Is my router obsolete?

I have a 5 year old Linksys BFSR11 router with the latest firmware. An IT guy at work says that I should replace it since the bad guys have found ways to circumvent its defenses. I doubt it. Even if I use a software firewall like ZA-Free or Comodo, am I vulnerable?

Any opinions?

R.

John Smith

Being behind a device such as that, I take it that hosts on your LAN are privately addressed, which is the very best defense from internet threats. As long as you don't have any sort of port forwarding mechanism enabled, you should be fine.

Dom

Nonsense.

Nonsense as well. Just visiting a website loading an image with URL ftp://someserver.org/someimage.gif%0a%0dPORT%20192,168,0,1,1,189 and your router will most likely fully expose port 445/TCP to the host someserver.org.

Sebastian Gottschalk

Even the latest devices have exploits and can be compromised if you visit the right page on the net and do stupid things.

You should be running a quality AV solution and be using something like Firefox or Opera and using a text based email reader.

Firewalls running on your PC are mostly worthless, the windows firewall being the most worthless of any.

Change your subnet from the default to 192.168.200.1/24, change the password, etc...

Leythos

That is, though not plain wrong, at least questionable. NAT (the mechanism to enable connections between private and public networks) has the purpose to *enable* connections between networks. A firewall, OTOH, is supposed to *block* everything that isn't specifically authorized. Thus a NAT-only device will usually fail-open, whereas a firewall is supposed to fail-close, which is why you do want your router to have at least some firewalling functionality.

Of course this point is sort of moot, because virtually all devices (even low-cost routers) do implement firewall functionality, but I wanted to make clear that you can't rely on just using private addresses to guarantee the security of your LAN.

cu

59cobalt
Ansgar -59cobalt- Wiechers

So, I suppose you'd like to go ahead and demonstrate private destination routing over the internet...

So, these consumer-class routers are now doing application inspection? Thought that was relegated to the high-end IOSes. Certainly is questionable that these low-end devices would display anything more than reflexive socket-based functionality.

Dom

Yes, a nat will usually default to accept, but that still leaves the obstacle of private destination routing over the internet. A more localized threat can exploit default-accept functionality, but a number of factors govern whether that would be at all possible.

Dom

Certainly sounds like "a sort of port forwarding mechanism". Please reference my above statement.

Dom

Bullshit. This is about the router implementing mechanisms to create NAT states based upon high level protocols. In the above example, it assumes that the PORT command belongs to the FTP control session and creates a NAT rule to forward port 445/TCP to the host.

There is no need to use private addresses, since the router does the NAT.

Yes, sadly.

No. Better said: The high-end models rather do it right by implementing a full state machine / transparent proxy, whereas most consumer routers use typically bad heuristics.

Wrong again. Hey, I even got a router that defaults to a full 1:1 NAT mapping with complete forwarding if only 1 client is connected via DHCP.

Sebastian Gottschalk
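To make the FTP-helper argument above concrete, here is an added example (not code from anyone in this thread, and not the firmware of any Linksys or other device) that simulates the two kinds of "NAT helper" being argued about. Both read the same constructed FTP control stream, which is what a browser would send after being told to load ftp://someserver.org/someimage.gif%0a%0dPORT%20192,168,0,1,1,189: the %0a%0d decodes to LF CR, so the injected text lands inside the RETR argument. The heuristic helper pattern-matches PORT anywhere in the stream and opens a pinhole to the LAN host on 1*256+189 = 445/TCP; the state-tracking helper parses CRLF-delimited commands, accepts PORT only as a complete command, only for the control connection's own client address, and never for a privileged port. The LAN address 192.168.0.1 is the one from the thread; the server address 203.0.113.10 (documentation range) and the session contents are assumptions.

```python
import re
from dataclasses import dataclass

CLIENT_IP = "192.168.0.1"      # LAN host from the thread's example
SERVER_IP = "203.0.113.10"     # assumed public address of someserver.org (TEST-NET-3)

# Constructed control-channel traffic for the malicious image URL. The browser
# URL-decodes %0a%0d to LF CR before sending, so "PORT ..." is not its own line.
INJECTED_STREAM = (
    b"USER anonymous\r\n"
    b"PASS guest@\r\n"
    b"TYPE I\r\n"
    b"RETR someimage.gif\n\rPORT 192,168,0,1,1,189\r\n"
)

# Constructed legitimate active-mode session: PORT is a real command and names
# an ephemeral port (200*256+10 = 51210).
LEGIT_STREAM = (
    b"USER anonymous\r\n"
    b"PASS guest@\r\n"
    b"TYPE I\r\n"
    b"PORT 192,168,0,1,200,10\r\n"
    b"RETR someimage.gif\r\n"
)

PORT_RE = re.compile(rb"PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


@dataclass(frozen=True)
class NatMapping:
    """Inbound pinhole: packets from remote_ip are forwarded to lan_ip:lan_port."""
    remote_ip: str
    lan_ip: str
    lan_port: int


def _decode_port(m):
    """Turn the six PORT octets h1,h2,h3,h4,p1,p2 into (ip, p1*256+p2)."""
    ip = ".".join(m.group(i).decode() for i in range(1, 5))
    port = int(m.group(5)) * 256 + int(m.group(6))
    return ip, port


def naive_ftp_helper(stream, client_ip, server_ip):
    """Heuristic helper: opens a mapping for anything in the stream that looks
    like a PORT command, regardless of where it sits or which port it names.
    client_ip is ignored, which is exactly the flaw."""
    return [NatMapping(server_ip, *_decode_port(m)) for m in PORT_RE.finditer(stream)]


def strict_ftp_helper(stream, client_ip, server_ip):
    """State-tracking helper: parses CRLF-delimited commands and accepts PORT
    only as a complete command, for the control connection's own client, on an
    unprivileged port."""
    mappings = []
    for line in stream.split(b"\r\n"):
        if not line:
            continue
        verb, _, arg = line.partition(b" ")
        if verb.upper() != b"PORT":
            continue                      # e.g. the RETR line carrying the injected text
        m = PORT_RE.fullmatch(b"PORT " + arg)
        if m is None:
            continue                      # malformed argument, including stray control chars
        ip, port = _decode_port(m)
        if ip != client_ip:
            continue                      # third-party address: FTP bounce / pinhole for another host
        if port < 1024:
            continue                      # never expose a privileged port (445/TCP, 139/TCP, ...)
        mappings.append(NatMapping(server_ip, ip, port))
    return mappings


if __name__ == "__main__":
    for name, helper in (("naive", naive_ftp_helper), ("strict", strict_ftp_helper)):
        print(name, "injected:", helper(INJECTED_STREAM, CLIENT_IP, SERVER_IP))
        print(name, "legit:   ", helper(LEGIT_STREAM, CLIENT_IP, SERVER_IP))
```

The privileged-port check is the one that still holds if the attacker injects a proper CRLF (%0d%0a) and PORT does become a complete command; the address check is what stops the classic FTP bounce, where the PORT names some other host on the LAN. A production helper would additionally tie the pinhole to the following data-transfer command and tear it down when that transfer ends.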

Usually this is not some option you can access.

Anyway, we can go further and do this without resorting to protocol helpers, e.g. with Adobe Flash:

Connection c = new Connection('someserver.org',80,445,true); c.sendBinaryData(new XML(''));

Now just wait if some time afterwards a server starts listening on port 445, and you're hosed again.

Sebastian Gottschalk

I WAS using the default password and have changed it. Thanks for all the replies.

R.

John Smith

Sebastian Gottschalk wrote in news: snipped-for-privacy@mid.dfncis.de:

So, do you think Herr Gottschalk has emotional problems, or what?

A.

Anchovie

You think I was complaining from personal experience against me or what? The first one doesn't apply to me (I have no such f***ed up FTP NAT helper) and the second one was actually a quite good thing, since technically correct and fully reasonable (since NAT is supposed to achieve connectivity).

I'm just fed up about all those stupid guys appearing here and claiming that a router would be any security device or measure.

Sebastian Gottschalk

I have a BEFSR41 that I still use with no FW software and never have any problems.

kingthorin
