risks of using a router instead of a firewall

Archived from groups: comp.security.firewalls

Dear List;

I have installed a D-Link broadband DI-601 router for Internet access.

I scanned the router using nmap, nessus, and superscan. They could not
identify any open ports. In addition, according to D-Link, all D-Link
routers block all incoming ports.

In this scenario, is my network safe from DoS, DDoS, Buffer Overflow,
teardrop, IP spoofing, etc. attacks?

Any comments/suggestions are appreciated.

Thanks,
  1. Archived from groups: comp.security.firewalls

    On Tue, 13 Sep 2005 21:58:21 -0400, Doug Fox wrote:

    > Dear List;
    >
    > I have installed a D-Link broadband DI-601 router for Internet access.
    >
    > I scanned the router using nmap, nessus, and superscan. They could not
    > identify any open ports. In addition, according to D-Link, all D-Link
    > routers block all incoming ports.

    Did you scan from inside or outside?

    >
    > In this scenario, is my network safe from DoS,
    no
    > DDoS,
    no
    > Buffer Overflow,
    no
    > teardrop,
    I can't remember what teardrop is, so I don't know :)
    > IP spoofing,
    Only if the connection attempt was initiated from the outside.

    The blocking at the router protects your internal machine(s) from contact
    initiated from the outside (a.k.a. the big bad internet). It's an
    important element of security, but far from the only one.

    To respond more directly to the title of the post, whether you need a
    firewall in addition to the router depends on your needs. My firewall
    blocks all connection attempts from the inside other than the few expected
    ones (http, smtp, etc.) in addition to not letting anything in from the
    outside. But I'm just paranoid.
  2. Archived from groups: comp.security.firewalls

    On Tue, 13 Sep 2005 21:58:21 -0400, "Doug Fox" <dfox168@hotmail.com>
    wrote:

    >Dear List;
    >
    >I have installed a D-Link broadband DI-601 router for Internet access.
    >
    >I scanned the router using nmap, nessus, and superscan. They could not
    >identify any open ports. In addition, according to D-Link, all D-Link
    >routers block all incoming ports.
    >
    >In this scenario, is my network safe from DoS, DDoS, Buffer Overflow,
    >teardrop, IP spoofing, etc. attacks.
    >
    >Any comments/suggestions are appreciated.
    >
    >Thanks,
    >

    I could not find DI-601 on the D-Link site. Does it come with a
    wireless connection? If it does, your network could be easily
    compromised if you don't configure WPA. Since a lot of people have
    difficulties doing this, it is one of the risks of having a router
    instead of a firewall.
  3. Archived from groups: comp.security.firewalls

    "Doug Fox" <dfox168@hotmail.com> wrote in news:StadnVonYJZUHrreRVn-
    vA@rogers.com:

    > Dear List;
    >
    > I have installed a D-Link broadband DI-601 router for Internet access.
    >
    > I scanned the router using nmap, nessus, and superscan. They could not
    > identify any open ports. In addition, according to D-Link, all D-Link
    > routers block all incoming ports.
    >
    > In this scenario, is my network safe from DoS, DDoS, Buffer Overflow,
    > teardrop, IP spoofing, etc. attacks.
    >
    > Any comments/suggestions are appreciated.


    http://www.homenethelp.com/web/explain/about-NAT.asp

    The link above talks about basic security using a NAT router for the
    average home user.

    Does the router have SPI?

    Does the router have logging so you can see traffic to/from the router with
    a log viewer?

    http://www.sonic.net/wallwatcher/#Routers

    As long as you don't do high risk things like port forwarding and practice
    safehex, you should be OK. The router is a good first line of defense.

    Duane :)
  4. Archived from groups: comp.security.firewalls

    speeder <no.spam@invalid.com> wrote in
    news:phafi15fqq1sutmq82rfc0jolf36rm9c4u@4ax.com:

    > On Tue, 13 Sep 2005 21:58:21 -0400, "Doug Fox" <dfox168@hotmail.com>
    > wrote:
    >
    >>Dear List;
    >>
    >>I have installed a D-Link broadband DI-601 router for Internet access.
    >>
    >>I scanned the router using nmap, nessus, and superscan. They could not
    >>identify any open ports. In addition, according to D-Link, all D-Link
    >>routers block all incoming ports.
    >>
    >>In this scenario, is my network safe from DoS, DDoS, Buffer Overflow,
    >>teardrop, IP spoofing, etc. attacks.
    >>
    >>Any comments/suggestions are appreciated.
    >>
    >>Thanks,
    >>
    >
    > I could not find DI-601 on the D-Link site. Does it come with a
    > wireless connection? If it does, your network could be easily
    > compromised if you don't configure WPA. Since a lot of people have
    > difficulties doing this, it is one of the risks of having a router
    > instead of a firewall.
    >

    Maybe, it's 604. :)

    Duane :)
  5. Archived from groups: comp.security.firewalls

    The scan was done from outside (the Internet).

    "Kenneth" <jjjkkklll@cox.net> wrote in message
    news:pan.2005.09.14.02.39.00.296626@cox.net...
    > On Tue, 13 Sep 2005 21:58:21 -0400, Doug Fox wrote:
    >
    >> Dear List;
    >>
    >> I have installed a D-Link broadband DI-601 router for Internet access.
    >>
    >> I scanned the router using nmap, nessus, and superscan. They could not
    >> identify any open ports. In addition, according to D-Link, all D-Link
    >> routers block all incoming ports.
    >
    > Did you scan from inside or outside?
    >
    >>
    >> In this scenario, is my network safe from DoS,
    > no
    >> DDoS,
    > no
    >> Buffer Overflow,
    > no
    >> teardrop,
    > I can't remember what teardrop is, so I don't know :)
    >> IP spoofing,
    > Only if the connection attempt was initiated from the outside.
    >
    > The blocking at the router protects your internal machine(s) from contact
    > initiated from the outside (a.k.a. the big bad internet). It's an
    > important element of security, but far from the only one.
    >
    > To respond more directly to the title of the post, whether you need a
    > firewall in addition to the router depends on your needs. My firewall
    > blocks all connection attempts from the inside other than the few expected
    > ones (http, smtp, etc.) in addition to not letting anything in from the
    > outside. But I'm just paranoid.
    >
  6. Archived from groups: comp.security.firewalls

    Doug Fox <dfox168@hotmail.com> wrote:
    > I have installed a D-Link broadband DI-601 router for Internet access.
    > I scanned the router using nmap, nessus, and superscan. They could not
    > identify any open ports. In addition, according to D-Link, all D-Link
    > routers block all incoming ports.
    > In this scenario, is my network safe from DoS, DDoS, Buffer Overflow,
    > teardrop, IP spoofing, etc. attacks.

    Your network is safe then from any attacks, which attack servers/daemons
    on your boxes behind that router, if the router does not have any extra
    security holes, which open the possibility again to reach the boxes
    behind the router (i.e. by attacking the stateful handling of protocols
    like FTP).

    This has nothing to do with other types of attacks.

    Yours,
    VB.
    --
    "It cannot be that the frustrated people in Rome decide what happens in
    German bedrooms".
    Harald Schmidt on "World Youth Day"
  7. Archived from groups: comp.security.firewalls

    Kenneth <jjjkkklll@cox.net> wrote:
    > I can't remember what teardrop is, so I don't know :)

    It's a kind of DoS attack, see:

    http://www.cert.org/advisories/CA-1997-28.html

    Yours,
    VB.
    --
    "It cannot be that the frustrated people in Rome decide what happens in
    German bedrooms".
    Harald Schmidt on "World Youth Day"
  8. Archived from groups: comp.security.firewalls

    In article <StadnVonYJZUHrreRVn-vA@rogers.com>, dfox168@hotmail.com
    says...
    > Dear List;
    >
    > I have installed a D-Link broadband DI-601 router for Internet access.
    >
    > I scanned the router using nmap, nessus, and superscan. They could not
    > identify any open ports. In addition, according to D-Link, all D-Link
    > routers block all incoming ports.
    >
    > In this scenario, is my network safe from DoS, DDoS, Buffer Overflow,
    > teardrop, IP spoofing, etc. attacks.
    >
    > Any comments/suggestions are appreciated.

    Your NAT box only protects you from "unsolicited" INBOUND connections.
    What that means is if your machine has some malware on it, a program
    that allows the remote hacker to take control of your PC, that they can
    take control by having the malware contact them, and they can then do
    anything they want.

    In the case of a firewall, if you were properly set up, the malware, even
    using HTTP, would not be able to contact the hacker to get instructions
    (this would be based on not just having a fully open outbound port 80,
    but based on doing content filtering in the http session).

    A NAT box is a very good minimal layer for home users and some small
    offices, but it's not a firewall, it's just a result of how NAT works.

    So, if you want to know if you are protected against all of those
    things, read the vendor's site concerning it.

    --

    spam999free@rrohio.com
    remove 999 in order to email me
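
The distinction drawn in the post above, as an added example that is not part of the original thread: a toy model of a NAT translation table compared with the same gateway using an outbound port allowlist. The `Gateway` class, the addresses and the port numbers are all constructed for illustration and do not describe any vendor's firmware.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Gateway:
    """Toy NAT gateway. egress_ports=None models a plain NAT router (any outbound
    connection allowed); a set of ports models a firewall with an egress allowlist."""
    egress_ports: Optional[frozenset] = None
    # (ext_port, remote_ip, remote_port) -> (lan_ip, lan_port)
    table: dict = field(default_factory=dict)
    next_port: int = 40000

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """LAN host opens a connection. Returns the translated port, or None if blocked."""
        if self.egress_ports is not None and remote_port not in self.egress_ports:
            return None
        ext_port, self.next_port = self.next_port, self.next_port + 1
        self.table[(ext_port, remote_ip, remote_port)] = (lan_ip, lan_port)
        return ext_port

    def inbound(self, remote_ip, remote_port, ext_port):
        """Packet from the Internet. Forwarded to a LAN host only if it answers a
        connection that host opened; otherwise returns None (dropped)."""
        return self.table.get((ext_port, remote_ip, remote_port))

def scenario(gw):
    """Run the thread's cases through a gateway (all addresses are constructed)."""
    host = "192.168.0.10"
    out = {}
    # Unsolicited probe from outside, as seen during an external port scan.
    out["unsolicited_inbound"] = gw.inbound("198.51.100.7", 51000, 445)
    # Each case: the LAN host connects out, then the remote end replies.
    cases = {
        "web_reply": (1025, "203.0.113.20", 80),            # ordinary browsing
        "callback_odd_port": (1026, "203.0.113.66", 6667),  # malware phoning home
        "callback_port_80": (1027, "203.0.113.66", 80),     # malware using HTTP's port
    }
    for name, (lport, rip, rport) in cases.items():
        ext = gw.outbound(host, lport, rip, rport)
        out[name] = gw.inbound(rip, rport, ext) if ext is not None else None
    return out

if __name__ == "__main__":
    for label, gw in [("NAT only", Gateway()),
                      ("egress allowlist", Gateway(frozenset({25, 80, 443})))]:
        print(label, scenario(gw))
```

In both configurations the reply to the port 80 callback reaches the LAN host, which is why the post points to content filtering inside the HTTP session and not only to port rules.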
  9. Archived from groups: comp.security.firewalls

    Not sure if this is the case for this particular type of router that you are
    using, but just in case, ensure that you have changed the password for the
    configuration management for the router from the default one - usually
    'admin' or something like that.
    Some routers are known to be configurable from the outside by a remote
    attacker by trying the default password. With that, the attacker can set up
    the router however he wants and can attack further.

    Sorry that I cannot provide better specifics, but I know that I have read
    about this in the past and have given my router a new password accordingly.

    Martin


    "Leythos" <void@nowhere.lan> wrote in message
    news:MPG.1d91c26ea8ae2d8198a039@news-server.columbus.rr.com...
    > In article <StadnVonYJZUHrreRVn-vA@rogers.com>, dfox168@hotmail.com
    > says...
    > > Dear List;
    > >
    > > I have installed a D-Link broadband DI-601 router for Internet access.
    > >
    > > I scanned the router using nmap, nessus, and superscan. They could not
    > > identify any open ports. In addition, according to D-Link, all D-Link
    > > routers block all incoming ports.
    > >
    > > In this scenario, is my network safe from DoS, DDoS, Buffer Overflow,
    > > teardrop, IP spoofing, etc. attacks.
    > >
    > > Any comments/suggestions are appreciated.
    >
    > Your NAT box only protects you from "unsolicited" INBOUND connections.
    > What that means is if your machine has some malware on it, a program
    > that allows the remote hacker to take control of your PC, that they can
    > take control by having the malware contact them, and they can then do
    > anything they want.
    >
    > In the case of a firewall, if you were properly set up, the malware, even
    > using HTTP, would not be able to contact the hacker to get instructions
    > (this would be based on not just having a fully open outbound port 80,
    > but based on doing content filtering in the http session).
    >
    > A NAT box is a very good minimal layer for home users and some small
    > offices, but it's not a firewall, it's just a result of how NAT works.
    >
    > So, if you want to know if you are protected against all of those
    > things, read the vendor's site concerning it.
    >
    > --
    >
    > spam999free@rrohio.com
    > remove 999 in order to email me
  10. Archived from groups: comp.security.firewalls

    In article <Xns96D0E04B9AD7Enotmenotmecom@204.127.204.17>,
    notme@notme.com says...
    > "Doug Fox" <dfox168@hotmail.com> wrote in news:StadnVonYJZUHrreRVn-
    > vA@rogers.com:
    >
    > > Dear List;
    > >
    > > I have installed a D-Link broadband DI-601 router for Internet access.
    > >
    > > I scanned the router using nmap, nessus, and superscan. They could not
    > > identify any open ports. In addition, according to D-Link, all D-Link
    > > routers block all incoming ports.
    > >
    > > In this scenario, is my network safe from DoS, DDoS, Buffer Overflow,
    > > teardrop, IP spoofing, etc. attacks.
    > >
    > > Any comments/suggestions are appreciated.
    >
    >
    > http://www.homenethelp.com/web/explain/about-NAT.asp
    >
    > The link above talks about basic security using a NAT router for the
    > average home user.
    >
    > Does the router have SPI?
    >
    > Does the router have logging so you can see traffic to/from the router with
    > a log viewer?
    >
    > http://www.sonic.net/wallwatcher/#Routers
    >
    > As long as you don't do high risk things like port forwarding and practice
    > safehex, you should be OK. The router is a good first line of defense.
    >
    > Duane :)
    >
    How does one know if one's router has SP1? I have a Linksys BEFSR41
    version 2 and it is a couple of years old by now.

    Also, wallwatcher looks very interesting. Since I run both the
    router and Sygate, will the wallwatcher logs show me things that
    are blocked by the router and that, therefore, Sygate never knows
    about?

    And...do you know how much of a drain wallwatcher puts on the
    system?

    TIA

    Louise
  11. Archived from groups: comp.security.firewalls

    louise <nospam@nospam.com> wrote in
    news:MPG.1d92307a9490d8ce9896f4@news-server.nyc.rr.com:

    > In article <Xns96D0E04B9AD7Enotmenotmecom@204.127.204.17>,
    > notme@notme.com says...
    >> "Doug Fox" <dfox168@hotmail.com> wrote in news:StadnVonYJZUHrreRVn-
    >> vA@rogers.com:
    >>
    >> > Dear List;
    >> >
    >> > I have installed a D-Link broadband DI-601 router for Internet
    >> > access.
    >> >
    >> > I scanned the router using nmap, nessus, and superscan. They could
    >> > not identify any open ports. In addition, according to D-Link, all
    >> > D-Link routers block all incoming ports.
    >> >
    >> > In this scenario, is my network safe from DoS, DDoS, Buffer
    >> > Overflow, teardrop, IP spoofing, etc. attacks.
    >> >
    >> > Any comments/suggestions are appreciated.
    >>
    >>
    >> http://www.homenethelp.com/web/explain/about-NAT.asp
    >>
    >> The link above talks about basic security using a NAT router for the
    >> average home user.
    >>
    >> Does the router have SPI?
    >>
    >> Does the router have logging so you can see traffic to/from the router
    >> with a log viewer?
    >>
    >> http://www.sonic.net/wallwatcher/#Routers
    >>
    >> As long as you don't do high risk things like port forwarding and
    >> practice safehex, you should be OK. The router is a good first line of
    >> defense.
    >>
    >> Duane :)
    >>
    > How does one know if one's router has SP1? I have a Linksys BEFSR41
    > version 2 and it is a couple of years old by now.

    One goes to the product's Website and looks at the document specs for the
    router at www.linksys.com. My encounter with the Linksys router products,
    on the Admin screens there is a setting to enable or disable SPI at least
    on my BEFW11S4 v1 router I used to have. They removed SPI from the 11S4
    routers. Also, in the product documentation and advertisement of the
    features, most manufacturers for such routers clearly indicate that the
    router has SPI. If you went to the Linksys site and looked at the product
    data sheet for WRT54G, you'll see the mentioning of SPI.

    >
    > Also, wallwatcher looks very interesting. Since I run both the
    > router and Sygate, will the wallwatcher logs show me things that
    > are blocked by the router and that, therefore, Sygate never knows
    > about?

    That's correct; the router is blocking unsolicited inbound traffic that
    will never reach the computer so Sygate will never know about it. In
    addition to that, Wallwatcher will also show all outbound traffic from
    LAN IP(s) behind the router to remote Internet IP(s); since malware can
    circumvent and defeat any personal FW solution, you'll be able to see that
    possible outbound traffic.

    >
    > And...do you know how much of a drain wallwatcher puts on the
    > system?

    It doesn't put any drain on the computer and happily sits in the job tray
    and collects the syslog data that's being broadcasted to it from the
    router. You should review the traffic to/from the router.

    Duane :)
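
One way to do the log review described in the post above, as an added example that is not part of the original thread and is not Wallwatcher's code: it tallies blocked inbound probes and flags outbound connections to ports outside an expected set. The log line format, the addresses and the `EXPECTED_OUT_PORTS` list are assumptions constructed for this example; real router syslog output differs per model.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in an assumed format (not a real router's output).
SAMPLE_LOG = """\
Sep 14 09:58:02 router IN  DROP  tcp 198.51.100.7:51000 -> 192.0.2.1:445
Sep 14 09:58:03 router IN  DROP  tcp 198.51.100.7:51001 -> 192.0.2.1:135
Sep 14 10:01:15 router OUT ALLOW tcp 192.168.0.10:1025 -> 203.0.113.20:80
Sep 14 10:01:40 router OUT ALLOW tcp 192.168.0.10:1030 -> 203.0.113.25:25
Sep 14 10:02:11 router OUT ALLOW tcp 192.168.0.11:1044 -> 203.0.113.66:6667
Sep 14 10:07:11 router OUT ALLOW tcp 192.168.0.11:1049 -> 203.0.113.66:6667
garbled line the parser should skip
"""

LINE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+\S+\s+(?P<dir>IN|OUT)\s+(?P<action>DROP|ALLOW)\s+"
    r"(?P<proto>\w+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Assumption: the outbound services this LAN is expected to use.
EXPECTED_OUT_PORTS = frozenset({25, 53, 80, 443})

def review(log_text, expected=EXPECTED_OUT_PORTS):
    """Return (blocked inbound per remote source,
               unexpected outbound per LAN host,
               number of unparseable lines)."""
    dropped_inbound = Counter()
    unexpected_out = defaultdict(Counter)
    skipped = 0
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            skipped += 1            # never guess at malformed lines; count them
            continue
        if m["dir"] == "IN" and m["action"] == "DROP":
            dropped_inbound[m["src"]] += 1
        elif m["dir"] == "OUT" and int(m["dport"]) not in expected:
            unexpected_out[m["src"]][(m["dst"], int(m["dport"]))] += 1
    return dropped_inbound, {h: dict(c) for h, c in unexpected_out.items()}, skipped

if __name__ == "__main__":
    dropped, unexpected, skipped = review(SAMPLE_LOG)
    print("blocked inbound:", dict(dropped))
    print("unexpected outbound:", unexpected)
    print("unparsed lines:", skipped)
```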
  12. Archived from groups: comp.security.firewalls

    In article <Xns96D1914A8BE3notmenotmecom@216.148.227.77>,
    notme@notme.com says...
    > louise <nospam@nospam.com> wrote in
    > news:MPG.1d92307a9490d8ce9896f4@news-server.nyc.rr.com:
    >
    > > In article <Xns96D0E04B9AD7Enotmenotmecom@204.127.204.17>,
    > > notme@notme.com says...
    > >> "Doug Fox" <dfox168@hotmail.com> wrote in news:StadnVonYJZUHrreRVn-
    > >> vA@rogers.com:
    > >>
    > >> > Dear List;
    > >> >
    > >> > I have installed a D-Link broadband DI-601 router for Internet
    > >> > access.
    > >> >
    > >> > I scanned the router using nmap, nessus, and superscan. They could
    > >> > not identify any open ports. In addition, according to D-Link, all
    > >> > D-Link routers block all incoming ports.
    > >> >
    > >> > In this scenario, is my network safe from DoS, DDoS, Buffer
    > >> > Overflow, teardrop, IP spoofing, etc. attacks.
    > >> >
    > >> > Any comments/suggestions are appreciated.
    > >>
    > >>
    > >> http://www.homenethelp.com/web/explain/about-NAT.asp
    > >>
    > >> The link above talks about basic security using a NAT router for the
    > >> average home user.
    > >>
    > >> Does the router have SPI?
    > >>
    > >> Does the router have logging so you can see traffic to/from the router
    > >> with a log viewer?
    > >>
    > >> http://www.sonic.net/wallwatcher/#Routers
    > >>
    > >> As long as you don't do high risk things like port forwarding and
    > >> practice safehex, you should be OK. The router is a good first line of
    > >> defense.
    > >>
    > >> Duane :)
    > >>
    > > How does one know if one's router has SP1? I have a Linksys BEFSR41
    > > version 2 and it is a couple of years old by now.
    >
    > One goes to the product's Website and looks at the document specs for the
    > router at www.linksys.com. My encounter with the Linksys router products,
    > on the Admin screens there is a setting to enable or disable SPI at least
    > on my BEFW11S4 v1 router I used to have. They removed SPI from the 11S4
    > routers. Also, in the product documentation and advertisement of the
    > features, most manufacturers for such routers clearly indicate that the

    Thanks for your response.

    I checked the Linksys page and they have specs only on the newest
    version, which is version 4 (mine is version 2). They mention
    absolutely nothing about SP1.

    I then went into my router and went through all the settings. I
    saw nothing to enable or disable SP1.

    BTW, I realize I don't know what SP1 is :-)

    Louise
  13. Archived from groups: comp.security.firewalls

    "louise" <nospam@nospam.com> wrote in message
    news:MPG.1d929abda965cf379896f5@news-server.nyc.rr.com...
    >
    > BTW, I realize I don't know what SP1 is :-)
    >
    > Louise

    Try researching SPI...that's spi in lower case...short for stateful protocol
    inspection.