Is my router obsolete? - Firewalls


  1. Is my router obsolete?

    I have a 5 year old Linksys BFSR11 router with the latest firmware.
    An IT guy at work says that I should replace it since the bad guys have
    found ways to circumvent its defenses. I doubt it.
    Even if I use a software firewall like ZA-Free or Comodo, am I vulnerable?

    Any opinions?

    R.



  2. Re: Is my router obsolete?

    On Fri, 2007-02-16 at 18:50 -0600, John Smith wrote:
    > I have a 5 year old Linksys BFSR11 router with the latest firmware.
    > An IT guy at work says that I should replace it since the bad guys have
    > found ways to circumvent its defenses. I doubt it.
    > Even if I use a software firewall like ZA-Free or Comodo, am I vulnerable?


    Being behind a device such as that, I take it that hosts on your lan are
    privately addressed, which is the very best defense from internet
    threats. Long as you don't have any sort of port forwarding mechanism
    enabled, you should be fine.


  3. Re: Is my router obsolete?

    Dom wrote:

    > On Fri, 2007-02-16 at 18:50 -0600, John Smith wrote:
    >> I have a 5 year old Linksys BFSR11 router with the latest firmware.
    >> An IT guy at work says that I should replace it since the bad guys have
    >> found ways to circumvent its defenses. I doubt it.
    >> Even if I use a software firewall like ZA-Free or Comodo, am I vulnerable?

    >
    > Being behind a device such as that, I take it that hosts on your lan are
    > privately addressed, which is the very best defense from internet
    > threats.


    Nonsense.

    > Long as you don't have any sort of port forwarding mechanism
    > enabled, you should be fine.


    Nonsense as well. Just visiting a website loading an image with URL
    ftp://someserver.org/someimage.gif%0...,168,0,1,1,189 and your
    router will most likely fully expose port 445/TCP to the host
    someserver.org.

  4. Re: Is my router obsolete?

    On Fri, 16 Feb 2007 18:50:44 -0600, John Smith wrote:
    >
    > I have a 5 year old Linksys BFSR11 router with the latest firmware.
    > An IT guy at work says that I should replace it since the bad guys have
    > found ways to circumvent its defenses. I doubt it.
    > Even if I use a software firewall like ZA-Free or Comodo, am I vulnerable?
    >
    > Any opinions?


    Even the latest devices have exploits and can be compromised if you visit
    the right page on the net and do stupid things.

    You should be running a quality AV solution and be using something like
    FireFox or Opera and using a text based email reader.

    Firewalls running on your PC are mostly worthless, the windows firewall
    being the most worthless of any.

    Change your subnet from the default to 192.168.200.1/24, change the
    password, etc...


    --
    Leythos
    spam999free@rrohio.com (remove 999 for proper email address)

  5. Re: Is my router obsolete?

    Dom wrote:
    > On Fri, 2007-02-16 at 18:50 -0600, John Smith wrote:
    >> I have a 5 year old Linksys BFSR11 router with the latest firmware.
    >> An IT guy at work says that I should replace it since the bad guys
    >> have found ways to circumvent its defenses. I doubt it.
    >> Even if I use a software firewall like ZA-Free or Comodo, am I
    >> vulnerable?

    >
    > Being behind a device such as that, I take it that hosts on your lan
    > are privately addressed, which is the very best defense from internet
    > threats. Long as you don't have any sort of port forwarding mechanism
    > enabled, you should be fine.


    That is, though not plain wrong, at least questionable. NAT (the
    mechanism to enable connections between private and public networks) has
    the purpose to *enable* connections between networks. A Firewall OTOH is
    supposed to *block* everything that isn't specifically authorized. Thus
    a NAT-only device will usually fail-open, whereas a firewall is supposed
    to fail-close, which is why you do want your router to have at least
    some firewalling functionality.

    Of course this point is sort of moot, because virtually all devices
    (even low-cost routers) do implement firewall functionality, but I
    wanted to make clear that you can't rely on just using private addresses
    to guarantee the security of your LAN.

    cu
    59cobalt
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich

  6. Re: Is my router obsolete?

    > Dom wrote:
    > > Being behind a device such as that, I take it that hosts on your lan are
    > > privately addressed, which is the very best defense from internet
    > > threats.
    > > Long as you don't have any sort of port forwarding mechanism
    > > enabled, you should be fine.


    Sebastian Gottschalk wrote:
    > Nonsense as well. Just visiting a website loading an image with URL
    > ftp://someserver.org/someimage.gif%0...,168,0,1,1,189 and your
    > router will most likely fully expose port 445/TCP to the host
    > someserver.org.


    So, I suppose you'd like to go ahead and demonstrate private destination
    routing over the internet...

    So, these consumer-class routers are now doing application inspection?
    Thought that was relegated to the high-end IOSes. Certainly is
    questionable that these low-end devices would display anything more than
    reflexive socket-based functionality.


  7. Re: Is my router obsolete?

    Ansgar -59cobalt- Wiechers wrote:
    > That is, though not plain wrong, at least questionable. NAT (the
    > mechanism to enable connections between private and public networks) has
    > the purpose to *enable* connections between networks. A Firewall OTOH is
    > supposed to *block* everything that isn't specifically authorized. Thus
    > a NAT-only device will usually fail-open, whereas a firewall is supposed
    > to fail-close, which is why you do want your router to have at least
    > some firewalling functionality.
    >
    > Of course this point is sort of moot, because virtually all devices
    > (even low-cost routers) do implement firewall functionality, but I
    > wanted to make clear that you can't rely on just using private addresses
    > to guarantee the security of your LAN.


    Yes, a nat will usually default to accept, but that still leaves the
    obstacle of private destination routing over the internet. A more
    localized threat can exploit default-accept functionality, but a number
    of factors govern whether that would be at all possible.


  8. Re: Is my router obsolete?

    > Dom wrote:
    > > Long as you don't have any sort of port forwarding mechanism
    > > enabled, you should be fine.


    On Sat, 2007-02-17 at 10:50 +0100, Sebastian Gottschalk wrote:
    > Nonsense as well. Just visiting a website loading an image with URL
    > ftp://someserver.org/someimage.gif%0...,168,0,1,1,189 and your
    > router will most likely fully expose port 445/TCP to the host
    > someserver.org.


    Certainly sounds like "a sort of port forwarding mechanism". Please
    reference my above statement.


  9. Re: Is my router obsolete?

    Dom wrote:

    >> Dom wrote:
    >>> Being behind a device such as that, I take it that hosts on your lan are
    >>> privately addressed, which is the very best defense from internet
    >>> threats.
    >>> Long as you don't have any sort of port forwarding mechanism
    >>> enabled, you should be fine.

    >
    > Sebastian Gottschalk wrote:
    >> Nonsense as well. Just visiting a website loading an image with URL
    >> ftp://someserver.org/someimage.gif%0...,168,0,1,1,189 and your
    >> router will most likely fully expose port 445/TCP to the host
    >> someserver.org.

    >
    > So, I suppose you'd like to go ahead and demonstrate private destination
    > routing over the internet...


    Bull****. This is about the router implementing mechanisms to create NAT
    states based upon high level protocols. In the above example, it assumes
    that the PORT command belongs to the FTP control session and creates a NAT
    rule to forward port 445/TCP to the host.

    There is no need to use private addresses, since the router does the NAT.

    > So, these consumer-class routers are now doing application inspection?


    Yes, sadly.

    > Thought that was relegated to the high-end IOSes.


    No. Better said: The high-end models rather do it right by implementing a
    full state machine / transparent proxy, whereas most consumer routers use
    typically bad heuristics.

    > Certainly is
    > questionable that these low-end devices would display anything more than
    > reflexive socket-based functionality.


    Wrong again. Hey, I even got a router that defaults to a full 1:1 NAT
    mapping with complete forwarding if only 1 client is connected via DHCP.
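    The check a NAT helper should make before trusting a PORT command seen in an FTP control session, as an added illustration of the point above (this is example code written for this thread, not firmware from any router mentioned here). It assumes the full tuple behind the quoted "...,168,0,1,1,189" starts with 192 (a constructed sample); RFC 959 encodes the port as p1*256+p2, so 1,189 is port 445.

```python
import ipaddress
import re

# RFC 959 active-mode command: PORT h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)

# Lowest port a client would normally hand out for a data channel; anything
# below this is a well-known service port (445/TCP = SMB), not an FTP data port.
EPHEMERAL_MIN = 1024


def parse_port_command(line):
    """Return (ip, port) from a PORT line, or None if it is malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    ip = str(ipaddress.IPv4Address(".".join(str(o) for o in octets[:4])))
    return ip, octets[4] * 256 + octets[5]


def alg_should_open(line, client_ip):
    """Decide whether a NAT/firewall FTP helper may create a pinhole for this
    PORT command. A careful helper ties the requested address to the client
    that owns the control session and refuses non-ephemeral ports, instead of
    forwarding whatever tuple appears on the wire."""
    parsed = parse_port_command(line)
    if parsed is None:
        return False, "not a well-formed PORT command"
    ip, port = parsed
    if ip != client_ip:
        return False, f"PORT address {ip} is not the control-session client {client_ip}"
    if port < EPHEMERAL_MIN:
        return False, f"PORT requests privileged port {port}, not an ephemeral data port"
    return True, f"open {ip}:{port} for the duration of the data transfer"


def audit_control_stream(stream, client_ip):
    """Scan a captured control-channel text for PORT lines and return one
    (line, allowed, reason) tuple per command. Injected lines (e.g. a PORT
    smuggled into a filename via an encoded newline) show up here as well."""
    results = []
    for raw in stream.splitlines():
        if raw.upper().startswith("PORT "):
            allowed, reason = alg_should_open(raw, client_ip)
            results.append((raw.strip(), allowed, reason))
    return results
```

Constructed sample: `audit_control_stream("RETR someimage.gif\r\nPORT 192,168,0,1,1,189\r\n", "192.168.0.1")` returns a single refused entry for port 445.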

  10. Re: Is my router obsolete?

    Dom wrote:

    >> Dom wrote:
    >>> Long as you don't have any sort of port forwarding mechanism
    >>> enabled, you should be fine.

    >
    > On Sat, 2007-02-17 at 10:50 +0100, Sebastian Gottschalk wrote:
    >> Nonsense as well. Just visiting a website loading an image with URL
    >> ftp://someserver.org/someimage.gif%0...,168,0,1,1,189 and your
    >> router will most likely fully expose port 445/TCP to the host
    >> someserver.org.

    >
    > Certainly sounds like "a sort of port forwarding mechanism". Please
    > reference my above statement.


    Usually this is not some option you can access.

    Anyway, we can go further and do this without resorting to protocol
    helpers, e.g. with Adobe Flash:

    Connection c = new Connection('someserver.org',80,445,true);
    c.sendBinaryData(new XML(''));

    Now just wait if some time afterwards a server starts listening on port
    445, and you're hosed again.

  11. Re: Is my router obsolete?


    "John Smith" wrote in message
    news:45d6515c$0$28108$4c368faf@roadrunner.com...
    >I have a 5 year old Linksys BFSR11 router with the latest firmware.
    > An IT guy at work says that I should replace it since the bad guys have
    > found ways to circumvent its defenses. I doubt it.
    > Even if I use a software firewall like ZA-Free or Comodo, am I vulnerable?
    >
    > Any opinions?
    >
    > R.


    I WAS using the default password and have changed it.
    Thanks for all the replies.

    R.



  12. Re: Is my router obsolete?

    Sebastian Gottschalk wrote in
    news:53q9s8F1tnobvU1@mid.dfncis.de:

    >
    > Bull****. This is about the router implementing mechanisms to create
    > NAT states based upon high level protocols. In the above example, it
    > assumes that the PORT command belongs to the FTP control session and
    > creates a NAT rule to forward port 445/TCP to the host.
    >
    > Wrong again. Hey, I even got a router that defaults to a full 1:1 NAT
    > mapping with complete forwarding if only 1 client is connected via
    > DHCP.
    >


    So, do you think Herr Gottschalk has emotional problems, or what?

    A.

  13. Re: Is my router obsolete?

    Anchovie wrote:

    > Sebastian Gottschalk wrote in
    > news:53q9s8F1tnobvU1@mid.dfncis.de:
    >
    >>
    >> Bull****. This is about the router implementing mechanisms to create
    >> NAT states based upon high level protocols. In the above example, it
    >> assumes that the PORT command belongs to the FTP control session and
    >> creates a NAT rule to forward port 445/TCP to the host.
    >>
    >> Wrong again. Hey, I even got a router that defaults to a full 1:1 NAT
    >> mapping with complete forwarding if only 1 client is connected via
    >> DHCP.
    >>

    >
    > So, do you think Herr Gottschalk has emotional problems, or what?


    You think I was complaining from personal experience against me or what?
    The first one doesn't apply to me (I have no such ****ed up FTP NAT helper)
    and the second one was actually a quite good thing, since technically
    correct and fully reasonable (since NAT is supposed to achieve
    connectivity).

    I'm just fed up about all those stupid guys appearing here and claiming
    that a router would be any security device or measure.

  14. Re: Is my router obsolete?

    On Feb 16, 7:50 pm, "John Smith" wrote:
    > I have a 5 year old Linksys BFSR11 router with the latest firmware.
    > An IT guy at work says that I should replace it since the bad guys have
    > found ways to circumvent its defenses. I doubt it.
    > Even if I use a software firewall like ZA-Free or Comodo, am I vulnerable?
    >
    > Any opinions?
    >
    > R.


    I have a BEFSR41 that I still use with no FW software and never have
    any problems.
