Computer Security - Re: All-in-one xdsl/cable modem/router/vpn units
#1
In alt.computer.security, Msg ID: <GD9va.82767$> "Fondula di Carceri" <>, wrote:

>> I've used various Linux distros in the past for firewall/routers on adsl
>> and cable connections (smoothwall, RH, Slackware etc) and these boxes seem
>> to be vulnerable due to old services or BIND exploits or whathaveyou. The
>> idea seems to be, keep on top of updates and patches etc and try to stop
>> giving the bad guys a way in through known exploits.
>Well, that's an admin's life
>
>> My question is...these days there's a lot of those all-in-one
>> modem/router/firewall/vpn combo boxes (D-Link 500, Netgear etc ) and if
>> you just want a basic firewall and NAT with maybe a VPN tunnel they seem
>> like a good alternative to running an actual box up front (lower power
>> consumption, no HD, floppy etc, quiet, all solid state, no fans, config
>> via browser , it's the size of a paperback book etc etc). Now, how

Neato info..
Doesn't sound like a Unix thingy at all to me,

>Correct, they are in a lot ways better: custom hardware, more-or-less shock
>resistant, easy GUI-interface, they are small, ...
>but,
>
>> vulnerable would these things be? I haven't really looked heavily but
>> apart from an old exploit affecting an old Alcatel xDSL modem years ago I
>> haven't seen or heard much of these things being hacked at all. Is this
>> the case? Are you more secure with these things or are they dropping like
>> flies too ?
>
>a lot of hardware firewall/router/proxy combo's are subject to the same
>problems as their software equivalents: bad coding; thus, yes, you can
>expect the same problems as with a linux box (hardware routers run on
>software too, and often a unix-derivate) - but, you won't have patches
>within half an hour or something after an exploit came to public light:
>commercial firms are much slower.

I'm thinking, It's a rare piece of computer "hardware"
that doesn't run on software..
Either that, or it's really a "toaster", and uses mechanical thingy's
like switches to "configure it.. What do you think?

>If you want convenience, go for a hardware thing and trust your vendors
>support; If you want security, go for the homebrewn unix and continue to
>spend time on it

Not really...
Think I'll look at not trusting any body for anything.
I have a ways to go yet.. But I'm workin on it.

We are talking SECURITY here, aren't we?

Ray mchiper
#2
On Mon, 15 Sep 2003 10:22:28 -0400, mchiper <> wrote:

>SNIP<
>>
>>> My question is...these days there's a lot of those all-in-one
>>> modem/router/firewall/vpn combo boxes (D-Link 500, Netgear etc ) and if
>>> you just want a basic firewall and NAT with maybe a VPN tunnel they seem
>>> like a good alternative to running an actual box up front (lower power
>>> consumption, no HD, floppy etc, quiet, all solid state, no fans, config
>>> via browser , it's the size of a paperback book etc etc). Now, how
>
>Neato info..
>Doesn't sound like a Unix thingy at all to me,
>
>>Correct, they are in a lot ways better: custom hardware, more-or-less shock
>>resistant, easy GUI-interface, they are small, ...
>>but,
>>
>SNIP<
>>a lot of hardware firewall/router/proxy combo's are subject to the same
>>problems as their software equivalents: bad coding; thus, yes, you can
>>expect the same problems as with a linux box (hardware routers run on
>>software too, and often a unix-derivate) - but, you won't have patches
>>within half an hour or something after an exploit came to public light:
>>commercial firms are much slower.
>
>I'm thinking, It's a rare piece of computer "hardware"
>that doesn't run on software..
>Either that, or it's really a "toaster", and uses mechanical thingy's
>like switches to "configure it.. What do you think?

They use software loaded as firmware (you have to run the firmware
update from downloaded files). Make sure Remote Management is
disabled, and this could only be done from inside your LAN.
Presumably the firmware update contains a digital signature
proprietary to the router manufacturer, to prevent an exploit using
forged firmware.

>
>>If you want convenience, go for a hardware thing and trust your vendors
>>support; If you want security, go for the homebrewn unix and continue to
>>spend time on it
>
>Not really...
>Think I'll look at not trusting any body for anything.
>I have a ways to go yet.. But I'm workin on it.
>
>We are talking SECURITY here, aren't we?

All software contains bugs, whether it's M$, Unix, proprietary
firmware... Router firmware is as secure as Unix code. Is it as
well-written? The router manufacturer would seem to have motivation
to ensure this (detractors of various NAT routers notwithstanding).
YMMV.

Chuck

Spam sucks - PLEASE get rid of the spam before emailing me!
Trusted Computing? Right! http://www.againsttcpa.com/
WHAT IS THE CBDTPA? http://www.stoppoliceware.org/
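Chuck's post names the two controls a defender would lean on in one of these boxes: the admin interface answers only on the LAN side unless remote management is switched on, and a firmware image is accepted only if the vendor's signature on it checks out. The following is an added illustration of both checks in Python; it is not code from the thread or from any router vendor. The image layout, the LAN prefix and the key baked into the device are constructed for the example, and the HMAC tag stands in for the asymmetric signature a real vendor would use, because the stdlib has no public-key primitive; the decision logic is the same either way: a forged, tampered, truncated or older-than-installed image is refused before anything is flashed.

```python
"""Two defensive checks modelled on a SOHO router's management plane:
(1) who may reach the admin UI, and (2) whether a firmware image may be
flashed.  Constructed example; not vendor code."""
import hashlib
import hmac
import ipaddress
import struct

# ASSUMPTION: a per-vendor key baked into the device.  A real vendor would
# sign with a private key only it holds; HMAC is a stdlib-only stand-in.
VENDOR_KEY = b"constructed-vendor-key-not-real"
MAGIC = b"FWIM"                       # constructed image magic
HEADER = struct.Struct("!4sHI")       # magic, version, payload length
TAG_LEN = hashlib.sha256().digest_size

# Constructed LAN prefix for the admin-access rule.
LAN = ipaddress.ip_network("192.168.1.0/24")


def admin_allowed(src_ip: str, iface: str, remote_management: bool) -> bool:
    """Admin UI is reachable from the LAN side; from the WAN side only when
    the administrator has explicitly enabled remote management."""
    addr = ipaddress.ip_address(src_ip)
    if iface == "lan":
        return addr in LAN            # LAN port, and a genuine LAN address
    if iface == "wan":
        return remote_management      # default should be False
    return False


def build_image(version: int, payload: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """What the vendor's build step would emit: header || payload || tag."""
    header = HEADER.pack(MAGIC, version, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify_image(image: bytes, installed_version: int, key: bytes = VENDOR_KEY):
    """Return (ok, reason).  Every structural check runs before the tag is
    compared, and the version check runs only on an authenticated image."""
    if len(image) < HEADER.size + TAG_LEN:
        return False, "truncated"
    magic, version, length = HEADER.unpack_from(image, 0)
    if magic != MAGIC:
        return False, "bad magic"
    body_end = HEADER.size + length
    if body_end + TAG_LEN != len(image):
        return False, "length mismatch"   # header lies about its payload
    signed, tag = image[:body_end], image[body_end:]
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time compare
        return False, "bad signature"
    if version < installed_version:
        return False, "downgrade"         # refuse rolling back to a buggy build
    return True, "ok"


if __name__ == "__main__":
    good = build_image(2, b"constructed firmware body")
    tampered = bytearray(good)
    tampered[HEADER.size] ^= 0x01        # flip one payload bit
    for name, img in [("good", good), ("tampered", bytes(tampered)),
                      ("forged", build_image(9, b"x", key=b"wrong-key"))]:
        print(name, verify_image(img, installed_version=1))
    print("wan admin, remote mgmt off:", admin_allowed("203.0.113.5", "wan", False))
```

The order of checks matters: length and magic are validated from the header before the tag is computed so a malformed image cannot make the verifier read past the buffer, and the downgrade rule is applied only after authentication so an attacker cannot learn anything about the installed version from an unsigned image.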
#3
In alt.computer.security, Msg ID: <> Chuck <>, wrote:

>On Mon, 15 Sep 2003 10:22:28 -0400, mchiper <> wrote:
>
>>SNIP<
>>>
>>>> My question is...these days there's a lot of those all-in-one
>>>> modem/router/firewall/vpn combo boxes (D-Link 500, Netgear etc ) and if
>>>> you just want a basic firewall and NAT with maybe a VPN tunnel they seem
>>>> like a good alternative to running an actual box up front (lower power
>>>> consumption, no HD, floppy etc, quiet, all solid state, no fans, config
>>>> via browser , it's the size of a paperback book etc etc). Now, how
>>
>>Neato info..
>>Doesn't sound like a Unix thingy at all to me,
>>
>>>Correct, they are in a lot ways better: custom hardware, more-or-less shock
>>>resistant, easy GUI-interface, they are small, ...
>>>but,
>>>
>>SNIP<
>>>a lot of hardware firewall/router/proxy combo's are subject to the same
>>>problems as their software equivalents: bad coding; thus, yes, you can
>>>expect the same problems as with a linux box (hardware routers run on
>>>software too, and often a unix-derivate) - but, you won't have patches
>>>within half an hour or something after an exploit came to public light:
>>>commercial firms are much slower.
>>
>>I'm thinking, It's a rare piece of computer "hardware"
>>that doesn't run on software..
>>Either that, or it's really a "toaster", and uses mechanical thingy's
>>like switches to "configure it.. What do you think?
>
>They use software loaded as firmware (you have to run the firmware
>update from downloaded files). Make sure Remote Management is
>disabled, and this could only be done from inside your LAN.
>Presumably the firmware update contains a digital signature
>proprietary to the router manufacturer, to prevent an exploit using
>forged firmware.
>>
>>>If you want convenience, go for a hardware thing and trust your vendors
>>>support; If you want security, go for the homebrewn unix and continue to
>>>spend time on it
>>
>>Not really...
>>Think I'll look at not trusting any body for anything.
>>I have a ways to go yet.. But I'm workin on it.
>>
>>We are talking SECURITY here, aren't we?
>
>All software contains bugs, whether it's M$, Unix, proprietary
>firmware... Router firmware is as secure as Unix code. Is it as
>well-written? The router manufacturer would seem to have motivation
>to ensure this (detractors of various NAT routers notwithstanding).
>YMMV.

Neato..
So you trust them with the family jewels.
And I have to open the box to see what microprocessor it's using?

Not as tough as copying EProms that were "copy protected".
And replacing with EEProms, I think.

Did you say that all they take is a browser to configure?

I was really hunting for a Modem Command Reference.
And the Network equivalent of Qmodem Pro.

PING seems to lack functionality.

Ray mchiper
#4
On Mon, 15 Sep 2003 18:07:20 -0400, mchiper <> wrote:

>
> In alt.computer.security, Msg ID: <>
> Chuck <>, wrote:
>
>>On Mon, 15 Sep 2003 10:22:28 -0400, mchiper <> wrote:
>>
>>>SNIP<
>Neato..
>So you trust them with the family jewels.
>And I have to open the box to see what microprocessor it's using?
>
>Not as tough as copying EProms that were "copy protected".
>And replacing with EEProms, I think.
>
>Did you say that all they take is a browser to configure?
>
>I was really hunting for a Modem Command Reference.
>And the Network equivalent of Qmodem Pro.
>
>PING seems to lack functionality.
>
>Ray

What are you, people? On dope?
(With apologies to Ray Walston, "Fast Times At Ridgemont High")

Spam sucks - PLEASE get rid of the spam before emailing me!
Chuck
#5
On Mon, 15 Sep 2003 18:07:20 -0400, mchiper <> wrote:

>
> In alt.computer.security, Msg ID: <>
> Chuck <>, wrote:
>
>>On Mon, 15 Sep 2003 10:22:28 -0400, mchiper <> wrote:
>>
>>>SNIP<
>
>Neato..
>So you trust them with the family jewels.
>And I have to open the box to see what microprocessor it's using?
>
>Not as tough as copying EProms that were "copy protected".
>And replacing with EEProms, I think.
>
>Did you say that all they take is a browser to configure?

All above concerns require physical access to my computer room, which
is not my concern. As I said, disable Remote Management.

>
>SNIP<
>Ray

Chuck

Spam sucks - PLEASE get rid of the spam before emailing me!
Trusted Computing? Right! http://www.againsttcpa.com/
WHAT IS THE CBDTPA? http://www.stoppoliceware.org/
#6
In alt.computer.security, Msg ID: <> Chuck <>, wrote:

>On Mon, 15 Sep 2003 18:07:20 -0400, mchiper <> wrote:
>
>>
>> In alt.computer.security, Msg ID: <>
>> Chuck <>, wrote:
>>
>>>On Mon, 15 Sep 2003 10:22:28 -0400, mchiper <> wrote:
>>>
>>>>SNIP<
>
>>
>>Neato..
>>So you trust them with the family jewels.
>>And I have to open the box to see what microprocessor it's using?
>>
>>Not as tough as copying EProms that were "copy protected".
>>And replacing with EEProms, I think.
>>
>>Did you say that all they take is a browser to configure?
>All above concerns require physical access to my computer room, which
>is not my concern.

You misunderstood..

>What are you, people? On dope?
>(With apologies to Ray Walston, "Fast Times At Ridgemont High")

It's MY OWN system I am concerned with.. NOT YOURS..
Things I can do to PROTECT me, NOT **** with YOU..
So I have NOTHING to apologize for..
Are YOU a dope, or merely ON dope?

>As I said, disable Remote Management.

Not a big help, if that's what you think it is..
But I'll work on it, if and when..

Thanks..

Ray mchiper