Re: router

From: rello (relloman_at_beasty.com)
Date: 06/19/04


Date: Sat, 19 Jun 2004 01:42:52 GMT

On Fri, 18 Jun 2004 23:23:50 GMT, Leythos <void@nowhere.com> wrote:

>In article <TiLAc.363$vF2.135@newsfe3-win.server.ntli.net>, abuse@
>[127.0.0.1] says...
>> A properly configured firewall should *always* be better than a default
>> install.
>
>Well we agree on the above. I think that a "firewall" would be secure by
>default and require the user to open ports to allow ANY traffic in or
>out.
>
>> Forget the actual OS used (and, sorry, Leythos - as far as I'm concerned, a
>> working unit with an IP stack and sufficient code to fulfil its function is
>> a full OS. OS Capabilities vary..[1])
>
>Ah, that's our big difference, as a long time developer (since the 70's)
>and someone that has written code for embedded systems, I don't
>associate OS like functions with an OS install. If the system is only
>capable of running a single function it's not really running an OS as OS
>would be defined, it's an embedded system and only capable of one thing.
>Appliances, when they do initialize, load a program out of NVRAM/EEPROM,
>Disk, etc... don't have the ability to do more than their firmware
>permits. A system running an OS is capable of doing more than one
>function.
>
>> However. I've yet to see a significant hole with a typical NAT router
>> (note - I'm still talking SoHo units; there have been a couple of no-names
>> that have external admin enabled by default (!), but I'd call 'em "decidedly
>> rare")
>
>I used to think that NAT devices were fairly secure, not seen one hacked
>in the default config yet, and none that were properly configured have
>been hacked. On the other hand, someone recently posted a link to a flaw
>in Linksys routers (two units only) that permitted an external user to
>compromise the router (even if properly configured) when left with the
>default subnet. This type of hack requires a user in the LAN to browse
>to a crafted url on a page that will contain the malicious script that
>will compromise the router.
>
>Now, just so we can be on the same page, I don't (never have) considered
>NAT to be a firewall feature, it's a feature that can be found in
>firewalls, but it should not be confused as being a firewall or firewall
>method - NAT has nothing to do with firewall technology (although
>marketing types are sure making it look like it does).
>
>There are many true SOHO devices on the market that are "Firewall"
>devices that are not NAT routers disguised as firewalls. Many of these
>devices provide default security as would a typical install of BSD and
>one of the firewall or NAT packages would, but many of them go a step
>further and can "sense" an attack and auto-block the source.
>
>As an example, I have auto-block rules on all the firewalls that will
>place a 20 minute block on any External IP that attempts to access the
>External IP(s) using ports 135 & 445. Just one rule that helps, in
>general there are about 25 rules per firewall that make and keep things
>secure. Most of these are easy enough for a semi-IT person to pick-up
>with a little explanation and informal training (15 minutes), and then
>they can maintain the system - I've yet to see an IT type that doesn't
>already know *nix be able to maintain the box with just 15 minutes of
>informal training.
I am setting up a router that has no default ruleset and am not quite
sure where to start. I have used other routers that come with
default rules that work straight out of the box; this one has no
rules set [D-Link DI-808HV].
Should I block all in and allow all out?
Where to from there?
Thanks

relloman
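An added example, not from either poster and not the DI-808HV's own rule language (which this thread does not show): the "block all in, allow all out" starting point rello asks about, written as a Linux nftables ruleset for a small NAT router, with Leythos' 20-minute auto-block of any external IP that probes TCP 135 or 445 on the WAN address built in as a dynamic set. The interface names "wan0" and "lan0", the 192.168.1.0/24 LAN, and the management ports are assumptions for the example.

```nft
#!/usr/sbin/nft -f
# Added example: generic Linux nftables, not D-Link DI-808HV syntax.
# Assumptions: WAN interface "wan0", LAN interface "lan0", LAN is 192.168.1.0/24.
flush ruleset

table inet filter {
    # Sources caught probing 135/445. Entries expire on their own after 20 minutes,
    # so the block is temporary without any cron job or manual cleanup.
    set blocklist {
        type ipv4_addr
        flags dynamic, timeout
        timeout 20m
    }

    # Packets addressed to the router itself.
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Already-blocked sources are dropped before anything else is evaluated.
        ip saddr @blocklist drop

        # Leythos' rule: a new WAN connection to 135 or 445 on the router's
        # external address adds the source to the set (20 min) and is dropped.
        iifname "wan0" tcp dport { 135, 445 } ct state new add @blocklist { ip saddr } drop

        # Management and local services only from the LAN side.
        iifname "lan0" ip saddr 192.168.1.0/24 tcp dport { 22, 80, 443 } accept
        # DNS and DHCP from the LAN; no saddr match here because DHCP
        # discovers arrive from 0.0.0.0.
        iifname "lan0" udp dport { 53, 67 } accept
        iifname "lan0" icmp type echo-request accept
        # Everything else that reaches the router is dropped by the chain policy.
    }

    # Packets passing through the router (LAN <-> WAN).
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        # "allow all out": LAN hosts may open anything towards the WAN.
        iifname "lan0" oifname "wan0" accept
        # "block all in": no rule accepts new WAN -> LAN flows. If a LAN
        # service must be published, add an explicit per-port accept here
        # together with a DNAT rule in the nat table, nothing broader.
    }

    # The router's own outbound traffic.
    chain output {
        type filter hook output priority 0; policy accept;
    }
}

# NAT lives in its own table. As Leythos notes, it is not what makes the box
# a firewall; the drop policies above are.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "wan0" masquerade
    }
}
```

Load it with `nft -f <file>` and inspect who is currently blocked, and for how much longer, with `nft list set inet filter blocklist`. The example is IPv4 only, matching the thread; IPv6 needs a second set of type ipv6_addr and `ip6 saddr` rules. One caveat that applies to any auto-block rule of this kind: a single spoofed SYN can get an arbitrary address blocked for 20 minutes, so apply it only to traffic you can afford to lose and never to addresses the router depends on, such as its upstream DNS.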