NAT Router Test?

Discussion in 'other software & services' started by Huwge, Oct 12, 2006.

Thread Status:
Not open for further replies.
  1. Huwge

    Huwge Registered Member

    Joined:
    Oct 21, 2004
    Posts:
    405
    Location:
    UK
    Is there any way to check that I've configured everything properly? I've just installed my first Router (Linksys). No other machines attached....just the one PC.
    I pass ShieldsUP and Sygate Scans (I have Kerio FW installed also)

    Thanks in advance
     
  2. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    A NAT is not a full firewall, so there's nothing to misconfigure in terms of firewalling, unless you specifically set it to open (forward) ports or disable the NAT.

    The NAT hides a full network behind one IP, keeping track of which computer made what connection so that when one computer requests Google, it knows where to send the returning data. If there's an unsolicited incoming packet, the NAT simply does not know where to send it, so it ignores it instead. That's not the same as a packet filter, but it is effective. Many routers now have SPI built in, but you still shouldn't confuse this with a full firewall that specifies what kind of connections can and cannot be made. Instead the NAT simply allows everything as long as it knows where to send it. The SPI may, however, drop a limited number of high-risk packets that fall outside the bounds of normal communications for the particular protocol/port it's travelling on. For example: the NAT may allow netbios traffic (high risk, especially across the internet), but the SPI (which is separate) will drop packets that clearly aren't normal netbios traffic. The only exception that I can think of is that different router manufacturers may block some kinds of ports (such as netbios ports) to provide some actual firewalling. This is more likely to be on the "Firewall Routers", but not all "Firewall Routers" will have these features, some just have SPI and other security features.
     
    Last edited: Oct 12, 2006
  3. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    What if there is only one computer on my (so-called) network. Does the router still NOT know where to send an unsolicited packet? (I certainly hope so!)
     
  4. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Not really a test, but a checklist.

    1. Router BIOS up to date.
    Check what the different versions fix and if it is security related or fixes a problem you are experiencing, flash the BIOS. Make a backup of BIOS if possible.
    2. Computer is not in DMZ (unless you really want it exposed).
    3. Set strong password on router configuration.
    4. Disable WAN remote management.
    5. Disable VPN if you don't need it.
    6. Disable uPnP if you don't need it. (you will need to reboot router after disabling)
    7. Only forward ports you absolutely need to get the job done.
    8. Set other firewall features as needed. Each router has different features so it depends on what they offer and what you want.

    I wonder if there are router cracking utilities to test for leaks/vulnerabilities in the popular routers?
    They would be like an inbound leaktest.
     
  5. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    That's correct. The router sees at least 252 possibilities (192.168.xxx.2-192.168.xxx.254), whether there's a live connection at those addresses or not. The actual number may actually be less if the router is made to handle fewer connections, but regardless it sees only many possibilities. Like I say, the exception being if you forward ports (tell it to send all traffic on a particular port to a particular address), set static routing (turn the NAT off, you might do this if you have more than one NAT), or set a DMZ (basically forward all ports, which you might do if you do online gaming or something else that would require any/lots of ports forwarded). In each case you have to specifically configure it to pass the traffic to a particular computer, instead of just letting the NAT route the traffic to whatever system requested it.
     
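The behaviour Notok describes in posts 2 and 5 (a return packet is delivered because the router remembers who asked for it; an unsolicited packet is dropped because there is no entry for it; port forwarding and the DMZ are the explicit exceptions) can be modelled in a few dozen lines. The following is an added illustration, not code from the thread or from any router vendor: a toy NAT with a translation table keyed on the WAN port plus the remote address, a port-forward table, and an optional DMZ host. All addresses (203.0.113.7, 198.51.100.10, 192.0.2.99, the 192.168.1.x hosts) are constructed documentation addresses, and the behaviour holds the same way with one PC behind the router as with many, which answers bellgamin's question in post 3.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatRouter:
    """Toy model of a consumer NAT router (constructed for illustration).

    One public (WAN) address fronts a private LAN. Outbound packets get a
    fresh WAN source port and an entry in the translation table; inbound
    packets are delivered only if that table, an explicit port forward, or a
    DMZ host says where they belong. Everything else is dropped because the
    router has nowhere to send it."""

    def __init__(self, wan_ip: str, lan_prefix: str = "192.168.1.") -> None:
        self.wan_ip = wan_ip
        self.lan_prefix = lan_prefix
        # (proto, wan_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self.table: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}
        # (proto, wan_port) -> (lan_ip, lan_port): explicit port forwards
        self.forwards: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.dmz_host: Optional[str] = None
        self.next_wan_port = 40000
        self.dropped: List[Packet] = []

    def forward_port(self, proto: str, wan_port: int, lan_ip: str, lan_port: int) -> None:
        self.forwards[(proto, wan_port)] = (lan_ip, lan_port)

    def set_dmz(self, lan_ip: Optional[str]) -> None:
        self.dmz_host = lan_ip

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: pick a WAN port, remember who sent it, rewrite the source."""
        if not pkt.src_ip.startswith(self.lan_prefix):
            raise ValueError("outbound packet must originate on the LAN")
        wan_port = self.next_wan_port
        self.next_wan_port += 1
        self.table[(pkt.proto, wan_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: deliver only if some rule says where the packet belongs."""
        if pkt.dst_ip != self.wan_ip:
            self.dropped.append(pkt)  # not even addressed to this router
            return None
        key = (pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port)
        target = self.table.get(key)                              # 1. reply to something a LAN host sent
        if target is None:
            target = self.forwards.get((pkt.proto, pkt.dst_port))  # 2. explicit port forward
        if target is None and self.dmz_host is not None:
            target = (self.dmz_host, pkt.dst_port)                 # 3. DMZ: every leftover port to one host
        if target is None:
            self.dropped.append(pkt)                               # 4. unsolicited: nowhere to send it
            return None
        return Packet(pkt.src_ip, pkt.src_port, target[0], target[1], pkt.proto)


def demo() -> Dict[str, object]:
    """Walk through the four cases with a single PC behind the router."""
    router = NatRouter("203.0.113.7")
    pc = "192.168.1.2"
    web_server = "198.51.100.10"  # constructed stand-in for "Google"
    result: Dict[str, object] = {}

    # Case 1: PC opens a connection, the reply comes back and is translated to the PC.
    out = router.outbound(Packet(pc, 51000, web_server, 80))
    reply = router.inbound(Packet(web_server, 80, router.wan_ip, out.src_port))
    result["solicited_reply"] = reply.dst_ip if reply else None

    # Case 2: unsolicited probe from the internet at a port nobody asked about.
    probe = router.inbound(Packet("192.0.2.99", 4444, router.wan_ip, 445))
    result["unsolicited_445"] = probe.dst_ip if probe else None

    # Case 3: an explicit forward makes one port reachable (checklist item 7 in post 4).
    router.forward_port("tcp", 8080, "192.168.1.5", 80)
    fwd = router.inbound(Packet("192.0.2.99", 4445, router.wan_ip, 8080))
    result["forwarded_8080"] = fwd.dst_ip if fwd else None

    # Case 4: a DMZ host receives everything that nothing else claimed (checklist item 2).
    router.set_dmz("192.168.1.9")
    dmz = router.inbound(Packet("192.0.2.99", 4446, router.wan_ip, 3389))
    result["dmz_any_port"] = dmz.dst_ip if dmz else None

    result["dropped_count"] = len(router.dropped)
    return result


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The table is keyed on the remote address and port as well as the WAN port, so a stranger reusing the same WAN port number is still dropped; real routers vary in how strict that match is, and the model deliberately leaves out timeouts, SPI sanity checks and UPnP, which is exactly the mechanism that lets a LAN program add a forward entry without you configuring one.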
  6. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Devinco:

    Hey, sorry to burst in but I have a router security question.
    Linksys just answered my questions about the syntax rules on users id and the passwords for my router.

    There is no maximum number of characters (I have trouble with the logic of this but no matter)

    There is a minimum for each of 5 positions, A/N no special characters:

    So what do you guys recommend for both fields as to bit strength.

    I was thinking something like:

    User Id 16 positions, bit=95, id=3E368665C3FE964E

    Psw 32 positions, bit= 190, psw=2ztg2yJftKKB74pgHsr5p8cT1GFzoA78

    What do you recommend?

    Your celtic friend
     
  7. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    I have a problem believing that as well. There is always a limit.
    That limit may be more than anyone would normally want to use, but a limit none the less.
    The limit may be 63 characters.
    You may want to ask a different tech at Linksys, because the one you asked probably didn't know the answer. Ask them in a way that they have to give you a direct answer with a number whether it is 63, 128, 256, etc.

    I think 32 characters for the password would be more than acceptable.
    If wireless is turned on, then I wouldn't use less than 32.
    I would use the max 63 characters on wireless. If you don't have to type it or remember it (you are using RoboForm), it doesn't matter how long or random the password is.

    As for the user id, that's a good question.
    I guess it depends on the type of account that is being protected.
    I've always assumed that the User ID or username was not handled with the same level of security as the password.
    A simple enough, memorable user name could be used because it would not matter unless the password was compromised.
    I searched but couldn't find anything directly relevant, so I really don't know if there is a specific instance when a random username would benefit security.
    My guess right now is that you do not need to randomize the user id.

    Rather than my usual suggestion to make a new thread should no one answer your question here, I made one:
    What type of accounts would benefit security wise from having a random user name?

    This question applies not only for router config, but anything that has user name/password authentication where the user name is not visibly exposed.
     
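Escalader's "bit=95" and "bit=190" figures in post 6 come from length × log2(alphabet size): 16 characters drawn from the 62 alphanumerics give 95.3 bits and 32 give 190.5. The catch is that the strength depends on the alphabet the secret was actually drawn from, not on its length: the sample user ID 3E368665C3FE964E is 16 hex digits, so if it was generated as hex it carries 64 bits, not 95. The added code below (my illustration, not from the thread) computes the bit strength of a candidate under a given alphabet, works out the length needed for a target strength, and generates an alphanumeric secret with the `secrets` module, which is the right source for this job; the 63-character figure Devinco mentions in post 7 is only an assumed vendor limit here.

```python
import math
import secrets
import string

# The router's stated rule: letters and digits only, so 62 symbols.
ALNUM = string.ascii_letters + string.digits
HEX_UPPER = "0123456789ABCDEF"
ASSUMED_MAX_LEN = 63  # assumption taken from Devinco's guess, not a verified Linksys limit


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of strength for `length` symbols chosen uniformly from `alphabet_size`."""
    if length <= 0 or alphabet_size <= 1:
        raise ValueError("need a positive length and at least two symbols")
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Smallest length that reaches `target_bits` with a uniform draw from the alphabet."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def assess(secret: str, alphabet: str) -> float:
    """Strength of `secret` assuming it was drawn uniformly from `alphabet`.

    Raises if the secret uses a symbol outside the alphabet, because then the
    assumption behind the number is simply false."""
    if not secret:
        raise ValueError("empty secret")
    extra = set(secret) - set(alphabet)
    if extra:
        raise ValueError(f"symbols outside the assumed alphabet: {sorted(extra)}")
    return entropy_bits(len(secret), len(alphabet))


def smallest_alphabet(secret: str) -> str:
    """Guess the smallest standard alphabet the secret fits in (upper hex, digits, alnum)."""
    chars = set(secret)
    if chars <= set(string.digits):
        return string.digits
    if chars <= set(HEX_UPPER):
        return HEX_UPPER
    if chars <= set(ALNUM):
        return ALNUM
    raise ValueError("secret contains characters the router's A/N rule would reject")


def random_secret(length: int, alphabet: str = ALNUM, max_len: int = ASSUMED_MAX_LEN) -> str:
    """Generate `length` symbols with the OS CSPRNG; refuse lengths the device may truncate."""
    if not 1 <= length <= max_len:
        raise ValueError(f"length must be between 1 and {max_len}")
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Escalader's two samples, judged by the alphabet they visibly use.
    for sample in ("3E368665C3FE964E", "2ztg2yJftKKB74pgHsr5p8cT1GFzoA78"):
        alphabet = smallest_alphabet(sample)
        print(f"{sample}: {len(sample)} chars over {len(alphabet)} symbols = "
              f"{assess(sample, alphabet):.1f} bits")
    print("alnum length for 128 bits:", length_for_bits(128, len(ALNUM)))
    print("fresh 32-char alnum secret:", random_secret(32))
```

A secret copied out of a password manager, as Devinco assumes, costs nothing extra per character, so pick the length from the target bits and the device's real limit rather than from what is convenient to type; 22 alphanumeric characters already exceed 128 bits.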