risks of using a router instead of a firewall

Anonymous
September 14, 2005 1:58:21 AM

Archived from groups: comp.security.firewalls

Dear List;

I have installed a D-Link broadband DI-601 router for Internet access.

I scanned the router using nmap, nessus, and superscan. They could not
identify any open ports. In addition, according to D-Link, all D-Link
routers block all incoming ports.

In this scenario, is my network safe from DoS, DDoS, Buffer Overflow,
teardrop, IP spoofing, etc. attacks.

Any comments/suggestions are appreciated.

Thanks,

September 14, 2005 1:58:22 AM

On Tue, 13 Sep 2005 21:58:21 -0400, Doug Fox wrote:

> Dear List;
>
> I have installed a D-Link broadband DI-601 router for Internet access.
>
> I scanned the router using nmap, nessus, and superscan. They could not
> identify any open ports. In addition, according to D-Link, all D-Link
> routers block all incoming ports.

Did you scan from inside or outside?

>
> In this scenario, is my network safe from DoS,
no
> DDoS,
no
> Buffer Overflow,
no
> teardrop,
I can't remember what teardrop is, so I don't know :) 
> IP spoofing,
Only if the connection attempt was initiated from the outside.

The blocking at the router protects your internal machine(s) from contact
initiated from the outside (a.k.a. the big bad internet) It's an
important element of security, but far from the only one.

To respond more directly to the title of the post, whether you need a
firewall in addition to the router depends on your needs. My firewall
blocks all connection attempts from the inside other than the few expected
ones (http, smtp, etc.) in addition to not letting anything in from the
outside. But I'm just paranoid.
September 14, 2005 5:47:17 AM

On Tue, 13 Sep 2005 21:58:21 -0400, "Doug Fox" <dfox168@hotmail.com>
wrote:

>Dear List;
>
>I have installed a D-Link broadband DI-601 router for Internet access.
>
>I scanned the router using nmap, nessus, and superscan. They could not
>identify any open ports. In addition, according to D-Link, all D-Link
>routers block all incoming ports.
>
>In this scenario, is my network safe from DoS, DDoS, Buffer Overflow,
>teardrop, IP spoofing, etc. attacks.
>
>Any comments/suggestions are appreciated.
>
>Thanks,
>

I could not find DI-601 on the d-link site. Does it come with a
wireless connection? If it does, your network could be easily
compromised if you don't configure WPA. Since a lot of people have
difficulties doing this, it is one of the risks of having a router
instead of a firewall.
Anonymous
September 14, 2005 7:02:58 AM

"Doug Fox" <dfox168@hotmail.com> wrote in news:StadnVonYJZUHrreRVn-
vA@rogers.com:

> Dear List;
>
> I have installed a D-Link broadband DI-601 router for Internet access.
>
> I scanned the router using nmap, nessus, and superscan. They could not
> identify any open ports. In addition, according to D-Link, all D-Link
> routers block all incoming ports.
>
> In this scenario, is my network safe from DoS, DDoS, Buffer Overflow,
> teardrop, IP spoofing, etc. attacks.
>
> Any comments/suggestions are appreciated.


http://www.homenethelp.com/web/explain/about-NAT.asp

The link above talks about basic security using a NAT router for the
average home user.

Does the router have SPI?

Does the router have logging so you can see traffic to/from the router with
a log viewer?

http://www.sonic.net/wallwatcher/#Routers

As long as you don't do high risk things like port forwarding and practice
safehex, you should be OK. The router is a good first line of defense.

Duane :) 
Anonymous
September 14, 2005 9:26:53 AM

speeder <no.spam@invalid.com> wrote in
news:phafi15fqq1sutmq82rfc0jolf36rm9c4u@4ax.com:

> On Tue, 13 Sep 2005 21:58:21 -0400, "Doug Fox" <dfox168@hotmail.com>
> wrote:
>
>>Dear List;
>>
>>I have installed a D-Link broadband DI-601 router for Internet access.
>>
>>I scanned the router using nmap, nessus, and superscan. They could not
>>identify any open ports. In addition, according to D-Link, all D-Link
>>routers block all incoming ports.
>>
>>In this scenario, is my network safe from DoS, DDoS, Buffer Overflow,
>>teardrop, IP spoofing, etc. attacks.
>>
>>Any comments/suggestions are appreciated.
>>
>>Thanks,
>>
>
> I could not find DI-601 on the d-link site. Does it come with a
> wireless connection? If it does, your network could be easily
> compromised if you don't configure WPA. Since a lot of people have
> difficulties doing this, it is one of the risks of having a router
> instead of a firewall.
>

Maybe, it's 604. :) 

Duane :) 
Anonymous
September 14, 2005 10:56:29 AM

The scan was done from outside (the Internet).

"Kenneth" <jjjkkklll@cox.net> wrote in message
news:pan.2005.09.14.02.39.00.296626@cox.net...
> On Tue, 13 Sep 2005 21:58:21 -0400, Doug Fox wrote:
>
>> Dear List;
>>
>> I have installed a D-Link broadband DI-601 router for Internet access.
>>
>> I scanned the router using nmap, nessus, and superscan. They could not
>> identify any open ports. In addition, according to D-Link, all D-Link
>> routers block all incoming ports.
>
> Did you scan from inside or outside?
>
>>
>> In this scenario, is my network safe from DoS,
> no
>> DDoS,
> no
>> Buffer Overflow,
> no
>> teardrop,
> I can't remember what teardrop is, so I don't know :) 
>> IP spoofing,
> Only if the connection attempt was initiated from the outside.
>
> The blocking at the router protects your internal machine(s) from contact
> initiated from the outside (a.k.a. the big bad internet) It's an
> important element of security, but far from the only one.
>
> To respond more directly to the title of the post, whether you need a
> firewall in addition to the router depends on your needs. My firewall
> blocks all connection attempts from the inside other than the few expected
> ones (http, smtp, etc.) in addition to not letting anything in from the
> outside. But I'm just paranoid.
>
Anonymous
September 14, 2005 11:38:51 AM

Doug Fox <dfox168@hotmail.com> wrote:
> I have installed a D-Link broadband DI-601 router for Internet access.
> I scanned the router using nmap, nessus, and superscan. They could not
> identify any open ports. In addition, according to D-Link, all D-Link
> routers block all incoming ports.
> In this scenario, is my network safe from DoS, DDoS, Buffer Overflow,
> teardrop, IP spoofing, etc. attacks.

Your network is safe then from any attacks, which attack servers/daemons
on your boxes behind that router, if the router does not have any extra
security holes, which open the possibility again to reach the boxes
behind the router (i.e. by attacking the stateful handling of protocols
like FTP).

This has nothing to do with other types of attacks.

Yours,
VB.
--
"Es kann nicht sein, dass die Frustrierten in Rom bestimmen, was in
deutschen Schlafzimmern passiert".
Harald Schmidt zum "Weltjugendtag"
Anonymous
September 14, 2005 11:42:35 AM

Kenneth <jjjkkklll@cox.net> wrote:
> I can't remember what teardrop is, so I don't know :) 

It's a kind of DoS attack, see:

http://www.cert.org/advisories/CA-1997-28.html

Yours,
VB.
--
"Es kann nicht sein, dass die Frustrierten in Rom bestimmen, was in
deutschen Schlafzimmern passiert".
Harald Schmidt zum "Weltjugendtag"
Anonymous
September 14, 2005 2:15:55 PM

In article <StadnVonYJZUHrreRVn-vA@rogers.com>, dfox168@hotmail.com
says...
> Dear List;
>
> I have installed a D-Link broadband DI-601 router for Internet access.
>
> I scanned the router using nmap, nessus, and superscan. They could not
> identify any open ports. In addition, according to D-Link, all D-Link
> routers block all incoming ports.
>
> In this scenario, is my network safe from DoS, DDoS, Buffer Overflow,
> teardrop, IP spoofing, etc. attacks.
>
> Any comments/suggestions are appreciated.

Your NAT box only protects you from "unsolicited" INBOUND connections.
What that means is if your machine has some malware on it, a program
that allows the remote hacker to take control of your PC, that they can
take control by having the malware contact them, and they can then do
anything they want.

In the case of a firewall, if you were properly setup, the malware, even
using HTTP, would not be able to contact the hacker to get instructions
(this would be based on not just having a fully open outbound port 80,
but based on doing content filtering in the http session).

A NAT box is a very good minimal layer for home users and some small
offices, but it's not a firewall, it's just a result of how NAT works.

So, if you want to know if you are protected against all of those
things, read the vendors site concerning it.

--

spam999free@rrohio.com
remove 999 in order to email me
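
The point made in the post above, as an added example that is not part of the original thread: a toy model of a NAT router's translation table, showing which traffic it stops and which it lets through. All addresses and ports are constructed, and matching inbound packets against the exact remote peer is an assumption about the router's behaviour.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class NatRouter:
    """Toy NAT box. egress_allow=None models a plain NAT router (any outbound
    port passes); a set of ports models a firewall with an outbound allowlist."""
    egress_allow: Optional[set] = None
    table: dict = field(default_factory=dict)  # wan_port -> (lan, remote)
    next_port: int = 40000

    def outbound(self, lan, remote):
        """A LAN host (ip, port) connects to remote (ip, port).
        Returns the WAN port mapped for the flow, or None if egress is denied."""
        if self.egress_allow is not None and remote[1] not in self.egress_allow:
            return None
        wan_port, self.next_port = self.next_port, self.next_port + 1
        self.table[wan_port] = (lan, remote)
        return wan_port

    def inbound(self, remote, wan_port):
        """A packet from remote hits wan_port. Returns the LAN (ip, port) it is
        forwarded to, or None when nothing inside asked for it."""
        entry = self.table.get(wan_port)
        if entry is None or entry[1] != remote:
            return None
        return entry[0]

def demo():
    pc = ("192.168.0.100", 1055)      # constructed LAN host
    web = ("198.51.100.20", 80)       # constructed web server
    ctrl = ("198.51.100.66", 6667)    # constructed malware controller
    ctrl80 = ("198.51.100.66", 80)    # same controller, listening on port 80
    out = {}
    nat = NatRouter()
    # Unsolicited probe from outside: no mapping exists, so it is dropped.
    out["outside_scan"] = nat.inbound(("203.0.113.7", 51000), 80)
    # Normal browsing: the reply matches the mapping and reaches the PC.
    p = nat.outbound(pc, web)
    out["web_reply"] = nat.inbound(web, p)
    out["stranger_on_mapped_port"] = nat.inbound(("203.0.113.7", 80), p)
    # Malware on the PC calls out: NAT treats it like any other flow.
    m = nat.outbound(pc, ctrl)
    out["controller_reply_plain_nat"] = nat.inbound(ctrl, m)
    # With an outbound allowlist the odd port is denied, port 80 is not.
    fw = NatRouter(egress_allow={25, 80, 443})
    out["controller_blocked_by_egress"] = fw.outbound(pc, ctrl)
    out["controller_over_port_80"] = fw.outbound(pc, ctrl80)
    return out
```

The last result is why a port allowlist alone does not stop malware that speaks HTTP, which is the case the post ties to content filtering.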
Anonymous
September 14, 2005 7:39:45 PM

Not sure if this is the case for this particular type of router that you are
using, but just in case, ensure that you have changed the password for the
configuration management for the router from the default one - usually
'admin' or something like that.
Some routers are known to be configurable from the outside by a remote
attacker by trying the default password. With that, the attacker can set up
the router however he wants and can attack further.

Sorry that I cannot provide better specifics, but I know that I have read
about this in the past and have given my router a new password accordingly.

Martin


"Leythos" <void@nowhere.lan> wrote in message
news:MPG.1d91c26ea8ae2d8198a039@news-server.columbus.rr.com...
> In article <StadnVonYJZUHrreRVn-vA@rogers.com>, dfox168@hotmail.com
> says...
> > Dear List;
> >
> > I have installed a D-Link broadband DI-601 router for Internet access.
> >
> > I scanned the router using nmap, nessus, and superscan. They could not
> > identify any open ports. In addition, according to D-Link, all D-Link
> > routers block all incoming ports.
> >
> > In this scenario, is my network safe from DoS, DDoS, Buffer Overflow,
> > teardrop, IP spoofing, etc. attacks.
> >
> > Any comments/suggestions are appreciated.
>
> Your NAT box only protects you from "unsolicited" INBOUND connections.
> What that means is if your machine has some malware on it, a program
> that allows the remote hacker to take control of your PC, that they can
> take control by having the malware contact them, and they can then do
> anything they want.
>
> In the case of a firewall, if you were properly setup, the malware, even
> using HTTP, would not be able to contact the hacker to get instructions
> (this would be based on not just having a fully open outbound port 80,
> but based on doing content filtering in the http session).
>
> A NAT box is a very good minimal layer for home users and some small
> offices, but it's not a firewall, it's just a result of how NAT works.
>
> So, if you want to know if you are protected against all of those
> things, read the vendors site concerning it.
>
> --
>
> spam999free@rrohio.com
> remove 999 in order to email me
September 14, 2005 9:55:08 PM

In article <Xns96D0E04B9AD7Enotmenotmecom@204.127.204.17>,
notme@notme.com says...
> "Doug Fox" <dfox168@hotmail.com> wrote in news:StadnVonYJZUHrreRVn-
> vA@rogers.com:
>
> > Dear List;
> >
> > I have installed a D-Link broadband DI-601 router for Internet access.
> >
> > I scanned the router using nmap, nessus, and superscan. They could not
> > identify any open ports. In addition, according to D-Link, all D-Link
> > routers block all incoming ports.
> >
> > In this scenario, is my network safe from DoS, DDoS, Buffer Overflow,
> > teardrop, IP spoofing, etc. attacks.
> >
> > Any comments/suggestions are appreciated.
>
>
> http://www.homenethelp.com/web/explain/about-NAT.asp
>
> The link above talks about basic security using a NAT router for the
> average home user.
>
> Does the router have SPI?
>
> Does the router have logging so you can see traffic to/from the router with
> a log viewer?
>
> http://www.sonic.net/wallwatcher/#Routers
>
> As long as you don't do high risk things like port forwarding and practice
> safehex, you should be OK. The router is a good first line of defense.
>
> Duane :) 
>
How does one know if one's router has SP1? I have a Linksys BEFSR41
version 2 and it is a couple of years old by now.

Also, wallwatcher looks very interesting. Since I run both the
router and Sygate, will the wallwatcher logs show me things that
are blocked by the router and that, therefore, Sygate never knows
about?

And...do you know how much of a drain wallwatcher puts on the
system?

TIA

Louise
Anonymous
September 14, 2005 11:16:59 PM

louise <nospam@nospam.com> wrote in
news:MPG.1d92307a9490d8ce9896f4@news-server.nyc.rr.com:

> In article <Xns96D0E04B9AD7Enotmenotmecom@204.127.204.17>,
> notme@notme.com says...
>> "Doug Fox" <dfox168@hotmail.com> wrote in news:StadnVonYJZUHrreRVn-
>> vA@rogers.com:
>>
>> > Dear List;
>> >
>> > I have installed a D-Link broadband DI-601 router for Internet
>> > access.
>> >
>> > I scanned the router using nmap, nessus, and superscan. They could
>> > not identify any open ports. In addition, according to D-Link, all
>> > D-Link routers block all incoming ports.
>> >
>> > In this scenario, is my network safe from DoS, DDoS, Buffer
>> > Overflow, teardrop, IP spoofing, etc. attacks.
>> >
>> > Any comments/suggestions are appreciated.
>>
>>
>> http://www.homenethelp.com/web/explain/about-NAT.asp
>>
>> The link above talks about basic security using a NAT router for the
>> average home user.
>>
>> Does the router have SPI?
>>
>> Does the router have logging so you can see traffic to/from the router
>> with a log viewer?
>>
>> http://www.sonic.net/wallwatcher/#Routers
>>
>> As long as you don't do high risk things like port forwarding and
>> practice safehex, you should be OK. The router is a good first line of
>> defense.
>>
>> Duane :) 
>>
> How does one know if one's router has SP1? I have a Linksys BEFSR41
> version 2 and it is a couple of years old by now.

One goes to the product's Website and looks at the document specs for the
router at www.linksys.com. My encounter with the Linksys router products,
on the Admin screens there is a setting to enable or disable SPI at least
on my BEFW11S4 v1 router I used to have. They removed SPI from the 11S4
routers. Also, in the product documentation and advertisement of the
features, most manufacturers for such routers clearly indicate that the
router has SPI. If you went to the Linksys site and looked at the product
data sheet for WRT54G, you'll see the mentioning of SPI.

>
> Also, wallwatcher looks very interesting. Since I run both the
> router and Sygate, will the wallwatcher logs show me things that
> are blocked by the router and that, therefore, Sygate never knows
> about?

That's correct the router is blocking unsolicited inbound traffic that
will never reach the computer so Sygate will never know about it. In
addition to that, Wallwatcher will also show all outbound traffic from
LAN IP(s) behind the router to remote Internet IP(s) since malware can
circumvent and defeat any personal FW solution you'll be able to see that
possible outbound traffic.

>
> And...do you know how much of a drain wallwatcher puts on the
> system?

It doesn't put any drain on the computer and happily sits in the job tray
and collects the syslog data that's being broadcasted to it from the
router. You should review the traffic to/from the router.

Duane :) 
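
The kind of log review suggested in the post above, as an added example that is not part of the original thread: a small script that counts inbound packets the router dropped and lists outbound connections from LAN hosts to ports outside an expected set. The log format, the sample lines, and the expected-port list are constructed for illustration and are not Wallwatcher's or any router vendor's format.

```python
import re
from collections import defaultdict

# Constructed sample lines in a made-up router syslog format.
SAMPLE_LOG = """\
Sep 14 23:01:12 router OUT src=192.168.1.100:1043 dst=198.51.100.20:80 proto=TCP
Sep 14 23:01:15 router OUT src=192.168.1.100:1044 dst=198.51.100.25:25 proto=TCP
Sep 14 23:02:40 router IN-DROP src=203.0.113.77:4431 dst=192.0.2.10:135 proto=TCP
Sep 14 23:03:02 router OUT src=192.168.1.101:1210 dst=198.51.100.66:6667 proto=TCP
Sep 14 23:03:32 router OUT src=192.168.1.101:1211 dst=198.51.100.66:6667 proto=TCP
Sep 14 23:04:10 router IN-DROP src=203.0.113.80:2990 dst=192.0.2.10:445 proto=TCP
"""

# Assumption: the outbound services this household actually uses.
EXPECTED_PORTS = {25, 53, 80, 110, 443}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ (?P<action>OUT|IN-DROP) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

def review(log_text, expected_ports=EXPECTED_PORTS):
    """Return (dropped_inbound, unexpected_outbound, unparsed_lines).

    unexpected_outbound maps each LAN IP to {(remote_ip, remote_port): hits}
    for outbound connections whose destination port is not expected."""
    dropped = 0
    unexpected = defaultdict(lambda: defaultdict(int))
    unparsed = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed.append(line)   # keep lines we could not read, never skip silently
            continue
        if m["action"] == "IN-DROP":
            dropped += 1            # blocked at the router; the PC never saw it
        elif int(m["dport"]) not in expected_ports:
            unexpected[m["src"]][(m["dst"], int(m["dport"]))] += 1
    return dropped, {host: dict(d) for host, d in unexpected.items()}, unparsed

if __name__ == "__main__":
    dropped, unexpected, unparsed = review(SAMPLE_LOG)
    print("inbound dropped at router:", dropped)
    for host, dests in unexpected.items():
        for (ip, port), hits in dests.items():
            print(f"{host} -> {ip}:{port} x{hits} (unexpected outbound port)")
```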
September 15, 2005 5:28:37 AM

In article <Xns96D1914A8BE3notmenotmecom@216.148.227.77>,
notme@notme.com says...
> louise <nospam@nospam.com> wrote in
> news:MPG.1d92307a9490d8ce9896f4@news-server.nyc.rr.com:
>
> > In article <Xns96D0E04B9AD7Enotmenotmecom@204.127.204.17>,
> > notme@notme.com says...
> >> "Doug Fox" <dfox168@hotmail.com> wrote in news:StadnVonYJZUHrreRVn-
> >> vA@rogers.com:
> >>
> >> > Dear List;
> >> >
> >> > I have installed a D-Link broadband DI-601 router for Internet
> >> > access.
> >> >
> >> > I scanned the router using nmap, nessus, and superscan. They could
> >> > not identify any open ports. In addition, according to D-Link, all
> >> > D-Link routers block all incoming ports.
> >> >
> >> > In this scenario, is my network safe from DoS, DDoS, Buffer
> >> > Overflow, teardrop, IP spoofing, etc. attacks.
> >> >
> >> > Any comments/suggestions are appreciated.
> >>
> >>
> >> http://www.homenethelp.com/web/explain/about-NAT.asp
> >>
> >> The link above talks about basic security using a NAT router for the
> >> average home user.
> >>
> >> Does the router have SPI?
> >>
> >> Does the router have logging so you can see traffic to/from the router
> >> with a log viewer?
> >>
> >> http://www.sonic.net/wallwatcher/#Routers
> >>
> >> As long as you don't do high risk things like port forwarding and
> >> practice safehex, you should be OK. The router is a good first line of
> >> defense.
> >>
> >> Duane :) 
> >>
> > How does one know if one's router has SP1? I have a Linksys BEFSR41
> > version 2 and it is a couple of years old by now.
>
> One goes to the product's Website and looks at the document specs for the
> router at www.linksys.com. My encounter with the Linksys router products,
> on the Admin screens there is a setting to enable or disable SPI at least
> on my BEFW11S4 v1 router I used to have. They removed SPI from the 11S4
> routers. Also, in the product documentation and advertisement of the
> features, most manufacturers for such routers clearly indicate that the

Thanks for your response.

I checked the Linksys page and they have specs only on the newest
version, which is version 4 (mine is version 2). They mention
absolutely nothing about SP1.

I then went into my router and went through all the settings. I
saw nothing to enable or disable SP1.

BTW, I realize I don't know what SP1 is :-)

Louise
Anonymous
September 15, 2005 6:32:40 AM

"louise" <nospam@nospam.com> wrote in message
news:MPG.1d929abda965cf379896f5@news-server.nyc.rr.com...
>
> BTW, I realize I don't know what SP1 is :-)
>
> Louise

Try researching SPI...that's spi in lower case...short for stateful protocol
inspection.