bbarrera
Premium,MVM
join:2000-10-23
Sacramento, CA
kudos:1

reply to SYNACK

Re: Guidelines for Securing your Router

quote:
(On the same WAN subnet, it is possible to fabricate a packet with destIP=192.168.x.x, but containing your WAN MAC in the Ethernet header. I am not sure what the router would do with it.)

With default filters in place, the RT314 will allow destIP=192.168.x.x with the WAN MAC in the Ethernet header. I've verified this using telnet from my 3Com ADSL modem. Without an anti-spoof filter on the RT314, I can telnet into the router (even with the TEL_FTP_WEB_WAN filter in place)! For example, if the router LAN IP is 192.168.1.1 you can telnet into the router from the WAN side by running the command "telnet 192.168.1.1" on the ADSL modem.

(Edited) Forgot to add that this only works if the 3Com modem's management interface is on the same subnet as the router LAN. So in this case the router's WAN interface sees packets with LAN src & dest IPs, and the router passes the packets through to the LAN side. The performance of telnet is terrible, but it does work. This seems like a bug, because somehow the router sends telnet replies with a LAN destIP back out the WAN interface (but very slowly). However, I cannot telnet into the router from the modem IF the router and modem are on different subnets.

I just bought a hub to run some additional experiments from the WAN side of the router (using another computer and packet sniffer software). Don't have a lot of time these days, but I'll publish results when I finish.
[text was edited by author 2001-03-18 12:17:17]

[text was edited by author 2001-03-18 12:37:05]


Sentinel
Premium
join:2001-02-07
Florida
kudos:1

Two questions in one post...

bbarrera,
You said that without a spoof filter in place you could get in but you neglected to say whether or not you could get in WITH the common spoof filter that many of us use in place. The filter I speak of is the one like this:
Y IP Pr=0, SA=192.168.0.0 (with a subnet of 255.255.255.0) N D N
So could you?

Synack,
In your post you spoke of some possible open UDP ports. By doing your ip udp st command I saw that I had the 8 ports you mentioned open as I assume most of us do (I didn't have 161 since I am running the Netgear firmware). Related to that part of your post I have 2 questions.

1. Where in menu 11.1 can we turn off RIP? I have turned it off on lan in menu 3.2 a long time ago but I can't find it for WAN on menu 11.1?

2. If we make a filter like the following:
1 Y IP Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP(less than)67 N D N
2 Y IP Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP(greater than)68 Y N N
3 Y IP Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP(less than)1024 N D N
4 Y IP Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP(greater than)1025 N D F

That would close all UDP except what is necessary for DNS from our ISP's. ComptrGuy tried something like this but it didn't work for me since he only allowed 67 & 68. From the command you showed us, I see that perhaps 1025 & 1025 are necessary as well. Maybe that is where he went wrong. Would the above filter be good then? I am trying it out now but I have only come to this web site so far so I dont know how it will do.
--
~AL~



SYNACK
Just Firewall It
Premium,Mod
join:2001-03-05
Venice, CA

said by alotero:
1. Where in menu 11.1 can we turn off RIP? I turned it off on the LAN in menu 3.2 a long time ago, but I can't find it for the WAN in menu 11.1.
...
That would close all UDP except what is necessary for DNS from our ISPs. ComptrGuy tried something like this but it didn't work for me since he only allowed 67 & 68. From the command you showed us, I see that perhaps 1024 & 1025 are necessary as well. Maybe that is where he went wrong. Would the above filter be good then? I am trying it out now but I have only come to this web site so far, so I don't know how it will do.
I will catch up on some of the other recent posts in this thread later, but here's just a quick reply to your specific questions. Remember that I run a ZyWALL so I don't need these UDP filters. The ZyWALL has a default firewall rule that only allows 68/UDP (DHCP client) from the outside so DHCP can work. You do not need to open 67/UDP (DHCP server) from the outside. Your router listens on the LAN for DHCP requests broadcast to 67/UDP from computers that need configuration, but you hopefully don't hand out configurations on the WAN. (Since a computer without configuration has no idea about local IPs, masks, etc., the DHCP requests are sent to 255.255.255.255.)
Do some tests with logging and renew your lease to see what's needed from the WAN.

Since these are not really "ranges", you could open each port individually; it is just easier on the brain (at least mine):
1) pr=17, port=68, forward, else next
2) pr=17, port=1024, forward, else next
3) pr=17, port=1025, forward, else next
4) pr=17, dest=LAN subnet, forward, else next
5) pr=17, any port, drop, else next
...
I really haven't studied the traffic patterns in detail, so I don't know if the router uses any other dynamic UDP return ports if the need arises. (In the absence of NAT mappings (menu 15), rule 4 allows UDP that is part of a NAT session, and thus most likely wanted, and rule 5 drops any other UDP.)

RIP on the WAN is off by default, so you should be safe. (try "ip rip st" to verify.) To turn it off, you go to menu 11.1 (menu 11...edit IP=yes) and set RIP Direction=none.


Sentinel
Premium
join:2001-02-07
Florida
kudos:1

I never saw that menu 11.3 before! Holy cow. Thanks Synack.

I don't get the R4 line there. Dest=LAN subnet? Would that mean the following?

Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 17 IP Source Route= No
Destination: IP Addr=
IP Mask= 255.255.255.0
Port #=
Port # Comp= None
Source: IP Addr=
IP Mask=
Port #=
Port # Comp= None
TCP Estab= N/A
More= No Log= None
Action Matched= Forward
Action Not Matched= Check Next Rule

Or would we have to put in the ip address of 192.168.0.0 too?



SYNACK
Just Firewall It
Premium,Mod
join:2001-03-05
Venice, CA

said by alotero:
Or would we have to put in the ip address of 192.168.0.0 too?
Sorry about being too cryptic.

A subnet is a combination of a Subnet address (192.168.0.0) and a Subnet Mask (255.255.255.0). So, Yes, you need both!

Just a note: All this is theoretical for me and I haven't tested it. Make sure you test so there are no loose ends.


bbarrera
Premium,MVM
join:2000-10-23
Sacramento, CA
kudos:1

reply to Sentinel
I'll put spoof filter in router, then try to telnet from modem into router tonight. Yardwork and kids are calling me to another duty now...



Sentinel
Premium
join:2001-02-07
Florida
kudos:1

reply to SYNACK
So this theoretical UDP filter might look like this:
1 Y IP Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=68 N F N
2 Y IP Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=1024 N F N
3 Y IP Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=1025 N F N
4 Y IP Pr=17, SA=0.0.0.0, DA=192.168.0.0, N F D

R1, R2 & R3 forward those ports. R4 allows NAT session UDP and drops all else (providing you put 255.255.255.0 in the dest IP mask). Am I getting close here?



SYNACK
Just Firewall It
Premium,Mod
join:2001-03-05
Venice, CA

said by alotero:
So this theoretical UDP filter might look like this:
...
4 Y IP Pr=17, SA=0.0.0.0, DA=192.168.0.0, N F D
Am I getting close here?
Just a note. I would NEVER drop on not matched! Imagine you have a TCP packet (e.g. from your web return traffic) passing this filter. Since it does not match (it is NOT UDP!) the filter will most likely drop it!
(Unless this has changed with the newer firmware. This was the case when I was still using protocol filters)
This is the reason for my rule #5!


Sentinel
Premium
join:2001-02-07
Florida
kudos:1

Duh, of course. Sorry about that. Yes, that is obvious now. So it should look more like this:

1 Y IP Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=68 N F N
2 Y IP Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=1024 N F N
3 Y IP Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=1025 N F N
4 Y IP Pr=17, SA=0.0.0.0, DA=192.168.0.0, N F N
5 Y IP Pr=17, SA=0.0.0.0, DA=0.0.0.0, N D F

Providing this is the last rule of a chain.
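The matched/not-matched point SYNACK raises above, and the corrected five-rule chain Sentinel posts in reply, can be checked by hand, but a small simulator makes the difference explicit. What follows is an added example, not code from this thread or from the ZyXEL/Netgear firmware. It models a ZyNOS-style filter chain with only the fields the posts use (IP protocol, destination subnet, destination port comparison, source subnet, and the Forward/Drop/Next actions), reading the trailing three letters of each summary line as More / Action Matched / Action Not Matched, which is how the menu 21 form a few posts up lays them out. The "More" AND-flag and logging are left out, and it assumes that a packet no rule decides is forwarded at the end of the chain, which is what the explicit catch-all rule 5 implies. It runs the first draft (rule 4 "N F D") and the corrected chain over the same constructed packets, and also prepends the Pr=0 anti-spoof rule quoted earlier in the thread to show that it matches a packet whose source address is in the LAN subnet. The packet values, the 192.168.0.0/24 LAN and the 203.0.113.x / 198.51.100.x addresses are made up for the test; whether the real RT314 actually drops such a packet at the WAN port is what bbarrera was still testing, and a rule simulator cannot answer that.

```python
"""ZyNOS-style TCP/IP filter chain simulator (added example, not firmware code).

Models the rule fields the thread uses: IP protocol (0 = any), destination
subnet, destination port comparison, source subnet, Action Matched and
Action Not Matched (Forward / Drop / check Next rule).  The "More" flag and
logging are not modelled.  ASSUMPTION: a packet that reaches the end of the
chain without a Forward/Drop decision is forwarded.
"""
import ipaddress
import operator
from dataclasses import dataclass
from typing import Dict, List, Optional

FORWARD, DROP, NEXT = "F", "D", "N"
TCP, UDP = 6, 17
_CMP = {"=": operator.eq, "<": operator.lt, ">": operator.gt}


@dataclass
class Rule:
    proto: int = 0                  # "Pr=0" in the summary line = any protocol
    dst_net: Optional[str] = None   # "DA=0.0.0.0" with no mask = any destination
    dst_port: Optional[int] = None  # "DP=68", "DP>1023" ...; None = no port test
    dst_cmp: str = "="              # "=", "<" or ">" (Port # Comp)
    src_net: Optional[str] = None   # "SA=192.168.0.0" with mask 255.255.255.0
    matched: str = FORWARD          # Action Matched
    not_matched: str = NEXT         # Action Not Matched

    def matches(self, pkt: Dict) -> bool:
        """True if every configured field of this rule fits the packet."""
        if self.proto and pkt["proto"] != self.proto:
            return False
        if self.dst_net and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.src_net and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_port is not None and not _CMP[self.dst_cmp](pkt.get("dport", 0), self.dst_port):
            return False
        return True


def run_chain(rules: List[Rule], pkt: Dict) -> str:
    """Walk the chain top down; the first Forward or Drop decision wins."""
    for rule in rules:
        action = rule.matched if rule.matches(pkt) else rule.not_matched
        if action != NEXT:
            return action
    return FORWARD  # nothing decided (assumption, see module docstring)


LAN = "192.168.0.0/24"  # constructed LAN subnet for the test

# First draft: rule 4 is "N F D", i.e. Drop when NOT matched.
DRAFT = [
    Rule(UDP, dst_port=68),
    Rule(UDP, dst_port=1024),
    Rule(UDP, dst_port=1025),
    Rule(UDP, dst_net=LAN, matched=FORWARD, not_matched=DROP),
]

# Corrected chain: rule 4 falls through ("N F N"); rule 5 "N D F" drops only UDP.
FIXED = [
    Rule(UDP, dst_port=68),
    Rule(UDP, dst_port=1024),
    Rule(UDP, dst_port=1025),
    Rule(UDP, dst_net=LAN),
    Rule(UDP, matched=DROP, not_matched=FORWARD),
]

# The anti-spoof rule quoted earlier: "Pr=0, SA=192.168.0.0 (255.255.255.0) N D N".
ANTISPOOF = [Rule(0, src_net=LAN, matched=DROP, not_matched=NEXT)]

# Constructed packets as seen by the WAN input filter (made-up addresses:
# 203.0.113.5 plays the router's WAN IP, 192.168.0.0/24 its LAN).
PACKETS = {
    "http reply (TCP)":        {"proto": TCP, "src": "198.51.100.10", "dst": "203.0.113.5", "dport": 3456},
    "dhcp offer (UDP 68)":     {"proto": UDP, "src": "203.0.113.1",   "dst": "203.0.113.5", "dport": 68},
    "netbios probe (UDP 137)": {"proto": UDP, "src": "198.51.100.20", "dst": "203.0.113.5", "dport": 137},
    "udp to lan host":         {"proto": UDP, "src": "198.51.100.30", "dst": "192.168.0.2", "dport": 27015},
    "spoofed lan source":      {"proto": TCP, "src": "192.168.0.9",   "dst": "192.168.0.1", "dport": 23},
}


def evaluate(rules: List[Rule]) -> Dict[str, str]:
    """Verdict ("F" or "D") for every constructed packet under the given chain."""
    return {name: run_chain(rules, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, chain in (("draft", DRAFT), ("fixed", FIXED), ("antispoof+fixed", ANTISPOOF + FIXED)):
        print(label)
        for name, verdict in evaluate(chain).items():
            print(f"  {verdict}  {name}")
```

Running it prints one verdict table per chain: the draft drops the TCP reply (and every other non-UDP packet) at rule 4, the corrected chain forwards it and still drops the UDP probe to port 137, and only the chain with the anti-spoof rule in front drops the packet carrying a LAN source address. To try another rule set, build a list of Rule objects in the same order as the menu 21 summary and pass it to evaluate().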


jbibe
Premium,MVM
join:2001-02-22

I have been using the following for several months:

1 Y Pr=17, SA=0.0.0.0, SP=67, DA=0.0.0.0, DP=68 NFN
2 Y Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP>1023 NFN
3 Y Pr=17, SA=0.0.0.0, DA=0.0.0.0, NDF

I don't actually use rule 3, but the filter rules which follow act like rule 3; i.e., drops all UDP datagrams bound for ports less than 1024.

Rule 1 handles DHCP
Rule 2 forwards the UDP datagram if DP is open.
[text was edited by author 2001-03-18 18:09:28]



Sentinel
Premium
join:2001-02-07
Florida
kudos:1

reply to SYNACK
Oh my gosh, that works so well! I just tested it at Secure Design's web security test. I always passed their test with flying colors, but I never logged anything on UDP ports, so I didn't know if I was really OK. The logs used to be about 850K. I just went with Synack's UDP filter above and the log was almost 2MB!! Every UDP probe was logged and dropped. Yet I can still do everything; play online games, etc...
Thanks Synack! Or as they say today U DA Man!

Now I have to study that TCP Established SPI 2 filter thing a few posts up again.


© 1999-2012 dslreports.com.