Re: risks of using a router without a firewall
From: Hairy One Kenobi (abuse_at_[127.0.0.1)
Date: Wed, 14 Sep 2005 11:01:51 GMT
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
> From: "Doug Fox" <firstname.lastname@example.org>
> | Dear List;
> | I have installed a D-Link broadband DI-601 router for Internet access.
> | I scanned the router using nmap, nessus, and superscan. They could not
> | identify any open ports. In addition, according to D-Link, all D-Link
> | routers block all incoming ports.
> | In this scenario, is my network safe from DoS, DDoS, Buffer Overflow,
> | teardrop, IP spoofing, etc. attacks.
> | Any comments/suggestions are appreciated.
> | Thanks,
> As always I suggest specifically blocking both TCP and UDP ports 135 ~ 139
and 445 on *any*
> SOHO Router.
> Remember, a NAT Router is NOT a full FireWall implementation.
But it should suffice, for a lot of people. The router itself is only
susceptible to particular attacks and - generally being based on a form of
embedded UNIX - tend to be pretty good at handling this sort of thing. Worth
checking that you have the latest release level loaded, though. The last
dLink I set up had a manual for the new firmware revision, but the old
version loaded. Useful. Not.
When it comes to DoS attacks (distributed or otherwise), you are pretty much
at the mercy of your ISP - they will have to get involved, should your local
link near saturation. They undoubtedly would anyway, as a DoS attack will
also take out other people running from the same box in the street.
In addition to Dave's suggestions, think carefully before opening up a uPnP
port. Most modern routers have the option, but it's not something to take
You should also test these ports specifically, as opposed to a full scan -
many routers can determine that a port scan is in progress, and will block
traffic. The results you had may (I stress "may") be misleading - although,
TBH, I doubt that they are. These things are intended to be secure
Hairy One Kenobi
Disclaimer: the opinions expressed in this opinion do not necessarily
reflect the opinions of the highly-opinionated person expressing the opinion
in the first place. So there!