Routers – Beyond NAT

Discussion in 'other firewalls' started by CrazyM, Jan 19, 2005.

Thread Status:
Not open for further replies.
  1. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Routers – Beyond NAT

    As the use of routers increases, the feature sets of SOHO routers have also been improving.

    In addition to doing basic NAT, routers are now offering options like firewalls, Stateful Packet Inspection (SPI), active content filtering and open source/third party firmwares.

    What additional configuration options does your router provide?

    Are you taking advantage of this added functionality?

    How do you use these options to improve your overall system/network security?

    Regards,

    CrazyM
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,719
    Location:
    Texas
I'm still bumping along with my four? year old Linksys. I'm using it with a software firewall.

    Do you have any links with some of the new stuff out there? And are you using one of the newer models?
     
  3. -z3r0-

    -z3r0- Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    74
    Location:
    Pittsburgh PA
    My ISP just sent me a new router/modem combo.

    It is the Westell Versalink Gateway model A90-327W15-06

I ran firewall checks with it at Shields-UP and PC Flank with no software firewall and Windows firewall disabled and it is total stealth except for port 2420, which is forced open by the ISP for support.

While it was detected as open it didn't respond to any ping tests or accept any packets so I guess that is a good thing.

    I am still trying to decide if I want to run a software firewall with this router or not.
     
  4. DanL

    DanL Registered Member

    Joined:
    Nov 25, 2004
    Posts:
    159
    -z3r0-

    I would definitely use a software firewall along with the router.
    The router firewall only takes care of incoming traffic and does nothing for outbound programs
    seeking internet access.

    Dan
     
  5. SMaus

    SMaus Registered Member

    Joined:
    Dec 31, 2003
    Posts:
    34
    Location:
    Hamburg, Germany
    I often thought about that. I gave up using software firewalls when I switched to an SMC. The problem is always how much additional software you can bear that is sitting in the background.
    Running an AV, an AT, perhaps something specialised on spyware, together with an e-mail-program coupled with an anti-spam-solution and something like PGP, in addition some messenger and a software for synchronising your Palm Tungsten is quite a lot. ProcessGuard, of course and then something like Outpost or Kerio or whatever would slow down my system significantly.
     
  6. sflorack

    sflorack Registered Member

    Joined:
    Aug 26, 2004
    Posts:
    45
    I've heard this before, and often wondered, why would I need to protect myself from malicious material originating from my own computer? As I have a NAT firewall, aren't I protected from things getting in, and therefore will never (technically) have anything to "send out"?
     
  7. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
The router would protect you from some worms and hackers finding their way in, but not things like trojans/backdoors, spyware, or worms that enter via your web browser and email. Since these are the things that your AV is more likely to miss, it's definitely recommended you get a good software firewall. A software firewall will also let you restrict HOW and where a program can communicate over the internet.
     
  8. sflorack

    sflorack Registered Member

    Joined:
    Aug 26, 2004
    Posts:
    45
    So you could really go about this two ways. PROACTIVELY provide protection by running a firewall, or REACTIVELY provide protection by running an anti-spyware/trojan program?

Personally, I find firewalls intrusive. I take the reactive approach, and have not had any issues with receiving malicious material (as of yet; knock on wood).
     
  9. Mem

    Mem Guest

The other reason to run a software firewall is that the LAN may have other 'trusted' laptops that have been used in 'untrusted' locations. If they have a worm, it may start traveling your LAN. The desktops in this case could be affected. Other similar possibilities exist - so if you have a LAN it would be prudent to have some sort of software firewall on each PC.

    Laptops are usually mobile so a firewall is a basic addition (Win XP is better than none) for travel rather than packing a router.
     
  10. Butters

    Butters Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    39

    Seriously, you don't run a firewall? That is just begging for a worm of some kind to latch on to an open port and email random files to all the people in your address book. (I got mailed some of those files, I know). The real threat isn't hackers anymore, worms are always looking for a new host and they don't need to sleep. If you don't run a firewall with application control you will never even realize when you have a problem. Rethink the strategy, at the very least use Windows XP's minimal NAT firewall.
     
  11. Butters

    Butters Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    39


    No. There are a number of ways to defeat a firewall, the simplest being the trojan, named after the trojan horse that got inside the walls of Troy. The best firewall in the world can't prevent you or one of your apps from just opening the front gate and letting one in. Port 80 is open right now as you read this, it has to be. The preferred (old) method is to load some software on your computer when you click on what you think is a link, or mouseover a graphic. You can prevent this by restricting the installation of software, running with less than admin privileges, disabling java, etc.

The reason for Stateful Packet Inspection is that you can be sent unrequested packets to a port that is open or a service that is listening. SPI blocks packets when the traffic is not initiated by your computer. NAT doesn't know where the traffic comes from. Even packet filtering can be defeated by using partial packets or "fragments" to conceal the headers and fool the filters. Without application control a trojan, worm, virus etc. can just commandeer one of your programs and start using it to send email or communicate any way it chooses with the Internet. With application controls you are protected from the failure of the firewall. I guarantee you the first time you use a firewall with application controls you will find some of your programs are doing things you didn't know about.
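The distinction drawn above (a stateful inspector passes an inbound packet only when it is the reply leg of a session the LAN side started, whereas plain NAT with an open or forwarded port passes anything sent to that port) can be shown with a small simulation. This is an added example, not code from the thread or from any router vendor. It models the firewall as an inside rule set (which outbound destination ports LAN hosts may open) plus an outside rule set with no static permits, and a session table that the inside side fills; the addresses, ports, inside allow-list and forwarded port are all constructed.

```python
"""Toy model of NAT-only port forwarding versus stateful packet inspection.

Added example, not code from the thread. The addresses, ports and the
inside allow-list are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatOnly:
    """Plain NAT with a static port forward: whatever arrives on a forwarded
    port is handed to the LAN host, whoever sent it and whether or not the
    LAN host ever talked to that sender."""

    def __init__(self, forwards):
        self.forwards = dict(forwards)  # {public_port: (lan_ip, lan_port)}

    def inbound(self, pkt: Packet) -> bool:
        return pkt.dst_port in self.forwards


class StatefulFilter:
    """Inside ACL: LAN hosts may initiate connections only to allowed ports.
    Outside ACL: nothing is statically permitted; an inbound packet passes
    only if it is the reply leg of a session the LAN side initiated."""

    def __init__(self, lan_prefix: str, allowed_dst_ports):
        self.lan_prefix = lan_prefix
        self.allowed = frozenset(allowed_dst_ports)
        self.sessions = set()  # (lan_ip, lan_port, remote_ip, remote_port)
        self.audit = []        # (event, detail) records, like a router audit trail

    def outbound(self, pkt: Packet) -> bool:
        if not pkt.src_ip.startswith(self.lan_prefix):
            self.audit.append(("deny-spoofed-source", pkt))
            return False
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key in self.sessions:
            return True                 # continuation of an established session
        if pkt.dst_port in self.allowed:
            self.sessions.add(key)      # new session: create state for its replies
            self.audit.append(("start", key))
            return True
        self.audit.append(("deny-outbound", pkt))
        return False

    def inbound(self, pkt: Packet) -> bool:
        # Reverse the tuple: the inbound packet's destination is our initiator.
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.sessions:
            return True
        self.audit.append(("deny-unsolicited", pkt))
        return False


def demo() -> dict:
    lan_host = "192.168.1.10"
    router_public = "192.0.2.1"     # constructed public address of the router
    web = "198.51.100.7"            # constructed web server
    stranger = "203.0.113.9"        # constructed unsolicited sender

    spi = StatefulFilter("192.168.1.", allowed_dst_ports={80, 21})
    nat = NatOnly({3389: (lan_host, 3389)})   # constructed port forward

    r = {}
    # LAN host opens a web connection: permitted by the inside ACL, state created.
    r["out_http"] = spi.outbound(Packet(lan_host, 1400, web, 80))
    # The server's reply matches that state, so the outside side lets it in.
    r["reply_http"] = spi.inbound(Packet(web, 80, lan_host, 1400))
    # Same local port, different sender: no matching state, so it is dropped.
    r["unsolicited"] = spi.inbound(Packet(stranger, 4444, lan_host, 1400))
    # Outbound to a port the inside ACL does not allow: dropped and logged.
    r["out_irc"] = spi.outbound(Packet(lan_host, 1401, web, 6667))
    # NAT-only device with a forwarded port: the stranger goes straight through.
    r["nat_forwarded"] = nat.inbound(Packet(stranger, 4444, router_public, 3389))
    r["denied"] = [event for event, _ in spi.audit if event.startswith("deny")]
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the two denials the stateful side records (the unsolicited inbound packet and the outbound connection to a port the inside rules do not allow) and the one case where the NAT-only device passes traffic regardless of who sent it. The audit list is what a router with decent logging would turn into log entries.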
     
  12. sflorack

    sflorack Registered Member

    Joined:
    Aug 26, 2004
    Posts:
    45
    I don't use Outlook or Outlook Express. As a matter of fact, I don't use any local client email software; I use webmail. I do, however, use NOD32 which apparently has some form of worm protection.
     
  13. Butters

    Butters Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    39

    Well, that is smart, but you can still get infected just from having some vulnerability in your operating system if you don't use a firewall. Increasingly more worms are being created that require no user intervention to spread, and they don't only send email, they can destroy data. NOD32 can detect a worm once you have it, and it will protect you from getting one in an email, provided it has been identified, but that is not a substitute for a firewall.
     
  14. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
Well, using Linksys as an example, most feedback seems positive on the open source/third party firmwares for some of their newer models. These firmwares include improved functionality, including firewalling.

    Firewalls are improving in some routers and something that has been available in varying degrees in others for some time.

    It is common to see comments on the lack of outbound control on routers. This is not always the case as routers with firewalls can be used to restrict what outbound connections will be permitted and improve overall security.

    Regards,

    CrazyM
     
  15. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,719
    Location:
    Texas
    I'll do some research on the open source firmware. Thanks.
     
  16. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    They are available for the WRTxxx series, not sure what other models.
    Most of the comments usually refer to improved wireless functionality and I have not seen many on how users are taking advantage of the improved firewalling.

    Regards,

    CrazyM
     
  17. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    1,617
    Location:
    Canada
Netgear WGR614g has two firewalls included, NAT + SPI.
     
  18. controler

    controler Guest

    Wow is this ever old news LOL

    I posted my Actiontec Router's firewall and other blockages over a year ago here.
    One thing I noticed is the Linksys and a few others had good third party logging software such as wallwatcher ect.
Like you say no router is perfect. Anybody can look up the most commonly used or recommended routers. Then go to the router manufacturer's site and get all the info they ever need. That info shows which ports are still open on various router firewall settings.
As with my Actiontec router, you can control who uses an instant messenger and only allow certain network IPs etc., but the firewall level settings are easy, which is something I like. They start out at basic and run up to high.
I found anything over basic and you can not access some Hotmail, Yahoo sites or pay sites. On high you can still do basic surfing but it is very limited.
At present, I combine that with L&S software firewall and a few other secrets on my desktop. My laptop uses other software with the same router.

Bruce
     
  19. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    1,617
    Location:
    Canada
    Sorry If I am not up to date. :oops:
     
  20. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    There has been some recent and good discussion on SPI (Stateful Packet Inspection) in relation to software firewalls.

    SPI is also touted a lot in the marketing of routers. As the other discussions have shown, not all SPI is created equal.

How does the SPI in your router stack up?

    Regards,

    CrazyM
     
  21. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hi CrazyM

Regarding your first post: I have a very nice Router that does do firewalling with all sorts of spicy features for packet-filtering. It is a pity I don’t use my Router for protection though; I have my machine set up on DMZ and it has always been this way from day #1, I solely rely on my software security. I don’t like to be ignorant of what was and is happening; I want to be analyzing 24/7. This is how I get my kicks (I have no real-life)…. :p

Filtering done by a router can conserve system resources, as there is less work the system has to do (a very good thing, especially if one is on a slow computer or an improperly maintained system).
     
  22. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
Samples of Stateful Packet Inspection and Logging in a router with a firewall.

    The following is an example of SPI in action. The session involved connecting to a web site and downloading a small file via passive FTP.

ACL 105 is applied to the inside interface of the router, controlling traffic from LAN systems, and permits connections to HTTP (80) and FTP (21). The session details show the firewall dynamically permitting the FTP-data connection on ACL 105.

ACL 111 is applied to the outside interface of the router, controlling traffic from the Internet. The session details show the firewall dynamically permitting the return packets on ACL 111.

    Established sessions details:

    Session 817DA10C (10.10.10.5:1400)=>(66.161.11.32:55912) ftp-data SIS_OPEN
    Created 00:00:31, Last heard 00:00:00
    Bytes sent (initiator:responder) [0:1937408]
    In SID 10.10.10.5[1400:1400]=>66.161.11.32[55912:55912] on ACL 105 (807 matches)
    In SID 66.161.11.32[55912:55912]=>154.20.xxx.xx[1400:1400] on ACL 111 (1337matches)

    Session 817D9BFC (10.10.10.5:1399)=>(66.161.11.32:21) ftp SIS_OPEN
    Created 00:00:31, Last heard 00:00:00
    Bytes sent (initiator:responder) [134:303]
    In SID 66.161.11.32[21:21]=>154.20.xxx.xx[1399:1399] on ACL 111 (10 matches)

    Session 817D96EC (10.10.10.5:1396)=>(66.161.11.20:80) http SIS_OPEN
    Created 00:00:35, Last heard 00:00:34
    Bytes sent (initiator:responder) [2929:27806]
    In SID 66.161.11.20[80:80]=>154.20.xxx.xx[1396:1396] on ACL 111 (23 matches)

    Session 817D902C (10.10.10.5:1397)=>(66.161.11.20:80) http SIS_OPEN
    Created 00:00:34, Last heard 00:00:33
    Bytes sent (initiator:responder) [1813:15464]
    In SID 66.161.11.20[80:80]=>154.20.xxx.xx[1397:1397] on ACL 111 (37 matches)

Logging in routers, like SPI, is not always created equal. Good logging capabilities are something that should be taken into account when looking for a router. The following are the log entries for the above session.

    Log entries:

    11706: Feb 12 2005 00:10:22.731 PST: %FW-6-SESS_AUDIT_TRAIL_START:
    Start udp session: initiator (10.10.10.5:1395) -- responder (209.53.4.130:53)

    11707: Feb 12 2005 00:10:22.871 PST: %FW-6-SESS_AUDIT_TRAIL_START:
    Start http session: initiator (10.10.10.5:1396) -- responder (66.161.11.20:80)

    11708: Feb 12 2005 00:10:23.187 PST: %FW-6-SESS_AUDIT_TRAIL_START:
    Start http session: initiator (10.10.10.5:1397) -- responder (66.161.11.20:80)

    11709: Feb 12 2005 00:10:26.079 PST: %FW-6-SESS_AUDIT_TRAIL_START:
    Start udp session: initiator (10.10.10.5:1398 ) -- responder (209.53.4.130:53)

    11710: Feb 12 2005 00:10:26.195 PST: %FW-6-SESS_AUDIT_TRAIL_START:
    Start ftp session: initiator (10.10.10.5:1399) -- responder (66.161.11.32:21)

    11711: Feb 12 2005 00:10:26.623 PST: %FW-6-SESS_AUDIT_TRAIL_START:
    Start ftp-data session: initiator (10.10.10.5:1400) -- responder (66.161.11.32:55912)

    11712: Feb 12 2005 00:10:27.863 PST: %FW-6-SESS_AUDIT_TRAIL:
    Stop udp session: initiator (10.10.10.5:1395) sent 33 bytes -- responder (209.53.4.130:53) sent 128 bytes

    11713: Feb 12 2005 00:10:31.195 PST: %FW-6-SESS_AUDIT_TRAIL:
    Stop udp session: initiator (10.10.10.5:1398 ) sent 33 bytes -- responder (209.53.4.130:53) sent 107 bytes

    11714: Feb 12 2005 00:11:27.171 PST: %FW-6-SESS_AUDIT_TRAIL:
    Stop http session: initiator (10.10.10.5:1396) sent 2929 bytes -- responder (66.161.11.20:80) sent 27806 bytes

    11715: Feb 12 2005 00:11:27.171 PST: %FW-6-SESS_AUDIT_TRAIL:
    Stop http session: initiator (10.10.10.5:1397) sent 1813 bytes -- responder (66.161.11.20:80) sent 15464 bytes

    11716: Feb 12 2005 00:11:30.071 PST: %FW-6-SESS_AUDIT_TRAIL:
    Stop ftp-data session: initiator (10.10.10.5:1400) sent 0 bytes -- responder (66.161.11.32:55912) sent 1937408 bytes

    11717: Feb 12 2005 00:11:35.515 PST: %FW-6-SESS_AUDIT_TRAIL:
    Stop ftp session: initiator (10.10.10.5:1399) sent 134 bytes -- responder (66.161.11.32:21) sent 303 bytes

    Regards,

    CrazyM
     
    Last edited: Feb 12, 2005
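To show what can be done with session audit-trail logging of the kind posted above, here is an added example (not the router's own software and not code from the thread) that parses such entries, pairs each Start with its Stop, reports duration and bytes per session, and flags sessions whose responder port lies outside the static allow-list, which is exactly how a dynamically permitted ftp-data connection stands out from the HTTP and FTP control sessions the inside ACL permits statically. The entry format follows the %FW-6-SESS_AUDIT_TRAIL_START / %FW-6-SESS_AUDIT_TRAIL lines above, but each entry is assumed to be on one line, as a syslog collector would store it; the sample log, its addresses, and the allow-list are constructed.

```python
"""Parser for router firewall session audit-trail log lines.

Added example, not code from the thread. The line format follows the
%FW-6-SESS_AUDIT_TRAIL_START / %FW-6-SESS_AUDIT_TRAIL entries posted there,
written one entry per line as a syslog collector would store them. The sample
log below is constructed and uses documentation address ranges.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample: one DNS lookup, one web fetch, an FTP control session
# and its passive-mode data session. The FTP control session has no Stop
# entry, as it would look while the transfer is still in progress.
SAMPLE_LOG = """\
201: Feb 12 2005 00:10:22.731 PST: %FW-6-SESS_AUDIT_TRAIL_START: Start udp session: initiator (10.10.10.5:1395) -- responder (192.0.2.53:53)
202: Feb 12 2005 00:10:22.871 PST: %FW-6-SESS_AUDIT_TRAIL_START: Start http session: initiator (10.10.10.5:1396) -- responder (198.51.100.20:80)
203: Feb 12 2005 00:10:26.195 PST: %FW-6-SESS_AUDIT_TRAIL_START: Start ftp session: initiator (10.10.10.5:1399) -- responder (198.51.100.32:21)
204: Feb 12 2005 00:10:26.623 PST: %FW-6-SESS_AUDIT_TRAIL_START: Start ftp-data session: initiator (10.10.10.5:1400) -- responder (198.51.100.32:55912)
205: Feb 12 2005 00:10:27.863 PST: %FW-6-SESS_AUDIT_TRAIL: Stop udp session: initiator (10.10.10.5:1395) sent 33 bytes -- responder (192.0.2.53:53) sent 128 bytes
206: Feb 12 2005 00:11:27.171 PST: %FW-6-SESS_AUDIT_TRAIL: Stop http session: initiator (10.10.10.5:1396) sent 2929 bytes -- responder (198.51.100.20:80) sent 27806 bytes
207: Feb 12 2005 00:11:30.071 PST: %FW-6-SESS_AUDIT_TRAIL: Stop ftp-data session: initiator (10.10.10.5:1400) sent 0 bytes -- responder (198.51.100.32:55912) sent 1937408 bytes
"""

TS = r"(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}\.\d+) \w+:"
START_RE = re.compile(
    r"^(?:\d+: )?" + TS + r" %FW-6-SESS_AUDIT_TRAIL_START: Start (?P<proto>\S+) session: "
    r"initiator \((?P<iip>[\d.]+):(?P<iport>\d+)\) -- responder \((?P<rip>[\d.]+):(?P<rport>\d+)\)$"
)
STOP_RE = re.compile(
    r"^(?:\d+: )?" + TS + r" %FW-6-SESS_AUDIT_TRAIL: Stop (?P<proto>\S+) session: "
    r"initiator \((?P<iip>[\d.]+):(?P<iport>\d+)\) sent (?P<isent>\d+) bytes -- "
    r"responder \((?P<rip>[\d.]+):(?P<rport>\d+)\) sent (?P<rsent>\d+) bytes$"
)

Key = Tuple[str, int, str, int]  # (initiator ip, port, responder ip, port)


@dataclass
class Session:
    proto: str
    initiator: Tuple[str, int]
    responder: Tuple[str, int]
    start: Optional[datetime] = None
    stop: Optional[datetime] = None
    initiator_bytes: Optional[int] = None
    responder_bytes: Optional[int] = None

    @property
    def key(self) -> Key:
        return (*self.initiator, *self.responder)

    @property
    def duration(self) -> Optional[float]:
        """Seconds between Start and Stop; None while open or if Start is missing."""
        if self.start is None or self.stop is None:
            return None
        return (self.stop - self.start).total_seconds()


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%b %d %Y %H:%M:%S.%f")


def parse_audit_trail(text: str) -> List[Session]:
    """Pair Start/Stop entries by their 4-tuple; sessions without a Stop stay open."""
    sessions: Dict[Key, Session] = {}
    order: List[Session] = []
    for line in text.splitlines():
        m = START_RE.match(line.strip())
        if m:
            s = Session(m["proto"], (m["iip"], int(m["iport"])),
                        (m["rip"], int(m["rport"])), _ts(m["ts"]))
            sessions[s.key] = s
            order.append(s)
            continue
        m = STOP_RE.match(line.strip())
        if m:
            key: Key = (m["iip"], int(m["iport"]), m["rip"], int(m["rport"]))
            s = sessions.get(key)
            if s is None:  # Stop with no Start seen: rotated or truncated log
                s = Session(m["proto"], key[:2], key[2:])
                sessions[key] = s
                order.append(s)
            s.stop = _ts(m["ts"])
            s.initiator_bytes = int(m["isent"])
            s.responder_bytes = int(m["rsent"])
    return order


def report(sessions: List[Session], static_ports) -> List[dict]:
    """One row per session. 'dynamic' marks sessions the firewall must have
    opened on the fly, i.e. whose responder port is not statically allowed."""
    return [{
        "proto": s.proto,
        "responder_port": s.responder[1],
        "open": s.stop is None,
        "duration": s.duration,
        "bytes_in": s.responder_bytes,
        "dynamic": s.responder[1] not in static_ports,
    } for s in sessions]


if __name__ == "__main__":
    for row in report(parse_audit_trail(SAMPLE_LOG), static_ports={80, 21, 53}):
        print(row)
```

On the constructed sample the report marks the ftp-data session (responder port 55912) as dynamic and the ftp control session as still open, since no Stop entry for it is present. Feeding the parser a real collector file lets you spot, from the router's log alone, which connections were opened by inspection rather than by the static ACLs, and how much data each moved.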