Fedora Linux Support Community & Resources Center

  #1  
24th January 2010, 06:08 AM
joe.pelayo (An ape descendant)
Join Date: Dec 2006
Location: Mexico City
Age: 29
Posts: 3,101
Nested networks

Hello everybody.

I have a question regarding network security. Just today I configured a wired network in my room (there is another network, wireless, in the apartment) and would like to know exactly how secure my machines are. Here is the setup:

Wireless router "A" receives the Internet signal from ADSL.
Wired router "B" is connected to one of "A"'s Ethernet ports.
My machines are connected through Ethernet cables to "B".

My questions are:

Since routers have firewalls built-in, are my machines protected by some sort of double wall?
I bought router "B" a while back and let's just say its firmware is somewhat old; is this a problem security-wise?

Thanks,
Joe.
__________________
Notebook: Acer Aspire 5536-5112.
AMD Athlon X2 QL64 @ 2.1GHz, 4GB DDR2 PC2-5300, ATI Radeon HD3200 (256MB), 250GB Toshiba HDD, HL-DT-ST DVDRAM GT20N
Fedora 16 x86_64

Netbook: Acer Aspire One A150
Intel Atom N270 @ 1.6GHz, 1.5 GB DDR2 PC2-4200, Intel Graphics (8MB?), 160GB Seagate HDD
Fedora 15 i686
  #2  
24th January 2010, 01:39 PM
Evil_Bert (Retired Again - Administrator)
Join Date: Nov 2007
Location: Reality
Posts: 3,034
Quote:
Originally Posted by joe.pelayo
Since routers have firewalls built-in, are my machines protected by some sort of double wall?
Some routers have a firewall in addition to NAT (note 1). Whether yours do, I can't say, although recent models mostly do. Even so, the quality of the firewall varies from model to model - some are highly configurable, allowing you to be very strict in definitions of permissible traffic, while others have only basic settings that don't offer much choice. Some routers have only NAT, and not a firewall. NAT's job is to try and match inbound traffic to the connection originator - usually, the NAT table is fairly loose in managing associations compared to a stateful firewall with its own state tables.

If I understand your network topology correctly, then what's behind Router B will be protected from a cracked wireless connection, so that is of benefit if the machines connected to B offer local services (web server, SSH, etc.) for other local clients. There may also be other benefits of two firewalls in series, assuming the rules are set up to be quite restrictive, in that a successful intrusion attempt through Router A might not succeed through Router B.

But keep in mind, if an intrusion attempt exploits an existing connection (to an internet server) from a machine behind Router B, then your routers will probably allow that traffic through. For a higher level of protection, you would need a network intrusion prevention system (IPS) or a unified threat management (UTM) device. That may be overkill in your situation, though.

Quote:
I bought router "B" a while back and lets just say its firmware is somewhat old, is this a problem security-wise?
It means that any recent vulnerabilities have not been patched. Actually, there's no guarantee any vulnerabilities have been patched if it's a typical consumer-grade model. (The manufacturer may use a proprietary OS focussed on fast performance rather than security, and may have emphasised cool new features rather than fixing bugs.) Old router features may be too simplistic for "front line" use. For example, one security feature is source port randomisation of DNS lookups. Older routers may not offer this feature, meaning that while your local computer may happily use random source ports for each DNS query, your router may re-write each query back to a static port, thus re-introducing a service vulnerability (note 2).

The best way to improve security of a given router/firewall is to keep your network topology simple so that the rules can be equally simple, and defined tightly, since one of the largest sources of vulnerability is improper configuration.

Some general tips, albeit somewhat subjective:
  • Don't use exotic protocols and dispense with UPnP and support for games
  • Disallow inbound fragmented packets
  • Disable management from the internet (i.e. external to your network)
  • Turn off any access methods you don't absolutely need
  • Unless absolutely necessary, don't forward ports or allow NAT-T traversal
  • Set strong access passwords
  • Use an HTTPS connection to access your router's configuration page
  • If you have them, enable all the DoS/DDoS features
  • Apply a default block rule on all firewalls, and whitelist allowed traffic

If any of the above breaks essential services, then re-enable only the minimum features to get those services working ... or re-evaluate whether the service is really essential.


Notes:
(1) There are different types of NAT, but for a home router, we're almost always talking about Source NAT (Network Address Translation) with PAT (Port Address Translation).
(2) If you're not using an internal recursive DNS server, then this vulnerability is probably quite limited anyway.


Some further reading:
http://computer.howstuffworks.com/nat.htm/printable
http://www.grc.com/su-firewalls.htm
http://en.wikipedia.org/wiki/Network_layer_firewall
http://en.wikipedia.org/wiki/Stateful_firewall
__________________
.
Marching to the beat of his own conundrum.
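The tips in the post above (default block rule with whitelisted traffic, no inbound fragments, no management from the WAN, keep the rules simple) written out as an iptables script for a Linux gateway box. This is an added example, not code from the thread or from any router vendor; it assumes the WAN is on eth0, the LAN is 192.168.1.0/24 on eth1, and SSH to the gateway is wanted from the LAN only. The rules are only applied when FW_APPLY=1 (which needs root); otherwise the script prints the commands it would run.

```shell
#!/bin/sh
# Added example: default-block, whitelist-style iptables ruleset for a gateway.
# Assumed layout: WAN on eth0, LAN 192.168.1.0/24 on eth1, SSH from the LAN only.
# Rules are applied only when FW_APPLY=1 (needs root); otherwise they are printed.
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

ipt() {
    if [ "${FW_APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

build_rules() {
    # Clean slate, then default-block: nothing is accepted unless listed below.
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Non-first fragments arriving from the WAN are dropped before any other match.
    ipt -A INPUT -i "$WAN_IF" -f -j DROP
    ipt -A FORWARD -i "$WAN_IF" -f -j DROP

    # Loopback, plus replies to connections that the inside started (stateful match).
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Whitelist: LAN hosts may SSH to the gateway and be forwarded out to the WAN.
    # No rule accepts NEW flows from the WAN, so management from the internet is off.
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT

    # Log new inbound attempts at the front door (rate-limited) before the
    # DROP policy discards them, so probes show up in the kernel log.
    ipt -A INPUT -i "$WAN_IF" -m conntrack --ctstate NEW \
        -m limit --limit 6/min -j LOG --log-prefix "FW-PROBE: "

    # Source NAT with PAT (note 1 above) for LAN traffic leaving via the WAN.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

build_rules
```

Run it once without FW_APPLY to review the printed rule list, then `iptables -L -v --line-numbers` after applying it to confirm the DROP policies and the order of the accept rules.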
  #3  
24th January 2010, 02:59 PM
Hlingler (Administrator)
Join Date: Sep 2006
Location: Connellsville, PA, USA
Posts: 11,289
Quote:
Since routers have firewalls built-in, are my machines protected by some sort of double wall?
My DSL router has a built-in firewall, but it was disabled by default, and is still disabled (I find firewall setup sooooo much easier on a gateway machine).

V
  #4  
24th January 2010, 03:59 PM
joe.pelayo (An ape descendant)
Join Date: Dec 2006
Location: Mexico City
Age: 29
Posts: 3,101
Thanks for the responses, guys.

At the moment there is only one machine connected to the router (the one with the Atheros wireless card, which suffers from the F12 kernel's screw-up of the ath9k driver), but eventually I plan to occasionally bring my netbook online for file synchronization and for SSH access.

Is this too dangerous?

On the router's side, I ran the Shields Up! test in the past on both routers (there was a time when router "B" was directly connected to the Internet) and got the following results:

Router "B" has all its ports (those which Shields Up! tests anyway) "stealth".
Router "A" has a subset of its ports "closed" (and so 'fails' Shields Up! test).

In the current setup Shields Up! apparently reports the same as if I were just testing router "A" (I assume because it is the one which gives access to the Internet). However, if I understood correctly, even if someone attacks one of "A"'s closed ports (say port X), and succeeds, it wouldn't affect "B"'s port X, right?

Thanks,
Joe.
  #5  
25th January 2010, 02:22 AM
Evil_Bert (Retired Again - Administrator)
Join Date: Nov 2007
Location: Reality
Posts: 3,034
Quote:
Originally Posted by joe.pelayo
Is this too dangerous?
I wouldn't think so. But use a strong password on your SSH server anyway.

Quote:
Router "B" has all its ports (those which Shields Up! tests anyway) "stealth".
Good.

Quote:
Router "A" has a subset of its ports "closed" (and so 'fails' Shields Up! test).
Not so good. This means anyone randomly probing* your internet address will detect you are there and can then start looking in earnest for vulnerabilities. On the other hand, if you were offering a server to the internet, you'd have an open (forwarded) port, which would be a further step worse. I suppose it's a matter of perspective as to what you consider "acceptable".

Quote:
In the current setup Shields Up! apparently reports the same as if I were just testing router "A" (I assume because it is the one which gives access to Internet).
Correct. Shields Up! can only test the public IP address you gave it, which will be for Router A. To test Router B without changing your network topology, you would have to open and forward all tested ports through to Router B. I suggest you don't do that, though.

Quote:
However, if I understood correctly, even if someone attacks one of "A"'s closed ports (say X port), and succeeds, it wouldn't affect "B"'s X port, right?
Probably. It depends on how the attack is conducted. If it's a sophisticated attack, leveraging from a connection originating from a machine behind Router B, then traffic might pass all the way through both routers. But if it's a random probe of port X (which is closed) then Router A should still stop it.


* My "front line" router/firewall logs all probes occurring at the "front door". I get an average of about one probe per minute, usually aimed at common ports such as 23 (Telnet), 22 (SSH) or 6000 (X server), plus a few ping and traceroute attempts.

Last edited by Evil_Bert; 25th January 2010 at 02:26 AM.
  #6  
25th January 2010, 04:45 PM
kyryder (Guest)
Posts: n/a
@Evil-Bert,

Quote:
Unless absolutely necessary, don't forward ports or allow NAT-T traversal
Would you mind elaborating why?

I thought it was a good practice to forward "problem" ports you are not going to use, or ports that you may not be able to make stealthy, to an empty IP, which would make the ports show as stealthy ("unanswered").

Thanks in advance,

Ky

Last edited by kyryder; 25th January 2010 at 05:14 PM.
  #7  
25th January 2010, 04:52 PM
jenaniston (Registered User)
Join Date: Dec 2009
Location: Malibu, California
Posts: 318
Quote:
Originally Posted by joe.pelayo
Since routers have firewalls built-in, are my machines protected by some sort of double wall?
I bought router "B" a while back and lets just say its firmware is somewhat old, is this a problem security-wise?
It'd be interesting for you to see the results of iptables . . . try this command . . .
Code:
# iptables -L -v --line-numbers
(you may have to expand your terminal window so that each line of output stays on a single line with the verbose -v switch)
  #8  
26th January 2010, 07:35 PM
kyryder (Guest)
Posts: n/a
Without thinking about it, I posted this in another thread while discussing other issues. That was a bad idea, so I thought I would post here what I wrote about this subject in the other thread. Sorry for any confusion.

You say your router "A" was not stealthy. The way that I have "fixed" this problem in the past was to forward the unstealthy port to an empty IP address. What I mean by this is: if your router's IP is 192.168.1.1 and you set your DHCP server to hand out addresses beginning at 192.168.1.150, then you could safely forward some ports to an empty IP like 192.168.1.125. This would make the forwarded ports show as stealthy, since there would be no answer from the empty IP. Of course, don't use this method on ports that you plan to access from the WAN side, since there would be no connecting through the ports that were forwarded in this manner.

You might want to take a look at the www.dd-wrt.com website and see if your routers are supported by their firmware.

Hope this helps,

Ky