Are Consumer Firewall/NAT Boxes Really Secure?

blate asks: "Consumer-grade Firewall/NAT devices, such as those from Linksys, Netgear, D-Link, etc., have become very popular as more and more users get broadband connections. I've been using a Linksys router at home for several years and have never had any security problems. But how secure are these devices, really? The firewall gurus I know argue that a NAT really doesn't give you much beyond security-by-obscurity. What are your experiences with this (have you ever been compromised through such a device)? Would I be better off with a Linux/ipchains firewall?"
  • by Mr. Darl McBride ( 704524 ) on Friday September 05, 2003 @10:47PM (#6885165)
    If your question is serious, I'll tell you this: If you buy the Cisco and are willing to pay for a support contract, then you'll never ever have to worry about downtime. This will be true no matter what the day, no matter what the hour, no matter how old the hardware.

    Linksys will ask you to ship it back and offer a replacement in 3-4 weeks.

  • heh (Score:5, Interesting)

    by revmoo ( 652952 ) on Friday September 05, 2003 @11:32PM (#6885366) Homepage Journal
    I personally have found a couple of exploits in my Linksys router. I talked to Linksys about it; after about an hour with tech support they finally said "We don't have a fix for it, I've never heard about it, but I'll forward this to our developers."

    Which was the last I heard about it.

    Basically, the gist of the problem was that outsiders on the internet were able to access SMB shares through the router on the internal network even though the ports were not forwarded. Even null routing those ports didn't work.

    So, no, consumer NAT devices aren't really secure, but they are still an extra layer between you and "The world", which is nice if you run Windows (I didn't need to worry about Blaster, or its variants, thanks to the Linksys).
  • Netopia R910 (Score:3, Interesting)

    by Detritus ( 11846 ) on Saturday September 06, 2003 @12:44AM (#6885656) Homepage
    One possibility is to spend some more money and get the low-end model in a series of routers manufactured by a real router company. After having problems with Netgear and SMC, I bought a Netopia R910. It runs the same software as their more expensive routers. The firewall features, while not as fancy as what you can do with a dedicated PC, are adequate for my needs.
  • by Anonymous Coward on Saturday September 06, 2003 @01:56AM (#6885905)

    Interesting, I just finished setting up this [m0n0.ch] on one of these [soekris.com].

    I was pretty damn impressed with m0n0wall, it's freebsd-based and fits on an 8MB CF card, and has a nice web interface. Of course it's free software so you can hack it and improve it all you like (you need another FreeBSD box to do it on).

    Check out this combo, it's the best of "plug and play" and "high quality free software" in one Institutional Green sheet metal case!!

  • by fm6 ( 162816 ) on Saturday September 06, 2003 @02:16AM (#6885967) Homepage Journal
    I agree with you on every point, but one of your points needs further elaboration.

    It might seem strange that a cheap router could provide such high level of security. It's effective for the same reason that it's cheap: the technology is very simple. Machines on the local network can open connections to remote machines, but no remote machine can access a local machine. In fact, remote machines can't even address local machines -- the network IP addresses are meaningless outside the local network. This is fundamentally more effective than all the complicated, expensive "firewall" solutions.

    Of course, this doesn't meet everybody's needs. Some people have to have remote access to the local machine, or support P2P. But my experience with routers that isolate you from the internet at large makes me more than willing to give up a few network features.

    I'm actually talking more from my experience with company networks than with these cheap routers. But the principle is the same. When you access the internet through a firewall proxy, you can only do things the proxy lets you do. And in a security conscious company, that is usually not much. While on a private network, there's nothing to stop you from opening any kind of connection you want.

  • Not really (Score:4, Interesting)

    by Halvard ( 102061 ) on Saturday September 06, 2003 @08:02AM (#6886563)

    I know several people that have had problems using these. Not counting the problems with locking up by going for an URL on some (Linksys?), most people not bothering to change the default password and service providers or users or consultants turning on (or not turning off) the web management interface on the WAN side, these devices are designed to be used by people that have no business setting up and configuring firewalls.

    I've seen them directly compromised where someone broke in, changed the password AND disabled the public interface. Additionally, people and frequently small businesses stick servers behind them, whether just forwarding a port or using the DMZ option. Great, leave a patched or unpatched Windows box accessible on every port sitting there fat, dumb and happy for attack. And leave it on your LAN where it can be used to stage an attack on everything else on your LAN and everyone else in the world.

    Of course I've also come across Cisco routers improperly configured to DMZ an Exchange server where every port except TCP 23 was forwarded and of course, it got owned.

    My point is that these devices provide a very false sense of being immune to attack and an "army of know-it-all experts" ranging from jr. high schoolers to 60 something retirees that really have little or no knowledge. Somebody sets up four of these things and they are an expert. It's like reading the first paragraph of "War and Peace" and declaring yourself an expert on Russian literature.

    Sometimes they are better than nothing, but they are worse than nothing when left in their default configuration or set up in a totally insecure way, leaving the "expert" confident that they are protected.

  • It's the same thing! (Score:3, Interesting)

    by josepha48 ( 13953 ) on Saturday September 06, 2003 @02:03PM (#6888209) Journal
    Supposedly Linksys uses Linux in their devices. There was a discussion about this on the Linux kernel mailing list or Slashdot a little while ago.

    Anyway, the principle is the same in both cases. Both Linux and these devices offer you a firewall, and both offer you NAT and a few other features. The NAT devices offer you ease of configuration and ease of use, while Linux, BSD, or any other UNIX type OS that has built-in firewalling offers you a little more control over the firewalling. AFAIK you can't deal with frag packets in these NAT devices or specify various TCP flags or things. All they do is allow or deny various types of traffic. Also you can't set them up to do DNS / mail like you could a Linux / BSD system.

    In the end it is a matter of preference IMHO and affordability. If you can afford one and don't want to deal with all the updates that you'd be applying to a Linux box or BSD system then that would be the way to go.

  • by goombah99 ( 560566 ) on Saturday September 06, 2003 @06:46PM (#6889801)
    As has been noted, these routers are not plug and forget. You do need to apply patches. You need to know your new drivers will work with whatever version of OS and other software you are using. And frankly you need a friendly GUI interface so you know you aren't doing something stupid when you infrequently have to remember how to maintain your system.

    Hence Apple AirPorts are well worth the $50 premium you pay for them. The Apple software update will come with patches as needed for your security. You don't need to go looking; your Apple will automatically get them the moment they become available. You just have to run them. And you can be sure the Apple updates will work well and not screw up your otherwise stable system. And the maintenance of the system is a friendly GUI.

  • by lostchicken ( 226656 ) on Sunday September 07, 2003 @06:40PM (#6895654)
    I see posts telling me that I should understand my network and my device and that there are holes in security, but my question is if you've got one of these routers with remote management off, no ports forwarded, block WAN request, etc, what can anyone do?

    I hear people saying, well they run Linux, and Linux is hackable. With no ports open, how is it hackable? (DoS attacks don't count and neither do trojans running inside)
  • by Anonymous Coward on Tuesday September 09, 2003 @04:14PM (#6914049)
    After scanning through the comments it struck me that one of the most important settings for security seems to be left out. On my Linksys there is a setting to make the router not pingable. This setting is one of the first and best defenses against hackers. Most will move on if they can't ping an address. I have run several security scans [dslreports.com] from Broadband Reports [dslreports.com] and have always come up clean. While not foolproof (nothing is), it's an important setting if you want to hide yourself from the rest of the net.
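Several posts above argue about the same mechanism from different angles: fm6 explains that LAN hosts can open outbound connections while nothing outside can even address them, Halvard warns that a port forward or DMZ entry hands that protection back, lostchicken asks what is reachable when nothing is forwarded, and the comment just above describes the "don't answer pings" setting. The model below is an added illustration of that stateful NAT/firewall behaviour; it is hypothetical code written for this page, not any vendor's firmware or a Linux netfilter configuration. All addresses and ports are constructed (RFC 5737 documentation ranges and a private LAN), and the `NatRouter`, `Packet` and `demo` names are this example's own.

```python
# Toy model of a stateful NAT/firewall as discussed in the thread. Hypothetical code,
# not a vendor implementation; addresses and ports below are constructed for the demo.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

LAN_PREFIX = "192.168.1."        # constructed private LAN
WAN_IP = "203.0.113.10"          # constructed public address of the router


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int          # for icmp: the echo identifier
    dst: str
    dport: int
    syn: bool = False   # TCP connection attempt (SYN without ACK)


# (proto, WAN port) -> (LAN ip, LAN port, remote ip, remote port)
FlowTable = Dict[Tuple[str, int], Tuple[str, int, str, int]]
Verdict = Tuple[str, Optional[Packet]]   # ("translated"|"forwarded"|"answered"|"dropped", pkt)


@dataclass
class NatRouter:
    wan_ip: str = WAN_IP
    respond_to_ping: bool = False                      # the "don't answer WAN pings" setting
    forwards: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    flows: FlowTable = field(default_factory=dict)
    next_port: int = 40000                             # first dynamically allocated WAN port
    log: List[str] = field(default_factory=list)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: allocate (or reuse) a WAN port and record the flow so the reply
        can be matched later. This is the only way a flow entry ever gets created."""
        assert pkt.src.startswith(LAN_PREFIX), "outbound() models traffic from the LAN"
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        for (proto, wport), val in self.flows.items():
            if proto == pkt.proto and val == key:
                break                                  # existing flow: reuse its WAN port
        else:
            wport = self.next_port
            self.next_port += 1
            self.flows[(pkt.proto, wport)] = key
        return Packet(pkt.proto, self.wan_ip, wport, pkt.dst, pkt.dport, pkt.syn)

    def inbound(self, pkt: Packet) -> Verdict:
        """WAN -> LAN: deliver only replies to tracked flows or explicitly forwarded ports."""
        if pkt.dst != self.wan_ip:
            # Private addresses are not routable from outside: a packet for 192.168.1.x
            # never reaches the LAN via the WAN side (fm6's "can't even address" point).
            self.log.append(f"drop unroutable {pkt.dst}")
            return ("dropped", None)
        if pkt.proto == "icmp":
            if self.respond_to_ping:
                return ("answered", None)              # router replies itself; nothing enters LAN
            self.log.append(f"drop icmp from {pkt.src}")
            return ("dropped", None)
        flow = self.flows.get((pkt.proto, pkt.dport))
        if flow is not None:
            lan_ip, lan_port, remote_ip, remote_port = flow
            # This model also requires the remote endpoint to match (address- and
            # port-restricted); a looser NAT would accept any source on a mapped port.
            if (remote_ip, remote_port) == (pkt.src, pkt.sport):
                return ("translated", Packet(pkt.proto, pkt.src, pkt.sport, lan_ip, lan_port, pkt.syn))
        target = self.forwards.get((pkt.proto, pkt.dport))
        if target is not None:
            # A port forward / DMZ entry re-exposes that LAN host to every WAN address.
            lan_ip, lan_port = target
            return ("forwarded", Packet(pkt.proto, pkt.src, pkt.sport, lan_ip, lan_port, pkt.syn))
        self.log.append(f"drop unsolicited {pkt.proto}/{pkt.dport} from {pkt.src}")
        return ("dropped", None)


def demo() -> NatRouter:
    """Walk through the cases argued about in the thread and return the router state."""
    router = NatRouter(forwards={("tcp", 80): ("192.168.1.20", 80)})  # constructed forward
    # 1. A LAN host opens an HTTPS connection; the reply is translated back to it.
    out = router.outbound(Packet("tcp", "192.168.1.10", 51000, "198.51.100.5", 443, syn=True))
    router.inbound(Packet("tcp", "198.51.100.5", 443, out.src, out.sport))
    # 2. Unsolicited connection attempt to a port nobody forwarded: dropped and logged.
    router.inbound(Packet("tcp", "198.51.100.7", 4000, WAN_IP, 445, syn=True))
    # 3. Connection attempt to the forwarded port: delivered to the server behind the router.
    router.inbound(Packet("tcp", "198.51.100.7", 4001, WAN_IP, 80, syn=True))
    # 4. Echo request to the WAN address: dropped by default.
    router.inbound(Packet("icmp", "198.51.100.7", 1, WAN_IP, 0))
    return router


if __name__ == "__main__":
    for line in demo().log:
        print(line)
```

Running the script prints two drop lines (the unsolicited port 445 attempt and the echo request); the forwarded port 80 attempt produces no log entry because the router delivered it, which is exactly the exposure Halvard describes. The point of the flow table is that an entry exists only because a LAN host created it, so "no ports forwarded, no remote management" leaves nothing for an outside host to talk to except the router's own stack.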
  • by pyrrhonist ( 701154 ) on Tuesday September 09, 2003 @05:43PM (#6915050)
    Do you have any links?

    No, unfortunately, I don't have any links. This has been part of my problems as well.

    However, from my experience, I can tell you this:

    • On the whole, Linksys' wired routers seem to interoperate well with other products. At least they work with my Netgear and Sony ethernet cards.
    • Linksys' wireless routers operate fine with my built-in Dell TrueMobile 1180 (which is a Broadcom chipset), with or without WEP.
    • Linksys' wireless cards seem to operate fine with their own router products with or without WEP.
    • The Linksys WPS11 Wireless Print Server does not support IPP. Using IPP will crash the product. The box claims it does support IPP.
    • The Linksys WET11 Wireless Ethernet Bridge does not handle fragmented packets when WET is turned on. Sending fragmented packets will eventually crash the WET11. The side of the box claims WEP compatibility.
    • The Linksys BEFCMU10 cable modem works flawlessly.
    That's what I've experienced so far with my system. I'm sorry I can't give you a link.
