Are Consumer Firewall/NAT Boxes Really Secure?
blate asks: "Consumer-grade Firewall/NAT devices, such as those from Linksys, Netgear, D-Link, etc., have become very popular as more and more users get broadband connections. I've been using a Linksys router at home for several years and have never had any security problems. But how secure are these devices, really? The firewall gurus I know argue that a NAT really doesn't give you much beyond security-by-obscurity. What are your experiences with this (have you ever been compromised through such a device)? Would I be better off with a Linux/ipchains firewall?"
Re:Good, but not "plug and forget." (Score:3, Interesting)
Linksys will ask you to ship it back and offer a replacement in 3-4 weeks.
heh (Score:5, Interesting)
Which was the last I heard about it.
Basically, the gist of the problem was that outsiders on the internet were able to access SMB shares through the router on the internal network even though the ports were not forwarded. Even null routing those ports didn't work.
So, no, consumer NAT devices aren't really secure, but they are still an extra layer between you and "The world", which is nice if you run Windows (I didn't need to worry about Blaster, or its variants, thanks to the Linksys).
Netopia R910 (Score:3, Interesting)
m0n0wall + embedded board = best of both worlds! (Score:2, Interesting)
Interesting, I just finished setting up this [m0n0.ch] on one of these [soekris.com].
I was pretty damn impressed with m0n0wall, it's FreeBSD-based and fits on an 8MB CF card, and has a nice web interface. Of course it's free software so you can hack it and improve it all you like (you need another FreeBSD box to do it on).
Check out this combo, it's the best of "plug and play" and "high quality free software" in one Institutional Green sheet metal case!!
Re:Cheap and easy to use! (Score:3, Interesting)
It might seem strange that a cheap router could provide such a high level of security. It's effective for the same reason that it's cheap: the technology is very simple. Machines on the local network can open connections to remote machines, but no remote machine can access a local machine. In fact, remote machines can't even address local machines -- the network IP addresses are meaningless outside the local network. This is fundamentally more effective than all the complicated, expensive "firewall" solutions.
Of course, this doesn't meet everybody's needs. Some people have to have remote access to the local machine, or support P2P. But my experience with routers that isolate you from the internet at large makes me more than willing to give up a few network features.
I'm actually talking more from my experience with company networks than with these cheap routers. But the principle is the same. When you access the internet through a firewall proxy, you can only do things the proxy lets you do. And in a security conscious company, that is usually not much. While on a private network, there's nothing to stop you from opening any kind of connection you want.
Not really (Score:4, Interesting)
I know several people that have had problems using these. Not counting the problems with locking up by going for a URL on some (Linksys?), most people not bothering to change the default password, and service providers or users or consultants turning on (or not turning off) the web management interface on the WAN side, these devices are designed to be used by people that have no business setting up and configuring firewalls.
I've seen them directly compromised where someone broke in, changed the password AND disabled the public interface. Additionally, people and frequently small businesses stick servers behind them, whether just forwarding a port or using the DMZ option. Great, leave a patched or unpatched Windows box accessible on every port sitting there fat, dumb and happy for attack. And leave it on your LAN where it can be used to stage an attack on everything else on your LAN and everyone else in the world.
Of course I've also come across Cisco routers improperly configured to DMZ an Exchange server where every port except TCP 23 was forwarded and of course, it got owned.
My point is that these devices provide a very false sense of being immune to attack and an "army of know-it-all experts" ranging from jr. high schoolers to 60 something retirees that really have little or no knowledge. Somebody sets up four of these things and they are an expert. It's like reading the first paragraph of "War and Peace" and declaring yourself an expert on Russian literature.
Sometimes they are better than nothing, but they are worse than nothing when left in their default configuration or set up in a totally insecure way, leaving the "expert" confident that they are protected.
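As an added illustration of the two points made above (the NAT principle in "Re:Cheap and easy to use!" and the port-forward/DMZ caveat in "Not really"), here is a constructed Python model of an address-restricted NAT box; it is not code from any vendor's firmware, and the addresses are made-up documentation ranges. An unsolicited WAN packet has no mapping and is dropped, a reply to an outbound flow is translated back to the LAN host that asked for it, and a forwarding entry is exactly the hole that makes a LAN host reachable.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    """One IP packet, reduced to the fields a NAT box looks at."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

@dataclass
class NatBox:
    """Toy address-restricted NAT with a port-forward table (constructed model, not real firmware)."""
    wan_ip: str
    next_port: int = 40000
    # (proto, wan_port) -> (lan_ip, lan_port, remote_ip, remote_port)
    table: Dict[Tuple[str, int], Tuple[str, int, str, int]] = field(default_factory=dict)
    # (proto, wan_port) -> (lan_ip, lan_port): the "port forward" / DMZ knob
    forwards: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN host opens a connection: allocate a public port and remember who asked for what."""
        for (proto, wan_port), who in self.table.items():
            if proto == pkt.proto and who == (pkt.src, pkt.sport, pkt.dst, pkt.dport):
                break  # reuse the existing mapping for this flow
        else:
            wan_port = self.next_port
            self.next_port += 1
            self.table[(pkt.proto, wan_port)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(self.wan_ip, wan_port, pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN packet: deliver only if a LAN host asked for it or an admin exposed the port."""
        if pkt.dst != self.wan_ip:
            return None  # private addresses are not routable from outside anyway
        key = (pkt.proto, pkt.dport)
        if key in self.table:
            lip, lport, rip, rport = self.table[key]
            if (pkt.src, pkt.sport) == (rip, rport):
                return Packet(pkt.src, pkt.sport, lip, lport, pkt.proto)
            return None  # right port, wrong peer: dropped
        if key in self.forwards:
            lip, lport = self.forwards[key]
            return Packet(pkt.src, pkt.sport, lip, lport, pkt.proto)  # exposed, on purpose or not
        return None  # nothing asked for it: the LAN host is simply not addressable
```

The last branch is the whole "security" of the box, and the `forwards` branch is what a DMZ or port-forward setting turns on.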
It's the same thing! (Score:3, Interesting)
Anyway the principle is the same in both cases. Both Linux and these devices offer you a firewall and both offer you NAT and a few other features. The NAT devices offer you ease of configuration and ease of use, while Linux, BSD, or any other UNIX type OS that has built in firewalling offers you a little more control over the firewalling. AFAIK you can't deal with frag packets in these NAT devices and specify various tcp flags or things. All they do is allow or deny various types of traffic. Also you can't set them up to do DNS / mail like you could a Linux / BSD system.
In the end it is a matter of preference IMHO and affordability. If you can afford one and don't want to deal with all the updates that you'd be applying to a Linux box or BSD system then that would be the way to go.
Good reasons to buy an Apple Airport (Score:4, Interesting)
Hence Apple AirPorts are well worth the $50 premium you pay for them. The Apple software update will come with patches as needed for your security. You don't need to go looking, your Apple will automatically get them the moment they become available. You just have to run them. And you can be sure the Apple updates will work well and not screw up your otherwise stable system. And the maintenance of the system is a friendly GUI.
Understand the risks? (Score:3, Interesting)
I hear people saying, well they run Linux, and Linux is hackable. With no ports open, how is it hackable? (DoS attacks don't count and neither do trojans running inside)
One of the most important settings (Score:1, Interesting)
Re:Cisco's products die. (Score:2, Interesting)
No, unfortunately, I don't have any links. This has been part of my problems as well.
However, from my experience, I can tell you this: