's not my deal. People shouldn't rely on NAT solely; I do not disagree. Stateful firewalls are a dime a dozen. But your constant statement that NAT has no security value whatsoever is clearly incorrect.

      You don't fight ignorance with half-truths. You can combat incorrect configurations by saying "yea, this is better than nothing, but it's extremely poor practice in any case."

      I don't admit I'm wrong, not because I'm stubborn, but because the security value given by NAT is affirmed by several vendors, none of whom dispute the potential vulnerability you present, but who nevertheless would mark NAT as a part of a security strategy alongside a firewall. If you want me to reject everything I know about routing, and public / private addressing, and everything these vendors are saying, you need to come in here with a lot more than a simple experiment that won't work on the production internet.

    33. Re:Words without actions are meaningless by LordLimecat · · Score: 1

      I do know that it will prevent unsolicited traffic from the wan port into the lan section as long as the connection was not already open from the lan side.

      This is not entirely correct, and is his entire point. Someone who is directly connected to the WAN of your router COULD access a port on the inside by manually supplying a route to your private network.

      The security value of NAT is that WAN hosts do not generally have a way of routing traffic to your internal private subnet. However, if an attacker had control of every router between them and you, they could manually set up a route into your network.

      In that sense he is correct: NAT doesn't provide any guarantees, because hypothetically a hacker could first hack your ISP, and set up static routes to your internal NATted network, and then directly access your internal network remotely.

      The reason I continue to say it IS security is because NO security measures are absolute, and security is about layering to reduce risk. Taking the set of attackers from "Everyone on the internet" to some subset of that is an increase in security.

      To demonstrate how this all works, let's use the following:

      Your private network:
      Computer: 192.168.50.5 (listening on port 80)
      Router: 192.168.50.1

      WAN:
      Your router: 1.1.1.1
      Your ISP's router: 1.1.1.2
      My ISP's router: 9.9.9.2
      My router: 9.9.9.1

      If I wanted to access your computer, and you had no active connections, I would be unable to: your router would not automatically map any connections to 192.168.50.5, so any connections to 1.1.1.1 / port 80 would just get discarded with your router saying "WTF am I supposed to do with this?". However, if a packet arrived at your router addressed to 192.168.50.5 directly, your router would happily pass that packet on through.

      The security here comes from the fact that if my router addresses a packet to 192.168.50.5, it will not know where to send it and will drop it. If I added a manual route to my router saying "packets to 192.168.50.5 go to 9.9.9.2", it will route it to my ISP's router-- who won't know where to send it, and will drop it (I believe it will send a "no route to host" ICMP message). Similarly, traceroute 192.168.50.5 will give "no route to host".

      In order for me to break into your network, I would need to take control of both ISP routers (9.9.9.2 and 1.1.1.2), and add a manual route indicating how to route those packets (or modify the OSPF or BGP configuration to distribute those routes). The spec around private addressing in general is where the real security comes from, as it indicates that proper behavior is to not route packets addressed to a private RFC1918 address on the internet.

      NAT isn't broken; it isn't designed as a security function, but as a way of stretching addresses. Its ability to hide network details is somewhat of a side effect of that, and that provides the security function-- but it's much simpler to just set up a stateful firewall than to set up NAT if all you care about is security.

      * RFC1918-- in case this term isn't clear, it refers to non-routable subnets which are not tracked by the public internet addressing authority (IANA). These subnets are what most consumer routers come preconfigured with:
        + 10.0.0.0 - 10.255.255.255 (10/8 prefix)
        + 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
        + 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

    34. Re:Words without actions are meaningless by Anonymous Coward · · Score: 0

      Configure your router and local PC without NAT and without a firewall:

      Your private network:
      Computer: 192.168.50.5 (listening on port 80)
      Router: 192.168.50.1

      WAN:
      Your router: 1.1.1.1
      Your ISP's router: 1.1.1.2

      You can run a proxy on the router so that you can get on the internet from your computer if you want to, it doesn't make a difference with regard to the following all-else-equal comparison. Again, no NAT. Make a note of the possible connections.

      Now enable NAT. ("iptables -t nat ... -j MASQUERADE"). Note that absolutely nothing changes with regard to inbound connections. Every connection that was possible without NAT is still possible with NAT.

      Now, for completeness' sake, get a routable subnet for your LAN and configure your computer and router accordingly, but no NAT or firewall. Again, make a note of possible connections.

      Now enable NAT, and again note that NAT does not prevent a single inbound connection, because that's not what it's meant to do. You can believe CISCO and any number of tutorials on NAT and people who want NAT for IPv6, etc., or you can make this experiment and understand that NAT doesn't protect your network from any inbound connections at fucking all. What you say NAT does is entirely down to using private IP addresses, which is not NAT.
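Added example, not code from any poster in this thread: a small Python model of the topology in comment 33 and of the with/without-NAT comparison in comment 34. The router names, the `build`, `forward` and `scenarios` functions, and the simplification that ISP routers carry only public prefixes (no default route) are my own assumptions; the model shows that MASQUERADE leaves inbound forwarding unchanged, that what stops a packet addressed to 192.168.50.5 is the absence of a route upstream, and that once such a route exists only a stateful firewall on your router drops it.

```python
import ipaddress
from dataclasses import dataclass, field

IPv4, Net = ipaddress.IPv4Address, ipaddress.IPv4Network


@dataclass
class Router:
    name: str
    wan_addr: str
    routes: dict                 # Net -> next-hop router name, or "LAN" for a directly attached host
    wan_peers: set               # names of the neighbours on the WAN side
    nat: bool = False            # MASQUERADE: rewrite flows leaving via the WAN
    stateful_fw: bool = False    # drop WAN packets that belong to no flow opened from inside
    # Flows opened from inside, as (inside_ip, remote_ip). NAT and the stateful
    # firewall both consult this table; it is the only state MASQUERADE keeps.
    conntrack: set = field(default_factory=set)

    def lookup(self, dst):
        """Longest-prefix match; None means this router has no idea where dst lives."""
        hits = [(net, nh) for net, nh in self.routes.items() if dst in net]
        return max(hits, key=lambda h: h[0].prefixlen, default=None)


def forward(topology, first_hop, src, dst):
    """Carry one packet hop by hop starting at router `first_hop`; returns (outcome, path)."""
    src, dst = IPv4(src), IPv4(dst)
    path, prev, cur = [], None, first_hop
    while True:
        r = topology[cur]
        path.append(cur)
        from_wan = prev in r.wan_peers
        if from_wan and dst == IPv4(r.wan_addr):
            # Addressed to the router's own public address (the thread's "1.1.1.1 / port 80").
            # MASQUERADE only un-translates replies to flows an inside host opened.
            inside = [i for i, remote in r.conntrack if remote == str(src)]
            if r.nat and inside:
                dst = IPv4(inside[0])
            else:
                return "handled by the router itself, no mapping to an inside host", path
        if r.stateful_fw and from_wan and (str(dst), str(src)) not in r.conntrack:
            return f"dropped by stateful firewall at {cur}", path
        hit = r.lookup(dst)
        if hit is None:
            return f"no route to host at {cur}", path
        if hit[1] == "LAN":
            path.append(str(dst))
            return "delivered", path
        prev, cur = cur, hit[1]


def build(home_nat=True, home_fw=False, isp_routes_to_lan=False):
    """The thread's addresses: your LAN 192.168.50.0/24 behind 1.1.1.1, me at 9.9.9.1.
    ISP routers carry only public prefixes (assumption), so an RFC1918 destination matches
    nothing unless `isp_routes_to_lan` adds the thread's hypothetical static routes."""
    lan, default = Net("192.168.50.0/24"), Net("0.0.0.0/0")
    my_extra = {lan: "your_isp"} if isp_routes_to_lan else {}
    your_extra = {lan: "your_router"} if isp_routes_to_lan else {}
    return {
        "my_router": Router("my_router", "9.9.9.1", {default: "my_isp"}, {"my_isp"}),
        "my_isp": Router("my_isp", "9.9.9.2", {Net("1.1.1.0/24"): "your_isp", **my_extra}, set()),
        "your_isp": Router("your_isp", "1.1.1.2", {Net("1.1.1.0/24"): "your_router", **your_extra}, set()),
        "your_router": Router("your_router", "1.1.1.1", {lan: "LAN", default: "your_isp"},
                              {"your_isp"}, nat=home_nat, stateful_fw=home_fw),
    }


def scenarios():
    """Outcome of a packet from me (9.9.9.1) under each configuration of your router."""
    me, you, host = "my_router", "1.1.1.1", "192.168.50.5"
    out = {
        # To your public address: no conntrack mapping, so the router keeps the packet.
        "public_addr": forward(build(), me, "9.9.9.1", you),
        # Straight to the private host: dies upstream for lack of a route, NAT or no NAT.
        "private_with_nat": forward(build(home_nat=True), me, "9.9.9.1", host),
        "private_without_nat": forward(build(home_nat=False), me, "9.9.9.1", host),
        # Both ISP routers carry a route for your LAN: NAT alone forwards it inside.
        "isp_routed_nat_only": forward(build(isp_routes_to_lan=True), me, "9.9.9.1", host),
        # Same routes, but your router runs a stateful firewall: dropped on the WAN side.
        "isp_routed_with_fw": forward(build(isp_routes_to_lan=True, home_fw=True), me, "9.9.9.1", host),
    }
    # A reply to a flow the inside host opened passes both NAT and the firewall.
    topo = build(home_fw=True)
    topo["your_router"].conntrack.add((host, "9.9.9.1"))
    out["reply_to_inside_flow"] = forward(topo, me, "9.9.9.1", you)
    return out


if __name__ == "__main__":
    for name, (outcome, path) in scenarios().items():
        print(f"{name:22s} {outcome:62s} via {' -> '.join(path)}")
```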

  2. Friends by Anonymous Coward · · Score: 0

    Friends don't let Friends buy D-Link products.

    1. Re:Friends by Anonymous Coward · · Score: 0

      D-Link is a gateway router.

    2. Re:Friends by rubycodez · · Score: 3, Funny

      (hand holds egg) This is your home network. (breaks egg into frying pan). This is your home network on D-Link. Any questions?

    3. Re:Friends by viperidaenz · · Score: 1

      Fried eggs taste better than raw eggs.

    4. Re:Friends by rubycodez · · Score: 1

      if we're going with Bad Egg Analogies, then my retort would be "can't make a custard pie with fried eggs"

  3. Automated Testing by Anonymous Coward · · Score: 0

    Anyone ever consider this at D-Link...

    1. Re:Automated Testing by Nerrd · · Score: 3, Insightful

      Automated Testing really only works for making sure things work the way they're supposed to work. There really is no such thing as automated Penetration Testing.

    2. Re:Automated Testing by TechyImmigrant · · Score: 3, Interesting

      What he wants is automated regression testing. They did know about the bug before they tried to fix it.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    3. Re:Automated Testing by rubycodez · · Score: 2

      Yes there is. In fact many types of compliance audits, like PCI Level I, require it.

      Look up "vulnerability scanner"

    4. Re:Automated Testing by Nerrd · · Score: 1

      yeah, which work great, for *known* vulnerabilities.

    5. Re:Automated Testing by rubycodez · · Score: 1

      Almost all problems that cause actual loss for business are caused by *known* vulnerabilities.

    6. Re:Automated Testing by bobbied · · Score: 1

      Not to mention... How do you know you fixed an unknown vulnerability? I'm waiting for an answer....

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    7. Re:Automated Testing by bobbied · · Score: 1

      Automated Testing really only works for making sure things work the way they're supposed to work. There really is no such thing as automated Penetration Testing.

      But you can automatically try to find known issues using common attack vectors and avoid shipping the known ones. You can also automatically try randomly generated kinds of potential exploits and see what happens to your software. It's called fuzz testing. And it can expose *possible* exploits, especially if you know something about how your software works. For instance, you can detect that some random packet got passed by the TCP stack and was sent to an application which did something unexpected like logging an exception. You can then take the discovered issue and investigate why the application does what it does and that there isn't an attack vector you can exploit (buffer overflow, SQL injection, or something else).

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    8. Re:Automated Testing by PRMan · · Score: 1

      Sony's network hacks were repeatedly done on long-known vulnerabilities.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    9. Re:Automated Testing by Bob+the+Super+Hamste · · Score: 1

      They make these things called fuzzers. Personally I like /dev/urandom piped into the program.

      --
      Time to offend someone
  4. im sure it took a few tries. by nimbius · · Score: 2

    Dear Customer,
    As you may know D-Link recently suffered a security exploit on our routers. Rest assured, as a company that relies on the rock-solid performance of our own affordable, reliable network hardware we took immE8!3#@T@[NO CARRIER]

    --
    Good people go to bed earlier.
    1. Re:im sure it took a few tries. by Anonymous Coward · · Score: 0

      The NO CARRIER jokes were funny 15 years ago when people still used dial-up.

    2. Re:im sure it took a few tries. by Anonymous Coward · · Score: 0

      I bought a D-Link home router once (years and years ago), returned it the same day after talking with their tech-support.

      Joining a Counter-Strike server immediately locked the router up -- had to power-cycle the router (physically remove the power cord) to get it running again. D-Link's tech-support said that there were too many TCP/IP connections, and the lockup was "by design" to prevent DOS attacks. They were adamant it was not a "bug", and this is the way they intended it to function.

      I've stayed away from D-Link ever since (and recommend others to do the same).

    3. Re:im sure it took a few tries. by the_B0fh · · Score: 2

      The NO CARRIER jokes were funny when triggered by +++ATH0+++

  5. Good security by ArhcAngel · · Score: 4, Interesting

    I think D-Link has excellent security. The minute you try to use it the hardware dies. I have some of the old metal box Netgear desktop switches that will outlive me. Almost all of my D-Link products have died prematurely.

    --
    "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
    1. Re:Good security by Anonymous Coward · · Score: 1

      This has also been my experience. My internal wireless segment is currently running on an old WAP54G specifically because the D-Link that was purchased to replace it became flaky and fried itself within six months.

    2. Re:Good security by SirAudioMan · · Score: 1

      Ya, I agree! DLink always has been garbage, and always will! I have owned Linksys (aka crappy Cisco) which is moderately better than DLink, but have had better luck with NetGear. That being said, with any home/small office network device, if possible, I always remove the crappy factory firmware and install DDWRT on it.

    3. Re:Good security by bill.e.gloat · · Score: 1

      While I cannot speak to D-Link product longevity every single Netgear Gbit switch -- yes the "pro" metal box ones -- I've ever owned has died after a few years of use. I had great luck with the 10/100 units though, which is why I made the mistake of buying their Gbit models. This last time I bought Cisco and couldn't be happier. Yes more expensive but now that I've had experience with it I believe it to be a very fair price for the quality of design. I'm not even interested in taking Netgear up on their lifetime warranty -- not worth the hassle, especially given how the last one died.

    4. Re:Good security by Anonymous Coward · · Score: 0

      Funny that I just replaced a D-Link switch with a Netgear one. Because the D-Link died completely for no reason. I mean, it had no moving parts or anything. Learned my lesson.

    5. Re:Good security by Anonymous Coward · · Score: 0

      While I cannot speak to D-Link product longevity every single Netgear Gbit switch -- yes the "pro" metal box ones -- I've ever owned has died after a few years of use. I had great luck with the 10/100 units though, which is why I made the mistake of buying their Gbit models. This last time I bought Cisco and couldn't be happier. Yes more expensive but now that I've had experience with it I believe it to be a very fair price for the quality of design. I'm not even interested in taking Netgear up on their lifetime warranty -- not worth the hassle, especially given how the last one died.

      I had a real Cisco 2900 rack mount switch for ages, but was getting tired of the fan noise so I bought a little 8-port Netgear Gbit switch to replace it... then went online and saw all the comments about the capacitors popping on them within a year or two. I replaced the caps before even putting it in place of my Cisco (just really poor design is what it boils down to).

    6. Re:Good security by ruir · · Score: 1

      Good for you. The Cisco home business line is rebranded Linksys material. The Enterprise Cisco active equipment, now, we are talking about top tier material.

    7. Re:Good security by bobbied · · Score: 1

      I'm with you, but I generally use OpenWRT myself...

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    8. Re:Good security by bobbied · · Score: 1

      I've actually had pretty good luck with the "small business" line born from the Linksys purchase by Cisco. I have 4 of these old Linksys smart switches in my home network and they've run fine for the last 10 years. The problem you will have is that they can only be configured using a version of IE that was last supported on Windows XP so I have to keep an old Virtual Machine with XP on it laying around so I can configure the switches...

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    9. Re:Good security by Anonymous Coward · · Score: 0

      I must be the only one here who hasn't had bad luck with D-Link. First one I bought lasted five years with no issues other than needing a power cycle every few months. Second one is still going for three years and it's only locked up twice that I can remember. I've definitely had better luck with them than the Zyxel routers my local ISP tries to push on customers.

    10. Re:Good security by bobbied · · Score: 1

      The small business stuff isn't that bad actually, once you get past the infant mortality issues in the hardware. I'd not recommend putting them into a large enterprise network, but for small businesses and home use they are fine. I have 4 of these switches which have been working fine for 10 years now and let me do basic Layer 2 switching, VLANs and fully functional spanning tree for redundancy. It's a pain to keep the right version of IE laying around so you can manage them, but I just keep an old Windows XP virtual machine for that. Now if you are a large enterprise, don't even think about anything but the full up, enterprise level equipment.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    11. Re:Good security by SIGBUS · · Score: 1

      I have a couple of DIR-825s in my house, and they've been rock solid. Of course, the very first thing I did with them was flash them with DD-WRT. One acts as a router, the other as a WDS station to improve signal coverage throughout the house.

      --
      Oh, no! You have walked into the slavering fangs of a lurking grue!
    12. Re:Good security by Anonymous Coward · · Score: 0

      Probably the power adapter. Something similar happened to me. Just died one day. Tested the adapter with a multimeter... yep, was the adapter. Replaced it with a 15€ adapter from an electronics shop.

  6. gee thanks by slashmydots · · Score: 1

    It appears that as a countermeasure to getting hacked, all netgear routers freeze up constantly, have the internet connection cut in and out, reset settings for no reason, and fail to load their config pages. Very clever. Maybe they should apologize for the quality of their routers too.

  7. you don't want their actions. by Lead+Butthead · · Score: 4, Interesting

    Keep in mind this is a company that has a history of doing malicious things; willful violation of GPL that was resolved only when they're drag into the court and lost, hard coding default time server IP address in firmware (imagine hundreds of thousands of them all attempting to sync at the same time daily). It demonstrated a culture of (sociopathical) disregard for others, that alone is reason enough to not buy any of their products.

    --
    ELOI, ELOI, LAMA SABACHTHANI!?
    1. Re:you don't want their actions. by Anonymous Coward · · Score: 0

      ... only when they're drag into the court and lost ...

      Do you mean they went to the court dressed in drag? Now, that is a really ostentatious way to get out of the closet!

    2. Re:you don't want their actions. by Anonymous Coward · · Score: 0

      Keep in mind this is a company that has a history of doing malicious things; willful violation of GPL that was resolved only when they're drag into the court and lost, hard coding default time server IP address in firmware (imagine hundreds of thousands of them all attempting to sync at the same time daily)

      It demonstrated a culture of (sociopathical) disregard for others.

      And that's the biggest problem. A complete disregard for the customers because there is ZERO penalty for producing a shitty product.

    3. Re:you don't want their actions. by ScentCone · · Score: 1

      A complete disregard for the customers because there is ZERO penalty for producing a shitty product.

      Do you purchase their products? Will you in the future? Will you be recommending their products to any people or businesses that you know? Will you be praising or condemning them in venues like this?

      What penalty did you have in mind beyond them losing sales?

      Should we criminalize imperfect software? Let's see some of your code.

      --
      Don't disappoint your bird dog. Go to the range.
    4. Re:you don't want their actions. by sjames · · Score: 1

      Actual enforced consumer laws should be sufficient. In particular, if the device (which *IS* advertised as having a security function) is unfit for purpose (that is, it has serious security flaws), they should be forced to fix it, replace it, or refund it (and if they want it back, they'll need to send out pre-paid packaging for it).

      If they choose to replace it, they should ship the replacements out at their cost and again, include pre-paid packaging if they want the old one back. If they can fix it in firmware, they should be prepared to help a bunch of inexperienced people apply the update and if it bricks, replace it promptly.

      No more of this "OOOPS, bye now!"

  8. Our customers won't know by ITRambo · · Score: 3, Insightful

    The majority of our customers have no idea how routers work, let alone that they can update its firmware. When we explain that a router is a mini-computer that offers a high level of control to them, some of their eyes glaze over as they think a port is what you plug a cable into. When told that firmware can be updated using DD-WRT or the latest OEM version to patch vulnerabilities, only a few understand how to do this, even when we explain it to them. We do offer to perform the work for them, but most don't care unless their router is acting wonky. Unless D-Link sends letters, not an email that would likely be perceived as spam, to registered owners with simple instructions on how to update firmware, very few of their routers will be patched in the real world.

    1. Re:Our customers won't know by Anonymous Coward · · Score: 2, Insightful

      The majority of our customers have no idea how routers work, let alone that they can update its firmware. When we explain that a router is a mini-computer that offers a high level of control to them, some of their eyes glaze over as they think a port is what you plug a cable into. When told that firmware can be updated using DD-WRT or the latest OEM version to patch vulnerabilities, only a few understand how to do this, even when we explain it to them. We do offer to perform the work for them, but most don't care unless their router is acting wonky. Unless D-Link sends letters, not an email that would likely be perceived as spam, to registered owners with simple instructions on how to update firmware, very few of their routers will be patched in the real world.

      Yes, this is absolutely true.

      But, more importantly, consumers SHOULDN'T HAVE TO patch the firmware in their routers. No software is perfect, but this is just getting ridiculous. It's not just D-Link, even though they may be among the worst of the worst, there is now a complete disregard, industry wide, for even the most basic standards of quality.

    2. Re:Our customers won't know by Anonymous Coward · · Score: 1

      Their letters will also likely be rejected as junk mail.

      I've done that with more than a few "legal notifications" that I've gotten.

      Some of them were, others were perhaps conceivably legitimate.

    3. Re:Our customers won't know by LeGarcia · · Score: 0

      Most people look at the router ports as some kind of electric outlet; trying to explain to them about hackers remotely exploiting access into it is like if you told them that there are ghosts that could come out of the electric outlet and possess your refrigerator. "You watch too many exorcist-like movies".

    4. Re:Our customers won't know by Ravaldy · · Score: 1

      My experience with firmware updates on most devices of the same caliber is that they often reset your configuration which means an auto update would not be advisable. As the devices receive more memory more update options will become available. We probably aren't too far from seeing these types of devices auto update.

    5. Re:Our customers won't know by Anonymous Coward · · Score: 0

      The majority of our customers have no idea how routers work, let alone that they can update its firmware. When we explain that a router is a mini-computer that offers a high level of control to them, some of their eyes glaze over as they think a port is what you plug a cable into. When told that firmware can be updated using DD-WRT or the latest OEM version to patch vulnerabilities, only a few understand how to do this, even when we explain it to them. We do offer to perform the work for them, but most don't care unless their router is acting wonky. Unless D-Link sends letters, not an email that would likely be perceived as spam, to registered owners with simple instructions on how to update firmware, very few of their routers will be patched in the real world.

      Yes, this is absolutely true.

      But, more importantly, consumers SHOULDN'T HAVE TO patch the firmware in their routers. No software is perfect, but this is just getting ridiculous. It's not just D-Link, even though they may be among the worst of the worst, there is now a complete disregard, industry wide, for even the most basic standards of quality.

      And asking vendors to support their products with automated updates goes against everything the Board of Directors is yelling and screaming about.

      ESPECIALLY network hardware that most consumers run for years before buying a new one.

      You don't sell new hardware by continuing to support old hardware. You sell new hardware by threatening that the old hardware is now crap and will get your daughter pregnant.

      Capitalism 101.

    6. Re:Our customers won't know by geekmux · · Score: 1

      The majority of our customers have no idea how routers work, let alone that they can update its firmware. When we explain that a router is a mini-computer that offers a high level of control to them, some of their eyes glaze over as they think a port is what you plug a cable into. When told that firmware can be updated using DD-WRT or the latest OEM version to patch vulnerabilities, only a few understand how to do this, even when we explain it to them. We do offer to perform the work for them, but most don't care unless their router is acting wonky. Unless D-Link sends letters, not an email that would likely be perceived as spam, to registered owners with simple instructions on how to update firmware, very few of their routers will be patched in the real world.

      Yes, this is absolutely true.

      But, more importantly, consumers SHOULDN'T HAVE TO patch the firmware in their routers. No software is perfect, but this is just getting ridiculous. It's not just D-Link, even though they may be among the worst of the worst, there is now a complete disregard, industry wide, for even the most basic standards of quality.

      And yet one quality standard of mine is the old mantra that if it is not broken, don't fix it, which runs in direct conflict against the idea of vendors pushing automated updates, especially to devices that can and will destroy the LAN and WAN connections.

      I'm wondering where this conversation would be if TFA was titled "D-Link new automated update service pushes out patch, bricks 100,000 routers at once."

      Basic standards of quality would be assuming the vendor is more than willing to support that 2-year old router you "just bought" by keeping people on staff to monitor it for hardware or software vulnerabilities...you know, instead of saying Fuck you Very Much by simply telling you to go buy more of their product by getting a newer (supported) version.

      For the average $99 consumer router, which support path do YOU think vendors are more likely to take? Or more to the point, how much are you willing to spend on a new (well-supported) router/firewall? $300? Is $400 too much to ask for the device that protects ALL of your other computing devices? Oddly enough, almost every single consumer thinks so. Even the ones standing in line to pre-order a $500 smartwatch.

    7. Re:Our customers won't know by Anonymous Coward · · Score: 0

      It's not just security. It's our entire industry and all the fields within. People are too content to pay for products which are broken out of the box. Far too often they're broken in ways that wouldn't make sense if there were humans testing them. It's getting worse at an accelerating pace too, more broken products come to replace the less broken products, maybe a fix or two down the line and then the process repeats itself. It's really not until customers that bought the product take it upon themselves to fix it (flashing firmware would be such a measure) that anything really gets done unless it makes news.

  9. Qwality by xxxJonBoyxxx · · Score: 1

    >> The release dates for these patches is not yet set in stone, but some are due today (20 April), some tomorrow (21 April) and the remainder on 24 April.

    Da qwality goes in befo da name goes on, right?

  10. If consumers made informed buying decisions by Anonymous Coward · · Score: 0

    If consumers made informed buying decisions, D-Link would be out of business. Does anyone still believe that they're not producing "bug backdoors"? Seriously, patches which introduce the exact same kind of bug in a different place while fixing the previous bug? D-Link survives through the power of marketing alone. Their products are worse than flawed.

  11. OpenWRT Anyone? by Anonymous Coward · · Score: 1

    I'm surprised no one has mentioned alternative firmwares... D-Link should issue a patch that upgrades their routers to openwrt.
    Problem solved.

    1. Re:OpenWRT Anyone? by danbob999 · · Score: 1

      This. D-Link, and other manufacturers, can't be trusted to develop, and especially maintain, router firmwares.

  12. DIR 868L by Tenebrousedge · · Score: 1

    I have a DIR-868L, it was cheap(-ish) and reviews suggested it had good (unobstructed) wireless speeds. That may well be the case, but unfortunately it has a more serious flaw, only being able to handle about 350 Mbps of my gigabit connection. I'm pretty sure the hardware is capable, but the firmware is crippled. I've already RMA'd one and got another back with the same symptoms. Apparently D-link engineers are trying to reproduce this issue, but I don't really expect them to do anything about it.

    So, I'm looking for a little advice here on one or more of the following topics:

    * Choice of Alternate Firmware
    * Firmware Installation Tips
    * Better Gigabit Routers

    Additionally, although too long for a bullet point, I'm interested in the viability of simply getting a wireless adapter for my desktop and just using that as the router. The internet is supplied as a simple PPPoE / CAT6 connection, so it's not exactly hard to set up (how D-Link could screw this up would be mystifying but for things like TFA). There are a handful of other devices on the WLAN but wireless throughput is not really a huge concern; I don't yet have any 802.11ac devices so I'm not going to get full speeds to them in any circumstances.

    Your sage advice is greatly appreciated. Thanks in advance.

    --
    Those who advocate genocide deserve every protection afforded by law, and none afforded by common human decency.
    1. Re:DIR 868L by ageoffri · · Score: 1

      Get an EdgeRouter Lite and a gig switch. I'm finding that the EdgeRouter is very powerful, very fast and being a Linux based appliance is extremely powerful. If you want you could also get one of the EdgeRouters with more ports and skip the switch, but for me I went with a Lite and a NetGear M4100 12 port switch.

      --
      -- Slashdot, making the Left look conservative since 1997.
    2. Re:DIR 868L by Greyfox · · Score: 1

      I just picked up municipal fiber in Longmont, Colorado. The company has a page that lists a number of options you could use with their service. I went with the NetGear Nighthawk and am quite pleased with it. Most of the devices in my house are wireless, but I do have a couple of machines plugged into its wired ports and do get ludicrous speed with it. It's a pretty consistent 600 Mbps up and down according to speedtest.net, and my one-to-two gigabyte skydiving videos upload to youtube faster than I can type the description of the jump.

      --

      I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    3. Re:DIR 868L by PRMan · · Score: 1

      I used to get 100 Mbps on SpeedTest.net, but the most I've ever seen in the real world is 40 Mbps. I've never seen more from anyone, no matter what. So I recently reduced my internet speed to 50 Mbps and saved $30/month. Why pay for "ludicrous speed" when no company can actually give it to you?

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    4. Re:DIR 868L by Greyfox · · Score: 1
      Ah well, as I said, my upload speeds to Youtube are ridiculous. I generate two or three skydiving videos a week and it used to take a couple hours to upload them all to youtube. I'll have to make a video of me uploading a video to Youtube, I guess...

      I also had a problem, while on Comcast, where my computer waking up from hibernation would not be able to resolve DNS for several minutes. I'd be able to ping numeric IP addresses including Google's DNS servers, which I'd set the machine to use. But it would be several minutes before I could resolve names. That problem went away completely when I switched off Comcast.

      So I'm getting gigabit speeds for $59 a month from an ISP that doesn't have the reputation for fuckery that your ISP probably does. Seems worth it to me.

      --

      I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    5. Re:DIR 868L by Tenebrousedge · · Score: 1

      Ironically, the 868L is listed as having the second-highest throughput on the page you linked. It's very strange that mine isn't working correctly. Maybe alternate firmware will help things. The desktop and the ISP-supplied Actiontec get 890 Mbps on speedtest.net, and it's not like PPPoE is computationally expensive. Thanks for the link, it was informative, depressing, and hope-inspiring all at the same time.

      --
      Those who advocate genocide deserve every protection afforded by law, and none afforded by common human decency.
  13. LibreWRT, LibreCMC, OpenWRT, etc matter by Anonymous Coward · · Score: 0

    While I'm not going to suggest making the source code available is going to solve the problem, it's the foundation necessary to begin building a more secure router. The free software router projects might have lots of problems- but what they don't have is a poor base to build from as they're the only bases that are fully free (well, LibreCMC, but LibreCMC is built from OpenWRT without the non-free bits).

  14. They said their router would work with DD-WRT... by Karmashock · · Score: 1

    ... It didn't. It installed sort of but it didn't work. The firmware was all screwed up and half the features had to be manually tweaked by modifying files using the terminal. Seriously pissed because the only reason I bought the damn thing was because they said it was DD-WRT compatible. Fuckers.

    I'm burned on D-link for a good long time because of that.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  15. OpenWRT by Shadow+IT+Ninja · · Score: 5, Informative

    I'm glad I did my recent router shopping by starting with the list of OpenWRT supported devices. OpenWRT is a community supported router firmware. There is more active scrutiny of OpenWRT than proprietary manufacturer firmwares. They support hardware more actively and longer than the manufacturers, themselves, do because they use a common source with many hardware models. There is less likelihood of backdoors being introduced or going unnoticed if they are introduced. I'm talking about backdoors like the famous port 32764 back door which was found and patched but then the patch was reverse engineered and found to just hide the back door better.

    Now this story highlights another issue which is that the manufacturers are trying to add features to their routers. This is antithetical to security. The best thing for security is to keep it simple. HNAP, the basis of the vulnerability in this story, is just such a feature which I don't need or want. I think this all adds up to a situation where you want to avoid manufacturer supplied firmware if at all possible.

    1. Re:OpenWRT by Anonymous Coward · · Score: 0

      Amen. If the router doesn't appear on the openwrt wiki, or at least have proof that OpenWRT can run on it, it's not even on my radar.

    2. Re:OpenWRT by Anonymous Coward · · Score: 0

      >There is more active scrutiny of OpenWRT than proprietary manufacturer firmwares.

      Bzzt, unsupported assertion. How exactly do we know that there's more active scrutiny of OpenWRT than, say, OpenSSL*?

      *Heartbleed, in case anyone's wondering why I mention OpenSSL in particular.

  16. It's a good start. by Lumpy · · Score: 1

    No apology for D-link router hardware quality.

    --
    Do not look at laser with remaining good eye.
  17. Sue them out of existence by ggraham412 · · Score: 1

    Speaking as one who is tired of sorting through consumer grade routers every few years, I'd love it if 90% of these "smart router" crapware products just went away. Someone said that the best technology is that which disappears from the user's consciousness, but somehow router manufacturers think that their best play is to worm their way into your attention like an insecure child: "Hey, look what I can do! Look at me me me!"

    Yeah, I'm DLink and look what I can do. Real smooth.

    Do I need to access an app store on my router? No. Do I need a warm, fuzzy javascript interface? No. Do I need to configure my home router when I'm not at home? No, no, no, and those sorts of features probably contribute the lion's share of vulnerabilities.

    What I need is a simple CGI interface to set up basic routing parameters and WiFi that goes more than 20 feet, and then to forget all about the router. I would actually pay up for that.

  18. Glad I use ASUS now by Tighe_L · · Score: 1

    Although they could be insecure for all I know...

    1. Re:Glad I use ASUS now by bobbied · · Score: 1

      Don't buy hardware unless you can load your own firmware on it. OpenWRT or DDWRT are both great options. Personally, I have two Netgear routers. One that runs OpenWRT that is my internet facing router and it is rock stable as long as my ISP doesn't do something stupid (like they did last week when they changed me from PPPoE to DHCP access w/o telling me in advance). The router my ISP provided would reset multiple times a day (got to love that actiontech junk) and the stock firmware on the Netgear would require a hard boot about once a week. However, OpenWRT has been rock stable for months.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    2. Re:Glad I use ASUS now by PRMan · · Score: 1

      I had no issues with Asus except my hard drive (which I was using for file sharing and UPnP) dying. Also, all access to that USB-attached drive was slow and would slow down the router, meaning that any attempt to access a large number of files (such as an in-place backup) would slow everything to a crawl. I recently moved my drive to use an old netbook as a server (14W) and it's much better now.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    3. Re:Glad I use ASUS now by PRMan · · Score: 1

      And again, turn off any feature that you don't need. Especially things like public FTP, configuration from the internet, VPN, WPS setup, etc.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    4. Re:Glad I use ASUS now by Ravaldy · · Score: 1

      ASUS is in the same boat. Their motherboards often come with very broken software that requires updates. I've purchased over 60 motherboards from Asus and of that probably 7 different models total. Even their latest Z97 required a BIOS update due to critical issues found in the 3rd version released. I'm not very familiar with the quality of software of Asus network products but like most network products, security issues aren't noticeable until you get broken into or someone tells you about it.

      I'm not criticizing ASUS or D-Link since I'd rather have a software engineering department that's willing to fix issues rather than one that appears non-existent.

    5. Re:Glad I use ASUS now by Ravaldy · · Score: 1

      That's only good for a small percentage of the population. I'm highly technical and I wouldn't bother with doing my own custom firmware installation unless it's straightforward. To me a router is like a hard drive. I just want to put it in and have it do what is expected of it. Doing updates is obviously a non-issue.

      FYI, there is a lot of custom firmware available for D-Link products so it's not just Netgear. Also, note that many of the low cost brands you see out there are spin-offs from D-Link or Netgear products.

    6. Re:Glad I use ASUS now by bobbied · · Score: 1

      OpenWRT is pretty much brain dead simple with the default load if you have reasonable hardware and use LuCI. Usually the load of the firmware is exactly like what the factory firmware does. Yeah, LuCI is a bit more complex than your average home router product, but it's still easy enough that I was able to figure it out with very little help. Armed with the FAQ and/or wiki it's really easy and takes you about 3 steps: 1. set the root password, 2. configure your internet connection and 3. turn on the wireless connections. Everything else is optional for most.

      One issue they could fix is the default configuration. Something a bit more functional out of the first flash might be nice... Just enough to get everything running out of the box, but the failsafe mode is only a few mouse clicks away from an internet connection.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    7. Re:Glad I use ASUS now by Ravaldy · · Score: 1

      You do understand that most users don't even have the guts to upgrade the firmware on an extremely simple device, let alone replace the firmware on an existing router.

      There's a reason Apple was the king of smart phones early on. They provided a turn key solution that required little to no knowledge of IT to use.

  19. This is quite old... by buckfeta2014 · · Score: 1

    I can't believe they haven't fixed it yet... I've been seeing these in my logs for years.

    [Mon Apr 13 14:44:22 2015] [error] [client 104.abc.def.18] File does not exist: /var/www/mywebsite.com/HNAP1

    --
    Buck Feta. You know what to do.
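The log line above is what a mass scan for HNAP-speaking routers looks like when it lands on an ordinary web server: the scanner asks every HTTP host for /HNAP1 and the server logs a missing-file error. As an added example, not code from the post or from D-Link, here is a small Python script that pulls those probes out of an Apache 2.2-style error log and counts them per client. The log format is assumed to match the line quoted in the post; the sample lines and IP addresses below are constructed (RFC 5737 documentation ranges), not copied from anyone's server.

```python
import re
from collections import Counter

# Constructed sample error-log lines (documentation IP ranges, not real clients).
SAMPLE_LOG = """\
[Mon Apr 13 14:44:22 2015] [error] [client 203.0.113.18] File does not exist: /var/www/mywebsite.com/HNAP1
[Mon Apr 13 14:44:23 2015] [error] [client 203.0.113.18] File does not exist: /var/www/mywebsite.com/HNAP1
[Mon Apr 13 15:02:07 2015] [error] [client 198.51.100.7] File does not exist: /var/www/mywebsite.com/favicon.ico
[Mon Apr 13 15:10:41 2015] [error] [client 192.0.2.99] File does not exist: /var/www/mywebsite.com/hnap1
[Mon Apr 13 15:11:00 2015] [error] [client 192.0.2.99] script '/var/www/mywebsite.com/HNAP1/index.php' not found or unable to stat
this line is not an apache error entry
"""

# Apache 2.2 error-log shape assumed from the post: [timestamp] [error] [client IP] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9A-Fa-f.:]+)\] (?P<msg>.*)$"
)
# Any path component named HNAP1 (case-insensitive), followed by "/" or end, but not e.g. HNAP10
HNAP_RE = re.compile(r"/hnap1(?![a-z0-9])", re.IGNORECASE)
# First filesystem path mentioned in the message, quoted or bare
PATH_RE = re.compile(r"(/[^\s']+)")


def parse_line(line):
    """Return {ts, ip, msg, path} for an error-log line, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    entry = m.groupdict()
    p = PATH_RE.search(entry["msg"])
    entry["path"] = p.group(1) if p else ""
    return entry


def find_hnap_probes(log_text):
    """Return the parsed entries whose requested path is an HNAP1 probe."""
    probes = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and HNAP_RE.search(entry["path"]):
            probes.append(entry)
    return probes


def probe_counts_by_client(log_text):
    """Count HNAP1 probes per client IP, most active first."""
    return Counter(e["ip"] for e in find_hnap_probes(log_text))


if __name__ == "__main__":
    for ip, n in probe_counts_by_client(SAMPLE_LOG).most_common():
        print(f"{ip}\t{n} HNAP1 probe(s)")
```

On a real server you would feed the script the error log (or a `grep -i hnap1` of it) and ship the resulting client list to whatever blocklist or alerting you already run; the point of the per-client count is to separate a single misdirected request from a scanner working through an address range.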