Hello, I am curious, I do understand software firewalls, thier limitations/problems etc, but I have not taken time to look at hardware/routers etc. Yes I know the basics, but are these not prone to such problems as DHCP/ARP poisoning. I know there are others on this forum who know more on this subject. Please advise. (of course I will start playing with this now). My own setup as allways been my PC as gateway, a router behind this for test PC`s, but I know most place the router as main gateway, and wondering what control they actually have on this, and if they know if this as been possibly compromised?
After I got my router, thats all I am using and common sense combined with a anti virus and occasional scans for spywares which I never get except for some tracking cookies in my Opera cache.
Hi Stem, Don't know about that specific problem you mentioned above, but I think that it's been shown pretty conclusively that routers, even inexpensive home NAT routers, are more or less immune to penetration from the outside. Below is a link you may find interesting, it's long, but you can skip to the end if you just want to see the conclusions: http://www.dslreports.com/forum/remark,14671194
Stem, I can't address the ARP/DHCP poisoning question, but regarding hardware firewalls, I'm suprised you haven't tried Smoothwall. I converted on an old Gateway P5-133, which was too underpowered for even a stripped down 98 install, 133mhz, 32mb RAM. My total investment consists of 2 network cards and a crossover cable. Installed Smoothwall Express 2.0 on it. I rebooted it today after 86 continous days of usage, not that it needed it. I needed to remove the modem/sound card that was still in it, left over from a 98 test install for another project. It's been a very stable and reliable firewall. With a different network card for the LAN side, it would make an excellent router. With an ADSL PCI modem, it could replace the DSL modem as well. The logging is good. Has SNORT built in, which runs good even on this low power box. Comes with good documentation. I'm considering testing the 3.0 beta release. I'm using it with DSL, 864/160 speed and haven't lost any speed because of it. With all the testing you do, you've got to have an old, underpowered box there that would convert nicely. As much as you work with software firewalls, I'd bet you'd enjoy it, especially if you're accustomed to Linux. This Smoothwall package might be of particular interest to you. Rick
All i use for network protection is the firewall built into my router. I've always used routers that have decent firewalls in them. Intrusion detection, packet filter, url filter and firewall logging are must-haves for me. After having done this for many years i'm confident in the methods/rules that i use and as far as i know my system has never been comprimised.
Hi Kerodo, Just to clarify, I am looking at the possibility of problems within the router itself (such as DHCP/ARP poisoning), not penetration through the router to the internal LAN.
Hi Rick, I have in the past set up and used linux based gateways, but have always come back to windows based, really due to the software I use on gateway. Does (for example) Smoothwall filter ARP? What control is given for this?
Yeah it has the works, intrusion detection, packet filtering, url filtering and firewall logging and preset security policies for those who don't wish to spend time manually configuring things. Its a Billion BIPAC-741GE V2, its nothing flash or new but it does its job well.
ive always wondered if the firewalls in hardware modem/routers are all more or less equal? how do i know if my bt homehub firewall is as good as say a zyxel modem router? if you think this is OT you can split it to its own topic lodore
A "pc as a gateway"..would this be a Windows box running ICS? If so, wouldn't you be more worried about Windows being exposed on the WAN link, and more vulnerable, than some hardware router? As with most things related to computers...keeping your router updated is generally a good thing. Updated firmware fixes issues they may have found, which can be vunerability related. I'd never run my own PCs, or clients PCs, without being behind NAT. If you're really interested in some linux based routers...building your own...check out these two...they have UTM features (unified threat management) Endian http://www.endian.com/en/community/ A great package, my favorite *nix distro firewall. Antivirus/antispam/antimalware "transparent proxy" scanning of traffic right on the appliance itself. Also Snort IDS. Another favorite of mine...IPCop...which itself is pretty much just like the rest of common linux distros...but what makes it good like Endian is an add-on called Copfilter..which adds the transparent scanning features. http://ipcop.org/ http://copfilter.org/
Its a windows box. But this nats/forwards packets across the nics (ICS is disabled). The only direct connection is for the honeypots. Its more out of interest than anything else. I will look more into a setup with a linux box, but I would need to find an honypot for this (I like to bug my ISP with this)
Hi Stern If the router parameters are set correctly the probability for ARP/DHCP problems are near 0. The best way IMHO is to : 1- change the default password of the router to prevent unauthorised access... It's easy to find these default password over Internet: http://www.routerpasswords.com/ http://www.phenoelit-us.org/dpl/dpl.html etc. 2- established a link between the MAC addresses of the workstations and their fix IP address (not dynamics)... Ex. with a Linksys router:
It looks like I am still not making this setup clear. My ISP (cable) provides my IP, this IP is nested into a LAN, such as example 80.*.*.*/24, these are again nested with other LAN`s such as 10.*.*.* (for TV). Each LAN as its own gateway IP, but all gateways are bound to the same MAC. So,... basically, if I place the router to WAN, this is actually connected to a LAN. Now what I am looking at, is the possibility of the router coming under attack (DHCP/ARP) from the external LAN, NOT the internal LAN.
Hi Stern As far as I know the IP addresses used in a LAN are reserved for internal use and not routable over Internet in these ranges: 10.0.0.0 - 10.255.255.255 169.254.0.0 - 169.254.255.255 172.16.0.0 - 172.31.255.255 192.168.0.0 - 192.168.255.255 And as far as I know it's not possible to use routable Internet IP addresses range for a LOCAL network... (80.*.*.*/24) If an attacker from outside this LAN want to makes troubles inside this LAN the only way it's to send spoofed IP packets with an IP address in one of this local range ... 1- Since a packet received from Internet must have a routable IP addr. over Internet, an incoming packet with a non-routable IP addr. over Internet should be blocked before this packet reach the local network... This is a job for the Firewall/Router... 2- If there is a correspondance table between the fixed local IP and their MAC address this add an other level of protection ... Now how an outside attacker can fool this? The ARP translate MAC addresses into IP addresses: the correspondances between these two level of Addresses are set into the correspondance table of the router... The DHCP is used to give a local IP address in the LAN , but with a fix address for each workstation there is no way to fool the DHCP... right? Even the attacker know the local IP address + the MAC address of one of your workstation there is no way to makes trouble here: any of these IP addresses (in this range) may comes from Internet... The ARP or DHCP spoofing are possible only if there is dynamic IP addresses in the LAN (like in large corporations or institutions). In these LAN there is no permanent relation between MAC and IP address. If the LAN is not protected for incoming IP packets with non-routables IP addr. over Internet, in this case the are vulnerables to such attacks from outside. The IP address provided by the ISP is a public IP address. This is an IP addr. routable over Internet (Unicast IP addr. or former class A, B, C). The IP addresses inside the LAN used ranges reserved for local use only. Last remark: you say "from an external LAN". If this LAN is "external" it's like any other machine over Internet: the communications to your LAN is done over Internet with an Internet IP address in the Unicast range... There's no IP addr. mixed of any kind between Ip in Unicast range and IP ranges reserved for local use.
Nesting of any IP range can be made. To give further info:- I have setup a router direct to internet (auto config) Performing a trace on this shows the nested 10.*.*.* (this "Private" IP is actually what issues my IP on boot) My Gateway shows another "LAN" (due to change of MAC) This is the ARP broadcasts over this LAN-
Just to show that any IP range can be used for LAN. Using the router (with IP as above) I changed the internal LAN IP range. This then issues an IP within this range:- These of course can be nested with various gateways/ IP`s. This is quite simple, as it is what NAT is for.
