risks of using a router without a firewall

Discussion in 'Computer Security' started by Doug Fox, Sep 14, 2005.

  1. Doug Fox

    Doug Fox Guest

    Dear List;

    I have installed a D-Link broadband DI-601 router for Internet access.

    I scanned the router using nmap, nessus, and superscan. They could not
    identify any open ports. In addition, according to D-Link, all D-Link
    routers block all incoming ports.

    In this scenario, is my network safe from DoS, DDoS, Buffer Overflow,
    teardrop, IP spoofing, etc. attacks.

    Any comments/suggestions are appreciated.

    Thanks,
     
    Doug Fox, Sep 14, 2005
    #1
    1. Advertisements

  2. From: "Doug Fox" <>

    | Dear List;
    |
    | I have installed a D-Link broadband DI-601 router for Internet access.
    |
    | I scanned the router using nmap, nessus, and superscan. They could not
    | identify any open ports. In addition, according to D-Link, all D-Link
    | routers block all incoming ports.
    |
    | In this scenario, is my network safe from DoS, DDoS, Buffer Overflow,
    | teardrop, IP spoofing, etc. attacks.
    |
    | Any comments/suggestions are appreciated.
    |
    | Thanks,
    |

    As always I suggest specifically blocking both TCP and UDP ports 135 ~ 139 and 445 on *any*
    SOHO Router.

    Remember, a NAT Router is NOT a full FireWall implementation.
     
    David H. Lipman, Sep 14, 2005
    #2
    1. Advertisements

  3. But it should suffice, for a lot of people. The router itself is only
    susceptible to particular attacks and - generally being based on a form of
    embedded UNIX - tend to be pretty good at handling this sort of thing. Worth
    checking that you have the latest release level loaded, though. The last
    dLink I set up had a manual for the new firmware revision, but the old
    version loaded. Useful. Not.

    When it comes to DoS attacks (distributed or otherwise), you are pretty much
    at the mercy of your ISP - they will have to get involved, should your local
    link near saturation. They undoubtedly would anyway, as a DoS attack will
    also take out other people running from the same box in the street.

    In addition to Dave's suggestions, think carefully before opening up a uPnP
    port. Most modern routers have the option, but it's not something to take
    too lightly.

    You should also test these ports specifically, as opposed to a full scan -
    many routers can determine that a port scan is in progress, and will block
    traffic. The results you had may (I stress "may") be misleading - although,
    TBH, I doubt that they are. These things are intended to be secure
    out-of-the-box.

    HTH

    Hairy One Kenobi

    Disclaimer: the opinions expressed in this opinion do not necessarily
    reflect the opinions of the highly-opinionated person expressing the opinion
    in the first place. So there!
     
    Hairy One Kenobi, Sep 14, 2005
    #3
  4. Doug Fox

    Shadus Guest

    Make sure you change the default password.
     
    Shadus, Sep 14, 2005
    #4
  5. From: "Hairy One Kenobi" <[email protected][127.0.0.1]>

    |>> Dear List;
    |>>
    |>> I have installed a D-Link broadband DI-601 router for Internet access.
    |>>
    |>> I scanned the router using nmap, nessus, and superscan. They could not
    |>> identify any open ports. In addition, according to D-Link, all D-Link
    |>> routers block all incoming ports.
    |>>
    |>> In this scenario, is my network safe from DoS, DDoS, Buffer Overflow,
    |>> teardrop, IP spoofing, etc. attacks.
    |>>
    |>> Any comments/suggestions are appreciated.
    |>>
    |>> Thanks,
    |>>|
    | But it should suffice, for a lot of people. The router itself is only
    | susceptible to particular attacks and - generally being based on a form of
    | embedded UNIX - tend to be pretty good at handling this sort of thing. Worth
    | checking that you have the latest release level loaded, though. The last
    | dLink I set up had a manual for the new firmware revision, but the old
    | version loaded. Useful. Not.
    |
    | When it comes to DoS attacks (distributed or otherwise), you are pretty much
    | at the mercy of your ISP - they will have to get involved, should your local
    | link near saturation. They undoubtedly would anyway, as a DoS attack will
    | also take out other people running from the same box in the street.
    |
    | In addition to Dave's suggestions, think carefully before opening up a uPnP
    | port. Most modern routers have the option, but it's not something to take
    | too lightly.
    |
    | You should also test these ports specifically, as opposed to a full scan -
    | many routers can determine that a port scan is in progress, and will block
    | traffic. The results you had may (I stress "may") be misleading - although,
    | TBH, I doubt that they are. These things are intended to be secure
    | out-of-the-box.
    |
    | HTH
    |
    | Hairy One Kenobi
    |
    | Disclaimer: the opinions expressed in this opinion do not necessarily
    | reflect the opinions of the highly-opinionated person expressing the opinion
    | in the first place. So there!
    |

    I have uPnP enabled. It only communicates on the LAN side, not the WAN side as tested with
    Ethereal.
     
    David H. Lipman, Sep 14, 2005
    #5
  6. Excellent point. <slaps self for not pointing this out>

    H1K
     
    Hairy One Kenobi, Sep 15, 2005
    #6
  7. From: "Hairy One Kenobi" <[email protected][127.0.0.1]>

    |
    | Excellent point. <slaps self for not pointing this out>
    |
    | H1K
    |

    One can also state that you should also...

    Disable remote upgrade and management.
    Then you can't even get a login screen from the WAN side nor be able to update the FirmWare
    from the WAN side.

    Different Routers will have varying options and may describe the above using alternate text.
     
    David H. Lipman, Sep 15, 2005
    #7
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.