risks of using a router without a firewall

Dear List;

I have installed a D-Link broadband DI-601 router for Internet access.

I scanned the router using nmap, nessus, and superscan. They could not
identify any open ports. In addition, according to D-Link, all D-Link
routers block all incoming ports.

In this scenario, is my network safe from DoS, DDoS, Buffer Overflow,
teardrop, IP spoofing, etc. attacks.

Any comments/suggestions are appreciated.

Thanks,

 

From: "Doug Fox" <>

| Dear List;
|
| I have installed a D-Link broadband DI-601 router for Internet access.
|
| I scanned the router using nmap, nessus, and superscan. They could not
| identify any open ports. In addition, according to D-Link, all D-Link
| routers block all incoming ports.
|
| In this scenario, is my network safe from DoS, DDoS, Buffer Overflow,
| teardrop, IP spoofing, etc. attacks.
|
| Any comments/suggestions are appreciated.
|
| Thanks,
|

As always I suggest specifically blocking both TCP and UDP ports 135 ~ 139 and 445 on *any*
SOHO Router.

Remember, a NAT Router is NOT a full FireWall implementation.

 

But it should suffice, for a lot of people. The router itself is only
susceptible to particular attacks and - generally being based on a form of
embedded UNIX - tend to be pretty good at handling this sort of thing. Worth
checking that you have the latest release level loaded, though. The last
dLink I set up had a manual for the new firmware revision, but the old
version loaded. Useful. Not.

When it comes to DoS attacks (distributed or otherwise), you are pretty much
at the mercy of your ISP - they will have to get involved, should your local
link near saturation. They undoubtedly would anyway, as a DoS attack will
also take out other people running from the same box in the street.

In addition to Dave's suggestions, think carefully before opening up a uPnP
port. Most modern routers have the option, but it's not something to take
too lightly.

You should also test these ports specifically, as opposed to a full scan -
many routers can determine that a port scan is in progress, and will block
traffic. The results you had may (I stress "may") be misleading - although,
TBH, I doubt that they are. These things are intended to be secure
out-of-the-box.

HTH

Hairy One Kenobi

Disclaimer: the opinions expressed in this opinion do not necessarily
reflect the opinions of the highly-opinionated person expressing the opinion
in the first place. So there!

 

Make sure you change the default password.

 

From: "Hairy One Kenobi" <[email protected][127.0.0.1]>

|>> Dear List;
|>>
|>> I have installed a D-Link broadband DI-601 router for Internet access.
|>>
|>> I scanned the router using nmap, nessus, and superscan. They could not
|>> identify any open ports. In addition, according to D-Link, all D-Link
|>> routers block all incoming ports.
|>>
|>> In this scenario, is my network safe from DoS, DDoS, Buffer Overflow,
|>> teardrop, IP spoofing, etc. attacks.
|>>
|>> Any comments/suggestions are appreciated.
|>>
|>> Thanks,
|>>|
| But it should suffice, for a lot of people. The router itself is only
| susceptible to particular attacks and - generally being based on a form of
| embedded UNIX - tend to be pretty good at handling this sort of thing. Worth
| checking that you have the latest release level loaded, though. The last
| dLink I set up had a manual for the new firmware revision, but the old
| version loaded. Useful. Not.
|
| When it comes to DoS attacks (distributed or otherwise), you are pretty much
| at the mercy of your ISP - they will have to get involved, should your local
| link near saturation. They undoubtedly would anyway, as a DoS attack will
| also take out other people running from the same box in the street.
|
| In addition to Dave's suggestions, think carefully before opening up a uPnP
| port. Most modern routers have the option, but it's not something to take
| too lightly.
|
| You should also test these ports specifically, as opposed to a full scan -
| many routers can determine that a port scan is in progress, and will block
| traffic. The results you had may (I stress "may") be misleading - although,
| TBH, I doubt that they are. These things are intended to be secure
| out-of-the-box.
|
| HTH
|
| Hairy One Kenobi
|
| Disclaimer: the opinions expressed in this opinion do not necessarily
| reflect the opinions of the highly-opinionated person expressing the opinion
| in the first place. So there!
|

I have uPnP enabled. It only communicates on the LAN side, not the WAN side as tested with
Ethereal.

 

Excellent point. <slaps self for not pointing this out>

H1K

 

From: "Hairy One Kenobi" <[email protected][127.0.0.1]>

|
| Excellent point. <slaps self for not pointing this out>
|
| H1K
|

One can also state that you should also...

Disable remote upgrade and management.
Then you can't even get a login screen from the WAN side nor be able to update the FirmWare
from the WAN side.

Different Routers will have varying options and may describe the above using alternate text.