Re: A good router

From: Duane Arnold (notme_at_notme.com)
Date: 05/29/04


Date: Sat, 29 May 2004 11:54:08 GMT

BW~Merlin <s4076794@student.uq.edu.au> wrote in news:c99mq6$3i3$1@bunyip.cc.uq.edu.au:

> Hi. I am looking for a router for my home network. I currently use
> Sygate on my host machine and everything else is connected to it through
> a hub and daisy chain. Can anyone recommend a good brand and maybe
> model. I'm looking for something with at least 5 ports that is easy to
> set up and maintain (I won't be home so it has to be able to be set and
> forgot until I can get back and have a look at it again). It would also
> be good if it were gigabit enabled.

I have been using a Linksys BEFW11S4 wireless/wired 4 port switch router
model since 2001 with no problems. There are other BFW models that are
all wired 4 and 8 port models too.

Most routers on the market have an Uplink port where you can connect a
hub or switch and daisy chain hubs or switches together where the router
is the gateway device for the LAN and WAN and controls 255 computers
connected in that manner. The router's have a built in switch and from a
home environment stand point, I don't know about some gigabit situation
that's needed in that environment. You can also just plug the hub or
switch into one of the router LAN ports as well to extend the network.
 
> I don't know much about routers and
> know a little about home security (like windows is bad and when my new
> pc comes Linux's goes on it)

You know nothing about security making that statement as a Windows NT
based O/S such as Win NT 4.0, 2K, XP, or 2K3 can be secured if one knows
what he or she is doing to secure the O/S. I have no problems with
security of any Windows NT based O/S machine on my network. However,
there is some learning one must face in the area and the link is a push.

http://www.uksecurityonline.com/index5.php

> so if someone could also explain port
> forwarding and other router related queries to me in plain English it
> would be much appreciated.

http://www.homenethelp.com/web/explain/port-forwarding-dmz.asp

Also, a router manufacturer's Website Knowledge Base will explain things
to you on how(s) on any of its router models.

In addition, Google (your friend) has plenty of router configuration
articles on the how to(s) on many manufacturer brands and models. All you
have to do is search it out.

I suggest that you get a UPS and plug the router into it as the router
doesn't like bad power from spikes from household appliances on the line,
sudden loss of power or blackouts and brownouts. If it happens too often,
the router will go defective if not protected. The router likes constant
and clean power.

A recent email from WatchGuard that I got the other day about NAT
devices.

Duane :)

<snip>

Busting the NAT Myth
By Sig Fidyke, Senior Product Manager, and Scott Pinzon, LiveSecurity
Lead Editor, WatchGuard Technologies, Inc.

Have you ever settled down to dinner, only to be interrupted by
unsolicited telemarketing phone calls? It makes you glad that at work,
your business has a main number other than your desk phone. If necessary,
you can tell the company receptionist, "Unless my boss or my spouse
calls, don't forward any calls to me." Then if telemarketers call the
main number, looking for you, the receptionist terminates their call
without bothering you. In fact, if you wanted, you could keep your desk
phone number completely private so that no one knew it except fellow
employees and close family members.

However, if you achieved that ideal, would you then say, "My private
phone number makes me safe in all regards. Now we can fire the company's
security guards and leave the doors unlocked"? Foolish, right? Yet for
some reason, many people follow that very logic when concluding that a
NAT device is a firewall. This article debunks the myth that a NAT device
is "good enough" security, and explains why you're better off using a
real firewall to protect your network.

NAT Attacks
Network Address Translation, or NAT, works roughly like the receptionist
in our opening illustration. It hides your private, or unregistered,
network addresses from the public. When packets leave your network,
heading for the wild Internet, a NAT device replaces all private IP
source addresses with one public address (usually its own). Since the NAT
box advertises its own address to the world as the source address, all
replies from the wild Internet return to the NAT device, analogous to the
way phone calls to everyone at your company might first come to a main
phone number. And just as the receptionist answering the main number can
redirect incoming phone calls to the desired individual, NAT checks an
internal table to redirect replies to the appropriate computer inside the
network. If an attacker initiates a connection to your network through
some oddball port, like 31337, the NAT box would check its table and
think, "Gee, no one inside this network requested information on port
31337. Now I don't know who to send this packet to." Typically, it then
drops the packet. So, in this sense, NAT-only devices do provide a
modicum of security. (The rest of this article assumes you understand
basic NAT, so if the concept is new to you, before continuing you might
want to read "Using Network Address Translation" and "How and When to Use
1:1 NAT.")

Since NAT is designed to do the best it can to allow traffic in, any
security benefits it provides are mere side-effects. Hackers have
developed attacks specifically for NAT devices, such as the following.

Exploiting open ports. For port-based NAT, once a NAT device opens a port
by putting it in the NAT table, all traffic destined to that port is
allowed through to the local computer identified in the table. NAT
substitutes unusual ports for well-known ports, but usually derives its
substitute port numbers from a standard range. Hackers can persistently
keep guessing at which ports NAT has opened until they get through. Since
they use automated programs to do this, the hacker doesn't have to be
overly persistent or lucky -- he just tries a lot of addresses until
something breaks.
Taking the DMZ server. Some NAT devices can be configured so that packets
not matching anything in the NAT table are sent to a specified computer,
rather than discarded. This gives the administrator a chance to ensure
that good traffic is not lost, and to allow a program to work that won't
work through NAT. But it's horrible from a security perspective. It means
the NAT device sends everything through. Once a hacker gets control of
the one computer where everything goes, he can easily access any other
computer on the same network.
Spoof attacks. NAT devices are especially susceptible to spoofing. Anyone
with sufficient technical knowledge, using hacking tools freely available
on the Internet, can put another user's IP address in the "From" (source)
field of packets. Since NAT relies on analyzing addresses, false
addresses compromise NAT devices easily.
Default remote access. Many NAT devices leave a port open to the public
Internet, to allow remote administration. The port is protected by a
password. Hackers circulate lists of open ports and the default passwords
set by the manufacturer of each NAT device. If you haven't changed the
default password protecting your NAT device, knowledgeable attackers can
log themselves in and reconfigure your device. Then they have
administrative privileges, and you don't.
NAT devices were not designed to be true security devices, so they have a
weak security stance. For example, a hacker can send an "anybody there?"
message, called a ping, to millions of addresses. Firewalls recognize
ping and hide themselves. NAT devices respond, letting the hacker know
he's found a live connection. NAT devices don't do any egress filtering,
either. So clearly, a NAT device is not a full security solution.

Firewall Advantages
Don't get us wrong. We like NAT. We think NAT is both cool and necessary.
Our point is that a real firewall offers additional, significant security
improvements on top of NAT. Here are a few.

Authenticating connections. A NAT device checks only the source IP
address, destination IP address, and related port numbers to decide if
traffic is valid. A real firewall goes further. In addition to IP address
and port information, the firewall also checks, for example, the sequence
number of the packet for duplicates or out-of-bound values (hackers try
to recycle an existing packet header with different data inside). Other
firewall verification steps include user authentication, packet content
inspection (e.g., does this HTTP packet really contain HTTP
information?), and checking the IPs against black-listed sites.

Controlling outbound traffic. Any defense offered by a NAT device deals
only with inbound connections. Firewalls offer egress filtering -- the
ability to close outgoing connections. Many Trojans are programmed to
infect a machine, then "phone home" to their creator, using an obscure
outbound port; egress filtering can stop this. Similarly, when worms
infect a machine and seek to spread, egress filtering can prevent your
network from becoming the worm's next launching pad.

Securely handling special cases. True firewalls are aware of, and
support, numerous applications that require special handling. Some NAT
and low-cost "firewall-like" routers basically have to be shut off to
allow, say, NetMeeting or audio/video streaming to function. Real
firewalls handle them securely and without special user requirements. The
firewall first identifies the packets as coming from a special
application. It then rewrites and re-routes the packets compatibly with
both the application and NAT.

Robust processing power. Inexpensive NAT devices typically don't include
the powerful processors required for "deep packet inspection." Even
"firewall-like" routers will typically degrade significantly in
performance if called upon to inspect each packet. Only devices designed
to be a true firewall contain the muscle needed to combine security and
performance.

The list of firewall advantages goes on, including detailed logging that
recognizes and records attacks; centralized management; and, in more
expensive firewalls, advanced networking features (such as VLAN support
and Quality of Service), the ability to set different policies for
multiple networks, time-based policies, and more.

Conclusion
We hope you now understand the difference between a good-as-far-as-it-goes
NAT box and the multi-faceted, layered security a firewall can
offer. Though NAT can provide the equivalent of an "unlisted number" for
clients on your network, that falls short of complete security. If you're
serious about protecting your remote users and your network, deploy real
firewalls -- preferably firewalls certified by a neutral third party,
such as ICSA labs. The recent Sasser worm spread wildly even though it
was helpless against firewalls -- which demonstrates afresh that your
network security is only as good as your remote user security. ##

<snip>
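The NAT-table behaviour the WatchGuard article describes (solicited replies matched back to the inside host, an unsolicited probe to port 31337 dropped, a configured DMZ host receiving everything unmatched, and a firewall-style egress filter closing an outbound port), as an added Python simulation that is not part of the original post or of WatchGuard's article; the addresses are constructed sample values and the class and method names are assumptions of this example.

```python
# Added example: a toy port-based NAT table. Not code from the post or from
# WatchGuard; addresses are constructed sample values (RFC 5737 ranges).
from dataclasses import dataclass, field
from typing import Optional

PUBLIC_IP = "203.0.113.5"  # constructed: the NAT box's own public address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Nat:
    dmz_host: Optional[str] = None            # if set, unmatched inbound goes here
    egress_deny: frozenset = frozenset()      # outbound ports a firewall would close
    table: dict = field(default_factory=dict)  # public port -> (private ip, private port)
    next_port: int = 1024                     # substitute ports drawn from a fixed range

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet leaving the LAN; None means the egress filter dropped it."""
        if pkt.dport in self.egress_deny:
            return None                       # a NAT-only box never does this step
        for pub_port, entry in self.table.items():   # reuse an existing mapping
            if entry == (pkt.src, pkt.sport):
                break
        else:
            pub_port = self.next_port         # otherwise open a new port in the table
            self.next_port += 1
            self.table[pub_port] = (pkt.src, pkt.sport)
        return Packet(PUBLIC_IP, pub_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Deliver a packet arriving from the Internet; None means it was dropped."""
        entry = self.table.get(pkt.dport)
        if entry is not None:                 # a reply to something we sent out
            priv_ip, priv_port = entry
            return Packet(pkt.src, pkt.sport, priv_ip, priv_port)
        if self.dmz_host is not None:         # "everything goes through" to one host
            return Packet(pkt.src, pkt.sport, self.dmz_host, pkt.dport)
        return None                           # "I don't know who to send this to"
```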