Is my router obsolete? - Firewalls
-
Is my router obsolete?
I have a 5 year old Linksys BFSR11 router with the latest firmware.
An IT guy at work says that I should replace it since the bad guys have
found ways to circumvent its defenses. I doubt it.
Even if I use a software firewall like ZA-Free or Comodo, am I vulnerable?
Any opinions?
R.
-
Re: Is my router obsolete?
On Fri, 2007-02-16 at 18:50 -0600, John Smith wrote:
> I have a 5 year old Linksys BFSR11 router with the latest firmware.
> An IT guy at work says that I should replace it since the bad guys have
> found ways to circumvent its defenses. I doubt it.
> Even if I use a software firewall like ZA-Free or Comodo, am I vulnerable?
Being behind a device such as that, I take it that hosts on your lan are
privately addressed, which is the very best defense from internet
threats. Long as you don't have any sort of port forwarding mechanism
enabled, you should be fine.
-
Re: Is my router obsolete?
Dom wrote:
> On Fri, 2007-02-16 at 18:50 -0600, John Smith wrote:
>> I have a 5 year old Linksys BFSR11 router with the latest firmware.
>> An IT guy at work says that I should replace it since the bad guys have
>> found ways to circumvent its defenses. I doubt it.
>> Even if I use a software firewall like ZA-Free or Comodo, am I vulnerable?
>
> Being behind a device such as that, I take it that hosts on your lan are
> privately addressed, which is the very best defense from internet
> threats.
Nonsense.
> Long as you don't have any sort of port forwarding mechanism
> enabled, you should be fine.
Nonsense as well. Just visiting a website loading an image with URL
ftp://someserver.org/someimage.gif%0...,168,0,1,1,189 and your
router will most likely fully expose port 445/TCP to the host
someserver.org.
-
Re: Is my router obsolete?
On Fri, 16 Feb 2007 18:50:44 -0600, John Smith wrote:
>
> I have a 5 year old Linksys BFSR11 router with the latest firmware.
> An IT guy at work says that I should replace it since the bad guys have
> found ways to circumvent its defenses. I doubt it.
> Even if I use a software firewall like ZA-Free or Comodo, am I vulnerable?
>
> Any opinions?
Even the latest devices have exploits and can be compromised if you visit
the right page on the net and do stupid things.
You should be running a quality AV solution and be using something like
FireFox or Opera and using a text based email reader.
Firewalls running on your PC are mostly worthless, the windows firewall
being the most worthless of any.
Change your subnet from the default to 192.168.200.1/24, change the
password, etc...
--
Leythos
spam999free@rrohio.com (remove 999 for proper email address)
-
Re: Is my router obsolete?
Dom wrote:
> On Fri, 2007-02-16 at 18:50 -0600, John Smith wrote:
>> I have a 5 year old Linksys BFSR11 router with the latest firmware.
>> An IT guy at work says that I should replace it since the bad guys
>> have found ways to circumvent its defenses. I doubt it.
>> Even if I use a software firewall like ZA-Free or Comodo, am I
>> vulnerable?
>
> Being behind a device such as that, I take it that hosts on your lan
> are privately addressed, which is the very best defense from internet
> threats. Long as you don't have any sort of port forwarding mechanism
> enabled, you should be fine.
That is, though not plain wrong, at least questionable. NAT (the
mechanism to enable connections between private and public networks) has
the purpose to *enable* connections between networks. A Firewall OTOH is
supposed to *block* everything that isn't specifically authorized. Thus
a NAT-only device will usually fail-open, whereas a firewall is supposed
to fail-close, which is why you do want your router to have at least
some firewalling functionality.
Of course this point is sort of moot, because virtually all devices
(even low-cost routers) do implement firewall functionality, but I
wanted to make clear that you can't rely on just using private addresses
to guarantee the security of your LAN.
cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
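The fail-open versus fail-closed distinction Ansgar draws above can be made concrete with a small simulation. The following is an added illustration written for this thread, not code from any router vendor or from the poster: a NAT-only device (including the full 1:1 mapping case) forwards any inbound packet it can translate, while a stateful firewall on the same NAT drops inbound traffic unless it answers a tracked outbound flow or matches an explicit forward rule. All addresses, ports and class names are constructed for the example.

```python
"""Toy model of the NAT-only 'fail-open' vs. firewall 'fail-closed' behaviour.

Added illustration for this thread, not code from any router or from the
poster. Two simplified devices share a constructed public address:
  * NatOnly translates addresses and forwards any inbound packet it can map,
    including through a static 1:1 mapping (as with a single DHCP client);
  * StatefulFirewall sits on top of the same NAT but default-denies inbound
    traffic unless it answers a tracked outbound flow or matches an explicit
    forward rule.
All addresses and ports below are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class NatOnly:
    """Address translation only: it has no concept of 'unsolicited'."""

    def __init__(self, public_ip, one_to_one=None):
        self.public_ip = public_ip
        self.one_to_one = one_to_one   # private host behind a full 1:1 mapping, or None
        self.table = {}                # public port -> (private ip, private port)

    def outbound(self, pkt):
        # Record the translation so the reply can be mapped back (port preserved).
        self.table[pkt.sport] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, pkt.sport, pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt):
        target = self.table.get(pkt.dport)
        if target is None and self.one_to_one is not None:
            target = (self.one_to_one, pkt.dport)   # 1:1 NAT: everything goes through
        if target is None:
            return None                             # nowhere to translate it to
        return Packet(pkt.src, pkt.sport, target[0], target[1], pkt.proto)


class StatefulFirewall:
    """Default-deny filter in front of a NAT: inbound needs state or a rule."""

    def __init__(self, public_ip, forwards=None):
        self.nat = NatOnly(public_ip)
        self.forwards = dict(forwards or {})  # public port -> (private ip, private port)
        self.flows = set()                    # (proto, remote ip, remote port, local ip, local port)

    def outbound(self, pkt):
        self.flows.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return self.nat.outbound(pkt)

    def inbound(self, pkt):
        if pkt.dport in self.forwards:            # explicitly authorised port forward
            ip, port = self.forwards[pkt.dport]
            return Packet(pkt.src, pkt.sport, ip, port, pkt.proto)
        translated = self.nat.inbound(pkt)
        if translated is None:
            return None
        key = (pkt.proto, pkt.src, pkt.sport, translated.dst, translated.dport)
        return translated if key in self.flows else None   # reply to a tracked flow only


def run_scenario():
    """Return, per device, whether a legitimate reply and an unsolicited SYN get through."""
    lan_host, public = "192.168.0.2", "203.0.113.10"
    web, stranger = "198.51.100.7", "198.51.100.9"
    devices = {
        "nat_only": NatOnly(public, one_to_one=lan_host),   # single client, full 1:1 NAT
        "firewall": StatefulFirewall(public),
    }
    results = {}
    for name, dev in devices.items():
        out = dev.outbound(Packet(lan_host, 51000, web, 80))            # LAN host browses the web
        reply = dev.inbound(Packet(web, 80, out.src, out.sport))         # server answers
        unsolicited = dev.inbound(Packet(stranger, 40000, public, 445))  # nobody asked for this
        results[name] = {
            "reply_delivered": reply is not None and reply.dst == lan_host,
            "unsolicited_delivered": unsolicited is not None,
        }
    return results


if __name__ == "__main__":
    for name, r in run_scenario().items():
        print(f"{name:9s} reply={r['reply_delivered']} unsolicited={r['unsolicited_delivered']}")
```

Both devices let the web reply back in; only the NAT-only device also delivers the unsolicited connection to port 445, because a translation exists and nothing asks whether the traffic was invited. The firewall reaches a LAN host from outside only through a rule someone configured on purpose, which is the "fail-closed" property the post is after.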
-
Re: Is my router obsolete?
> Dom wrote:
> > Being behind a device such as that, I take it that hosts on your lan are
> > privately addressed, which is the very best defense from internet
> > threats.
> > Long as you don't have any sort of port forwarding mechanism
> > enabled, you should be fine.
Sebastian Gottschalk wrote:
> Nonsense as well. Just visiting a website loading an image with URL
> ftp://someserver.org/someimage.gif%0...,168,0,1,1,189 and your
> router will most likely fully expose port 445/TCP to the host
> someserver.org.
So, I suppose you'd like to go ahead and demonstrate private destination
routing over the internet...
So, these consumer-class routers are now doing application inspection?
Thought that was relegated to the high-end IOSes. Certainly is
questionable that these low-end devices would display anything more than
reflexive socket-based functionality.
-
Re: Is my router obsolete?
Ansgar -59cobalt- Wiechers wrote:
> That is, though not plain wrong, at least questionable. NAT (the
> mechanism to enable connections between private and public networks) has
> the purpose to *enable* connections between networks. A Firewall OTOH is
> supposed to *block* everything that isn't specifically authorized. Thus
> a NAT-only device will usually fail-open, whereas a firewall is supposed
> to fail-close, which is why you do want your router to have at least
> some firewalling functionality.
>
> Of course this point is sort of moot, because virtually all devices
> (even low-cost routers) do implement firewall functionality, but I
> wanted to make clear that you can't rely on just using private addresses
> to guarantee the security of your LAN.
Yes, a nat will usually default to accept, but that still leaves the
obstacle of private destination routing over the internet. A more
localized threat can exploit default-accept functionality, but a number
of factors govern whether that would be at all possible.
-
Re: Is my router obsolete?
> Dom wrote:
> > Long as you don't have any sort of port forwarding mechanism
> > enabled, you should be fine.
On Sat, 2007-02-17 at 10:50 +0100, Sebastian Gottschalk wrote:
> Nonsense as well. Just visiting a website loading an image with URL
> ftp://someserver.org/someimage.gif%0...,168,0,1,1,189 and your
> router will most likely fully expose port 445/TCP to the host
> someserver.org.
Certainly sounds like "a sort of port forwarding mechanism". Please
reference my above statement.
-
Re: Is my router obsolete?
Dom wrote:
>> Dom wrote:
>>> Being behind a device such as that, I take it that hosts on your lan are
>>> privately addressed, which is the very best defense from internet
>>> threats.
>>> Long as you don't have any sort of port forwarding mechanism
>>> enabled, you should be fine.
>
> Sebastian Gottschalk wrote:
>> Nonsense as well. Just visiting a website loading an image with URL
>> ftp://someserver.org/someimage.gif%0...,168,0,1,1,189 and your
>> router will most likely fully expose port 445/TCP to the host
>> someserver.org.
>
> So, I suppose you'd like to go ahead and demonstrate private destination
> routing over the internet...
Bull****. This is about the router implementing mechanisms to create NAT
states based upon high level protocols. In the above example, it assumes
that the PORT command belongs to the FTP control session and creates a NAT
rule to forward port 445/TCP to the host.
There is no need to use private addresses, since the router does the NAT.
> So, these consumer-class routers are now doing application inspection?
Yes, sadly.
> Thought that was relegated to the high-end IOSes.
No. Better said: The high-end models rather do it right by implementing a
full state machine / transparent proxy, whereas most consumer routers use
typically bad heuristics.
> Certainly is
> questionable that these low-end devices would display anything more than
> reflexive socket-based functionality.
Wrong again. Hey, I even got a router that defaults to a full 1:1 NAT
mapping with complete forwarding if only 1 client is connected via DHCP.
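The "bad heuristics" versus "full state machine" contrast Sebastian makes is easiest to see by putting a naive FTP NAT helper next to a validating one. The code below is an added illustration for this thread, not firmware from any router and not the poster's code; the check list in the strict helper is my own, and the client/server addresses and control-channel payloads are constructed samples.

```python
"""Toy FTP NAT helper (application-layer gateway), added as an illustration of
the PORT-command pinhole described in the thread. It is not code from any
router; the check list is mine and the addresses are constructed samples.

An active-mode FTP client tells the server where to connect with
    PORT h1,h2,h3,h4,p1,p2        (port = p1*256 + p2)
so a NAT helper watching the control channel must open an inbound pinhole to
that address/port, otherwise active FTP breaks behind NAT. The naive helper
below trusts any PORT-looking text; the strict one only acts on a complete
control-channel line, requires the advertised address to be the NATed
client's own, refuses service ports (such as 445), and makes the pinhole
single-use.
"""
import re

PORT_CMD = re.compile(rb"PORT (\d{1,3}(?:,\d{1,3}){5})")
PRIVILEGED_PORT_LIMIT = 1024


def decode_port_args(arg: bytes):
    """Turn b'h1,h2,h3,h4,p1,p2' into (ip, port); raise ValueError if malformed."""
    fields = [int(f) for f in arg.split(b",")]
    if len(fields) != 6 or any(not 0 <= f <= 255 for f in fields):
        raise ValueError("malformed PORT argument")
    return ".".join(str(f) for f in fields[:4]), fields[4] * 256 + fields[5]


def naive_alg(payload: bytes, client_ip: str, server_ip: str):
    """Heuristic helper: the first PORT-looking text anywhere opens a pinhole."""
    m = PORT_CMD.search(payload)
    if m is None:
        return None
    ip, port = decode_port_args(m.group(1))
    return {"allow_from": server_ip, "to": ip, "port": port}


def strict_alg(payload: bytes, client_ip: str, server_ip: str):
    """Validating helper: one decision (pinhole, reason) per complete PORT line.

    Bytes after the last CRLF are an incomplete line and are not examined.
    """
    decisions = []
    for line in payload.split(b"\r\n")[:-1]:
        if not line.startswith(b"PORT "):
            continue                                   # some other FTP command
        m = PORT_CMD.fullmatch(line)
        if m is None:
            decisions.append((None, "malformed PORT line"))
            continue
        try:
            ip, port = decode_port_args(m.group(1))
        except ValueError as exc:
            decisions.append((None, str(exc)))
            continue
        if ip != client_ip:
            decisions.append((None, "advertised address is not the NATed client"))
        elif port < PRIVILEGED_PORT_LIMIT:
            decisions.append((None, "advertised port is a privileged/service port"))
        else:
            decisions.append(({"allow_from": server_ip, "to": ip, "port": port,
                               "single_use": True}, None))
    return decisions


# Constructed sample control-channel payloads as the helper would see them.
CLIENT_IP = "192.168.0.2"       # the NATed LAN host
SERVER_IP = "198.51.100.7"      # the remote FTP server
LEGIT = b"PORT 192,168,0,2,195,80\r\n"                          # 195*256+80 = 50000
SMUGGLED = b"RETR someimage.gif\r\nPORT 192,168,0,2,1,189\r\n"  # 1*256+189 = 445


def compare():
    """Run both helpers over both payloads and return the pinholes they would open."""
    return {
        "naive_legit": naive_alg(LEGIT, CLIENT_IP, SERVER_IP),
        "naive_smuggled": naive_alg(SMUGGLED, CLIENT_IP, SERVER_IP),
        "strict_legit": strict_alg(LEGIT, CLIENT_IP, SERVER_IP),
        "strict_smuggled": strict_alg(SMUGGLED, CLIENT_IP, SERVER_IP),
    }


if __name__ == "__main__":
    for name, outcome in compare().items():
        print(name, outcome)
```

The naive helper opens the same pinhole for the legitimate command and for the PORT line smuggled in behind another command, and it would happily point that pinhole at port 445. The strict helper accepts the legitimate ephemeral-port case and rejects the smuggled one on the port check alone; the address check would additionally catch a PORT line naming some other LAN host. A helper that tracks the real FTP state machine (greeting, login, one data connection per transfer) has more such checks, which is the difference between "transparent proxy" and "heuristic" the post describes.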
-
Re: Is my router obsolete?
Dom wrote:
>> Dom wrote:
>>> Long as you don't have any sort of port forwarding mechanism
>>> enabled, you should be fine.
>
> On Sat, 2007-02-17 at 10:50 +0100, Sebastian Gottschalk wrote:
>> Nonsense as well. Just visiting a website loading an image with URL
>> ftp://someserver.org/someimage.gif%0...,168,0,1,1,189 and your
>> router will most likely fully expose port 445/TCP to the host
>> someserver.org.
>
> Certainly sounds like "a sort of port forwarding mechanism". Please
> reference my above statement.
Usually this is not some option you can access.
Anyway, we can go further and do this without resorting to protocol
helpers, f.e. with Adobe Flash:
Connection c = new Connection('someserver.org',80,445,true);
c.sendBinaryData(new XML(''));
Now just wait if some time afterwards a server starts listening on port
445, and you're hosed again.
-
Re: Is my router obsolete?
"John Smith" wrote in message
news:45d6515c$0$28108$4c368faf@roadrunner.com...
>I have a 5 year old Linksys BFSR11 router with the latest firmware.
> An IT guy at work says that I should replace it since the bad guys have
> found ways to circumvent its defenses. I doubt it.
> Even if I use a software firewall like ZA-Free or Comodo, am I vulnerable?
>
> Any opinions?
>
> R.
I WAS using the default password and have changed it.
Thanks for all the replies.
R.
-
Re: Is my router obsolete?
Sebastian Gottschalk wrote in
news:53q9s8F1tnobvU1@mid.dfncis.de:
>
> Bull****. This is about the router implementing mechanisms to create
> NAT states based upon high level protocols. In the above example, it
> assumes that the PORT command belongs to the FTP control session and
> creates a NAT rule to forward port 445/TCP to the host.
>
> Wrong again. Hey, I even got a router that defaults to a full 1:1 NAT
> mapping with complete forwarding if only 1 client is connected via
> DHCP.
>
So, do you think Herr Gottschalk has emotional problems, or what?
A.
-
Re: Is my router obsolete?
Anchovie wrote:
> Sebastian Gottschalk wrote in
> news:53q9s8F1tnobvU1@mid.dfncis.de:
>
>>
>> Bull****. This is about the router implementing mechanisms to create
>> NAT states based upon high level protocols. In the above example, it
>> assumes that the PORT command belongs to the FTP control session and
>> creates a NAT rule to forward port 445/TCP to the host.
>>
>> Wrong again. Hey, I even got a router that defaults to a full 1:1 NAT
>> mapping with complete forwarding if only 1 client is connected via
>> DHCP.
>>
>
> So, do you think Herr Gottschalk has emotional problems, or what?
You think I was complaining from personal experience against me or what?
The first one doesn't apply to me (I have no such ****ed up FTP NAT helper)
and the second one was actually a quite good thing, since technically
correct and fully reasonable (since NAT is supposed to achieve
connectivity).
I'm just fed up about all those stupid guys appearing here and claiming
that a router would be any security device or measure.
-
Re: Is my router obsolete?
On Feb 16, 7:50 pm, "John Smith" wrote:
> I have a 5 year old Linksys BFSR11 router with the latest firmware.
> An IT guy at work says that I should replace it since the bad guys have
> found ways to circumvent its defenses. I doubt it.
> Even if I use a software firewall like ZA-Free or Comodo, am I vulnerable?
>
> Any opinions?
>
> R.
I have a BEFSR41 that I still use with no FW software and never have
any problems.