Tek-Tips is the largest IT community on the Internet today!

Is a NAT router secure? 2


Stelios

IS-IT--Management
Oct 24, 2001
17
CY
Hi,

I was wondering if simple broadband routers, having NAT and hacker pattern detection (e.g. 3COM 857), are secure enough?

What attacks should I expect from hackers, by having only the functions mentioned above, on my DSL router?

Should I install a dedicated firewall device (eg. PIX etc.) for a better protection?

And my last question...
How can a hacker bypass a NAT router? (Not looking for any code, only theory.)

Thanks
Stelios

============================
Stelios Agapiou
 
NAT routers are generally secure, but it does depend on a few things: whether there are vulnerable services on it, like SNMP on older firmware revisions, etc. If you have web access to it, make sure the world doesn't have access to the logon screen.

I don't think your internal machines are at risk directly from the internet, but should the router be compromised then it's a different story. Adding a firewall will stop unwanted connections, but you may be able to configure your router to do this anyway.

I have a Netgear DG824 router; this has a built-in firewall, NAT router, and modem, which I've had no problems with. It's not the best by a long way, but it does what it says on the tin.

Unless you have lots of sensitive info that would make someone target you directly I wouldn't worry about it. Hackers looking for a proxy or relay will target a softer target with no protection or knowledge.
 
I think Hondy hit dead center here.

Getting to a given street address [External IP ->WAN], does not help narrow down what specific apartment to then select [Internal IP]. NAT is a mapped directory cross-reference table of open connections.

Hackers only want to deal with soft targets. Test your system for open ports like they would. An open port will dutifully allow passage through its NAT table entry:

(Note: The Ken Kalish link is no longer valid.)

In the event of open vulnerable ports or other unpatched holes, there is another protective layer available on some routers known as SPI. 'Stateful Packet Inspection' (SPI) only allows packets to pass through the firewall if they are traffic associated with a valid session initiated from within the network.

A recent test on my non-SPI router showed the following top 10 scan patterns (over 14 days). All such traffic only made it to my WAN address and died there because of a lack of NAT (open port) mappings:

Alert Description       Events       %   Last Alert
Netbios Scan               769  63.449   9/8/04 10:54:28 AM
SQL Slammer Worm            71   5.858   9/7/04 11:37:55 PM
Beagle backdoor scan        47   3.878   9/8/04 10:51:29 AM
Code Red, Nimda             41   3.383   9/1/04 3:13:11 PM
SQL Server Scan             32   2.640   9/6/04 1:19:06 AM
RPC Scan                    29   2.393   9/4/04 1:08:48 PM
Dameware scan               21   1.733   9/4/04 1:08:48 PM
FTP Scan                    16   1.320   9/3/04 12:35:04 AM
SSH Scan                    14   1.155   9/5/04 3:42:17 PM
Remote Administrator        14   1.155   9/7/04 8:47:19 PM

Vince
_____________________________________________________________
[*** If everyone is thinking alike, then somebody isn't thinking. ***]
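A toy model of the NAT table and SPI behaviour Vince describes above, added here as an illustration and not code from the thread or any router vendor. All addresses and ports are constructed; it shows an unsolicited scan dying at the WAN address, a reply to an inside-initiated session passing, and the difference SPI makes to a packet arriving on a mapped port from a host the LAN never contacted.

```python
# Added example: a simplified stateful NAT table. Addresses use the
# documentation ranges (constructed values, not from the thread).
from dataclasses import dataclass
from typing import Optional, Dict, Tuple

WAN_IP = "203.0.113.10"  # constructed WAN address of the router


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    def __init__(self, wan_ip: str, spi: bool = True):
        self.wan_ip = wan_ip
        self.spi = spi              # stateful packet inspection on/off
        self.next_port = 40000      # next free WAN port for a new session
        # (lan_ip, lan_port, remote_ip, remote_port) -> wan_port
        self.sessions: Dict[Tuple[str, int, str, int], int] = {}
        self.by_wan_port: Dict[int, Tuple[str, int, str, int]] = {}
        # static port forwards (the "open port" case): wan_port -> (lan_ip, lan_port)
        self.forwards: Dict[int, Tuple[str, int]] = {}

    def forward_port(self, wan_port: int, lan_ip: str, lan_port: int) -> None:
        self.forwards[wan_port] = (lan_ip, lan_port)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: create (or reuse) a NAT table entry and rewrite the source."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.sessions:
            self.sessions[key] = self.next_port
            self.by_wan_port[self.next_port] = key
            self.next_port += 1
        return Packet(self.wan_ip, self.sessions[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: return the packet delivered inside, or None if it dies at the WAN."""
        if pkt.dst_port in self.forwards:           # open port: passes regardless
            lan_ip, lan_port = self.forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        entry = self.by_wan_port.get(pkt.dst_port)
        if entry is None:                           # no mapping: scan goes nowhere
            return None
        lan_ip, lan_port, remote_ip, remote_port = entry
        if self.spi and (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None                             # SPI: only the contacted host may reply
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
```

Without SPI, the mapped WAN port accepts packets from any source (full-cone behaviour), which is the extra window SPI closes.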
 
Check out he has some useful info.
ZoneAlarm has a FREE download firewall. Can't be too careful these days.


Rick Harris
SC Dept of Motor Vehicles
Network Operations
 
I'd consider a NAT router extremely secure, as long as the router itself is secure. Hondy touched on this; make sure that public access to the admin interface is limited.

Also, do not use the "DMZ" feature unless you a) need it and b) really know what you're doing. On my Linksys router, the computer in the DMZ is completely open and unprotected. That's what the DMZ is for, in these cases.

Finally, the real difference between a "real" firewall, like the Pix, and a NAT router is that the firewall allows you to block outbound traffic as effectively as inbound. This is good for limiting spyware's ability to send information out.

Personal firewalls also can limit outbound traffic, and I'd definitely recommend one. As netmanrick said, ZoneAlarm is good.
 
Thank you all, the tips you gave me are very valuable.

The reason I mentioned the 3COM router is because this is what we use for our customers.
At home, I use the D-Link DI-704P upgraded to the latest firmware. The only drawback is the SNMP, which is v1, and I don't think this can be changed. It seems to have a lot of functions, e.g. SNMP, Port Forwarding, Filters (MAC, Inbound, Outbound, Domain), routing, DMZ, remote management and Ping blocker.

Is it a proper action to Block WAN ping?

I have tried almost all the port scanning sites and the D-Link router seems to be stealthy. I will do the same when I get the chance to get my hands on a 3COM router.

vop,
how did you get those scan patterns over a period of days?

netmanrick,
I have heard about ZoneAlarm but never used it. A second line of defence wouldn't be any trouble.
Is Sygate firewall similar to ZoneAlarm?

Thanks again

============================
Stelios Agapiou
 
Any PING is looking for feedback (is there a PC at a given IP?). Most PINGs are not likely malicious by intent, but for the sake of any exceptions it is wise to block all PINGs. Besides, they cannot distinguish a router from a PC. Accordingly, pinging a router serves no practical, useful flow-through result that I can think of.

The scan patterns were obtained from a 14-day trial of a tool known as 'Link Logger'. Link Logger is presently only available for Linksys, Netgear, and ZyXEL routers and firewalls.

It was deemed to be very cost effective ($50 max per router) and a very eye-opening experience. It confirmed and showed that all externally generated traffic had its final endpoint at the WAN address (no PC was ever directly scanned). I was able to quickly change my focus to any suspicious outgoing traffic patterns (need for a SW firewall and/or efficiency testing).

Vince
_____________________________________________________________
[*** If everyone is thinking alike, then somebody isn't thinking. ***]
 