Routers – Beyond NAT

Routers – Beyond NAT

As the use of routers increases, the feature sets of SOHO routers have also been improving.

In addition to doing basic NAT, routers are now offering options like firewalls, Stateful Packet Inspection (SPI), active content filtering and open source/third party firmwares.

What additional configuration options does your router provide?

Are you taking advantage of this added functionality?

How do you use these options to improve your overall system/network security?

Regards,

CrazyM

 

My ISP just sent me a new router/modem combo.

It is the Westell Versalink Gateway model A90-327W15-06

I ran firewall checks with it at Sheilds-UP and PC Flank with no software firewall and windows firewall disabled and it is total stealth except for the forced open port 2420 that is forced open by the ISP for support.

While it was detected as open it didnt respond to any ping tests or accept any packets so I guess that is a good thing.

I am still trying to decide if I want to run a software firewall with this router or not.

 

-z3r0-

I would definitely use a software firewall along with the router.
The router firewall only takes care of incoming traffic and does nothing for outbound programs
seeking internet access.

Dan

 

I often thought about that. I gave up using software firewalls when I switched to an SMC. The problem is always how much additional software you can bear that is sitting in the background.
Running an AV, an AT, perhaps something specialised on spyware, together with an e-mail-program coupled with an anti-spam-solution and something like PGP, in addition some messenger and a software for synchronising your Palm Tungsten is quite a lot. ProcessGuard, of course and then something like Outpost or Kerio or whatever would slow down my system significantly.

 

I've heard this before, and often wondered, why would I need to protect myself from malicious material originating from my own computer? As I have a NAT firewall, aren't I protected from things getting in, and therefore will never (technically) have anything to "send out"?

 

The router would protect you from some worms and hackers from finding their way in, but not things like trojans/backdoors, spyware, or worms that enter via your web browser and email. Since these are the things that your AV are more likely to miss, it's definitely recommended you get a good software firewall. A software firewall will also let you restrict HOW and where a program can communicate over the internet.

 

So you could really go about this two ways. PROACTIVELY provide protection by running a firewall, or REACTIVELY provide protection by running an anti-spyware/trojan program?

Personally, I find firewalls intrusive. I take the reactive approach, and have no had any issues with receiving malicious material (as of yet; knock on wood).

 

The other reason to run a software firewall is that the LAN may have other 'trusted' laptops that have been used in 'untrusted' locations. If they have a worm, it may start traveling your LAN. The desktops in this case could be affected. Other similar possiblities exist - so if you have a LAN it would be prudent to have some sort of software firewall on each PC.

Laptops are usually mobile so a firewall is a basic addition (Win XP is better than none) for travel rather than packing a router.

 

Seriously, you don't run a firewall? That is just begging for a worm of some kind to latch on to an open port and email random files to all the people in your address book. (I got mailed some of those files, I know). The real threat isn't hackers anymore, worms are always looking for a new host and they don't need to sleep. If you don't run a firewall with application control you will never even realize when you have a problem. Rethink the strategy, at the very least use Windows XP's minimal NAT firewall.

 

No. There are a number of ways to defeat a firewall, the simplest being the trojan, named after the trojan horse that got inside the walls of Troy. The best firewall in the world can't prevent you or one of your apps from just opening the front gate and letting one in. Port 80 is open right now as you read this, it has to be. The preferred (old) method is to load some software on your computer when you click on what you think is a link, or mouseover a graphic. You can prevent this by restricting the installation of software, running with less than admin privileges, disabling java, etc.

The reason for Stateful Packet Inspection is that you can be sent unrequested packets to a port that is open or service that is listening. SPI blocks packets when the traffic is not initiated by your computer. NAT doesn't know where the traffic comes from. Even packet filtering can be defeated by using partial packets or "fragments" to conceal the headers and fool the filters. Without application control a trojan, worm, virus etc. can just commandeer one of your programs and start using it to send email or communicating any way it chooses with the Internet. With application controls you are protected from the failure of the firewall. I guarantee you the first time you use a firewall wtih application controls you will find some of your programs are doing things you didn't know about.

 

I don't use Outlook or Outlook Express. As a matter of fact, I don't use any local client email software; I use webmail. I do, however, use NOD32 which apparently has some form of worm protection.

 

Well, that is smart, but you can still get infected just from having some vulnerability in your operating system if you don't use a firewall. Increasingly more worms are being created that require no user intervention to spread, and they don't only send email, they can destroy data. NOD32 can detect a worm once you have it, and it will protect you from getting one in an email, provided it has been identified, but that is not a substitute for a firewall.

 

Well using Linksys as an example, most feedback seems positive on the open source/third party firmwares for some of their newer models. These firmwares include improved functionality, including firewalling.

Firewalls are improving in some routers and something that has been available in varying degrees in others for some time.

It is common to see comments on the lack of outbound control on routers. This is not always the case as routers with firewalls can be used to restrict what outbound connections will be permitted and improve overall security.

Regards,

CrazyM

 

They are available for the WRTxxx series, not sure what other models.
Most of the comments usually refer to improved wireless functionality and I have not seen many on how users are taking advantage of the improved firewalling.

Regards,

CrazyM

 

Netgear WGR614g has two firewall included, NAT + SPI.

 

Wow is this ever old news LOL

I posted my Actiontec Router's firewall and other blockages over a year ago here.
One thing I noticed is the Linksys and a few others had good third party logging software such as wallwatcher ect.
Like you say no routher is perfect. Anybody can look up the most common used or recommended routers. Then go to the router manufactures site and get all the info they ever need. That info shows which ports are still open
on various router firewall settings.
AS with my actiontec router, you can control who uses an instant messenger
and only alow certian network IPs ect but the firewall level settings are easy, which is something i like. They start out at basic and run up to high.
I found anything over basic and you can not access some hotmail , yahoo sites or pay sites. On high you can still do basic surfing but it is very limited.
At present, i combine that with L&S software firewall and a few other secrets on my desktop. my laptop uses other software with the same router.


Bruce

 

Sorry If I am not up to date.

 

There has been some recent and good discussion on SPI (Stateful Packet Inspection) in relation to software firewalls.

SPI is also touted a lot in the marketing of routers. As the other discussions have shown, not all SPI is created equal.

How does the SPI in you router stack up?

Regards,

CrazyM

 

Hi CrazyM

Regarding your first post; I have a very nice Router that does do firewalling with all sorts of spicy features for packet-filtering. It is a pity I don’t use my Router for protection though, I have my machine set up on DMZ and always been this way from day #1, I solely rely on my software security. I don’t like to be ignorant to what were and is happening; I want to be analyzing 24/7. This is how I get my kicks (I have no real-life)….

Filtering done by a router can reserve system resource, less work system has to-do (very good thing especially if ones are on slow computers or improperly maintained systems).

 

Samples of Stateful Packet Inspection and Logging in a router with firewall.

The following is an example of SPI in action. The session involved connecting to a web site and downloading a small file via passive FTP.

ACL 105 is applied to the inside interface of the router controlling traffic from LAN systems and permits connections to HTTP (80) and FTP (21). The session details shows the firewall dynamically permitting the FTP-data connection on ACL 105.

ACL 111 is applied to the outside interface of the router controlling traffic from the Internet. The session details shows the firewall dynamically permitting the return packets on ACL 111.

Established sessions details:

Session 817DA10C (10.10.10.5:1400)=>(66.161.11.32:55912) ftp-data SIS_OPEN
Created 00:00:31, Last heard 00:00:00
Bytes sent (initiator:responder) [0:1937408]
In SID 10.10.10.5[1400:1400]=>66.161.11.32[55912:55912] on ACL 105 (807 matches)
In SID 66.161.11.32[55912:55912]=>154.20.xxx.xx[1400:1400] on ACL 111 (1337matches)

Session 817D9BFC (10.10.10.5:1399)=>(66.161.11.32:21) ftp SIS_OPEN
Created 00:00:31, Last heard 00:00:00
Bytes sent (initiator:responder) [134:303]
In SID 66.161.11.32[21:21]=>154.20.xxx.xx[1399:1399] on ACL 111 (10 matches)

Session 817D96EC (10.10.10.5:1396)=>(66.161.11.20:80) http SIS_OPEN
Created 00:00:35, Last heard 00:00:34
Bytes sent (initiator:responder) [2929:27806]
In SID 66.161.11.20[80:80]=>154.20.xxx.xx[1396:1396] on ACL 111 (23 matches)

Session 817D902C (10.10.10.5:1397)=>(66.161.11.20:80) http SIS_OPEN
Created 00:00:34, Last heard 00:00:33
Bytes sent (initiator:responder) [1813:15464]
In SID 66.161.11.20[80:80]=>154.20.xxx.xx[1397:1397] on ACL 111 (37 matches)

Logging in routers, like SPI, is not always created equal. Good logging capabilities is something that should be taken into account when looking for a router. The following are the log entries for the above session.

Log entries:

11706: Feb 12 2005 00:10:22.731 PST: %FW-6-SESS_AUDIT_TRAIL_START:
Start udp session: initiator (10.10.10.5:1395) -- responder (209.53.4.130:53)

11707: Feb 12 2005 00:10:22.871 PST: %FW-6-SESS_AUDIT_TRAIL_START:
Start http session: initiator (10.10.10.5:1396) -- responder (66.161.11.20:80)

11708: Feb 12 2005 00:10:23.187 PST: %FW-6-SESS_AUDIT_TRAIL_START:
Start http session: initiator (10.10.10.5:1397) -- responder (66.161.11.20:80)

11709: Feb 12 2005 00:10:26.079 PST: %FW-6-SESS_AUDIT_TRAIL_START:
Start udp session: initiator (10.10.10.5:1398 ) -- responder (209.53.4.130:53)

11710: Feb 12 2005 00:10:26.195 PST: %FW-6-SESS_AUDIT_TRAIL_START:
Start ftp session: initiator (10.10.10.5:1399) -- responder (66.161.11.32:21)

11711: Feb 12 2005 00:10:26.623 PST: %FW-6-SESS_AUDIT_TRAIL_START:
Start ftp-data session: initiator (10.10.10.5:1400) -- responder (66.161.11.32:55912)

11712: Feb 12 2005 00:10:27.863 PST: %FW-6-SESS_AUDIT_TRAIL:
Stop udp session: initiator (10.10.10.5:1395) sent 33 bytes -- responder (209.53.4.130:53) sent 128 bytes

11713: Feb 12 2005 00:10:31.195 PST: %FW-6-SESS_AUDIT_TRAIL:
Stop udp session: initiator (10.10.10.5:1398 ) sent 33 bytes -- responder (209.53.4.130:53) sent 107 bytes

11714: Feb 12 2005 00:11:27.171 PST: %FW-6-SESS_AUDIT_TRAIL:
Stop http session: initiator (10.10.10.5:1396) sent 2929 bytes -- responder (66.161.11.20:80) sent 27806 bytes

11715: Feb 12 2005 00:11:27.171 PST: %FW-6-SESS_AUDIT_TRAIL:
Stop http session: initiator (10.10.10.5:1397) sent 1813 bytes -- responder (66.161.11.20:80) sent 15464 bytes

11716: Feb 12 2005 00:11:30.071 PST: %FW-6-SESS_AUDIT_TRAIL:
Stop ftp-data session: initiator (10.10.10.5:1400) sent 0 bytes -- responder (66.161.11.32:55912) sent 1937408 bytes

11717: Feb 12 2005 00:11:35.515 PST: %FW-6-SESS_AUDIT_TRAIL:
Stop ftp session: initiator (10.10.10.5:1399) sent 134 bytes -- responder (66.161.11.32:21) sent 303 bytes

Regards,

CrazyM