Are Consumer Firewall/NAT Boxes Really Secure?
blate asks: "Consumer-grade Firewall/NAT devices, such as those from Linksys, Netgear, D-Link, etc., have become very popular as more and more users get broadband connections. I've been using a Linksys router at home for several years and have never had any security problems. But how secure are these devices, really? The firewall gurus I know argue that a NAT really doesn't give you much beyond security-by-obscurity. What are your experiences with this (have you ever been compromised through such a device)? Would I be better off with a Linux/ipchains firewall?"
Good, but not "plug and forget." (Score:5, Insightful)
It's true that most of these units are flash upgradable, but consumer-level network gear's support lifecycle tends to be pretty damned short. It's quite likely that the company producing the hardware isn't going to be bothered to repair a product, even if it's proven to be as permeable as a sponge.
My personal take would be that these units are great, so long as you learn a little about how they work. Shoot for something that's based on Linux or another OS with public information, learn what kernel it's using, and then treat the unit just like a PC running that same release. If an exploit is announced for that version of Linux, get it off the wire until you can patch it, just like you'd do with the real PC.
morph (Score:5, Insightful)
Two things to remember (Score:5, Insightful)
2) Don't build a Maginot Line that a hacker can plow through and then discover that Paris has no more defenses. Good security is always a series of obstacles, as many obstacles as you can put in the way. Not one of them will be perfect, but enough obstacles that are sufficiently difficult will keep a hacker out. So use that Linksys router. And run a router on each box. And make sure that your subnet isn't routable or addressable from the outside. And make sure your external-facing machines are firewalled from your internal network. And make sure that your patches are up to date. And scan your internal network often to make sure that no funny ports are open. And read the advisories. And run a virus scanner. And don't use Outlook for a mail client. And don't forget to use that nmap against your external network interface frequently; if that means getting an Earthlink account just for scanning your network from the outside, then do it.
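The "scan your network often" advice above only pays off if you compare each scan against what you expect to see. The following is an added example for this thread, not code posted by anyone in it: it parses nmap's grepable output (`-oG`) and reports every open port that is not in a per-host baseline. The hosts, the baseline and the scan lines are constructed sample data; in use you would feed it the output of a real `nmap -oG` run from inside the LAN and another from outside.

```python
"""Compare an nmap grepable-output (-oG) scan of your own network against a
baseline of ports you expect to be open, and report anything else.

Added example for this thread, not code posted by anyone in it. The host
addresses, baseline and scan lines below are constructed sample data; in
practice you would feed in the output of something like
    nmap -sS -oG scan.txt 192.168.1.0/24        # from inside the LAN
    nmap -sS -oG outside.txt <your-public-ip>   # from an account outside
"""
import re

# Constructed baseline: the only ports that should be reachable on each host.
BASELINE = {
    "192.168.1.1":  {(22, "tcp"), (80, "tcp")},   # the NAT box's admin interfaces
    "192.168.1.10": {(22, "tcp")},                # the Linux server: sshd only
    "192.168.1.20": set(),                        # a desktop: nothing listening
}

# Constructed sample of nmap -oG output (one "Host:" line per host, tab-separated fields).
SAMPLE_SCAN = """\
# Nmap 3.00 scan initiated as: nmap -sS -oG scan.txt 192.168.1.0/24
Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh///, 139/open/tcp//netbios-ssn///, 6667/open/tcp//irc///\tIgnored State: closed (997)
Host: 192.168.1.20 ()\tPorts: 135/filtered/tcp//msrpc///\tIgnored State: closed (999)
Host: 192.168.1.30 ()\tPorts: 23/open/tcp//telnet///\tIgnored State: closed (999)
# Nmap run completed
"""

# port/state/proto/ is the head of each entry in the "Ports:" field
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


def parse_grepable(text):
    """Return {ip: {(port, proto), ...}} of ports nmap reported as open."""
    result = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        open_ports = set()
        for field in fields[1:]:
            if field.startswith("Ports: "):
                for port, state, proto in PORT_RE.findall(field):
                    if state == "open":   # filtered/closed are not reachable
                        open_ports.add((int(port), proto))
        result[ip] = open_ports
    return result


def unexpected_ports(scan, baseline):
    """Return {ip: sorted [(port, proto), ...]} of ports open but not in the baseline.

    A host missing from the baseline is reported in full: an unknown box on
    the wire is itself a finding.
    """
    findings = {}
    for ip, ports in scan.items():
        extra = ports - baseline.get(ip, set())
        if extra:
            findings[ip] = sorted(extra)
    return findings


if __name__ == "__main__":
    for ip, ports in unexpected_ports(parse_grepable(SAMPLE_SCAN), BASELINE).items():
        print(ip, ", ".join(f"{port}/{proto}" for port, proto in ports))
```

Run it against the sample and it flags the NetBIOS and IRC listeners on the Linux server and the unknown host at .30 running telnet, while the desktop's filtered port is ignored because nothing actually answers there. Keep the baseline in version control and diff the findings over time; a port that appears between scans is exactly the "funny port" the post is talking about.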
Do you have the time? (Score:3, Insightful)
It all boils down to this: what would you rather spend more of, time or money? I use FreeBSD with natd/ipfw; it's great for me, but I did it for the learning experience.
If not secure, then more reliable (Score:3, Insightful)
Both FreeBSD and Linux have proven to be much more reliable against sometimes quirky network conditions. My current machine will have a new IP address and have updated my dyndns.org entries within 30 seconds of plugging in my DSL modem.
If you're going to get a firewall/router appliance, get one that has something like Linux or BSD at its core.
NAT, meet Britney (Score:3, Insightful)
Think about this. If you did use ipchains, what would your first and most important rule be? My answer to that question is "deny all" (for a home network anyway). A side effect of NAT's inability to automatically map incoming connections is essentially a "deny all" rule. Because you probably need more than one IP address, you'll probably use NAT anyway. Therefore, you get this "deny all" rule for free. It, of course, doesn't hurt to use a linux-based firewall in addition to the NAT machine.
To sum it up, I wouldn't worry too much about it. It's not like anyone really wants your porn anyway
Linux/Ipchains isn't very good either (Score:4, Insightful)
As for consumer NAT boxes? Well, they're a lot harder to attack if they are done even half-baked, because NAT creates a fair number of barriers against inbound connections: an inbound packet needs to match an entry in the tables to go to the right address/port pair behind. Unless there's a major screw-up in the table-matching bit, where is a packet going to go if there's no matching entry?
Maybe if they cut a few corners with DNS packets, then the attacker could try sending spoofed DNS packets to trick people into going to a custom webmail site. Thing is, an attacker needing to have a site means leaving a bigger trail, and the site can usually be shut down.
The usual holes in NAT are in handling NAT-unfriendly protocols like FTP, H.323, IRC DCC and so on. In fact, if the box doesn't handle these it's probably safer; so what if you lose a few features? Joe Schmoe doesn't even know about FTP, and really, Joe Schmoe not being able to DCC files from someone (and stupidly run them) is a feature.
The other potential vulns are DoS (crashing the box). Exploiting a box could be harder if it uses microprocessors which the attacker can't be bothered to get access to and figure out (most are script kiddies).
In all I think they are a good thing - such cheap firewalls significantly raise the barriers of entry to the masses.
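Both the "NAT, meet Britney" post and the one above make the same point from different angles: a NAT box has a connection table, inbound packets that match nothing in it have nowhere to go, and that is the "deny all" rule you get for free. The following toy model is an added example for this thread, not firmware from any real device, and it is deliberately simplified (no timeouts, no TCP state tracking, none of the FTP/H.323/DCC helpers the post above identifies as the usual holes). All addresses, ports and packets are constructed. It also shows what an explicit port forward does to that free rule, since that is how one of the posts below got rooted.

```python
"""Toy model of the connection table inside a NAT box.

Added example for this thread; not the firmware of any real device. The
addresses, ports and packets are constructed. Only TCP/UDP 4-tuples are
modelled; timeouts, TCP state tracking and protocol helpers (ALGs) for
FTP, H.323 or IRC DCC are deliberately left out.
"""
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.7"   # the box's WAN address (constructed, documentation range)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class NatBox:
    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.next_port = first_port
        # (proto, public_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.table = {}
        # reverse map so repeat outbound packets of one flow reuse their public port
        self.outbound = {}
        # explicit port forwards: (proto, public_port) -> (inside_ip, inside_port)
        self.forwards = {}

    def add_forward(self, proto, public_port, inside_ip, inside_port):
        """Static mapping: this is the hole you open on purpose."""
        self.forwards[(proto, public_port)] = (inside_ip, inside_port)

    def send_out(self, pkt):
        """LAN -> WAN: allocate (or reuse) a public port and record the flow."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.outbound:
            public_port = self.next_port
            self.next_port += 1
            self.outbound[key] = public_port
            self.table[(pkt.proto, public_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, self.outbound[key], pkt.dst, pkt.dport, pkt.proto)

    def receive(self, pkt):
        """WAN -> LAN: return the translated packet, or None if it is dropped.

        The lookup is on the full 4-tuple, so a reply from the host the LAN
        client talked to gets through while a different host probing the
        same public port does not.
        """
        entry = self.table.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            entry = self.forwards.get((pkt.proto, pkt.dport))
        if entry is None:
            return None   # no mapping and no forward: nowhere to send it
        inside_ip, inside_port = entry
        return Packet(pkt.src, pkt.sport, inside_ip, inside_port, pkt.proto)


def demo():
    """Walk through the cases discussed in the thread; returns them for inspection."""
    box = NatBox(PUBLIC_IP)
    # 1. a LAN desktop browses out; the web server's reply matches the table entry
    out = box.send_out(Packet("192.168.1.20", 40000, "198.51.100.5", 80))
    reply = box.receive(Packet("198.51.100.5", 80, PUBLIC_IP, out.sport))
    # 2. someone else probes the same public port: no 4-tuple match, dropped
    probe = box.receive(Packet("198.51.100.99", 4444, PUBLIC_IP, out.sport))
    # 3. a scan of port 22 while no forward exists: dropped
    scan = box.receive(Packet("198.51.100.99", 4444, PUBLIC_IP, 22))
    # 4. forward port 22 to a LAN server: the same scan now lands on its sshd
    box.add_forward("tcp", 22, "192.168.1.10", 22)
    forwarded = box.receive(Packet("198.51.100.99", 4444, PUBLIC_IP, 22))
    return out, reply, probe, scan, forwarded


if __name__ == "__main__":
    for label, pkt in zip(("out", "reply", "probe", "scan", "forwarded"), demo()):
        print(f"{label:9} {pkt if pkt else 'dropped'}")
```

Two things to take from running it. The unsolicited probe in case 2 is dropped even though the public port is in use, because the table is keyed on the remote address and port as well; that is the "barrier" the post describes, and it costs the vendor nothing. Case 4 is the flip side: every port forward you add is a static entry that bypasses the table, so the box is then exactly as secure as the service behind it, which is what the "Words of Warning" post below found out the hard way.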
Re:morph (Score:2, Insightful)
Or if you have to pay for electricity, or if space is limited.
The big question is whether the consumer router lets you do what you want/need with your network. The Linux/OpenBSD solution gives you the ability to do a lot of things that would otherwise require commercial grade equipment.
Re:Good, but not "plug and forget." (Score:5, Insightful)
> isn't going to be bothered to repair a product
Now that's a platitude if ever I've seen one. What precise personal experience do you base this statement on? Linksys, Netgear and SMC certainly have a decent track record of supporting their products, sometimes well into the next few generations. Besides, most of these consumer devices are based on OEM hardware whose manufacturer usually writes the base firmware that the vendors then customize. The upshot is that even if your Linksys or SMC doesn't produce new firmware, the OEM manufacturer often does. My SMC 7004 Barricade is running firmware that provides considerably more functionality than SMC ever planned for the little box.
NATs stop outside connections in... (Score:4, Insightful)
So, turn on or add a firewall if you really are concerned. Not that that's a 100% solution either...
Re:NAT Issues (Score:3, Insightful)
I remember the noise about this, but I haven't seen any ISPs take notice or do anything about it. They won't. Because as long as the customer sets it up correctly, it doesn't affect the service at ALL; the ISP has done NOTHING to give the customer more value, so they shouldn't be able to charge for it.
Words of Warning (Score:3, Insightful)
It works great, never had a problem with it at all, but...
I have a Linux server running on that network and traffic on port 22 is forwarded to the Linux box. Add an old version of sshd and voila! Rooted.
Because I was behind that firewall, though, I didn't pay as much attention to the box as I should have and it took me a week to realize something was wrong.
Moral: The firewall can't protect you from yourself. You still have to be careful behind it.
Re:Good, but not "plug and forget." (Score:3, Insightful)
Jesus man, you are talking about a $60 piece of hardware. If your Internet connectivity is important to you, as in business grade connectivity important, just buy two and put one on the shelf. If your primary goes down go back to the parts closet and grab your spare, swap it out and you are back up and running in about 10 minutes. Assuming you wrote down the WEP generation key and other settings when you installed the first one you are bingo ready before Pizza Hut can deliver a well deserved pizza, your reward for keeping the network connected to the Net.
If you were offline for a month, or worse yet limping along connecting a single machine directly to the cable modem / DSL (exposed to the net with no firewall), waiting on a replacement on a $60 part