risks of using a router without a firewall

Discussion in 'Computer Security' started by Doug Fox, Sep 14, 2005.

  1. Doug Fox

    Doug Fox Guest

    Dear List;

    I have installed a D-Link broadband DI-601 router for Internet access.

    I scanned the router using nmap, nessus, and superscan. They could not
    identify any open ports. In addition, according to D-Link, all D-Link
    routers block all incoming ports.

    In this scenario, is my network safe from DoS, DDoS, Buffer Overflow,
    teardrop, IP spoofing, etc. attacks?

    Any comments/suggestions are appreciated.

    Thanks,
    Doug Fox, Sep 14, 2005
    #1

  2. From: "Doug Fox" <>

    | Dear List;
    |
    | I have installed a D-Link broadband DI-601 router for Internet access.
    |
    | I scanned the router using nmap, nessus, and superscan. They could not
    | identify any open ports. In addition, according to D-Link, all D-Link
    | routers block all incoming ports.
    |
    | In this scenario, is my network safe from DoS, DDoS, Buffer Overflow,
    | teardrop, IP spoofing, etc. attacks.
    |
    | Any comments/suggestions are appreciated.
    |
    | Thanks,
    |

    As always I suggest specifically blocking both TCP and UDP ports 135 ~ 139 and 445 on *any*
    SOHO Router.

    Remember, a NAT Router is NOT a full FireWall implementation.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
    David H. Lipman, Sep 14, 2005
    #2

  3. "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
    news:KYLVe.1154$si2.65@trnddc06...
    > From: "Doug Fox" <>
    >
    > | Dear List;
    > |
    > | I have installed a D-Link broadband DI-601 router for Internet access.
    > |
    > | I scanned the router using nmap, nessus, and superscan. They could not
    > | identify any open ports. In addition, according to D-Link, all D-Link
    > | routers block all incoming ports.
    > |
    > | In this scenario, is my network safe from DoS, DDoS, Buffer Overflow,
    > | teardrop, IP spoofing, etc. attacks.
    > |
    > | Any comments/suggestions are appreciated.
    > |
    > | Thanks,
    > |
    >
    > As always I suggest specifically blocking both TCP and UDP ports 135 ~ 139
    > and 445 on *any* SOHO Router.
    >
    > Remember, a NAT Router is NOT a full FireWall implementation.


    But it should suffice, for a lot of people. The router itself is only
    susceptible to particular attacks and - generally being based on a form of
    embedded UNIX - tends to be pretty good at handling this sort of thing. Worth
    checking that you have the latest release level loaded, though. The last
    D-Link I set up had a manual for the new firmware revision, but the old
    version loaded. Useful. Not.

    When it comes to DoS attacks (distributed or otherwise), you are pretty much
    at the mercy of your ISP - they will have to get involved, should your local
    link near saturation. They undoubtedly would anyway, as a DoS attack will
    also take out other people running from the same box in the street.

    In addition to Dave's suggestions, think carefully before opening up a UPnP
    port. Most modern routers have the option, but it's not something to take
    too lightly.

    You should also test these ports specifically, as opposed to a full scan -
    many routers can determine that a port scan is in progress, and will block
    traffic. The results you had may (I stress "may") be misleading - although,
    TBH, I doubt that they are. These things are intended to be secure
    out-of-the-box.

    HTH

    Hairy One Kenobi

    Disclaimer: the opinions expressed in this opinion do not necessarily
    reflect the opinions of the highly-opinionated person expressing the opinion
    in the first place. So there!
    Hairy One Kenobi, Sep 14, 2005
    #3
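
Added example, not part of any post in this thread: a targeted TCP check of the ports named above (135-139 and 445), spaced out so it does not look like a full scan, for running against your own router's WAN address from an outside connection. It covers TCP only; the function names and the one-second delay are assumptions of this sketch.

```python
import socket
import sys
import time

# Ports named in the thread: 135-139 and 445 (TCP side only here).
WINDOWS_PORTS = list(range(135, 140)) + [445]


def probe_tcp(host, port, timeout=2.0):
    """Return 'open' (handshake completed), 'closed' (RST) or 'filtered' (no answer)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        # Timeout or ICMP unreachable: something dropped the SYN.
        return "filtered"
    finally:
        sock.close()


def check_ports(host, ports=WINDOWS_PORTS, timeout=2.0, delay=1.0):
    """Probe only the listed ports, pausing between probes."""
    results = {}
    for i, port in enumerate(ports):
        if i and delay:
            time.sleep(delay)
        results[port] = probe_tcp(host, port, timeout)
    return results


def exposed(results):
    """Ports that accepted a connection and therefore need a block rule."""
    return sorted(p for p, state in results.items() if state == "open")


if __name__ == "__main__":
    # Usage: python check_ports.py <your-router-WAN-address>
    if len(sys.argv) != 2:
        sys.exit("usage: check_ports.py <router-WAN-address>")
    found = check_ports(sys.argv[1])
    for port, state in found.items():
        print(f"{port}/tcp {state}")
    print("exposed:", exposed(found) or "none")
```

A "filtered" result means the probe was silently dropped, while "closed" means something answered with a reset; only "open" indicates a reachable service.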
  4. Doug Fox

    Shadus Guest

    On 2005-09-14, Doug Fox <> blabbed:
    > <snip>


    Make sure you change the default password.
    Shadus, Sep 14, 2005
    #4
  5. From: "Hairy One Kenobi" <abuse@[127.0.0.1]>

    | "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
    | news:KYLVe.1154$si2.65@trnddc06...
    >> From: "Doug Fox" <>
    >>

    |>> Dear List;
    |>>
    |>> I have installed a D-Link broadband DI-601 router for Internet access.
    |>>
    |>> I scanned the router using nmap, nessus, and superscan. They could not
    |>> identify any open ports. In addition, according to D-Link, all D-Link
    |>> routers block all incoming ports.
    |>>
    |>> In this scenario, is my network safe from DoS, DDoS, Buffer Overflow,
    |>> teardrop, IP spoofing, etc. attacks.
    |>>
    |>> Any comments/suggestions are appreciated.
    |>>
    |>> Thanks,
    |>>
    >> As always I suggest specifically blocking both TCP and UDP ports 135 ~ 139
    >> and 445 on *any* SOHO Router.
    >>
    >> Remember, a NAT Router is NOT a full FireWall implementation.

    |
    | But it should suffice, for a lot of people. The router itself is only
    | susceptible to particular attacks and - generally being based on a form of
    | embedded UNIX - tend to be pretty good at handling this sort of thing. Worth
    | checking that you have the latest release level loaded, though. The last
    | dLink I set up had a manual for the new firmware revision, but the old
    | version loaded. Useful. Not.
    |
    | When it comes to DoS attacks (distributed or otherwise), you are pretty much
    | at the mercy of your ISP - they will have to get involved, should your local
    | link near saturation. They undoubtedly would anyway, as a DoS attack will
    | also take out other people running from the same box in the street.
    |
    | In addition to Dave's suggestions, think carefully before opening up a uPnP
    | port. Most modern routers have the option, but it's not something to take
    | too lightly.
    |
    | You should also test these ports specifically, as opposed to a full scan -
    | many routers can determine that a port scan is in progress, and will block
    | traffic. The results you had may (I stress "may") be misleading - although,
    | TBH, I doubt that they are. These things are intended to be secure
    | out-of-the-box.
    |
    | HTH
    |
    | Hairy One Kenobi
    |
    | Disclaimer: the opinions expressed in this opinion do not necessarily
    | reflect the opinions of the highly-opinionated person expressing the opinion
    | in the first place. So there!
    |

    I have uPnP enabled. It only communicates on the LAN side, not the WAN side as tested with
    Ethereal.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
    David H. Lipman, Sep 14, 2005
    #5
  6. "Shadus" <> wrote in message
    news:...
    > On 2005-09-14, Doug Fox <> blabbed:
    > > <snip>
    >
    > Make sure you change the default password.


    Excellent point. <slaps self for not pointing this out>

    H1K
    Hairy One Kenobi, Sep 15, 2005
    #6
  7. From: "Hairy One Kenobi" <abuse@[127.0.0.1]>

    | "Shadus" <> wrote in message
    | news:...
    >> On 2005-09-14, Doug Fox <> blabbed:
    >>> <snip>
    >>
    >> Make sure you change the default password.

    |
    | Excellent point. <slaps self for not pointing this out>
    |
    | H1K
    |

    One can also state that you should also...

    Disable remote upgrade and management.
    Then you can't even get a login screen from the WAN side nor be able to update the FirmWare
    from the WAN side.

    Different Routers will have varying options and may describe the above using alternate text.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
    David H. Lipman, Sep 15, 2005
    #7