
Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
reply to norwegian

Re: Router security

Inside, because it's least expected and harder to control. Throw 500 free USB sticks into a lobby; guaranteed one person will stick one into a laptop or work PC in the building.......... or at home.....

Shady Bimmer
Premium
join:2001-12-03
Northport, NY
Reviews:
·Verizon FiOS
reply to StuartMW

Re: Router security

said by StuartMW:

WEP is crackable in seconds. Most people know that.
Crackable in seconds ==> Wide-open

I don't think I disputed that, and in fact stated WEP is known to be very weak. Regardless it has nothing to do with a WAP.

Thus using the original error (of WAP = WEP) by antdude above.

Ah, so you are assuming that when antdude stated 'WAP' that he actually meant 'WEP'? I don't see why you would assume that.

WEP/WPA/WPA2 are security protocols. WAP is a physical object that provides wireless network connectivity. Completely unrelated.

Get it?

WAP = Wireless Access Point, which is by definition wide open already. I still don't get why you think that is humorous, other than that you may have misread/misinterpreted a previous post.

Shady Bimmer
Premium
join:2001-12-03
Northport, NY
Reviews:
·Verizon FiOS
reply to norwegian

Re: Router security

said by norwegian:

Which is the easiest to attack a router, the inside or the outside?

This thread seems to have strayed from the original question (above) and before this thread gets locked:

The answer depends on what is meant by 'attack a router'. Generally a consumer router/firewall is designed to protect a private network inside one's home. In a commercial space, the concept is the same (protect internal network) but is typically done with dedicated-purpose firewalls separate from routers.

In a consumer space, an "internal" attack on a router may be easier, if only because router administration is often completely blocked/filtered from external interfaces. In commercial space, this is also true for many internal networks. If router administration is enabled on the external interface, then there is little difference between an internal or external attack on the router itself.

With respect to ease of gaining access to a network, if you already have access to the internal network then there is no attack involved. Once there, you have direct access to the hosts on that network which you would not have from an external attack. Most attacks focus on gaining access to the internal network, which typically involves compromising the firewall (or router/firewall) (but not always). Botnet trojans can provide network access independent of access to any consumer router/firewall, largely due to the unrestricted outbound access that is typical in those installations. When dealing with network access as a whole, this is only as strong as the weakest device regardless of whether it is a host or a router/firewall (in consumer space).


Juggernaut
Irreverent or irrelevant?
Premium
join:2006-09-05
Kelowna, BC
kudos:2
Internal is always the weakest link. A download, or a bad link will lead to disaster.

Modern routers are far harder to breach, if set up reasonably well.
--
Better to have it and not need it, than need it and not have it.


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:3
said by Juggernaut:

Modern routers are far harder to breach, if set up reasonably well.

I have my router configured so it is only accessible, from the LAN side, by serial (direct connection), HTTPS and SSH. The last two require a certain certificate in addition to the usual password. Is it possible for it to be hacked? Sure, but unlikely.
--
Don't feed trolls--it only makes them grow!

Shady Bimmer
Premium
join:2001-12-03
Northport, NY
Reviews:
·Verizon FiOS
reply to Juggernaut
said by Juggernaut:

Internal is always the weakest link. A download, or a bad link will lead to disaster.

That is the difference between attacking/breaching a network and attacking/breaching a router (firewall).

Gain access to a host via malicious download (active or passive) and you have easy access to the network. This would not gain access to the router necessarily. A firewall (consumer router/firewall) would only be less secure on its internal side over its external side due to the fact that its management may be blocked entirely from the external side. If additional care is taken such as that used by corporations and individuals as noted by StuartMW then even gaining just internal network access may have no advantage in exploiting the router/firewall over an external attack.

If the question is over gaining access to the network then yes, as I noted the network is only as strong as its weakest device. The router/firewall is rarely the weakest point and is as a result not the common point of attack. It is more often easier to gain access to a network by using an exploit on another host, bypassing the router/firewall entirely.

This is one reason (among several) that commercial firewall implementations typically restrict traffic in both directions. In the event access to a given internal host is obtained, this in turn may not be used easily as a bypass around inbound firewall restrictions. These protections are no guarantee, but are just one control among many.

To the original question: A given firewall (consumer router/firewall) is less secure internally only due to the fact that it may have unrestricted management access on its internal network. There is nothing in particular beyond that to make the internal interface(s) any less "secure" than the external interface(s).

The internal network itself, however, is typically easier to attack than the router/firewall in most consumer installations. Penetrating the router and penetrating the network are two different cases.


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:3
said by Shady Bimmer:

The internal network itself, however, is typically easier to attack than the router/firewall in most consumer installations. Penetrating the router and penetrating the network are two different cases.

True. Which is why I only have specific folders shared between machines on my LAN and those folders are only used when transferring files. Thus if a particular machine is compromised the attacker can't (easily) get to files on other machines. NetBIOS (over TCP/IP) is also disabled (it is easily exploited).
--
Don't feed trolls--it only makes them grow!


norwegian
Premium
join:2005-02-15
Outback
reply to Shady Bimmer
Thanks for persevering. I asked the question based on the expanded network that has come about. As everything is hooked up to the router I am or was under the belief the router is the point of concern, but as you pointed out it is the network itself which is the concern, hence the internal switch of the router/4 port + wireless network that is the weak link.

So the router is fine as I seem to have it locked down enough I believe.

There seem to be a few areas of concern for any network that are relevant now.

1. ARP
2. File sharing
3. Exploits
4. Infection

There may be more, but these would have to be the initial concerns? Would you class UDP as a point too?

Interesting discussion, thanks all.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



norwegian
Premium
join:2005-02-15
Outback
reply to Anav

said by Anav:

Inside, because it's least expected and harder to control. Throw 500 free USB sticks into a lobby; guaranteed one person will stick one into a laptop or work PC in the building.......... or at home.....

You mean something like this?
»www.smh.com.au/technology/securi···1gv.html
»searchsecurity.techtarget.com.au···-AusCERT
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:3
reply to norwegian
said by norwegian:

1. ARP

Not sure you can do much about ARP poisoning on a home network.

2. File sharing

I'd turn off Home Groups (or whatever Microsoft calls them) for sure. Enable simple password-protected file sharing with limited folders if you wish to transfer between machines.

3. Exploits

Disable NetBIOS. You don't really need it.

4. Infection

Use an A/V you like and keep it up-to-date.

Then there's the obvious (hopefully) stuff. Don't click on links without knowing where they go. Don't download from warez etc.
--
Don't feed trolls--it only makes them grow!
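The host-side items StuartMW lists (disable NetBIOS, drop HomeGroup, limit shares, keep the A/V scanning removable media, and the AutoRun point raised later in the thread) as one script. This is an added example, not code from any poster; it assumes a Windows host, an elevated PowerShell prompt, and Windows Defender as the A/V (the `Set-MpPreference` lines are an assumption; use your own product's settings otherwise).

```powershell
# Added example (not from the thread): apply the host-hardening advice above on
# a Windows machine. Run from an elevated PowerShell prompt. Assumes Windows
# Defender is the chosen A/V; substitute your own product's settings otherwise.

# 3. Exploits: disable NetBIOS over TCP/IP on every IP-enabled adapter.
#    TcpipNetbiosOptions: 0 = use DHCP setting, 1 = enable, 2 = disable.
$adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
foreach ($nic in $adapters) {
    $result = Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 }
    "{0}: SetTcpipNetbios returned {1} (0 = success)" -f $nic.Description, $result.ReturnValue
}

# 2. File sharing: stop and disable the HomeGroup services where this Windows
#    version still ships them (they are absent on Windows 10 1803 and later).
foreach ($svc in 'HomeGroupListener', 'HomeGroupProvider') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s) {
        Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
        Set-Service -Name $svc -StartupType Disabled
        "$svc stopped and disabled"
    }
}
# List the non-administrative shares so only the deliberate, password-protected
# folders remain (remove anything unexpected with Remove-SmbShare).
Get-SmbShare | Where-Object { -not $_.Special } | Select-Object Name, Path

# USB sticks: turn AutoRun off for every drive type (bit mask 0xFF = all types).
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $explorerPolicy)) { New-Item -Path $explorerPolicy -Force | Out-Null }
Set-ItemProperty -Path $explorerPolicy -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord

# 4. Infection: make sure the A/V scans removable drives and has fresh signatures.
Set-MpPreference -DisableRemovableDriveScanning $false
Update-MpSignature
```

The NetBIOS change takes effect per adapter without a reboot; a new adapter (for example a fresh Wi-Fi profile) gets the default setting again, so re-run the first loop after adding hardware.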

Shady Bimmer
Premium
join:2001-12-03
Northport, NY
Reviews:
·Verizon FiOS
reply to norwegian
said by norwegian:

Not sure where this will take me - call it curiosity.
Which is the easiest to attack a router, the inside or the outside?

The (long) thread posted immediately after this initial post is a worthwhile read. On that, and the rest of the thread, is the question one of gaining access to the router/firewall itself, or one of gaining access to the network? Bypassing consumer router/firewalls to gain access to a network is often easier than gaining access to the router/firewall itself.

An attack on a router/firewall would typically have little benefit other than to then use this access to gain access to the internal (protected) network. Finding a path around the router protection, at least in the consumer router/firewall case, is typically easier than finding an exploit to the router itself.

It might be worthwhile to remember a few years ago when many institutions were infected with a fast-propagating worm that leveraged a Windows vulnerability. The perimeter security (dual-layer firewalls in conjunction with router ACLs) was useless and was never attacked itself in any of those cases.

The router/firewall is a layer of protection for the network, which itself is inherently insecure with many points of vulnerability.


norwegian
Premium
join:2005-02-15
Outback
reply to StuartMW
1. On NetBios:

In the early days all my cabled LANs were manually configured for the network, and DHCP and DNS services were turned off.
Now to the present and wireless:
Doesn't DHCP use NetBIOS? I know once I have had enough of a play with the wireless I could look at all connections being mapped to specific addresses to stop DHCP etc., which would allow turning off services such as NetBIOS, WINS, LMHOSTS etc.
But routers do not allow configuration like in this Microsoft Article on NetBIOS

2. Home networks is a Microsoft term; what of Apple (iPods, iPads, MacBooks), WD Live stream and all other types of hardware relying on network connections via the router/switch etc.?
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



norwegian
Premium
join:2005-02-15
Outback
reply to Juggernaut
said by Juggernaut:

All of the connected HW should be visible in your router interface. Wireless, and wired.

I've found the location in the router for that and once everything is set up I will try to apply this comment of yours.

MACs are easily spoofed.

I'm gathering at some point if internally infected, an external computer that is communicating back and forth can spoof the internal MAC address and the router will then allow more communication? Not quite DMZ status but it would surely be close?
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:3
reply to norwegian
said by norwegian:

You mean something like this?
...

Well if you share USB sticks I'd disable AutoRun for sure. Also set your A/V to scan removable drives.

As Anav said this is a common trick. I think the Stuxnet virus made its way to Iranian PCs via a USB stick.
--
Don't feed trolls--it only makes them grow!


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:3
reply to norwegian
said by norwegian:

Doesn't DHCP use NetBIOS?

No. Having it enabled allows you to "browse" your network but is that necessary? It is easy enough to create network shortcuts to shared folders and disable NetBIOS.

2. Home networks is a Microsoft term; what of Apple (iPods, iPads, MacBooks), WD Live stream and all other types of hardware relying on network connections via the router/switch etc.?

I don't know but I'd only enable what you really need.
--
Don't feed trolls--it only makes them grow!


norwegian
Premium
join:2005-02-15
Outback
reply to Shady Bimmer
said by Shady Bimmer:

The (long) thread posted immediately after this initial post is a worthwhile read. On that, and the rest of the thread, is the question one of gaining access to the router/firewall itself, or one of gaining access to the network? Bypassing consumer router/firewalls to gain access to a network is often easier than gaining access to the router/firewall itself.

It may end up being more about this.

The initial question though was about this:
The router, a Bob2, has started beeping, dual beeps every now and then. I assumed it was a hardware issue. Tech support have given me a new one and as soon as it was plugged in and configured it started beeping too. If there is a sudden one-off bug of the Bob2 and it is a genuine hardware/firmware issue, I'm gathering it will get picked up soon enough as I will be reopening the tech support ticket.

If it is relative to something on my network causing this, it is my problem not the ISP's?

While this is all happening I thought it best to consult with the good people here about what can and cannot be a part of the new (less than a month old) phenomenon. So there may be 2 points to be concerned with, not just router security. Thirst for knowledge does not come from 1 direction only, so bear with me; I'm not sure where the topic is heading. I will however try to keep my own questions on topic too.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



KodiacZiller
Premium
join:2008-09-04
73368
kudos:2
reply to norwegian
said by norwegian:


2. Hide SSID and only show it to allow the connection to happen before hiding it, use WPA2 as well.

Hiding the SSID has zero benefit.

2. Set specific MAC addresses.

MAC filtering has little if any benefit.

The best steps you can take to secure a router are:

1) Set a strong WPA2 password.

2) Turn off any remote administering of the router unless you really need it.
--
Getting people to stop using Windows is more or less the same as trying to get people to stop smoking tobacco products. They don't want to change; they are happy with slowly dying inside. -- munky99999


Juggernaut
Irreverent or irrelevant?
Premium
join:2006-09-05
Kelowna, BC
kudos:2
reply to norwegian
said by norwegian:

I'm gathering at some point if internally infected, an external computer that is communicating back and forth can spoof the internal MAC address and the router will then allow more communication? Not quite DMZ status but it would surely be close?

Even if you spoof a MAC to a 'known' device, if the router is secured, you still need to have the login, and PW to gain access to WIFI, or the router.

If it is not secured, and has only a MAC filter, you're toast. You can spoof a MAC with a program. WIFI (and Bluetooth) broadcasts them.
--
Better to have it and not need it, than need it and not have it.


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:3
reply to norwegian
Sounds like you have an integrated modem/router from your ISP. My LAN is behind another 3rd party router. I don't trust what an ISP provides. That has been discussed here before (too lazy to find a link right now).

»Re: Do you trust AT&T with your security?
--
Don't feed trolls--it only makes them grow!


KodiacZiller
Premium
join:2008-09-04
73368
kudos:2
reply to Shady Bimmer
said by Shady Bimmer:

WPA = Wi-Fi Protected Access, the next-generation security protocol after WEP. WPA has been deemed weak against brute-force attacks.

Only partially true. WPA only has weaknesses when used in TKIP mode. If you enable CCMP/AES mode, those weaknesses do not exist.
--
Getting people to stop using Windows is more or less the same as trying to get people to stop smoking tobacco products. They don't want to change; they are happy with slowly dying inside. -- munky99999


Juggernaut
Irreverent or irrelevant?
Premium
join:2006-09-05
Kelowna, BC
kudos:2
reply to StuartMW
Yep, I have my own router, and my ISP's modem. The router is between them, and my network.
--
Better to have it and not need it, than need it and not have it.


norwegian
Premium
join:2005-02-15
Outback
reply to Shady Bimmer
said by Shady Bimmer:

The router/firewall is a layer of protection for the network, which itself is inherently insecure with many points of vulnerability.

Which I am learning more about from the discussion, even though it is the router that seems to be the centre of attention for me.

I didn't just want a "my Bob2 is beeping, it is infected" topic. These tend to be closed down rather quickly. So I tried a discussion in hopes I could view or review protocols to help understand more generally about setting up networks securely, starting with locking down a router and using it to its full potential.

Sorry to all if I've misled you a little.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



norwegian
Premium
join:2005-02-15
Outback
reply to StuartMW
said by StuartMW:

Sounds like you have an integrated modem/router from your ISP. My LAN is behind another 3rd party router. I don't trust what an ISP provides. That has been discussed here before (too lazy to find a link right now).

»Re: Do you trust AT&T with your security?

It is a Bob2 supplied by the vendor.

I have another router here, but had troubles setting up the second router, or understanding what security needs to be in place with the addressing and configurations. We discussed piggybacking routers here once or twice and consensus was equally bad vs good for this method. I doubt turning it into a bridge would help my wireless clients with protection.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:3
reply to norwegian
said by norwegian:

I didn't just want a "my bob2 is beeping it is infected" topic.

If it starts beeping rapidly I'd be inclined to, um, run
--
Don't feed trolls--it only makes them grow!


Juggernaut
Irreverent or irrelevant?
Premium
join:2006-09-05
Kelowna, BC
kudos:2
reply to norwegian
One other thing to do, as it seems to have been missed. Use a SW FW as well, to stop stuff from going out. It's another layer for security.
--
Better to have it and not need it, than need it and not have it.
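One concrete way to do what Juggernaut suggests, using the firewall already built into Windows rather than a third-party product. This is an added example, not a poster's own configuration; it assumes Windows 8 or later with the NetSecurity cmdlets, an elevated prompt, and that the allowed ports below (DNS, web, NTP) are what a typical home PC needs, which is an assumption to adjust.

```powershell
# Added example (not from the thread): make Windows Firewall block outbound
# traffic by default, then allow only what the host needs. Run elevated.
# The allowed ports are an assumption about a typical home PC; adjust them and
# watch the firewall log for whatever else gets blocked. The built-in
# "Core Networking" rules (DHCP, ICMPv6, etc.) stay enabled and keep working.

# Block both directions by default on every profile (inbound normally already is).
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block -DefaultOutboundAction Block

# Minimal egress allowances; each rule is created only if it does not exist yet.
$egressRules = @(
    @{ Name = 'Egress DNS UDP'; Protocol = 'UDP'; RemotePort = 53 },
    @{ Name = 'Egress DNS TCP'; Protocol = 'TCP'; RemotePort = 53 },
    @{ Name = 'Egress Web';     Protocol = 'TCP'; RemotePort = @(80, 443) },
    @{ Name = 'Egress NTP';     Protocol = 'UDP'; RemotePort = 123 }
)
foreach ($r in $egressRules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Outbound -Action Allow `
            -Protocol $r.Protocol -RemotePort $r.RemotePort -Profile Any
    }
}

# Log dropped packets so a host that suddenly tries to "call home" shows up.
Set-NetFirewallProfile -Profile Domain, Private, Public -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# Quick check of the resulting policy.
Get-NetFirewallProfile | Select-Object Name, DefaultInboundAction, DefaultOutboundAction, LogBlocked
```

Expect some breakage at first (software updaters, mail clients, games); add a narrow outbound rule per program with `-Program` rather than widening the port list.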


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:3
And/or configure your own (custom) outgoing firewall rules in your router.
--
Don't feed trolls--it only makes them grow!


norwegian
Premium
join:2005-02-15
Outback
reply to Juggernaut
said by Juggernaut:

Even if you spoof a MAC to a 'known' device, if the router is secured, you still need to have the login, and PW to gain access to WIFI, or the router.

If it is not secured, and has only a MAC filter, you're toast. You can spoof a MAC with a program. WIFI (and Bluetooth) broadcasts them.

This is set up with a default SSID but the passphrase is my own.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke