Are Consumer Firewall/NAT Boxes Really Secure?

blate asks: "Consumer-grade Firewall/NAT devices, such as those from Linksys, Netgear, D-Link, etc., have become very popular as more and more users get broadband connections. I've been using a Linksys router at home for several years and have never had any security problems. But how secure are these devices, really? The firewall gurus I know argue that a NAT really doesn't give you much beyond security-by-obscurity. What are your experiences with this (have you ever been compromised through such a device)? Would I be better off with a Linux/ipchains firewall?"
  • um (Score:2, Informative)

    by Anonymous Coward on Friday September 05, 2003 @10:34PM (#6885084)
    The firewall gurus I know argue that a NAT really doesn't give you much beyond security-by-obscurity.

    Then your 'gurus' are dumbasses. Practically nothing gets past NAT. About the only thing that can compromise it is a trojan.

    Your linux box is far more prone to hack attacks than an embedded device.
  • Re:um (Score:2, Informative)

    by Mr. Darl McBride ( 704524 ) on Friday September 05, 2003 @10:37PM (#6885100)
    Your linux box is far more prone to hack attacks than an embedded device.

    Half of the current embedded devices are Linux boxes. :) The only difference is that most script kiddies don't know how to rewrite flash memory, so you can undo the eventual compromise with a power cycle.

    Think of it as a little gateway box running Linux off CD, but without the ability to run intrusion detection software.

  • IPCop (Score:5, Informative)

    by Anonymous Coward on Friday September 05, 2003 @10:39PM (#6885114)
    Get an older computer, two NICs and IPCop [sourceforge.net], and you'll be good to go. It's a Linux distro customized just for NAT/firewall/proxy use, and it's easy even for a novice to set up. A more advanced user can, of course, customize it quite a bit. The latest version even supports traffic prioritization with just a tiny amount of work, and the next version will have a GUI for that.
  • by PD ( 9577 ) * <slashdotlinux@pdrap.org> on Friday September 05, 2003 @10:39PM (#6885116) Homepage Journal
    Duh, I made a mistake. Don't run a router on each box. Run a FIREWALL on each box. Ipchains or Iptables or whatever.
  • by Lacertus ( 171358 ) on Friday September 05, 2003 @10:40PM (#6885125)
    Back when I was still in High School, I was lucky enough to land a job as the network admin of a small business, consisting of about 30 people or so. The entire shop was Open Source/Free software because cost was a major concern and that was what I was most experienced in (I basically did everything from running the copper across the ceiling to building the [admittedly crappy] webpage).

    That being as it may, I was relatively inexperienced with iptables, and honestly didn't know my ass from my forehead when it came to admin-ing. As such, I deployed one of the cheaper Netgear firewalls; and to great success, I might add. Though it caused some isolated problems, it did its job and protected our network. Thus I can say I was happy with its performance.

    As I've progressed in my techy career, I moved from such 'off-the-shelf' solutions, to building my own (extensive) iptables ruleset, to actually engineering my own 'blackbox' devices - these self-engineered devices were a product of my more ingenious years in college.

    Well, this ramble can be summarized thus: "depends upon your application." Yes, Netgear et al. produce a decent, well designed product. These solutions don't often attract much attention from the geek crowd due to their boilerplate nature, but they are functional.

    Now maintaining a rather massive network of thousands of people, I put my trust in a standalone, (sometimes) load-balanced front end consisting of an old x86 box running OpenBSD. The ruleset I carry with me is the product of several years of gradual modification, and is the best solution available (IMO).
  • by hbackert ( 45117 ) on Friday September 05, 2003 @11:37PM (#6885384) Homepage

    I never had any problems with off-the-shelf el-cheapo no-name home routers. I installed 4 such routers, 3 different brands in 3 companies and here at home. The latter one is a temporary solution, the other ones run for about 2 years now. No problems, except PPPoE related issues (MTU size limit and Linksys' inability to fragment them correctly, but this is an old Linksys). Even companies which wanted a more sophisticated router (Yamaha, Cisco) wanted: NAT, nothing incoming, everything outgoing. Not different from cheap home-routers.

    That said, while a NATing router might not be the world's securest solution, it's a very simple one and a pretty effective one too as long as users don't use the 'DMZ' feature, but I don't know anyone using it without knowing what it does in terms of attackability. For the money you pay, you get the ability to connect more than one computer to the Internet, and they are all no longer easily attackable. Great value for money.

    Imagine a world where all users had those. Windows viruses/worms would have a much harder life to spread.

    The key here is, that it's cheap and easy to use and it actually works. Compare that with a far more complicated Linux/*BSD firewall solution.

  • My Experience (Score:4, Informative)

    by Ratbert42 ( 452340 ) on Friday September 05, 2003 @11:37PM (#6885387)
    I've run the following firewall/host setups:

    Linux (Redhat 6.1-ish?) firewall/occasional web and ftp server with a mix of Windows clients. The Linux machine was never compromised but it did begin crashing on a regular basis, I believe due to DoS attacks of an unknown form. I retired this box due to the crashes.

    OpenBSD (3.0?) replaced this box with the same client load. No problems and no compromises, but keeping up with patches, particularly rebuilding the kernel, was a pain on such a slow machine.

    Linksys box replaced that in the same environment. Again no compromises, but still no services really exposed. The lack of configurability compared to Linux/OpenBSD boxes was a pain.

    Current setup of 3 static IP's, 2 with Linksys boxes protecting web/dns servers and 1 with a DLink WAP/NAT firewall box protecting client boxes. The servers (1 OpenBSD 3.3 and 1 Windows 2000) have had no compromises and the Linksys boxes have given me no problems at all. The DLink box is a pain because it apparently drops idle tcp connections after about 5 minutes. It's much more configurable than the Linksys boxes though. Still no compromises through the DLink firewall either.

    So in short, I've never had a compromise through any firewall, hardware or unix-ish box. The only compromise I've had (except the DoS crashes on the Linux firewall) was a trojan from a downloaded piece of software.

  • by Zocalo ( 252965 ) on Friday September 05, 2003 @11:50PM (#6885445) Homepage
    Given that most devices on the market today come with firewalling included by default, you might as well use it! There's nothing to stop you putting a Linux/BSD based firewall behind it if you wanted to, and of course, you *do* have a personal firewall on each of the Internet connected PCs, right?

    I have a routed block at home, and my basic setup is to use the embedded firewall (it's BSD running IPF as far as I can tell) to perform basic ingress/egress firewalling, DoS and portscan detection etc. and provide an Internet synched NTP server. All the firewall rule violations get sent back to a Linux box via SysLog and I also monitor network devices via SNMP. *All* my internal kit is restricted access by a local firewall; IPTables on the Linux boxes and Agnitum's excellent Outpost Pro [agnitum.com] on the Windows boxes. On top of all that, I have a slew of other stuff; TCPWrappers, a NAT'd wireless network locked down by MAC address, my switch is also locked to MACs and there is a small battery of IDS stuff running.

    That's the setup. How does it work? Very well it turns out; here are the stats for Friday:
    • IP sessions blocked by gateway firewall: 4072
    • IP sessions blocked by local firewalls: 0 (that's zero!)
    • Probes of FTP server: 1
    • Probes of HTTP server: 16 (looks like Nimda's nearly dead)
    • Probes of SMTP server: 0 (that's surprising!)
    • Probes of SSH server: 0 (ditto)
    So, yes, it does look like these things are very effective, if you set them up properly of course!
  • cheap test (Score:5, Informative)

    by DuctTape ( 101304 ) on Friday September 05, 2003 @11:58PM (#6885483)
    One cheap (i.e., no prep) test from the outside is to head over to Gibson Research's site [grc.com] and have it run the Shields UP scanner on your system (links at the bottom of the page). Probably rudimentary, but it'll tell you what you look like from the outside, with pretty pictures, too. It also tells you when your firewall probes them back.

    And of course, for the Windows users, there's our free friend Zone Alarm [zonelabs.com] to help put another layer between your machine and the bad ol' Internet.

    DT

  • Re:heh (Score:4, Informative)

    by cicadia ( 231571 ) on Saturday September 06, 2003 @12:15AM (#6885533)
    Why would you call tech support about that sort of thing?

    Linksys has an email address, security@linksys.com [mailto] set up so that you can report things like this. Tech support is for people who can't tell the LAN cable from the WAN cable, or need to be told to power-cycle their routers.

    And if you don't hear anything back for a while after emailing them there, try posting it to Bugtraq [securityfocus.com] -- that'll get their attention, if nothing else.

  • NAT Issues (Score:2, Informative)

    by jazman_777 ( 44742 ) on Saturday September 06, 2003 @12:18AM (#6885554) Homepage
    I think there's been some noise about ISPs being able to figure out you're NATting from the packet info. I think you can obscure that with OpenBSD. With the Linksys et al you can't. Who cares? When the ISP decides to charge per computer on your LAN...
  • by RzUpAnmsCwrds ( 262647 ) on Saturday September 06, 2003 @01:13AM (#6885764)
    "It's true that Most of these units are flash upgradable, but consumer-level network gear's support lifecycle tends to be pretty damned short."

    Not with Linksys, at least. The Firewall/NAT box I purchased four years ago (BEFSR11) is still being sold, and I still get firmware upgrades for it.
  • by pbannister ( 221251 ) <preston@bannister.us> on Saturday September 06, 2003 @04:03AM (#6886210) Homepage

    I too have wondered if there were any exploits for consumer NAT/firewall boxes. Judging from posts so far, it would seem that at least there are none known :).

    I started using the Linksys cable/routers when they first came out. I have insisted that all my neighbors, friends, and family with fast connections use a Linksys box (or similar).

    There are a few points to bear in mind:

    1. Most crack attempts are from brain-dead script kiddies.
    2. Hardware firewalls fail-safe, where software firewalls fail-unsafe.
    3. You don't want your average folk running only a software firewall.

    Observation (1) comes from running with both a Linux and Windows box exposed directly to the Internet. Both boxes had all unnecessary ports closed, were up-to-date on all patches, and carefully monitored. Neither machine was ever compromised. Periodic review of the logs showed a remarkable lack of intelligence on the part of the attacker. Practically all the activity was from a small number of popular crack-of-the-month scripts. Tracing the attacks back to their source - and getting the script kiddie kicked off their account - was seldom difficult.

    So practically speaking, we don't have to worry about ultra-sophisticated attacks. The vast majority of script kiddies lack the needed intelligence.

    Keep (2) in mind when you weigh the risk of failure. If a software firewall fails to run (for whatever reason) most likely your machine will be completely exposed. If the hardware NAT/firewall fails you will be safe (if without internet access). The software on your PC probably changes regularly. If any of those changes disables your firewall, then you might first notice when your machine is already subverted. The software in your NAT/firewall box never changes (discounting upgrades) so the chance of failure is less.

    Keep (3) in mind when evaluating effectiveness. Most folks with fast connections are not techies. A solution that works well and reliably for the bulk of the population is in the end far more effective.

  • by ajayrockrock ( 110281 ) on Saturday September 06, 2003 @04:41AM (#6886268) Homepage
    I just tried out this floppy distro called BBIagent [bbiagent.net] and it's pretty easy to set up (GPL too!). You configure it through a Java window and it's much cooler than my old Linksys box. I hate to say it but one of the cool features is a live graph of my incoming/outgoing. There's also way more features.

    later,
    ajay

    PS. I'm not affiliated with them in anyway, blah blah blah...
  • by DrSkwid ( 118965 ) on Saturday September 06, 2003 @08:30AM (#6886645) Journal
    port forwarding
    port triggering
    dynamic routing
    AOL parental controls

    ftp://ftp.linksys.com/pub/manuals/befsru31_ug.pdf
  • Maybe yes, maybe no. (Score:3, Informative)

    by FreeLinux ( 555387 ) on Saturday September 06, 2003 @10:55AM (#6887153)
    The consumer level firewalls that you mention can be secure but, they can also be compromised depending on the situation. The most important issue is the proper setup and ongoing maintenance of any security device. You cannot hope to be secure with a "fire and forget" security solution.

    The first issue is proper installation and configuration. Does the installer really know what they are doing and why? In many/most cases, the answer is no. The initial default configurations of these devices are usually very secure using a combination of NAT, which does indeed increase the level of security, and restrictive firewall rules. However, far too many people find the default configurations too restrictive for their needs and start opening holes in order to permit certain desired services like gaming. This is where the problems start. As unknowing installers open various ports or enable port forwarding or install certain machines in "DMZ" zones, they inadvertently open their systems up to the world.

    The second issue is with the actual OS of the device itself. There have been a few vulnerabilities in the devices that you mention that allow for compromise of the actual firewall. I have personally found two Linksys devices that were compromised and reconfigured as open proxies for the purpose of relaying spam. The vulnerabilities were known and there were fixes available to resolve the issue but, people frequently do not know about these vulnerabilities and the firmware updates are not applied. In most cases they are never even aware that they have been compromised. Do you know how to determine if you have been compromised and how often do you check to make sure? So, regular maintenance is very important but very few ever check for, let alone install firmware updates.

    The biggest issue is a true understanding of the risks and how to defend against them. I frequently see "qualified" network engineers with years of experience who still do not completely grasp the many facets of the IP protocol and how it can be used to invade a network. This does not however impact their belief that they are effectively installing and configuring firewalls of all varieties(shudder).

    To answer your question directly, depending on the precise situation and the requirements of the network, a Linksys or Netgear firewall can be just as secure as a CheckPoint firewall but, all three must be configured correctly, monitored constantly and maintained regularly.

    A thorough understanding of TCP/IP and its security is the most important step towards true security and this is in fact what most people lack. Look at this [slashdot.org] article asking about private IP addressing and the slew of comments that illustrate the person does not even understand subnetting. Yet, I'll wager that most of these people would not think twice about setting up a firewall and probably regard themselves as "experts" in network security.

    The actual firewall is not as critical as the understanding of the firewall. Switching from Linksys to a Linux firewall isn't helpful if you don't truly understand what you are looking at with ipchains -Lvn or iptables -Lvn. In fact, if you don't truly understand the many facets of securing an IP network as well as hardening the Linux OS, you are far better off with the Linksys. At least, in the default configuration, it is more likely to be secure.
  • by uradu ( 10768 ) on Saturday September 06, 2003 @11:09AM (#6887238)
    Don't know about the 7401BRA, but my 7004BR was OEM'ed by Amit in Taiwan. Products from Asante, 3Com and GVC used the same base hardware, and their firmware is interchangeable. You'll just have to do some Google Grouping to find out.
  • Re:cheap test (Score:3, Informative)

    by rafa ( 491 ) <rikard@anglerud.com> on Saturday September 06, 2003 @11:56AM (#6887498) Homepage Journal
    If you feel like running some other scans, get a friend to give you a good probing with nmap [insecure.org] or nessus [nessus.org](which performs an nmap scan as well).
  • Re:um (Score:3, Informative)

    by Anonymous Coward on Saturday September 06, 2003 @12:26PM (#6887672)
    Practically nothing gets past NAT

    You can create packets that a NAT will conveniently route to its translated LAN. We frequently see packets that are addressed to the 192.168.0.x range on the LAN. Really cool, especially given that folks seldom change the default address ranges. Kids, if you didn't know this, try it -- it's a good time!

    NetGear ProSafe firewalls are the better bet as they are true stateful packet inspection firewalls. Of course, with great power comes great responsibility.

    Firewall tips:
    1. Don't run your firewall on the same box as your web server or anything else for that matter. You don't want a CGI or mail exploit allowing an intruder to change your firewall rules.
    2. Block/log outgoing ports such as SMTP to see if machines on your network are sending mail when they shouldn't be. Always block/log SSH, Telnet, FTP, TFTP, HTTP (high ports too).
    3. Make it difficult. If a server doesn't need DNS for outgoing connections, don't configure DNS on the machine. Only install what is absolutely necessary to run whatever daemons you may be running.
    4. Never allow PING.
    5. Never assign a default DMZ.
    6. If your firewall is a NAT type, run a software firewall on your desktops (http://www.zonelabs.com has one free for personal use).
    7. Use a non-standard IP address range for your LAN.
    8. Log everything and review daily.
    9. Don't run Kazaa, Weatherbug, Gator, blah, blah, blah. Use Spybot or Pest Patrol to keep clean.
    10. Windows machines should always be updated.

    ...there's plenty more that can be done.

    (Former BH now WH)
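    The tips above, the earlier remark that every forwarded port or "DMZ" host undoes the protection, and FreeLinux's point that a Linux firewall only helps if you can actually read what iptables -Lvn shows you, all end up in the same place: a ruleset you can review before you load it. The script below is an added example written for this page, not any poster's configuration and not vendor firmware. It emits an iptables-restore ruleset for a Linux box doing NAT for a small LAN. The interface names eth0/eth1, the LAN range 10.77.0.0/24 and the optional WEB_HOST and MAIL_HOST addresses are assumptions to adjust; gen_rules only prints, apply_rules loads the result as root.

```shell
#!/usr/bin/env bash
# iptables-restore ruleset for a Linux NAT gateway (example for this page;
# interface names, LAN range and inside hosts are assumptions).
WAN=${WAN:-eth0}                  # interface toward the ISP
LAN=${LAN:-eth1}                  # interface toward the inside
LAN_NET=${LAN_NET:-10.77.0.0/24}  # deliberately not a vendor default range
WEB_HOST=${WEB_HOST:-}            # set to forward tcp/80 to one inside host
MAIL_HOST=${MAIL_HOST:-}          # the one inside host allowed outbound SMTP

gen_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
EOF
  # The only inbound hole: one port to one host, never a "DMZ host" that
  # receives everything the WAN side did not ask for.
  if [ -n "$WEB_HOST" ]; then
    echo "-A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to-destination $WEB_HOST:80"
  fi
  cat <<EOF
-A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:BOGONS - [0:0]
:OUTCHK - [0:0]
EOF
  # Anti-spoofing: nothing arriving on the WAN side may claim a private or
  # loopback source. If your ISP hands you a private WAN address, take that
  # range out of this list or you will drop your own upstream.
  for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
    echo "-A BOGONS -s $net -j DROP"
  done
  # INPUT: loopback, replies to our own connections, management from the LAN.
  # Echo requests from the WAN are dropped, but ICMP errors that belong to a
  # tracked connection still come in as RELATED, so path-MTU discovery works.
  cat <<EOF
-A INPUT -i $WAN -j BOGONS
-A FORWARD -i $WAN -j BOGONS
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -i $LAN -s $LAN_NET -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -i $WAN -p icmp --icmp-type echo-request -j DROP
-A INPUT -i $WAN -m limit --limit 10/min -j LOG --log-prefix "FW-IN: "
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
EOF
  # FORWARD: from the WAN only the explicit port forward gets in; a packet
  # aimed at any inside address that is not a reply matches nothing and hits
  # the DROP policy, whatever private address it carries.
  if [ -n "$WEB_HOST" ]; then
    echo "-A FORWARD -i $WAN -o $LAN -d $WEB_HOST -p tcp --dport 80 -m conntrack --ctstate DNAT -j ACCEPT"
  fi
  cat <<EOF
-A FORWARD -i $WAN -m limit --limit 10/min -j LOG --log-prefix "FW-FWD: "
-A FORWARD -i $LAN -s $LAN_NET -o $WAN -j OUTCHK
-A FORWARD -i $LAN -s $LAN_NET -o $WAN -j ACCEPT
EOF
  # OUTCHK: outbound SMTP only from the mail host; anything else trying is a
  # worm or spam trojan, so log it and reset it. Telnet and TFTP out are
  # logged because a workstation has no business doing either.
  if [ -n "$MAIL_HOST" ]; then
    echo "-A OUTCHK -s $MAIL_HOST -p tcp --dport 25 -j RETURN"
  fi
  cat <<EOF
-A OUTCHK -p tcp --dport 25 -m limit --limit 5/min -j LOG --log-prefix "LAN-SMTP: "
-A OUTCHK -p tcp --dport 25 -j REJECT --reject-with tcp-reset
-A OUTCHK -p tcp --dport 23 -m limit --limit 5/min -j LOG --log-prefix "LAN-TELNET: "
-A OUTCHK -p udp --dport 69 -m limit --limit 5/min -j LOG --log-prefix "LAN-TFTP: "
COMMIT
EOF
}

# Load the ruleset (root). Review "gen_rules" output first.
apply_rules() {
  command -v iptables-restore >/dev/null 2>&1 || { echo "iptables-restore not found" >&2; return 1; }
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  gen_rules | iptables-restore
}

# The pkts/bytes columns tell you which rules actually fire; a "protective"
# rule with zero hits after a week is either never reached or never needed.
show_counters() {
  iptables -L -vn --line-numbers
  iptables -t nat -L -vn --line-numbers
}
```

    Run gen_rules and read it top to bottom before apply_rules: the order matters, because the BOGONS and conntrack rules sit in front of everything else, and the FORWARD chain accepts from the WAN only what conntrack marks ESTABLISHED, RELATED or DNAT. The logging is rate-limited so a scan does not fill the disk; the prefixes make the daily review (tip 8) a grep per category.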
  • Re:um (Score:1, Informative)

    by Anonymous Coward on Saturday September 06, 2003 @04:42PM (#6889168)
    Ping is very useful for denial-of-service and "Smurf Attacks" where the sender is forged. If you were to monitor activity at your firewall today, you're going to see a lot of ICMP (ping) activity relating to an exploit in Cisco IOS.
  • by Glasswire ( 302197 ) on Saturday September 06, 2003 @05:24PM (#6889389) Homepage
    ...Because

    1) if you're familiar with Linux it's easy

    2) Great web/SSH interface esp. to snort output

    3) Works really well

    4) Quick and easy to install -very flexible about DMZ configs

    5) Runs nicely on a box I'd need to upgrade (need +10GB HD) to put Astaro on it. (But I might do that at some point)

  • by uradu ( 10768 ) on Sunday September 07, 2003 @12:00AM (#6891206)
    I believe I was following directions from http://www.dslreports.com [dslreports.com]. Just search for your model number (I assume 7004WBR--if it's not that, it isn't the same Amit hardware). I really wouldn't remember what all I did, it's been months. It involves cross-grading the firmware from SMC to an earlier version of Amit, then upgrading from there to 1.96h3, and also involves hard resetting the router to perform crash recoveries. Anyway, dslreports is a great resource to know.
  • They're good, but... (Score:3, Informative)

    by vasqzr ( 619165 ) <vasqzr@noSpaM.netscape.net> on Sunday September 07, 2003 @01:09AM (#6891411)

    A good firewall would mean setting up a Linux/BSD box, putting a couple NICs in it and setting it all up, right?

    But 95% of the people who read a couple FAQs or books won't do it perfectly.

    So the small appliances work great, as long as you can live with their limited functionality. If you just want 30 users to surf the web it'll be fine, but getting servers etc involved can be tricky with some models.

    The worst thing is when they have poor security by default. We used to scan entire IP blocks, looking for open telnet ports, and we'd just use the default logins to get in. Anyone remember 'wradmin'?

    You could telnet in, shut the DHCP off, or disable routing, telnet to other computers/printers inside their private networks, if it was an ISDN router you could change the dial out phone numbers...

  • by Glonoinha ( 587375 ) on Sunday September 07, 2003 @05:07PM (#6895123) Journal
    https://grc.com/x/ne.dll?bh0bkyd2

    Steve Gibson's site has a section to test all the ports associated with your network connection. Go there, scroll down and click on 'All Service Ports' - it will tell you if your system is vulnerable.

    Behind a Linksys or SMC home router, you are invisible to the rest of the world. Not sure how much better it can get than that.
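    DuctTape's Shields UP suggestion, rafa's nmap one and the default-login telnet scans vasqzr describes all come down to the same check: look at the router from the outside. The script below is an added example for this page, not code from any poster or from grc.com. Run from a host on the public Internet against your public address, it probes a list of ports using only bash's /dev/tcp and the coreutils timeout command, and separates "closed" (the box answered, so it is visible) from "filtered" (nothing came back, the state the Shields UP page reports as stealth). The address 203.0.113.7 and the port list are assumptions; from inside your own LAN you only ever see the LAN side, so it has to be run from elsewhere.

```shell
#!/usr/bin/env bash
# Outside-in check of a NAT/firewall box (example for this page). Needs
# only bash (/dev/tcp) and coreutils "timeout"; nmap is better when you
# have it, but this runs on any shell account.

# probe_port HOST PORT [SECONDS] -> prints open, closed or filtered
probe_port() {
  local host=$1 port=$2 secs=${3:-3}
  timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
  case $? in
    0)   echo open ;;      # SYN-ACK came back: something listens here
    124) echo filtered ;;  # nothing came back before the timeout: the packet
                           # was dropped (what Shields UP calls "stealth")
    *)   echo closed ;;    # the box answered, usually with a RST: nothing
                           # listens, but the host is plainly visible
  esac
}

# Ports worth trying against a consumer router's WAN side: remote management
# (telnet, web, ssh), the Windows services worms hunt for, and the services
# people forward. Constructed list, not taken from the page.
DEFAULT_PORTS="21 22 23 25 80 135 139 443 445 8080"

# probe_host HOST [PORT...] -> one "port state" line per port, then a verdict
probe_host() {
  local host=$1 ports visible p state
  shift
  ports=${*:-$DEFAULT_PORTS}
  visible=0
  for p in $ports; do
    state=$(probe_port "$host" "$p" 2)
    printf '%-5s %s\n' "$p" "$state"
    [ "$state" = filtered ] || visible=$((visible + 1))
  done
  if [ "$visible" -eq 0 ]; then
    echo "verdict: $host dropped every probe (nothing visible from here)"
  else
    echo "verdict: $host answered on $visible of the probed ports; look at any 'open'"
  fi
}

# ./probe.sh 203.0.113.7          (RFC 5737 example address, an assumption)
# ./probe.sh 203.0.113.7 23 80 443
if [ -n "${1:-}" ]; then
  probe_host "$@"
fi
```

    Anything reported open on the WAN side deserves a look: telnet (23) or web (80, 8080) answering there means the management interface is reachable from the Internet, which is exactly what the default-login scans above relied on. "closed" for every port means the box is visible and simply has nothing listening; only "filtered" across the board is the invisible result. When nmap is available, nmap -sS -p- and nmap -sU against the same address give the fuller picture, including UDP, which this script does not cover.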
  • Re:IPCop (Score:5, Informative)

    by Awptimus Prime ( 695459 ) on Sunday September 07, 2003 @11:46PM (#6897188)
    I attempted to do the same thing a while back. I have an aging P2 400, 4 port ethernet card, and small HDD in the system. I figure it burns probably around 75-100 watts sitting there, plus it generates some noise.

    When Compusa had a sale on those silver netgear routers, I grabbed one for ~$50. It sounded so simple, just plug it in, configure via web interface and you are done.

    Then I tried to get it to work with SecuRemote VPN, and no luck. The box said in big, bold letters 'Supports VPN!'. So I dropped them an email and found they had shipped them without a VPN enabled firmware and I upgraded so it would work as advertised. The new firmware worked with my VPN client, but only one session at a time. Then it started hanging and not passing traffic every couple of hours. I'd have to reboot the thing several times a day. After reading on forums, I found the VPN firmware was buggy as all get out.

    So I take it back and grab an SMC. This worked flawlessly, then started requiring a daily reboot after a couple of weeks usage. There were no firmware revisions to swap out, so I took it back to the store.

    Since then, I hooked up my old P2 400 with IPCop and found it to be rock solid. It's been up for about 4 months without a reboot and, not once, have I had to trouble-shoot any problems with it.

    If you get paranoid, Snort is there and simple to use via the web interface. I would definitely suggest this distro to anyone who's a Linux noob. You can download the ISO, burn it, pop it in, answer its questions and have a very stable router running in about 30 minutes.

    Yes, for security's sake OpenBSD would be a better choice, but this Linux distro will make setup much less painful. If you are concerned about security enough to point out the flaws of Linux and preach BSD, you don't need to be running this distribution anyway, as you are likely versed enough to set up your own BSD solution. In my case, I'm lazy and the ability to just grab security updates via a web interface fits my needs a bit better.

  • by quinkin ( 601839 ) on Monday September 08, 2003 @10:18AM (#6899489)
    "So practically speaking, we don't have to worry about ultra-sophisticated attacks. The vast majority of script kiddies lack the needed intelligence."

    I remember feeling like this. Safe and secure behind my impenetrable shield of carefully tweaked and tuned software and hardware firewalls/NAT routers which were continually monitored and kept up to date. Sure in the knowledge that the only incidents I would have to deal with would be caused by office staff installing the "latest aquarium screensaver" and easily contained with judicious blocking of outbound ports (ie. SMTP).

    Then one day you are trying out the latest tcpdump frontend and sniff a few packets off the wire at random...

    You zoom in on a few ICMP replies you captured, check out the frontend's rendering of the packet header, and data, and... hey! WTF?

    Fscking command line fragments embedded in unused parts of the packets! Ping is disallowed mind, these are port unavailable, throttle back etc. style ICMP packets from seemingly valid hosts.

    Cut a long story short, we eventually found a trojan on one of the windows machines that would request a series of web pages in order to open the firewall to the return ICMP packets. Whacky.

    I assume any and all machines may be compromised at any time now. I keep my own disguised process reporting binaries on all important machines. I basically live paranoid, but that doesn't mean I'm wrong. :)

    Scuse the waxing lyrical, and meandering from 2nd to 1st person with casual aplomb. It's late here...

    Q.

  • by russotto ( 537200 ) on Tuesday September 09, 2003 @02:20PM (#6912712) Journal
    The NAT boxes will stop your garden-variety worm searching for vulnerable services on a default-configured Windows box, provided you don't open those ports.

    But a lot of them support "UPnP", which allows programs to automatically open up ports they need. This is a great convenience, but you're now giving the keys to your network to any random Windows program. Now any trojans don't need to actively call out -- they can just open up your firewall FOR you and wait for connections. This strikes me as definitely not a good idea.
